We want to talk about the identity fabric and how it can be used in our daily work as analysts, but also in the daily work of custom organizations that are using the identity fabric and the subsequent IAM reference architecture for designing real life identity infrastructure for assessing them. For this, we have invited Dr. Phillip Messerschmidt. He's a lead Analyst lead advisor with CO A Cole, and he's working with our customers in projects and engagements where we are doing several tasks with the identity fabric and the reference architecture. Hi Phillip. Good to see you.
Hi Mattia.
Thanks for having me here.
Great to have you. And we want to talk about actual use cases where we've been using the identity fabric and the reference architecture for real live business with end user organizations. You have prepared examples. When we look at the first example, what was the type of customer, we do not give names, but what was the, the org organization, the industry, and what was the challenge that the organization was facing?
Yeah.
First I want to talk about the great global healthcare group with four business segments that is operating on, on each continent and each country and doing that, they are facing patient requirements, so being operating on the whole world with four business units that are more or less disconnected. They are decentralized working, they have also decentralized IT departments. So one strategic move that they were aiming at was to, to create a new group IT department that can offer centralized services.
And therefore one of the main challenges was that each and every of those four business units was facing different requirements and different challenges. So it was hard or, or is hard to find a single approach to, to each and every topic. And Im is is not Yeah. Special in that case. So the IM reference architecture and the identity fabrics offer a good starting point for them.
Martin, when you designed the identity fabric and the reference architecture, the service approach, thinking of IM as a set of services was key. Am I right?
Yes, absolutely. I think the point is that at the end of the day when this this idea came up, it was stepping back from and looking at what is the top of I am. IT is providing seamless, yet secure and controlled, governed access from everyone and everything on the lefthand side to every service right hand side. And that requires a set of services. And these services at the end are rather similar for across different use cases.
So, so if it's more about take healthcare patient data, then you have a different identity and some different services, but you still need to manage accounts to authenticate, to do a lot of things. And if it's a workforce access in, in in another department or working with external research partners, the the, the services at the end are, are rather similar. I think this helps to say, okay, what is it really what I need as a set of services that I can provide also to different business units, different use cases.
And so this is I think where where this identity fabric design syncing and the practical reality of customers come together
Talking about practical reality. Phillip, how did you apply this with this customer to get to this, to solve this issue of getting to a, a global IT department serving an international multinational organization?
Yeah, Martin just described it. So the identity of fabrics is a good starting point when we were talking about entities and services and that's exactly where we, where we started with, with the customer. So getting a better understanding of IM as a whole understanding what you want to do, which identities are important for the, for the customer here, which services are, are, are to be used, should be delivered here and what you need in, in between. So which capabilities and services are important?
So the first step was to, to get an overview but also to understand I am better to give a structure that the customer can use to, to collect those requirements. We, we, we started with the identity fabrics as an overview, but we quickly went to the, to the reference architecture and the building blocks here to, to do an assessment status quo view to understand where is the customer right now and a target goal assessment with the subject matter experts to understand where the customer wants to go. And in between we have that gap that should be solved in the end of the day.
So we've designed to get a roadmap to get from the status quo to the target architecture and, and later on to the services he wants to provide. And that was not the easiest task when we, when we remember that there are four business segments, a decentralized subject matter experts that should, and the target was to get to a singer approach, singer centralized IT approach for I am here,
Right?
But this is something that if we abstract from the actual industry that we can see in various industries in various organizations when it comes to creating a next generation, I am to, to get to a much larger solution. And I am has evolved over time as we can see in the reference architecture. So that is really a task that we can see across multiple industries. Which other industries did you use the identity fabric and the, and the reference architecture in for creating, for solving actual issues there? What what are the examples can you provide?
Yeah, I have another example for the chemistry industry actually, and also another use case. We use the identity fabrics and the reference architecture in, so the company I'm talking about now is a chemistry company in Germany with, but has an international presence.
The main, main task on the main things this company is doing is providing chemistry for the construction industry or also pains, varnishes, glues and textiles. So quite quite a number of products. And in this case we, we didn't do a status quo assessment and target architecture, but we were mainly talking about trends. So the challenge of that company was that they had an, an IAM infrastructure and wanted to to get to the next level.
So with all those trends incoming like cloud, like, like zero trust, the existing IM infrastructure was not able to deliver to the expectations and digitization on modernization were important for that company to become or let's say stay one of the leaders in the chemical industry here. So the idea was to, to help them to find those trends in the IAM market and how to prepare for them properly.
Martin, you are the principle Analyst here at KO called Analyst. Identifying trends and, and making them fit into an overall picture is one key challenge. What are the trends that you see as of now that need to be integrated and need to find their way into the individual identity fabrics and the reference architectures of our customers?
What, what are current trends that you see here?
Yeah, so first that identity fabrics paradigm, that that works for more, still more traditional approaches as for more more modern approaches. So you can really use it as a foundation for the journey and correctly increase the set of capabilities you support, improve the services, updated tools etcetera. One important trend is already depicted in that graphic, which is more to the upper left edge of the graphic where we talk about an identity API layer.
What we definitely see is that there's an increasing interest of the developers to consume identity services when they're building new digital services. So this is definitely one of the bigger trends. One trend truly is modernization of authentication towards being more secure and more convenient at the same time resulting in password less authentication. We also see fertile trends. So there will be some, some evolution also of what we do here and in the reference architecture soon, which is then really more about policy based approaches. So this will continuously evolve.
And for instance, also in this combination of the reference architecture, you'll find quite a bit about decentralized identity management. And because this is becoming more and more relevant on, on sort of speak more and more mainstream.
So it, it ends up then in the reference architecture. And so we have the policy based access parts and trust in time access and these things will evolve over time on also game momentum with the evolution of the market.
Great. And Phillip, when you applied this reference architecture and the identity fabrics in that actual use case with this customer, how did you use it for, for getting to a solution for, to a roadmap for next steps within this organization?
Yeah, Martin just stated it. So the reference architecture can also be used to identify trends, to talk about trends and we exactly, we, we did that, we used the, the bigger picture with the identity fabrics and moved very quickly here to the reference architecture to talk about actual trends in the market in IAM as Martin stated, api, IDP improvements, authentication, next level PBP bag. So all of those trends are important for most of our customers.
So we, we've explained those trends to them, we made clear what that means for them and how they can make use of it to, to stay ahead to, to get one of the leaders in their industry. But this is just the one, one of one side. So the other side is all again, is to get a better understanding of where the customer is right now because knowing the trends doesn't help if you don't know where you are and how to get there.
So after making clear what trends are there in the market, we, we also performed again a status quo analysis to get a better idea of the maturity of the customer's IEM infrastructure. And with that knowledge, we, we moved from, from knowing where you are to where you want to be in a couple of years. So the idea to say in three years I want to have this trends implemented or at least be more mature in those trends, automatically leads us to a roadmap design with them,
Right?
And, and understanding trends might also make, make sure that we trends are not implemented just for trends sake or for acts sake or for just being on the top level of, of implementations. But really to understand what the business uses, what the actual benefit of implementing such a trend actually can means, can mean, and how it fits into this, this proper roadmap. I think many organizations do understand very quickly when these trends are explained, what they mean to them and where they can be of benefit to them or not.
So really to take this reference architecture and to, to scope their identity landscape and their access landscape based on what really makes sense for them. You've mentioned another industry where you apply the identity fabrics and the, the reference architecture as, as we have seen there are rather different use cases.
What's, what is it this time that you want to present?
So my final example is about a tools choice and for that I was thinking about a German group that is working in the insurance sector and they're acting as a financial service provider. So they were facing challenges from regulatory side because they were missing features in the IAM sector and therefore they required a new IGA tool to, to cover those, those challenges and remain ahead of the competition in the future.
Right. And when you say tools choice, this is a, i I do this with you together, but there is a well defined process.
Where does the identity fabric and then the reference architecture come into play here?
So in the first two examples, we, we have learned how to use that for approaching strategic questions but also for, for trends to, to learn how trends work in the IAM sector.
The, the tools choice is not too far away from that because you need to understand where the market is moving in the future and how to get ready for that. And it's not just about capabilities and services, but also in the end when you have defined those capabilities and the requirements for that and the services that you want to provide, you also need to think about the tools that can support you with that. And this is where the tools choice come in.
So for tools choice, you are again starting with the identity fabrics, making sure that you have covered all the identities that are important and all the capabilities that you need for that.
And if you are able to define the, the market that you want to cover with your solution and the capabilities and services that you want to cover, you go one step deeper. In this case, we were searching an IGA solution. We were going to the IM reference architecture and thinking about, okay, what is important, which building blocks do we need? What what services needs to be provided?
And we've defined, defined the, the capabilities with the customer. We've explained the trends, again, we, we made a maturity assessment to get a better understanding where the customer is right now and where he wants to move, which trends are important and what requirements arise from that. And with those requirements, we were able to, to check the market for potential solutions and for potential vendors. And we were also able to design a questionnaire for those vendor communicate to make sure that the tool fits the requirements that that customer has.
So in the end, we are bringing, with the reference architecture, we are bringing a strong tool to identify the requirements and ultimately to identify the solutions that are able to support the required features here.
Right. And that also is the glue over to the, through the research part that or the research work that KO are called Analyst is doing.
By identifying the capabilities we clearly get very quickly to, to the market segment that we are looking at, and this is where you Martin provide the expertise when it comes to the research area by defining the individual market segments where the vendors and the services that are provided are located. How does this work together and how are these market segments in the IGA sector described? What are the typical segments where, for example, IGA come into play?
Yeah, so first it's mostly my team and me, so they're quite a number of Analyst Sure. Working on the research on the market Analyst and we, we, we continuously update our market segment definitions because this market doesn't stand still, but for, for sort of the core of Im, we, we still see iga, which is use a lifecycle management user and identity provisioning and the access governance piece is one important thing, which is more to, so to speak, the static part of, of identity management, creating accounts, creating and managing entitlements, the governance pro around it.
Then we have the access management portion, which is more about the authentication flows and federation, stuff like that. And we have the specific field of privileged access management and this is where we look at. And so IHA is, is is still a core part of what an organization needs with to have proper workflows, well implemented processes, et cetera.
And by the way, it's not just a tool, it's all the process work behind it where I still feel that most customers don't invest sufficient work into.
So creating good process on, on paper definitely helps with everything and it saves so much money and implementation that it's always worth the, the time and effort spent with based on, on this analysis, we help sort of, or we map to this ERs architecture and to the larger building blocks, capability blocks there that map to our market segments. And on the other hand, we also have these long questionnaires.
We, we, we, we send us to vendors when we do our leadership documents, our market comparisons, and these again help them to understand what are more detailed requirements that can be used in the tools trust.
Right. And you applied that in the tools choice.
So you, you've mentioned Phillip that this was mainly focusing on, on enabling the customer to satisfy regulatory requirements. So it ended up with a, with a traditional IGA tool?
No, not really because the regulatory requirements are not the only requirements those companies have as stated in the second example, there are also trends that need to be fulfilled and requirements arise from, from, from more than just one aspect. So not just the regular regulatory requirements are important, but also functional features that satisfy those trends. And in this case, companies are already very open to, to, for example, cloud deployments, IDAs deployments that go straight towards zero trust architectures.
So it's not the traditional tools like on-premise IGA tools that has been deployed in the last 20 years, but they are also preparing for the trends and for the next 20 years. And therefore it's not, not just the traditional features they are looking for, but also those that are satisfying the trends.
Right. You've mentioned that, so the, the the move towards cloud deployment models also for iga, for moving these critical, this critical data of persons, of people, of customers, of employees also into the cloud. This is something that is continuing from your perspective?
Yeah, AB absolutely. We have seen that with many tools that are moving towards the cloud. We have seen many provi tool providers even creating two tools, one for on premise that is satisfying the customers that are the, the customers that are still working with that tool, but they are also creating a second tool that that is mainly moving forward and not just maintained.
And with those tools, they are trying to aim at those trends that we have identified in the IM market and for the, they, they make it, they make it possible for many regular, many highly regulated areas also to move to the clouds and use advanced capabilities.
So that's mainly also a bit of the beauty of the identity fabrics and the reference architecture that is that it covers mainly functional aspects and it can be applied to use cases either on premises or in the cloud or hybrid, but it also is able to provide the required capabilities, for example, the dream aspect for providing cloud identities also in these services. Martin you want to add to that?
Yes, I want to add add, add a few things here. So the first one on Phillip, it's absolutely true. We see this trend towards identity as a service in a bit different models, not necessarily full public multitenant cloud. It could be also things which are more in a controlled single tenant environment. But I can't remember any of our customers in the past four to five years that didn't ask for something which at least will allow him to converge from, from an on-premise towards hybrid towards a really cloud deployment. So this was I think one, one of the important trends.
The other thing is in the identity fabrics paradigm, there's also an element which has been less visible on the, the slide we have shown previously, but which is also part of the, the entire paradigm that is that flexibility regarding deployment models and factually the support for modern deployment models. So we expect modern technology to serve so easily be public cloud that is one option or if not then being delivered in a modern microservices architecture, container based deployment or something alike so that it can run and be operated in different target operating models.
Otherwise it will not serve the needs of today's customers.
Okay, great. Thank you very much to the, for giving insight into these three industries and these three very different projects where we applied the identity fabrics and the reference architecture for solving individual challenges within actual tangible customer organizations.
When we talk about IM projects as a whole, Martin, what do you consider to be key success factors for an IM project architecture, this is what we have been talking about here and the processes behind that are most probably one of the most important aspects here. What else would you like to highlight when it comes to making Im project successful,
I, yeah, I'd like to turn a little bit around.
So, so I, I still see too many projects that mainly focus on a single world on that entire slide, which is more the in the block to the right hand side and has five letters, which is tools. So okay, we go for a tool, we have a, we have a problem, we go for a tool and that may solve it, but to find the right tool, you need to understand your current requirements but also the future requirements. You never build identity management for now but for the next decade. So understand the trends, understand what is coming in from regular side, et cetera.
Then you need not only a project, you need usually a program, cause this is a journey. So you need the program, you need a vision of blueprint. This is where the architecture, reference architecture, the identity fabric model comes in, but also the stakeholders, the money.
And then you need processes and people. So internal external people, the processes, what are your workforce, what are your user life cycles, et cetera.
Do it on paper because this saves you a ton of money with during implementation when you know exactly how this process looks like instead of experimenting around here and then to, it's also that we frequently see, I would say I try to avoid term sloppy here, but let's say imperfect two stores where you, where someone reaches out and say okay, this is the problem that and that and that might fit frequently whatever, one or two of the things that even fits to the problem.
And then they talk a bit with vendors and then they, they just do something instead of really mapping requirements, having a long list, reducing it to the short list based on core requirements going in depths into a questionnaire, rfi, RFP process, having these vendor presentations to beauty contest so to speak, doing a proper tools choice, which is another pilot, which is really a proper poc, which is another pilot, which is really a, looking at some key aspects and how well do they deliver all into context and having to target operating model something Phillip truly likes to speak about in place only.
Then you will end up with the successful delivery on time at budget and quality without too much of overlapping capabilities in a way the user likes it. I've seen so many identically management projects which really failed when the, the first came into contact with the end users because the UI was horrible because it didn't work for the end user perspective and which are made to crow. This is again, the paradigm of the identity fabric. This is made for crows for continuous evolution. Right.
Talking about circuit operating model Phillip. So I hand over the question to you.
How important is that and how does this influence the the, yeah, the, the deployment of of an IAM solution with an organization?
Yeah, that's, that's a rather good question. So there's a reason we, we always start with the identity fair and the reference architecture and not go straight into requirements and the tool stress. So when you start with the, with a good structure and having a good overview, you can always, always think about also the the capabilities you want to deliver and how you want to deliver them.
So which, what, what kind of people do I need? How from where do I deploy that? How do I those those services and who is actually responsible for that with new, with the new IGA tools and the new kinds of deployment, we talked about that a couple minutes ago. Do I want an IGA tool or do I want an I deployment? We have the possibility in the newer market to outsource those, those activities also to MSPs.
So I am is not a topic anymore that is only operated by a, a company itself, but can also be outsourced and in such, in such a world where, where we can outsource such a critical infrastructure, you we want to make sure that your target operating model is covering all the responsibilities and those, those risk is also covered.
Yeah, and and one thing I'd like to add here is I think it's very worse to to spend a lot of time on the target or some time really some sort of thinking on the target operating model because aside of the the external managed service providers etcetera, it's always good if the IM is understood as an internal service that is operated properly as a service and delivered to different customers. And going back to the first example, customer example, Phillip product.
If you have a lot of different business units with all different requirements, if you really think in a service and deliver what you do in a service style, you will be way better able to serve these different demands.
Great.
So we are getting to the end of this session, but I think it was clear that the identity fabric and the reference architecture can support organizations in solving their individual identities slash access challenges and to get to a approach that is really capable of being future proof and capable of providing services for the next 10, 20, 30 years by evolving that with in a controlled manner. Thank you Phillip for sharing your insight here and thank you Martin for adding your perspective to that as well. And we're looking forward to your questions now. Thank you. Thanks. Thank you.