KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "Quantifying Access Risk: How to Sell the Access Governance Project to Your CFO". This webinar is supported by CrossIdeas. The speakers today are me, Martin Kuppinger, Principal Analyst of KuppingerCole, and Marco, Vice President Alliances of CrossIdeas. Before we start, some information: KuppingerCole is an analyst company providing enterprise IT research, advisory services, decision support, and networking for IT professionals.
So just three areas: our research services with all our reports and other things, the advisory services, and our events. Regarding the events: last week we had our European Identity Conference, and the next European Identity Conference will be in May 2013, again in Munich, May 14th to 17th. So best of all, you just block this date in your calendar to ensure that you can participate in this conference. I think the people who were there this year will confirm that this was very well spent time. Some guidelines for the webinar: you are muted centrally, so you don't have to mute or unmute yourself. We control these features.
We will record the webinar. The podcast recording will be available by tomorrow. And questions and answers will be at the end, but you can ask questions using the questions tool in the GoToWebinar control panel at any time. Usually we pick them at the end of the webinar. In some cases, we also might pick questions during the webinar.
So that's, I think, the most important part of the housekeeping. Yeah. And then it's time to come to the agenda. The agenda is, as always, split into three parts. The first part is the presentation brought to you by me, Martin Kuppinger. I will talk about what to focus on when talking with business and how to translate the IT view into the business view and into business risk. The second part will be provided by Marco Venuti from CrossIdeas.
He will talk about why access governance is so important when it comes to translating IT risks into business speech. The third part then will be the questions and answers part. And I think it will be a very interesting webinar. So let's start directly with looking at convincing the business that they need access governance. And maybe the first question is: why the CFO? So we put the CFO into the title, and I think that's an interesting aspect. And second, that three reason one is run. Financial aspects are quality, financial aspects. Number one, mitigating risks done right will save money.
So if you focus on those things, if you understand, okay, that's the risk, these are my countermeasures, these are the projects I have to do, and that's the relationship of risk versus investments, then you have a very valid argumentation. And that's, I think, a very important thing, where you really can save money by focusing things, by also understanding the risk and doing the things first which are at highest risk. So talking about risk is talking about value and money. The second point are regulatory aspects. See it recently are key responsibilities for GRC.
So governance, risk management, compliance. They have to care for that area. And when looking at access governance, we are talking about one of the most critical areas when it comes to GRC, because it's about access risks and the related things. And then there's another aspect of the financial side which is relevant to the CFO. So I think IT for quite a long while has always been struggling with, let's say, proving that they really will save money by some actions. So the theme sort of is: doing IT right saves money.
However, IT in most cases has done IT more for itself, claiming it's for the business, but has never been as business-centric as it should be. So doing IT right is doing IT for the business. And that wasn't always the case. And if we are more business focused, and access governance is one of the parts where it's about getting more business focused than, for example, in traditional identity and access management, then the C might become relevant again, because we can much better prove that we are making things easier for the business.
And that there's really a business value, which again might be interesting also to the CFO. So in the next few minutes, I will talk about several aspects. So what do we need to do to support business? Why look at risks, why look in this context at access governance, and so sort of really outlining the entire topic. And Marco in the second part will dive much deeper into details, really showing how you could do this and how to deal with access risks, and how to really show that there's a risk and thus convince the business of the value of access governance.
So there's a struggle between IT and business, I think probably since ever. It has been there, where business looks at speed, agility, flexibility, change, short term, whereas IT more looks at contrast speed, security and contrast virtual control and contrast flexibility standards, long term.
However, it's pretty interesting that IT, when you look at that comparison, is probably sometimes more risk aware than the business itself, because most of the things IT is looking for are sort of really risk-mitigating things. However, the problem always has been that we had sort of a translation issue when trying to convince business that there's sense in the things IT is doing when looking at stability, security, control and other things.
And overall, I think today, when looking at what business really wants from IT, it's definitely that they don't want technology first. So what they want is to have the services they need to do their job. And I think that plays into our cards when talking about things like access governance and access risks: businesses want to keep corporate information protected adequately. So the access to corporate information is a card topic for business today because this is pretty well misunderstood that they need to protect the type of information.
And when then looking at our KuppingerCole IT Paradigm, which is the approach we have to really structure IT and the way we deal with cloud on one side and the business on the other side, then the upper area of business service delivery is a very important one, where it's about service design and service requests. But we also have the area of, for example, information security at the middle layer and IT governance with information governance and service governance on the right side in this paradigm.
And there are a lot of podcast recordings, reports, and everything available which go into detail. This is also about how can I bring IT closer to the business, and the two points I quickly want to touch are the business service delivery layer and the IT governance. So the business service delivery layer is really about providing what business wants by understanding that business is a customer and acting very customer-centric, and by providing them real business services and allowing business to request these services, however, always in a secure way.
So security enforcement IT has to do, and with a strong governance paradigm on top. So we have the enterprise governance with business governance and IT governance. For business governance, it's more about process management and, let's say, the classic risk management, and IT governance is about information governance, service governance. The point I really want to focus on here is that IT risks are associated to business risks. So the only reason why we look at IT risks is that they have an impact on the business.
It might be that they are strategic risks, reputational risks, operational risks. Operational risk means just that you have some loss or something to pay, for example. Reputational means image issues. Strategic risks are the most diverse areas, where it's really about the existence of the entire organization, which might become affected. And I think if you look at some of the larger incidents of the last two or three years, then it becomes very obvious that IT risk can really be strategic.
So when looking right now at the risk part, which is, I think, a very, very important thing in structuring your IT and your IT organization, then the first question is: what is a risk?
In fact, a risk is about threats. So we have threats. We have a probability that this threat might happen. And that's the difference also between risk and uncertainty. We have a probability, we have an impact, so we can do a valuation of risks. There's an impact of risk on an asset. It means you can lose money, you have to recover data, whatever it is. And it has an impact on business processes and understanding this relationship, I think is the really starting point for these things.
And as I said before, commonly distinguished types of risk are strategic, operational, IT, and sometimes reputational; that's, I think, increasingly seen as a separate type of risk. On the other hand, when talking about, let's say, just the different aspects we have for this webinar, then the other thing is access governance, a term I also want to define quickly. So what is this about? There are some questions to answer, and these questions are: who has access to what, who has accessed what, and who has granted access. These are sort of the main questions around this.
And for sure, it's also about understanding the risk of things going wrong. So there are a lot of technologies involved, like access warehouses, recertification, analytics capabilities, access request management, which is by the way very much about bringing things closer to the business, enterprise role management, and, a thing I've put into the middle, access risk management. So really understanding what are my access risks, what is the valuation, so what is the impact as an operational risk and so on of these things?
So why do we need to think in risks? The risk, as I've said, is a threat. We have information risks, which are specific risks for specific information from the perspective of the business. And thus it's also a business risk. So if something goes wrong with information, then it's not only the risk around this information, it's also a risk for what business is doing with that information.
And access risk, in fact, is the part of information risk related to information access, which is very obviously one of the biggest parts. So the other very big part is losing the information because something went wrong, a hard disk crash or whatever, but one of the biggest parts is really the access part. So to deal with this risk, we need to know about information, understand the risk associated with specific information.
So what does it mean when this information leaks, for example? Mitigate these risks, and then we should focus on the biggest risks and mitigate where the balance of risk and reward fits. I think that's really the point where it's also very interesting for a CFO, because first of all, when we think in risk, we start talking business, because risk is a thing which is also commonly used in business. We do a valuation and we focus on things, so we can explain why we want to do that thing first.
This project mitigates that risk, and that's the reason why we want to do it first. Other projects might mitigate other risks, which are lower than this one, or whether the balance of risk and the reward is that good. And that's really then when we are talking business language, and so risk really helps us to translate things there. So how to risks. We have a lot of assets. We have to understand which are the threats we are facing, especially around business processes, information, services.
What are the realistic probabilities? I commonly see organizations really working with fully unrealistic probabilities, depending on what they want to achieve. What is the realistic impact? The same thing is true here. And what I really observe in that area is that the impact is commonly underestimated. So it appears sometimes that the impact companies are looking at is defined as too low. Which business assets and processes are impacted?
And when we do this, I think it's another part where we really have a much better business alignment, because we start understanding, okay, this IT risk affects these business assets, these business processes. That makes things in an argumentation also much easier, not only in the conversation with the CFO, but with all parts of business. What you also have to do, and I think that's a very important part, to really do this: we have to move forward from today's traditional approach, which is very, very system focused. So most of the things we are doing today are system focused.
We at least have to understand things in the context of information. So information could be held on many different systems, and looking at information moves us closer to the business. If we don't think in services instead of systems, then we are a little bit closer to the cloud, but really ready we are when we start really understanding that services are connected to business processes, that information is connected to business processes, and that we really can put it into the context of business processes.
Then that's much more business alignment, also from our IT risk perspective, than we have in a common approach. We have different approaches in risk rating. I don't go into too much detail. So that's one of the, let's say more Carra approach, which is pretty common. And we have to do these risk ratings for different areas: for services, for processes, for information. So what are the risks there, and we can then work with that type of things or other approaches. I think that's okay.
And another, I think, interesting point is also when looking at the regulatory aspect of the thing. So having a CFO as a person who is responsible for fulfilling the regulatory requirements, risk is sort of a common element which goes beyond regulations. So we shouldn't limit to regulations themselves. So we have a lot of regulations which deal with risks. We have auditors which look at risk, and not fulfilling regulations is a risk, but there are many risks which really go beyond regulations, so where we don't have a specific regulation.
But when we think in terms of risks, we anyhow will see, okay, it's important to look at these things. So look at risk and you will cover the regulatory compliance aspects as sort of a logical result, but you will do more than just fulfilling regulatory compliance. So it's not only compliance. And the other point, I think, which is very important in the conversation with the business and also in the conversation with the CFO, is that it's about business performance as well.
So one of the things is that you really can deliver more strategic value and support business performance. Strategic value is really the risk mitigation, so deeper insight into what happens in the business when you analyze these issues in depth. So it really helps you then to understand, okay, how can I, say, improve my business. And business performance is also seeing that some of the controls relate to where business doesn't operate well. So many risks are in fact associated to, let's say, imperfect business processes.
And GRC has to provide information about effectiveness and efficiency of operations, and a lot of other things, reliability of all these things, which are things which go for sure beyond the access risk part. But when we start doing it, we shouldn't focus on access risk, but understand that access risks are one of the important things. And then we can do a lot of things, and we should have a structured, well-planned GRC, which we do continuously, especially when it comes to access risk. It also supports us in auditing.
And that's sort of the big picture when doing these things. And access risk, then, that's about defining the risk. So we have the system view, which isn't sufficient. We have the information view. We have to combine views, and that's really what we should do there. We should understand that things are not tied to a specific system, but go well beyond that. That should be our generic approach.
And that's the reason why we have to do things like access governance, because that's what really allows us to move forward from reactive to preventive in having a risk-based approach implemented. Reactive means we analyze afterwards what has gone wrong. Preventive means we really look at things, understand our risks, have our controls, have our thresholds, and identify when things are changing, as things are happening. And so finalizing my part of the presentation with a very quick overview of these things.
I think one important point is really: once we translate our IT initiatives into a risk view, when we map our IT risks to operational and strategic risks, then we can discuss the risk valuation with the business. And we have a fundamentally different communication with the business than we had traditionally. So thinking in risk really helps, and we can better show why we are doing things. However, we shouldn't forget to think in business benefits as well. So what are the benefits for the business?
That's something we also should look at. Access governance helps because it's the layer which supports our access risk, but also our business users, for example by easier requesting access, thus reducing risks by making fewer faults, by enforcing policies consistently and, done right, by integrating also with the business GRC and providing a very important IT part of our view there.
So moving forward, I think we also have (that's just a quick slide) to adapt our IT organization then, so really to become much more business aligned, moving away from silos towards an approach which follows our KuppingerCole IT Paradigm; that would be my suggestion. I have a link to a report which goes much deeper into detail on this later on. And so that's really what I wanted to share with you at that point of time. The key messages: access risks are a key element of your IT risks and of your overall governance strategy.
And thinking in risk really helps to think and talk in business terms, which makes it much easier to translate things for your business. I have a slide here with some related research. So reports you should read, focused on different aspects, like IT organization, like our KuppingerCole IT Paradigm, like the role access governance plays, like AFC reference architecture. This research is available at our website. And I think all of these are valuable pieces of background information for this entire topic.
So after this high-level overview on why you should really think in risk, I would like to hand over to Marco, making him presenter, and Marco right now is the person who will then talk about this more in depth, really going much more into detail.
Thank you, Martin, and thank you all for joining us today. During my presentation, during the next 20 minutes or so, I will touch briefly around CrossIdeas and what is our role in the market.
And then we will move to a conversation around what comes first, what comes before an identity and access governance project, and what is supporting, from an access risk perspective, that conversation. This will bring us to the conclusion and then to Q&A. So a few words around CrossIdeas. CrossIdeas is a leading innovator of identity and access governance solutions. And we believe that we really enable our customers to achieve their compliance only and access risk management objectives. CrossIdeas is a name that many of you probably never heard before.
And the reason behind is that up until June 2010, the company had another name, which was Engiweb Security, and was primarily operating only in the Italian market. Recently, after a management buyout, it is now open to the international market, but over the years CrossIdeas already developed a full framework that ranges from authorization management capability, later extended to the identity and access management space and more recently into the access governance space. And that's where our conversation around access risk scoring is placed today.
So after this very brief introduction around CrossIdeas, let's get to the first part of my presentation today. What is the conversation behind an identity and access governance project?
Well, in our understanding, in our experience, everything starts from the CFO, the compliance inside an organization, that poses some questions to the auditor, questions that sound like: are we compliant under regulation XYZ, where XYZ depends on the company and on the industry? How do we manage, more in general, and how do we mitigate risk deriving from the IT infrastructure?
Well, the auditor goes to the IT security people, and that sparks the question. We shift the question into something that sounds like: how can we prove that John Doe is appropriately provisioned, is appropriate to create and deliver with the right permission?
Well, what the security typically does is asking the application manager the same question: so can we prove that John Doe is appropriately profiled? But this unfortunately is not a question for the application manager. An application manager can answer around what John Doe has, but he can't tell anything around appropriateness. That's the question for the line of business manager. So that's where the question finally gets.
Can you verify if John Doe, who works for you, is correctly profiled? And what the line of business manager can say is: well, you know what, I would be happy to answer, but if you make for me more readable these permissions that I'm not really able to understand. So in the bottom up, the story is telling us something is telling in the database, security are a few priorities in our view.
First, making sure that what comes out from the IT landscape is readable to business users, to really allow the option to apply controls, and among controls, things like access certification are the key things that should be implemented, the sooner the better. Now getting back to the one that originally posed the question, which is the CFO: the conversation that the IT security guy poses might sound a bit not very clear to the CFO. So there are a lot of acronyms. There is a lot of wording.
There are a lot of things, but bottom line, what the CFO is looking for is to be able to measure and prove that the money that has been spent to acquire this control has been spent for a good reason. So that's why the conversation we're having today is around making sure that the conversation can be driven and supported by something that looks like this. So to put it differently, if we were able, as IT security, to present something that looks like a trend of access risk over time, well, the overall conversation would be much shorter. Okay.
It would be much closer to the expectation of the CFO, which is ultimately funding the project. So now let's see how do we get to have something that looks like this in an identity and access governance solution. And to get to explain this, I need to explain something about access risk in general and the way we look at access risk.
So, first of all, just to make sure that we are on the same page, what we're talking of is again access risk, which is a very specific notion of a broader domain of risks incumbent on an enterprise, and access risk management is about measuring and also reducing the probability that the risk materializes, becoming an issue. But if we look at the broader picture of what types of access, of risks, sorry, are identified and qualified in the risk taxonomy, well, we see that access risk is just one in maybe a hundred definitions of risks.
So the question might be: why should I care as a CFO? Why should I really spend time listening to who's looking to mitigate and to reduce access risk? It's just one in a hundred. So probably there are better things that I can do.
Well, the reason behind is that obviously access, meaning the information to it. Application and system flawed, other domains of risk, enabling the application that supports the option to materialize sort of risk. That's why we're having this conversation.
Yes, it's true that it's one line in a hundred; it is also true that that single line is more relevant and affects many others in the big picture. So how do we measure and do scoring of access risk? In the industry, there is basically one single approach, which is the most widespread, which is around doing risk tagging. In an identity and access governance approach, I have the need to go and define and tag all main entities that I'm dealing with, for instance organizational units, applications and permissions, and by doing so, I can then count and derive what is the amount of access risk that I'm dealing with for each user, for each organizational unit and application and so forth.
This unfortunately has a very big issue behind, which is that by definition it requires the tagging process to be completed.
So it's basically postponing the application of any risk criteria until after the tagging process completion, which might be a matter of a few months, while if I was able to provide since the beginning an alternate way to derive what is the access risk, in a sort of mining approach for those of you who are familiar with the word, that would allow me to start since day one in doing risk measurements and so provide since day one clear visibility on what is the access risk around, and then showing over time that I'm reducing it.
Obviously this is not removing the value of doing risk tagging over time. This is something that can be exploited once completed, but what this approach is bringing in is the ability to start since the beginning. So let's have a close look at what we mean with this. We call this approach actionable risk scoring, and it's not just about doing measurement. It's about supporting the process of dealing with model, measure and reduce access risk over time. So around modeling, it means that I need to be able to define what I want to look at and the way I want to look at it.
So defining the metrics; we will see later what I mean with that. Once the model phase is completed, we can proceed doing measurements, so identifying the most critical areas and identifying the most effective mitigation measures that I can apply, and then over time, obviously, applying those mitigation measures and monitoring the effectiveness of those. So to do that, our model is basically exploiting three axes in which we split the access risk space. One is time. So that's very easy to explain: how risk evolves over time. Another one is risk model.
So the way we consider the notion of risk: given that there is no such thing as a unified, generally accepted notion of access risk, the best that we can think of is to let each company model its own specific notion of access risk. Again, we will see what it means in a few slides. And third, partition: splitting the entire company into multiple data sets to have a closer view and more fine-grained analysis capability. So let's have a look at how it looks, so making it visual, probably to better explain what I want to make as a point in terms of our approach.
First of all, about data sets: data sets are groups of applications, or maybe groups of organizational units. So sectors or slices, if you wish, in which you can cut the company to better understand what is risk. So in a whitelist plus blacklist fashion, I can define, for instance, that SAP systems is a combination of applications A, B, C, D, whatever is already integrated in the system. The same applies for the organizational split: these are just groups of organizational hierarchy subtrees. Once I have defined my data sets, I can then define my risk model.
And that's where I'd like to spend a few more words. What is a risk model, though? Well, there are multiple notions of risk. And what we provide with our solution is a pre-canned collection of notions.
And here there are a few of them. For instance (there are some funny names here, maybe) we define the notion of "the forgotten", meaning users which are more risky just because it's a long time since they have been recertified last time. Or maybe "the different" is another criterion to identify more risky users because they are unique. They are provisioned in a unique way, so there is no other around similar to them, and that by definition is making them more interesting. Or others which are more risky because they have a lot of SoD violations unmitigated.
And that's very easy to understand. Or power users, meaning users who, just because of the number of permissions they have, are interesting more than others. So I'm just dropping some examples here. And those examples are those which are predefined in our solution. And there are also other examples which are a composition of the basic ones that I just described. So for instance, what we call the others, which are users which are risky because they are different and they are also not recently recertified, and so forth.
But my point here is that we basically allow our customers to either use one of our pre-canned definitions or to model their own notion of access risk, mixing the risk contribution parameters that drive our risk scoring algorithm. I'm not going into details, but basically we have the option to model over 30 risk types.
And again, we ship a few of them, but allowing the option to define custom ones. But once we are done with the modeling phase, defining the scope and defining the metrics, we can start the real thing, which is start measuring what the risk distribution is like. And the first thing we usually look at, in terms of the way we approach the topic, is to identify where we should be starting from. So if I analyze, for the current situation of access rights in place, where access risk is more concentrated, then I'm basically answering the question: where should I start from?
And this example is the finance partition is the finance data set that clearly show that there has a higher risk quantity compared to others. And that's where probably I should dig a bit more to better understand what I could do to reduce that amount of risk. That's why the next phase is around better understanding what is the risk nature like, and to do that, we're basically identifying what we call the risk DNA.
So what is the contribution of the various notion of risk that I introduced earlier to the overall amount of risk as we see from this, from this chart, they forgotten, meaning the risk due to the age of the last re-certification is not contributing at all. Meaning that probably the finance division went recently through re-certification phase while the SoD intense contribution is the highest. So basically the largest amount of risk is coming from unmitigated SoD evaluation. So this tells me what is the risk nature like, or to put it differently.
It basically translate in what is gonna be the most effective mediation measure to be applied. Given that basically what I wanna do ultimately to have a direct mapping between risk criteria that I'm using and applicable mitigation measure. That's why I'm defining multiple risk criteria. There is no, no other reason apart from this. So in this case, so the intent means I number or mitigated so violation. And the best thing I can do is to run a mitigation assignment campaign. So I can then run in the next phase, which is applying the mitigation. Okay.
So what we do is also to allow the customer to have a drill down option, to really check what is the risk distribution like what you see here is a chart that show who are the most risking combination of permission to user the more solid the red, the are the risk. And the reason why we show this is that we allow customer to select maybe the most critical part.
So to, for instance, the 75%, most critical part of the risk on this map. And then only on that, only on that portion run the recertification campaign. So basically reducing the noise, that would be the recertification on low risky assignment. And so focusing the attention of business user only, or important thing while applying the mitigation campaign. So this is really about striking a balance between a fast risk reduction and the business user overhead. Okay. That's why we also provide this mitigation this way to approach the mitigation notion.
So ultimately what we just described modeling, and then identifying focus area and mitigation, and then applying them over time is showing in this example, and hopefully also in real life for all our customer, a reduction of the, of the risk of the access risk. And this again, is something that I can apply since day one. And this is also probably the only chart that I would share with the CFO, having a conversation with him. And this basically brings me to the conclusion and the question that the CFO was coming up with. Can we measure something? Can you prove that money is well spent?
Well, well, yes, we believe we can. We can drive and track access risk production, and obviously we can show you what is going to be like one is gonna be in place. So bottom line, the CrossIdeas approach for what we call actionable risk scoring is allowing in our opinion, a different conversation with the business is we're moving the need for an expensive and long lasting risk task, risk tagging process, allowing us to start since day one with risk scoring and is driving an effective risk reduction such as risk leave, access certifications. And with that, I hand it back to Martin.
Okay, thank you, Marco. I will make myself for center again. In the meantime, I would like to ask the audience to enter questions. You have to Marco and me so that we can move forward to our questions and answer session. And thank you, Marco. I think this was a very, very insightful presentation, really showing how you can translate access risk into views, which are relevant to the business, which is, I personally think a very, very important thing to do so, so maybe Marco, from your perspective, and then until we have a large number of questions waiting for, for answers there.
So as I said, please enter your questions now so that we can pick them in the Q and a session, but, but what is your experience? And when we're looking at access governance, given that you're in this area for quite a while, how has the ultimate of people like the CFO changed over time? So what has happened here?
Well, the main thing that happened over time, in my opinion is that first of all, the CFO is involved. This is not something that was happening a few years ago, given that the reason for ING access governance was simply a different one, was around introducing efficiency and a few processes. So was around cost reduction, which obviously was interesting to CFO, but from a complete different angle, from a different perspective now is still around cost, but of a different nature is around cost of something that is coming from risk that can materialize. So not our cost that we save.
So that's what is changed in my opinion, mainly.
So, so, so it goes back to what I had on, I think my first slide then where I said, I think there are two types of cost factors or financial factors. One are the ones which are relevant today, the cost associated risks and the others are sort of classical cost and CFOs are in the discussion because they understand the risk part and CFOs also understand for sure the regulatory compliance piece.
Absolutely.
Okay. We have another que, okay. We have another question here, which is targeted to you. Do you integrate with IM systems?
So provisioning systems, if so, which one do you support? Okay.
Yes, we do integrate with external middle directory system or identity management system, including Novell and Novell. Sorry, I should say NetIQ, formerly known as Novell Identity Manager and T identity manager and Oracle manager. That's what we currently support. But on top of this, I should mention also that we do have our own set of connectors. If the customer doesn't already have any other, and we will support integration with enterprise service bus. Okay. As a traditional way that we see consistently growing as a way to approach the integration. Okay. So the answer, yes.
And there's a range of different systems you can support in that area, which by the way, if I go back to this access governance, architecture slide, I think is increasingly becoming reality and also something which is covered in the report and access governance architecture I recently, or we recently published, which really has catered there's more and more in architecture says, we put this on top of different existing provisioning system, different existing identity systems you might have in your organization, which I think as I like adding a business layer, like adding a business, you and bringing notion of risk into it.
And on the other hand also allowing to let's say become more flexible regarding the underlying technical IM infrastructure. Yes.
Again, the, the, the question to the audience, if there are any other questions, please enter them now so that we, we can pick them during the webinar. So it's sort of the last opportunity to write directly, ask questions, to ask.
However, like you've seen at the beginning of the slide, the, the, the email addresses of Marco and me are there and we will publish the two slide decks latest tomorrow together with podcast recording. So you have to access to that contact information if you needed. Okay.
Looking, going back to this, this term for it. So, so when access governance started, I think it wasn't that much about risk. So from your perspective, when did this really start change and why did it change Marco?
Well, it changed maybe because it was also technically possible to look at this. I again, is I think that we are still in the middle of a sort of maturity path, because as I was saying during my presentation, we don't have yet a clear notion of what is access risk, like, okay. It's a pretty broad definition. So you find multiple, multiple definition there. And basically what we're doing is in line with that, where basically making it configurable, right. The reason behind is that again, the sensitivity of each customer, my, my very, depending on the moment, depending on the specific needs.
Okay. So, and, and that's basically it, this is still a growing thing. I believe that the full develop of, of the notion and on the endorsement of the notion of access risk is next to come is already there in terms of perception, not yet there in terms of implementation and deployment.
So it's of, if you look at your customer base and also the ones who are, let's say, running access governance for longer time, they're, they, they, they are, they have understood this issue.
They are, but they haven't rolled out in most cases. Correct? Yes. Okay. I think it's be really interesting to see when this, when, when this changes maybe as the last question, and if there, again, if there are any questions under them now, last question from my side.
So, so how do you use the situation? Because I think the big thing and, and, and thinking in risk is at the end of the day doing, let's say also valuation and probability and impact, what would you say?
How, how good are your, your, it, let's say the customers you have more, which are also usually your, let's say your customer customer usually are, are more from the it side. How good are they and really dealing with these things today?
I'm sorry. I'm not sure that I got the question, but I, if I got it right, I think that the conversation is really shifting is as, as you also were saying during your part is more and more, less focused on the technical side of the integration and shifting to the logical side of integration, meaning with that, that yes is important.
What sort of integration we might have with the applications, but this is becoming somehow less important. What is really making a significant difference is the way I look at the logical or onboarding of an application, the way I translate what an application is exposing, the way I make it consumable. This is where you are shaping also the project structure, the way we implement the solution. And also the way we express the policy, the way we translate them to make them readable to the auditor. I don't know if I'm answering the question if I got it wrong. Yeah.
Well, I think it's, it's, it's an important part of the answer. The other thing was trust.
You know, what I really see is that it's not that easy to define probability and the impacts of a risk, especially also for it people. I think that's one of the point really was how much true do you see your customers in defining probability and impact?
Okay. Sorry. I was answering maybe correctly. Another question, sorry about that.
Doesn't matter.
Well, again, this brings me back to the needs of being configurable, be flexible because again, being that there's no such a thing as identifying what is access risk is really like in terms of commonly accepted notion. This also makes kind of not applicable a common approach in a quantifying the probability of that something materialize. Okay. Because you need a definition of first of that.
So yeah, we are a bit behind, and this is something that brings back to the need of being supported by some advisor, which has a practice around this sort of thing. So I'm talking here, not necessarily of those that we know as system integrator, which are perfect for implementing and deployment the technical side of the story, but also around more specific knowledge around how exactly that, how to quantify and what we should be looking at in looking at notion of access, risk, different companies. Yeah. Yeah.
So if there are no first questions doesn't look like, then again, thank you to all the attendees and thank you to you, Marco, for participating in this KuppingerCole webinar, there will be other webinars coming soon. So we will keep you informed and hope to have you back as attendee in one of the next webinars we will do.
As I said, there will be information about the upcoming webinars these days. Thank you for your time. And as I've said, I also decide next all the other information will be available online, latest tomorrow.