Exploring the Importance of Identity Governance with Craig Ramsay, Omada – Podcast Episode 102

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Spotify | Pandora | Email | TuneIn | Deezer | RSS | More

Let’s talk about digital identity with Craig Ramsay, Senior Solutions Architect at Omada.

What is Identity Governance and Why is it important? Craig Ramsay, Senior Solutions Architect at Omada joins Oscar to explore all things Identity Governance including – the role of Identity Governance in compliance with regulations and standards, how it affects security and risk management for organisation, alongside some real-world examples of Identity Governance in use.

[Transcript below]

“We’re still trying to shake off the thing that – security is a barrier to efficiency. There’s an old adage that ‘efficiency is insecure, but security is inefficient’. But I don’t think that’s true anymore.”

Craig Ramsay, Senior Solution Architect at Omada, from Edinburgh, Scotland. I have worked at Omada for 3 years and have previously worked at RSA Security and different financial services organisations in the UK within their Identity functions. Outside of work my main interests are hiking and travelling.

Connect with Craig on LinkedIn.

We’ll be continuing this conversation on LinkedIn using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 102.

Podcast transcript

Oscar Santolalla: This week I am joined by Craig Ramsay from Omada, here to discuss the importance of identity governance and how it is helping to solve problems in real-world. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar.

Oscar: Hello, for today’s episode about Identity Governance and Administration, mostly known as IGA, we have invited a super interesting guest who is Craig Ramsay. He is a Senior Solution Architect at Omada. He’s from Edinburgh, Scotland. He has worked for Omada for three years and has previously worked at RSA Security and different financial services organisations in the United Kingdom within their identity functions. Outside of work, Craig’s main interests are hiking and travelling. Hello, Craig.

Craig Ramsay: Hey, Oscar. How are you doing?

Oscar: Very good. Nice talking with you.

Craig: Thank you, you too.

Oscar: So, let’s talk about digital identity. As usual, we want to hear more about our guests. Please tell us about yourself and your journey to this world of identity.

Craig: Sure. So, I mean, thank you for the introduction. And I guess, in terms of my journey into identity, it was a little bit by fluke rather than by design. I studied Computer Science and when I graduated, I joined an operational IT graduate scheme. They had recently started a new IAM project, because I think back in 2008, identity and access management, identity governance wasn’t as mature as it is now. It was still kind of seen as an operational IT project rather than an information security principle. So, the drivers there were more about the efficiency, automated provisioning and stuff. But yeah, they were looking for a graduate on that project. That was me.

And apart from a few years where I decided to try what it was like being a policeman, I have worked in identity ever since either for, as you said, financial services organisations doing the work at the coalface or for vendors, either in project delivery or, and you know pre-sales in my solution architect role.

Oscar: Excellent. So, let’s go first with the basics. We have not talked about IGA yet in this podcast, have not focused on that. So, tell us, what is that? What is Identity Governance and Administration, IGA? What is important?

Craig: Sure. So, I mean, identity governance, when you focus on it, at its core, it’s a solution that will ensure the right individuals have the right access for the right reasons at the right time in your organisation. So, it’s protecting the authorisations or the resource assignments within your organisation. And that’s often policy-driven to ensure that all of, and I think the important distinction here when we talk about IGA, that’s traditionally your internal identities, maybe your third parties and contractors.

And then in terms of the overall importance of identity governance, as I said, it’s evolved over the years from being primarily driving and focusing, looking at the provisioning element of things. But as governance has become more and more important, as we start to take a more holistic view at identity, when you look at the adjacent technologies; privileged access management, cloud infrastructure and tailored management, user endpoint, behaviour analytics, identity governance is now really being seen as the kind of control plane across that identity fabric. So, I think it is becoming crucial. And there’s a lot of visibility on the importance of identity now, right up to C-level and maybe wasn’t 10 years ago.

Oscar: You mentioned this concept about identity fabric. Could you also explain a bit more about that in this context?

Craig: Yeah, sure. So, I mean, identity fabric is a term that’s been coined in the last maybe few years by a lot of industry analysts out there. It’s maybe a new phrase, but I think the concept isn’t necessarily that new. So, I think we also hear people calling it an enriched security ecosystem. So, it’s where you look at these solutions in the PAM space, UEBA, your SIEM solutions, etc.

Those traditionally have worked in perhaps a bit more of a siloed manner. And the integrations have been maybe limited and not as seamless. Whereas now, I think this concept of that enriched security ecosystem, that fabric is that these things should be joined up and they should be – the convergence of intelligence and data between those solutions, I think is becoming more and more important so that you can take a holistic approach to reducing your identity-related risk.

Oscar: It is very important, as you said, because there will be anyway, other solutions working together with IGA. Yeah, absolutely.

What are the main problems, just – I’m sure there are many, but what are the top main problems that IGA solves?

Craig: Yeah, so from a business problem or business challenge perspective, I think the main thing that we always focus on when we’re helping people build their IGA business case, is that we focus on security, compliance and efficiency. So, it’s looking to increase the efficiency and productivity of your end users and their experience, all whilst ensuring that you’ve got increased compliance, increased security and reduced risk.

So, when we look at that, some of those common challenges and problems within that would be reducing the attack surface in the organisation. So, removing unneeded access, adhering to the principle of least privilege, making sure that your identities only have the access they should. I mean, combining those two things is going to reduce the likelihood and the impact of a potential breach in the organisation. It provides you with a unified view of access across the organisation, which a lot of people often haven’t had previously. So, understanding who has what access.

And then there’s the automation around identity lifecycle management. So that’s reducing the time taken to provision your joiners, your movers, your leavers. You’re putting governance and auditing around all of these processes too. So, when people are requesting access, you’re ensuring they’re getting it for the right reasons with the appropriate approval. And you’re cutting down on things like rogue IT administration and stuff like that.

So that’s high level, there is more obviously, but I think those are the high-level ones that we see frequently when we’re speaking to prospects out there in the market.

Oscar: It’s a security compliance, and efficiency. Yeah, we’d like to talk about this. But before actually it will be interesting to – so people can understand the broader concept, how we try to imagine in their minds.

If you can see in a real-world example, how work for a typical corporation that uses IGA. So, tell us what are these main processes that you say, mostly employees, right? What are these main processes? Let’s say a new employee goes from beginning until the end.

Craig: Yes. I mean, if we’re going to talk – the phrase we kind of, is from hire to retire. So, when I try and explain this to my friends, maybe aren’t so technically minded when they ask what I do, I sort of give them an example. I say, OK, you join an organisation, and you are working in their HR department. So, from day one, you should have access to be able to log into the network, an email account, access to various file shares to do with HR to enable you to be productive from day one.

So, the IGA solution will help you identify the policies to automate that process, to make sure that you are productive and also make sure that you’ve only got access to what you should. So, if you’re joining HR, you shouldn’t be getting access to any file shares to do with finance, R and D, anything like that. And then as you move around the organisation or your needs change, you should be able to request access that goes through the appropriate channels.

It should be reviewed regularly to make sure that it is still appropriate as you go through your life cycle as an identity in the organisation. If you are promoted or changed departments, that should change automatically in line with those policies too. And if you either leave the organisation, be it permanently or temporary for maternity leave, garden leave, that kind of thing, your IGA solution should then disable or provision that access in a timely manner too, to make sure you’re reducing risk.

So, I mean, those are kind of some of the high-level things that it’s that right access for the right people at the right time for the right reasons is kind of trying to, in a nutshell.

Oscar: Indeed, that was in a nutshell, very, very easy to understand. Thank you for that. Some of these at least main problems and how these are being solved. But IGA, let’s start with security as you put security first, how IGA is helping with security?

Craig: So, in terms of how it contributes to, you know, maybe security and risk management, I think, it’s providing stronger access control. So, it’s starting to limit access to your sensitive and privileged information. So, when you start to look at either personal identifiable information, financially sensitive information, or privileged access, so this is when you start to look at integrations with adjacent technologies in the PAM space, you’re ensuring that the access control is limiting that access.

Reducing risk. I already talked about the fact that that principle of least privilege means that if there is a breach in the organisation, the identity of the account that’s breached should have only the access needed to do the job that it can, and it shouldn’t have any elevated permissions permanently. The ability to traverse the network or to have a much more impact on that breach should be reduced. You’re also reducing the likelihood by integrating with identity providers to perform strong authentication. And those unneeded accounts or unwanted accounts or unused accounts have been removed over time as well. So that should be helping you reduce the risk and then improve your security posture.

In combination with that as well, if you look at some of the real-time monitoring and identity incidents or detection and prevention you’re starting to see integration with abnormal access patterns, maybe you know impossible logons, for example, we integrate with the Azure identity risk subscription so that’s looking at – user logged on from Edinburgh one minute and they’re trying to log on from Beijing the next. That’s impossible, so that may be an indication of compromise. And then your IGA solution could lock down that account.

So, there’s many ways you could do that and it’s obviously a maturity journey, you need to crawl before you can walk before you can run. But it’s a maturity journey you go on to take a holistic view in reducing your identity related risk.

Oscar: Yeah, indeed. From basic essential functionalities of security to much more advanced like some of the ones you described.

The second one is, of course, we’re interested about compliance is very common that someone comes, start to ask someone from Omada, or from another company even Ubisecure, we also do identity access management and one of the key drivers for them is compliance especially in some industries, it’s more important that. So, tell us about compliance.

Craig: Yeah. So, I mean, when you go out there in the market and you’re speaking to organisations like more and more and more we are speaking to organisations that operate on a global basis. So, you’ve got country or region-specific things like GDPR, SOCS, HIPAA, PCI, DSS etc that are external regulatory compliance frameworks that you must comply with. And you know we keep a track on with things like Schrems II as well. We’re always keeping an eye on that to ensure that the solution we provide is compliant with those things.

But then we’re also helping our customers comply with how they are storing, processing and managing the data in relation to those things. So, if you look at what I often say is that an identity governance solution is a technical translation of your business processes. I think you always have to look at making sure your people process and technology are working in harmony with each other. Technology alone will not resolve your problems. So, I think as part of a wider identity information security strategy you should ensure that your internal policies and standards are created in such a way that it will help you comply with those external regulations if they apply to you.

But you should always look, I think it’s a healthy thing for any organisation across any vertical to have these well-defined policies and standards and ensure that they can comply with those. And as I said that’s where identity governance comes in, because it helps you comply with those things by defining policies that can detect when you’re non-compliant, you’ve got that audit trail. So, it offers – you’ve got transparent auditing for your internal and external users to prove compliance. You will go through regular recertification, attestation, reviews, whatever you want to call it. But that also ensures that you’re demonstrating regular compliance.

And then we already talked about risk management as well, but compliance and risk often do overlap each other. So, you’re identifying and mitigating compliance risks through the definition and enforcement of these policies as well.

Oscar: Indeed. So, there is some reports that can be directly created, right, from the IGA system. And that can be directly taken by the compliance officer or whoever requires it, right?

Craig: Yeah.

Oscar: The other you mentioned there was the operational efficiency, right? So, as you mentioned, it’s one of the three main problems. Let’s – I’d like to hear more about that as well, how IGA helps.

Craig: Yeah. And I think that’s one of the things that I think separates IGA and the information security market sometimes. That it’s not always focusing on risk reduction and things that are maybe potentially seen as negative. So, you talk about fear and certainty and doubt within the sales process, etc. When you’re doing that, it can often be quite a hard sell because it’s hard to quantify the risk. We can’t help with that. There are formulas out there of calculating the impact of a risk based on, you know, and the likelihood, the cost of the actual breach, etc.

But to bring it back to what you actually asked about from an efficiency perspective, if you look at – if organisations are still heavily manual in their provisioning and their processes, there’s a huge cost to that from areas like your service desk, your operational IT administrators. And often it leads you to the potential for human error as well. So, if you start to automate those things, you see a reduction in numbers of calls to the desk, a number of manually created events and things that are being done. And you can put a pound, euro, dollar sign against that clearly from an efficiency and a cost reduction perspective.

From an end user perspective as well, I mean, it’s always, I think there’s – we’re still trying to shake off the thing that security is a barrier to efficiency. There’s an old adage that I keep using for it regularly that ‘efficiency is insecure, but security is inefficient’. And I don’t think that’s true anymore. I think if you correctly apply your policies in a way that apply the appropriate level of risk, your users – to them, it should be seamless pretty much all the time. They shouldn’t see these processes as an action. They should see it as; they request the access they need, it gets granted to them in a timely manner. When they move around the organisation, a lot of that should happen automatically.

Overall, you should see an increase in productivity. Your line managers aren’t getting frustrated when people join the organisation and they’re having to submit 10 different requests to get them functioning from day one. So, it’s overall operational efficiency and cost reduction. But the productivity. And end user experience of it as a result of a well-delivered IGA program, I think is clear to see as well.

Oscar: Yeah, cost reduction is clear and is a great reason to buy a product like IGA. Absolutely. Well, if you quantify that to a buyer, it’s like, wow, you can convince him or her very easily. Yeah.

At Ubisecure, we are working with CIAM, and I experienced directly that sometimes requests come from potential customers, and they are looking for identity and access management. And when we review closely, we see that sometimes what they need is IGA or what they need is both IGA and customer identity and access management. So, and in those cases, the customer will need to deal with these two types of system, right? The IGA and CIAM.

So, what is your perspective from your experience working integrating these two types of tools? What are the main things that a buyer bought from business and technical perspective should know at least?

Craig: Yeah, so, I mean, funnily enough, I have worked on a couple of opportunities where Omada and Ubisecure have been working together on those kinds of joint proposals where people are looking for IGA and CIAM. And I think it’s interesting because you can make a very strong case about where the overlap is, but you can also equally make a very strong case about why they should be separate because of the nature of the requirements.

From a CIAM perspective, you’re looking for that seamless, really quick response for all your consumers. And then you should be able to deal with high demand periods when you’re very, very busy, when your consumers are consuming your services. And from an IGA perspective, you’re very much looking at the internal and the control and the level of these privileges that we’re talking about. And there are similarities in the capabilities in terms of, you know, being able to provision in a timely manner, deprovision in a timely manner, ensuring that it’s the level of appropriateness.

So, if you look at it from an integration perspective, a unified management of the identities, I think, could be important whilst treating them differently. I think your end user experience again should be important. So, you’re balancing security and efficiency for your internal and external customers. And then you should be able to have that from a scalability perspective by seeing those things integrate well with each other as well.

I think what is important when you’re speaking to people, understanding their requirements is crucial. So, when they’re talking about, you know, B2B or B2C capabilities and requirements, it’s OK, well, how do you manage your B2B and B2C use cases? Because I think if you take software or technical organisation where their consumers consume their services in a far, far different way to maybe a retail bank or a supermarket. The requirements for end users from that perspective, they’re opening up a loyalty card in a store and you’re processing their personal data in that manner is very, very different to maybe a software company where people are having accounts created and consuming those services.

So, as you can probably tell, not an absolute expert in the CIAM space, but I think whenever those opportunities arise, I think the first important question is why? To understand what it is exactly they’re trying to achieve. And then you map the use cases to the functionality in each of the appropriate solutions to make sure that it’s well matched. There will be overlap in some cases. But as I said, there’s a strong case for when there’s similarities and when they should be managed separately. But ultimately, it’s part of that wider identity fabric we mentioned earlier that it’s kind of all identity in the end, I guess.

Oscar: Yeah. Indeed. As you say, you put it very clear, the importance of really knowing very well the requirements because in a conversation, they might tell you we need this one, two, three, five things and can be also in a written Excel file or whatever. But then you have to go deeply to understand what they meant by saying this B2B or anything, right? So, yeah. Indeed. Thank you for sharing that.

Looking now at the present and future, let’s say, because IGA, as many other types of products have been evolving, are evolving all the time because there are different needs. So what customers are asking today when they are clear that they need an IGA software? What they’re asking today and what are these new problems that need to be solved, are being solved now and need to be solved if they are not solved today?

Craig: Yeah. So, it’s a very timely question. To be fair, we recently released a State of IGA for 2024 report at Omada and we did a webinar discussing the findings of it and it did exactly that it looked at how seriously people were taking identity. And then as you said what are they looking for currently and what are they looking ahead at as well. So, and we just talked about the why and the use cases, so I think, number one that we still see is that the solution they’re looking at adapts and meets to their changing business needs. So, the requirements they have now and the requirements they think they’ll see in the future, it’s the core capabilities must adapt and must comply with that.

We’re seeing an increased importance being put on the ability for the solution to integrate as part of that security ecosystem we talked about. So being able to play nicely with the adjacent technologies across the identity fabric. And then from a connectivity perspective, I mean I talked earlier about a unified view of access across the board, the nature of organisations has changed massively in terms of on-premises systems to a lot more cloud services being consumed. So the ability to extend and integrate with a growing list of different target systems is important for them.

Looking ahead, we do see AI and Machine Learning coming up again and again. And I think when we see that it’s important to take those as separate things. So, from ML perspective, you know, if you look at kind of the role mining capabilities that have been there for some time, recommendations during reviews, recommendations for decisions or decision support for approvals, that stuff has been around for a little while.

From an AI perspective, I mean there’s a huge buzz around what’s happening in AI. Just now Google just released their Gemini Chatbot to rival Chat GPT and that the generative AI stuff and the practical uses of that are going to start to be seen. So, you know integrating generative AI, we have stuff where it’s looking at… you can ask questions about the documentation. So, like what is this object in Omada and like what’s the difference and it’s starting to respond to that so we’re in the process of testing and releasing that.

And then looking further down the line, it’ll be generative AI within the solution. So, user logs in and it says, “What are you trying to do today?” “I need the same access as my colleague Allison.” And it’ll say, “OK she’s got this, this and this. Maybe this is what you need to request.” Or it’s becoming more mature and more complex or sophisticated in what it can do.

So, I think ultimately what people are looking for is ensuring that the solution they have can do what they need to do today and can do it well, it’s scalable, it’s easy to upgrade, it’s easy to maintain. They’re reducing the complexity of management of it so they’re simplifying it from that perspective. But looking ahead they’re needing that generic connectivity that can allow them to connect to any of the systems they have now and ones they want in the future. And then being able to take advantage of the advances in the AI and ML space to improve end user experience and also the maintenance and administration of the system itself for their administrative users.

Oscar: So, you believe that machine learning and the other what we call artificial intelligence is going to be used. It’s to be solving those problems that today customers are bringing up.

Craig: I think it’ll augment, and I think – because that’s the thing people get worried about AI replacing us and whatnot. And maybe somebody using AI more efficiently than you might replace what you’re doing but AI itself can’t and I think any algorithm that – it does do in the output of it still needs human validation particularly in a field like IGA where OK it’s taken a huge amount of data, provided this output and most that might look OK. There’s probably some human context in terms of exactly what that business does that’s needed to say, “Yes I’m still OK with that.” Because ultimately the human’s going to have to be accountable for the decision that’s made. I don’t think and I don’t think we’re going to see algorithms being fined or sent to jail for data breaches you know, I mean.

Oscar: Yeah, a human will go to jail anyway. Hopefully not. Hopefully that doesn’t happen.

Craig: No, hopefully not that’s what we’re trying to prevent. You’re right, we’re trying to prevent that but yes.

Oscar: Exactly, exactly. Yeah, yeah definitely. Also, one thing you mentioned, it comes back to what we discussed earlier these identity fabrics. Yeah, the way to coexist all this all these tools, IGA, PAM, CIAM all together that’s also, as you say, it’s something that is becoming more important because the environments are getting more complexes.

Final question for you, Craig. For all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Craig: So not to spoil the magic of the podcast but we’re recording this just before Christmas towards the end of the year and I don’t know when it’s going to be released but that’s always a time for reflection and looking at where you’re at and where you want to be going. And I think for any business leader right now, I think conducting an identity maturity assessment is something that you can do actionably right now. So, look at where you’re at from an identity maturity perspective and identify gaps that you need to start filling, or priorities looking ahead and aligning that with your business goals, your business risks to ensure that your information security strategy, your policies and standards support your overall business objectives.

And then from that, building a plan of continuous improvement, some milestones as well. And I think any well-delivered IGA project should be doing that. It shouldn’t be looking to boil the ocean or deliver everything at once at big bang. It should be continuous improvement and continuous demonstration of value.

So, I appreciate that might be – that’s not something cutting edge or brand new or innovative, but I think it is really something actionably you can do now to take a step back, assess exactly where you’re at and then build that plan and start to try an action that. Do that at the end of the year, at the start of the year. There’s never a bad time to take a step back and reflect and put that plan in place. But I think that’s definitely something actionable that they could put on their agenda right now to do from today.

Oscar: I couldn’t agree more an assessment, absolutely. It’s something needed. Yeah, it takes time. And it’s very actionable, as you said. Yeah, thank you very much, Craig, for having this very interesting conversation about IGA and other topics, related topics.

So, let us know for people who would like to continue this conversation with you, or follow you, or find out more about what you do, what are the best ways for that?

Craig: Yeah, absolutely. So, you can find me on LinkedIn, Craig, I think my username is Craig86. Obviously, I work at Omada Identity, but that’s, again, if you search for Omada, you’ll find us there. I mentioned our State of IGA 2024 report, you can download that free from omadaidentity.com. And there’s also an on-demand webinar where myself and Rod Simmons, our VP of Product Strategy, discuss that report in-depth.

But yeah, please do feel free to reach out and connect. If you want to chat about all things identity or just want to know a bit more about Omada or myself. But yeah, it’s been a pleasure talking to you, Oscar, as well. Thank you.

Oscar: My pleasure as well. Well, all the best. Happy New Year. Now, this coming the new year, 2024, I wish you all the best for you, Craig, Omada, and everybody who is doing all this great job in the identity space. Thank you. All the best.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.