Dream - Policy-Driven Management of Security, Identity and Access for All IT
But yes, I'm the Director of the Practice IAM at KuppingerCole, an Analyst. As an introduction: at the EIC, Martin introduced three concepts, and that included a concept I wanted to talk about today, which is called DREAM. We like this acronym and we keep it; some pronounce it "Dre". Nevertheless, it's a policy-driven management of security, identity and access for all IT.

And I want to dig a bit deeper into that topic, because I think it's really worthwhile in getting a bigger picture and maybe embarking on a journey towards this approach, and how to align that with your infrastructure and your strategy. Very quickly, the agenda for today: I will talk about complexity, just to make sure that we understand why we are doing that, and that is to deal with complexity. Then we want to dream beyond CIEM.

You will see that I'll use this DREAM acronym, kind of, to show how to move your dream into a strategic approach and actually facilitate an architecture that is capable of implementing the concept of DREAM. If you have any questions, please put them into the application, into the website, or keep them in mind for later, when we have the Q&A session. We want to talk about complexity.

And if you look at that picture, if you have the notion that your architecture, your IT architecture, your full stack looks like that, you might be the right audience for talking about dreams. So we want to talk about complexity in general. Your IT is hybrid and multi-cloud now, and that is true for almost any organization,

if it is not really very young, a startup, a cloud-native or cloud-only organization. We are not on-premises anymore, at least not only on-premises anymore, and we have different places where we deploy infrastructure. I will go very quickly through this, because you know all of this, but I just want to show the complexity here. We have, of course, traditional on-premises IT and data centers somewhere. We have multi-cloud, and we've talked about that in this track already. So we have infrastructure as a service, we have platform as a service,

we have software as a service, very different beasts, and we have edge computing, as three examples. And that list is far from being complete. And within these platforms, which is actually not much more than just the matrix, we do all of this and more: we have agile IT, we do DevOps across these platforms, we do everything that is in the blue boxes. And we do that for good reasons, because it's our business. So we have everything. A good example is these orchestrated virtualized platforms, say Docker, say Kubernetes, say OpenStack.

And that means that you can, on the one hand, create your services in these systems and deploy them across your platforms, which is an n-to-m matrix just for these two aspects that we look at. So this is something that we have to deal with, and that is something that we need to manage properly.

So we have to manage identities and their access for all IT. So we have to manage identities and the rights that they have; we have to manage identities on the fly. And that means technical identities, human identities, infrastructure users, service accounts, whatever you have in any type of your application, it will show up here as well. These identities, these accounts, whatever you call them, they will have access. And they will do that within software-defined infrastructures that rapidly change.

And this is really something different from traditional identity and access management and access governance. We have time-limited access, just-in-time provisioning, very ephemeral access that is available only for a very limited amount of time. We need to make sure that we apply the proper governance, that we apply the principle of least privilege, while making sure that we have the right amount of transparency. If the architecture is ephemeral and identities and their access are ephemeral, how do we keep track of what happened yesterday,

when the machine maybe is no longer there? Nevertheless, we need to detect anomalies. We need to automate whatever is possible, to make sure that we, on the one hand, have the delivery of identities and the entitlements to the platforms as automated as possible, and that we also identify what's normal and find the outliers in that. So this management of identities and their access is really challenging. And let's look at proper approaches towards that. This is the second time that I talk about an acronym from the G company.
I've talked about SASE earlier, and now I'm talking about CIEM. And this is something that aims at solving that problem. So CIEM is defined to be the tool set to solve these tasks, and it was defined, and it was scoped, to be what is in this blue box.

So we are talking about identity-centric SaaS solutions, that is, something that runs as a service in the cloud, and entitlements, which is the E in this acronym, which fully means cloud infrastructure entitlement management. Entitlements are identities and their access, no matter what these identities are, no matter what this access is. It aims at defining and enforcing access policies, and it aims at managing these entitlements and data governance instead of cleaning up afterwards.

So everything that I mentioned before should be possible, but aiming at cloud infrastructure and their entitlements and nothing else. And it adds a layer of analytics and machine learning to find the outliers. That was the plan of the concept CIEM. And it was picked up by vendors creating software around that, that implement the CIEM principle. If you take a step back as analysts, as customers, as professionals, as architects, this is not really new. This is something that we have seen in other platforms as well.

So PAM and cloud PAM, CPAM, is something that manages entitlements, privileged entitlements, also for the cloud. We do provisioning: we have an identity management and we provision accounts into systems. Usually they are more stable and stay longer, but provisioning could work also for these platforms. We have user lifecycle management, which has influences on the processes that are there. And when it comes to enforcing the entitlements, we have policy-based access. This is something that has been around for quite a while, but CIEM needs to be extended beyond the cloud infrastructure.

We want to look at the full dynamic IT, we want to look at DevOps, at multi-cloud, everything that was in the blue boxes before. And we need to make sure that we have a dynamic security management that is capable of dealing with this volatility of the infrastructure. That means just-in-time security controls, monitoring, detection and remediation, even if it really has to take place very quickly. Policies need to be in place.

They need to be managed to implement these just-in-time controls, based on automation, based on well-understood, well-defined and managed policies, and intelligent remediation, of course, is the way to move forward when it comes to understanding what is going on in your platform: what is required, what is actually happening, is there something that needs to be mitigated and changed? So we have the policies and the templates. If you look at this circle: define the entitlements, just-in-time controls, enforce these privileges, have this intelligent monitoring.

And if something occurs that is not aligned with your policies, there's a real-time response to that, especially when it comes to threat response. So we have CIEM, and we think that's a good idea, but it's not feature complete, it's not scope complete. So if we talk about strategy, we need to think bigger. So we need to take a broader approach when it comes to managing entitlements in this hybrid environment; it goes beyond just cloud-focused management of entitlements, of access, of identities.

And that means, from our perspective, that we need to have a combination which comprises IAM for identity and access management. We need to have the full lifecycle management to control the governance with IGA, identity governance and administration. We need to have privileged access management across all platforms, including the cloud infrastructure. And of course we need to include also CIEM, CEEM, sorry, CIEM, that's it, it's the post-lunch carbohydrate tunnel that I'm going through. So sorry for that.

So CIEM, cloud infrastructure entitlement management, are solutions that are here that can support us in solving the overall issue. And that's what we call here DREAM. And we look at the acronym: dynamic resource entitlement and access management. And that is the picture that Martin showed before, so I just really quickly show it. And if you are interested in learning more about that, there's tons of stuff about that on our website; there will be more, I'm currently writing on that, and just review the opening keynote from the EIC, it's really worthwhile.
So this is the picture where we have, especially in the middle, the elements of the architecture. So we have policy management in the middle and enforcement, which is automation. We have the full identity and access management layer, including access governance and including CIEM. And we have cybersecurity, security operations and automated response. And that is the part where DREAM comes into play. So we want to live the dream. How do we do it? First of all, we need to understand what we have and what we do not have, what's missing, what should be augmented, where we have too much, maybe.

So it's a typical case for a portfolio analysis. So we need to understand our infrastructure, what we already have. So we are managing the volatile, highly dynamic infrastructure in a hybrid world.

And if we look at the picture, we have, from the bottom, infrastructure, over services, up to consumers and data. We have different areas, different types of identities and layers of abstraction, where we need to think of managing these entitlements, this access, these identities. And on the other axis, we have everything from on-premises over the infrastructure, platform and software as a service levels, and as an example also edge. Again, not a full picture, just to make sure that we have a look at what is already there.

So this is something that is usually already in place. So for the individual systems, we have individual platforms that manage this. So we have traditional PAM, which covers service accounts, which covers technical users and admins. On the other hand, we have data governance tools. And all these building blocks together is something that we do have, that needs to be understood, well integrated, maybe gotten rid of, because we can do it better, but this is what we already have. And especially we have native tools on the bottom.

This is always something that needs manual intervention sometimes, and that is something that we want to get rid of. When you look at the second dimension, we look at, sorry, this is small to read.

We have, this is something sometimes covered already by existing solutions. So the edge is sometimes already covered by IGA, by federation and by data governance. And if we move on, these are the areas that traditionally CIEM is looking at. This is where, as I said before, there is CIEM already in place, and sometimes CIEM already laps over to that, and Martin mentioned that earlier, that these products are already covering other areas as well. So we have an overlay of infrastructures that deal with these entitlements. So how do we live the dream? First of all, and I love this picture,

we need to have the first step, which is assessing and describing your IT and your organization. You really need to make sure that you understand what is there. That includes the architectures, that includes the infrastructures, the services, and the way you're doing that. So you need to have a holistic view of everything that you have, in the cloud, on-prem, wherever it is, and how you use that: what you have, what you require, what is redundant, what can be required.

We at KuppingerCole introduced, three years ago, the identity fabrics as a basis for an identity-first approach. And it would be embarrassing if it would not fit in here; that would not be a good idea.

And it does fit in here. So if you look at the picture, this is the picture that, if you have attended some of our events, you have seen before, except that there are some blank spaces here. So we have, to the left, all the identities and the way they are coming into this system, into this identity fabric; to the right, the systems that we need to manage. And why are there blank spaces?

Yeah, because we are talking about cloud infrastructure entitlement management, so there are additional components. So to the left, we add repositories, events and policies. And this is input to the identity fabric. In the capabilities, we have CIEM to be added there as well, as a functionality, as a capability to use here, that manages that; it is also included in the services: that is the entitlement management service. And of course, then we can again federate and work with the entitlements within the platform. So we include these infrastructure entitlements into our identity fabric.
The next step would be defining your target architecture vision. And once you have applied this identity fabric paradigm to what you have and what you want, then you can use this as the basis for creating your own overall target architecture vision, so that you get to a unified view for your one IT,

which is a vision. This is nothing to be simply achieved, but that should be the vision to be there, so that you have a comprehensive plan. We think that the identity fabrics and the cybersecurity fabrics are good ideas, as we created them for exactly that. Define a roadmap, follow that and continue continuously towards this one-IT approach, where DREAM is a part of it. How do you start? Start tactical again: identify blind spots, find the right stakeholders and implement the required additional, augmenting functionality using the tools that are available.

And these cloud infrastructure entitlement management solutions, the CIEM solutions, they are already there. And they might be one part of your capability mix to implement what you require. And we think that this DREAM approach really embeds CIEM into a bigger picture for secure and compliant hybrid IT service delivery. So what should be in your mindset? We think a dream of policies and automation can come true if you consider this overall paradigm within your way of defining your overall infrastructure, how you leverage it.

So think services: consider your identity management, but everything else as well, across the platforms that you provide and the workloads that you deploy, as a service, clearly delineated, clearly defined. And that is something that you can then deploy across all your IT, traditional on-premises IT included. Think policies. This is something that I said earlier today in the SASE talk: think policies, be mature enough to think in policies rather than roles.

Think automation: once you have policies, you can automate them and get to an implementation of these rules that you've defined. And consider everything with the aspect of agility. So service is the main aspect. So if you want to be agile, define additional services, design them, implement them and, yeah, provision them into the platforms in this manner. Two final slides. How do we continue after that? This is just one step of the journey. The scope of IAM and cybersecurity for a hybrid and multi-cloud reality must be extended beyond that. This is just the first step.

So you need to think bigger. You need to integrate into what's there. Of course you need to consistently foster your automation. And that will also include other aspects beyond this DREAM three-layer approach that I just showed. That will be an integrated approach overall, as shown in Martin's picture. And you need to integrate with what was already there.

And that includes everything that is in the brackets here: ITSM, IT service management, DevOps, GIS, whatever you have, so that you make sure that the policies you define are also aligned with that, also reflect their reality and are then properly integrated. So your dream becomes a part,

kind of, yeah, a part of the overall infrastructure supporting you in really managing all types of access. Final slide. I have one minute for you. The clock is ticking a little wrong.

Oh, okay. Then here I have 1:30, 33. Okay, that's okay, my budget is up. Okay. Nevertheless, six principles, very quickly, as a recap: actually, think in services, and services means you implement services that are required for your business, and they require IT services,

and you provide them. That is your driving force. Have a unified view on your IT services so that you can understand the policies that you need to derive from that one IT across all platforms. Derive policies. Once you have described these policies in a simple manner and a managed manner, you can automate them. From that, you can go towards agile development, so that you have the automation and the policies in place to be quick when it comes to scaling up, scaling down across all platforms. That leads to dynamic infrastructure as a key component.

And one thing that I skipped a bit, because that would have required me to talk even faster: I ignored the aspect of status and context, though these policies always will have to include signals from the outer world, so that policies also can make sure that they understand what is happening right now, be it threats, be it wherever you are, the time, wherever you are. And that's it from my side, the final bad joke about DREAM, and thank you very much for your attendance.