We move over to the next topic and talk a bit more about identity, tomorrow's IAM landscape. We have Matthias here, Matthias Reinwarth, that most of you probably know from previous EICs or other conferences of KuppingerCole, working for Kuppinger, practice as a director for IAM, sort of leading the whole space, coordinating across all those units in the industry, I used to say forever, consulting several companies and now doing that for KuppingerCole.
Matthias, here we go.
Thank you very much. I have 20 minutes to tell you about what happened in the last nine months, more or less. We have been working on updating a framework that we created earlier and I want to start with the history. If you look at the agenda, how it all started, then a brief look at 2022, so it's not a long history thing, just to make you understand where we come from and where we are right now. 2025 is next year and off to new shores to give an outlook on what will expand right now.
So, the identity fabric and the reference architecture, the lights are awful. The identity fabric and the reference architecture are two key assets that KuppingerCole and Martin and the team and a bit of me and Philip recently have created to use in several aspects of what KuppingerCole does in identity and access management. It's a lot of advisory work, but it's also a key foundation of what we do when it comes to our research and, of course, also to the events, how we structure things.
So, it's a fabric, first of all, from the term. Germans tend to interpret that as Fabrik, factory, which is wrong. It's a fabric.
So, it's a woven thing where we connect things with each other and that was the idea very early on when we created that picture or Martin created that picture way back then and how it all started. These were the early approaches that we started and if you think back and if you're longer in the industry, you have seen these pictures before. This is from 2017, 2018 to the above, right?
That's Martin during the pandemic, early pandemic and look how young he was and that was the starting point and over time, we tried to refine that and to stabilize that and the first publication that we did actually goes back to 2019, so the initial publication. That was the time when we thought it's stable enough, this identity fabric to explain what we want to achieve with that.
So, we did that before and we refined it and we had feedback from vendors, from all kinds of people we interact with, so that was the first starting point. This is this four-page document, the leadership brief to explain the overall concept of the identity fabric and I hope all of you have seen that. If you're new to the game, just a bit of explanation.
That is the, we call it legacy version, so that's the original version that started in 2022 then, so that was already the refined version and to explain this fabric, this woven thingy, we have to the left, we have all these types of identities that we're dealing with. To the right, we have all the types of services that we want to connect to. Martin mentioned brownfield approach, yeah, brownfield is below. This is legacy that you have, that you have to deal with, that you have to interact with, that is still around and it's required because it's needed, it does things, it works.
So legacy IAM, legacy applications and on the top of this huge box, which forms the identity fabric, are all these modern, shiny digital services, cloud-based, cloud-native services, digital services that we consume and provide and in the middle, this block is the core of the identity fabric, where we identify what we need in identity to connect things with each other. So we need identity repositories, we need access governance, we need PAM, we need everything. So to the left, the capabilities, in the middle, the services.
So a capability alone is not there, we need it as a capability implemented by a piece of software, by a process, by a policy or a technology, in the middle services, combining that into something that is more graspable, something like privileged access management. This is a concept, not yet a product and to the right, then the tools, so that we really can say, we need this and that and this, this is this service and we need that product.
That's the idea of the overall identity fabric and that is what we used for everything that I just explained, advisory, research, even at these events to explain things, to structure things. And once that was published, it's always difficult for analysts to coin a term. Sometimes it works, sometimes it doesn't. Identity fabric worked. This is a term that has really spread widely and once it was published, it gained significant industry traction. So it has been used by many players in the field, sometimes very close to what we intended, sometimes not.
So if you look at the picture, this is just a Google search, picture search for identity fabric and you see sometimes these bubbles connected. This is not what we intended. We want to have a structure behind that, but things are different. But the good thing is people talk identity fabric, they use this term and that is really of importance because since we are in the position to create that and to evolve that, this is why I'm here. That's exactly the idea. So this was the initial publication. Second publication was in 2022.
Then we realized, OK, this initial picture, this reference architecture, which I have not yet shown, this needs to be updated because the world has changed. Identity and access management has changed, not revolution, but evolutionary. There have been changes that need to be taken care of. And that is what we did in 2022. I'm very quickly through the history. 2022 saw the first publication of the IAM reference architecture. That is one level below the identity fabric. So we have a set of components, a set of key capabilities that we use for describing IAM architectures.
And that's what we are talking about is the identity fabric as the overall concept, very abstract, very high level, fully admitted. And then one level down, we go to the reference architecture. And everybody who's in identity and access management knows the structure. Four columns and a few levels. This is a matrix. This matrix really shows all the four different important aspects from admin to audit. So the IGA part, the more administrative part, and to the right, the runtime part, although we need to get deeper into that as well. So authentication, authorization.
Once you have administered it to the left, you use it to the right at runtime. This is getting more complex right now, you know, of session time, continuous access evaluation. Martin mentioned sending another one-time token to ensure that this is really Matthias because he is changing the session at runtime. So that needs to be taken care of. This is the version that we've worked with for a lot of years, starting 2022 or actually going back to 2018, 2019, when we created it. So that was the starting point. So why am I here? If it ain't broke, why do you want to fix it? Things have changed a bit.
A bit, sometimes even a bit more. So it's 2025. What I want to give you today is an outlook on what we want to do next year, early next year. And on a few of these slides, there are these disclaimers that this is still embargoed until the 14th of January. We were still working on that. But having this event, I would be stupid not to give a sneak peek and to show you that we are really working on that and that we want to improve that. So that's where we are right now.
So we went through these two slides that I've just shown, the identity fabric and the reference architecture, and we want to make it ready for the next five years to make sure that we can evolve from that. Does this render anything that you did when you used that for your concepts invalid?
No, it's an evolution. We really add concepts, we really add building blocks, but it stays within the same structure. And if you remember the green picture, now let's have a look at the blue picture. This is the new identity fabric. What has changed? And you see embargoed. If you take a photo, I don't mind, but there will be much more. I want to show you what is really changing right now. First of all, it all looks the same, does it?
It is, because if we would change this, that would render everything invalid, so we don't do it. What we do is we added a few components to the left and we added more structure to the left. So one trend that we see, and this has been a constant topic also here and it will be a constant topic at EIC in May, is that we inherit new types of identities. They have been there, but there are much more detailed identity types that we need to take care of. Structured here into personal and non-personal identities, there are much more non-personal identities, non-human identities.
Structures into terms are always difficult to use. I, like Martin, I hate machine identities because machines are those large stinking things where you put oil in. Machine is much more. It's virtual infrastructure, it's workloads, it's technical accounts, it's workload accounts, it's autonomous services, software that's running on its own and needs an identity. That's to the left, to the bottom, non-human identities. But also human identities have changed. They were always there, but we now understand much better the concepts that they're behind. We have B2E, business to employee.
That's the workforce, that's the external. But we have B2B, B2C, when we talk about B2B partners and B2B customers. If you are a company serving large corporations like, I don't know, BASF or IKEA or something like that, you have a different kind of customer than Amazon has. You need to understand that. You need to model that. That's B2B customers and partners, quite the same. But the consumer, the B2C consumer stays still there. In the middle, looks the same, right? Only changes, and that is for me the ingenious step. We put in the reference architecture in the capabilities block.
It's a bit limited to make it fit in there, but this is the reference architecture in the capabilities block. Everything else stays the same because these are always examples. This cannot be comprehensive. It's an example. It's a structure. What we added to the right is OT, because OT is getting more and more important. And we've seen that trend here as well. So target platforms, target systems that we need to address is OT getting more important. And you can adapt this for yourself. And that is the good thing.
This is nothing where we say, hey, we are crazy enough analysts to say we are good enough. We say this is everything that you need. It's not something to build with. That's the identity fabric for 2025 or V2, as Philip calls it. So this is the next version that we want to work with. Where are we right now? We are talking to vendors, to customers to verify this. That's where we are right now. That's the reason for this embargo thingy. And the reference architecture that has changed. And as usual, when you evolve over time and you are in an evolving area like IAM.
Unfortunately, it gets bigger, it gets more comprehensive, it gets more complex. So you need to structure complexity. And that's what we did here. So if you look at this slide, even the fonts have been reduced so that it all fits on that one page. But we really need new capabilities. One example that needs to be mentioned is this growing market of ITDR. We had access analytics. We had identity analytics and we had identity governance and even identity intelligence or access intelligence. But this is all now combined into this term of ITDR.
And I think it makes sense so that you really can say capability is ITDR. What do you have? What do you want? What is required? What do you need from a compliance perspective? Just in the second column, the ITDR component in core. Core is the aspect where we think typical IAM infrastructures are focusing on. And that is so that should be there in many organizations. It doesn't have to be, but it could be, it should be. Privileged has been extracted. That has been always some kind of difficult thing to say, an identity vault, a password vault. Is this privileged? Is this not privileged?
Is this core? We just pulled it out so that we have a privileged vaulting and a privileged shared password management. And we have similar mechanisms when they're required for core capabilities. So that's the reason why you dragged out privileged. Extended was there before. So these are systems that are not necessarily there. But if you have them, they should be integrated with IAM. That's the third layer. Fourth layer is integrations. And that is something that we really focused on to make this more comprehensive. There are more components in here because IAM plays with more systems today.
If you go to the left, to the administration part, if we take something like license management, we were always hesitant to integrate license management in IAM because it's a different beast. It's money, it's different teams. But if you do automated access provisioning to a person and the first access requires to assign a license, that's money. And if you no longer need it anymore, then you need to withdraw the license. And that's saving money. So license management is one of these important integrations that we are looking at.
If you look at the authentication part, we've added CNAPP and ZTNA just to make sure that these infrastructures are important when it comes to allowing authentication, authorization or more globally access into these overall IAM infrastructures. This is no black and white. We need to make sure where we draw the dividing line for you, for us as researchers, for a customer who wants to make sure I want to understand my platform and learn more about what I'm doing. Two final layers have been added. First is the API layer.
It was there somewhere, but not really explicitly or really as a separate component. But we think in 2025, everything that is on top needs to be glued together with some common layer where you have communication that is secure, controlled and to the point. And that is the API layer. And that spans all of those four columns, because you cannot say API is just admin or just audit. It is everything. So having a proper identity API layer on the API level is essential to glue all these components together.
To make sure this does not say this is one product, this is 10 products, this is a platform, this is a suite. These are best of breed products, can be anything. It needs to be tailored to what you need. Final layer, and that is the new one we've added, is the foundation. And we've made sure that none of these blocks is actually assigned to one of these columns. And that is important because they also span that, but they influence different aspects. And this is everything that we couldn't squeeze into this overall picture of the identity fabric. So that is something like application onboarding.
Is this admin? Is this authentication? Yeah.
Well, yes. So it really spans all of this, and we need to make sure where that fits in. That's one of these examples. There are five building blocks added here. And these are blocks that are above and beyond the reference architecture, but we need them, so we put them into it. What will be the next steps? We are currently refining the description of all these building blocks. They are there. We are just verifying them. So if we click on one of these blocks, so on the top left, we have identity repositories. Last time it said directory services. It's much more now.
It's databases, it's graph databases, anything. So you can then click on that and zoom in, and there's more detail. That is what we're currently working on. And all of this will then lead into a new version of this 2022 document that you've seen. There will be a new reference architecture research document explaining all of these building blocks. That's where we're currently working at. So there might be slight changes. So if you took a photo and you compared to the final version, yeah, there might be changes. So back to the picture.
That is the final preview that I wanted to give, but there's more. One thing that I did not mention today is that we do not only think anymore in admin time and runtime, because there's much more. There's admin time. There's session initialization time. There's session runtime, because things can change during session. And there's post-event time when we look back at forensics at what went wrong during the session. So four time zones, timing is important. I skipped that slide because I just only have 20 minutes, because I wanted to show this.
We want to have an evolutionary approach and we want to use that. What I've shown until now is the left side. So we have the master identity fabric to the top with this overall abstract concept. We have the reference architecture below that fits nicely into this capabilities block. And we are currently working on providing level two versions of the fabric and the reference architecture. The fabric will be divided into fabrics per business model, because if I go to somebody who does not have end customers, they most probably will not want to talk about content management.
Maybe sure, but maybe not. So we can restrict that. We can limit that to different kinds of business model sectors, different industry areas and sometimes even just saying it's a highly regulated industry that adds components and removes others. And the same is true for the reference architecture. We will derive them on a technical, on a capability level, reference architectures that deal with different types of architectures. CIAM architecture, PAM architecture, B2B customer architecture.
And the idea is to create them individually, but to layer them and to combine them until they really feed back into the overall reference architecture that we have to the left. So different detail levels, overall concepts on both areas. And that is what we're currently working on. It will be published by the 14th of January. I would have loved to have it running and here and showing to use the document. Not yet there. We want to make it perfect and we want to make it usable. If it will be perfect, let's wait and see. But it's the aim and that is what I wanted to show to you.
We will provide upgrade paths for everybody who uses that. It will be the next version evolution I've shown. And that's it. 40 seconds left.
Perfect timing, Matthias, and an awful lot of information for 20 minutes, so I can only encourage all of you to have further discussions with Matthias to learn more. I agree with the privileged layer, by the way, coming from a company in the financial industry, this is a really, really important layer. So thank you very much for that.
Thank you.