KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Talk about cloud security, 2025 perspective and roadmap, which is a, a tricky theme. So, so I really hate my, my colleague York when he comes up with these ideas because, you know, I think the last two years have shown planning is not so easy. Things can really change. And so I think there are some things which are, are quite clear, which are the big themes we should look at, but there will definitely be between now and 2025. There will be things we haven't on the radar.
No one maybe has on the radar and, and who, who of us knows whether we will have between now and 2025 something which is, is way bigger than colonial pipeline as an incident on the infrastructure and stuff like that. So it's, it's extremely hard to predict. We need to be aware of that. We need to be clear on that end. So I try to give you some thoughts and, and some information about what I have in mind and, and what I see happening.
And, and it all starts with a very simple thing or a tricky thing, because complexity never is simple. If you're, if you're honest, it is, it is about complexity.
And so, so some of you, maybe in a role, even over the CIO, others getting this, this, this thing given by the CIO, we all have seen this cloud first over the past years, we also have seen, unfortunately, the pendulum is bringing back edge computing, edge computing, or, or the idea of, of SASI my colleague materials will talk about SASSI later today, where you then say, okay, is isn't it a great idea to add an SD van, to have our internet look like local area network, a little so maybe depends sometimes back too much.
So I would be very reluctant for SDWAN and look very careful at the use cases. Some might be good for others. It's total nonsense to give up the, the, the flexibility of the internet for, for something that allows you. If someone is in a gamble, lateral movement. So building a bigger castle, so to speak, not sure whether it's, it's always the smartest idea, but anyway, we, we see complexities increasing and that will not disappear. We will have to face this.
If, if you're, if you're retailer, if you're on logistics, if you're a manufacturing organization, if you have branch offices that, that are still open and there will still be some bank branch offices open, and others, you have something which is always running local S it, it will not be all in the cloud. There might be more, there might be more edge computing, which is so to speak the hybrid thing.
But the reality at the end is multi-cloud multi hybrid it for the vast majority of organizations, not for all very clear if you're this, this, this smart startup in the Silicon valley, or in Berlin where we are now, then, then you might say, oh, I have everything as a service. Anyway, I run everything in the cloud and my users, they have their notebooks and they are wherever, which is the other side of the reality.
For most organizations today, you, you, your office workers at least are somewhere, but then you say, okay, device cloud service, all fine, all simple, but for the most, for the majority of organizations, it is not as simple. There's a little bit of legacy sometimes. So if I go to the average insurance company or bank, then you find a couple of hundred of legacy systems and not to speak about OT environments. So the operational technology, where, where legacy way you, if you're somewhat lucky will, will manage to find those systems sometimes. So things are, are, are different.
And this is where we need to deal with, because at the end, what happened? So we, we had the servers and then we added VMs. So in some environment, and we had VMs forever more or less, if we go to the mainframe for the rest of the, it took a little longer, then we added the public clouds.
Oh, we said, oh, we also need private clouds as out of the public clouds. And oh, we need edge computing and let's see what else we will need. And he has PCs and the notebooks and the smartphones and tablets and the things who knows what will be the next catchy device. We will see here. And for us in it, this, this usually brings the problem that we say, oh, something new. And I think historically, at least it was. And then we said, oh, we need to be careful with these tablets. And then the CEO came and said, oh, I've seen the airport, my colleague.
And he had this cool iPad saying, I also want to have one. And then the entire strategy fall apart. So complexity will not decrease. I think this is the learning we have, we have applications, storage, data services, absent. This world is getting way more complex.
So in, in, in, in the past, we have been thinking in servers. So take privileged access management. We manage that Linux service, and we onboard our three Linux servers over the next year. But today a vast part of our workloads is dynamic agile in an infrastructure as a service environment, or even a Kubernetes environment. If you run it internally, it is still a different type of workloads is different thing to manage. We have services that manage that need access to resources, where things are constantly changing. This makes the world way more complex.
So we, we will have a more heterogeneous, more complex environment. And we must think about how can we deal with that? I think this is when we look forward to the next years. And in fact, what we need to start today, this is a major thing to look at. How do we manage this at how do we manage at the right place? How do we get a CRI on that? And how can we still be at trial? How can we deliver at cost? How can we deliver time to value when developing digital services? And that's the other part, our organizations are increasingly, so most businesses today are in some way, a digital business.
I wouldn't say software business, which is part of it, but the digital part, the way we interact with customers, the type we provide services. This is differentiating this started ages ago. When you look at, when I sometimes look at my Amazon account and tells me Amazon customer since 1990 something. So then you see, okay, this, this is net super, super new, but it's, it's becoming more and more. And if you look at, at for instance, the automotive industry, the differentiating factor in the future is not the motor, not the engine. It is the software because the complex, and it's the way.
And also the software from a technical and from a user perspective, technical, how do you manage your battery? How do you do all these things? And so things are changing and we need to be agile. We need to do it at cost. We need always to keep control and compliance in mind and security. And the problem here is when we are talking about AAL business, if our digital services fail, then the business is in trouble. It costs quite a lot of money because this is where we are vulnerable, where we are, where the risk are, the more we have here, the more it is in the past.
The focus when you talk to organizations is that, you know, my main focus is not, not stopping my production line, still, still an issue if you're producing, but today, everything is so to speak to production line, the digital service, and this makes it more complex. And so how do deliver, deploy, run, and secure the services the business needs? Can we do that manually? Definitely not. And this is when we look at trends for 2025, a very important thing.
Do we, everything as code very, very hyped topic, honestly, I'm definitely don't believe in this concept because, so there might be code, which, which comes out of something. Yes, you might have area. So if you're, if you're delivering an infrastructure, if you deliver recess service, you might have a team that cares for, for that service, which is a combined of, out of security of infrastructure people, which then code because they do it every, every single day.
But if you look at the average and the normal type of code produced for new digital services, then it is not a smart idea to have the coder coding infrastructure and security requirements. People who are developing software sometimes are good in security in infrastructure, but not always security. People sometimes are good coders, but not necessarily. And by the way, code is error grown by nature. So if you code things, you make mistakes. It's not a smart idea.
So I'm, I'm a believer in policy based automation. And when I also look at the trends, we, we are observing as Analyst in the market, we see more and more of that happening. We see quite an uptake around policies around automation. And I think this is the way to go into sync.
We, we must understand what we have, and this all starts at the end of the day with understanding what we have. We need to get better, to have more data about everything we have in it. Data that is constantly updated.
Look, I look at the room whom of you would say in my organization, we have a really great working and comprehensive it asset management, oh, you can raise your arms. I see zero arms raised in that room and it might be not that different from the, the online audience we have. So materials can give me hint from the online side. A lot of people said we have it, but I would be, would be reluctant. That might come more through the chat, through the, the questions, by the way, race questions, whenever you have.
So, so we need to understand what we have because only then we can automate and then became maybe bring in some, some well applied AI, ML, whatever we yesterday had a talk about that and said, yeah, so that AI we are using in insecurity is not that much AI, in that sense, we commonly understand maybe we should call it augmenting intelligence or something like that, because it's about augmenting us. It's about helping us do our job better to reduce the workload, to, to set the focus for humans.
Anyway, we, we need this to automate and we need policies that if I policies, I'm, I'm a big believer in policies because everyone understands policies. If you say to your, your, your child, child subject, don't touch the hot oven, it's a policy at the end and the same policy. You have IP addresses. Don't go to airport 25, same structure. Structure's always the same. And people can describe policies very easily, by the way, much better than they can describe business roles or stuff like that.
While business roles are arrived at the end of the day from policies, but no one thinks about it, but it would be a different topic and a totally, totally different presentation here. So anyway, we have to, then we can do automate the configuration. And this is a basic way to think. And in that the most important things at the end is we need to understand what are the, so to speak. The actors does subtracts the identities, not only of humans, we must think way beyond humans. It is a lot. The more we, the more we do it in it, the more we automate, the more it is about services.
We have things, we have devices, all that stuff, and we, we know them. We could, at least we can know them. We could know them. It's way harder to, to manage the security of the device part of this game, if we can do it, but in the, bring your own device world in the consumer IOT device world, it is limited. We have lesser control here, the network. So if we think it is, we are here in the room, some of you might then go into the internet. They are using the wifi here. Then it goes through whichever internet service providers and ends up wherever the control is limited.
Yes, we can artificially set something which says, okay, so VPN is something and Swan is something. But the question also is what, what is the price to pay? So we see a massive increase in DDoS attacks on VPNs of large organizations, because with the work from home, this makes organizations vulnerable. And then the attackers say, okay, pay us. And we don't. And we stop the DDoS attack. This is happening. That is happening massively.
We, we will, we have seen the Fastly outage. We have CD Akamai outage, which also means every layer we add is another point of failure. And sometimes a single point of failure. We also have control about data, about computer resources, about storage, about all that stuff. And we need to get a equivalent that this is my, my first message. We need to understand the complexity. We can't solve it manually. We shouldn't try to code everything we should always look for. How can we automate based on policies and augmented by AI IML or whatever is behind.
It might be just rule sets, which have the marketing label of AI. I don't care if, if it works and if it augments, what are trends? I pick a picked a slide here from battle ski notes from yesterday morning.
The some, some numbers we've we've collected over the past months, ransomware. Yes, very clearly. Ransomware is a major challenge these days, and it'll not go quickly, go away quickly. New to the stage really is this entire software supply chain thing we can argue, Hey, it's not new hot fleet. Many years ago, wasn't an attack was trust, bad software. But at the end of the day, we have seen how vulnerable it is.
So I, the only thing is it starts happening. It starts happening right now.
And it, it is this threat because yes, the, the effort for the attacker is way higher than in many of the traditional attacks. But the impact is much bigger.
If you, if you succeed with the type of attack and I, I feel we will see way more of that. There are many other things we are facing, but more interestingly, when we look to 20, 25, what other things we will see, and I put it into four boxes around environment, technology regulations, attackers, and, and when we look at the environments, I, I already talked about it will remain multi-cloud multi hybrid. We see probably more edge computing. We see what I already, already elaborated on hybrid work as the new normal.
And we will see more bring your own device scenarios, which mean controlling the devices gets more, more challenging. And we see more device broad in the sense of, oh, another type of device here is something you, there is something new. And that is, that is part of it. We have the technology part where we also will see more AI in cybersecurity on both sides of defense attackers will use it and we will use it to defend ourselves. And it is an uneven play because as we know, an attacker trust needs one attack, rector that works.
We need to defend against all it's a little bit like, like playing football or for the American soccer. And, and you have 22 people on the field, one goalkeeper on that side, one goalkeeper on that side and 20 field players on that side, that's a little bit of situation we are in that we are that sole goalkeeper, so to speak, who, who needs to defend, we will see the impact of quantum probably arise until then maybe, maybe not. Sometimes things take longer. And at a certain point, this probably may or will become a threat to traditional encryption technologies.
This is something we, we need to, to keep in mind, confidential computing. I see as a major trend. So confidential computing is the theme of, of keeping in information, so to speak encrypted, always even when processing that information like, like in homomorphic, encryption and other approaches. So this will be clearly a trend decentralized technologies will, will play an important role. So some managing assets and, and other stuff, sharing information defining on, on who has access to what.
So with, with this entire theme of decentralized identity, we, we are, we are seeing a lot of evolution in that space, but it's, I would say it's, it's still just scratching the surface because the, the, the real use case is, or the, the even more interesting use case will be around. How can I control which data I share under which conditions for how long with whom extending it way, way beyond sort of the, the, the current focus on more on the authentication use case. I know there's a lot, lot of thinking in, in that space, but we will see more on that.
And also between organizations, how can we, can we keep sort of get a better group of data? Data security anyway, is, is, is super important theme that we haven't cared enough about data. We must be better in data security and data governance, etcetera.
You know, when you look at most organizations, probably few organizations would say, Hey, I really have a good grip on my structured data. I know where data resides in which databases I know about the data lineage. So where data flows, I know where it's processed. And I also have ensured that my policies are enforced consistently from the database to the data, like to the analytics tool, to the files, which fall out of the analytics tool.
I, I think very few, if any organizations would say, I can do that, I'm super good at that Koba, have you just a second, you need a micro, you don't touch it because hygiene rule, Have you also researched or found or noticed that organizations, especially large ones who have these complex it landscapes that they have separate groups or departments to for data management, data quality data classification, because I think that's the new basic asset management. Yeah.
So, so I, I think we see, see an uptake here. First, we see that that there's a tendency to go for, for tools to help you understand where data resides and bring different groups together as well. Cause they have usually this data stewards, they have to users of the data, they have specialists more for, for, for using data. And this is a concept we, we see slowly evolving, I'm trust, writing a leadership compass on, on the solutions for meta data management and data catalogs.
So, so there there's technology arising, but it's still a long way to go. This entire thing is clearly organization, too broad. Policy-based automation back to the, to my technologies. I need to look here because otherwise I'm not in the camera. Sometimes I forget regulations. We will see server incidents. It is as always, once something goes really wrong, then regulations follow because we always know the law and regulations are always behind the reality. That there'll be the case here as well. I think we see an expanding perspective.
So more organizations will be considered being critical infrastructure and having higher roots to fulfill and regulations for all. So the, even for the average, whatever medium size business, the regular terror pressure will increase also due to all the, the supply chain and, and third party risk management things already happening.
So this, this troubles through attackers, I don't see that we haven't decreased to expect neither in or a number. And some of them will use automation to further optimize their attacks. So lesser humans and, and more automation. And that will happen on the other side of the fence as well. And I see to a certain extent, also a real risk of cyber welfare, some way you could argue some of these things are happening probably more a cold cyber valve currently, but yeah, it'll be seen. So what are the challenges then? I think I already touched many of these from the survey, too many tools.
Interestingly skills, short siloed organizations. Budget is relatively low on that list, still a concern, but it's not the top thing anymore. I think we, we, on average, we get somewhat more money for cybersecurity because everyone understands cybersecurity identity and these things, they are essential for the business. So it is not just that that ACC athlete trial somewhere in the seller anymore, it plays an important role. It was interesting.
We had our cybersecurity council this, and I think probably close to half of the, the people we have in that group had some, some issues around finding the time for the council and having the board meetings. So CSOs are quite regularly in board meetings nowadays, they have a different role to the point silent organization. I think it goes also the data thing we need to, to get better.
We need to, to de silo, we need to understand what needs to be done, done where, and, and how to, to take a more integrated perspective, the skill strategy we had a entire drag more or less yesterday on that will remind the challenge, which again, is in a call for also augmenting humans so that we can focus. The too many tool thing is a very interesting point. I believe because on one hand we always feel we are missing stuff. On the other hand, we, most organizations have a ton of security solutions.
And when, when something happens, then we observe quite frequently that organizations enter this headless trick mode or panic mode and run around and purchase everything they can get that maybe helps it doesn't help. You need to understand what do a portfolio assessment understand what really delivers to your security at which cost? What are the things to focus on, have an all over a holistic strategy as well, understand where your risks are, what to, to protect, which are the assets to care for. What are the really important things at the end? It's data.
Data is your most important asset, not the network, but the network is to entry point for the ATTs part of the problem. So reduce complexity, execute on the zero trust model, go for layered security for well sought out layer security, understand the real benefits and assess the technologies in place set, focus.
And yes, there there's, you know, there's always this question. What do you need to protect? And there's, I think there are three, three angles. You can look at this. The one is, what do you really need to protect? Which are your crown tools. This is where we should start with. So what is really the point at the end? It's mostly intellectual property. It's financial data are things like that, PII and so on. But the question also is where do you have the biggest or most dangerous attack surface?
So where do the, the attackers come in, which is a different angle because they need, they, they have to go somewhere until they are at your data. So where's where are the doors or, or, or the way the areas where they can enter and what can you protect efficiently? That's the other side? So at the end, some things are easier to protect than other side touch already. If you bring your own device device, it's harder to manage on own device. Identities are always a good starting point and consider also this changing nature. This is not getting simpler.
It's, it's getting more complex because you're living in a multi-cloud multi hybrid world. It's that just protecting some servers, it's workloads, it's a dynamic infrastructure. And so it is not that you, you can say, okay, I trust you because these are my assets. I trust focus on the data because the attackers will come in earlier. So there is this network angle, there's this part with the box in your software, you need to be aware of.
But I think these questions without going through all the, that in detail might help you in, in figuring out what to do to get better towards 20, 25 last, not least let's stream a little bit, or we call the concept. We spell it Dre in that case, it's something I, I I'm, I'm shown the first time at our European identity conference in September, an approach for security for all of it, because I don't believe that we will win when we do something for cloud infrastructure versus our traditional security.
We need to understand this is a world which has workloads, very different forms, multi-cloud multi hybrid. So what I call dynamic reserve title and access management focuses on, on everything and the security and identity layer that goes from on-premise to the public cloud. There's there are other concepts. In addition, you'll find information on our website. We can focus more on the agile development and how do you make it secure? And how do you do you deliver to the need of the business? But at the end, it's about three layers to bring together, which are policy management enforcement.
So the automation, how do you manage the policies? How do you enforce the policies? I think it's very worse to look at some of the, the upcoming seems like OPA op open policy agent and other stuff. It is about identity and access, including what Gartner calls cm, the cloud infrastructure, entitle management. I think we need to go beyond cloud and beyond infrastructure, take a broader, more holistic approach. And this, by the way, also what we see from the vendors, what is happening to, to put this into a, a bigger theme, and there's the cybersecurity security, operations, automated response.
So are all these things we have and underpinned by it, operations, delivering to what we have in DevOps. These are the things which then are around it.
And we, we need to think about how do we do we do this? We need to de silo here. We need to, to understand there's not a cloud and on premise it or on cloud and on premise security, it must be go in hand in hand. It's about understanding our requirements. How is our world evolving? What are things to do? And then we can come up with a vision and look at what do we already have? What do we need need? What are things that are not yet fully there? So when I look at policy based automation, I see a lot of interesting things happening, but we are clearly not a hundred percent here.
And we have a lot of small tools, which over time will convert into more combined solutions. And then we can deliver, we can run in a better way. And the core of this is from my perspective, understanding the world is more complex policy based automation and understanding what to protect and, and where to start with the protection. This is when I look at, at the roadmap and, and the perspectives for 2025, what I'd like to share with you today. Thank you.
