Hi, I'm Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts and I'm here today with Jackson Shaw, who is Chief Strategy Officer at Clear Skye. And we will have a talk about the role of identity management and in particular IGA, so the user lifecycle, provisioning, access governance piece, within Zero Trust.
Welcome, Jackson. Thank you, Martin. It's great to be here, as always.
Yeah, so maybe we start a bit with Zero Trust. So I think everyone has a bit of an idea what Zero Trust means, but maybe we give a bit of context how we understand Zero Trust and then look at the role identity plays in Zero Trust. Do you want to start?
Yeah, sure. I mean, I can give you my perspective, certainly from, you know, the very early days when I started working the typical access method to get into, you know, a network or computer system of some nature was a modem, you know, which basically turned into using a VPN to getting into one of these systems. And it was kind of like, to me, it was like, you know, the old medieval fortresses, right? You pass through the gate and you were inside and you had access to everything.
Whether you needed to go over to the food stall or you didn't need to go to the food stall, it was there, you could go over to it if you wanted to, or the dungeon or what have you. And I think we've operated in that mode.
I mean, I started using modems back in, you know, the early 90s. And I think we've been using people still use VPNs, but we've been using VPNs as that gateway into the fortress for what, you know, many, many years now, 20 plus years. And I think what the realization that folks have come up with, and it's really the right thing is, you know, if somebody needs to come into, in quotes, the fortress, let them have access to the only thing that they need to have access to at that particular time. So that is partly zero trust.
In other words, you can only get to what you actually need to get to at that particular point in time. What we don't trust is: you trust because you passed the gate. Just because you got past the gate doesn't mean you get to go to the food stall. You have to have money in your pocket too. And I think the second thing that brings with me is, you know, the fact that there really isn't a fortress anymore, right? With cloud computing, there's all these, let's call them mini forts or tents or what have you, everywhere.
So again, back to the whole concept of, you know, once you get in, you've got access to all these different things. Companies and certainly cyber hackers have realized that there's a lot of targets of opportunity.
So to me, zero trust is very much around reducing that attack surface, reducing those targets of opportunity. And where you have these targets of opportunity, I think the thing on top of that is hardening them. How do you make it harder to get to those things through things like multi-factor authentication or other methods? Yeah. So when I look at zero trust, I always say, you know, the point is, so we started with zero trust networks, but we quickly learned it's not just the network. There's more than the network.
And so where I believe identity and access are so important for zero trust is, it starts with identity. Martin is using a device, go over a network to an application, to a service and access it. So it starts with the identity, Martin. Is it Martin? And to the access.
And I think, so over the past year, that's what I found very interesting to see is that the perspective and the focus of what we talked about in zero trust really shifted from a network-centric perspective to an identity and access-centric perspective, where I still see, and I think this is maybe part of our conversation today, that the focus is more on the identity and authentication side. But to me, the access, the authorization side plays an equally important role because this is about which entitlements do I have and will I be authorized to do so?
It's a bit about someone in the fortress saying, okay, I know you are authorized to do so or not. I let you pass or not.
Yeah, I mean, very, very much so. I mean, you know, the whole, I think one of the main concepts around zero trust is this, almost this concept of continual trust, right? And continual authentication and continual authorization.
I mean, the idea of a person having, you know, being checked to see if they have access to something at a particular point in time, if they're authenticated to a particular entitlement or to a resource, are they authorized? Do they have the authorization to talk to this or use this particular entitlement or resource? And literally, those things can change in some ways.
I mean, I wouldn't want to be on a network where those things are changing minute by minute for every user, but it is something where we have seen the industry want to move towards much more of a, I'll call it near real-time authentication and authorization for access to these various entitlements. And isn't it that anyway, the access part, so the authorization part of it is where, which always has been more continual because you access something and it's authorized, you access whatever the next file and it's authorized. So you come in once, but you have many authorizations.
So in that sense, they actually say that we are closer to continual access control in the broader sense. When we look at the authorization part, I think this is also where, to my perspective, the need for being really good in the IGA part. So not only having that in account, but having the entitlements and the access governance done right occurs. Right.
Well, I've always been a big proponent of, if I step back, so in 1999, when I joined Microsoft, we launched Active Directory about six months after I joined and you're basically presented with this, what I call an empty pool. And you started filling it up with things, resources, identities, groups, distribution lists, security lists, ACLs, you just started filling this pool up with all kinds of things. And like any pool, leaves fall, the wind blows, various different things into it. And you have to maintain that pool. You've got to change the filters.
You've got to clear the stuff that's in the pool that shouldn't be in the pool anymore. The problem is that whether it's Active Directory or whether in today's world, it's something like Amazon or it's something like Salesforce or ServiceNow or any of these other systems who've been around for multiple years, there's a lot of leaves have blown into the pool.
So part of the problem and part of the reasons why I'm so interested in this from the IGA perspective, the governance perspective and trying to help clean these pools up is basically to give people this ability to give companies, managers, employees, business leaders, visibility into all of that stuff that's in the pool. Now, some of it's garbage and some of it's not. The problem is that most companies don't know because there's been so many changes of employees, of vendors. There's just been so much happening.
Again, if I go back to my AD days, we're talking about 23 years past in February of 23 will be the 23rd year of Active Directory. You can imagine you have 23 years of leaf buildup. And the problem there is also in the real world, in the region I live, pools are emptied. They are filled again with water in spring, but you can't empty the pool, not even for an hour or a day of your Active Directory. Let's start again. So we need solutions. And this is, I think, really where IGA comes into play that help us. Reducing the garbage and keeping the pool tidy without the need of quality tools. Yeah.
And to be honest, when you think of this, I mean, and here's again, part of the situation we're in, right? I mean, even me as an employee in companies, not the one I'm at now, but in previous companies, as a manager, I would get these reports every quarter.
Hey, Jackson, here's your 23 employees. Go through and look at their entitlements and certify them. This was quarterly activity. It was a pain in the butt because it was, you know, you were under some kind of a deadline to get it done. So the typical thing was, I don't know what all this stuff does. I'm pretty sure my guys all need it. And let me click the approval and send it off.
You know, just as we just talked about the sort of continuous aspect of authentication, the continuous aspect of authorization, we have to have this continuous aspect of reviewing our entitlements. At least as long as we live in a world where most applications work with static entitlements. That's very true. Yes. In a brighter world where the application system authorized or not and work against policies, which we see as a huge uptake in the development of digital services where we really see this coming back.
It would be simpler, but I think we have to trust to cope with the reality and that is most applications work with static entitlements. Unfortunately, that's the legacy. Yes. Yes. Yeah.
So no, I agree. I agree 100%.
I mean, to move towards policy based access, you know, if there was a way for us to, well, not a way there is a way, you know, the historical problem I found with some of these things is the requirement to basically re-engineer an application. Like in the old days, when before we used LDAP, for example, we waited for the vendor to add LDAP support to their product.
And that's a situation where in today's world, where you have potentially tens, if not hundreds of SaaS applications, you're waiting on all of them to include policy based authorization or policy based access or policy based entitlements. So it could be a little bit of a waiting game, but just even the aspect of being able to move from the periodic once a quarter, once a year, do you need access to Salesforce?
Do you need access to this Office 365 entitlement and making that a bit more continuous and a bit more real time and friendly, like perhaps sending a Slack message to somebody or a Teams message saying, hey, Martin Jackson just needed access to this report. Is it okay?
Yes, no. Versus the every quarter, hey, does Jackson still need access? You're raising a very important point. And that is what I say. One of the things is we should also think more about sometimes time restricted and going away from big spreadsheets to simply yes, no decisions, because every one of us is quite good in making a simply yes, no decision. It's like you get a mail with a simple question. You will answer that, respond, reply to that mail immediately, usually.
If you get a mail where you say, okay, oh, this requires some thinking, this will take me an hour to respond to, you put it away and try not to do it. And that's what we do with recertification. We create something like these complex mails that are put away. If we make it simpler and more continual, we definitely will win. And we need to do it, as we said, for the foreseeable time, specifically for the legacy world. And a lot of SaaS already is in that sense legacy. And maybe in a couple of years, we'll see more policy-based access and authorizations that will simplify a lot of things.
But for now, if we think about Zero Trust and going back to our scene, in Zero Trust, this access piece is so essential. How do we get a grip on the entitlements and ensure that these are the right ones? Because only then we can do the right authorization and sort of correct verification of access.
Yeah, I completely agree. And I know you're not meaning it in the sense of email as email, but a notification methodology of some nature. Because in my own organization right now, there are a lot of people that, there are old people like me, if I want to use that phrase, that still don't mind using email. And then there are other folks in our organization who are younger, who barely ever look at their email. They're all into Slack and Teams and all of these other social media concepts.
So I think that's also as part of the problem is, in a way, we have to be very marketing-driven on some of this stuff and appeal to a broader audience inside of an organization. Because all organizations aren't running by just email anymore. This is part of the problem. They're running by multiple different things, right? To reach someone, you've got to speak to them in the language that they're on.
I mean, hopefully, we're not sending them Instagram messages. I'm saying via Slack, hey, I sent you an email. Right. But that's also not the right way to do it, as we all know. But Jackson, a pleasure to talk to you. And I think this was some insightful talk about how Zero Trust and IGA relate and that we can't succeed in our Zero Trust journey without a strong IGA posture.
Jackson, thank you very much for taking the time. Thank you, Martin. I appreciate it, too. It's great to talk to you.