[MUSIC PLAYING] Hello, everyone, and welcome to One Identity's "Cybersecurity, Trends and Insights" series. I'm Joe Garber, VP of Marketing for One Identity. And I lead a series of interviews with identity security's top thought leaders. So you can hear directly from them about challenges they're facing, and how you can best overcome those or similar challenges as well.
Our guest today is Michiel Simon, who's lead consultant for Infosys Limited in the Netherlands. Michiel, thank you so much for joining us. Can you tell us a little bit about yourself and your experience in identity security?
Hi, Joe. Yeah, nice to be here. Like you said, Michiel, I'm based in the Netherlands, Amsterdam, my hometown. So, been in IT for quite some time actually, roughly 15 to 20 years now, and mainly focus with identity and access management, Active Directory, IDENT accounts, stuff like that in the past, I would say, 5 to 10 years. Background is actually not so much in IT, but I gradually moved into this space. As time and interests go on, this is really where I belong, I think.
That's great. Well, thank you very much. It's great to have someone with your experience here to share your thoughts. Since we have limited time today, I'm going to jump right in and ask you some questions, if that's OK.
Yeah, sure. Go ahead.
So the first question I have for you is, talk a little bit about the challenges you've been facing with respect to identity security. What is it you're trying to address, and why?
Well, I-- where to start? I think the main topic for us was really moving towards Identity Management, right? Coming from a set-up where you do everything by hand, manually, based upon an email or a ticket or a task, working with individuals in the team that just process requests as they come along, and then to really find a more structured approach. Like moving towards a process really, and, ideally, an automated solution where you have feeds from different directions merging into a system, which then triggers and acts upon that.
And really, the idea is quite simple. You can put it in a single slide, like probably with a cloud and some arrows. But in reality, just so much more comes to mind when you really want to implement that. And I think really, for us, the biggest struggle was with the scope creep, right? You have this vision of, oh, let's automate everything. OK, but before you know it, everybody bolts stuff onto this list.
People have ideas. While we're at it, let's address this. Why don't you just, in the meantime, send an automated email here, and a trigger there, and a welcome email. And before you know it, you have this endless list of requirements that you'll never be able to complete, especially not in phase 1.
So, while working on those requirements, I found it really important to, at one point, just basically draw a line and say, look, this is my plate. It's full. I can't have anything else on it at the moment. Let's just first complete this part before moving on to anything else. And even those baby steps sometimes are just what it takes to get to that end goal.
And probably you'll never, ever reach it. This is an ongoing thing, where you keep on introducing new items and working with new requirements. The business changes. Your landscape changes. Your solutions change all the time. So it's a never-ending story, really, in a good way, though.
Yeah, I noticed scope creep, and I know that can be very dangerous. So that makes a lot of sense. Were there some specific nuances within your organization? For example, IT constraints, regulations, resource constraints, that presented some special complications for you?
Well, the organizations that I'm involved with are really not local to one country. So they're all over the globe. They have different regulations in different places about what information is available or should not be handled in that respect. It's challenging to work with the different businesses. In the end, we like to think we're in charge, you know, IT, we determine what happens. But in reality, we're just there on behalf of the business. We make their solutions work.
So we have to talk to business owners, HR departments, what they want to see in these locations, what they want for permissions, what's their vision of birthright. And especially, moving to roles rather than look-alikes, this is really something that we were struggling to move away from.
Each time we try to define something that would go back to, oh, yeah, well, it's actually the same as Dave's account, or it's the same as Joe's account, you know? So really, that whole vision of moving away from just copy-pasting whatever the other person has to actually now describe what you really want to see inside such a role.
I think that was really, for some countries or some operations, that's a lot easier. They already maybe work that way under the hood. But for a lot of people, this is just a complete new mindset that they really have to get used to.
You addressed some of this already by talking about drawing a line in the sand and scope creep and such, but how did how did you solve some of the challenges that you faced? And what were some lessons learned along the way?
Well, for one, the moving away from humans to processes, that forces you to think about what you're doing. Even the simplest things as duplicates, a duplicate identity, like two persons with the same first and last name. That's normally something that would just be fixed by whoever creates that account. He gets an error saying, ah, this user already exists. You just amend the name. You put a one behind it, a dot, a slash, whatever. And you move along.
Now, suddenly, you're faced with, OK, we have to define these exceptions. There's no way to tell a computer, just go figure it out. So you'll have to come up with rules. Come up with naming conventions, templates, exception handling. It's a lot of those things that you just need to be in workshops together with stakeholders. And it's really with involving the business units that you get to a conclusion. You can't just go in and say, this is how we're going to do it.
Those changes don't really go down that well, to be honest. In my experience, you have to get the people on board. You have to talk with HR. You'll have to go to an owner of a folder and say, hey look, you know, you're just granting all these people access, but based on what? What's your criteria? What if you're not there? Who will take over?
So it's really getting everybody on board with this program, and not just sit in a corner and try to reinvent the wheel by yourself. Because that alone will just never happen. And so for me, really, the key aspect here was just, involve people, involve teams, involve from all the way help desk up to senior managers in HR, or whatever department they're at.
And how did you measure success?
Yeah, it's tough. On the one hand, you set goals, maybe, that work for you, that that's your goal. But in the end, it's really, again, the business that has a certain expectation. They want accounts that are not just unique or with a secure password, but they actually need to work as well, on day one, and in a predictable manner.
I think for us, the success was really coming from, A, the business, but also the identity team. So the people working with the tools, we sit down, we discuss the topics, we work together. And if, in the end, it does what it should, maybe not 100% perfect, but yeah, I think really that was our goal.
And again, the scope-creep part was hard because, before you know it, you find that solutions are not really what everybody had in mind. But if you just chop it up into workable chunks, that really helps. Because, in the end, that's what's success. If you have a topic and you can conclude it and finalize it, and then move on to the next, that's a success for me right there.
We've done some research, and we found that the average large organization manages access rights in roughly 25 or so different silos. And we've talked about that as identity sprawl. I'm curious what your perspective is, and how many different systems that you've had to get control of, as you've gone down this journey.
Being what they sometimes say, a Windows guy, I mainly work on Windows-based IT systems, I would say that's really our main criteria all along. We have Linux and Unix systems around, but still, it's mainly Windows boxes that we look after.
So trying to get, for example, single sign-on working to a lot of systems, that was very nice to have. But with regards to direct access, it's mainly Windows-based things, a whole lot of Active Directory grouping. And as you can imagine, for example, we have a lot of systems that require an Active Directory group in order to do a certain thing, allow somebody in, or give more permissions than average. Those groups don't always have user-friendly names or they don't even look familiar to a person on the outside. So it's really describing what the engine looks like.
So instead of a group called, A_whatever, something, that you now say, this group gives people the right to print in color. OK, now that makes sense. So to translate from obscure names to functions, that make sense to a lot of people. That was a main part in opening up and exposing permissions to certain systems.
And at the same time, the single sign-on solutions that we have in place do allow for people to utilize other systems that are maybe not directly tied into identity management solutions that you may have. But they still work with underlying aspects of these accounts. So to just grant SSO access I think really is a key feature that needs to be in place for any identity management solution, really.
You mentioned, some were not necessarily connected. Is your aspiration to manage identity security a little more holistically? And if so, why?
Yeah, I think that's a tough one. In the end, there are so many moving parts in an organization that it's hard to really have a single vision on that, especially working with security. Wow, how do I put this politically? It's a challenge sometimes. Of course, they want everything secured. So do I, but we have to make it. Together we work, and we have to chug along and not block each other really completely.
Especially when these things from the past, we weren't so much involved with each other. And nowadays, they introduce systems like privileged access management or they dictate that certain aspects can't be connected to other components.
So, I think that, for us, is the key area, really, is to progress together and, again, involve security as much as we can with regards to deciding and getting some backing from them, as well, that they are OK with what we're doing, that they see the challenges we face, and that they actually contribute to a solution rather than fight us or try to block certain things that we may or may not need.
Well, I think you answered this question, but just out of curiosity, you said partnership is a part of it, but what else, if you were to pursue more of a holistic approach, what else would you need beyond kind of have that partnership to be able to pursue a more holistic approach to identity security?
I think trust is a very important aspect here. You need to trust the other party to have this vision that you share, that you are aligned to go to the same strategy. Sometimes this roadmap of solutions is kind of missing, or not clear, at least. And then you have people working on supporting a solution, maybe, that doesn't necessarily fit in with all the other aspects. And if you then have a different view on what the solution should be like, then it's difficult really to come together again and to move forward.
So, in my view at least, it's important to be on the same page and to have this common goal, rather than just listing your requirements and then logging off that meeting again. It has to be a two-way street and not just a one-way, where people just dictate rules or regulations or policies and then sign out.
Well, good. With that, I see we're close to being out of time, so I'll wrap up today's discussion. I'd like to thank Michiel one last time for giving us some excellent things to think about with respect to identity security. You're a great guest, and I sincerely appreciate you joining us.
You're more than welcome.
And of course, I want to thank you all. Oh, I'm sorry. Go ahead, Michiel.
Oh, I was about to say, you're more than welcome. I like the opportunity to talk about these things. And yeah, any time. Thanks.
I appreciate it. And thanks to everyone for joining this installment of our "Cybersecurity, Trends and Insights" video series. Be looking for additional discussions like this in the near future. And I'm hopeful that you'll all join us. Goodbye. Thank you all.