Welcome to our KuppingerCole Analysts webinar, Speeding Up Zero Trust Delivery Using Managed Services. I'm Martin Kuppinger. I'm a Principal Analyst at KuppingerCole Analysts. I'm your host today and I'm here together with Heiko Hütter of iConsult Group. He is Senior Vice President, Managed Service Strategy and thank you to iConsult for supporting this KuppingerCole webinar.
As usual, I'll start with some housekeeping. I'll do my presentation and then I hand over to Heiko. He will do his part of the presentation. And after that, we will have the Q&A but I'll show you the agenda in a minute. So let's get started here. So from a sort of functional perspective, you are muted centrally for housekeeping perspective, nothing to do. We will run two polls during the webinar. I appreciate your participation in these polls. We will do a Q&A session at the end of the webinar but you can enter questions at any time.
So there's on the right-hand side of the screen, usually there's the GoToWebinar control panel with some questions or Fragen section and there you can enter your questions. We are recording the webinar so you can, you don't need to write down everything. Slide decks will be made available. Recording will be made available rather shortly after the webinar. That also brings me directly to the first poll. And as I've said, I really would love to get your feedback on that. And the question is, when we talk about Zero Trust, the question is, where do you stand?
So do you say, oh, we have a really good Zero Trust readiness across our IT and cybersecurity or is it more that you deployed some parts of it or really more in a conceptual phase? Or do you say, okay, come on, Zero Trust, password, we don't believe in it. So what's your opinion? We let it run for a bit of time. So the more of you participate, the better it is. So don't be shy. Come on. We leave it open for another, let's say 15 seconds and then we will close the poll. So as of that, please vote. The more votes we have, the better it is.
Okay, good. Thank you. That brings us back to the content of the webinar. And I'd like to start first here with the agenda. As I've said, I'll talk a bit about Managed Services and Zero Trust. Then Heiko will talk about how to make Managed Zero Trust really work and Managed Services work. And then we have a Q&A phase. But where I wanna start is, when we look at some numbers we've collected previously, what is the real impact of the pandemic what is the relevance also in identity and security for Zero Trust?
And we've been asking people about, so which of these identity management or identity security topics are most important to you today? At the bottom, making Zero Trust a reality was the, so to speak, number one topic that is aligned with, or overlaps to a certain extent with implementing MFA and passwordless authentication and getting better here as a policy-based concept. But Zero Trust is a very relevant topic.
And I consciously ask for making Zero Trust a reality because I think this is the step we need to go nowadays that we move from an idea, from a concept towards how do we concretely implement Zero Trust and where does it play a role in many areas? This is what I believe is very important. We will see that there are other topics that will emerge over time, like decentralized identity but Zero Trust definitely is a top topic.
But, and I think this aligns with what I just said but we also raised another question that was about where does your organization stand on the Zero Trust journey? And the big light blue part is concept phases. So two out of three, more or less, that we are still in a conceptual phase. I can say the current poll was a bit better but it wasn't that far away from it. So I think moving towards implementation of a solution really getting Zero Trust implemented is the challenge to solve in these days.
And this is where we want to spend a bit of time on how could this be done and why and how could managed services help on the journey? Anyway, I thought about it, I anyway want to start quickly with the Zero Trust picture. And I think it's very important, some aspects here because Zero Trust as a concept is big, it's broad across the entire IT. It's about identities. So can I verify the identity? Is it Martin? This is a device Martin usually uses. Looking at the network system access, okay, it's still Martin, can I authorize this?
So this verification, this repeated check of, is that identity, not necessarily human allowed to do that, go over the network to a system, to application or a SaaS service, working with data and software. So it's really a bigger concept and we have a lot of technologies and this is by no means anything which is about completeness but we have identity management, we have identity threat detection response, ITDR, topics around and as technologies that are essential to make Zero Trust reality when it comes to identity, we have UEM and EDR and EPDR.
So Unified Endpoint Management, Unified Endpoint Detection Response or Protection Detection Response. We have Zero Trust Network Access, SASE, Secure Access Service Edge, Network Detection Response, the technology is here. And by the way, very important, when you look at Zero Trust Network Access, then the emphasis should be on Zero Trust Network Access. So it's primarily something which looks as a sort of a network element within Zero Trust but it's not the one and only solution for Zero Trust.
Again, topics we already had, data security, DevOps security. So we have in several areas technologies that help us to verify, to not just rely blindly so to speak on trust. We have technologies that help us integrating all the signals, providing signals back to have better context information, to be more secure. We also can manage this and which is, by the way, also a managed element. So Zero Trust is a rather big beast to tame.
Identity plays a very central role but we also see when we take this, this is one of the various pictures in that case from the DOD, the Department of Defense in the US, around elements of Zero Trust. And then we see there are many elements. Many of these are identity related but there are also many that are not identity related. And so there's not the one silver or single bullet you can use. It is really a combination of things you need to bring together. And that means that to make this work, my belief is that guidance is a very important aspect that you need the guidance to make this work.
How to register, what to focus on, depending also on your environment, your use cases, what you have, what you specifically need and to bring these things together. So, and I would say simply said, when things are complex, then it usually is a good idea. So two things are important. The one is trying to reduce complexity by looking at different parts. So not trying to solve everything, but to focus. And the other is work with experienced partners. So sort of use help here. So you're not alone here. And I think this is the point for that. You're not alone when it comes to Zero Trust.
There are technology providers, but there are also service providers that can help you in making Zero Trust a reality. And I think this is, for me, this is the really essential aspect here that it is important to understand such a journey, a complex journey is easier to do when you work with partners that have experience, that have blueprints, that can help you in deciding what you need and making this essential, so to speak, implement these essentials, but also operate these essentials. So we had the detection response part.
There are other parts, like in the identity space, where a lot of knowledge in how do I do that right is needed. And this also needs an understanding of this entire cybersecurity element, including the Zero Trust part. That is something which is more complex. So this is more another Zero Trust specific perspective, but you also would see that a lot of the tools mentioned here actually are tools that also have been on the previous slide.
So to be good in cybersecurity, and Zero Trust is an approach that helps you in getting better in cybersecurity, we need to cover the entire cybersecurity cycle, whichever of the cybersecurity cycles you use, but it's not just the tools thing, but we need the process. So how do we do that? And I think this is one of the areas where managed services are definitely very interesting because managed service providers only are successful when they work with standardized approaches, when they have good and efficient processes that can be run with a reasonable effort.
And you need the people for that, which are your own people, but which are also the externals. Sorry, wrong direction. So what you need to do is you need to take a structured approach on cybersecurity as well as on the Zero Trust part within cybersecurity. And while some say, okay, this plan, build, run, improve, it's not really current anymore. And I believe it's still a very helpful thing because if you don't structure it from strategy to architecture, to implementation, to operations, then it's always about planning and building and running and improving.
Trust that at the bottom of the operations, it's a continuous approach. Implementation, you go to agile, but your architectural principles need to be stable and your strategy as well. It's a long-term strategy you need to have here. So this is, I believe what you, what's really helpful. And when we look at it from a Zero Trust managed service perspective, then several of these areas, so I sort of put something more in a light, transparent mode. The ones which remain with the more bold headlines are the ones where, to my understanding, my perspective, Zero Trust managed services can help.
A managed service provider can help you with proven principles and building a blueprint based on experience, on standards. It's about implementation, develop, test, run, patch, update, doing this and showing the operations, doing all the operations in a very efficient manner. And so managed services can help you doing things better because they support you in many of the areas. We can discuss about some of the things I sort of create out a bit and saying, okay, even that is something where they can help, like helping you into requirements analysis, et cetera.
So their experience and their methods and their approaches help you doing things better. The same then holds true when you say, okay, what are the main things you need to do to get better, to enable your business, to get more secure and to build it, so to speak, your fabric of services that underpins your trust, your security fabric, your identity fabric.
And again, there are a number of areas where managed services can help you. So even at the top, when it comes to continuous risk adaptation, I see this as something, but when it comes to all those things below, running the service, continuous improvement, having a well-defined target operating model, every managed service provider will emphasize on the target operating model because this is about defining what is the responsibility of which party. And this must be well-defined because otherwise you have sort of a predefined break point where things go wrong.
So it is essential to do that and managed service providers can help you not only by being an extended work bench, but by helping you with their experience and knowledge. And I think when we go back to this picture I brought up a bit earlier, the survey where 65% said, we're still in the concept phase. Then this is a point which must not be underestimated. A service provider that has done that, helped customers a couple of times, can help in succeeding in that concept phase by having standardized methods instead of by learning from the others instead of trying to invent everything yourself.
And so I personally believe that given also the fact from the numbers that zero trust too frequently is not really yet becoming a reality. If we want to make it a reality, we need the right set of partners and managed service partners to help you across everything or at least across essential parts of it. We touched identity. Identity is one of these very essential parts.
These are, I think, one of the key success factors in making zero trust a reality. And if I'm right with my slide, we have one more poll.
Yes, correct. And then I'm done with my part. So second poll is asking about how do you use managed security services in a broader sense currently? So is it you do most of your IT, obviously your internal workforce, use managed services primarily for operations? Do you want to grow your use of managed services or is it anyway that you see most is anyway outsourced to the managed service providers? So where do you stand? Curious about your results and please respond to that poll. I would say another 10 seconds and please vote. We highly appreciate the more votes we have, the better it is.
Okay, thank you. Which, by the way, I can talk about as part of interesting results that around about 60% say we do most ourselves, but 20% also said we are intending to use more managed services. And some also say we already have a sort of a large portion of managed services in place. So not a surprising tendency that we see growth in managed service.
With that, I hand over to Heiko. Heiko, it's your turn talking about how to make managed zero trust work.
Thanks for the hint and thank you, Martin.
Overall, actually, I was not aware that you were highlighting that much, that we have a problem because that was the first question I asked myself when I read this title. When we were preparing this webinar, somebody put this as the title for the next section we're looking at. And I was really asking myself, is that even true? Do we have a problem? Because that's what the section implies, right? If you need a how-to, how to make it work, then something should not work. And so I won't go not anymore into that much detail of one aspect of the problem is we're not anywhere.
Zero trust is an old concept in IT terms, right? It's brought into existence in 2010. Aspects of it are even older than that, but we know this term of zero trust since 2010, and that's in cybersecurity terms, it's centuries ago that this was brought into existence.
I mean, the good note is that we as a community have understood it's important and we want to do something about it, but we still are not clear about what exactly we want to do, what we want to achieve, what is our scope, and all around that. So that's the one aspect. The other aspects, let's get into that in more detail. When I try to get an understanding of what is the problem, first thing is I try to fight the Dunning-Kruger effect. So I need to ask myself, what do I really know? Or what do we as a community know? What don't we know?
And then I really like these kind of meta-literature studies that go into the field where we look at all the publications coming in the public sector, coming in the research area, coming from practice-oriented publications, et cetera, and categorize all of these. And if you look at zero trust, you can really find these broader categories. So any kind of publication you will find basically falls into one of these categories, more or less. And directly on the next slide here. And when you look at that, then you can see that actually performance improvements and these categories are very broad.
So performance improvements mean two things in this case. One is what kind of performance improvements do we need to make zero trust work? How quickly do we need to make access decisions to really make use of our IAM in this context, for example. But it also means the other way around. What kind of performance improvements does our organization get when we do this? And so that and architecture is really, really well-researched. So mainly academia is looking at that and we find many publications around that.
And in that space, the more practice-oriented publications, so like the White Paper, I can recall we released sooner on this topic and many others in the field, mainly focused on what are the organizational advantages you have when adopting zero trust and also migration strategies. Not really surprising. And last but not least, to be honest, I was surprised to see we don't have a lot of user studies around zero trust because in IAM we have.
I don't know whether there is anything in the world as researched as much as login windows in the UX community, but it seems not to be the case for many of the zero trust use cases we look these days. And also economic analysis.
Well, that we have in common in the IAM community and the zero trust approach, right? There is not a lot of really good studies around that there. So for the next part, but this is something to have in mind. What do we know? What don't we really know well? But important architecture, performance improvements, migration strategies, all of this is here. Organizational advantages, all of that is here. We have a very good understanding. So it can't be the problem that we did not achieve a high adoption rate of zero trust in the last 13 years because we don't know anything. We know quite a lot.
And that's, you may remember the first picture I showed. Passion led us here. There are so many people in cybersecurity area really passionate about zero trust.
But well, as Martin said, we need to come really to reality in that aspect. And with this slide, I think a couple of things that I took from another study, by the way, you get all of these later. So you can really look at the full paper in detail if you want to. This was a paper really going over the practical aspects of what NIST has publicized as zero trust. The SP-90207, I think it's the paper. Was going through what are the different aspects. And with this, I want to start telling you two stories.
Two stories of customers we have in the managed services space where one of them was really successful and brought himself in a very, very good position overall. And the other really had some troubles. And I think we can learn from both aspects a lot. I will not give you the names. So we'll only talk about customer A and customer B in this case, but still very interesting. And also that is the reason why identity management is here highlighted. It's one of the four key things to be considered when starting a zero trust initiative. And so customer A.
Customer A was in the situation of a very fulfilling migration to the new IAM system. The last system was running for more than 10 years. And the IAM here was extremely proud of achieving that. And it was at that time. So shortly after the go live where the first zero trust initiative started at that company. And so for several different aspects, this person A really thought of, well, you know, at our company, we are so huge and it's so complicated. I'm dead sure zero trust will fail, right? It's so complicated. I don't agree. I think zero trust is not that complicated.
It's complex, but not complicated. But he said, it's so complicated. And it's in general, these projects, you know, if the first approach and the second approach fail and then maybe the third approach, I really get into that. Of course he was not neglecting any features and was supporting the whole project, but he was not getting himself as IAM leader involved into the zero trust program or project that was happening. Customer B, I want to talk about is a totally different story. Customer B really was running around asking for, hey, do we want to do anything around zero trust really?
Who is leading that? Where can I participate? And nothing was really happening. So he started by himself saying, okay, what can we do?
Right, he engaged us. And I will talk about this a bit more in a later stage. But even though nobody really had an interest in zero trust, right? He started to really look at all the different aspects of zero trust that are even outside of the IAM domain to understand the requirements that will be coming towards him. And this was a couple of years ago, right? I will not go into really more detail about the other aspects you see here on the slides. I think you can read them yourself. I highlighted what I put here, what I also see quite a lot, which was not mentioned in the study.
So that's the blue line down below. And that's what I mean by zero trust is complex. And I mean, it's not a secret by now. I think you can guess it, that approach of customer A, of IAM leader A was really failing overall. And the main reason is a simple rule. It's the big fish and the small fish. In that company A, when they started implementing zero trust, it was mainly that back in the days by the networking guys. And they were really looking only at the small piece of networking. And they were really in the nitty gritty details of it all.
So therefore, as I said, IAM was not a huge topic for them. And also the IAM leader kept out of it because he said, well, they're talking about so low level details. I don't really care at this stage. But this effect, I see time and time again, zero trust is humongous. If you really start looking at the different aspects, that's why I would really love to talk in the Q&A sessions a little bit more about what you mentioned, Martin, of saying, keep your scope in control. If you only want to look at network, only look at network. I see many companies who are not able to do that.
Maybe because they don't focus enough, but also maybe for other reasons. So the zero trust program really got bigger and bigger and bigger and bigger.
And very, very soon, it was a lot bigger and effort and people involved, and departments contributing to the whole program that IAM was the small fish suddenly. Even though this IAM program, as I said, was extremely successful. It was a huge project, migrated a high three digit, four digit number of applications in time from the legacy system to the new one, et cetera. And was really looked at from many different angles. Also in the top management level, it was very satisfactory, but suddenly it was a small fish.
Okay, let's talk about the managed services aspect, both of these customers were using. And in both cases, because we're talking about something that is running for a couple of years, we're talking about an aspect that is maybe I would call a version 1.0 of a service that we now offer, which has a lot more of options, a lot more of attributes. So we at iConsult, we are a vendor independent IAM company offering a huge variety of different services. I today only want to talk about what we call the smart managed services. And that is the result of a huge effort we took last year.
We started last year, it's a continuous effort, like many of these things are, where we really have an analysis on what is happening in the SaaS market, so software as a service market, in context of zero trust, which is our topic of today, and many other aspects, and we see a higher and higher adoption rate of managed services. So, I mean, we do managed services for very long, for many, many years, but we really thought, let's give it a thought what we can do to help our customers in a better way, actually.
And we came up with these three attributes that in our opinion, really matter for our customers. And that is the flexibility, the end to end scope and excellence. And these are, of course, first, just buzzwords. So let's give these buzzwords a bit of meaning. What do I mean by that? And we'll keep it brief and only talk about it in the context of zero trust. So when I talk about end to end scope, I mean, different dimensions of how you can look at it. When we set this up with a customer, what we want to do is looking at the various different types of services.
So many people, when they talk about managed services, they only speak about support, maybe operations, right? These are the two aspects that are very, very common in the managed service area. When we talk about our managed services framework, we go a step beyond and really, we package all the types of services we as iConsult offer around identity and access management into a bigger framework. So you can get advisory, you can get consulting, implementation, support operations, and we even started to allow business process outsourcing. What do I mean by that?
That is, for example, you get an SLA on how many applications per month you get onboarded. Or how many, or do you have your recertification campaign being outsourced, stuff like that. So whole business process being outsourced around identity and access management. We do nothing else. So when we talk about how to make managed zero trust work, please have that in context, right? I'm only talking always about the identity and access management piece of the puzzle, which is a huge one. So second dimension we were looking at is the coverage of services.
When looking at zero trust, there come a ton of new requirements to IAM teams. And mainly, you may remember the short teaser we did where we put some thoughts up where I said, are your very best friends with this system? And I really mean this. We as IAM community have actually a tendency to not see ourselves as part of the security community. And I think this must stop right now. We are part of the security community by no doubt. And we need to work very, very closely to them. And I'm coming back to my customer A, right?
So he didn't really have any contact, or sorry, I want to talk about customer B. So customer B did not ever have any contact with the security department before really looking at zero trust and what he can do there. And I mean, apart from, okay, I need to have my own application pen test and stuff like that. He did of course that with the internal services. But apart from that, no real contact. And basically then that's what he did, right? He reached out, well, not the CISO directly, but levels under him, getting a grip of, okay, what do we plan? And when do we plan something, right?
Okay, it's not on the radar for this year, but maybe next year, is there anybody working on that to be really at the forefront of it? And at the same time, he started really working towards all of the requirements he was seeing that potentially come, that typically also benefit you in other areas, right?
If you have a good concept around how to provide cloud access and how to manage that in your IAM, then when zero trust is coming, which typically addresses these problems in an early stage, because a couple of the best practical literatures you can find are the zero trust concepts provided by the big cloud providers. For example, if you want to adopt something in their area, then they have good literature around that. So that is something that I see very often at customers, then that is the starting point for zero trust.
So if you are a heavy Azure user, you start your zero trust initiative in Azure, AWS, same thing. And then you roll it out from there to the whole organization. So he started really, okay, we need to get to the cloud and we need to have a very efficient way of managing access, how do subjects access resources, and all of that in the cloud and started that. And what we see is then when you start getting into more contact, that you quickly learn that there are a ton of security signals coming out of the IAM, where IAM teams typically are not ready to cover that 24/7.
If you have an alert triggered by logs in your IAM system, for example, it's sometimes very, very hard for central SOC teams at our customers to analyze what does it really mean and what is the impact? Do we need to shut something down or can we mitigate it by only shutting down the single user? What does this log entry mean? And then in many cases, the IAM teams, they have not 24 by seven coverage. Needless to say somebody available with the knowledge to analyze the impact of such an event. So we also made our services bigger introducing an IAM SOC, right?
We don't want to be your general SOC for everything, but we think it really makes sense to have IAM experts on hold all the time. In such a case, you have an incident you can really reach out and use that. And then last but not least, type of systems.
Also, to be honest, something that we didn't think of, but this very customer B thought of, right? He had this legacy system and he wanted to do the move to the cloud. So what he did is actually giving us the responsibility of both saying, okay, you manage our on-premises system and the cloud system. And when you do that, right? If you take longer, if you're not efficient enough, then it's your problem, right? You take responsibility and the risk from my end. And that's the key message here. So managed services is a lot about risk handling.
What kind of risk from such a complex project do you want to handle yourself? What kind of risks do you want to have somebody handle outside, right? Who has maybe other resources, other experiences, et cetera, and can maybe handle this risk better? It's a very basic insurance question. And many of the security questions are such type of questions. So this is what we mean by end-to-end scope, really many different dimensions where we look at. Then another aspect which is really important is experience.
As I said, right, it's a very old concept, 2010, centuries ago, basically since we know Zero Trust. So it has evolved a ton since then and is evolving very, very quickly also now, right? Every single week, if you look at the security market, you see not one, not 10, you see hundreds of new vendors reaching the markets globally that tell you that they have something that they can trust, right? So having the knowledge of all of these is absolutely impossible, also for us.
I mean, I will not tell you anything different than that, but at least there is a very good chance, right, that we have touched the products you will be using, you want to start integrating with your IAM system, with your SOC team, et cetera, that we have done that also before. But the key message is, it is absolutely important when you look at a managed service provider, doesn't matter whether it's us or somebody else, absolutely key to understand what are they doing, to really train the people constantly, not one time, but constantly.
And this is also an aspect where we think it really made sense, if you do something wrong, identity and access management, to partner with a company focusing on that, because we do nothing else, right? All our people, we will not have anyone sitting in our support team who has done network security before. And that was the only part, and it wasn't since then for networking somewhere, right? Whoever works for us is really focused on identity and access management, and it really helped us a lot in getting a lot of managed services customers happy in that aspect.
And last but not least, before I come back to the stories, and also some more challenges that I typically see, is the part of flexibility. And this part of flexibility is a two-edged sword. On the one hand side, the time I'm dealing with managed services, which is a couple of years now, I have not signed the same contract with the same type of services a second time. It just did not happen. Every customer really needs a little bit of a different thing.
But at the same time, as I said before, it is absolutely important to create these efficiencies in your IAM program, if you want to handle the big complexity that you're going to face when adopting Zero Trust. So this is the fine line you have to walk on to really have, on the one hand side, flexibility. On the other hand side, you need standardization in the single types of services that you deliver. And this is true for yourself if you do it yourself, but it's also true if you engage with a managed services partner like us.
And don't take what we see here at the slide as only an example of how we look at this whole piece, right, where we bundle all of these different types of services, of advisory, of support, of implementation, and you have really different options that you can choose. What we like to do is, really, when we start an engagement, is going through all of them, even though you will not really consume anything else than, let's say, a one-time implementation of something that you like. And everything else is not of interest right now. But what we see time and time again, things change.
And that's part of flexibility. Probably in a year or two, your team setup looks totally different, right? Maybe people have left the company. Maybe people have left to a different department. You have a different situation, et cetera. We see that all the time. And then suddenly, you are in need of having a partner supporting you, or it's even a strategy, right? We see these waves of, okay, we don't want to insource everything, and then a couple of years later, somebody at CW decides we want to outsource everything again. So that is something that we see times and times again.
And for all of this, right, it's good to be ready. So what we like to do with our new framework here is really, very briefly, doesn't take a long time, discuss all of these aspects, what is potentially interesting, what is not interesting at all, et cetera. And this helps us because then, when we agree to, let's work in this type of framework, then we can really make sure that we have these efficiencies even if you take one of these options later, even if you change your mind.
You see, for example, here, for the implementation of managed capacity model, which is something that we offer, where we really, on a monthly or quarterly basis, we change team sizes very quickly for very large-scale projects, for example. So having this kind of flexibility, absolutely important, because Zero Trust, as I said, has a lot of complexity. And wherever we see this adoption running out, right, even though you do a lot of concept work, we see that in the stats, you get surprised of how complex it really is.
Then you have a big migration of something happening, and suddenly, you really need, I don't know, 10 support people. That can happen very, very easily. So the customers who are really using this really appreciate that we are able to scale in different aspects.
Scale, as I said, by dedicated people, scale by shared teams that we have introduced now, and it also helps smaller customers who don't really engage with a full support team right away or ever, because that's just not needed for the number of identities that they have. Okay, end of that part. Some more changes that I see very, very often, and I want to finish with that in my story, and just leave this here, but maybe that introduces some aspects for you to raise questions in a couple of minutes.
So, customer A, right? Keep in mind that he stayed away, stayed remote from the Zero Trust initiative, and it became super, super, super huge. And basically, when he understood this, the IAM leader of customer A, that it's becoming this big thing, and even though it was failing in many aspects, but in others, it was successful, and then you have the sunk cost policy and all of that, it was too late. It was not able to really get to the decision board anymore. It wasn't able to really steer how requirements should be shaped, et cetera, what really helps this IAM system.
And basically, what was happening is, okay, we were not talking to you all the time, so what we did is we looked at other services that we have from cloud providers, from other vendors, et cetera, and actually, in the end, they ended up having another access management system, identity access management system, which then they used for all their Zero Trust use cases, and guess what? Now, the plan is really to migrate away from this first piece that they put in place and get to a new system, which supports Zero Trust better, because that is the strategy that they move forward.
So I would say this is a huge failure overall, and it could be avoided by really getting engaged early and understanding very, very early how big Zero Trust can become quickly, and also that it cannot work without IAM, right? So if the Zero Trust initiative is not talking to you as IAM leader, then they're talking to somebody else doing IAM. It can't happen that there is a Zero Trust initiative where identity access management does not play a key role. So this is the kind of aspect that you should have in mind.
And needless to say, right, Customer B, I was talking about, right, he's not a go-to guy. He's not leading Zero Trust because he never wanted to be, but he's really in the steering board. Everybody's really appreciative of him being around, being very knowledgeable about the topic, right? So for him, it's a piece of cake, to be honest, in the IAM area to tackle the challenges around Zero Trust. Doesn't mean it's easy for the whole organization, but it means it's a lot easier for the IAM program that is running at Customer B.
So apart from these key messages, last slide, promise, apart from these key messages, take that with you, right? And I really mean it serious. Try to make the connection to the rest of the security community at your company. Really get to those departments, really get into contact and understand this early and start doing. That's the key message. We need to stop conceptualizing too much and really get the adoption rate up because 13 years is just way too long.
Yeah, apart from that, I would say these three key aspects also very important from my end, but if you look at a managed service partner, focus on these three aspects. We all know this, you can evaluate a thousand different things, but my recommendation is focus on these. The experience and expertise around exactly what you need, that's key number one, right? And that's where I think looking at a specialist for IAM, when you look at IAM, makes absolute sense.
We have seen that also, not in one of the customers I mentioned, but we have to very often that first you have the support operations for many years and a generalist doing basically everything for you in your IT organization, but you understand, oh, it's Zero Trust. It's now getting more complicated. Somebody needs to have more knowledge about our infrastructure, modern systems that we have. So now we need to rethink how we really do all of these aspects.
And actually I was basically in a customer presentation last week where exactly that was happening, that the whole support organization was analyzed again and rethought around, okay, what can we do to create more efficiencies with these? Yeah, the rest I think are very, very common practice, terrible German translation, no brainers. So really assess the integration capabilities and also understand the approach for continuous learning.
As I said, if you have good guys today, it doesn't mean you have good guys tomorrow. So it is inevitable and super important that your provider, whoever it is, or if you're doing it yourself, focus on this continuing learning aspect extremely and makes it plausible. How is it happening and why is it happening? Because typically you have a tendency, if you as a customer are not paying for it, why should your provider do it? And if it's not transparent that you're paying for it, how is this translated?
It is very important to really understand this aspect because times and times again, we've seen that it simply then doesn't happen. If nobody puts priority on it, it simply doesn't happen and your knowledge gets outdated very, very quickly in this aspect. So that was my last slide. Now I really look at some questions. Hope we will have a good discussion.
Thank you, Heiko. And I go back to my screen. So we should have the screen again and we go into the Q&A session. And so the first thing is, if there are further questions, so we have some questions already here, feel free to enter these questions into the tool so that we, as I said, the more questions we have, at the end, the better it is, the more we can discuss, but also feel free to share some of your experiences here. So for instance, when you were implementing that, what are the biggest challenges you faced? Or if there may be also, how did you overcome?
Feel free to provide a bit of insight into what you did in your organizations. Or experiences with IAM managed services. I think these are aspects which you can pick up also in the Q&A and look a bit deeper into that. So here's the first one, which I have to admit contains one model I'm not very familiar with, but maybe Heiko, you can answer that. That just came in from one of the participants.
Do you think Istio could be a good start for implementing a zero trust framework for an on-premises in-house developed distributed service platform using Kubernetes that shall be extended by resources and should be able to be used in a distributed way? Distributed service platform using Kubernetes that shall be extended by resources for public cloud. So that's a detailed question, but.
Yeah, I can answer that. But just a small comment. I cannot see the questions, unfortunately. So maybe we can do something in the background.
No, you have to rely on me reading it. I can reread it if you want. Okay.
Okay, then. No, no, I hope I got everything.
So Istio, to get everybody on the same page, Istio is a tool, especially designed in the Kubernetes world, to create a service mesh in Kubernetes. I would put it in the area of micro-segmentation, and that's why this question is extremely specific around, yeah, well, this technology. I would say yes, okay, I need to make it bigger. We were saying this quite a couple of times, right? Zero trust, it's complex. There are a ton of different aspects. So it's very subjective in the end, what is the best first step for you if you want to adopt zero trust?
And so this is a network security aspect that you're looking at, and it's even more specific. It's a network security aspect in Kubernetes. So that really depends, right? If you are a huge organization, and Kubernetes is the platform of choice in the future for the things that you really care about, then maybe that is the best first thing to do, right?
And then, I mean, Istio is, I would say, in the Kubernetes community, a de facto default now, right? There are some good alternatives as well, and then it's also very subjective, and we would need probably an hour to really go into details whether that is the best tool of choice for you. But it's definitely, I mean, one of the market leaders in that aspect. So that will not be a bad choice. At least that is something I can say.
Okay, the next point I'd like to discuss is, so when implementing Zero Trust architectures, what are, and as I said, if anyone has to share something around that, but also from your perspective, Heiko, what are the biggest challenges you see your customers facing, and how do they deal with that? I can maybe add on a bit from my end, but you go first.
Yeah, so I had it on the slide, you may remember. We had this kind of blue line at the bottom where I put what I see very often at customers, and this was legacy systems. So you come up with very cool concepts, and day one, you really want to bring this to reality to find out you have this ton of legacy systems. And what typically happens is then that you do not start implementing something and achieving the 80% that you can achieve, but you get back to the drawing board. And that's the reason where you see customers times and times again staying in this concept phase. Next thing is complexity.
I think we talked about that a lot. And then skills gap.
That's, I would say, number three priority, right? Customers that we talk about, they do not have the people ready that they would really need to work on that. Because typically, you know, Zero Trust is brought up by people who do something else at the company already, right? So they don't have the capacity to really focus on this part in full detail, yeah?
Yeah, and there are a lot of new technologies. So all these four-letter, five-letter acronyms, a lot of promises for marketing. So I think when I look at just the number of tools that come up, it was a promise. If you use that tool, then you have zero trust done.
Honestly, there's not a single tool that does everything of zero trust. So what I see as challenges is really also just understanding what is in and sort of prioritizing where to start and what really delivers then a benefit. So this educational part, it also has to do with skills. I think the other part is also, when we look at zero trust, then we have this, for instance, this policy concept. And when we go to a new zero trust architecture, there's a wonderful policy control plane. And this policy control plane must then work with a wide variety of systems.
And when we look at this, then it means we end up in, sometimes the situation, oh, the systems are not really ready to be controlled by policy. So when you look at IGA tools, then there's some way to go for certain areas of policies. But you also end up in a situation that we talk about integration. And integration, I think, between the different components of zero trust, from central control planes to enforcement in different areas, that also is definitely one of the bigger challenges. It requires also, I believe, to overcome that. A good amount of pragmatism is extremely helpful.
So if you are pragmatic, it makes a lot of things much easier here in the zero trust world. So it really makes things, you need to sometimes say, okay, I can't do yet, but I at least know how I build these policies over time. But I do that part first, maybe in a way which is not as perfect as I'd like to do, but at least I made a step forward. And also sometimes be happy with making steps forward. Absolutely. And I really want to highlight this, the story of Customer A, right?
It's also, and by that, I want to stress what you said about prioritization. Prioritization does not only mean what do I want to implement first, it sometimes also means one of my processes that I do have today is really keeping me from achieving something. So at another customer, what we recently did, we are extremely proud of is we had this, and I told the story of, there was another general service provider managing the operations part of the system with about 20 people.
And then we looked at the system, took it over, and actually nowadays, we have less than a 10th of the tickets that were there before. And also we do it with less than five people. So that's a quarter of the people that were dealing with the same stuff before. So that frees up a ton of capacity, either it saves you costs, or it frees up a ton of capacity of really achieving something. So it's not only looking at all the new things that you want to do, but sometimes it's also about looking at the old things to really make something work and free up the capacity to deal with it. Yeah.
Okay, I think we can pick one more question. And I think this is an interesting one because it's about balancing the need for higher security. That's what we want to achieve with better, but with user convenience.
To me, maybe I'll start here. To me, this is always the wrong way of thinking. Security and convenience also means, security goes up, convenience goes down. Convenience goes up, security goes down. We would be, serve our set of users much better if we could bring up both. I believe that zero trust, when we look at the identity piece and the authentication piece, can hold that promise or finally deliver to that.
When you look at modern passwordless authentication adaptive risk, context-based, et cetera, then the way we authenticate today with using secure elements on the device that work in the background with biometrics, et cetera, is way simpler than most of the authentication, specifically because of the strong authentication we had in the past. And it's also way simpler than username and password. So I think there are areas, I think there's a growing understanding that balancing security and convenience includes the mistake because it's combining both. If you can.
I mean, it's not always possible, but especially in IAM, right now we have a ton of very good trends in that area where that's really the case, right? And that's a win-win. And I think we as a community need to get a lot better at explaining these benefits. We are driven by, many times customers come, well, we have this audit, we have these findings, we need to get rid of them, right? And that's the driver for the next implementation of the next feature, et cetera. So in many places, you're not used to articulating the benefits that you're bringing to the organization. And that's changing.
If you do what you just said, Martin, right? If you bring better security and better convenience to the organization, then you really have an asset that you bring. And that's something that I guess we as an IAM community need to get better at communicating that to the broader organization. Okay.
Heiko, thank you very much. Thank you to iConsult for supporting this KuppingerCole webinar. Thank you for everyone attending to this webinar or listening to the recording later on.
Now, I think this has been insightful and hopefully helpful to support you in making Zero Trust a reality and understanding what can help you here. So thank you very much. And hope to have you soon back at one of our KuppingerCole webinars or events. Thank you.
Thank you, everyone. It was a pleasure, Martin.