[MUSIC PLAYING] Hi, my name is Todd Peterson, I'm on the team here at One Identity. And today we're going to talk about what it takes to get identity and access management right.
So let's start with a couple of definitions. First off, what is identity and access management? As we all know, it's a very convoluted, complex thing, but it really only boils down to four principles. First is authentication-- how do you get people the access they need? So how do I log into a system basically. Authorization-- once I'm logged in, what can I do and what can't I do? What am I allowed to do? What am I authorized to do? Administration-- it's how do you set all that stuff up? How do you make sure that my authentication and my authorization are actually the correct ones for me? And audit-- how do you prove that all that stuff-- authentication, administration, and authentication-- happened according to the rules that, you know, I can prove to my security people that it's actually happened in the right way?
So that's all fine and good, especially if you only have one system-- you have one password, you know, you have one set of rights, or one set of permissions, you have one tool set up. But none of us only have one system, and the scope is getting out of control. You've got a lot of cloud things that are starting to come into play. You've got all that old on-prem stuff happening. You've got new applications that you keep adding, you've got databases, you have things like Active Directory, then you've got Azure Active Directory. So you want to do this authentication, authorization, administration, and audit for every single system that you've got. You don't have a choice, but it's difficult to do. That's all IAM is.
So what would right look like in an IAM environment? First off, you have the right people with the right access to all the right resources in all the ways they want at the correct times and with all the correct governance, meaning that they're doing all of this right stuff in the right way, and you have to be able to prove it. So that's what right looks like. Now go back to what identity and access management looks like, it's difficult.
Let's talk about why it's so hard. First off, we've got complexity. We did some research with Aberdeen Group a few years back that found that the average identity and access management program has been ongoing for six years, and they have not finished, meaning it's taking too long to do things. You've got silos. Because of this complexity, because of the constantly changing thing, the same research revealed that the average employee at a 10-person organization has 27 applications that they need to access and six different passwords that they use to get to whatever the mix of those 27 applications is. So you've got a lot of problems with, you know, it's all siloed, it's difficult, they're going to forget their password, they need different tools to manage it and everything else.
You've got change. Another survey we recently completed found that 72% of organizations are in the process of adopting these digital transformation type technologies. You know, mobile access, cloud stuff, you know, IoT, all those types of things are happening to 72% of the organizations, but only 18% of those organizations feel comfortable that they're actually doing authentication, authorization, administration, and audit correctly for this new stuff, but the stuff's happening anyway.
And then you've got a lot of manual processes just because of the nature of, you can have a 10-year-old system and you have a brand new system-- the same tools are not going to work for those. So that research we did with Aberdeen revealed that it takes more than a day and a half on average to fully provision a new employee. It's a lot of time when IT is working and the employee is not. That's bad. And it takes more than half a day to deprovision that same employee when they leave or quit or get fired or whatever-- that's a bad thing. Anytime that somebody that should not have access retains access, it's bad, so you've got a half-day window where bad things can happen.
At the Gartner Identity and Access Management Summit in 2016, Gregg Kreizman was talking to the audience and he said that 63% of the people in attendance there would be replacing one or more of their IAM technologies in the next year. And he said the main reason that that was happening is because their technology environments have changed and the incumbent solution doesn't address their requirements anymore. So you've got this need to move on and basically to get it right. So let's talk about what it would actually take to get identity and access management right.
So we've got years and years of experience of helping people do this. We've found that there are some key capabilities, some key strategies that can really help you get identity and access management right-- whether you do that through us or don't do it through us, these strategies work either way.
First one is a path to governance. Ultimately, what you want to do is get into a state where the right people have the right access to the right stuff and you can prove it. That's governance. That's where you want to get. Simply just giving people access is not enough. You need to ensure that they have the right access. You want to make it very easy to prove that. The new thing of attestations is becoming very difficult to do because of this complexity. You want to make those easier. And you want to make sure that your governance applies across the board, not just to end user access to applications, but also to access