Hello and welcome everyone, Ann, how are you? Good afternoon. Good afternoon. Great. I'm very happy to have you all here. So let's do a quick round of introductions.
Jeff, let's start with you. Yes. My name is Jeff born. I'm the chief software engineer for Optimal IdM. I've been working in identity management full-time since the nineties. So I definitely have a good, clear picture of where we've been. So hopefully the, where we go, we will become clearer on this panel. Thank you. Fantastic.
Thank you, Josh. Let's move to you next. Sure. My name's Josh green. I'm on the product team at Duo. I unfortunately was in high school in the nineties, but I've been working in IM since 2010 and transit where things are going Well, we're happy that you're here with us and still going to bring your insight then Yeah. To you next.
Yeah, I'm DRS. I'm the school street strategy officer at axiomatic been doing IM for well over a decade in various roles, products, engineering, and now strategy as well. Great. And Martin, for those audience members who haven't met you yet, could you give a brief introduction? Yes. So I'm a Brisbane Analyst called one of the founders. And I have to say I started in the late eighties entity management with early network and line manager version. Great.
Well, we're glad that you're all here and let's use the previous discussion that we just had between Martin and Fransua as a diving board into this discussion, we ended with the cloud previously and now I'd really like to ask why should organizations move their IAM to the cloud? Now let's continue in the same round.
So, Jeff, what are your thoughts here? Yeah, so, you know, we've seen recently some pretty high level things such as the Colonial attack and the other big high profile ransomware attacks. So the biggest reason that people should consider moving their IM to the cloud is to get the best of breed security. Rather than every single company trying to become an expert in security, they should try to leverage the best minds available in the industry that have really created some outstanding security solutions. Thank you, Josh, what are your thoughts here?
So I think the thing I find most exciting about the move to cloud is that it's not just, I mean, early on, right? It was take the server, put the server in the cloud, but that's not how it is anymore. Right? We've got containerization, orchestration and, you know, then you've got things like service meshes around that. So the way we build and deploy applications has completely changed and the ability to secure those and the level of resiliency you have, especially with containers, is something that you really can't replicate on premise.
I mean, the amount of infrastructure you'd have to deploy to do it would be very, very complicated. And in the cloud, it's, you know, a few clicks away. You've got infrastructure as code. You've got all this different stuff that really allows companies to move and be much more resilient and flexible than they ever could before. Great. Thanks for that.
The, Yeah. And great points by my panelists as well. And I think to add on to that, I think that the fact that cloud allows you to scale. And I think if you look at how IDT access management system have been able to scale the next frontier of the scale, you can get it only within the cloud infrastructure. You really can't do that within your own enterprises.
Another, I guess the logical explanation also is that when you're moving your workloads to the cloud, why wouldn't you want move your IAM to the cloud where it's actually near and you're protecting the depth part of the test? Well, why would you want to do it on your enterprise where you want the bridge fine. But I think the, the logical step would be the cloud indeed. Great and marking. And I think one, we heard about containers and, and other aspects.
And I think what is also interesting to surface that with containers, with the way we, we with edge computing, with other approaches it's anyway, a continuum right now. And, and I believe everything we do in IT, we should do in a way that is we treat or deliver service in the inside of a cloud deployment. So we deliver service.
We don't look at what is the server and all the technology below that, but really understand it always the same way that makes a lot of things simpler in security, but from an identity management perspective, the point is, if we run this as a service in the cloud, we can concentrate on other things. We can concentrate on processes on so many other aspects we need to solve in identity management. And I think this is a huge advantage of saying, at least we don't need to care about setting up the server configuring this file, doing that here, that here.
So I remember setting up Sun Identity Manager some 15 years ago or so, and you really had to learn a lot about a lot of middleware technologies and other stuff to just get it up and running. Interesting points there. And if we jump to considering some of the challenges here, what are the typical silos that are at play within the identity space and why should they be eliminated? Let's go in the reverse direction this time. So Martin take it away.
Oh my, my, I would say the biggest silo these days has three characters, S, A and P. So I see so many organizations where SAP is separated into a silo. So if then it should be something where, say, we have all business applications in the unit, not just SAP and from an identity perspective, that means that some part of user management, some part of access control and other things commonly are treated separately. That makes things really complicated. This is when I had to name the biggest silo challenge for IAM, I probably would start there. Interesting.
C what do you, yeah. From my point of view, I think that is silos within the organization in terms of like, which development part, right? So if you are a developer, you're focused on your access management for your application. If you are compliance officer, you are looking at only the compliance and regulatory part of things. And if you are the dev op, all you care about probably is making sure that your things are up and running.
So there is silos, but it's, it's captured by the role that you perform within the organization, but that silo needs to break because otherwise you don't serve the organization, need of doing access management for the whole company or all the parts of the company. So it needs to be independent and also proceeding the role as such Interesting Josh.
And From my side of things, I mean, you know, for me back when I was doing professional services, you know, you could predict pretty quickly whether the project was gonna succeed or fail based on whether there was a disconnect between HR and the actual tech organization, right. If they were brought in early and they were on board and really embraced to stakeholders in, in changing the processes, odds are the project succeed. If they weren't, and it was various different products, right? It wasn't a product problem.
If HR was not involved in the beginning, if that wall was there between those two silos, the project was pretty much doomed to fail. So for me, that's always been the biggest one And Jeff, Well, when you talk about silos, I think you have to differentiate between identity silos, process silos, and functionality silos. So the re and each of those things involve very different approaches. A absolutely the, the identity silos is the one, obviously most interests us because we're an IM and the, there are often very good reasons why those silos have to be there.
Sometimes it's regulatory, sometimes it's business requirements, but getting rid of identity silos may well be impossible in many scenarios. So then if you can't get rid of the identity silos, you do have to be able to manage them holistically. So then there's two very good approaches to doing that. One is to sync the identity silos into a common cloud repository. The other is to merge them using a virtual directory so that you can present a holistic interface to your identity silos using a virtual directory.
And then once you do that, then you can start attacking the process and functionality silos to try to merge them together. Great insights there. Thank you. If we think about the practical side of this, how can leaders start implementing an IAM initiative in their enterprise? How should they go about this?
Jeff, let's start with you again. Well, I think that they should do is they should start with their highest. What they see is their highest security risks first. And what we like to tell our customers is if you're not doing universal MFA, start there. Now there's a lot of good, I mean, for security, there's a lot of good reasons to do universal MFA, but the upside is there's a lot of really good zero cost solutions for doing MFA out there that are available from a number of different vendors.
In fact, we sort of have an informal slogan that is MFA shouldn't cost extra. It should just be baked into everybody's solution. So that's my best solution is to start there and then let that initiative pull forward the rest of your IAM needs. Great.
Josh, what do you have to add? Well, unsurprisingly coming from Duo, I'm not gonna disagree about the MFA point at all, but I think, you know, one of the things we're, when we talk about evolutions of things, right? We talk about like single sign on, and it's one of my favorite examples of security done right. Because everybody thinks about it as a convenience tool, right? Something that makes your life easier. But in reality, it was designed to stop people sending usually poor and reused passwords all over the internet, right? To all these third party companies.
And then our, our best security was only as good as the worst site where they reuse their corporate password. So we centralized and that to talk to the universal directory side of things, right? When you centralize on the universal directory, one of the nice things you tend to get out of that if it's a good one is you get single sign on. So that's where I would say sort of the next logical place to go, cuz you bring centralized control and hopefully get yourself down to one password.
And of course the flavor of the week, this year is taking it one password further and going fully passwordless where you do everything via cryptographic relationship, rather than having that thing. You know, you replace it with something you are and something you have, and that's sort of the new MFA or at least the current MFA frontier Serious. What can you add here? Sure.
So I've been lucky enough to have been on both sides of the spectrum. I've been a vendor I've been on the enterprise of customers of an enterprise as well. And one of the things I've found is that the NIH syndrome, the not-invented-here syndrome. And I think that's a very, kind of a quick trap that people and leaders can fall in where they feel like unless you have built it yourself and invented it within your enterprise, it's no go. And I think that's the biggest trap that in IM you, you can see leaders fall into and it should be avoided as much as possible.
The other aspect is being able to be future proof because technology advances quite fast and you need to be able to come up with technologies and solutions, which can stand test of time. So anywhere and everywhere, where you can do things which are related to standards, things which are on the top of the it cutting edge, it will become the norm at some point. So you might ask, well, be at that level so that you reap the benefits of actually doing something really good. And Martin take it away. Okay. Yeah.
So, so I have to be careful not to talk too long right now because there are so many things to that. So MFA you can't do, you can't can't do MFA wrong, but you can't do anything wrong by going for MFA. So MFA is always one of the first things you should do. No doubt. I think from a broader perspective, when, when you look at future of IM and modernizing, IM understand where you can be in the future, make your plan, make your picture, but also structured into based on risks, based on your requirements and your gaps into smaller chunks so that you have projects you, you can run successfully.
And I think one other thing, we brought up the theme of containers. We brought up the sea of standards. I think one, one other thing is what we definitely must leverage. If we feel that we need to invent something ourselves, that at least let's do it in a manner that we can handle it over time below the container. We have the microservice, the microservices exposes APIs. So if we do everything, we code everything we orchestrate in separate microservices using APIs, stable set of APIs. Then we are much better than we have to be before with all this customizing within the product. Thank you.
And so keeping eye on the clock time flies, let's jump to our final and perhaps most, yeah, the question our audience members are wondering the most, which is what future developments do you expect in this space in the next one to two years, Martin, let's start with you and work backwards, Holistic concepts, like our identity fabric, decentralized identities is taking a far bigger role and hopefully finally, and switch. It will definitely agree with the far more policy based access control and trust and time access controls. Thank you C.
Yeah, just as Martin mentioned towards the end of it, I I've always felt that access management used to be kind of sub embedded within the identity management space or within the application, which is kind of on the web straddles, the two, but now, and the coming few years is where access management is gonna have a separate entity and identity of its own. And what I would see there happening is actually a lot of work around intelligence and optimization.
So you don't write policies that are systems, which will learn policies that needed to be there based in patterns that you'll be of behavior as well, which will augment the policies that are written by humans in order to do certain specific things. Right. Thank you, Josh. Yeah. And to pick up on what Martin was saying around decentralized identity, I think that's the thing that actually has me most fascinated at the moment, you know, it has it doesn't, it hasn't even really been standardized to the point of having a particular name yet. Right.
You've got Decentralized Identity Foundation, you've got self-sovereign identity, you've got Trust over IP, which Microsoft and IBM and everybody are working on. I think that's huge.
And I spend most of my time dealing with authentication and trust at the moment anyway, but one of the key problems in passwordless that all the vendors are facing is the enrollment and re-enrollment issue of how do I know having never seen your face before that it's you, that I'm dealing with and what most of them are doing is they're falling back on a preexisting certificate based system or a preexisting user and password and MFA, and that gets you there, right? It's better than nothing.
But I think the idea that you should control your own identity and everyone else should just be a credential issuer, not only has implications for solving that problem, but for privacy as well. The idea that you'll be able to cryptographically assert say, you're going to a bar, right? And they wanna confirm your identity, that you'll be able to cryptographically assert your age without having to provide your name, your photo, your address, and all this personal data. It'll be much harder for that to be hacked and stolen. If the organizations you're making assertions to don't hold it anymore.
And so I think that's a huge development that will also power as a logical next step. The things we're talking about today Really interesting.
And Jeff, So one of the things I see as being huge in the near future is the identity management cloud editing management platforms, moving into the identity and governance areas. And there is one huge silo out there that really nobody's talking about. And that's the different audit trails that exist within this. You have the audit trail that exists in the centralized entity management server, but then the same user has audit trails in every other federated cloud service provider.
And those audits are currently hugely siloed. And I think that there's really a golden opportunity to be able to bring those silos of audit information together so that the enterprise security analyst can view a, user's not only the fact that he federated the different services, but what he did in those services that his employer's paying for.
Great, a big thank you to all four of you. You brought out some really interesting ideas and I wish the conversation could continue because we've only just scratched the surface here. So a big thank you to all of you and to the audience. If you do want to continue asking questions, head over to the networking lounge to discuss this further. Thank you.