As security and IM leaders do sometimes wonder, where are we heading with all these complexities, land implementations and such significant investment in technology? My name is Ann Mosen. And today I'm joined by co-founder city of brainwave, GRC, Sebastian, to talk about the next gen analytics and access governance approach.
Well, before we get into the topic, I like to take you through basic introduction about call and what, who we are and what we do. So we are an independent, neutral and information security focused Analyst Analyst company founded in 2004. We have of offices across the globe and we offer some vendor neutral guidance, technical expertise, and thought leadership in the areas of information security, including DD and access management.
Here are some of the areas that we specialize in, which include information and cybersecurity, identity, DD access management, IEG, risk management compliance, and all the areas concerning the digital transformation. Here are the three key business areas that have been branded as content communities and coaching across the three key key pillars that we have for research event and advisory. We provide you research on all major topics, including security and IAM.
The research is pretty vendor neutral, and we also offer objective advice, which is kept up to date, according to the industry standards and our research. Then we have got events spread across conferences, webinars, and, and special events that we host.
We provide as part of events, some future proofing of approaches and great networking opportunities for you to even meet the experts. And finally, we have the advisory services, which are sort of best in class and aim to be trusted advisory partner to your organization.
By working together, we try to make a business more successful and provide you an up to date and recent and current advice in the areas of transformation. Quick take through our benchmarking. I would say that advisory areas, which are from benchmarking to the, to project guidance, so that we help you make your project a success. The key for areas that we provide advisory services within, and it's a framework basically for our coping, a call advisory services, there's benchmarking optimization.
Then there's support for strategy where we help you to design a well thought out strategy to provide clear direction for future requirements and the support that we help you provide in terms of architecture and technology. To help you go through evaluation of vendors services, obviously development of architecture, as well as selection of technologies and products. And finally, we also help you with, and project guidance in terms of evaluation and management of implementation practices and other projects.
Well, there's a time when we are around the corner for EIC that starts next week, and obviously we have several other events coming through. So you feel free to look at those events and just for them, that interests you most. So coming to some of the housekeeping guidelines for the webinar, you are going to be muted centrally. So you do have to try and mute or unmute ourselves. This webinar is going to be recorded and the podcast will be available starting tomorrow.
And finally, we have got a Q and a around, we'll try to keep about 10 to 15 minutes towards the end of the presentation so that you can put in your questions, use your good webinar control panel to keen any questions that you have. And we'll use the time to answer your questions as well.
Quick take through the agenda in the, in the part one, I'm going to discuss the challenges of national IGA technologies and, and landscape. And we'll also talk about how we're trying to transform IGA towards NextGen IGA.
And if time permits will also talk about what leaders should do to align their processes, to support, transition to NextGen IGA. After me, Sebastian will talk about brainwaves vision and position of ity analytics and governance approach. And he'll probably also demonstrate how it's going to be possible to solve some of those immediate and urgent governance requirements with a short span of time, with a dedicated approach for IGA by brain, with GRC. And after that, we'll take any questions that you would've entered. Great.
So coming to, again, the foundation of IGA, what IG really is and how it's been possibly in the industry, right? And as I mentioned, you know, IGA has been a pain point for most organizations and still is I, I always term IG as a foundation to any organization's it security and it's really the backbone for any organization's security portfolio.
And think what happens if it's poorly designed, poorly implemented, and Paul invested into, I always say that, imagine all these security tools, which are working in organization without the knowledge of a user's identity or the user's attribute, where can that lead us to similarly, imagine all these security tools and technologies which are operating without having appropriate roles for your security administrators, it can actually turn into a massive mess, an easy mess for you if you are not having right control over user's identity and the administrative roles in, in, in for some of these security tools that you are operating in your organization.
So basically I'm trying to say that IGA creates that fabric, that links your business to security, and it allows the business to create, define, and even modify these security roles for your users, how they access the applications and even the resources that are owned by the business.
So that's, that's exactly why I say IGA is laying the foundation for ID security. Now what involves in an IGA? What comprises an end to an IGA platform? We have got obviously users identity, where we define certain attributes, user attributes, accent entitlements, right combination, right?
Grouping of those entitlements are basically form into their roles. And we have IG also manages the end to end creation modification, optimization of roles where you then start think comes under the role management. And finally, if you have a real proper role management, you have the right set of relationships, which define how one entity interacts with other and what kind of rights an entity has on certain resources or, or applications or, or databases, for example.
And finally, we have got as part of IGA, an authorization management, which defines what data, what actions are authorized to perform when I access certain resource or access certain application. And all of this combined gives you the foundation for IGA.
So what are the common IG challenges that we have that we hear about very often?
And, and, and as I say, you know, some of these are really, really the common idea challenges that we see in industry, sorry, but then, but then some of them have been, have been there and, and have coming across even in a, in a more stronger way compared to the previous times. So for example, look at our IG architecture, which has got separate disparate, Ary resources, repositories, and most organizations have these RT stores, which are spread across multiple silos.
It's really difficult to get a consolidated view of the user and the attributes that the users deal with, which eventually creates complexities in your environment. And it's very, it's very performance intensive in order to call it all those user attributes by creating multiple connections across the different databases and directories and application stores to Pfizers attributes are even in certain terms, the other way, trying to create a ol view of, of your identity using virtual directories.
Well, these challenges are still depriving organizations from the benefits of IGA.
Secondly, I think that most IM leaders, I send under pressure to create a compliance driven it and not by not their choice, but they haven't been able to somehow drive IGA in the direction of, of a risk driven approach. So I see the fascination of, of fascination to compliance for manic leaders, but leaders have to really understand that IG needs to be risk driven instead of being driven by compliance or policies.
You need to make it sure that it's risk driven and doesn't, you know, doesn't turn into a compliance tool just to make auditing teams happier. There's, there's a lot of potential in IG technology itself, and then just being a compliance tool. So understand your, your, your objectives from an IGA perspective and, and try to make IGA based on the risks as compared to just ticking some checkbox for compliance.
Finally, talking about customizations.
Many, many implementations have, have been overridden by costly and, and overly done customizations, which are again very intensive and deprived view of your IG benefits. There will always be demands from business and you need to make IG business friendly. So you have to, you know, go and put certain type of customizations out there, but make sure that you put a limit to these type of customizations, and also try to try to limit it by the extent of customization that you're going to do only allow the way for customizations which are necessary.
And it's always in the best practice that you record and manage these customizations and understand what the operation overhead is going to be in the long term for some of these customizations that you are allowing for your IGA. It's also other best practice to stick to a schedule, to use these customizations, have a proper review, regular review of these customizations and have proper decommissioning plans for these customizations. You need to also, for example, communicate with business, to give them indications, to tell them that why you can't support this custom anymore.
What are the technology limitations and understand from, from them as to when can they help you get rid out of those, you know, specific customizations that that can be moved to, you know, center integrations?
Well, coming to, I think I probably missed one challenge here. It's obviously the hybrid it environments. I don't think that's increasingly a challenge here.
Well, for deployments, yes. From technology wise, I would say that's not, not a big challenge because most vendors are now trying to give you technology, which aligns with hybrid it deployments.
It's, it's, it's the reality. I'm going to be a reality for, for longer time. So we need to make sure that we understand it. And we try to brace up our IGA for hybrid environments, which supports IG functions equally well beyond your on-prem environment, into the cloud as well. There are vendors out there in the market, which you know, which are providing the support for hybrid ID environment. They themselves are providing, for example, IGL service.
What we call as also Ida IGA, most vendors have rearchitected their products to offer an anti bridging capability to integrate with, you know, cloud providers using certain specific industry standards.
Some IG vendors have even partnered with specialty audit entity brokers to extend on-prem IG capabilities to cloud applications. These approaches are very suitable for ions, which have, which have decent on-prem it footprint and may have requirements to support complex IG scenarios for legacy on term applications, for example.
And the second category of these vendors are the ones who offer a cloud IG product and are cloud deployable and have ready integrations for most popular cloud applications with standards on, from applications as well. So these kind of vendors and technology might be more suitable for, for organizations who have a massive strategic focus on moving to the cloud and are trying to achieve the benefits of cloud deployment in a shorter de shorter deployment cycle with faster upgrades and maybe lower in the short term.
Finally, we come to the IG market trends and what's emerging and what's being carried forward.
So when I say the continuing trends, these trends basically are the trends that we have carried forward from the previous IG version.
I'd say, you know, IG one, IG two, trying to just turn on a numbers and saying that it's next gen IGA. So what has been carried over from, from those previous versions, we see that, you know, better integrations for IEG and UAP. These are some all terminologies for audit administration and governance and user access provisioning. We are seeing that IG pro IG tools are increasingly combining these kind of capabilities to provide you a more comprehensive capabilities across administration governance, including provisioning and, and access analytics.
Obviously there is a drive or I would say desire to use certain types of tools for integrations, for example, your it service management tools, especially ServiceNow remedies, remedy for frontend, for access requests, where you can use some of these, you know, it system tools as a frontend for making access requests, but still use the, in the back end, your IG engine to facilitate those integrations are provisioning to the target resources.
There's also continued archive for a trend for enhanced user experience, which is an important selection criteria for the business.
We are trying to, most vendors have actually tried to re-engineer they business use interfaces, or some of them are actually in the process of doing so, so that, you know, it's, it's, it's, it's a business friendly use interface that they can provide as part of businesses to interact and engage more actively in the, in the IG processes. Our template libraries is another trend that we have seen being Carrie forward to NextGen IGA, where many vendors are now already offering libraries of workflow templates, which better fit your common business processes.
And also, you know, trying to reduce the startup time cost by simplifying any customizations that you may have to do otherwise. And obviously the trends for lower DCO, we obviously see and try to give emphasis on products, product features that can drive a lower DCO in the long run.
We also try to emphasis on that can help IG administrators automate, for example, routine tasks and offer you support for technology and workflows that can be, you know, extended to business and application managers to, to sort of manage own users and their roles to sort of reduce the operational and administrative goods.
What about the emerging trends that we are seeing in industry? So we have got automated reviews, obviously, which is being driven by several rule based policies today. So we have got rule based policies which are driving automated reviews in organization.
And increasingly we are seeing the use of tics. And I'll talk about this in a minute for driving these automated reviews.
Finally, I think I talked about the cloud IGA and we, we discuss about, you know, what kind of vendors are there and how they're providing these services to deliver IG services from the cloud in what kind of fashion in a multi and infection, for example, which you can, you can subscribe to and start consuming right away without any further, you know, deployment and maintenance overheads, obviously talking about acid controls, they are still a big, big thing for several organizations who have got complex E R P and applications with several authorization models.
We talk about as postmodern ERP or applications with complex authorization models. There is very immediate and, and very important requirement to make sure that there are no so risks when you try to create new roles for these applications. When you try to approve rules for these applications, when you try to provision access for these applications.
And that's because increasingly important, because over a period of time, more and more organizations are moving towards a post modern ERP, kind of a model where you have got the EERP functions, being sourced from multiple cloud providers, any, any app, any standard, or I would say an average organization at one point in time has got over five to six different E P functions being sourced from different E P providers from cloud. So think about the complexity that can get into the way, if you are not able to have a view of how the rules are being managed across this applications.
And if you're not able to perform proper segregation of duty controls over the roles and entitlements, which are being assigned to people over these applications. Finally, we talk about artificial intelligence for IGA and it's, it's obviously one of the, one of the key trends that we are seeing in the, in the IG industry. I always say that we haven't IG has never been very far from implementing artificial intelligence in a way that RD analytics, which is I right opposite of AI has been supporting it for, for a long, long time.
And the analytics when combined with the machine learning algorithms in the industry, it gives you the reasons to enhance the IG processes, more commonly role management, for example, which includes role optimization, access certification, overall access request management and approval management. It gives both, or I would rise to artificial intelligence for IGA. So a combination of analytics with machine learning algorithms or the processes that we see is the, is the definition or how we define AI for IGA.
Well, coming to some of the key trends that we see within AR analytics and how it's trying to fast forward IGA, I think I'm already eating on time for Sebastian, but I think I'll take on a few minutes, Sebastian, and then give it what to you. So we, we try to talk about four key pillars in audit analytics, which are, which are sort of fast forwarding IG. And we talk about risk a where you can look into how we can derive this score associated with various activities, including approving access requests.
We have got recommendation engine, which can use all this information particularly to provide recommendations at the time of users when they're trying to request access to a resource or application telling them well, you know, these kind of access requests have got 50% of approval rate. These kind of requests have never been approved in, in last three months.
And this kind of request, you should probably try to raise because some of your peers for example, have got this kind of, you know, access.
So some of these recommendations at the time of user requesting access or the request management and that same, same thing at the time of managers or owners trying to approve the requests, what kind of recommendations they can get from, from the recommendation engine in terms of, well, this has got this specific risk there risk score, which is assigned to this part access request. This request has never been raised and passed. You probably might have to go and review the elements, which are, which are engaged in this kind of, you know, a request creation.
So I think, I think some of these recommendations, which can actually help you, help you look into what may be standard versus what may be nonstandard and where you really want to focus on in terms of both requesting access and approving requests is, is, is an increasingly important criteria and factor, which is we are looking into IG solutions. Finally, what automation is another key pillar of, of analytics, how you can automate specific approvals and obviously how you can automate the reviews. For example, the access certification process.
These things are again, where we are going to use a lot of AI for IGN two. And finally, we have got predictive analytics as part of under the analytics, which helps you to identify any suspicious behavior. People behaving differently from the standard way, how we can define and use some of the threat and capabilities here define, well, this user is not performing on the way it should be. There is specific reasons that we, we, we believe that it might be this product action might be a threat to the organization.
And finally, IGA and an Analyst can help you with activity, correlation, and reconciliation of activities with something which most of the tools are unable to do because IG has got the context for identity and it can help you understand what activities are being done and how you can correlate these activities across different applications and systems to derive some meaningful, you know, reason out of it.
So that's where we talk about the four for audit analytics. Here is a quick representation of what we look into the machine learning for IGA. And how does machine learning have a play in IGA?
So this is all the different type of information which you can discover and gather as part of the, the data gathering phase. So you have got user and audited information resource and application usage and access data. You have got all information from access request and approval information, the various access entitlements and anti relationship information. And finally, we have got all the access and authorization information, which can help you to actually create and modify the IGA machine learning workflows in the long term.
So how we can create IG data modeling, model creation, obviously the model testing and validation and the two phases as part of the machine learning workflows, which are model elation and model deployment.
And finally, all this can help you into, to deriving the predictions and recommendations for IGA, where you talk about, you know, contentness role optimization. I think I talked about access request recommendations, recommendations for access approvals, and finally, how you can automate a certain processes like, you know, access approvals and even access certifications.
So this is where we think the machine learning is going to create important role along with analytics in defining and creating artificial intelligence into IGA. Well, we'll see how that plays. And obviously now it's time for me to hide it over to Sebastian to talk about his part. So Sebastian, over
To you. Okay. Thank you. Thank you. And all so, so perhaps to, to understand generation, we need to take a, a step back and analyze the identity and access management situation.
So, so, so far we have experienced several identity teach on access management waves. The first wave for, for the oldest of us was in, in the beginning of two thousands. And actually at the very beginning, I didn't teach on access management was really dealing with terms of this spoken legacy system.
So, so the ID and the goal was mainly to synchronize data between all the system in order to reduce the burden of the manual administration. So, so it was really a directory driven approach. It was really actually technical efficiency was delivered at the end of the day.
It was, it was around a meta directory on, on a access access provisioning starting 2006, 2008.
There was a first shift on, on the second wave appeared in high and access management and actually governance appeared. So we have, we had an increase of regulatory pressure, which leads to actually identity and access management, not only an it stuff. And I mean by that only doing synchronization and that as synchronization, but it was more seen as some kind of an accountability thing.
So the Heidi was really to formalize lifecycle on, on really high identity lifecycle and access lifecycle in order to really understand actually we are working for the company and who have granted access to what it was really some kind of a workflow driven approach. And the idea really then was to improve the process efficiency and, and of course, to be accountable and to improve accountability by early understanding who have, who has granted access to what?
So, so most of the solutions basically by now are still in the second wave.
And, and what happened actually let's say two or three years ago is that there was some kind of a conjunction of forces, which lead to a shift. So the very first thing of course is that on, on a actually there are no more it boundaries. So people are now working from everywhere, not only from within the company, so they can work from their Hofi can work from, from customer site. And actually as well, companies are no longer owning the infrastructure.
So we are entering into some kind of an hybrid hero where most of the high system are no longer owned by the company. And they're, they're located in the cloud basically.
And, and the idea behind, behind all of this is digital transformation. So actually by now companies, most of the companies have entered into a digital transformation era, whereas they have tremendously accelerated as deployment of new system and services.
And most of them basically are in the cloud and in order to actually to be more efficient and in order to embrace actually new, new business opportunities, but at, in, at the end of the day, it means that today we are in an area where it, some all is no longer the only one having the control control of the deployment of the application of the adoption of the new application is a mix between it, but also business and especially marketing and business people, which are also leading the pack in terms of adopting new new system.
In the same time we experienced an increased pressure from a, from the care. So basically cyber attacks. And actually as a matter of fact, attacks are no longer limited to the boundary.
So the, the legacy is, but we know we are also no facing attacks within the systems.
Themself attackers are, are trained now to, to steal money by, you know, attacking the ERP systems themselves. And we also have actually both attacks from the outside, but also from the inside with, with insiders. And the last thing is, is an increase, a pressure of compliance and special in Europe with GDPR actually now data data is a parameter. So which means that we, we really need to focus in depth within the application in order to mitigate the risk and to, to stay compliant.
So all of this said means that we are entering into some kind of a third wave. So this third wave of identity and access governance is really driven by the business.
So, so the idea is really, is to be able to embrace new business opportunity and digital transformation opportunities with a risk based approach. So the idea really is to simplify all the processes on and to align all the processes and especially all the management processes to a risk score in order to be efficient.
And perhaps basically by let's say by approving at first, or let's say trusting at first, but by enforcing the controls. So the ideal is to simplify life cycle processes and simplify security policies.
And at the same time with this third wave, what we need to have is to understand what's happening below the phase. So it's no longer sufficient actually to manage, let's say, cause grant accesses within the application because of the compliance constraints and especially that constraints at the data level at the transaction level.
And because attackers are now looking within the systems themself and especially within the security mismatch in terms of configuration, in order to try to steal money, we really need to understand what's happening below the surface at the transaction level, at the data level on, on even at an INFR level in order to mitigate a risk. So this third wave actually, what's interesting with this old wave is that it means that identity management, so basically managing the access, right?
Some all is now different than governance and analytics.
So it has to be seen as two separated tracks, whereas operational efficiency still needs to be delivered where we have high volume of eye movement, let's say so where we need to automate things in terms of access management, especially while we really need to deploy data dedicated policies in order to cover the risks. Whereas risk is at stake.
So within ERP system at the data level for, for some system, which are hosting personal data, but, but also for some cloud system based in the cloud where some operational efficiency could not be as tech, because we do not have huge movements, but at the same time, we could have high risk by having some, some data liquid or some overallocated accesses.
So in this software, we, we have a new approach where identity management in terms of operational efficiency has to be seen as different than governance and analytics and somehow governance and analytics has to be seen as some kind of an holistic system, which, which can provide value to the way within your it security strategy.
So not only for IM system, but also for access management for privilege and access management on, on even for the same system.
So as a, here, here, you can see some, some, some, some example of this. So basically of course, with our identity analytics, because you are consolidating all the information about who is working for the company who can access to what at, at the fine ground level and who is doing what you can spot data, quality issues. You can high identify configuration discrepancies, but at the same time, you can also some O empower your access management system by facilitating risk based authentication and risk based access to some system.
You can simplify the management of the systems by onboarding your access request system. And by running dynamic risk checks while granting new accesses, you can have more clever controls on, especially you can have what is called smart access review or smart access certification, where you can help people being more efficient while validating the access rights.
And of course, in terms of monitoring, because you have the context, you can enforce control system, such as your SIM system, by having user behavior analytics on one hand, and by providing identity context to the SIM system, in order for the SIM system, to be able to, to run more in-depth analysis when require.
So Brainware actually, we are an identity analytics on governance specialist on warehouse specialized in identity analytics. So it means that with brain, well, we do not do access management on high identity management.
So we do not manage the access right per, but we are providing solution in order to help a customer to bring an identity context in order to mitigate their identity risk, improve their governance processes and compliance processes and all their systems and, and especially identity and access management systems. So, so far we have deployed the solution worldwide, and we have more than 1000 access certification review access education company run on a monthly basis in order to, to help a customer mitigating their risk on being compliant.
So the idea with brain we, that we can help you, whatever let's say the layer is. So we can with brand, we consolidated data in a way that we can help you at an industrial level understanding what's happening within your system, within your server, within your database, within your cloud system, as well, such as Amazon web services, active directory, Azure, Google suite.
For instance, we can also analyze information at the data level. So share folder SharePoint element of this 365 Google suite as well. And we can of course, as well perform analysis at, at a, at a business application level.
And what is interesting with the system is that everything is done within the same solution, which means that at the end of the day, you have with brain, we holistic view of the situation, whatever the layer is, infrastructure data on business app on whatever the kind of need is.
So whether it's, you know, in order to let's say accelerate the momentum of your digital transformation, or it is to your identity and access management initiative in order to do that with brainwave, what we do actually that we're applying some kind of a business intelligence approach to your data, and we're grabbing data from all of your system in order to, at the end of the day, re reconsolidate some what, what we're calling the access chain.
So thanks to the access chain we know with brainwave who is working for the company, what are your most critical assets, whether it's at an infrastructure level, data level or application level who can access to what so which accounts, whether there are personal accounts or privileged accounts who can access to what and who has done what, because we can also grab all the transaction look.
So at the end of the day, thanks to this accession and thanks to the data Hoover that we have and will help, will help us to, to grab this information from all of your system, whether their, their based on-prem or in the cloud, we can give you this holistic view of, of the situation in, in the company, sir, thanks to this. We can, we can help a customer basically to move to the next level in terms of identity and access management.
So here I have actually two customer case, which, which has been anonymized for the purpose of this webinar.
So two customer care here centered around identity identity and access management. So, so the first one is called augmented I identity and access management. So the idea of the context is a mid range company sector is this company hosting hundreds of application for, for is for its employee and partners, and the successfully deployed on identity and access management system 10 years ago. So it was some kind of the very beginning of the second wealth. And thanks to this system, actually, there are no managing their identity lifecycle. They're also managing their access lifecycle quite well.
So there are the accountability in place and they, they can also automate provisioning for, let's say, 30% of the Perter. So for 30% of the perimeter provisioning is automated.
So, so the situation is that now they're facing a situation where they need to address new parameters and especially terms of cloud based system with, with a great momentum, because it's driven by the marketing team.
And at the same time, they have a huge compliance pressure increase. So they have to enforce ITGC so control, especially for all the privileged access management system.
They have to enforce access certification, access reviews, both at an app at an application level on, at the data level on actually they have chosen to leverage their existing investments by adding to their existing identity and access management system, an identity analytics solution.
So thanks to this now on top of their identity and access management solution, they have reporting and dashboarding for the stakeholder and especially for all the business people, which gives, gives them a good understanding of the situation who can access to what within their teams, they have automated, it general controls for all their privileged accounts and reports are issued on, on a regular basis to all the stakeholders. They have applied governance and new parameters.
So especially they have extended the, the breadths of their system in order to address as well, governance at the data level on governance for some cloud-based system and especially Amazon web services on, on Google suite. And they have deployed smart access certification in order to review who is accessing to what within their it system. So deployment timeframe was three months for identity analytics followed by three months for smart access certification.
And at the end of the day, they end up with reporting such as this one where business people can have a clear view and understanding of who can access to what within their team, along with the differences on, on a, with a snapshot approach. So what changed occurred from one period to another, they can also run some analysis such as this one with, with five table in order, not only to understand what changes occurred within, within the team, but also what are, what changes occurred from one people to another, they have deployed it GC control.
So with the brainwave solution, actually they know, through the web Porwal, they can access to measure dashboards and through those dashboard, they have access to other results of all the controls at, at account level or permission level. So here, for instance, situation of audio accounts for given application,
They have also enforced control with the identity and access management system. So basically with brainwave, what brainwave is doing is that on one hand, it is collecting on correlating data from the identity and access management system on user end data from the systems themself.
And at the end of the day, it shows up here which access rights are over allocated. It means by, I mean, by that those access rights have been configured within the system, but we do not find any clue within the I identity and access management systems.
The, those right has been properly granted. So zoo rights are some over located. We also have deployed governance at a data level. So here we can access to what at a folder level, for instance. So zoo people, finance, all the accounts, all the people, because we have reconciled everything. So here data is reconcilable from attra system, active directory on the five servers themselves, and finally smart access certification, which are both risk based here.
So depending on the, on the it GT control risk are highlighted as well as, as some, let's say detail for each individual entries, but we also have access certification in a form of five table, which tremendously improve operational efficiency of the business people while they're running the review, because it automatically response here, let's say discrepancies in terms of access rights, which, which are granted to the people.
So another use case actually, which is ed and access management fast pass.
So for this one, it was a bit different actually, because this company also had an hundred application deployed basically on, on there an absolute IM system on the, the took decision to reboot their identity and access management initiative. So basically starting again with a new solution, the idea is that they have chosen to mitigate their project risk with identity analytics.
So somehow ahead of this identity and access management deployment, they have deployed brain wealth in order to run identity analytics analysis in order to improve that equality within all the repositories to perform role mining and role modeling, to enforce control where it is needed at first.
So on especially year, the case was for privilege access management and to deploy at first reporting and dashboarding in order to monitor the progress of the identity and access management deployment on what is interesting here really is that when you're deploying identity analytics at first, it, it can be done with a very, very short time frame.
So here is done ahead of time from the identity and access management project one month in order to deploy identity and identity entities and who start dealing with that quality problem.
And then here it's, it was something like three months in order to do role modeling campaign in order to model the role on in order then to, to being able to, to fulfill the identity and access management model. So, so that equality actually is under with brainwave at the various level, brainwave can help you identify discrepancies in terms of permission. It can help you hid documentation around your entitlements.
It can also, of course, help you to identify all the accounts, reconcile the accounts, whether they're personal accounts or privileged accounts and brainwave can help you as well to perform role modelization and role mining campaigns. And we have dedicated interfaces for this with, with role mining capabilities, which helps you really to be more efficient in order to modelize new role for the business people.
So at the end of the day, really the idea whenever you, you, whether you're extending your high identity and access management parameter, or you're starting a new identity and access management initiative, is, is that you really need to think ahead and think about this third world. You need to assess your identity and access management priorities, whether it is operational efficiency driven or risk driven, and you really need to choose the right strategy and tool set in order to implement this strategy.
For those who want to, to have a short demonstration of this, keep in mind that we will be present at the EIC next week, booth four C2. And we will also have a speaking slot on may the 16, where we will present access certification company. And we will demonstrate this during EIC. Thank you. So perhaps will enter into a Q and a session.
Thank you, Sebastian. That was really insightful. And I will look for any question answers and believe we have got some question answers here. So give me a sec, the first question is what do you mean by smart access review? And can you give some examples?
Sure. I believe that's question. Yeah.
Yeah,
Sure. So actually the idea with access certification is that business people do not want to do access certification at the end of the day.
So, so that's the reality, you know, it's, it's a painful process for them. So there have something like your five minute time max to spend to access certification. So you really need, need to be in a situation where you take the most of those five minutes in order to do so as the ID is to empower your access certification campaign with analytics and machine learning, as well as with advance, let's say UX or presentation techniques in order to present really what really needs to be reviewed and on Abra wave.
Actually, what we have is that we have a mix of business logic, risk scoring, and data mining on, on presentation in, in the form of five or table, which at the end of the day, actually automatically recertify, what is, let's say not risky or very normal situation in order for the business people really to drive them to a situation where they will have to have a look at what is really important.
And we have in a situation where most of the time, actually they're able to review something like 2003 in less than five minutes because of also business logic and algorithm applied to, to the data that, that have to be reviewed.
I think Sebastian then I, I think you you're you to the mark there, when you talk about smart access review and as you showed the use of pivotal table for, for giving the access, that's a good example of, of I think smart access review, where managers can do a number of reviews in a very short span of time.
And, and eventually, you know, they can understand what the risks associated with the particular approval are, what they're getting into when they approve a particular risk, a particular access request. And on the longer term, you know, if they find a specific policy violation within that approval request, who they can ask to mitigate it within the, within the interface itself and further information and remediation back into the process, that's something which can actually help you to complete the cycle for smart access review.
And, and as I said, you know, it's a good example there. Well, coming to the next question here in the IM fast path use case, how does your manage or other, how do you manage to deliver value within a month?
There is a trick here. The idea is that with identity analytics, as compared with identity and access management, you are not managing the access, right? Which means that with identity analytics, you do not need to have that data connector. You can rely on simple data extraction or simple flat file. As a matter of fact, you, you just need some or to grab the data. So it's not a connector.
It's, it's more as seen as a data Hoover, let's say, and, and we have tons of them. We can also rely on, on simple data extraction on, on, in this use case, the idea is that actually they were already trying to improve data quality. So they already have, they already had tons of data extraction, which have already been done.
And, and we relied on those data extract in order to do the analysis. That's the reason why it was, you know, a very reduced timeframe in order to, to, to provide value because there was some or no architecture involved at all.
We, we did not have, have had to deploy a connector in order to, to, to provide value in this context.
Thank you. And we have more question by the way, we still have got five minutes.
So anyone, if you have to ask the question, please enter the question using the Q a panel on your, on your code webinar. So Sebastian is, somebody's asking about the pricing model of the solution.
Okay. It's it's entity based.
So, so with brainwaves, the ID is that it's a subscription model. And so it's mostly deployed OnPrem for a customer.
It's, it's a subscription model on annual subscription model with two keys in terms of license. The first key is a number of identities where we are, where we're running identity analytics on them. This is the only key in terms of volume, whatever the number of applications, accounts, permission, data, even deployment instances identity is the only is the only metric that we take on the, the other one is some odd human of features or functionality that you want to have. So for instance, so you have identity analytics, which is a module, and then you have some adds.
So access certification is a dedicated a as well as segregation of duties control, which is another dayed addon for the solution.
Thank you. And we probably have the last question here can list the IM system compatible with brain wave. So I believe what are systems that you can possibly integrate with, okay.
Or, yep.
Okay. So actually let's say 90, more than 90% of our customer have deployed an identity and access management system.
So we, so the solution has already been integrated with, with various system, such as cell points, IBM, computer associates, Microsoft as well for rock. And we also have some customer actually have a built their own B box system based on remedy or service node, for instance, for, for the most recent one.
And, and we were also integrating with those system as well. So really the idea with brainwave is that as long as you can extract the data, we can leverage the data, whatever the underlying system is.
Thank you, Sebastian. And one more question here, do support data, access governance. And so how
So? Okay.
So yes, we support on what is interesting is that we support that access governance in the same solution. So which means that in the brainwave data model, you can have at once those view of who can access to which application and who can access to which data it's technically speaking, it's, it's very different because we have dedicated algorithm for this, and we're supporting that access governance at the file of our folder level.
We're also supporting some systems such as a SharePoint email system, Microsoft 365 Google suite, for instance, it's, it's quite interesting that access governance and, and we are running governance and analytics at the data level as well in order to help customer to run access certification campaign in order to classify data or to enrich data, for instance, by understanding with your, of which system and especially at the data level.
Great, thank you, Sebastian. That was really insightful and hope.
Sebastian has been able to answer all of the questions here on the screen is related research to this seminar from co a call that you might want to refer to. And with that, we come to an end of this presentation. Thank you for joining this webinar and hope you take some important takeaways from, from this.
Thank you, everyone. And goodbye.
