Welcome to our KuppingerCole Analysts webinar, The Impact of Expanding Attack Surfaces on Enterprise Cybersecurity and Why You Need a Strong IAM Posture. This webinar is supported by One Identity, by Quest, and the speakers today are Larry Chinski, who is Vice President, Global IAM Strategy at One Identity, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. Before we start with the content of today's webinar, a little bit of housekeeping. We are controlling audio. We will run two polls during the webinar. And if time allows, we will look at the results during Q&A.
We will have a Q&A session at the end of the webinar, but you can enter questions at any time using the webinar tool. On the right side of the screen, there's an area Q&A, which you can use to enter your questions. Last but not least, we are recording. And we will make the recording as well as the presentation slide decks available shortly after the webinar. So that's it in a nutshell. And before we start with our topic of today and have a look at the agenda, I want to start a quick poll. So we will leave the poll open a little longer than I continue with the slides.
I always appreciate when you're participating in these polls because the more results we have, the more interesting, the more valid the results are. So this first poll is about the budget changes for your identity management or identity security budget for this business year compared to the previous business year. So significant growth north of 20% or a slight growth in the, as we define, 5% to 20% area, stable plus minus 5%. Or will it decrease by more than 5%? So looking forward to your responses. And as I've said, the more of you participate, the better it is, the more interesting it is.
You'll find a poll section as well in the webinar tool on the right side of the screen. So looking forward to this. And having said this, we leave it, as I've said, we leave it a bit open for a while. I want to quickly look at the agenda for this webinar where we have a very long title, as you've learned, but basically it's about the role of identity and for cybersecurity. It's about identity security. I'll talk a bit about why identity is so central to cybersecurity.
And then Larry will also give a sort of a short intro presentation about strengthening your IAM posture for tackling the ever-expanding attack surface. And after that, we will have a mix between the fireside chat and the Q&A. So it will be sort of a chat between Larry and me, but basically we also will already start picking up your questions once they fit into the flow of the conversation and try to respond to the questions you have. So don't miss entering your questions.
The more questions we have, the better it is for such a webinar because the more lively also the conversation afterwards will be and don't miss the opportunity to ask Larry and me whatever you are interested in. So when I talk about identity and cybersecurity, then I tend to go back to zero trust.
And yes, you may argue zero trust is a bit behind the big hype, which is, I would dare to say basically a good signal because it means we're shifting more into a phase of maturity and adoption. And it's still a journey for many, many organizations. When I talk to organizations, most still have a long way to go.
But I'm a believer in this concept of zero trust because I believe as a paradigm, it's an extremely valuable and a very important approach because it really helps us focusing on what you need to do, which is a multi-layer security, which is not trusting single components, but really trying to have multiple roofs, multiple verifications, and always verifying, avoiding things like lateral movement, but also just blind trust. And why do I bring this up in the context of identity?
This is, I think, pretty simple. When we look at zero trust, then it starts with the identity. It starts with, for instance, me, Martin, authenticating using a device to a system. So at the beginning, it's always an authentication of a human identity or sort of a silicon identity. It is identity to device, then it goes over the network and then it's going to a system and applications. That could be one. If you think about a SaaS service, then we probably look at it as a service. And then we go to data. And finally, this is all built by software.
So everything in IT shows up in some way here, but identity is, so to speak, nearly ubiquitous across this flow. So at the beginning, it's the authentication. It's the context-based authentication. It's about identity threat detection and response. It's about identifying, is there a potential threat? So does this look like a malicious attempt of Martin, of someone impersonating Martin to come into the network? We need to manage the device. And also there, we need to map the device to the user. We need to have this binding.
We potentially use, in modern authentication schemes, we use secure elements on the device, like a TPM, a Trusted Platform Module chip, to have some of the information required being stored securely on the device. But it's also frequently an identity-related thing here. It goes over the network and also Zero Trust network access to pick up one of the things here. Zero Trust network access is about enabling an identity to securely communicate across a network. But then we come to the system.
Yes, the system needs to be managed. It's also an endpoint. But it's also about access. It's about, then in this part, so at the beginning, it was, we need Martin and authenticate him. And right now, it's about authorization. It's about, is Martin entitled to access? And to do whatever Martin intends and tries to do in the application, this is very much about the access part in identity and access management. We also might have privileged access management here.
And what you see is identity is extremely important for everything we do in this sort of fundamental cybersecurity paradigm, which is Zero Trust. There's data security, and by the way, data security also has to do with identity, even while we frequently haven't solved it perfectly well. So managing access to data is surely one of the areas where we can improve. For instance, if we have data lakes and want to decide who can do what and see what in the data lake, still not easy to solve. So I can guarantee you, ask me how to do it, but it's not super simple.
And then we have software, and we need to ensure that code is under control, is not altered maliciously, all that stuff. Also there, a certain element of identity and access is in. Who can access the Git? For instance, this is about access control. So what we need is an integrated approach on security, which is identity security, and it's not identity versus security.
These things are really very close to each other, and there are elements in identity which have a different focus than strengthening security, because it's also about a digital identity, for instance, your customers and consumers, which has a different angle. Yes, you need to secure that, but there's a lot beyond that. There are things in cybersecurity which are not identity. Traditional network security to sort of extend on some of the other elements, but in many, many places around security, you find identity.
And so when we need to think about this, then we should really think about a combined approach. And my colleague, John Tolbert, a bit ago did this exercise and said, okay, where's the identity across the MITRE ATT&CK matrix? And it's everywhere. It starts with phishing attacks. So I want Martin's password. It goes to brute force attacks. It goes to trying to gain access to other access tokens or elevated privileges and so on and so on. So it's at the end of the day, when you read through that, I don't want to read out this entire slide.
It is very clear that identity is really all over the place when it comes to cybersecurity, when it comes to attacks. And we also should be very clear, and Larry surely also will talk a bit more about that. When we look at what attacks, at the attacks, then it's, so some say everything is identity based. It's not exactly true because there are vulnerabilities in software that can be used to box, et cetera. But a really big number of cyber attacks, a really big share is identity related. It's about gaining access to credentials, abusing the credentials, all that stuff.
So we need a very strong identity and identity security posture. In this age we are in of ever increasing cyber attacks. So this is where I'd like to start and why it's so important. After another poll, Larry will also bring up, bring in his perspectives and then Larry and me will exchange and also respond to your questions. So as I've said, feel free to enter questions at any time. And I'd try to, will launch a second poll. And this is, it's just as sort of a subset of technology. So I picked five technologies I feel are really interesting and really relevant.
But if you turn, I'm curious about which of these technologies do you feel is the one which is most relevant? So it might be a bit biased. We have a lot of identity people here, but as of that, I'm really curious about your perspectives on if you look at these five, which one do you feel is the most relevant? With that, and while the poll is continuously running in the background, I want to hand over to Larry.
Well, hello everybody. I'm Larry Chinski and I'm a vice president of global strategy here at One Identity. And I'm really very excited to be here today with Martin. So I've known Martin, gosh, I don't know Martin, how many years now I've known you ever since I've been at One Identity, I think. And we've been able to meet a few different times, you know, there in Germany, here in the States. So it's nice to be sharing the stage with you here.
I tell you, a lot of the things you've just talked about are exactly what we have been trying to educate organizations with, you know, out as we, as I travel through the globe, meeting with organizations, understanding their approach to identity and understanding, you know, how are they looking at some of the threat surfaces and things like that and how are they responding to that? So I'm very interested to see what your poll, what these polls provide here because, especially the second one, because the second one has a lot of really important initiatives that I ask customers all the time.
And one of the things Martin, you talked about was this whole concept of where the breaches are occurring, which are, most of them are on the identity now. As a matter of fact, depending on which breach report you read, even if you look at only ransomware, somewhere between 82 and 89% of all breaches today occur on top of the identity. And that's a very interesting statistic. And the reason that they're occurring on top of the identity we're gonna talk about, but if I show you a few examples, there's an acronym that we like to use called EFL, and that stands for easy, fast, and lucrative.
So the threat actors today, when they go to try to breach into an infrastructure, they want three things. They want it to be easy, they want it to be fast, meaning they wanna get in and get out, and they want it to pay a lot of money. And that's why we see such a lot of high demands on ransomware. So this whole thing of, in the past, where they would sit inside, maybe do some war driving, breach a wireless network, and sit in there for nine months collecting credit cards, doesn't really fit the kind of model that threat actors are looking for today.
They wanna get in and out, inject encryption algorithms into organizations to encrypt that data, and then actually charge a ransom to get paid and get out. So I threw up a list of a few organizations here that just in the last two years were victims of a very widely publicized breach. So one of the things you'll notice here is that none of these industries are the same. We've got hotel and gaming up there, we've got restaurants, we've got oil and gas, we've got technology, we've got phone, restaurants, you know, all kinds of different verticals up there.
And what that means is, is that the threat actors don't care about the data that they're hijacking. Whereas in the past, they might only target a finance company, or maybe healthcare. Now they don't care. As a matter of fact, you look at some of these breaches in the past, like Colonial Pipeline, which seems like that would be one that'd be a pretty high target area. But then a few weeks later, we had JBS Foods get attacked. Now that was a chain of slaughterhouses and meat processing.
Now I can probably tell you that they most likely didn't think that threat actors would care about their data, because what are they going to do with a bunch of information around slaughterhouses and meats? But the threat actors now know that the organizations care. It's very important to them. So this is really agnostic across all industry verticals. There's really nobody safe.
And, you know, Martin, you pointed out a good point, and, you know, the different ways that they're actually trying to get to these identities, whether it's phishing or vishing, which is how Caesars and MGM were breached, which is a voice level type of phishing attack. But, you know, when you look at why this threat surface has changed and why this landscape now is being pointed towards the identity, there's a few different reasons for that. And I'd like to talk about this thing called the Enterprise Attack Surface.
And so the Enterprise Attack Surface is really just a wide range or a range of how a threat actor can get into the organization, you know? And so over time, this threat surface has what we call expanded.
See, once upon a time, we had the ability of getting near 100% protection on anything because individuals were coming into a building or coming into a physical office. And that's one of the reasons why we've seen this attack surface widen because of this enormous remote workforce that we have now.
So when you have an enormous remote workforce and your employees are no longer coming into the office, you're not really able to use hardened endpoints and infrastructure services to protect them anymore, such as, you know, content filters and dual layer firewalls and, you know, network segmentation and port blocking and things like that. Now, those identities, those people are out working remotely. So that represents a case where they're now exposed. And so that's widened.
And then if you look at the amount of cloud initiatives now, this is very interesting because, you know, when we first started talking about cloud strategy and cloud strategies and organizations, what the organizations were looking at was how do they provide their products and services as a service or put them in the cloud? We still had most organizations looking at their security posture and their security infrastructure and all those types of tools were on-prem.
Well, now organizations are looking to take those very security tools and deploy them as a service. So what you've seen over the last couple of years, are organizations such as One Identity and others create SaaS-based versions of their entire identity platform. So that's deployed as a service, that's typically maintained by the vendor in either a dedicated tenant model or a multi-tenant model, completely as a service. And so that's widened that out as well, because now you've got an attack point of those security tools themselves, not just, you know, the products and services.
Now, one of the other things we've seen interestingly over the last couple of years is that there's just a big lack in cybersecurity skills. And what that causes organizations to do is invest in what we call automation as a part of a digital transformation process. And so that's where we see things like hyper-automation and AI get used for trying to make up for the lack of skills they have.
So when you look at hyper-automation, most organizations think of that in a way of, you know, things like robotic processes and being able to leverage those type of tools to automate a lot of the things that they don't have the skills to maintain. So very, very common for that, where we see a lot of bots, you see a lot of organizations that provide robotic processes for identity. I've even seen organizations deploy bots to create identities, delete identities, provision and deprovision them, basically replicating functions that a traditional IAM solution would provide.
So this has expanded, this attack surface has gotten very wide. So what that's caused organizations to do is shift from what we call an infrastructure-centric cybersecurity model to an identity-centric verify and validate model. So we're gonna validate and verify those identities as they come in.
Well, one of the things Martin had talked about is the philosophy of an identity fabric or a converged or consolidated platform. And, you know, we hear a lot about this one plus one equals three, and I never really understood what one plus one equals three means. But really, when you look at it very simply, if you've got the way that we see security tools being purchased today, right now, identity and IAM is the most fragmented market in all of cybersecurity.
Whether you're talking about threat analysis, detection, prevention, no matter what it is, IAM is the most fragmented model in all of cyber. And that's because organizations are still purchasing specific tools for specific things. If they need PAM, they're buying a PAM tool. If they need IGA, they're buying an IGA tool. And they're kind of running those things separately.
Well, when we look at those organizations I showed you on that first slide with all those breaches, two interesting points. Every single one of those organizations on that screen was breached via one identity, an identity. The second thing you may not notice is every single one of those organizations had an identity tool deployed to protect them against an identity-based attack, but it didn't work. And that's because now with this expanded threat surface, the threat actors are able to kind of find gaps in between those security tools.
So for example, if you've got a PAM tool and an IGA tool, they're able to somehow wedge in between there and kind of bypass the security on both. Well, this one plus one equals three model means that if I've got an IGA solution that's providing IGA functions, and I've got a PAM solution that's providing PAM functions, if I integrate those together, that gets me a whole brand new set of capabilities that did not exist before. And that's what a one plus one equals three model is, because when I integrate IGA and PAM, I now can do automatic provisioning of administrative accounts.
I can look at things like detailed analytics behind what those privileged accounts are doing, and I can take action leveraging my IGA platform to fulfill different events. So, and there's a lot of different ways that kind of the four core market segments as they come together, enables us to provide that one plus one equals three.
So, it's something that we've started seeing a lot of. Martin's been talking about this for a while now and then the identity fabric, which I'm a huge believer in. This is something at one identity that we've been positioning for almost the last five years now. And it is the way now, when you look at the future of IAM and the future of protecting your infrastructure, this converged model or this identity fabric is really going to be what is required to provide a true identity-based ecosystem and end-to-end protection. And really, kind of the common thread behind this is the identity.
So, when you look at identity security across an entire landscape, we've got workforce and customer IAM, tons of privileged accounts, directories. So, when we look at this identity fabric concept, what we're really doing there is we're unifying identity together to provide a more comprehensive framework.
So, when you do that, that is what provides the best end-to-end protection against any of these type of identity-based threats out there. And so, as we move forward, we've looked at a lot of the, Martin and I have talked about this many times, but when we look forward to the future and what's going to be the best model, we know that buying individual solutions in a fragmented fashion like this isn't going to provide the best type of protection. It really is getting to a model where we consolidate.
And that's why you see a lot of vendors out there now that are maybe an IGA vendor or a PAM vendor is now trying to cross-pollinate. And by cross-pollinate, I mean, they are now investing in solutions outside of their market.
So, if they're an IGA vendor, look at some of them have now bought PAM solutions and they're trying to wedge those in. We've got access management vendors out there that have invested in lightweight PAM and IGA trying to create this unification.
So, that really validates everything we've seen in the market. Even private equity firms are getting on board and they're buying companies in multiple segments because of this trend.
So, that is one of the bigger trends we see now. And that is something that we've really start to come and put together is how we're going to have to build that true identity-based ecosystem and really bolstering up the security posture.
So, right now, we'll have a bit of a chat and we will look at the questions. We have, I think, at least 10 questions already here.
So, feel free to enter your own questions in the webinar tool, but also there's an option to vote. So, you always can vote for questions and say, hey, Larry, hey, Martin, please focus on that one.
So, I'll watch this and the higher the votes are, the sooner I'll pick up the question. So, that we have a good conversation. I'll stop sharing the background right now.
And Larry, so we touched really a lot of points here. Yeah.
So, I think one question, which is, I think there are probably even two around this. And this is, I think, an interesting starting point. We talked about identity security and then the question is, so in the organization identity, sometimes it's owned by the business, sometimes I see it being owned by the infrastructure team, while attack surface mitigation and a lot of cyber security things or also like cyber security is owned by security.
So, I think there are two questions around that, which we probably can discuss in a combined manner. The one is, how should it look in an ideal world? Or aspect number one. The second would be, if it's split responsibility.
So, how do you manage to move to sort of a joint conversation here? Yeah.
And so, you want me to start off with that one, Martin? Yeah, go ahead.
Yeah, yeah, yeah. So, and those are a couple of great questions and it's probably going to be kind of a long answer.
You know, when you look at an identity, any kind of, let's call it an identity project. It's one of the few type of IT projects that spans every single organization, every single BU inside of an organization.
So, I've always talked about, there's kind of like the top five reasons why these type of projects fail. And one of them is, because there's really no executive sponsor which means there's no way to communicate that with all the levels of the organization.
So, when we look at, you know, how to best put together a program like that, yes, identity should be viewed, first of all, as a mission critical application. And I say application loosely because we think of applications as individual targets. But really what we need to look at is, identity as an application, it will span all across the organization. And what we've seen is that, sort of the larger the organization, the more sort of fragmented and disconnected that is.
Meaning, you know, that gets spread out between, you've got a PAM team, you've got an IGA team. We've even seen financial, they have their own logging teams, right?
Yes, I think that is part of that. And yes, and there's, we only do that. And this is the next department, and then here, physical access here, et cetera, et cetera.
So, it's frequently sprawling across the organization. On the other hand, to be a bit more positive, what I observe is, we see more CISOs taking ownership of IAM nowadays.
So, when I go back a few years, I think two things have changed why it was uncommon. So, the one thing is, CISOs have a way more active role. When I go back a couple of years, CISOs frequently were really more a governance, review and audit job. And right now, CISOs usually are very active. The other thing is that, I think it's increasingly understood, which role identity plays for cybersecurity.
And so, I'm more than three decades in the identity business. So, at the beginning, we looked at network operating systems and administrative tasks, like meta-directories. Then we had a bit of single sign-on, and then it shifted a bit. It started in the infrastructure space, and then we saw more governance coming in, sometimes changing the ownership. And right now, it's really shifting more into the CISO domain. We may even see a further shift, or a split, in some sense, between more the digital ID aspects, like enabling digital business, and more the security aspects in the future.
I think there's also, in many organizations, I see something really, I see a positive evolution here. Yeah, that's true. I think we need to work on that.
Yeah, yeah. And you're right. One of the things that, when you talk about the role of a CISO, I remember, I'm sure you remember this too, Martin. If you go back 10, 15 years, identity was kind of viewed of that, I just need to synchronize passwords. That's really all I need to do. Or I need to provide a single sign-on, enterprise single. So CISO didn't really care about that, because that's an operational efficiency type of thing. And even today, look at access management solutions.
Access management solutions, if you look at the top four reasons why access management solutions are purchased today, security is number four. It's last. Operational efficiency, and ease of use, and that sort of thing.
But yeah, now, as it's evolved, and the attack surfaces widen, and the breaches are occurring on top of the identity, you're exactly right. The CISO is usually the one now, because now IAM has become a true part of a security posture, not just an OE type of thing. And I think that going back to one part of the question, which is also, how do you foster conversation? I think it's about working on understanding, we are all working on the same challenges. What helps us, to my experience, is regulations. So we already have a ton of regulations in place.
And on both sides of the pond, we see a lot of new regulations around, like the EUCR, CRR, so like the NIS 2, the critical infrastructure regulation, like DORA in the financial services industry, et cetera. And the interesting point is, all these regulations we are facing span identity and cybersecurity. And all the controls framework, the risk management framework, all this stuff is covered. And that means, when we start from a regulation perspective, it's very clear. If you want to comply, we need to work hand in hand. This can be a very good starting point.
Instead of saying, hey, identity is the most important thing, way more than cybersecurity, this probably doesn't help foster conversation. Yeah, yeah. But if you say, hey, we all have to solve similar problems, we have similar challenges, we need to work together. I think this is a good starting point to respond to the question, the initial question we had here.
Yeah, I like what you're talking about compliance, Martin, because I think that I've read somewhere, and I can't remember what report, that when you look at all the different regulatory bodies that are there, whether it's on what side of the pond you're on, I think I've read that around 60% of the security-based regulations we see can be resolved with an effective IAM solution. So, and it could be as easy as password policies or things like that.
So yeah, you're exactly right. Compliance is a great way to say, not only can I provide a secure platform and lifecycle management that we think of, like onboarding and offboarding and role management and stuff like that, but also as a vehicle for ensuring that the regulations are met of all those different types of bodies that we see. And then also when you look at ISO 27000x, identity is an important place there.
Okay, let's look at the next question, which already got four votes. So as I've said, vote for the questions you'd like to see answered first. This is about, with all the technologies involved in Zero Trust, where to start? Yes. Is it authentication or is it something else? So even when we say we take a, when we may touch the holistic perspective to Fabric later on, but even if you say we do that, we can't, so to speak, build Rome in a day. So we still need to understand where do we start? And I think there are different approaches we can discuss on how to select where to start.
What's your point on that? Yeah, and I've got a, this is a very, very personal one for me, Martin. And you know, matter of fact, I like that you started off your session today talking about Zero Trust. And this is a conversation that I've had many, many times. And most of the feedback I get from, matter of fact, I've had this quite, I've had people, I've had organizations ask me this many times. I've also had organizations say, we feel that Zero Trust is unrealistic. We feel that it is overwhelming.
And we don't know where to begin, but let me tell you our, my approach and my thought on Zero Trust. My thought on Zero Trust is, you know, cause obviously the overall core philosophy is, you know, you trust no one. And in my opinion, kind of all accounts are privileged accounts because they have access to something. But I tell you what, I like to start with Zero Trust. And I use Zero Trust and JIT kind of interchangeably. JIT meaning just in time, privilege or just in time provisioning.
I like to start Zero Trust, and this is what I've helped a lot of our organizations do, is let's start with your Zero Trust model on your privilege accounts only. And the reason I say that is because when you look across an organization and the Zero Trust philosophy, which I'm a big believer in, if you've got 10,000 employees, it's possible you may only have a couple of hundred actual privileged accounts. Maybe you have some service accounts and admin and real analytics and all that sort of thing. So it is much easier to start your Zero Trust project on a small number of accounts.
And why not start on the ones that are most critical in the organization, which is privilege? And that's fairly easy.
Yeah, I think it's a fair approach. Two points I see here. The one is, you said Zero Trust is so complex. A lot of people say it.
Yeah, yeah. What is the easiest way to solve a complex problem? You deconstruct it in smaller problems. Yes. Solve the small problems and then you bring it together again. So you need some understanding and solve small problems so that you end up with something you can combine again. But I think this is really the way to look at. So don't try to solve Zero Trust. Understand what is most important, what is in that, and what can you solve?
And this also helps you then potentially to pick the areas where to start because that is also, when we have some, for instance, in our advice routine, we use some standardized methodology, which helps people, which helps walking through in workshops through. These are the various building blocks. And let's look at how important, are they relevant to you? How relevant are they to you? Where are you with them? So is this something where you have a major gap or not?
Then you can create wonderful scatter diagrams, for instance, which help you to say, okay, here on this upper right part, these are the things where I should start. So there's not the right place. On the other hand, I would dare to say, moving forward with a strong passwordless multi-factor authentication definitely is an investment where you don't, so you can do it wrong, but how you do it, but doing it, so moving forward in that space definitely is a good action. So you won't start at the wrong place when you get better in this area.
If you do it right, so you can surely fail with every project, but basically this is what you should do. So this is my thinking here.
Yeah, yeah. Well, and you know what? I guess one of the first things I like to do too, Martin, is, it's amazing when I hear zero trust.
I mean, what does that actually mean to that organization? Can you define what you'd like to do?
Like, and typically what that means is something along the lines like this. I don't want the, I don't want accounts to be there. I don't want passwords to be there at all. And I'll use my example on Privilege, for example. So there is no Privilege account that resides active on an infrastructure anywhere. Whenever you need access to, let's say an application with Privilege credentials, you request it. It goes through its MFA process.
You know, it dynamically provisions the account and enables it, dynamically assigns a password to it. When that time has elapsed, it removes the password, disables, and then deletes the account. So there is no account there at all. So that's kind of one, that's probably the most common type of thread that I've heard from organizations I've talked to when they talk about zero trust, which is why I use JIT interchangeably. But I like to identify, what do you mean by zero trust first? Let's figure that out. And then let's move forward from there.
Yeah, so I think, but that would probably go beyond the scope of this conversation. So I think very interestingly, look at the NIST zero trust architecture, then there's policy-based access control, also trust and timing. And I think, yes, there are elements in which we need to think about how can we get rid of them, like standing entitlements. But that's probably a bigger conversation. We have a lot of other questions here. So maybe we move forward a bit to the next point. So the next question with a number of votes is, employee identities are managed by HR.
What is the best place to manage non-employee workforce identities, or generally speaking, non-employee identities, and still keep control of what workloads you may have? So define which employee manager can manage which non-workforce identities. So how do you deal with a scenario where you have a lot of different types of identities? How do you get it under control?
Yeah, and that's another good question. And you're right, typically the employees are an HR system.
Now, what we've actually seen, and depending on how many there are, so if it's consumer identities where there might be millions or hundreds of thousands, that's typically managed in some other type of repository. It could be a ticketing system or something like a Workday or ServiceNow or something like that, where they have their own type of management thing, or even a GRC platform. I've seen those used, like an SAP, things like that.
But yeah, typically those are held, and there's organizations and there's vendors out there that actually have tools for managing specific, those types of identities. And so where they're held separately. We've even seen the same HR system manage those. So I don't know that there's really a best place necessarily. I think it really depends on the size, if they're consumers, how many there are, and what that infrastructure could look like. And I think it's probably even bigger because there are some non-human identities we need to look at.
And then we have a problem which sometimes really scales, because this might be way, way higher numbers than human identities. But even for the human identities, so we have this from the consumer to the customer to the different types of partners. And partners are really, I would say, the difficult part, because some of the partners might be very loosely coupled, more like a customer in the way they're being managed. And others might be more like an employee, being in the organization for years. And so it's really a broad range of use cases. And we can continue that. And I also think it's very important.
Yes, the HR might be a very important source, but very frequently it's not the only. That's right. Exactly. And we need to understand, and for instance, HR frequently is a good source, frequently not always, it's a good source for new employees. But changes may not be. It may be that whatever the change of someone moving from one department to the other is reflected in the HR system way too late. Then we have more than one source. And we need to understand, or really, I think we need to look at what's triggers and then we can work with different sources.
We can then build the workflows, the processes accordingly and optimize that. And it's usually bigger and more complex than it looks at the first instance. I also see a lot of organizations, I've seen organizations that have 40, 50 or more HR systems in place. If you look at larger global organizations, you may end up with a huge number and then it's, again, different. So I think the most important thing is to understand for each identity is which, at the end, which attribute triggered or, yeah, triggered by, or changes triggered, new, changing, deleting, is triggered by what?
And what is then the leading system for what? It's not the one leading system, it's more complex. And interestingly, it's an exercise that is not that difficult to do. You can do that basically with a large Excel sheet, if you want to understand how it looks. And I think it helps understanding how the information flows, who is in charge. It also helps you clarify organizational responsibility. So for many attributes, the HR department will tell you, we don't care about this. But you say, hey, I expect that it comes correctly from your end.
This is then causing all the identity information problems. So really try to understand how this information flows, who's in charge of what, talk with the other departments, and then you will become much better in your identity management posture.
Yeah, and you said multiple sources, too, like the email system could be the source of truth for email accounts and a PBX for a phone or whatever. So there's a lot. And one of the things, just in closing that up, is the digital identities. We mentioned different types of identities, but these digital identities, which are non-humans that basically are created out of hyper-automation tools and AI and things like that, that's a whole other set of identities that somewhat get overlooked.
It's typically very difficult to do things like password rotation and manage those type of identities because they're automated, they're bots, they're not really tracked, but they are a significant breach point. So those have to be managed in some way as well and some other type of process and that sort of thing.
Yeah, and it looks like we could spend hours alone on this question. Yeah. Let's grab some more here. So the one which just moved up in the list of questions is: we are an MSP, a managed service provider, or an MSSP, maybe in this case also, and it's hard to push IAM for smaller companies. What's the key message we should focus on to drive adoption? Maybe I start here.
Yeah, sure. When I look at it from a more European perspective, there's one important, interesting thing to look at first, and this is NIS2. Yeah. NIS2 broadens the reach of the critical infrastructure regulation massively in two directions. The one is which industries are in scope, and a lot of manufacturing is in, for instance, and the other is the size. And it can be that you're a 50-employee organization and you already are in, depending on revenue and some other factors, but it starts very early. So it means a lot of medium-sized businesses are impacted, number one.
Number two is, so when you're small, you take a risk of getting out of business when you're not secure. Right. Because when you're the entry point of the attack to your largest customer, then surely both made our mistakes because the large one wasn't good enough and you weren't good enough, but they always will blame you. So you're risking your business by not being secure and security includes identity. That's the way I would start that conversation.
Yeah, I think you're right. Yeah, yeah, absolutely. And that question is right.
I mean, it is a little bit harder on those smaller accounts, but the risk of not having that is something that you can't overlook. And I think the biggest challenge that I've seen on the smaller ones, and I'm not sure if this is what the question is, is really the cost and what it's going to cost to do that. But what I've seen over time, Martin, I'm sure you've seen this as well, is that the more sophisticated the technology has gotten, believe it or not, the cost has come down quite a bit over the last couple of years on what it takes to secure.
I mean, we've got organizations that we support now with our channel ecosystem, one identity that are 100 users or 200 users. That's pretty small. And so those things are all possible. I think that's gotten a lot better.
Again, that's kind of the biggest one, aside from the view of it being complex. But I mean, if you're an MSP and you're providing that local service, that kind of removes a lot of that concern and fear from the end user or the end customer. Yeah.
Okay, we have here another question with several votes, which is, I think, a pretty tough question. So SaaS solutions often require organizations to simplify roles and entitlements. Yeah. But the reality is that organizations are complex and require dynamic, or at least complex role assignments as teams are agile. So how do you handle this in a way that prevents role explosion?
Yeah, well, and role explosion is really tough. As a matter of fact, I'm sure you've seen this as well, Martin, but I've actually gone into organizations where they have more roles than they do people, and more roles than they have employees. And so that's a case where it's just gotten out of control over several years on what types of roles need to exist and that sort of thing. But the one thing that, when we look at deploying identity as a service, there's kind of two different approaches there.
And this is kind of a long answer to the question, but there's sort of a microservices-based approach where you split up all the capabilities of an IAM platform into multiple different chunks and then deploy those individually. And then there's another option where you kind of wrap a DevOps practice and procedure around kind of a historical on-prem solution and deploy that entire framework as a service as well. So when you do it that way, and then you have, we can deploy in single dedicated tenants or split it across multiple tenant, multi-tenant, that sort of thing.
But yeah, so in either one of those cases, I think that if you are doing a microservices-based approach then yeah, the role is an issue. And so typically what I like to do is I start off before we're looking at building a SaaS model or even an IAM model is we have to get underneath the roles infrastructure first and go through that and figure out, okay, what duplicates do we have? What roles don't exist because of old applications and figure that out first.
Because then once you have that, once you deploy your IGA or anything as a SaaS, I don't think that's gonna really lead to role explosion that way. I mean, all we're doing is moving that to a different platform, but it has to be a different type of conversation before you get to the identity component of that. There's no doubt.
Yeah, so I think to a certain extent, we're a bit stuck in a situation where we, as the users, can't solve everything, because yeah, in an ideal world, we would have something which is really more just-in-time, which is dynamic, which is policy-based as an access control, which basically would require the SaaS service at runtime to request an authorization decision. We use a policy that can then look at different aspects like the role, but also whether this person is a salesperson in charge of this zip code area, et cetera. So we could bring in way more factors.
And this is unfortunately still, we're making progress on that. We see a lot of adoption, interestingly, where digital services are developed. So things like OPA, open policy agents, et cetera, get a lot of traction amongst developers. But when we look at more the commercial off the shelf type of SaaS solutions or the legacy, then there's still some way to go. And I think I see an evolution here as an analyst, but it's a journey. And unfortunately we can't argue that it's new, a new challenge.
You know, I always say when we come to this part, you know what happened in 1976? 1976, IBM released RACF. Yeah.
And RACF, the Resource Access Control Facility, basically did that already, almost 50 years ago. So there's no excuse for the industry to not be there, because we know how to do it. We need to get better on that. I think the point is, to a certain extent, we need to look at, depending on the mechanisms used, what can we provide as attributes to the application? Can we use scopes like in OAuth or the CBOR? Can we use things like that to at least get a bit of a dynamic portion in there?
We also see some tendency of standards maturing, especially when you look at some of the banking-specific incarnations of standards in the architectures. We see that there is a shift towards more dynamic authorization, also as sort of an extension of the OAuth world of standards. So there's an evolution happening, but it's still a journey. And so I think the other side of it is also sometimes to understand to which extent we need to manage it. And then the other thing is, with many roles, it's not fun to have a lot of roles.
But there's one element in the answer which helps us, and that is automation. So if we have a lot of roles, we must automate what we can because managing it manually, this is the biggest hurdle. The more automation we have, the easier it is to solve it. Not a perfect answer, but probably the best answers we can give here. So let's have a look and the remaining, whatever, two or three minutes, maybe at maximum we have, which of the questions we can pick. So we have quite a number of questions still here. So let's pick this one.
We have a lot of IAM tools that are hanging around in the organization in various levels of partial deployment. Yeah. What can I push to get resources to finish these seemingly abandoned projects, or, this is harshly formulated, should we just consider these failures and start from scratch? Good question. I would say they should call me and we'll get that taken care of for them. How about that?
No, I'll tell you what, we see that all the time. As organizations grow by acquisition, they have maybe two or three of the same IGA tool, two or three of the same PAM tool. And typically what we see organizations do is, at least, I love this question, because at least they recognize that they have this concern and they want to do something about that. But starting from scratch is definitely an option.
However, if you look at which ones are deployed and what are they actually doing in that deployment? For example, if you have a PAM solution, is it only doing password vaulting? And then you got another one that's over here that's only doing session management. Maybe you've got an IGA platform that's only doing synchronization to Active Directory. And then maybe another one that's doing a lot more. If you look at all the different, how those are deployed, what they're being used for, first of all, is it meeting the use case? Are there challenges with it? Is it working?
And if you find one that you like, you can hang on to, then yes, I would say you can kind of push elements out. Let's build my framework around this one because we like it.
Go ahead, Martin. What I would look at also is two aspects. The one is, why did this project stall? So what are the reasons for that? Because then you can figure out, is this something I can overcome? And the other is, do I still need it? So are the requirements still the same as when I started? And if the requirements have changed, could this solution ever fit to the new requirements? I think these are questions and I think these are very close to what you said to look at and then you can make decisions about, is it the right way to move forward?
And I've seen, you know, we as analysts, we frequently are asked, not always, many ask us early in the project, but sometimes we are asked when a lot of things have failed. And the answer rarely is, throw out that tool and use another one. Because usually it's about policies, processes, requirements, a lot of other aspects. And many of these can be fixed and to bring up something to life again.
But yes, what you said is also important. Look at where you have overlaps, build sort of your entire map. The identity fabric as a paradigm, we have a ton of help here. Unfortunately, we are running a bit out of time. We could talk for hours, I believe. Yes. Before we leave, I quickly want to hint at our upcoming European Identity and Cloud Conference, which runs June 1st to 7th in Berlin. Don't miss this event. It's really the must-attend event, so to speak, in Europe and probably on the globe around everything which is hot in identity management, cybersecurity and digital ID.
So be there and meet with us and looking forward to have a ton of talks here. And that's it basically. So with that, I just want to say thank you. Thank you to you, Larry, for all the insights.
Oh, you too, Martin, absolutely. Thank you to all the attendees also for the huge number of questions asked. Unfortunately, we weren't able to respond to all of the questions, but feel free to reach out to me. I can forward to Larry. I can respond directly. Just don't hesitate mailing to me with your questions. Thank you to One Identity for supporting this KuppingerCole webinar, and hope to have you soon back at one of our other webinars or other events. Thank you.
Great, thanks everybody.