Very good morning Berlin, and it's always a pleasure to be here at the EIC.
You guys must be really serious, sharp at 8:30 and identities on your mind. I hope you guys had a good time on the boat yesterday, but all the rains, well, I'm not gonna spend too much time talking about technology. What I'm going to speak to you about is really a thought process of trying to implore upon your minds to maybe think through the problem that we have on the hand a little differently, right?
Well, we need to really think through very different here, but I'll really implore upon you to put this five or 10 minutes in the two messages that I'm trying to convey through this presentation. So I wanna kind of ask you to think beyond IGA and identity and access management, the way that we do this today, not fundamentally, but the way that we've been doing it for the last 20 years. I don't know, I see a lot of gray hair here.
I started to look at an identity solutions way back in 2000, 2001 and believe me, not too much has changed from the fact that we still talk about the same provisioning deprovisioning reconciliation. Well, only the names have changed. We used to call it reconciliation. It's called certification today, right? So fundamentally that's what has changed with the IGA. But having said that,
Does this go to the next one, please? The clicker?
Well, that's what happens in the morning. So I'm, I'm gonna, the next slide talks about a case study, which I believe is no different, and a lot of you here would've probably experienced something that I'm gonna talk to you about and hopefully this should come up. But what's really on the next slide is we had two case studies, one with a large bank and one with a large telecommunication company.
And, and that was the complexity. Sure, thank you. And the one that was with the bank had 700,000 workforce IDs and well, it included some third party contractors as well. And it had more than 40 million customer identities and more than 500 applications. The one with the telecommunication company had 200,000 workforce identities and 500 million customers.
Well, I'm sure you would've probably guessed which side of the world that would be, but 500 million customers, literally and greater than 1,250 applications.
How do you even do integration of all of that with the current technology stacks that you see today? So let me talk to you about the workforce identities. Access is a people process and a technology mess.
Well, not a mess, but maybe a mesh. Why? Because today you want people to work from anywhere you want to make sure, well, well, it's a faceless identities device agnostic. And the digital stack is amazing. You wanna control people to be able to have access to only a particular set of data, maybe an application, maybe an operating system. And tomorrow you could even be talking about who's got access to your BIOS and your IT support guys actually have access to your BIOS systems. And the passwords even today in this century are actually never rotated via a BIOS. So why?
Because they come baked in by the manufacturer.
It could be Dell, it could be HP, and so on and so forth. And all of that stack can be anywhere in the world today, on-premise, in the cloud, hybrid and so on and so forth. And what do we do with this? We actually try and put the hole. So it's like a, it's like a knee jerk reaction, right? You put authentication. So that's on the right hand side, services could be Active Directory, Azure. And today you have the Zscaler of the world and the zero trust and so on and so forth.
And on the left hand side, what you do is you go and buy an IM solution, an MFA solution and maybe an SSO solution and maybe a PAM solution. And then tomorrow you would've to go and buy a machine identity solution and maybe you'll need to buy an API lifecycle management.
And maybe after that you'll end up buying something to do with bots because bots are gonna run most of your operations, right? And you wouldn't have a lifecycle management for bots, do you? So you need to put all of this to actually control an army of targets. You put an army of security solutions, right?
And unfortunately you still cannot answer the question who's got access to what? Walk into any CSO's chamber today, walk into a CIO's office and say, Hey, you know what, in five minutes, tell me who's got access to what. You would never probably get an answer. And by the time you get an answer, everything in terms of technology stack would've probably gone through a change. Let's take a minute and talk about consumer identities or customer identities. These identities today actually are digital avatars of who you are and who we are.
They, they think it's what you do when you do, where you do what you work for, where do you store your data? What machine do you use? All of that constructs or gets constructed into a digital identity that somebody would have. It's no longer a single customer identity. One customer fundamentally has maybe on an average of 25, 30 digital avatars, right? And as an organization, you need to be managed, you need to be able to manage all of them.
And fundamentally, in fact, the world is so interesting today that we do not have, you know, we get very anxious today because of good technology, right? Try and wait.
You know, 20 years back I used to have no problem for waiting for a taxi for almost an hour. I used to stand in the queue and patiently wait for a taxi at the airport.
Today, if you don't get an Uber in five minutes, you wanna go to the next provider.
If you don't get that, you wanna go to the next provider. If you don't get your food delivered in 10 minutes, you want to go to the next provider, right? So the customer loyalty is fundamentally going away. And you need to be very, very good when it comes to customer or consumer identity. And what you do to control that.
Again, maybe zero trust, trying to control fraud there and so on and so forth. And guess what? We haven't even spoken about machine identities, right? And I don't know if you've even been able to go and discover how many machine identities you have and they would be in tons in your own offices, right? And just imagine in the next five years you're likely to have thousands of data centers. The fog nodes would be in millions and the edge devices are likely to be in billions.
So I spoke about a problem that we still continue to have for the last 20, 25 years.
The identity, the workforce, the workforce problem. I'm talking to you about the consumer or the customer identity. I don't know, even if we reconcile them, if you don't, you have too many frauds happening and I'm not sure what's gonna happen in the future. Take you fast forward 10 years from now, right? I'm gonna talk to you about hyper digital world and most of you would've probably experienced it. But some of us on that side of the world and, and especially, I would like to take an example from the queue of in the India technology stack.
I don't know if you guys have heard about the India Stack. Have you heard about it?
If not, please go and do a little bit of Googling. It's amazing. The first one talks about ONDC.
It's an open API stack made by the government of India for the solutions of the country. It is open network for digital commerce. These are just bunches of APIs and anybody in the country can log onto it, register as a supplier, dealer, consumer. There is no need for a food delivery giant. You could actually come back and say that I run a cloud kitchen, a small business. I wanna look at, you know, I like to eat something in particular in a particular area.
Look it up, hook it up, figure out who's supplying it, and then look up who can deliver it to me. It could be anybody who could deliver it to me and not necessarily an organized company trying to deliver it to me. And you know what? Then it hooks up into an invoice provider and then it hooks up into a payment provider.
And finally you have a stack, which is called UPI today in India, we make even 10 cents, I repeat 10 cents are even paid by the UPI transaction. Just imagine the cost of the transaction. It's almost negligible. Why?
Because they're using OpenStack open technologies and they are purely APIs. Just imagine, we were talking about applications in the first slide. Now you're talking about millions of APIs and they're small pieces of code. How do you even manage and control that? And every API has a token, every API has authentication to be built into it. Businesses are changing fast. This is my, my really best slide. I have it in almost all my presentations. Business models are changing to become outcome-based, business model, hyper-personalization.
People want to personalize every piece of service that you give you, right? And that is at the center of all the businesses today. And identities are likely to drive all of this today.
Why? Because consumers are becoming producers. You create the content. It's no longer the telecommunication company. You would probably run a bank, there will be no bank in the future. There will be no power company in the future, and so on and so forth. So everybody wants to now talk about identity centric security.
Of course there is a huge, huge, I would say probably it's a necessity for us to ensure that we talk about identity centric security. But you know what? Guess what? The identity providers have been starting to get hit starting from all the good players that you can think of. And this is part of a Gartner report. So you know it's been published in 2022. The big trends are get into supply chain, get into an identity provider and hey, you know what, you now have what you want to do. So everybody wants to build an identity threat detection and response.
All of us here eventually would want to converge and get into identity threat detection and response and contextual data modeling. There are only two ways that you can survive. Fast forward 10 or 20 years, how far are we from all of this? How far really we are? Do you think that with all of these solutions running into silos and isolations, do we even have a chance of converging this into an identity threat detection response? I know you have millions of dollars to pay for so many tools. Doesn't matter. Do you have the skills required to run those solutions?
And half the time, if you have the skills and the will to run them, you probably fall into the cracks because you know, half the time the tools don't talk to each other, then you need to create a layer of Splunk or whatever and then try and figure out AI/ML, which is spoken about so, so much nowadays, right?
But I don't think one can drive this because the triggers are many. And why am I saying this? Because you still have thousands and thousands of versions and you have millions of apps coming up on a daily basis. Why am I saying this?
Because the operating system and the Oracles of the world still come out with multiple versions on a daily basis, right? How would you even imagine for you to be able to control the stack and control the identities around it? I'm an IGA tool, long to implement, too expensive, too much of hard work to maintain the solutions. I'm saying even after spending millions of dollars, it's too much of a pain to manage those solutions. And without this, I mean disrespect to any vendor we happen to, we happen to have a converged identity platform. That's not the point.
The point here that I'm trying to make is not about a solution.
The point I'm trying to make is, do we need to look at it very, very differently in the next five or 10 years? Would these technologies be able to scale up? And if they do, very good, but are they able to scale up to meet the complexities of the world? And you know what? The case study that I started with, interestingly, they're still fighting on who is likely to approve and when for all your identity request, who owns the application is still a debate in that organization. Both of them replace two systems.
They're trying to implement the third one, right? Provisioning and deprovisioning at scale is still a problem. You still don't get error statements to say, Hey, was the identity provisioned or it didn't get provisioned for some reason. By the time you build connectors for one set of application, the core technologies have gone through a change, right?
User certification and recertification has now become a process. It'll become a generic process. If you have 10,000 users, the only thing that you can do is select all and approve them, right? There is no other way to do it.
And believe me, we go to the organizations and tell them this is not the way to do it. But no, they want to do it. Why? Because they just wanna meet regulatory guidelines. I a certification make sure that the CISOs are happy and the risk managers are happy, right? That doesn't solve your problem. And reconciling customer accounts to tackle fraud is still an open issue. How do you even reconcile 500 million identities? 40 million identities, maybe even 10 million identities for that matter. We have not even spoken about machine identity so far. We have not even gone that far.
Identity is a people process and a technology issue.
It's not a technology issue. I repeat identity problem that we have is a people process and technology issue. It's just not a technology issue. Two important messages before we wrap up this session. If it's a small to a medium enterprise, there is no way but to look at a converged identity platform. Not because we have one, but because everything would happen in the next five years in that order. If you want to create a trigger for an identity and take it up all the way to identity threat detection response, it has to be a single trigger.
You need to ensure that the triggers come from a technology which is able to cover most of your use cases. Maybe not all of your use cases, right? You cannot have 10 different solutions running with it. And definitely if you're small and medium enterprises, you just cannot bear to do it and shouldn't bear to do it. If you are a large company, I don't even know if these solutions would be able to scale up.
Of course we believe that our systems scale and they are made for scale and cloud native. But still looking at the complexity. Is this how you are really going to solve the problem?
Maybe not the first one. The converged one should be in a manner where you're able to ingest the MFAs, the SSOs, the PAM, the identity and access. What is a PAM solution by the way? It is just an elevated user. The only two questions that you need to ask yourself is do I want to do session monitoring and do I want to do vaulting for this identity? That's the only two things. And the third is it has to manage the session. That is a privileged access management solution. But otherwise, fundamentally it is an identity and an access management solution, which you ensure that you do.
You do your certifications, recertification have the right process for it.
And believe me, most of the solutions don't have that. And now going to the next stage of it where the complexity arises, you know what we, everything is normal for us, but the world is still at war unfortunately. And there is a cyber threat which emerges every four, almost per second. I got it from somewhere. Maybe it is five, maybe it is 10.
Who has an idea if that is the complexity and if that is what you want to accomplish by building up an identity centric security, there is no way in hell that you would be able to do it with the conventional technologies that you have today. You need to use a continuous risk assessment solution. It could be anything. It could be automation, it could be AI/ML. You would need to think through it a little differently. I believe there are a lot of automation solutions.
The one that I put on the left for right, for example is Alteryx SaaS idea, ACL.
You have a lot of automation solutions, UiPath, Automation Anywhere. You have a lot of visualization solutions, Tableaus of the world and so on and so forth. Unfortunately for us, they're disjointed.
Again, you take too much of time to try and get all of the three together and by the time you actually get it right, you probably don't have the skills in the office to continue to maintain them as well. So again, we go back to the same problem. How do you sustain something that you know you would want to achieve? But the only way that I can think through in the complexity that I spoke to you 10 minutes back, is having to build maybe something on your own. Maybe using something that we have is the ability to look at scale and hyperscale.
Which means you need a system which is able to connect to any system, acquire data, create data pipelines, create analytics on every data pipeline that you have. It could be identity, it could be something else. And create a visualization the way that you would want to see it in the way that you understand it and not in the way that I want you to see it, right?
So well, and then you have to add the business processes to all of that. Doing an identity risk for a consumer, doing an identity risk for a payment system within the same company is way different from doing an identity risk that you're trying to do on your third party or on your CRM solutions. Way different. The way that you look at risk here for reconciliation is way different than the way that you look at it from an Active Directory and certification and maybe an SAP certification.
You know, most of us are worried about making short our accounting solutions, okay?
But in an SAP kind of an application, you always have a maker-checker, right? Even if you lose one identity, you're not gonna lose a transaction. But if you lose an identity here, if you lose a machine identity, if you lose a privileged identity, you lose a consumer identity, you are sitting on a huge liability. So maybe you need to shift your focus to try and figure out how do we handle all of this?
And well, to try and wrap this up, what we have with the same thought process that I'm talking to you, we've kind of built up a digital identity risk platform. It's basically a larger platform and you can do a digital identity risk around it. And what you do is it's got bots.
So the solution is, what we are trying to do is box all that I'm talking about and make it into a champion and it has a collector bot, which means it can collect data from anywhere. I can go in five minutes and collect data from 10,000 firewalls. Noam solutions can do that by the way. I can do it for 20,000 firewalls.
Collect data at scale, analyze data at scale the way that you want to see it and report or visualize data at scale the way that you wanna see it because you wanna solve the identity problem today. You don't wanna solve the firewall identity after 30 days. Am I with you? You don't wanna say that. I'm gonna go through a recertification program and figure out whether I want the identity on a firewall at a perimeter and maybe I will probably dispose it after 30 days.
You wanna do it today, you don't want to do it after 30 days, right? So you need to be at speed and at scale both of it.
So this has got something which is similar to a GRC, but it is not a GRC. It can go and have what can go wrong scenarios. You can attach a bot to all of that. So just imagine you writing some 500 what can go wrong scenarios with your identities. Attach a bot to it, attach an analytics bot to it and attach a visualization bot to it. Create data pipelines and they can simply keep running at scale, at super scale.
And of course you can make your tree of what can go wrong scenarios in the structure that you wanted. You can have a nice dashboard.
And on the right hand side, the risk is interesting. If you have something which is wrong at the perimeter is a huge risk to you. If you have something which is wrong at maybe an Active Directory is a risk, but may not be a huge risk to you or maybe an SAP system may not be a huge risk to you. So you wanna focus your efforts on something which is really high priority and see it in a very different manner. And of course I can keep going on and you know, accounts and stuff like that.
And front office, back office, if you're looking at a treasury, the front office would become more important than a middle office and a back office.
So you would probably need to look at the treasury in that order and well this sits at the center and it can be utilized by just about everybody. The heart has to be one and people using it across the organization should be using one set of controls and not multiple sets of controls. And this supports the first line, the second line and the third line of defense.
So you need to embed in your entire process the fundamentals of digital risk management and figure out if you're able to solve this problem in the current world with a lot of dynamics in the way that it should be solved and not in a way that we continue to look at conventional technologies and then maybe put an AI/ML layer below that to figure out what next to do, how to approve it. Just because you have an AI layer, it's not going to help you. Right? So thank you so much for your time and a pleasure listening and thank you so much coming early in the morning. Pleasure to be here.
Thank you.
Thanks Anil for getting the ball rolling, for getting people's minds ticking over this morning. Just one quick question. How would continuous identity risk assessments integrate and work with real time intelligence systems?
Wow,
This again, a fantastic question and lack of time. I could not speak about it. Just imagine you trying to put an AI/ML solutions in your conventional identity stack that you have today. The IGA world talks about it. The IM world talks about it, the PAM world talks about it with the set of data being just this much, right? And if you do and if you embed a continuous digital identity risk management within different technologies that you have, the set of data is this much.
Just imagine the only difference which is important for an AI/ML is a set of data and the telemetry data for an identity has to come from 500 places and not to come from this place. So I think critical for you to be able to embed it and an amazing opportunity for you to be able to build AI/ML on top of all the triggers that you get from any of the telemetry data from a continuous risk assessment system.
Okay, great. Thanks.
And Ben,
Thank you.