Hello and welcome to Intragen's OneLogin webinars from wherever in the world you're joining us. I'm Helena Carter and I'll be hosting this webinar series covering everything from the future of identity and access management to jiu jitsu, of all things. In our first webinar, we're discussing the identity security market and we're looking to how companies should approach an access management project.
We're joined, first of all by Stuart Sharp, Vice President of Product Management for the OneLogin platform. Stuart, welcome and thank you so much for joining us today. First of all, then, can you give us a bit of an insight into your role at One Identity?
Hi, Helena. It's great to be with you here today. And I'm really looking forward to our session. So I head up product development and strategy for the OneLogin IDaaS platform. It's part of the One Identity portfolio of products. And also I have a special role on the integration of functionality across the product suite.
But a big-- I guess, a good way to understand my role, it's about understanding what the market is asking for, what our current and prospective customers are looking for, and translating those to the engineering teams, to components and features that they can build.
So let's talk then about the identity security market. What are the main developments that you see in this market?
So identity is rightly recognized as absolutely central to security these days. And you'll always hear talk about identity is the new perimeter of security, particularly with the demise of physical offices and the physical location. Sometimes it's the only thing you can rely on to secure your access, your assets and your software and your data.
But there have been a lot of solutions out there that are very secure and that are very strong. The challenge has been, now that more and more users within your business-- so think of user communities. It's not just office workers now who need to access online resources and even sometimes your on-prem computer systems. They're your business partners. They're your customers, even. They're contractors. If you're in education, it's your students, but also now your alumni. So you have such a diverse range of user communities, many of which you have no control over.
So the challenges in the identity market today is how do you increase security over that wide range of users. And the traditional methods that have been well developed and advanced over the years have had the problem of introducing a lot of friction into the user experience. And if it's too difficult to use or if it requires specialist hardware, these diverse user communities, particularly customers and students, et cetera, they can't use it. So that's the challenge today, is how can we deliver a frictionless but more secure option to protect and grant access to your online resources.
So let's talk then about security in the identity security space. OneLogin offers an identity as a service solution. But what are the main factors customers should consider then, when it comes to selecting an IDaaS solution?
So I think firstly, identity as a service is primarily focused on securing online cloud applications. And we've seen this-- 12, 15 years ago it was thought, well, a lot of businesses will never move to the cloud, much less move to software as a service, what we all know, Salesforce, Office 365, et cetera. But that quickly changed. And now it's, well, who isn't moving to not just the cloud but to SaaS applications.
So they've adopted this drive to business-- companies have adopted SaaS applications in a drive to improve business efficiency. So it follows on that they would expect the same level of efficiency gains if they're choosing to use identity as a service rather than deploying and managing and running their own identity systems in-house.
So efficiency is delivered through automation and also through self-service. So for end users, it's about letting them take care of things like password resets or adding a new phone when they buy a new phone, registering it into your system, et cetera. Can you do that in a way that is secure but doesn't require them calling up your IT help desk? Because every call is expensive, and resourcing it. And also, you don't want to leave an end user not being able to do their work. That's just lost time and efficiency for your business overall.
The other side of automation is tasks that would traditionally have been done by the IT team. So I used to work at Oxford University. I've worked in a number of different departments and colleges there. And of course, the month leading up to students arriving was chaotic, as you could imagine. We had 10,000 students who were all going to walk onto campus the same day. So that took a lot of preparation and a lot of work.
But nowadays, you can actually automate the creation of accounts, the even issuing of passwords, if you need to do that in advance, or just allow them to set it up themselves, et cetera. But creating those users, removing them when they graduate, or when an employee leaves, changing what applications they have access to when they change roles within a company, all of that now can be automated, and that's a really crucial part of identity as a service.
So it might be interesting to actually realize that security is often not the primary reason a company buys identity as a service. The reason they're moving to identity as a service is for those efficiency gains. So analysts, different analysts have polled companies before. And often, security just comes about number four in the reason why they're going to adopt an IDaaS platform.
And how do you see IDaaS developing then in the near future?
So IDaaS platforms need to help organizations overcome these challenges they face in highly complex environments. And I think that there's more we can do as IDaaS providers to streamline how identity teams can meet those challenges, through greater efficiency, like I was talking about, and through streamlined user experiences.
So we're currently working on ways to protect organizations from phishing attacks. And you see in the news all the time the nature of these attacks are innovating all the time. We have to innovate along with it. But our innovation is not just about coming up with new security methods. It's about delivering those new methods to users with the least possible friction. So our aim is to do so in a way that end users don't even notice. Maybe their experience is exactly the same as it always was, but we've been able to embed in it more secure protocols and security systems behind the scenes.
Also, we want to give administrators high levels of control and visibility. So when you look at some of the more recent innovations like passkeys. Passkeys were first rolled out by Apple and then Google, and now Microsoft has rolled them out. These are very secure, they're phishing resistant. But there's a catch, as there often is. These were made for the consumer market.
So if you have an employee in your business, if you let them use their Apple passkey to log into your business systems without a password, yes, it's phishing resistant. Yes, it's very secure. But that passkey is actually synchronized to all of their personal Apple devices. And it's a personal solution. It's not a business solution.
So as IDaaS providers, we need to offer our customers who are organizations and businesses control over even new security innovations. They have to be able to say which devices a user can deploy passkeys on and be able to remove those passkeys when the user is no longer with the company, with the organization. So those are some of the unique challenges that we're facing today.
Now, on the other side is that we as an organization, even though we have a broad set of identity tools that are very mature and are very feature rich, there will always be new vendors that come into the space that are highly specialized, that provide additional value to what we can offer within our own product suite. So it's very important to us that we allow our customers to integrate these new innovations as they come along and add them on to make our products extensible.
So last year, for example, we introduced what I call bring your own MFA. So you can integrate third party authentication mechanisms into your authentication flow. We have lots of authentication options built in, but we want to make it easy for you to add new things that none of us have even thought about. Maybe the company hasn't even, the intellectual property hasn't even been invented yet. But in 18 months it might suddenly appear and we want you to be able to leverage it.
So let's talk a bit about the preparation side of things. And so how do OneLogin and One Identity prepare for new developments?
Well, apart from watching the market closely, gathering information to actually understand what's going on, we spend a lot of time meeting with our customers to understand what are their big challenges. And it's not always what you think. Also, when you think about, we have thousands of customers. So within those thousands, you have a handful who will be leading edge in developing and utilizing the absolute latest innovations. But then you have a whole range of organizations, some who are still very early on in their journey.
And so you want to look at, how can we come up with new ways to deliver this functionality, these features, this security in a very seamless way with the lowest possible administration, for example, because often organizations haven't adopted new technology because they don't have the manpower or sometimes the specialist skills needed to do that. But that's where when you have identity as a service, we can offer that service and enable them to achieve levels of security they couldn't on their own.
Now, a really important part of this too is our technology partnership. I've just started a new program within our partner circle at One Identity for technology partnerships. It's to give them early access to new features, make sure they can develop their integrations by having free access to OneLogin environments, for example, where they can develop, test, and themselves demonstrate to their customers and their prospects the integration between their products and ours. And that technology partnership is a very important part, I think, of what we do to keep innovating and delivering value to the market.
And talking about innovating and delivering things to the market, I know you're a very busy man. Tell us about what are the most exciting projects you're currently working on.
I'll tell you about one that actually has just launched. Because it's been something I've had in mind for the last three years, and it was great to actually see it come to fruition and deliver to the market. And that's what we call PAM Essentials. So privileged access management is a very mature area in the market for monitoring and securing privileged user access to manage your infrastructure, everything from-- it's not just about managing computers remotely, but it's managing networking and VPNs, servers, data centers, et cetera.
And what we've been able to do is leverage the secure authentication, risk-based adaptive authentication that OneLogin offers and allow these privileged users to simply launch connections to their remote servers and their managed infrastructure, but with an additional layer of security where we record everything they do, so the session recording. And we also do something called credential vaulting. It means that that privileged user never actually sees the, think of it as a username and password used to access the system. It's injected in the back end. They can't copy it down and walk away and use it outside of the OneLogin access.
So we limit and restrict access to only be via OneLogin. And we record and further protect the access to that managed infrastructure. But the great thing is, it's just like launching an application in the OneLogin portal. All they do is they just click on it and it launches that session for them seamlessly. So it's fantastic user experience and it's great to see that out. That was just released to the market in March.
I've now switched my focus on to integration with a couple of our other products within the One Identity suite, where we've got a very mature governance solution called Identity Manager, or IGA, for identity governance. And we have a very mature directory management system called Active Roles. And I've been working with my colleagues on those products to deliver functionality related to both of those, again, via OneLogin. It's taking those features and functions that have been delivered via on-premise software and delivering it now as a service.
Amazing. We've covered, obviously, so much there. So thank you so much, Stuart. Is there anything else that you would like to add before you go today?
Well, like I mentioned earlier, I love to have conversations with customers and with prospects. I like to understand what are the real problems that they face that are causing inefficiencies in the way they do business or where it's leaving them, they feel exposed from a risk perspective. So I'd really encourage them to reach out to me at One Identity. And I'd love to have those conversations to understand what their needs are, because my favorite part of this job is coming up with new ways to make our customers' lives easier.
Well, Stuart, thank you so much for having the conversation with us today and for sharing your thoughts. That is hugely appreciated. Thank you very much indeed.
Thank you.
We're now joined by Kalle Niemi, Lead Business Consultant at Intragen. Kalle, welcome. Lovely to have you here.
First of all, you've got many years' experience working within the identity and access management domain. Can you give us a little bit more insight into your role?
Yes. Well, thanks, Helena. I've been working with numerous customers across numerous different business domains. My experience from working with those customers comes from being an advisor in identity and access management in general, and I also do take part of technical implementation. So I would say I do a bit of both worlds. I talk to people and I talk with the tech and I try to be the link in between these, all the way up to the C level down to the very developers, if you can say. So that is my role. It's a very multifaceted role.
And given all your experience then, how should companies approach an access management project?
I think it should be thinking as any kind of business development initiative. You focus on your key drivers, what are you trying to achieve. And we like to think that there's three different main areas where you can actually find benefits.
One of them is efficiency. You may think of fastening your onboarding process, creating accounts automatically, granting access automatically to people in your workforce.
Then there's the security and compliance side. How do you maintain compliancy over always strictening regulations? How you prove that you are in control and you're governing all the accesses within your organization, and also increasing your security posture by enforcing the things like least privilege, decommissioning access real time, and all those things.
The last thing, the last area would be user experience, which I think is a combination of the previous two but also a topic on its own. I don't think anybody enjoys a poorly working process when they join a company and then it takes two weeks for them to get accounts and they face Excel forms, different kind of sheets that they need to apply to. I don't think that is a very good posture of your company to a new employee.
And why do you think then that companies should invest in identity and access management?
I think that it is a must thing to invest in it, and because of those reasons that I mentioned, the drivers. You may look into improving your efficiency. I think that is probably the most common driver for many companies that I see out there.
The other main driver is security and compliance. There are several regulations that don't explicitly tell you what you need to do, but they do state that you need to build your controls based on the risk. And that is one thing you need to be able to prove that you've built sufficient controls around the risk within your company. And I think it's a very key thing to take that risk approach into your daily identity risk management activities as it is also demanded by regulations, but it also allows you to spend your investments where it's most needed.
And what do you see then as some of the core challenges in identity and access management that companies are facing today?
I think there are a lot of challenges that companies are facing. But one of the core challenges today is that the identity and access management activities are rather splintered and siloed across the organization. They tend to buy technical solutions to solve one issue at a time, and there's no correlation or no bigger picture of where they want to go with identity and access management.
These initiatives are often led by different teams that don't have any kind of connection between each other, so they may even end up investing into overlapping solutions or they might be paying for a solution that they actually utilize only at 10% of the capabilities it could do. And that is all because there's no central ownership for the identity and access management in many companies still today. And I think that is the main challenge.
The other one, lack of risk or understanding of risk. I think that causes either overspending, so you spend money in places where it doesn't really matter, or under spend. You don't actually protect what you need to protect sufficiently.
For an example, there's still a lot of reliance in old fashioned passwords. I know companies that enforce heavy password rules with very short change periods. That frustrates users. And it's not even really secure. It's just an old way of doing things. So there's a lot of room in improvement on that level.
And also, I think the third big challenge is the whole concept of a workforce nowadays. It isn't that people come to an office where you have an office network and that alone creates a perimeter. It's people are now working from all over the place. Your company will probably empower more and more external workforce. How do you manage that access and how do you enforce stronger authentication policies to people who are not physically going to visit your office at all? And that is a challenge today.
So if you were a company then considering starting their identity and access management journey or developing their current practices, where would you begin?
I think it all begins of setting up some sort of a vision that what you want to do. First, it can be a draft, where you want to go. Then the second thing is to understand your current state. Where are you now? What are your capabilities? What are your processes? What are the tools that you have currently in use? How much resources can you actually put in this initiative? And I do recommend using external help on identifying your current state, because it is quite hard to understand all the dependencies and all the things that actually affect identity risk management if you do it as an internal exercise.
Once you have identified your current state, probably identify the key gaps and you have a vision where you want to go, then the next thing is to build intermediate milestones. Link them to your business objectives, what you want to achieve. And if you can make them quantifiable, something tangible, like how much savings percentage you want to achieve within a year, even better. And also on that, I do recommend utilizing the external help, because that will allow you to put some actual realistic expectations of what you can achieve and in what timeframe, rather than just placing hopes over the time and they will never realize.
And let's look ahead then. What do you think the future of identity and access management will look like?
I think the future will look quite interesting. There are several developments that will address some of the challenges mentioned. One of them is unified operations. I do see more and more companies building unified identity and asset management teams that will cover authentication, authorization, the whole life cycle management of different kinds of identities, whether they are your customers, partners, robots, applications, or employees. That also includes unifying the platforms that are in use. So reducing the amount of tools and also integrating the tools that you are using together so that they operate in a single point of service for all the different kind of user needs.
And the second trend I do see is basically bring your own identity is becoming a reality. Decentralized identities is a thing that is going to be more and more in our daily lives, as people can identify strongly with their mobile phones, with a mobile wallet that has been maybe issued by their own nation. And that verification should be trusted by all other nations around the globe. So I think that will be a bit of a game changer in many use cases and address some of the challenges that we see in the market today when we can trust and have a more standard on the external trust that identities that we have now.
And maybe as the last thing I have to say, the artificial intelligence. That is a tool that will probably help companies move forward faster, gaining insights faster. And I do see the increase of using artificial intelligence-based applications in the identity and access management domain.
And so let's think about key takeaways then. When it comes to the key takeaway here, what would you say it is?
I would say, think of it as a journey not as a project. So similar if you start a new hobby. You start going to jiu jitsu. You take the eight weeks basic course, then you stop. You can't really say after that or after a year that you're really good at jiu jitsu. No, it's a continuous journey. You will definitely find always new things to improve, new things to address, definitely new problems to address. And that is how it should be viewed. It should not be viewed as a single project here and there with no interlinking between.
Super. A lot to consider there. Thank you so much. And of course, thank you to Stuart, too.
Coming up in our next webinar then, we'll be taking a close look at some key use cases when it comes to One Identity's identity as a service for small to medium businesses and enterprise. Thank you so much for joining us today and we look forward to seeing you in the next webinar.