We’re incredibly lucky to have the opportunity to speak with Morten Boel Sigurdsson, Co-Founder and CEO of Omada. Omada is a Danish Identity and Access Management and Identity and Access Governance solution provider.
We covered a lot of ground in our conversation, so without further ado here’s our interview edited slightly for readability and length.
SR: I’ve been informed that you have a strategic alliance with Deloitte Canada, with a focus on IAM-as-a-service. Do you feel this is the direction IAM solutions will take over the next few years? What features of IDaaS do you feel will be most important in the future?
MBS: IAM-as-a-service is a future-proof solution, which gives some obvious advantages:
Customers have, by now, passed the hurdle of getting a secure cloud service, which among other reasons happened [by] getting organizations’ HR data into the cloud. This mental hurdle has been crossed and organizations are therefore now more open to cloud adoption. For many organizations, IAM-as-a-service is a more secure solution as they do not have adequate critical mass themselves to maintain the same security level as would be the case on-premises.
Another advantage is that organizations can get much faster time to value with an IAM-as-a-service solution. They do not need to spend time on installation and there is no need to spend time on automating scripts [or the like], meaning organizations can get the solution up and running [much faster]. With IAM-as-a-service we also experience that customers are more inclined to adopt standard processes instead of getting solutions customized, which also means faster implementation.
There are many benefits of IAM-as-a-service for organizations, including increased ROI, faster time to market, and benefits of scale for both customers and the solution providers. IAM-as-a-service can be delivered either by managed service providers or delivered by the vendor as a software-as-a-service.
There are many features of IAM-as-a-service, which we feel will be important in the future. Identity and access governance is among others especially important in relation to hybrid IT environments, supporting the so-called ‘cloud first’ strategies, which many organizations are starting to implement, as well as the general increase in digitalization.
The increase in hybrid IT environments means organizations require seamless access governance across both on-premise enterprise solutions and cloud-based services and platforms. For most, it is challenging [today] to ensure that the right people have access to the right information at the right time across cloud and on-premises applications. An advanced identity and access governance solution, working across both cloud and on-premises applications, is therefore crucial to minimize risk and maintain security around identities and data.
Organizations need a solution which includes access requests, provisioning of users, accounts, applications, entitlements, and recertification across multiple platforms and systems. It must be easy to establish an overview of access data across hybrid IT environments, monitor access to critical data, validate and ensure that only the right people have access to critical data, and govern users, applications, and cloud resources. An efficient solution should enable segregation of duty (SoD), policy management, role-based access control (RBAC), and other assignment policies such as provisioning, validation/reconciliation, compliance reporting, and attestation/re-certification, meaning that the organization can ensure greater governance, thereby working to close the governance gap across all cloud and on-premise platforms. This in turn creates full visibility and a strong foundation for comprehensive control across all an organization’s applications, identities, and entitlements.
Another important feature is automating the identity lifecycle. Automating your organization’s identity and access management process not only provides efficiency and enormous time saving, it can also improve quality. If identities are not given the correct permissions, the organization faces increased cybersecurity risks, both from external sources looking to wreak havoc and from the quiet insider threat.
By automating identity and lifecycle processes, organizations not only ensure that new employees, partners, and contractors can be up and running from day one. The organization can also implement processes for employees’ entire journey through the organization, such as maternity leave, promotion, and retirement. This thereby increases security, speeds up efficiency, and frees up necessary resources for (among others) the IT department.
Identity-as-a-service lowers the hurdle for companies to adopt an identity and access governance solution and thereby responds to an urgent need in the market, paving the way for easier, faster compliance. Identity and access governance, delivered as-a-service, means organizations gain easier access to compliance and security with a solution, which drives down the total cost of ownership.
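As an added illustration of the lifecycle automation and segregation-of-duty controls described in this answer (example code written for this page, not Omada's product code): a toy engine that processes joiner/mover/leave/leaver events against a hypothetical role catalogue and SoD policy, and flags identities for re-certification. The role names, entitlements and event format are all constructed assumptions.

```python
# Added example (not Omada's code): minimal identity-lifecycle engine with
# role-based assignments, segregation-of-duty (SoD) checks and attestation flags.
from dataclasses import dataclass, field

# Hypothetical role catalogue: role -> set of entitlements it grants
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "HR_ANALYST": {"read_hr_records"},
}
# Hypothetical SoD policy: entitlement pairs one identity must never hold together
SOD_RULES = [("create_vendor", "approve_payment"), ("enter_invoice", "approve_payment")]

@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    active: bool = True
    needs_attestation: bool = False   # set when a manager must re-certify access

    def entitlements(self):
        return set().union(*(ROLES[r] for r in self.roles)) if self.roles else set()

def sod_violations(ident):
    """Return the SoD rule pairs this identity currently violates."""
    ents = ident.entitlements()
    return [pair for pair in SOD_RULES if pair[0] in ents and pair[1] in ents]

def apply_event(directory, event):
    """Process one constructed HR lifecycle event; returns the affected Identity."""
    kind, uid = event["type"], event["uid"]
    if kind == "joiner":                      # day-one access from the HR feed
        ident = directory[uid] = Identity(uid, set(event["roles"]))
    else:
        ident = directory[uid]
    if kind == "mover":                       # promotion/transfer: replace, don't accumulate
        ident.roles = set(event["roles"])
        ident.needs_attestation = True        # re-certify after every move
    elif kind == "leave":                     # e.g. maternity leave: suspend, keep roles
        ident.active = False
    elif kind == "return":
        ident.active = True
    elif kind == "leaver":                    # retirement/termination: strip everything
        ident.active = False
        ident.roles = set()
    if sod_violations(ident):                 # toxic combination -> must be attested
        ident.needs_attestation = True
    return ident
```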
SR: As a Danish IAM solutions provider, how do you feel about GDPR? How do you think it will change IAM solutions and their direction?
MBS: Omada is an international IAM solutions provider, with representation in many countries across Europe and North America.
We have the advantage that we have a very good understanding of the GDPR processes, in that we have a large presence in Germany. Germany has, since the war, had one of the leading privacy laws in the world and has fathered many of the laws featured in the GDPR, meaning we have worked with many of these aspects for many years.
This means that we see it as more than just talking about IAM. For us, the legislation is about implementing processes, controls, automatization of work processes across the company when you make approvals, and continued governance of these controls. It is about having a good data handling culture, and to us, the GDPR should be seen as a positive for organizations, allowing them to optimize processes and get in control of their data.
Going forward, it will be a license to operate for organizations, which must be compliant, trustworthy, and easy to do business with. To be this, organizations must have a framework such as ISO27002, and a large part of that is about automation of processes for the GDPR. One of the aspects of the legislation is that that which is not documented does not exist.
[GDPR] of course also goes for organizations outside Europe. According to a poll in Computerweekly last year, as many as 80% of US organizations are affected by the GDPR, so this is a global phenomenon, which all organizations need to comply with.
SR: What will IAM solutions need to do in the future in order to keep up with hackers and stop data breaches? What elements of modern data breaches most surprise or concern you?
MBS: They [IAM solutions] have to be good at governing the lifecycle around accounts, users, and entitlements. Data shows that many hackers go in via the account, take over the account, and thereby move further into the PC or the organization’s network. Therefore, it is vital to lock down the account—both to make sure that they do not gain access, and so that if hackers do gain access, the access is limited, preventing the hacker from working his or her way further into the company. Governing the account is therefore also critical, as this ensures the correct protection is always up to date.
In terms of the popular CEO fraud, it is also vital that organizations choose IAM solutions which have control around roles and offer segregation of duties.
One of the things which concerns me the most is the sophistication of attacks and how hackers continue to use penetration of networks for different business purposes—and the fact that it is an entire industry. There are today standardized tools for hacking, for example the use of botnets used for (among others) bitcoin mining.
I’m also concerned about the advanced targeted threats and the social engineering hackers do on employees—and especially those in the CXO layer, which means they can do highly refined hacking. We are far beyond the so-called ‘Nigeria letters’ [Nigerian Prince Scams]. Hackers invest time in hacking, they know so much about employees, engineering on social media, finding out who they know on social media and when they are on vacation.
SR: What do you advise enterprises do to help protect them against data breaches? What security holes do you most often see?
MBS: As per the above answer, but also to get an overview and make a roadmap. Organizations should make a prioritized activity plan, decide which things to do first, what will give the organization most value and most business benefit in terms of investment and time consumed.
In our area, there is immediate value, allowing organizations to actually get the overview of their accounts, seeing who has access to the networks. Very often, people are very surprised as to who has access!
Thanks again to Morten Boel Sigurdsson of Omada for his time and expertise on IAM solutions!