Welcome to our KuppingerCole webinar: The Three Pillars of Access Control. IAM, GRC and User Activity Monitoring: taking authorization control to a new level by combining IAM, GRC and user activity monitoring. This webinar is supported by Xpandion. The speakers today are Moshe Panzer, who is CEO of Xpandion, and me, Martin Kuppinger; I'm Principal Analyst at KuppingerCole. Before we start, some very quick information about upcoming events and some housekeeping information, and then we'll dive directly into the topics of today's webinar.
I'll quickly mention our European Identity and Cloud Conference 2021, which will take place in mid-September of next year in Munich. We are positive that we are able to do this as an on-site event, but we also will have full online coverage.
We will be back with our event next year, and we have a lot of other online events coming up in the next year; just have a look at what we are doing. The other point is housekeeping. We control the audio features, so you don't need to do anything here.
We are doing a recording of the webinar and we will provide a podcast very short term, and we also will provide the slide decks of both speakers for download, so that you don't need to take exhaustive notes here. Last but not least, we will do, as usual in our webinars, a Q&A session at the end; however, you can enter questions at any time during the webinar. So just feel free to enter questions whenever you want. The more questions we have, the more interesting and lively the Q&A session we'll be having at the end.
Without further ado, let's have a look at the agenda for today.
In the first part, I'll look at why there's a logic in combining IAM, GRC and user monitoring for a modern approach to access control, specifically with respect, but not limited, to business applications. In the second part, Moshe Panzer will go more into detail on that, and also look at the advantages and best practices of using one unified platform for these capabilities. In the third part, we will do our Q&A session and provide answers to the questions you have around these subjects.
So let me start with one slide which I believe is very important in the context of everything we do around compliance, around audit, security, GRC (governance, risk, compliance). This is a manifold topic which requires a holistic, unified perspective. Being just compliant is definitely not enough. It's about the right actions. So when we look at this theme, we have compliance here, and we need to be compliant: we need to fulfill the requirements of laws and regulations.
Otherwise we are in trouble. We also need to pass the audit, and that is factually that we are able to prove that we are doing what we are claiming to do, or what we are saying we do, so we can pass that check. But I think many of us know from experience that passing an audit check does not necessarily mean that you're really secure. So there's this notion of checkbox compliance, which in fact is more and more what audits are about.
So you tick all the checkboxes, but at the end you know yourself, very frequently, that there are a lot of things that are, not to understate it, not right.
And that leads us to the actions. We need to do the right things; we need to do the things that really help us to increase our security, to get better on that. And this might be more, this might be significantly more, or even less than what we were telling the auditor. Clearly it shouldn't be, but it might be the reality. These things need to be combined. We need to take an approach which brings these things together.
And last but not least, this will help us in moving to the level of security we need to have. This is really what we need to do. So we must really bring these different perspectives together. We must work with all the groups related to that, so specifically not just split technical security, identity, and audit and compliance, but look at it as something that fits together.
And by the way, if you take the right actions, the likelihood that we pass the audits and that we are compliant is very high.
So when I look at the business applications, it's SAP and beyond that. I think this applies to a lot more than just SAP, but when we look at certain parts of this entire access control market, that market is very much centered around SAP and doing GRC for SAP. But factually the world is changing, it is changing rapidly, and it requires us to do things differently. And clearly there's also a demand for doing things well beyond the business applications, but some of the conversation really is always centered around that.
So the first thing we need to do is really delivering the insights, the actionable controls for the business to understand: yes, we are secure.
Yes, we are in the right state, but also, here are things which might be at risk. And we all know that access risk is a business risk; we have had too many companies struggling, sometimes even failing, because they weren't good enough and it came through access. So this is where it starts. But what is even more important is that the systems landscape is changing.
When you look at SAP itself, it is by far not only traditional ERP anymore; there are SuccessFactors and other solutions. And if you look at the reality of many businesses today, there are solutions such as Workday and Salesforce and many others which play a central role, and they are critical. So we have the SaaS solutions, we have the traditional solutions, we have a lot more critical applications.
At the end of the day, we must get a grip on all of these in a seamless manner, and we must do that in a way that the business teams and the IT teams can work with.
So we must translate technical terms and technical perspectives into business perspectives, and also, in a far more agile world, we need to be fast and rapid and flexible in deployment. So when we look at what it means: SaaS services are very quickly procured, and that also means we need to be fast enough, not only in procuring, but in bringing it in, getting it under control, implementing the controls for that service.
So we need to be faster, more agile, more flexible and more heterogeneous in what you do or in what you support. And this brings together a couple of elements. When we look at these requirements, we see a change.
One thing is that we need to come up with GRC, or compliance, or compliance management, or risk management, in a way that is a thoughtful means to the agility of business. This is to think about what happens if businesses say: okay, we want to move quickly into new business models, into new types of services, into other things.
This is what happens in the digital transformation today. That means that we are also, to some extent, moving away from traditional established processes in the business, because obviously business changes faster, which needs to be supported, right? It needs to be compliant. It needs to be secure from the very beginning. So we don't have the time for lengthy and complex adjustments; we have to be quick and fast. And in the way we act on that, we also should be able to help business by providing information back on the business process.
So if there are things that aren't used at all, for instance, then we must not put that much emphasis on them. So, which processes are used, which are essential or central? We have information security here, so we need to do it securely. And we all know that we are under attack. And when we've got a targeted attack, attacks where people really try to enter exactly our enterprise, then they are after something. This is the start.
After a lot of information; at the baseline level it might be just, quote unquote, just some billing information to produce fake invoices and stuff like that. But they might go far deeper. So we must protect sensitive information, sensitive data. And at the end we must pass the audits and be compliant, so we need GRC. We need to put in place SoD controls, the segregation of duties controls, which help us to understand where the critical risks are, which help us to mitigate the risks, to put appropriate controls into place.
But that's not all you need. You need more; what you also need is identity and access management. Managing the users is central to what we are doing. At the end, when we talk about all these things, it's about who is allowed to do what, and about the access where there are risks. So we must manage the user lifecycle. There is still a lot of challenge coming from not removing entitlements when a mover process starts,
so when a user is changing his job in the organization, or from still having accounts for people who are long retired. So we must do that better. You need effective access controls, and that means revocation of access controls, as I said, mover and leaver. You need to get a grip on it, and we need to do this cross-system.
So we need to do it efficiently and in-depth.
For all types of applications. And business applications then become a specific challenge, because their entitlement models vary from application to application, and these entitlements are also frequently relatively complex and just structured, but you need sufficient insights. So we need to be able to manage that; you can manage the core system, so you can do the work and then dive into the details of a certain system. And then there are user activities. And that's what we do in traditional access management:
we just focus on static entitlements. So in the traditional world you're saying, okay, Martin has these entitlements on this system; he can do that and that. But what does Martin factually do? Is he using the entitlements, or is he using the entitlements in a way that is ...
We need to understand what is really happening. That helps us understand; it is then really a feedback to the business: excessive entitlements, things that aren't used, are important information.
And if people have excessive entitlements, then you also have an issue with the least privilege principle. That's just understanding risks. Look, for instance, at repeated and unexpected access to certain financial data. If someone is accessing, over the course of the day, the data of 10 or 20 of his clients, that might be totally correct. If the same person accesses a thousand records, then that might be copying data, looking at data that is not really used within the allowed business activity. So it helps us understand where things are uncovered.
It helps us understand, at the end of the day, the anomalies, but we also need to understand what is an anomaly and what is normal.
So when we're close to the end of the year and the end-of-year bookings of the bookkeeping department: normally, when you look at the entire course of the year, they only happen by the end of the year or the beginning of the next year. So in that perspective they look like an anomaly, but for them they are not an anomaly at all, because they are the regular thing.
And if you look at it over ten years, then they are rather normal. So we need to be very precise in the way we do such anomaly detection, because things can go pretty wrong. If you stop your bookkeeping department from booking by the end of the year, then you probably have a lot of issues to deal with. It also helps us in optimizing entitlements.
So by understanding what is really done, we can optimize entitlements.
We can mitigate risks.
We can do a lot of things better. So from my perspective, comprehensive GRC is more than just GRC. It is bringing things together and taking not only a static, but an active perspective.
Yes, you can argue we have this in GRC to some extent if you look at continuous controls monitoring; there we have an active perspective. And in a way you could say user activity monitoring is some sort of continuous controls monitoring, more in the sense that you look at the user activity and not at the way certain business transactions are executed, which is the primary scope of continuous controls monitoring. So it's not entirely new, but it's important also for the access controls. So we need this.
What it's about is that we need to bring these things together, because it allows us a more efficient and effective management.
We need to be efficient in the sense of granting only what is required and removing things efficiently, but also effective, in the sense of: this is exactly what we need to do. And this is done by bringing these three elements together. I believe this is totally logical.
And in some way this maps also to a business transaction perspective, where you have your controls for who's allowed to perform which business transactions, and where you have your monitoring at the transactional level. So there's the logic in there. And this at the end is what enables effective risk mitigation. And this is what we want to do, because risk mitigation is what helps us getting better in security, so mitigating, at the end of the day, security risks. So what are some of the key requirements? We need to take a business perspective.
So not only technically: we need to translate from technology into a UI business people can work with, not only the tech-savvy ones, and map these perspectives to each other. We need to automate wherever we can. User activity monitoring, for instance, allows us to automate a lot of things or to deliver information we can use to be at least far more efficient in optimizing entitlements. We have insight into the details we also need, so we need to understand the various levels of entitlements, the various perspectives.
Support a broad range of systems, because it's more than SAP nowadays. It must be easy to install and configure. And user behavior analytics, from my perspective, is a must because it adds an angle we usually don't have that much. With that, I'd like to hand over to Moshe for the next part of our presentation.
Okay.
Hi Martin, thank you very much for this great presentation. In this presentation I would like to take a more practical, hands-on approach. I will try to focus on real-life scenarios and show examples from our existing customers, so you can see the value of combining IAM, GRC and user monitoring and using their combined power.
This is definitely not a mathematical mistake; we will explain it later. This is the reason for the presentation title: combining all tools together gives a bigger value than what each contributes by itself.
Of course, just before we start, in order to be on the same page, let's define the scope of this presentation and its focus, because each one of the topics is very, very wide.
We will focus on IAM, which is identity and access management, and IDM, which is identity management, without managing a business role catalog, meaning managing what a doctor or a clerk can do.
And GRC, which is everything related to governance, risk and compliance, including access control, process control, and all the other things that are related. Last but not least, user activity monitoring, which means understanding what users are doing, which actions users are doing, and when. Each of these topics is quite broad, so we will narrow down the scope, in this presentation at least, and deal only with business application monitoring, meaning those ERP and CRM applications.
You mentioned SAP before, Martin; in these kinds of applications we will demonstrate the power of a single solution that combines IAM, GRC and user activity monitoring. And you are welcome to continue this discussion later on other and more applications.
So basically, what we mean when we use these terms in this presentation.
By IAM and IDM we mean the processes of gaining user access in multiple applications, including the known processes joiner, mover and leaver: creating user accounts in multiple applications and granting access to them; then, when they are moved, changing the access automatically; and when they leave, of course, eliminating the user account and removing all access automatically. GRC,
when we say it, is mainly maintaining a segregation of duties rule set, enforcing it and monitoring sensitive access. We also mean, and this is another thing, using some analytic reports of access and violations,
and when there's a violation of the SoD rules, sending alerts about it. Last is user monitoring, which means tracking people's activity, including their activities inside the monitored application, as well as some external parameters, like the IP address and the type of endpoint, let's say whether they are accessing from a computer, a laptop or a cell phone, and all the endpoints they are using to access the system.
So this is what we mean when we are speaking about IDM, GRC and user monitoring in the sense of this presentation.
Now let's start slowly. Let's just combine two things together and see what the benefit is, and then jump to the big thing. So what can we get by adding an IAM tool and a GRC tool? Now, when they are separated, like probably some of the audience have today, each one is working on its own scope and on its own time, and they are definitely not synchronized.
The most frequent case that we see in our customers is to find that the IDM creates a user account and grants the access to it, and then comes the alert from the GRC tool saying that the granted access is violating an SoD rule. So then you need to go and argue with the user about taking back some privileges in order to solve the conflict, which makes everybody upset,
and it wastes a lot of time.
Now, when we combine IAM and GRC capabilities into one tool, we can ensure that we grant access from the beginning which does not violate any SoD rule, and we can also run the rules and risk catalog over our role catalog to verify that no business role, like the same doctor or clerk, includes any SoD violation, and in turn granting them will not violate any SoD rule. So this is when we join IAM and GRC. Joining, on the other side, IAM and user monitoring: this is the most frequent situation today.
Enterprises use the IAM tool and the usage monitoring tool, both of them, but by different teams for different purposes. If we are looking at enterprises, while IAM is used to create users and to grant permissions, user activity monitoring is used by security teams for tracking suspicious activity and preventing fraud.
This leads to a situation where permissions are granted to employees without checking if they are really using them,
and user accounts are left open because nobody really knows if they are being used or not, with a big risk of being hacked and loss of expensive licenses.
So combining IAM and user monitoring into one solution enables narrowing down permissions to employees if they are not using them, especially those sensitive ones, like transferring money and creating purchase orders and things like this, or the HR authorizations. It's not only on the single-user level, but also on the role level: nailing down unused activities in roles creates a smaller and cleaner role structure.
One of our customers found, and I will show the method in one of the following slides, that using this method of optimization, optimizing again and again, after two years they managed to reduce the amount of authorizations by 70%, just by using this method. Last but not least, eliminating unused accounts.
And this is point number three: eliminating unused accounts automatically saves big amounts of money on expensive licenses, especially in those expensive ERP applications, and reduces the risk of hacking into those inactive accounts. This is true; now we see all the recent cases of hacking into accounts. Many times the inactive accounts are hacked first, and then the hackers went into the system.
This is definitely the power of combining usage monitoring into the IAM world. The last example is what we gain if we join GRC and user monitoring. Bringing the analysis of user activity into the static GRC world, because basically GRC is inspecting authorizations of users and not the usage, can be really exciting and open new opportunities, at least for engineering people. It begins with the ability to really solve SoD conflicts, which is amazing if you think about it: how many efforts are invested in
mitigating SoD conflicts, and here we can really solve them, instead of just discovering them, by removing the activities that are not being used, instead of declaring SoD conflicts and creating controls that someone needs to approve. We can really remove the conflicting activities if they are not being used and solve these conflicts permanently; no need to create more work with controls.
And if it's done automatically, we don't even need to go and argue with the users before taking the authorization, because anyhow they are not using them. Secondly, by using monitoring, we can allow monitored access to production systems by people who only need timely access to production, like, let's say, programmers or technicians. We were surprised.
And if you are now saying to yourself, well, GRC has firefighter or something like this, I'm telling you that we were surprised to find that some companies still grant and revoke this access manually and do not track what the employees are really doing when they are in the production system. Not tracking this activity can be very, very dangerous.
Bullet number three is an amazing improvement that usage monitoring adds to the access recertification process,
in which managers should recertify their employees' authorizations. This is the process where managers are recertifying the employees, but we discovered that even the busiest manager who is assigned the job to approve the employees' authorizations will not approve a certain activity if we mark it and say: this activity was last used four years ago. Even the busiest one will say: okay, so remove it.
So showing the last-used column, meaning user monitoring, and highlighting unused activities saves managers time and makes them focus on revoking those unused activities instead of just approving the long list of authorizations without giving it too much thought, as sometimes happens today.
Lastly, the fourth point is the ability to identify SoD violations as they really happen, what we call dynamic SoD: not just on the authorization level, but in real life, when a user is creating an invoice and then approving it, which clearly violates an SoD rule, someone should get an alert.
This enables us to monitor approved violations closely and pinpoint those that are irregular. Now let's add one to one and the other thing, and let's get to the real power of combining the three tools, which is much better than combining only two.
Let's see how. I picked two use cases and some additional examples that I collected from our customers, in order to understand what we can gain by combining all three tools into one software. Use case number one, this is the one that I was discussing before; it's called continuous optimization. This is the process that our customers find the most powerful.
It really utilizes the ability to combine IAM, GRC and usage monitoring. First, they create users and grant only the required access to them, without SoD conflicts, which is very important.
Then they show that they don't have any SoD conflicts.
Then they optimize each user's access according to usage and narrow down sensitive access automatically. Then, on the third level, they go to the role level and optimize the role catalog, so next time they will grant an optimized role to the new user. And then they do it again, meaning creating users with the new optimized role, inspecting the usage, grabbing the role, optimizing the role,
and then new users get even more optimized roles. This is the process that I was talking about before; it cut down 70% of the authorizations in two years. It's amazing to see. Use case number two is the mover.
You have joiner, mover and leaver, and we are speaking about the mover here: a very safe and very effective mover, much more than what happens today. In the mover, of course, people move from one position to another position.
Now, many organizations want, in order to help the business, this person to still have access to the old activities, even if they are in the new position, in order to help the successor if needed. However, granting new permissions
in addition to the old permissions might violate, or sometimes a lot of times violates, SoD rules. So using a single software, you can do the following.
If you have a single software for IDM, GRC and user monitoring, you do the following effective mover: you identify the move event in Active Directory, or any other, in the HR system, and then grant permissions according to the new position. Then you remove the old authorizations, only those which violate the SoD rules, if they exist, so you don't have SoD violations. Then you send an individual access review to the employee's manager saying: hey, you have a new employee.
Do you want to leave the old access for an additional two weeks? If they say yes, the system leaves it, and if they say no, the system revokes it. And then after two weeks, of course, revoke those additional authorizations automatically. This is how you can help the business do more business-style activities and not just slash down authorizations because people are moving from one position to the other.
Controlling this process in a multi-system environment, like most enterprises have, and with many employees who change positions frequently, can only be done by software that combines IAM, GRC and usage monitoring. And seeing this in action is really, really amazing, and you can see how it can help the business in new ways. Additional use cases:
hopefully these will be shorter.
The two other use cases that I want to touch on: the first is the ability to recommend the right role to grant to a user when they request additional access, and splitting existing roles into sub-roles automatically in order to solve SoD conflicts quickly. And again, it's solving the SoD conflicts, not just identifying them and creating mitigation controls. Number one: we have a tool named Role Advisor, which is a powerful capability that solves the problem of searching for the best role to grant to a user
when they are asking for access to a specific function, say access to open purchase orders. When they say, I need to open purchase orders, please grant me the required authorizations, there can be at least 50 different authorization roles or groups that you could grant to solve the user's requirement.
However, only a couple of them will not violate any SoD rule if you grant them to the user together with the existing authorizations, and some of them are much more effective to grant
than others. Knowing what is granted already, what the user is really using and which roles will violate SoD rules on the spot allows us to find in seconds something that takes hours and sometimes days: the most suitable role to grant, the one that will be the most effective and will grant the minimum additional access to the employee. Role Splitter is the second example that I have. This function gives the ability to take a single big authorization role, sometimes violating a couple of SoD rules, and split it into two or more smaller roles without SoD conflicts,
each one of them without SoD conflict, remove the original role from users automatically and grant the smaller ones, again automatically, to the users who use the activities in each one, which definitely solves the problem. Each user is not holding anymore a role that is violating SoD, and at least many of them, or most of them, will have the SoD conflict solved. This solves the SoD conflicts automatically and really effectively.
Now some of you say, you know, we all in enterprises, so what if I have, you know, some of you say, what if I have IAM or what if I have already GRC tool? Can I still use the additional power that you Marsha presented here? And of course the answer is yes.
And, and this is the reason that we are, we are speaking about it. What if, what if I have, let's see, you know, how you can get a new level of efficiency in your existing organization, even, even if you already have some tools in place.
So if you have, let's start with, what if, if I have IAM, you know, so if you have an IAM tool in place, you should integrate the GRC platform and use a monitoring capabilities into it because your users are regular to use it. So we don't, we don't recommend to replace it, but definitely you should integrate the new platform into it.
Using connector software can, you know, can add the capabilities that we were speaking about in such a seamless way, that it will check sod violation while creating users by your existing IAM tool and will not allow granting access that violates sod rules. And this is extremely important in a full compliance. Additionally, such a software will also integrate with the role catalog, your existing role catalog, if exists and suggest how to optimize the roles, which is again, very effective way to reduce the number of authorizations and number of conflicts.
If you have, if you already have GRC tool, most of the GLC tools are focusing on one, eh, application like SAP or Oracle EBS. If your organization already has a GRC platform, you know, you can take it to the next level integrating between the existing GOC platform and IAM, for example, as well as usage monitoring capabilities, you can create users and eliminate them while not violating any existing sod rules.
As, as we, as we, as we spoke before, you are also able to force SOS, the rules only use systems, meaning not the one that you are regular to, and you can have all those exciting capabilities in the access of the recertification process that we were speaking before integration should be done. And this is really important. Integration should be done with out of the box connectors and should be seamless because users, again, as I said before, users are regular to some system.
They don't like to switch, especially not in enterprises.
So it should be really seamless in order to enjoy the power of the trio, the trio meaning GRC, IAM, and user monitoring. What if I already have monitoring? Some users come to us and say, okay, we already have user monitoring. Many organizations already have logging systems and they don't think to use them in order to optimize access. And then when we come, they say, oh, we have logging. Can we do something with this? And we collected, you know, 10 years of logging. Can we do something with this?
And can we do something for authorizations and optimization of our authorizations? So implementing a system that can read these logs and use them for authorization gives a, you know, a new way to narrow down sensitive access even to homegrown applications. And this is something amazing, in the past not only for the big four, the big ERP software, but also for homegrown applications.
You know, you get into legacy systems and things like this.
And it's really exciting to see a 30-year-old legacy system working on modern SoD rules and obeying, you know, a gold-level GRC rule set. Really, really exciting, at least for me. Last but not least, I wanted to say one thing about, you know, Xpandion, because we are all professionals here.
And one note about Xpandion, only one note: we have been in the business for the last 13 years, and this is basically what we do. Meaning we have a vast amount of experience in access controls from all aspects, you know, access control, IDM, eh, GRC, user monitoring and things like this. We have a vast amount of experience. So if you want to hear about our software, which of course combines IAM, GRC and usage monitoring, please visit our website or send me an email.
This is my personal email, and we will definitely follow up. If you want just to share knowledge, if you want to ask something about access control and things like this, you are more than welcome to write me an email and we will follow up. Definitely. Thank you very much for listening, and I look forward to hearing from you.
So thank you very much, Moshe. We have a number of questions already here. So if anyone wants to ask questions of Moshe or me, please enter these questions now so that we can try our best to answer them.
So let's get started with this Q&A part. And the first one is something I think you touched on to some extent, but it's still a thing which deserves elaborating on a little more.
And there's also a question about enforcing identity management. So how do you deal with old legacy systems, some of them programmed internally, or even if they are really old? So when you look at, for instance, the standard situation of a bank: a bank might sometimes have hundreds of legacy applications, and applications that are relatively new but behave like legacy applications, because the special banking software is really architected in a way which is maybe not the most modern approach to software architecture.
So how do you deal with all of these applications?
I'll tell you, legacy systems really are, you know, the ones that we really, really love, because at the end of the day, seeing SoD and IDM processes run on 30-year-old code, you know, is amazing. Like the old Vox or the old IBM machine, the big IBM machine that you can find in banks and insurance companies and sometimes in manufacturing, and bringing these old systems, you know, to act on the modern security concept.
It's really amazing. So we really love working with, you know, legacy systems, and basically the impact on the organization is really huge. Meaning they suddenly, you know, understand how to work with those legacy systems in modern ways, and they can enforce their regulations on those systems, which is again an amazing thing.
Okay. So I have a question. Many organizations have some identity management systems that perform their access reviews every six months or so; maybe sometimes they even take a risk-based approach.
But why do you think, or why do you say, that systems that track user usage are required beyond what an identity management system can do in access reviews? So what is the benefit?
I'll tell you, this is a great question, because we are, you know, struggling with this. Organizations come and say, we are doing this every six months.
What's the problem here? And definitely, from creating or changing the users, you know, say from the day of creating the user until the recertification process, it sometimes takes six months or even one year. So definitely too much time to conduct fraud or, you know, to hack this user. This is why we believe, at least, that the SoD software must be online and give alerts immediately to avoid security breaches. So this is the reason that we say, you know, this is not enough. This is not enough. You have to have an online tool.
Yeah,
That is a very interesting further topic coming in. GRC has a larger scope than just access control. So when you look at things like process control, export regulations and others, there are a lot of elements in GRC. IAM has a larger scope: when you look at access management approaches, access management, a lot of other things. User activity monitoring also might have a lot of other aspects. So it can be.
So, and I think it's a question to both of us in some way: are we seeing these areas merging more closely in the future, which I believe is an interesting question. Maybe I start and you continue. So my perspective from the analyst side is, I think we should differentiate between the capabilities, and so far for certain sets of targets, like Moshe also told, and in other areas of identity management, I see clearly a convergence. So we see user activity monitoring coming in far more frequently. We see it in other areas as well.
And we see clearly the need to support controls that derive from GRC.
And I think we also need to bridge the gap between the business application perspective and other types of applications, because at the end, critical data and critical information are not only in business applications. If you look at whatever, if you look at the year-end report you have to give to your shareholders, then we talk probably about data which is held on your SharePoint or in Teams or somewhere else for certain periods, which is super critical.
And you have other data which needs to be protected also from that type of access. So even for documents, some people might not be allowed to access the same data as others are. So I believe you need to extend certain capabilities beyond business applications, bridge the gap between these worlds. But on the other hand, we have the specialty.
So we will see, I believe, some more convergence, but not a full convergence, because there's not the one tool to do it all, so to speak. Moshe?
I couldn't agree more. I must say that in security, you know, from a holistic security point of view, everything will be, at some point, everything will be combined, including, by the way, data monitoring, you know, monitoring user access on the data level, including, you know, all these IoT things that are combined, you know, connecting to the network, and you have to do some compliance on them too.
And now everything is in silos. And if you are looking at how the market is progressing, everything will be combined at the end of the day, because it's all from the user.
We discovered that users, or not users, very smart people, that, you know, we thought that GRC is different than IDM and IDM is different than, you know, usage monitoring, but our users, and they are very, very smart, sophisticated and very experienced people in the market,
they said, you know, it's all the same. It's all the same. If I have SoD, I need to inspect whether the user is really using it or not.
If I'm adding, you know, IoT stuff to the network, you know, some kind of a watch or smartphone or whatever, or a probe, I need to certify that it really has the right authorizations and that it really goes through the normal policies that I have. And if someone is, you know, we said users are accessing functions, and they said, no, no, users are accessing data, which data they are using. And we know this is another thing. And they said, no, no, no, this is the same thing, you know; from the user's point of view, it's all together.
So definitely I couldn't agree more with what you said, but everything will be, everything will be converged at some point. Yeah.
Yeah, no, I think that makes sense. I think we will have more parts on the control planes, which allow us to integrate in the control, so both from an active and a passive perspective, to do more across a range of systems. So that's something I would fully agree with you on. So another question which just came in: with data science bringing more focus around fine-grained authorization for users and related SoD controls, so as technology, and the sheer amount of data we can process, and the ability to deal with large amounts of data,
as in AI, ML, et cetera, will help us to do further steps when it comes to reading that data in very much detail.
Extremely interesting. And I'll tell you why. We definitely, in Xpandion, we are, you know, technology savvy, okay. So when AI came, and this is a personal story, so let me share it with you. When AI came, we immediately jumped in and said, okay, let's add, you know, AI stuff and things like this. And we have AI capabilities inside our product, okay.
Now, but we discovered, and it's really interesting, we discovered the users or enterprises, they allow a certain amount of AI and they are allowing it. But at some point they said, you know, why did the system grant this authorization? And we said, you know, this is AI, we cannot explain. And they said, no, no, no, no, no. When I need to go to my manager and explain why this person got this authorization, I need to have a very clear, you know, a very clear reason: how did it go?
And AI and, you know, machine learning have some fuzziness built in, fuzziness that organizations are not so willing to accept, at least in 2020, 2021. But in some cases, they are very, very happy to use our AI capabilities. And we integrated them a year ago, I think, or one and a half years ago. And they are really, really nice capabilities in terms of, you know, what to grant, whether a process should go quicker or slower and things like this, what's the pressure and things like this.
So, yes. No, yeah, I'm with you.
I think it's about augmenting the user, but it's also a lot about explainable AI in some ways, so that you really understand it. It's also about, I would say, configurable AI, in the sense of, you know, if I know that there's a year end, which will lead to certain, not anomalies, but things that appear to a not that well-trained system as an anomaly, you need to be able to work on that.
So if you use these technologies right, there's just a huge benefit. And I think, at the end, the benefit is sometimes in relatively narrowly focused use cases about augmenting users, but there are these use cases where you say, okay, this is, you know, which entitlements should someone have, instead of trusting, oh, copy the one from his colleague. AI can provide input on that; it must augment that, without going through a complex process of thinking about what it might be.
And I think there's just a huge potential in that.
Maybe let's pick one more, one final question in the interest of time. There are a couple more questions, and the questions we haven't answered here, Moshe will probably answer right after, via email. But one question I believe is super interesting for everyone listening as well.
That is: so you might have a GRC team dealing with SoD, you might have an identity management team, or you might even have a GRC team and a business application team. They are doing . IAM, and then there are the security people. How do you make these teams work together and use the same software?
Oh, very interesting. I will answer this from the technical point of view, and from the technical point of view it's very, very important that everyone sees exactly what they need. And this is done by, you know, one, this is definitely one application, but different roles and responsibilities. So basically you define the same level of access, the access you define for the teams, so each one of them really sees only what they need.
So they feel that they are working on, you know, the IAM team feels that they work on IAM, and the GRC team feels that they work on GRC, but it's like any ERP system, you know, it's all working together on one database and utilizing all the data in order to get, eh, the best solution that you can.
Okay. Great. I think with that we are at the end of today's webinar. Thank you for all the questions.
Thank you, Martin, for your insights. Thank you to the entire audience for listening to this KuppingerCole webinar. I hope to have you back soon at KuppingerCole events, and have a nice day. Thank you very much. Bye bye.