[MUSIC PLAYING] Hi, my name is Todd Peterson, I'm on the team here at One Identity. And today we're going to talk about what it takes to get identity and access management right.
So let's start with a couple of definitions. First off, what is identity and access management? As we all know, it's a very convoluted, complex thing, but it really only boils down to four principles. First is authentication-- how do you get people the access they need? So how do I log into a system basically. Authorization-- once I'm logged in, what can I do and what can't I do? What am I allowed to do? What am I authorized to do? Administration-- it's how do you set all that stuff up? How do you make sure that my authentication and my authorization are actually the correct ones for me? And audit-- how do you prove that all that stuff-- authentication, administration, and authentication-- happened according to the rules that, you know, I can prove to my security people that it's actually happened in the right way?
So that's all fine and good, especially if you only have one system-- you have one password, you know, you have one set of rights, you are one set of permissions, you have one tool is set up. But none of us only have one system, and the scope is getting out of control, you've got a lot of cloud things that are starting to come into play. You've got all that old on-prem stuff happening. You've got new applications that you keep adding, you've got databases, you have things like Active Directory, then you've got Azure Active Directory. So you want to do this authentication, authorization, administration, and audit for every single system that you've got. You don't have a choice, but it's difficult to do. That's all IAM is.
So what would right look like in an IAM environment? First off, you have the right people with the right access to all the right resources in all the ways they want at the correct times and with all the correct governance, meaning that they're doing all of this right stuff in the right way, and you have to be able to prove it. So that's what right looks like. Now go back to what identity and access management looks like, it's difficult.
Let's talk about why it's so hard. First off, we've got complexity. We did some research with Aberdeen Group a few years back that found that the average identity and access management program has been ongoing for six years, and they have not finished, meaning it's taking too long to do things. You've got silos. Because of this complexity, because of the constantly changing thing, the same research revealed that the average employee at a 10-person organization has 27 applications that they need to access and six different passwords that they use to get to whatever the mix of those 27 applications is. So you've got a lot of problems with, you know, it's all siloed, it's difficult, they're going to forget their password, they need different tools to manage it and everything else.
You've got change. Another survey we recently completed found that 72% of organizations are in the process of adopting these digital transformation type technologies. You know, mobile access, cloud stuff, you know, IoT, all those types of things are happening to 72% of the organizations, but only 18% of those organizations feel comfortable that they're actually doing authentication, authorization, administration, and audit correctly for this new stuff, but the stuff's happening anyway.
And then you've got a lot of manual processes just because of the nature of, you can have a 10-year-old system and you have a brand new system-- the same tools are not going to work for those. So that research we did with Aberdeen revealed that it takes more than a day and a half on average to fully provision a new employee. It's a lot of time when IT is working and the employee is not. That's bad. And it takes more than half a day to deprovision that same employee when they leave or quit or get fired or whatever-- that's a bad thing. Anytime that somebody that should not have access retains access, it's bad, so you've got a half the day window where bad things can happen.
At the Gartner Identity and Access Management Summit in 2016, Greg Kreizman was talking to the audience and he said that 63% of the people in attendance there would be replacing one or more of their IAM technologies in the next year. And he said the main reason that that was happening is because their technology environments have changed and the incumbent solution doesn't address their requirements anymore. So you've got this need to move on and to basically to get it right. So let's talk about what it would actually take to get identity and access management right.
So we've got years and years of experience of helping people do this. We've found that there are some key capabilities, some key strategies that can really help you get identity and access management right-- whether you do that through us or don't do it through us, these strategies work either way.
First one is a path to governance. Ultimately, what you want to do is get into a state where the right people have the right access to the right stuff and you can prove it. That's governance. That's where you want to get. Simply just giving people access is not enough. You need to ensure that they have the right access. You want to make it very easy to prove that. The new thing of attestations is becoming very difficult to do because of this complexity. You want to make those easier. And you want to make sure that your governance applies across the board, not just to end user access to applications, but also to access to data and also the privileged user access. So achieving governance is a key, that's one of the objectives you want to do.
Next off, it should be business-driven. For years and years and years, identity and access management was the world of IT. IT guys had to do the work because they're the only ones who knew how to use the tools. That's wrong, because they don't know the why of who should have access to what-- that's what the line of business should do. So what you want to do is implement identity and access management in a way that empowers the right people, focuses on your business objectives, and ultimately streamlines operations and reduces costs.
Next, you want to be modular and integrated. Years ago, you had to buy a very heavy dense technology platform that was very complex and customize it to do what you needed it to do. Today, you can no longer afford that-- it takes too long, it's too rigid, it's too cumbersome. Now you want to be able to start and solve today's problem today, but also move on to the next challenge as quickly and easily as you want to, even though you don't know what that challenge is going to be. So you want to make sure you can start from anywhere and build from there. You want to cover everything in IAM-- don't just focus on authentication, you need to deal with authorization. Don't just focus on audit, because you have to deal with administration as well.
You want to easily plug into your existing solutions, and of course, it has to be cloud-ready. Everything is moving to the cloud. If your legacy technologies aren't equipped to support the cloud, you're going to be in trouble.
You want it to be future-ready. You want to rapidly adapt to your changing environment. People are implementing applications, people are asking for things quicker and quicker and there are more capable things that are happening that old technologies can't support.
You want to embrace a digital transformation-- empower your organization to achieve its objectives through digital transformation, not get in the way of those objectives because you want to be more secure.
And you want to make sure that whoever you choose to help you accomplish this can support you throughout the whole thing, that can help you with the deployment, help you get it right in deployment, but also that they have superior support ongoing of the solutions of whatever you chose to buy from them. And that's going to result in rapid time-to-value. You can unify all your IAM components. No longer do you have 27 applications with six passwords, you have 50 applications with one password. No longer do you have several manual tools to do the provisioning action on a couple of different systems, you have a single tool that does it across everything, it's all unified, business is driving it. You want to relieve the burden on IT, and then you want to rely on the right partners. Find people that you can trust to help you get this right.
Ultimately it's all about focusing on successful outcomes. And you can have the best technology but if you don't get what you need out of it, it's not going to get you anywhere. On the other side, you can have average technology, but if you implement it very, very well with the right help, with the right people, you're going to get identity and access management right.
We've found that it can be done and we encourage you to try that. So if you want to learn more-- how we can help you get identity and access management right, just visit us on the web at oneidentity.com. Thanks.