
Addressing the IAM Data Problem to Solve Operational, Security, and Compliance Challenges

In this webinar, Radiant Logic experts along with Simon Moffatt from The Cyber Hut, examine how to address the mounting challenges organizations face in integrating and managing identity data. Learn about:

  • The resulting identity sprawl and how it leads to blind spots that undermine security, compliance, and business productivity.
  • How clean, curated identity data and a data-centric Identity Security Posture Management (ISPM) approach can tackle identity sprawl, bridge governance gaps, and enhance proactive risk management in today’s complex hybrid environments.

Read the transcript

We want to go ahead and get started with our webinar today, Addressing the IAM Data Problem to Solve Operational, Security, and Compliance Challenges.

This is in conjunction with Radiant Logic and The Cyber Hut.

My name is Wade Ellery.

I am the Chief Evangelist and Strategy Officer for Radiant Logic.

And I am joined today by Sebastien Faivre, our Chief Product Officer at Radiant Logic, and Simon Moffatt, Identity Security Research Analyst at The Cyber Hut.

We will be discussing today the challenges around the identity data component in the Identity Management stack.

If you are able to stay with us to the end of the webinar today, you will receive a copy of the recording, a copy of the slides that we’re presenting today, and also a link to a market guide to identity security posture management, which is authored by our own Simon Moffatt, who’s joining us today.

The role of identity the role of data centric identity observability.

This is a comprehensive market guide, I think is a primer for anyone who’s looking into identity security posture management, the challenges in identity data, and really increasing the relevance of security and operations in your identity infrastructure.

So please do hold on to the end.

We’ll be about forty minutes total through the questions and answers going forward.

So today we’re going to be basically going through a series of questions, rather open ended ones about the challenges of identity data.

And then we’re going to have Simon give the analyst approach to addressing those questions, what he’s seeing in the marketplace and where the challenges are.

And then Sebastien will bring in a real world perspective, adding more color and more customer responses on how people are dealing with these particular questions or how these questions are impacting the customers we’re working with.

So, gentlemen, thank you for joining us today.

We’ll go ahead and get started.

Today, we’re discussing the challenges of why the identity industry is becoming more and more critical.

IAM data.

Identity data that feeds every component of the identity stack, whether it’s IGA or PAM or Zero Trust.

Everything relies on identity data.

So as a common point of reference, let’s start talking about how this affects IGA, because we’ve heard a lot in the last few years now about the challenges of IGA projects getting off the ground.

So, Simon, starting with you, why are most IGA products in distress today?

Well, thanks, Wade. Hi, everybody.

Great to be, chatting about this.

I think this is a fabulous topic and a topic which has just grown in importance, I think, over the last sort of two or three years.

And I remember I started off in the IGA space about twenty years ago, and I was working for a software startup, and it was all, you know, if you just use some IGA software, all of your sort of compliance problems will disappear within six months, and it’ll all be automated.

And you’ll just press play and receive all of these compliance reports and things.

And twenty years later, we’re still having to understand and unpick and really solve some of these key IGA issues.

Why is that?

And we did a poll at The Cyber Hut, probably about last year, I think it was, just asking and trying to understand, you know, why is governance administration still not delivering what it really needs to be delivering?

There were two or three different sort of outputs.

One, of course, is connector coverage.

You know, you want your IGA infrastructure to be consuming, managing, integrating with as many different applications and systems as possible.

But that used to be really difficult.

You know, trying to get identity data from key systems, applications, APIs, databases, etcetera, into your IGA infrastructure, it is difficult.

You have to build connectors.

You have to understand proprietary APIs and other things.

So you ended up with IGA, you know, covering a really small subset of systems, which, okay, is good for that small subset of systems, but it’s not really good for the whole ecosystem of security and compliance, which was a pretty big deal.

But I think the other one which is really often overlooked when it comes to IGA is, you know, we’re talking about access request, we’re talking about access review, we’re talking about who has access to what?

Well, they’re all business related questions ultimately, you know, tied to how organizations build workflows, how they handle access request approvals, how particular teams and systems integrate with each other.

I think what often happens is the IGA technology requires businesses to change how they do things.

And that often only ends in distress and then issues for the consuming business because they don’t have the ability to change processes, which perhaps have been around five, ten, twenty years.

So I think there’s definitely an onus on being able to meet the business where they are and deliver access request, access review, role based access control, and other things within the business’s sort of remit, within the context of the business.

I think those two are probably the biggest reasons that we’ve certainly seen over the past couple of years.

Excellent.

Sebastien, from your perspective, what are you seeing in the customer world in terms of the real world challenges they’re running into with just deploying IGA, and around the idea of identity data, how that impacts the challenge in that area?

Yes, well, Simon’s presentation was super clear.

Me, I’ve been in this identity and access management industry for what, twenty years or so as well. What I’ve seen is, from the very beginning, IGA, I would say, has been primarily deployed to solve what I would call an operational efficiency issue, or to improve the operational efficiency.

I mean by that primarily managing the identity lifecycle, joiners, movers, leavers, being sure that the right people can have access to the right application at the right time to do the job.

It was kind of a discrepancy with, I would say, the job to be done or ultimate goal, which was at some point more compliance driven.

So we were in a situation where we primarily deployed, I would say, operational efficiency solutions to solve kind of a compliance problem.

But that being said, if we go back to why we have so many IGA systems in distress, I would say we can go back to these people, process, and technology pillars.

It’s all about, I mean, from what I’ve seen, primarily a change management process.

So to Simon’s point, it implies to change things, to change the way that you manage onboarding, offboarding, requesting accesses.

It also has, I would say a deep impact in terms of technology in order to automate things.

I mean, keep in mind that operational efficiency is ultimately linked with automation, so you need to connect to your endpoint in order to automate, I would say, every single provisioning decision.

And we’re still in a situation where most of the systems are still not SCIM protocol compatible, so you still have to kind of find ways to connect.

But most probably more importantly, and the reason why IGA, I mean, we face some kind of a glass ceiling syndrome with IGA projects, is because of, I would say, the lack of proper data quality.

Let me explain a little bit.

When you want to deploy at scale IGA, and especially for operational efficiency reason, what you want at some point is to automate the ways that you grant the right access to the right people at the right time, which means most probably moving forward with some kind of a rule based access control or attribute driven access control.

Said differently, every single authorization decision or most probably the way that you’re shaping up your role or entitlement are associated with those people attributes.

And this is definitely a missing piece in all those IGA systems.

We start with identity data as some kind of a prerequisite with bare minimum, I would say, attributes or information, and we jump directly into the technology problem, which is connectivity, connectivity, connectivity, and then at some point we do realise that we cannot, I would say, move forward just because we cannot shape up the right role or the right access because of this lack of proper identity data quality.

So this is a balance at the end of the day between this technology problem and this data quality problem.

Excellent, and I think I’ve heard from an analyst starting a couple of years ago that the idea of using identity data analytics to really clean up your data ahead of starting your IGA deployment was doubling the ROI for customers that were undertaking that endeavor first.

And that seems to be borne out by what you’re saying.

There is a definite advantage to starting out with good quality identity data.

So if identity quality is one of the core challenges, why do so many organizations have such poor data quality to start with?

It’s chicken egg, isn’t it?

It’s a really interesting thing.

And there are some nuanced parts to this.

I think there’s definitely one about accountability, which is quite a hard problem to describe.

And by accountability, I’m talking about the individual pieces of data within an organization, be that, I guess... let me just take a step back.

Let me just define what we mean by identity data, first of all.

And the way I like to sort of describe that clearly is the three p’s of profiles, permissions and policies, you know, the things which are written to disk, hopefully mapped to business process or how the business is perhaps delivering that JML function or, you know, access to services and other.

But you have this data which relates to the identities, what those identities can do, the systems involved, and others.

And, obviously, there’s more to it than that.

And, we’re gonna hopefully unpick some on that in the next half an hour or so.

But I think an accountability part is vitally important.

And by that, I mean, you know, who should an approver be for an individual, you know, a line management chain of reporting, for example?

Who should be, an owner for a permission or a group?

How should you describe a permission or a group within something as basic as Active Directory, for example?

You know, a lot of these things seem quite easy to talk about.

You know, how do you describe a particular role or particular policy?

And what does this policy do? Who should own it?

Who should approve it? Why is it being created?

And a lot of these sorts of questions often don’t get answered because for one is they’re not very sexy questions, are they?

Who should describe a group or how you should own this particular role, etcetera.

And I think because of that, we then have this sort of proliferation around cleaning up access control data, cleaning up orphaned accounts, identifying shared accounts, ghost accounts, all of the sort of hygiene related questions we know are important to deal with, but we often struggle to deal with them because we have a lack of accountability.

And I think a sort of cousin to that is a lack of context as well.

So context around, if I want to, make an access request for a particular system, I may not really know which groups permissions or functions I need within this system.

And if I’m a line manager, maybe approving some access for an employee, I may not have all of the information needed to make an informed decision.

Do they need the access?

Have they used the access previously?

What are their colleagues doing?

If I allow this access, request, will it be compliant?

So there’s a lot of nuance around context and around the extra sort of information and signaling needed to allow identity data to essentially get to being in a running state which is secure, which is clean, which is operationally efficient, of course.

And again, back to that issue around disconnected systems.

Your data, really the management functions, really should be trying to manage as many different systems as possible.

And with few systems, clearly the data quality of those systems isn’t necessarily going to be very high; you need to be introducing more systems, more pieces of information, and be able to have a much bigger, more holistic view there.

So it is difficult.

It’s definitely an easy problem to fix.

I think there are some subtleties around how organizations, I guess, get into this sort of poor hygiene state.

Excellent. Thank you.

And Sebastien, you’ve been, like you said, working the last twenty years in this space.

So you’ve been mired in poor identity data quality.

And I know there’s been initiatives in the industry to make this a focus, but why aren’t customers able to clean this data up?

What keeps people mired in a sort of a repeating cycle of data quality issues?

So, I mean, most probably the very first thing is, from an IGA or Identity and Access Management perspective, identity data has long been seen as a prerequisite only.

What I mean by that, going back to Simon’s point, what I’ve seen is many, many, many, many projects where identity data was considered to be owned by the HR department.

So there was this kind of impression that identity data is owned by HR department along with every single attribute, which will ultimately serve a different purpose than payroll.

Ultimately, you know, runtime authorization, role based access control and so on and so forth.

And what these companies came to realize actually is that most probably the departure date is somewhat accurate, the department is okay, the job title is a mess, and you have nothing else.

This is really, you know, I mean, most probably the inception point is, I mean, who is accountable for identity data quality for security purpose?

There is a lack of accountability here.

On the application side, I would say we have the same kind of issue because there is a knowledge for sure, but it’s a very siloed knowledge.

Let me explain.

I mean, every single application manages its own entitlements, its own access rights.

We are often in a situation where those permissions or roles are not properly described, which means that when you bring this back to a central IGA system, it becomes very cryptic.

I mean, a RACF system, a legacy system, most of the time you don’t really know what the permission grants access to.

So again, there is a lack of proper data quality because people at an application level do not really see the need to properly manage or enrich all this information.

But when you consolidate everything at an identity access management level, I would say, then you end up with a total mess.

On Hub two, I would say, changed, I would say, three or four years ago, but I mean, for a long time being, everyone was not considered as accountable for this data quality challenge, definitely.

So this was the issue.

Excellent. All right.

So I’m going to expand the conversation a little bit more to ask you gentlemen, how has the migration to a hybrid cloud environment impacted identity data?

Because it sounds like we pretty much have doubled our challenge by adding a whole another environment to what we’re doing.

It’s yeah. I mean, everything’s under flux, isn’t it?

Constant change.

And if you look at the last sort of fifteen years, I guess, you’ve got cloud, you’ve got mobile.

Obviously, now we have things like AI adding into the mix as well.

And I think the cloud situations, it’s a really interesting one.

I think fifteen years ago, everything’s moving to the cloud.

It’s just a matter of time. And that’s what it’s gonna be.

And we’re gonna press play and it’s gonna just happen overnight.

Clearly that hasn’t always been the case.

All clouds are different.

And by that, I mean, we have platforms as a service.

We have SaaS, we have consumption via subscription and APIs, but then we also have the private cloud ecosystem as well.

So organizations leveraging their own private ecosystems via PaaS or even leveraging sort of containerization and cloud native technologies, but within an on prem environment or certainly more controlled environment.

So we definitely have a very patchwork quilt of deployment sort of landscapes to support.

And obviously, as identity now is that new perimeter, right, certainly the most important aspect from a sort of productivity and security perspective, you have to deliver consistent identity services everywhere.

So that in itself is quite a complex thing to deal with from a non functional point of view.

But I think, you know, cloud does bring some benefits.

You know, maybe integration of cloud systems is a bit easier and faster than having to build connectors with Java libraries and all that stuff.

I was doing that twenty years ago. It’s difficult, complex.

You know, it’s API first.

So maybe consuming and integrating with cloud systems is faster.

But, of course, cloud systems move faster.

So by that, I mean, end users expect access quicker.

You expect deep vision faster.

You expect to have visibility into all of these cloud systems because they are, you know, API first or whatever it can be.

So the expectation alters in there as well.

So you definitely have that expectation of being able to deliver the same service across on prem, private cloud, SaaS, PaaS and third party systems, which, as an enterprise, you may not have full access to or control over again.

So I think as an organization, it can be quite difficult to deliver consistent security, consistent visibility, consistent user experience.

That can be quite difficult as well.

And of course, different frameworks, different integration, part of that as well.

So I think cloud does bring huge benefits, certainly around integration and speed.

You mentioned SCIM earlier, but we have SAML, OAuth 2, OpenID Connect for authenticating and authorizing into these cloud systems.

But equally, we’re sort of spreading the data further and further, identity data further and further, so that it still needs to be managed, even if it takes maybe a couple of hours to integrate an account system and suddenly you’ve federated into your new payroll system, whatever it could be, and you’re online, you’re done, you’re there.

But all of that identity stuff still needs to be managed.

And the permissions, the policies, and things like deprovisioning in cloud is often forgotten about.

You know, very easy to create a federated account in those systems through the back of a SAML assertion or something.

What happens when I no longer need it and I perhaps have left the business or haven’t logged in for six months?

Is that gonna get deprovisioned?

So it’s often quick to start.

I think it’s often the longer term needs to be considered as well, I think.

So it sounds like I can’t just ignore the cloud and pretend like things never change.

It’s not gonna auto merge. It’s not self healing yet.

Maybe it will be soon, but it brings huge benefits, of course.

But it needs to be managed as well.

And Sebastien, in the real world that you’ve worked in, when cloud started to invade our safe little world behind the walls we all lived in, how did that change the way customers had to talk about identity data, and really what challenges did that bring to the table?

So one definitely is application and services sprawl.

It’s so easy just to deploy just in a matter of a few clicks a new application or new services.

So companies faced this kind of a sprawl, this gigantic increase in the number of applications to manage.

More importantly, at some point I mean, we’re, I would say, going back to a stellar state, but at some point, IT department, I would say, lost control of the situation because, I mean, even the marketing department were able just to deploy a new application.

I mean, we had to face shadow IT a lot as well.

So it’s really, at the end of the day, it breaks all the, I would say, existing processes in place to onboard new applications into the security stack or the IGA stack.

So they had kind of to run after everything.

So it brings a lot of complexity.

At the same time, I would say in terms of impact or changes, it moved forward some standards such as the SCIM standard, which now becomes kind of a standard for SaaS based applications.

So somehow it simplified the access provisioning problem.

So most of the time, it’s much simpler to connect and to provision an application in the cloud than what it used to be for legacy systems.

But still, I mean, you have to run after all those application systems for sure.

It’s much more complex.

So at the end of the day, I mean, this is really this tipping point where companies lost control or I would say visibility over what’s going on.

This kind of full landscape of someone is no longer part of the company.

Am I one hundred percent sure that one hundred percent of the accounts are disabled?

In the SaaS world, I would say yes and no.

This is what I said.

I thought the cloud was going to make everything easier.

Darn it.

AI is going to make it all easier.

Right, right.

We’ve established that identity data is critical to a lot of the major components that we use in our identity management stack, both on premise and in the Cloud, and it’s growing with this.

But we talked a little bit about the quality of that identity data, and I wanna sort of touch on a couple terms that we hear out there regularly.

Simon, can you give us an idea of when people talk about identity data hygiene, what are they actually talking about?

What am I trying to accomplish, and how do I go about that if I’m trying to bring hygiene to my identity data?

Is that really important?

It is. It is important. Of course.

It’s interesting around the definitions, terms and language.

And I think, you know, back to what I was saying earlier, it is important to sort of define what this stuff is all about.

And, you know, back in the day, sort of twenty years ago, for example, when you sort of had the rise of compliance led sort of IGA, it was all about, right, can you give me a report which shows who has access to these systems?

And can you show me the separation of duty violations?

And can you show me, I don’t know, accounts that have not been logged in for a year, for example?

You had very specific sort of objectives that you needed to work against.

So you pulled in the data, you needed to essentially create these reports.

And then you really didn’t do anything more than that.

It was very much a bare minimum exercise.

I think what we’re seeing today, of course, is the importance of identity has increased hugely over the past decade.

Absolutely things like security and zero trust.

But we also have the whole gamut of using identity to improve business relationships.

So federation, supply chains, B2B ecosystems, even B2C in customer engagements as well.

So the importance of identity has increased, and so has the value of the identity data, making sure it is clean, hygienic, operating in a secure state.

And all the benefits of that become much larger, essentially, because the integration for identity is going to be with endpoint security, could be with network security, data security; you’ve got more touch points of the identity fabric, and the benefits of getting that stuff right then suddenly increase hugely.

So all of those systems that are relying on identity and integrating with identity for federation, for access control, enforcement, and others, they make certain assumptions.

They assume that all of the identities in the directory are real, true, belong to a physical person if we’re talking about human identity, for example.

And they assume that any claims within an OpenID Connect or SAML assertion are the correct claims and not excessive permissions, for example.

So there’s a lot of downstream assumptions that get made.

And I think this is where the importance of having a good understanding of your identity data landscape comes in.

So the identities, the permissions, the policies, making sure you are moving towards things like zero standing privileges and just in time ways of managing that.

If you get that stuff wrong, the blast radius now is considerable.

It isn’t just a compliance report.

It’s going to impact zero trust.

It’s going to impact productivity and the effort spent on access review and access request.

But we haven’t mentioned yet, I don’t know, we haven’t mentioned things like NHIs either, non human identities, and the identity data for managing those systems in there as well.

So there are a lot of reasons, or the impact, I should say, is a lot higher now if your identity data layer is ill managed, and that really is much more far reaching than it was even possibly ten or so years ago.

So there’s huge emphasis on getting this right, and it’s more signals, understanding your identity data landscape from an identity and permissions perspective, and making sure you have that secure running state ultimately, and being able to keep that running state effective as the business does its business, you know, whether it’s partnerships, it’s selling things, whether it’s, you know, engaging in federated relationships and supply chains and all that, but making sure that identity data is clean, it’s understood, ties to business use cases, and is wrapped in a nice, sort of secure running state.

I think getting this stuff wrong now is very costly.

Yeah, sounds like the challenges seem to layer on here.

So Sebastien, when you’re working out in the field and you’re socializing the idea of identity data hygiene to customers, how are you explaining it to them, and how are they internalizing that concept, and what does it entail for them to

So it’s all about, I would say, reducing the attack surface, being sure that the right humans or non humans are able to access the right assets at the right time.

So it’s, I would say, a mix of data quality controls and more, I would say, risk oriented controls, such as the ones that you find in dedicated chapters in all those compliance mandates.

So it goes from identifying missing elements in the data, unused resources for sure, misconfiguration, over allocated rights, onboarding, offboarding issues.

It can go up to segregation of duties control sometime.

What we see a lot actually right now is identity hygiene initiative on what I will call hedges use case.

So our customers tend to consider that they are still good enough with their human identities.

But everything such as local accounts, non human identities, they came to realize that they’re completely unmanaged.

So I would say privileged access are now in control with privileged access on access management system.

But for the rest, it’s still a bit so.

So we see a lot of initiatives on identity hygiene.

On nonhuman identity, for sure, and going back to, I would say, complex hybrid environments, bringing up to, I would say, the security team, I mean, holistic visibility about all identities, both human and nonhuman, in order to understand basically, or be able to answer, simple questions such as who is working for the company, who can access what.

Am I sure that once people are no longer working for the company, all access is being removed in a timely manner?

Back to basics, Okay, excellent.

We hear a lot about security around identity data, and we also hear a lot about identity data threat detection.

That’s SOC, the people at the world keeping us all safe, protecting us, the police on the street, you might say.

So how do I contrast the need for identity threat detection, kind of a reactive model, and identity data hygiene or cleanup, which is more of a preventative or controlling model?

What are the components that each of these play in the security space today?

We need both. That’s the key point.

I think, you know, identity has become this really... it is really transformative.

And maybe I’m a little bit biased because I’ve been in the identity space for a long, long time.

But it’s really interesting to see, you know, twenty years ago, identity was very much an operational component.

It was a cost center, very much focused on staff compliance initially, then productivity, you know, sitting within the sort of CIO, for example.

And then we have this sort of network security stuff for a while.

And obviously now we have this cloud thing and AI and all that.

And we’ve definitely seen the amalgamation or certainly the tighter coupling of identity into more of a security ecosystem, be that integration.

So maybe data security encryption requires identity information.

So perimeter-less network world relies on identity assertions and others.

So we see more of a bidirectional integration.

So by design, that identity is becoming either an attack surface or the attack surface for both the bad guys and I think the insider threat as well.

So we have this entire identity fabric if you like being an adversarial target, which requires protection.

And absolutely, you know, we need to be cleaning the identity data.

This becomes a really critical thing.

And, hopefully, the webinar is amplifying that.

But, clearly, we need to work on that preventative aspect, you know, removing ghost accounts, shared accounts, excessive permissions, policies which are not aligned to business function, and others.

And that is a preventative thing.

It is trying to prevent the attack, stopping the attack before it happens.

But of course, we need to also think about, things like attribution and intent.

So even if Simon has the correct right sized permissions, I may well be an insider threat, or I may well have had my credentials stolen or misused by a nation state adversary.

So my intent to use those permissions may alter, which obviously can increase the risk there of data exfiltration and other.

So we need to have that prevention, the data aspect.

We also need to have a post authentication runtime monitoring, behavioral style, looking at the sort of unknown unknowns, if you like, and the ability to understand my intent, you know, what my sort of opportunities and motive to commit some high risk event are there.

So we do need to have both, and I think they are both very well aligned, complementary, certainly interlinked.

And I think it’s often, you know, you will find things on that behavioral side, the runtime side, which ultimately feeds back into the identity data layer as well, perhaps through the changing of an access control policy or perhaps the changing of permission or a group or whatever.

So they are very much linked and tied together.

And the benefits clearly from having a hygienic system should really reduce the likelihood of malicious activity taking place anyway.

So they are very tightly coupled, I think.

Excellent.

So, Sebastien, when you’re in the field, do you hear, well, I have ITDR, I don’t need identity data hygiene?

Or are they living happily together, cats and dogs in the world?

No.

I mean, to Simon’s point, ITDR is all about detection and response.

So ultimately, this is something which is related to the security operations center.

So it kind of amplifies, I would say, or extends the perimeter of the security operations center up to the identity layer, which is now becoming the first attack surface.

What we hear as consistent feedback from our customers is that the SOC team is overwhelmed with the number of alerts, so they have to deal with tons and tons and tons of events.

So when you think about it, and if you take a step back on this, I mean, you have two ways to reduce the number of false positive alerts.

One is for ITDR system to become more intelligent.

So this is where AI comes into play.

And the second is to reduce the attack surface.

So this is where there is a real error in having a more balanced approach with preventive and detective controls, because if you take care of high identity hygiene, you therefore reduce your attack surface, so that you have fewer alerts to deal with within the security operations center.

Excellent. Okay, sounds like it is a hand in glove model.

So you mentioned something a minute ago, Simon.

I want to kind of circle back to that, because there’s been a really big push to address non-human identities recently.

I was at the Identiverse conference back in May with Sebastien, and I think probably half of the topics that were talked about included non-human identities.

The idea of not just service accounts and admin accounts now, but even agentic AI and bots out there running autonomously.

So, when we add that, we just added the cloud layer of complexity, and now we’re bringing in non-human identities.

How do you address the world as it just continues to get more complex, Simon?

Yeah. It’s a quick question.

You know, we need to think about identity, I think, as being more of a separate thing.

And by that, I mean, sort of abstracting some of the terms away.

And, obviously, we’ve all grown up and love the sort of B2E world, and that’s where identity has its origins.

And that then expanded into the sort of B2C customer space.

And as you say, we’re now talking about workloads, NHIs and others.

And the last, whatever, twelve, eighteen months is now agentic AI.

And we did a cheat sheet recently because there’s so much happening in agentic AI.

There’s so much material that’s changing rapidly.

But I think what’s important, though, is to take the identity concepts and just be aware that there are different identity types.

And absolutely, we need to talk about strong authentication, for example.

But, you know, doing strong auth for a human, where you may think passkeys or maybe couple that with a biometric, for example, you can’t do that with a service account or a machine identity.

So delivering MFA, for example, in that world is a very different thing.

So we can take the concept, but the actual deployment aspect is gonna be very, very different.

And I think, back to the NHI thing, you know, we’re seeing some really different non-functional problems.

Clearly scale is one.

You can have, whatever, forty times, fifty times more NHIs to a physical human, for example.

But there are some other subtle problems around a lack of authoritative source.

So in our B2E employee world, we have this HR record of truth, and we hang all of our systems onto this sort of source of truth and provision downstream.

Well, maybe in the NHI world that doesn’t really exist.

You have NHIs being created by engineers, service accounts being shipped with default software products, for example.

So there’s often this disconnect for authoritative sources; authentication is going to be different.

And how do you assign permissioning models and make things like credentials assigned to APIs and others?

How do you make that repeatable from an access control perspective?

So we have a lot of the same concepts and topics, but the deployment aspect, I think, is gonna be very different.

But that’s not to say that we need to be thinking about identity data for NHIs and for workloads as well.

And by this, I mean, again, what are the characteristics in the schema that perhaps makes up some of these workloads and services?

What permissions do they need?

They should have a life cycle as well.

They’re going to be created.

They’re going to be used, issued credentials, issued permissions.

It’s just, talking about token-based infrastructures, they’re gonna have claims and access tokens and others.

So you need to have that same level of governance, lifecycling, deprovisioning, assignment of permissions, and others that we are all familiar with for humans.

Of course, the implementation is different.

And that’s where the, you know, part of that is to be considered.

But I think the concepts of identity data shouldn’t be ignored, and exactly the same for agentic.

You’re gonna have lifecycle, you’re gonna have permissioning, you’re gonna have to be able to analyze what that looks like.

And that should really, there shouldn’t be any difference there.

You should still be considering the same identity data problems in my opinion.

Sebastien, are you seeing non-human identity take a bigger component or a bigger place on the stage when you’re talking with your customers now?

Is that an area where people are in the real world starting to focus?

Or are we just talking about it at trade shows right now and it’ll go through the hype curve later?

For sure, we’re talking about NHI a lot at trade shows, but moreover, it’s also a big concern for customers.

We have an order of magnitude of something like one hundred between human identities and non-human identities.

And the reason is because we have many, many, many different forms of non-human identities.

It goes from machine identities, I mean those kinds of service accounts, to all DevOps, which is more dynamic.

And now we have, I mean, agentic AI.

I would say we’re still in a preliminary stage on every single customer that I’ve seen so far, which is, I would say, discovery and visibility.

There is this lack, to Simon’s point, there is this lack of a repository of non-human identities.

So they’re all chasing after all that information, at least to try to consolidate everything, at least to have this visibility layer on what’s going on.

So where are those non-human identities located?

How do they interact with each other?

Or how are those assets connected to each other?

So then the next step will be to, I would say, take back control of the situation, so put proper management and governance policies in place on those non-human identities.

Great, excellent.

So you mentioned something a moment ago about visibility and observability.

And I hear it a lot when I’m talking about identity data that you really need to gain visibility to the data, but you need to be able to intelligently act around that data.

So Simon, can you give me a little bit of sort of a walkthrough of the progression from discovery to visibility to observability?

What do those terms mean and how does that like, how does that fit into a project someone may undertake to really clean up and start utilizing identity data?

Yeah. Yeah. That’s a great question.

You often make sort of assumptions around, you know, a lot of things you’ve been talking about.

You need to have clean data.

And it’s like, wow, okay, where do you start with that?

And I think that first part is understanding your landscape, which is really the discovery piece.

So I think identity, you know, historically has been quite bad at that really.

It’s been that operational, sort of infrastructural, component, which wasn’t really that good at understanding where the identities were, who owned them, what permissions existed, etc.

Whereas perhaps maybe from a sort of network or data security world, things like discovery, sort of built into the protocols and built into the landscape.

Networks, by design, understand what is on the subnet, how that operates, ARP caches and stuff like this.

Identity hasn’t been historically very good at that.

So I think it’s really important to understand the identity assets that you have.

So the identities and where are they? Where are they located?

Which directories?

Which databases are they in?

Which identity providers do you have?

Again, and from there looking at the underlying infrastructure around what systems are integrated and relying upon these identities themselves.

So that’s again back to this view of being able to understand your connected and disconnected application world and infrastructure.

And again, applications aren’t all the same.

You’re gonna have custom apps, you’re gonna have legacy apps, you’re gonna have mainframe apps, you’re gonna have SAP apps, you know, APIs, you’ve got all that cloud stuff I mentioned in there as well.

And you need to be able to understand, you know, how your identity is integrating and interacting with these systems, which is quite a difficult thing to achieve.

I think that is really the first starting point.

And then of course, once you’ve discovered and understand what you have, it then sort of moves into more of a risk style question, if you like, or risk management style question on visibility.

You know, what are they doing?

What are these identities doing?

Why do they have certain permissions?

Why is this account logged in, once every six months?

Is that normal behavior?

Is it just because, you know, maybe it’s being used maliciously or maybe it’s just an account which gets used every six months for a particular function, for example.

So you need to start to understand those patterns of life, rightsizing permissions, basing all of that on really solid sort of risk management.

And then ultimately the observability is leveraging your additional signalling systems, understanding context, being able to understand that risk at a more dynamic level.

And you’re really trying to move towards having that secure running state.

You know, this is not an abstract thing where you do it and then you move away.

In six months time, you sort of revisit it.

This is a secure state where it really should be tied and aligned to business function or what the business is trying to achieve.

And I think it is important to go on that journey, it is important to understand what you have, observe what’s happening and be able to respond to any anomalies you find there, be that, you know, within the data itself or the natural policies and profiles.

And I think ultimately, it’s important to be able to respond to any of the sort of anomalies that you find there, and being able to respond in an effective way, which can help again get back to that secure state.

Excellent.

So Sebastien, building on that, are these separate products, a discovery product and a visibility product and an observability product?

Is it like other functions where we really siloed things into pieces and you have to integrate that all together on your own?

Or is this another kind of approach where connectivity is really the point, so it would be built into the system to make all this work better?

So perhaps, I mean, let me answer perhaps both of the questions here.

So first is, let me take a metaphor here, visibility and observability.

So think about Google Maps.

So you pick Google Maps, you search for the San Francisco Bay Area, and you have full visibility on Google Maps on all the streets.

So this is visibility, actually.

It’s kind of an outlook of the situation.

You know all the countries, or you can go from point A to point B.

And then you put observability on top, which is nothing but the traffic information.

So now you know that there is a huge traffic jam on the 101, actually.

So you have a traffic jam. So this is observability.

So observability, said differently, helps you to identify the issues or pick the needle in the haystack.

So this is the difference.

So what does it mean?

It means that it’s not a different product.

Observability is built on top of visibility.

So you start with visibility and then you add observability on top in order to get the most out of the data, actually.

So this is the goal here.

And in order for these to be really efficient, it’s like Google Maps, you do not want to have one website for every single city in the world.

You need to have just one website with the whole world, whether you want to have a look at San Francisco, Paris, Dublin, I mean, New York City, whatever.

So this is the exact same thing.

So visibility and observability have to be holistic.

So it needs to address on-premises systems, SaaS-based systems, whether those are your private cloud environments or SaaS applications, at an infrastructure level, at the data level as well; you need to have everything in this visibility and observability layer so that you really understand what’s going on.

Excellent, so it is a big, like you said, it’s a holistic model.

You can’t have an individual tool for each application, you have to see the world as a whole.

So this time has flown by; we’re approaching the top of the hour here, so I do want to give each of you a second just to sort of summarize what we talked about today and leave the audience with any parting thoughts or next steps.

We are gonna be distributing again Simon’s document on ISPM along with the slides and recording today.

But Simon, in sort of a parting mode, what would you leave everyone with at the end of today’s conversation?

I think it’s been a great conversation, that, you know, we’re certainly still learning after all these years.

It’s, you know, there’s a huge importance to this.

You know, I think there’s definitely a lot of importance with identity in general, but getting the identity data layer correct has such profound benefits to the organization.

And we’re not just talking about things like compliance and others but it really does improve the productivity and the agility of the business.

And by that I mean, you know, getting this identity data stuff right, you’re making sure both people and non-humans have the right access at the right time to do the things that they need to do.

That allows the business to be much more agile.

It can engage in business partnerships more.

It can deliver services to market quicker.

It becomes more agile to respond to external threats, business change, political change, economic change, and others, because it has a much deeper understanding of the risk associated with its staff and its partners and others.

So I think the benefits of getting this right are just huge, and there’s no real, you know, getting this stuff wrong is catastrophic in some states.

But equally it is a journey.

It is definitely a journey to go on, and it is based on that maturity aspect, as we’ve said.

But I think it’s just vitally important to start this journey and leverage those existing sources of data that any organization has.

You know?

The directories, the ITSM ticketing systems, the configuration management databases, these sort of disconnected application repositories.

There’s a lot of system information in there which can be untapped to allow the sort of context and the hygiene questions to be answered in a much more detailed and fine grained way.

I think it is about leveraging those existing products and stacks, overlaying that with additional sources of information.

Start small, get on that journey, you know, increase the coverage of your sort of IGA or your data management frameworks, adding more capabilities as they come online, and really reap the benefits of that and allow those sort of benefits to fulfill into all parts of the business.

Excellent. Thank you.

And Sebastien, some parting thoughts?

So, I mean, so finally, the industry has realized the importance of identity data, really.

I mean, it’s a mandatory step now if you want to improve your operational efficiency, reduce your risk, streamline compliance.

So I mean, identity data and high identity hygiene are definitely becoming, I would say, some kind of streamlined process in every single company that I’ve seen so far.

But I mean, going back to this, if we think a little bit more about the future, I mean, when we see or foresee how artificial intelligence is disrupting every single area, just imagine, I mean, how powerful your identity can become if you take care of this identity data, if you enrich identity data, how you will be able to feed those AI and agentic AI engines in the future, keeping in mind that in order to make a good decision, an AI engine needs nothing but good identity data, or data which has been prepared for artificial intelligence.

So I would say not only for timing those blind spots on risk issues as of today, but more importantly to prepare for this artificial intelligence disruption that we will observe in the next two years.

You definitely need to move forward with an identity data program.

Perfect. All right.

Well, I want to thank everyone for joining us today.

I also want to personally thank Simon for coming in from The Cyber Hut and giving us really a very detailed real-world aspect and analyst viewpoint of what’s going on in the identity data space.

And then Sebastien, thank you for your insights, your years of experience, and giving us the feel of the state of the world right now and how things are on the ground, where we’re going, and what we need to do.

I want to thank everyone again on behalf of Radiant Logic.

This is a continuing series of webinars that we’re producing with the intent of daily sharing information that’s going to make everyone’s identity journey a little bit easier, a little bit more effective.

And thank you all for joining us today.

Thank you. Thank you.