KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Okay. So really when we look at the, this situation created last year, and, and when we look at what's happening, actually now as a consequence of what happened last year, as I mentioned, the, the trend of modernizing identity and access management and reconsidering, you know, the approach of the past is, is not new right, to a certain extent, but it's really a wake up call, I would say for many organizations to reconsider, you know, their current model.
And, and in this context, as you straight, you know, here on this slide, trying to not only modernize improve address, you know, some of the challenges of the past is clearly a key, a key goal.
It doesn't mean ne necessarily that it has to be a huge, you know, undertake right over whole, completely the, you know, of the existing infrastructure, because the rule of the game these days is, is about being nimble frugal, pragmatic, you know, as this NASA mission, you know, with the, the, the whole, the best over illustrate, there are ways to take a pragmatic approach actually, of modernization in, in this context. So thinking, you know, big and, and thinking strategically is really the, the, what what's, what's at stake here.
And especially when we step back, you know, 12 to 15 months ago, I'm sure that if many of you were part of it, organizations, the reality last year was that you were all struggling to address the huge inflow of, of workers connecting from home, right. With an infrastructure that was not designed for that.
And, and again, I mean, this trend is, is definitely not new, but at the same time, you know, in the middle of the COVID crisis, we, we heard, you know, I mean, many challenging situations of trying to beef up the, the VPN infrastructure we had at the same time increase threats, you know, from the, the solar winds attack, the attack, you know, on the exchange servers. And, and at the same time, many of you were trying probably to address all these changes with your legacy infrastructure.
So you had web access management solution on premise, you, you had, you know, your own Federation model, you may have been using, you know, ADFS, you had your VPN infrastructure, your set up, and, and really in order to address all that, you, you were trying to stretch existing existing tools to the point that you started to hit, you know, some of the main challenges. Right. And I think the other lesson out of all, this is that even if today, you feel like you've managed, you know, successfully the, the big wave, right?
I mean, past COVID the, here it is that it it's, it's not, you know, time now to highest on, on the low oil. Clearly there are challenges that have, that are existing, you know, in your infrastructure and, and really the statute quo to a certain extent, right. Moving forward is, is not enough, right. It's probably now the, the time to start considering the security model of, of what you have in place.
And, and I'm going to go through the presentation about some guidelines and, and some pointers about what can be achieved, you know, to try to address these challenges. And, and, and one point that is quite important. For instance, there are surveys that mentioned that out of the, the COVID situation, many organizations, especially in Europe, had to completely change their security policies for remote workers.
And, and we even heard, you know, I mean, stories of organizations that were forcing users to connect through VPN when they were accessing office 365, because the security Porwal for office 365 was done on premise. And, and because of the, the issues of, of VPN infrastructure, of not being able to step up, they, they had basically to allow users to connect to office 365 directly without any, without much security in place. Right. So no MFA and so on, so forth.
So clearly as a consequence of, of some of the, the, the decisions that were made, some security bilities where were put in place as well. Right? So static quo not being the, the, the answer. This is really the opportunity I would say, to, to lift our heads above the water and now plan for the, the future. Meaning does your infrastructure, or does your security model today fits what is going to be expected out of the, the new world reality, right.
The work from anywhere the cloud, you know, consumption of cloud resources and so on, so forth and modernizing, you know, identity and access management, instead of just stretching, you know, I mean, existing tools is not just an it priority anymore.
It's really a business priority at the same time, because modernizing IM is also what will allow your organizations to prepare for the, the future achieve, you know, business outcomes in a more secure way, remain agile, I would say, in terms of adapting and, and adopting new technologies and, and staying ahead of regulations as well, because as we've seen, you know, the, we trends too, for example, the, the regulatory landscape is, is evolving as well. Right. So how do we, how do we achieve that, right?
I mean, what are the pragmatic steps that can be taken? And one, one thing that is quite important is when we talk about modernization, we are not talking necessarily about a big bang, right?
I mean, we're not talking about starting, you know, a 10 year old pod, I mean, 10 year long project and investing, you know, I mean, millions of, of, you know, investment resources to, to achieve any business outcome. They, there is a survey that we, we conducted, we contacted at the end of last year to 250 it and security professionals about, you know, what was their vision on, on modernization, right?
And as you can see on the, the right hand side of that slide, 85% of the respondent clearly stated that they preferred a hybrid, pragmatic approach to modernization, meaning either keep, you know, most of what they have already existing and integrate, I would say on top of that other people, you know, I mean, we are considering a hybrid model, meaning rationalizing some of their existing infrastructure and starting, you know, to adopt new new platforms. So that's approximately 86% of the respondent, 14% actually.
And vision eventually migrated completely to a new solution, a new platform, but in a phase D approach, 14% of the respondent actually were in that mindset. But actually no one really was considering, you know, any type of re and replace approach, right? Meaning let's forget about the past and let's move immediately on, on something new.
So that's, that's clearly, I mean, these are clearly indications that integrating with existing environment is, is critical and, and being able to heap, you know, the benefits of some of these early investment, especially in terms of modernization is also very important. You wanna be able to extract, you know, value immediately on, on some of these investment decision and, and minimizing, obviously the overhead cost of integration as well, right?
I mean, the bloated PS project linked to any type of IM IM investment of the past. I mean, it's not the new reality, right? It has to be done hardly at low overhead cost.
Now, what are the, the capabilities then that can support this type of approach? The first one that we typically recommend is, especially in terms of remaining agile and flexible is void the pitfalls of vendor lockin, right? At tells we, we are very, very passionate about the concept of bring your own security, even.
So, you know, I mean, many of the cloud service providers are providing some IM capability built into their offer. The here it is that you never know, you know, I mean, what's going to be your cloud strategy five, 10 years from now.
And, and, and being locked in, you know, in some vendors solution may not be actually the, the future proof, you know, approach. And at the same time, they are technical capabilities today to actually, for you to rely, you know, on cloud service providers from many of the benefits that they provide, but remain fully in control of your security, security infrastructure. A good example.
I mean, you know, you have the ability now in many, with many cloud service providers to take a, bring your own key or bring your own encryption approach. So meaning you can encrypt your own data and you remain a hundred percent in control, like of the keys that encrypt the data. These keys are out of reach, you know, from these cloud service providers.
Well, we, we want to apply the exact same model for access management. We believe that bring your own access. So in terms of access policies and, and the credentials, so that are linked to identities is an important concept, especially in a multi-cloud, you know, world in the hybrid environment. It's a very important concept, you know, to be able to remain fully in control of, of your home security.
And this is something that can allow you over time also to adapt easily to new regulations, as we've seen, you know, with trends to there are increased pressure on you as an organization to show and prove actually that the, the privacy of the, the data that you manage remains under your own control, even if you are leveraging, you know, cloud service providers to actually store the data and, and, and manage the applications. Right?
So the, the second aspect is also in terms of managing risks and, and, and security, the survey that I mentioned earlier, you know, also high highlighted the fact that for 89% of the respond, the key metric for modernizing IM right? So the key success metric is all about reducing the number of data breach incidents. And as we all know, the, the main source, you know, root cause of, of incidents is linked to identity related events, right?
ID, theft, and, and so on. So we, we cannot just, you know, I mean, deal with security and especially with the, the alternation and access management piece as just, you know, a checkbox capability, right? The need for instance, to have, and, and, and be able to support different type of alternation journeys, right?
I mean, many organizations like yours are probably, you know, managing a very wide variety of users, right? You may have, you know, office workers, you may have basically manufacturing workers. You may have remote employees at the office employees, external contractors, and so on, so forth, and, and being able to adapt, I would say to, to this reality, being able to adapt also the authentication methods to how your users are going to conduct their, their work journey is also very, very important, right?
So the concept again, of managing and owning your, your security control is, is a very important aspect also of remaining agile, flexible and, and safe in, in, in what's going to be expected in the future, meeting your budget and budget targets and, and gain operational efficiencies is, is also a very important step because at the end of the day, you know, we all have hobby scars from the big IM projects, you know, of 10, 15, 20 years ago, right?
I mean, deploying IM including, you know, I mean, the governance aspect, the access management, implementing an SSO, trying to unify identity directories, all these projects were huge projects, driving a lot of functional services. And clearly, I mean, there are ways now, especially, I mean, with cloud services to, to take a more pragmatic incre approach to, to deploying a modern access management solution or identity and access manage.
And, and, and the benefit by the way of doing that is also, you can really plan, you know, I mean, benefits that you want to extract at each phase and, and email remain flexible and agile as the rest of your organization. It organization is, is evolving as well, because at the end of the day, you know, you have resources today that are maybe located on premises that eventually down the road are going to migrate, you know, more to cloud. And you want your, your framework, your security framework, to be able to easily adapt to that without having to engage into new projects each and every time.
So that's important. And if we really look at what the future proof mode and access management solution look like on this slide, by the way, this is a slide that is taken from a document that was written by N and published as last August. If you're interested, the, the reference of document is S P 800 dash 2 0 7, which really explains, you know, wet, modern zero trust approach of two security is about, and, and on that slide, it shows, you know, what, what we talk about modern access management in that concept, right?
It really shows that modern access management is not just, you know, SSO or authentication, right. Which used to be its it tools of the past modern access management is really a security framework, a security mindset that really push, I would say the decision in terms of who can access what, when, under which circumstances in front of each resource. So this is really the, the important part, right?
I mean, you, you have the ability here to, to say, we're gonna put the security hold in front of the enterprise resource that we are trying to protect. And we are making a basic assumption that, you know, users and their device, and then the underlying network is not trusted, right? This is the, the pennies of, of zero trust.
And the, the, the main point here is the fact that this type of topology can not only apply, you know, to in, in front of each of the resources you're trying to protect. It can also apply to the Perter right? So meaning the enterprise resource that is defined here on that slide can be a VPN or a five firewall to start with.
And, and this is an important part of the, the hybrid incremental approach that I, I, I mentioned earlier, because you can apply the same, you know, framework to the existing security model you have. So meaning you, if you have a VPN in place, or if you have, you know, the concept today of making access policies based on in-network that says out of network, you can apply, you know, the same that with more handler, you know, access policies. And then over time, you can start moving.
You know, some of these resources from the scope of your parameters, meaning applications are protected by your VPN. You can start moving these applications outside your VPN parameter and put an access policy directly in front of these applications.
And this is, you know, one way that that can illustrate that pragmatic, you know, one step at a time approach of modernizing your IM infrastructure as long again, as you have framework that is based on this concept of policy enforcement point access policies that are, you know, context context of where, and, and this is, this is probably the most important aspect of modern IM. So just to, to wrap up, you know, I wanted to give a few, few words about Tallis. If you're not, you know, very familiar with our organization.
I mean, we are, you know, a global organization, very large organization trusted the organization, serving, you know, highly sensitive industries, defense government, I space, and really the way that we're trying to position ourselves, you know, in this new world reality, especially, you know, the world where we believe ID is the new parameter. Our mission in that world is really to deliver hosted access in, in a zero trust world.
And, and especially in line of the, the, the security framework and the security model that I, that I described. Right. So thank you very much for your attention. I don't know if you have time now for some Q a.
