
Okay, we are going live in one... we are live. Hello guys, I'm back again. So I'm happy to present Bhuvana Natarajan as our next speaker. Bhuvana has been working in different phases of cyber security implementation, consulting and operations management over the past 15 years. Based on her experience working with multiple Fortune 500 customers, she understands the diverse needs of multiple verticals within cyber security. She has delivered multiple proposals and led many identity management projects across North America. Bhuvana's primary areas of interest include operations management and identifying and improving the maturity of a given landscape based on risk assessment. Bhuvana's topic for the talk today is "Mature IAM
in the era of work from home". I think this is a really, really good topic and we need to have a discussion on this. So I hand it over to Bhuvana now; the stage is all yours.

Yeah, thanks Harvindler, thank you. And I do want to thank the Edmonton Designs for giving me this opportunity to present on this topic. So I'll get started with a brief introduction about myself. So this is how I got into cyber security: it was not exactly a "this is precisely what I want to do in my life" kind of goal, but this is how I got in. I kept saying, and then God said, okay, go into
cyber security and everything is going to be fine. Ever since, after I finished my college, I got into Wipro, and for a year I was in induction and testing, and then for 11 years I did just identity and access management in various capacities. I started off as a developer, and it has really given me a very good hold on what the customer wants, what the issues are that can happen at the grassroots level. I did a little bit of operations too, and then I moved into leading and then consulting, and finally managing identity and access management projects, and further on I moved
into cyber security management, and the last three years have been about managing cyber security for one of our clients here. So, as we all know, cyber security is pretty huge; it spans across everything that's infra and everything that's applications, and there are so many facets of cyber security, right? And the one area that I'm good at is identity and access management, so when Hanny asked me, can you talk on this topic, I was, yeah, definitely, I mean it's something that I really like a lot and I know something about. So when we talk about identity and access management, again, it is not just one thing. Identity
and access management is so many sub-domains. For instance, you have access management, identity management, privileged access management, access governance, and all of this spans across different types of users: B2E users, enterprise users, consumers, business-to-business users. You have so many different kinds of IDs, right: social IDs, privileged IDs, service IDs, shared IDs, the normal Active Directory IDs that we generally use; what kind of apps we are using our IDs against, and what kind of access is being provisioned. So when we look at the entire gamut of what makes up identity and access management,
it is really not a singular thing, it's very plural; it's so many things put together. And here, one of the things I have not mentioned, and one of the things that gets called out repeatedly, is multi-factor authentication. It's usually part of access management, but it has been taking on a life of its own in the recent past. So today we will be talking, I would say you would be scratching the surface, in terms of discussing what we can do in this era of work from home, as we move towards a new way of working: what is it going to be like? So let's go to 2019,
let's start from there. One of the things I do want to say is, through the meetings today, all the talks that have happened today, most things have already been discussed. People who have a lot more expertise than me, who have a lot more experience, who have a much bigger vision of what they see in their organizations, have spoken about the importance of identity and access management. So I think my deck is kind of a summary of many of those points, but we'll go through it nevertheless. So in 2019, even before the pandemic started, the list of people we could trust
was very short, and if the CISO was lucky enough, he probably got a multi-million dollar cyber budget. But it is not exactly like he or she did not have problems. There were security awareness trainings, and then we had operations teams and project security folks who would say, no, this cannot be done, or, oh, we will not let you do this, or, hold on, let me think what is the best way to do it. And then there would always be someone who says, I think we need to take care of this every year, just after the audit is done. I'm sure many of you have faced
this: just after the audit is done, or through the year, someone is saying we need to do access management, we need to do it better. And it's of course not a very simple thing; it's something that spans across everything. Identity is one aspect that goes across everything infrastructure-related, everything application-related. Skill set is another very big issue, and it's not that it was a shortage point only in 2020; in 2019 too there was a limited number of people who could actually do full-fledged IAM implementations. Then we had our operations teams and our system administrators, and they would say, let me go ahead and take care of
password management. So all these things existed in 2019, and alongside security, in the overall IT landscape things were already moving from on-prem to cloud. These things were very much in progress even in 2019, and frankly, even in 2019 things were not going at a normal 1x kind of speed. People were probably making the jump: oh, am I in a legacy system, then can I just avoid the intermediate steps and move into something that's cloud-based? All those thoughts were already there, and probably the approvals were coming in much slower. And at that point, of course, there was no concern about working from
home. Probably the HR policy document said something like you'll work from home once per week, or once in two months, or something like that. We didn't have that concept as rampant as it is today. Come 2020, we had the pandemic in March. As you can see, it was not a bad start in terms of attacks and other things, but the first thing that happened, as soon as everyone settled and decided that we can start looking at it (or probably they were preparing in March, I don't know), was that in April 2020 credential phishing shot up. And if you look at this, it is a key aspect:
password management. Password, and today we have spoken so much about it, even during the panel discussion; one of the things was go for something that is passwordless, go for multi-factor authentication. In the chat section we saw there were multiple asks about multi-factor authentication. So the moment we settled down, credential phishing went up, and this shows how important identity is, and the password and other attributes associated with identity. One of the other things that was rampant, in terms of coronavirus scams, has again been identity theft. While all these things
did exist in 2019 too, the ramifications if they happen today are a little more lethal, because people are already vulnerable, and with furloughs and many other things we'd want to maintain the identity of a person and the integrity of an organization in a much better fashion. So with all that in mind, let us just take one use case, one example, which was the Twitter hack that happened a few months back. The reason I bring this up is that we want to talk about security awareness also today. As we went through these multiple discussions we heard how security awareness is so important. If you look at what happened
in the Twitter hack, primarily they phished, okay, that is one aspect of security, but they phished for credentials, and then when the person gave up his credentials, or provided the required access, it was very much related to access management; it was very much related to the identity of the person. And if you look at what the reporters are talking about, usually the reporting is A, B, C, D, E, F, G, H, right, and here Twitter said, we have strictly limited the access to avoid any kind of problems; we will give the
access at a later point, we will start rolling out the access again. But the perception, whatever this reporter has written, says: though they said it is strictly limited and only granted for valid business reasons, they also said they have reduced the access significantly. So the organizations go through some kind of crisis too, right, like what does the public think of them? So knowing about all these things, I just want to say that the pandemic, though it has changed how companies work, is not essentially changing what they create; it is not changing what the companies provide to the consumers.
So basically when you look at the entire IAM landscape, or even most other aspects of security, you are not looking at a complete overhaul. If you're ideally a mature organization, you're going to be doing these three things: you're going to be looking at a few of your operational processes and remodeling a few of them; you're probably going to be upgrading a little bit of your infra, because you're already on your cloud journey, and if you have the necessary approvals for many things infra-related and application-related, you're probably going to be upgrading very little of your infra; and you're probably going to be revisiting your audit controls. These are
the three things that you will be doing. But most organizations, in spite of all the changes that have been happening in the recent past, or probably because of all the changes that have been happening in the recent past as they move into cloud, might not be very mature in each one of these points. Nikita, if you could just put up the poll, we can probably go through it towards the end of this meeting. Okay, I'll just continue with the discussion here. So in terms of expert talk, as we go through multiple discussions, as we go through multiple materials
where people are giving their opinion on what they see: one is obviously the data thefts that are increasing, and in spite of having, or moving towards, a cloud-based environment, there are still restrictions because most of your Active Directory is still on-prem. Not everyone has moved into Azure already, or probably you were just beginning your journey and you're nowhere near completion, I would say. Privacy concerns: we spoke a lot about privacy concerns today. One good thing is where, I'm sorry, I don't remember her name, she just mentioned they didn't see as many hacks or as many threats
as they expected to see, which is a good thing to actually know. The other thing is concerns on the strength of the network, mostly because we were still operating in an on-prem model. We still had a lot of on-prem controls, and we were just beginning to think about how to mature them into cloud-based controls, and we are still not there. But knowing that the spend is not going to be extremely great, knowing that even companies and businesses are controlling their spend, what we see here is that IT spend is going to be relatively neutral. Yeah, there are a lot of projections on how much is going to
be spent; yes, it will be spent over a period of time, but having said that, where they will spend it, what area they want to focus on, that is still neutral, and security is not the only area where they will be putting their money. Now, knowing all these things, what is different between 2019 and 2020, and why should we be having this conversation in 2020? This is something one of our very senior managers had said a long time back: organizational inertia is at an all-time low. I really love those words. The inertia that you have in an organization, bringing 20 people together,
and then they are focusing on what is key to them, and they take a period of time to decide what is important. No, right now it goes: I have this thing, wherever the security folks are they have that thought in their head, that pebble in their head that says, no, you cannot wait, this cannot wait, you need to make that change. So they have that mindset right now, and when you have that mindset the inertia becomes very low and adaptability is going to be very high. For instance, I remember in one of my previous projects there was this person who
would come in and say two-factor authentication is privileged access management. It used to be so difficult; I mean that person was so set in his ways, and it was so difficult to make that move. But right now it is not like that. Now we have a lot of support from people who are higher up; they want to know about it. One of the points that was said today: senior folks understand security. As a matter of fact, today when security does not sit at the table, people on top ask, where is this person, where is the CISO, or where is the security architect? That question does arise. And now what we can do is, we see
large vendors like, let's say, Microsoft or Google, many such organizations whose suites we already use in our organization; they are already providing a lot of cloud-based applications. Can we move towards them? Can we consolidate all of the on-prem tools that we use for IAM and leverage Microsoft, or Google, or any other suite? That is something we want to look at, and that is what is different in 2020: the lack of inertia, and the availability of these suites that can help us actually make the jump. Now, knowing this, one of the key things I do want to talk about is, in March 2020 we were at "we need to work from home". We
were doing, I would say, very quick risk assessments with a smaller team. For instance, a rollout of VPN was happening like this, in the snap of a finger: do a risk assessment, do your VPN rollout. Or our laptops and computers, the desktops in the office, would probably never go home, but all of a sudden we were sending them home, right, and we were probably pushing BitLocker and many other things very fast. But now the question, so many months into the pandemic, when we have started talking about whether we can return to work, the discussion is going to be more around what percentage of folks we need in the office.
Can we enable remote working permanently for certain positions? And the most important thing, something that actually touches a nerve with the business too: can we save on office space? Because it's a cost saving for most organizations at the moment, and seriously, organizations do worry about their employees, and if they can have their employees working from home and just give up a little bit of their office space, why not, right? So using all these thoughts, all these parameters, it is now possible for us to dust off whatever plans or propositions we had previously, the proposals we prepared. Most of the security folks I have seen in
the past, we prepare business cases; we prepare so many business cases for identity and access management: I want to move into cloud and we have this on-prem solution, or I want to consolidate, I want to move into a new EDR solution. We just did not have that leverage; we were just not able to provide reasons on what the ROI would be. But right now we have that lever. So using all that, it would be good to revisit our proposals, get a sign-off on cloud-based long-term solutions, and also consolidate what we have on-prem. So this new normal is going to
be a lever that lets us move into newer ways of working with identity and access management. Now, having said this... and my screen won't move, I don't know why, what's happening, just a moment. Okay, so this was something I thought I should add, mostly because at the beginning of the pandemic ride... this is more to do with business continuity than the pandemic itself, and probably in the future we want to have our business continuity documents updated with these important points. When the pandemic struck and we started doing operations, there were a few things that we did not think about. Collaboration, especially collaboration
with HR to understand what change they are undergoing in terms of onboarding their folks: today, if we have a certain way of onboarding folks into our environment, how is it going to be when they run their background verification, is there going to be a delay? So having all those conversations with your supporting teams, all that was something we had to consider. Remote access provisioning and VPN access provisioning, those service requests went up in number. Then in terms of functional access requirements, I don't think there was much of a change at all. The only thing was, probably we were going for
more blanket approvals, because we knew we had to provision access to so many people. But in terms of who's going to have access to this particular feature, this particular page in this application, that did not have any kind of change. So these were aspects that did not change, even after the onset of the pandemic, and even as we work from home it will not change. What did see a lot of change, however, was access management. The previous ones were more towards identity management; access management, in terms of how we are accessing the application, underwent a lot of change. How are you accessing your remote
desktops? Do you need to access your remote desktops? Do you need to sign into your corporate environment? Signing into the corporate environment now became a pretty big topic, I would say, because our environments are not always necessarily built to pick up that amount of volume. So in that case, how are we going to enable single sign-on, and how are we going to enable split tunneling? Jason was speaking about it this morning, how split tunneling is an important factor; that would have been a very important factor in most organizations. So how are we going to handle all of those things? How are we going to onboard more
applications into whatever your access management tool is? For instance, if it's Okta, how are you going to move into it? Did you have the base information to contextualize and take risk-based decisions on it? How are you going to mandate MFA? I remember a time, one or two years ago, even within the company I worked for and the multiple other clients, MFA was seen as an inconvenience. Today people ask for MFA. Password is no longer sufficient; frankly, when a password reset request comes, it's like, do we still have this problem? Right, because you have so many means of going passwordless: you can go for smart devices, you can go for Google
Authenticator, you can go for multiple other ways of achieving the "something you know, something you have" and other factors. So all these are discussions we should be having, and we'll talk about it momentarily. What is the permitted authorization, coarse-grained authorization, that we see here? In terms of authentication, that is something that was discussed in detail. Fine-grained authorization to applications was not something that underwent a huge change; people were still doing their work, if anything a few people unfortunately were losing their jobs, but mostly this did not change. In terms of SIEM monitoring, so both for authentication and SIEM monitoring, there were two important things. One is bringing a context- and risk-based
perception, or risk-based decision making. So in terms of static rules we probably already had it, but in terms of dynamic rules, what can we bring in? And that is where the whole concept of "do you know your organization, have you put it all in the CMDB" starts coming into the picture. Where all does your company operate, what geographies is your company working in? If a person is working based out of, let's say, Africa, and you just say, no, because the pandemic happened I'm going to restrict all access from, let's say, Africa and the UK, because I think my
crowd is only in Canada, I mean that's just not correct, right? So minor things like that became important when we started looking into authentication and SIEM monitoring. Access recertification: this is anyway part and parcel of every year's audit, every year's work that an organization does, but at the start of the pandemic, as they started working from home, looking at who has global domain admin access, local admin, how many people have local admin access, security tools (we'll talk a little more about local admins and application lists and other things in the slides to come), what kind of security tools do we have, what kind of infra tools and
applications do these people have access to; all those should have been revisited by now. You should have taken a look at it, at least to know what amount of risk we are having in our bucket. The next thing is around privileged access management. I don't mean it in a bad way, but I do know that Europe has always carried the baton in terms of identity and access management. They were the first set of folks who did identity management very well; they did privileged access management very well. And even as we were saying, because I was from an MSSP company, I could see that
most of our identity and access management projects were coming from Europe first, before they started coming from the USA, and then the privileged access management projects, they started coming in a lot earlier there than they did from the North American geography. But right now I think the gap is closing very fast. But if the organization presently does not have privileged access management, it's high time to implement it. One of the biggest things that we have been talking about today is what we should be doing in the future, and this is where we are starting on the meat of the topic. I think I have another, what, 15 minutes? Yeah, 15 minutes, so
I'll go through this a little fast. Security awareness: even this morning on the chat these were the questions, right, how do we do security awareness? One thing that I do notice, especially for identity and access management, and this is where the Twitter example also comes into the picture: we talk about training our business folks a lot, we talk about training our employees a lot, but there needs to be special training for people who are part and parcel of your security team, your analysts, your L1 analysts, your L2 analysts. They are not subject matter experts, they are not architects, they don't always think from the perspective of "is this a safe thing to do?" They
are following your standard operating procedure documents. So you might want to give them special training, because I have seen people losing their job when they do something really bad; I mean, they probably thought it's the right thing. For instance, a major incident is ongoing, or let's say a Sev 1 incident is ongoing, and without thinking twice they just provision access, and something goes wrong. We need to provide them the guidance to tell them: even so, take a step back. During major incidents, during your Sev 1, is when you want to be a little more careful, and we need to train them. And when we
train them repeatedly on it, it becomes easy; they are not looking here and there for guidance, they know where to go for guidance. I think that's something we want to focus on: tell them what the risk is, what the impact to the organization is, and also the consequences to the employees, not in terms of scaring them but in terms of keeping them aware. This is more like my personal point of view, I'm sure there are very nice ways of doing it, but it's more like what should be happening in terms of roadmap priorities for any organization as we move to the work-from-home kind of model. There's obviously going to be some
amount of work from office and some amount of work from home, but there's going to be a big portion of folks who are going to say, of course I can do my work from home, and a big chunk of the senior management that's going to say, yeah, let them work from home; we have seen it works, we know it's not that bad, we know it is safe enough, why don't we just create controls around it? And at that point, what should our priorities be? The first priority will obviously be authentication and authorization, the second one will be adaptive authentication, the third one privileged access management, and the fourth one user
lifecycle management. Again, this is my order of how I would build a roadmap, how I would prioritize things; of course many of these will overlap. But what would I start with? I would start with authentication and authorization, in terms of an environment assessment. In order to address these priorities we want to start off with our environment assessments. Of course, this is not going to be the normal consulting exercise where we are talking about "I want to move from this technology to that technology"; we are now talking about redefining boundaries. We are talking about how do I go from "I was so protected" to "I'm probably going
to go all internet", or "I'm probably going to go 90 percent internet, and 10 percent is going to be something that's very important, critical", right, like I'm going to go for four-factor authentication or something like that, and that has to happen in my corporate environment. So when the discussion is around that, you might want to consider what type of users you're talking about, what type of applications you're talking about, how your infrastructure is going to look, because identity is not siloed; identity runs across laptops, infra, applications, it just spans across things. So when we are spanning across things we want to see what we have as a base too, and based on what we have as a base,
provide recommendations here and also make our roadmap according to that. One of the simple use cases we came up against, and something we were not necessarily thinking about, was session management in O365. During furloughs we let go of people, and then we realized they were still online after we terminated their access; their session was still on, and then we realized, oops, what do we do about this? It's probably a very minor thing, but it is not so minor, depending on the kind of person we are letting go. So all these minor points, critical points, might need some amount of rethinking, because previously when you turned it off in
Active Directory, probably everything got turned off; right now that is not the case. So that's something that you might want to look at. Also, after you finish the assessment you're going to arrive at one of these maturity states, right: within the security team you're going to be able to say, I'm completely on manual identity and access management, I'm probably in automated identity and access management, or my organization is already in a risk-based mode of working and my tools support whatever I want to do in terms of risk, whatever I want to do in terms of context. This is where ideally you should be right now. Many organizations,
especially the bigger organizations or the ones that have regulatory requirements, are already moving towards AI-based management, not in identity management but more in access management; that's where your adaptive authentication and all those things come into the picture. But having said that, there are very many organizations, and I'm not talking just about mom-and-pop shops, I'm talking about even bigger organizations, where they are mostly into manual identity and access management. You might want to consider switching all the way from manual identity and access management to either risk-based or completely AI-based access management. There are so many tools, there are so many technology vendors that can help you with this, and the features they
have in their products are sufficient for you to derive use cases. See, when they build a product, they are building it around use cases that different companies have, or different verticals have; you can always derive it from there and choose something as the best way to go forward. Now, after you have arrived at this, the next step would ideally be drawing your roadmap, your identity and access roadmap. Now, this can sound very cliché, but you definitely want to start with the zero trust framework. The zero trust framework is not something that we want to impose on just infra security; it's not something that you want to impose on just one application,
security or infrastructure; it's across identities too. And the best part about it is, in identity and access management we have always built our history on this: trusted identity. Have just one ID using which you can track all the other IDs; if I do something to this ID, the rest of the IDs should know that they have to do a relevant activity. Build that kind of trusted environment, plan your roadmap according to that. Zero trust authentication: you want to move towards risk- and context-based authorization. Like, with work from home, let us say I choose to work any time I want; sometimes I work in the evening,
my friend might choose to work late in the night because, let's say, he just had a baby and he's able to work only during night hours. We need to allow for that kind of elasticity, flexibility, when we set up our policies, our dynamic policies and other things. So how do we build a zero trust environment, but with enough flexibility to let the business keep running? So we'll start with this, and Okta has given us a very good logical diagram on where we want to be. If you look at it, they are saying your stage 0 is fragmented IDs;
unfortunately many organizations with legacy systems are still here, at least partially if not fully. At some point you might want to move away from those legacy applications and, as part of that project, consolidate everything, or set up a project to bring this all together. Then you have unified IAM; this is where most people are already. Contextual access: this is where we are all moving towards. Adaptive workforce: this is more like kaizen or something; you are just improving over a period of time, we just keep doing minor improvements, one percent improvements over a period of time. So this is the model
where we will be moving towards in the future, or should be moving towards, in terms of identity and access management itself. What do we have as a technology roadmap, what should we have as technology roadmap considerations? You might want to identify technology: please don't go for hybrid solutions. Either choose to stay with your legacy tools or go for something that's completely cloud-based; please don't go for an on-prem application and then deploy it as... your identity and access management doesn't require that. There are very good products in the market; please choose to go with one of those. It will definitely lead to a reduction in operation costs.
Also, whenever you're getting an identity management tool or an access management tool, do check if it has threat analytics capability. Most of the tools today, like, let's say, Okta, or let's say SailPoint, Saviynt, whatever we go ahead with, have their own threat analytics module; or let's say CyberArk, or any other tool, it has its own threat analytics module. So what basically happens is, instead of sending all the logs to your SIEM tool, or whatever is the new EDR tool that is coming into the picture, and then processing it all in one place and making it one mammoth all over again,
you're just doing your intelligent work in each of the systems, and then you're just sending the intelligent data to your SIEM tools. That's definitely a preferred model of working; you're already paying the money for all these things, so you want to pay as little as possible on the other end of the spectrum. And there we have ultra-modern capabilities that are coming in, right: what can I do with our intelligent data? So that's one of the key considerations. Mobile-ready technology for identity management, in terms of approving from your mobile and things like that, not through your web application but just through an email or something like that; it's been around
for a very long time and many of the bigger organizations have definitely implemented it uh if you have not done it yet then it's definitely something that you should look into most products come with it too moving directory services to cloud 99 of the organizations had active directory and 99 of the organizations are going to have as you're ready in the future the quicker you move there uh you know it's just easier for everyone as they move all of their uh legacy applications there too uh implementing uh yeah um many of the tools i mean at least the applications what i have noticed is some of the applications legacy applications they are kind of giant in size and when they
do their projects they are able to move it only piece by piece so when we go through the projects with them and i go back to what tanya was saying in the morning morning just because we have moved our tools to the cloud does not mean that we we don't accommodate some of their needs we want to look at what their needs are in terms of and any id management or any access management solution on cloud should still cater to something on-prem there is always going to be one piece of applications that's going to of application that's going to lie on-prem it could be a crown jar as well it could be something that has pii in it
or for whatever regulatory reason it simply cannot move into cloud whatever solution you create or architect should also be able to cater to something that's on-prem if only minimally passwordless authentication the most important thing moving to password-less authentication it the number of passwords we have right i mean on a day-to-day basis you're sitting in front of your laptop there's a pop-up do you want to register for this do you want to register for that there are hundreds of passwords every time i want to log into any of the sites i have signed into the first thing i'll be doing is clicking the forgot password link because i'm obviously not going to remember it so i
get forgot password and then i send a link to my email box and then i kind of reset and then come back i think we should start moving more uh towards a passwordless uh authentication stream i i go back to my very first slide you know there are probably so many system administrators who will thank you to you know in the b2e and b2b uh environment and finally we have mfa uh adaptive authentication we have spoken so much about it today uh risk-based authentication what can we do about it there are so many ways of doing adaptive authentication uh smart devices uh or let us say you know um i mean we just spoke about it
uh smart devices google authenticators use all of them go for uh you know an adaptive um i mean a more forward way of performing authentication and some very basic things like you know make sure the applications you're selecting what in terms of when you're floating in rfp and you're giving questions for what should be the security requirements ask basic questions like does the application support saml oh idc or you know does it do all of those things or um some of your software report so that we can see what it looks like and you know we can understand how well your product will scale or you know how much we can trust you so all these basic questions should
obviously go in place then we have ueba uh it has been around for a very very long time but gaining a lot of importance and also the same time um user behavior analytics is kind of becoming a part of identity and access management solutions and also your siem solutions so you might want to consider all these things when you're selecting your technology a few other things that are very specific to organizations internally not necessarily uh uh you know the not necessarily product based but for what you will do as an organization most organizations still don't have a list of permitted applications what is allowed what can a person access when he is doing his work
you need to have that central list of applications because as you go towards more internet phasing applications or you're letting people work from home on their laptops official laptops or it could be their own laptops too right what can they access what can they not access you want to know those things it is very important um then in terms of non-authoritative ids and distributed passwords right uh you need to have a central having that one trusted id you know it kind of goes back to that you want to have one id like the one ring that kind of controls everything else right and you don't want to be having or if there is some reason why you cannot
avoid having those different ids in those applications how do you track it back to this id so you can terminate these accesses when required you can modify these accesses properly when required there's a change in email how does that email change flow into the rest of the um you know applications you want to think about all those things when you're re-architecting as you do your work from home these things were important in the corporate network but they are really you know in very subtle ways they are extremely important now role mining capabilities most identity management products provide role mining capabilities they provide it bottom up they don't provide a top down they provided bottom up
but it is important to have both the top down and the bottom up way of doing role mining so please leverage this you know your organization best so develop your uh your uh what your role structure should look like you know based on the applications you have in your organization and the next point is on entitlement data management oh hellwinder hi give me one minute and i'm kind of done uh in terms of entitlement uh data management right you want to build an entitlement catalog many times the security team is kind of expected to take care of the entitlement data let us always remember that the security team does not we can only do governance we can only go back and we
can provide the provisions we can tell them this is how i want to do uh governance but you cannot do it for the application team so please move all that function back to the application teams uh it's going to be more important as you start looking at what functional access can be provided what needs to be removed i'm sure that many application owners are going to come back and say these accesses should have never been provisioned so please remove it most access governance tools recertification tools allow for dynamic attribute based recertification so that's one of the considerations when you're going for product selection uh provisioning capabilities to uh privileged access tools it's a very basic feature basically
and segregation of duties is something that kind of comes in the end mostly because it takes a lot of discussion it's obviously not something very work from home related but it's kind of an end goal that we should have in our mind as you are building our identity and access management environment these are some of the other things as i said iem is not siloed anymore so you might want to start looking at how is it going to interact or what kind of data is it going to provide to the casb siem and how is it going to interact with your other tools you have in your environment and most importantly make it easy for your application teams
to onboard their applications once you get the uh flow of it right you're going to be asking the same questions for both access management and identity management from your application teams except if it is too complicated some finance applications are always very complicated and you might want to have a project for it but many smaller applications don't need it so set up a framework so that they can start onboarding and this will kind of accelerate whatever you're doing in terms of building a much better identity management environment this is more or less what i had uh thank you so much three minutes over time i'm really very sorry but thank you so much
Sorry Harvinder, I can't hear you. But yeah, thanks. I forget, first of all, that's an awesome presentation, but we have one question from Adam here: where do you see the crossover into physical access control with IAM? Sorry, where do you see crossover into physical access control?

Okay, physical access control. I would look at it in two ways. Okay, I kind of focused on B2E today completely, and I was not necessarily thinking about all aspects of identity in terms of physical access. But when we start looking at... I'll give an example of what we went through; it's probably a much easier way of explaining. Let's say we're bringing in someone, and I'll again go back to the termination use case, because that is where most of the problems happen, right? So when you're kind of letting go of someone, even today, as far as I have seen, in spite of the tools from 2007 saying, oh, identity management tools can give you access, I mean can provide you the functionalities to remove physical access, say we can just send a message or a task to the physical access board and they will remove access of that person based on that, I still see today that most people rely on HR communicating it to the identity management team, HR communicating to the physical access team, HR communicating to so many other people. I think that's one primary area where we can make it much simpler, I would say, if we did go with the centralized ID kind of model in the long run.

Okay, thank you very much for the session. We're gonna take a five-minute break; after that, doctor nam need god properly is gonna talk about artificial intelligence and machine learning in cyber security. Thank you very much, really appreciate it, for your talk.
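As an added illustration of the "one trusted ID" point made in the talk (tracking every application account, the badge system included, back to one authoritative identity so that a termination or an email change fans out to all of them, and surfacing IDs that cannot be traced back), here is example code. It is not part of the talk, the transcript, or any product mentioned in it; the identity store, the system names, the employee numbers and the accounts are all constructed for the example.

```python
"""Correlating application accounts back to one trusted identity.

Constructed example (not from the talk): a tiny identity store where every
application account is expected to link back to an authoritative identity,
so that a single termination or email change propagates to every linked
system, and accounts that cannot be traced back (non-authoritative IDs, or
accounts of people who already left) are surfaced for review.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Identity:
    """Authoritative record: the one trusted ID (e.g. an HR employee number)."""
    trusted_id: str
    email: str
    status: str = "active"          # "active" or "terminated"


@dataclass
class Account:
    """An account as an application knows it; local_id may differ from trusted_id."""
    system: str
    local_id: str
    email: str
    enabled: bool = True
    trusted_id: Optional[str] = None   # None: nobody has linked it to a trusted ID


class IdentityStore:
    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.accounts: list[Account] = []

    def add_identity(self, ident: Identity) -> None:
        self.identities[ident.trusted_id] = ident

    def add_account(self, acct: Account) -> None:
        self.accounts.append(acct)

    def accounts_for(self, trusted_id: str) -> list[Account]:
        return [a for a in self.accounts if a.trusted_id == trusted_id]

    def terminate(self, trusted_id: str) -> list[str]:
        """Leaver process: disable every linked account, badge system included.
        Returns the actions taken so a ticket or SIEM event can record them."""
        ident = self.identities[trusted_id]
        ident.status = "terminated"
        actions = []
        for acct in self.accounts_for(trusted_id):
            if acct.enabled:
                acct.enabled = False
                actions.append(f"disable {acct.system}:{acct.local_id}")
        return actions

    def change_email(self, trusted_id: str, new_email: str) -> list[str]:
        """Propagate an attribute change from the trusted ID to every linked account."""
        ident = self.identities[trusted_id]
        ident.email = new_email
        updated = []
        for acct in self.accounts_for(trusted_id):
            acct.email = new_email
            updated.append(acct.system)
        return updated

    def unmanaged_accounts(self) -> list[Account]:
        """Enabled accounts that cannot be governed through a trusted ID:
        unlinked, linked to an unknown ID, or linked to a terminated identity."""
        findings = []
        for acct in self.accounts:
            if not acct.enabled:
                continue
            ident = self.identities.get(acct.trusted_id) if acct.trusted_id else None
            if ident is None or ident.status == "terminated":
                findings.append(acct)
        return findings


def build_sample_store() -> IdentityStore:
    """Constructed sample data: two active staff, one leaver with a stale badge."""
    store = IdentityStore()
    store.add_identity(Identity("E1001", "alice@example.test"))
    store.add_identity(Identity("E1002", "bob@example.test"))
    store.add_identity(Identity("E0999", "carol@example.test", status="terminated"))
    # Alice: directory account, a finance app with its own naming convention, and a badge.
    store.add_account(Account("ad", "alice", "alice@example.test", trusted_id="E1001"))
    store.add_account(Account("finance-app", "fin_alice", "alice@example.test", trusted_id="E1001"))
    store.add_account(Account("badge-system", "B-4471", "alice@example.test", trusted_id="E1001"))
    # Bob: directory account and a SaaS tool.
    store.add_account(Account("ad", "bob", "bob@example.test", trusted_id="E1002"))
    store.add_account(Account("crm", "bob.example", "bob@example.test", trusted_id="E1002"))
    # Carol left, but the badge system was never told (the HR-to-team message fell through).
    store.add_account(Account("badge-system", "B-3120", "carol@example.test", trusted_id="E0999"))
    # A reporting account nobody linked to a person: a non-authoritative ID.
    store.add_account(Account("finance-app", "svc_reports", "reports@example.test"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("unmanaged before:", [(a.system, a.local_id) for a in store.unmanaged_accounts()])
    print("terminate E1001:", store.terminate("E1001"))
    print("email change E1002:", store.change_email("E1002", "robert@example.test"))
```

The review report from `unmanaged_accounts()` is the part a governance team would actually run on a schedule: it catches both the unlinked service account and the leaver whose badge was never revoked, which is exactly the failure the physical-access question at the end describes.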