Virtual Event Recap: Identity Management
In early October, Ivanti hosted its first ever virtual event: The IT Leadership Summit. There were a total of 30 presenters, including Forrester analysts, product marketing managers, director-level IT professionals, and executives.
Below is the video and transcript from the session on Identity Management.
Melanie Karunaratne, Senior Manager, Product Marketing, Ivanti
Welcome to the state of the Union for identity management. My name is Melanie Karunaratne and with me today is Liz Angus. Also, I'm pleased to have with us UMC Health System, Justin Fair, Teresa Patterson, and Brian Sherill. And they'll be talking a little later about their identity management journey. But first, we want to talk about the drivers and the impact on your business of identity management and later near-term and future trends. But let's start off with a look at what identity management is. Identity management is about people, or as it's termed, identities, and their access to applications and data and any other systems, or as we term it, entitlements, that they need to be productive. And this is more than providing a self-service request portal, although that may be part of it, it's about managing an employee's identity lifecycle as they go through their tenure at your company. And this has been on the agenda of CSOs of large enterprises for several years now. It's also being embraced by small to mid-organizations who are seeing the worth with identity. So it's worth taking a good look at this.
Now, where do you first provide employees access to apps and services? Well, when an employee is recruited and onboarded. And onboarding can be a costly affair. So it's imperative that IT plays their part and gets it right. We need to easily create identities for these new staff to get the devices and the apps and the data and everything they need to be productive as soon as possible. And these activities need to be done consistently aligned with this policy for every single employee and it has to be done scalably in a way that matches your company's growth. But we know that that's a difficult task to ask when you're using paper-based and manual processes that tend to slow things down, add costs, potentially provide additional directories for all the identities and it can be insecure. And when one-third of employees state that they had a bad onboarding experience and 31% of new recruits talk about quitting their job in the first six months, that's really gonna hit your costs if you don't get it right.
And then, of course, once an employee is onboarded, that's just the start of their journey. Employees tend to change roles, get promoted, move departments, and each term of this, they're gonna need or request new resources and data. And now at this stage, IT teams often aren't aware of a role change until the service desk ticket appears from that transitioning employee, but even if you are aware, who actually is responsible for making sure that a user is pulled out of every single distribution list or out of every single group that they've ever been assigned to?
And once you've given access to an employee who leaves/moved roles, for example, what about revoking access to an app that they no longer need and data that they no longer need. That's something that's often forgotten. And employees tend to gain access to more and more and more resources that they don't necessarily require. And that's where security becomes an issue unless you can make those real-time adjustments when employees change their positions. Also, many times, what tends to happen is when another employee comes on board, the rights of the first employee are duplicated, so that next employee gets those elevated privileges as well and so on and so on.
And according to an insider threat survey, 37% of you thought that the main enabler of insider attacks was too many users with excessive access privileges. Yet, right there, that's what we're talking about just now. And 33% of organizations experienced up to 5 insider attacks in the last 12 months. Now these could be malicious, they could just be human error, but whichever way, if that leads to a breach, the stakes are high and it's gonna cost you in terms of revenue loss, business disruption, lots of customers potentially as well.
And one of the largest risks to me is when employees leave the company or are terminated and it's time to off-board them, because again, manual processes can hamper this, but also with the number of cloud-based accounts out there that you need to turn off, things have become a little bit more complex than before. And don't forget your contractors and your temporary employees who may have been hired for a short period of time. These guys don't often appear in the same systems as permanent employees. So we know that you're potentially juggling more than one list of staff and it's really difficult to remember to turn off apps and applications for those temporary staff, but it's very important that you do because you really don't want to become tomorrow's headlines and take a look at some of these here. An employee in a healthcare organization accessed HIPAA data which was stored, I believe, in a Google drive online. And here's another one which is even more worrying that an organization when they terminated a system admin administrator, they couldn't turn off their rights. So this administrator obviously had elevated access to privileges which they abused.
So it's really important that you act quickly when an employee leaves or is terminated and you revoke those privileges and access to technology and assets so that you keep your business secure. Here's a really worrying and shocking statistic that I found from a survey that 89% of employees retain access to the apps like Salesforce and email once they've left the company. I mean, that's a huge amount of additional access that shouldn't be in place.
So I've talked a lot about security risks, but there are other costs and benefits. For example, software asset management. Now here, a survey suggests that 76% of respondents admitted to over licensing for fear of audits. So if you don't know what access your employees have or what licenses they have, then, of course, you're going to compensate, over license in case you have an audit, but it really shouldn't be like that. You know, if you can reclaim licenses from those ex-employees quickly, then you're gonna win big because you can reassign those licenses. You can cancel them when they come up for renewal and with widespread adoption of SaaS licenses, they can often be turned off right away, which results in immediate savings. Now, one research report from Forrester, there's an economic impact with identity and automation estimated a saving of over $200,000 over three years just by organizations automating the onboarding process and eliminating the unnecessary licensing that takes place.
So in summary, you're facing an uphill challenge. We understand that when you're managing the lifecycle of employees that you've got visibility issues where you've got users everywhere with unknown job responsibilities and entitlements. You may have directory sprawl where multiple identities are being created in multiple systems. And you're likely to have contractors and temp workers recorded in different systems or even just on the PO. And then, of course, we talked about user productivity and experience. We talked about the manual processes where breakdowns tend to happen when people get too busy on the other things, so end users don't necessarily get the access to the apps they need fast.
And then, of course, there's the flip side where IT teams could be doing more innovative stuff rather than shuffling paper identities back and forth. Then, of course, there's reactive security, where you're reactively removing access to data and apps when you hear about an employee being offboarded rather than automatically eliminating and reducing entitlements granted to them. And managing risk and compliance. Well, that can become a nightmare as well. Audits are time-consuming at the best of times, but if you don't have entitlement analysis or access to reviews and certification and ongoing access to who has what, then that time can spiral upwards.
But what if you could provide your workers with the right level of access automatically? What if automatically you could provision and de-provision them and have processes in place to do that? What if as a worker onboards you can easily create an account, provide hardware and software and everything that their role entitles them to? And then when they change roles, their access rights are revoked and updated again automatically just when HR, for example, changes the job title in their system, everything ripples down through the identity management world.
This would support compliance as well because you'd be able to see and have access to who has what accounts and how they got access to them. Well, all of that is possible with identity management tools and the right processes that you build, you can provide the capabilities to manage identities securely, centrally, consistently and at scale all aligned to your business processes. And what you would be doing is managing an employee's lifecycle through auditable workflows and approval processes and maybe providing self-service on top of that to streamline onboarding and offboarding and get you the insights that you need to meet governance and compliance standards.
Now, we worked with a research group, Forrester, who interviewed a number of organizations that had implemented and automated identity management solutions. And they discovered that new user downtime was cut by up to three and a half days and also that there were IT provisioning and de-provisioning savings over three years of about $3 million. That's not a number that you can set aside and forget about. But also in talking with one of our customers, they managed to reduce their cybersecurity insurance costs based on the back of implementing this solution.
So by automating your identity management, you can really balance meeting compliance and governance requirements while providing workers everything that they need. You'll gain insights into risks related to access, you'll be able to establish controls over accounts and assets, and you'll be able to ensure that the right levels of access are given through approvals and policy. You'll be able to get visibility and see account violations that we talked about earlier with rogue accounts, and you'll be able to see levels of access that on an ongoing basis who needs access and who doesn't. And all of this supports you in compliance and audits.
One organization we spoke to now has the confidence that when an auditor does come in, they know they have high confidence of about 90% success because they no longer rely on manual intervention. And I know of an oil company that used to rely on, well, still relies on temporary employees who needed work permits and they found that through manual processes, audit trails were easily being just destroyed, workers couldn't start on their start date because they were not getting onboarded fast enough, identities weren't able to be tracked. Thankfully, they've now automated all of their processes and the work permits process from beginning to end now drives greater productivity and standardization than ever before. So that's just one small example of how identity management or automated identity management can help. But now I want to hand you over to Justin Fair from UMC Health to talk about their own identity management journey. Justin, take it away.
Justin Fair, Director, IT Infrastructure, UMC Health
Thank you for joining us today for our discussion on our state of identity management. My name is Justin Fair. I am the director of IT infrastructure for UMC Health System. I'm also joined by Teresa Patterson. She is our access control specialist within IT security and Brian Sherill who is our DevOps engineer within IT infrastructure.
A little of who we are. We are located in Lubbock, Texas. Most people don't know where that's at. So we'd like to show. We are in the panhandle of Texas and we are a 500-bed acute care hospital. We employ right around 4,800 employees between the hospital and a private practice physician practice. We have and support 3,100 external and private users. Most of those are Texas Tech School of Medicine employees. We annually see a little over 30,000 inpatient admissions to the hospital, over 75,000 emergency room visits, and 313,000 outpatient visits through our private practice clinics. We have 38 of those urgent care and primary care clinics located within Lubbock and around the panhandle area. And as mentioned, we are the academic teaching hospital for Texas Tech School of Medicine. So Texas Tech physicians and their clinics. UMC Health System over the years has received many awards. We are the only Level I trauma emergency center between Dallas, Albuquerque, Denver and San Antonio. So we cover a large geographic area for patient transfers. We are and have been one of the best companies to work for in Texas the last few years. We have received healthcare IT's Most Wired the last three years as well. And so many awards for the health system itself. And so we're privileged to be able to communicate and share our journey.
So when we began our journey before automation, it was a very manual process. It was not efficient. It was paper-driven. There was literally paper that was sent to HR that HR would then pull out and hand off to IT. And it was a very manual, physical process to literally take paper between departments to get accounts set up. That would begin and be submitted a few days or a week before the employee's first day of in-processing and it would take upwards of two to three weeks to complete that process. So I mean, it was a very arduous process. There was a lot into it. And then we'll kind of speak to some of that a little bit further. That led to delays. New employees that were in-processed. We see new employees in-processing three times a week. On average, 75 new employees that are in-processed every week and each of those would see a delay in getting access to their accounts. Also in January and June of each year, we would receive over 400 requests from Texas Tech School of Medicine to process and generate accounts for new residents, new nursing, new nursing students, and to support their clinical practices. And so that would also add to a lot of work.
The impact. Being within healthcare, this is one of the most impactful areas. We would have nurses that would become new employees. They would get onto the units, but they could not log in to any tools. They could not log into the computers because they did not have an account. They could not log into our electronic health record to chart patient data because they would not have an account. And within healthcare, there are many patient safety initiatives that we're working on that rely on technology toolsets. So examples, bedside barcode med administration. You have to be logged into the system in order to scan that barcode on that med to ensure that the patient is receiving the medication at the right time and the right dosage. And if it's to the right patient.
And those are safety tools that we've employed to prevent medical errors that these nurses would not be able to utilize without having accounts. Physicians fall into the exact same scenario, whether it be a Texas Tech physician, resident student coming in and practicing or a private physician, if they do not have access to those accounts, again, they will not have access to the clinical tools designed to protect patients. That those tools for physicians, clinical decision support where the EHR can bring up and make recommendations on best care given to the patients and based upon best practice and guidelines and those things. So by not having an account, they would not have access to those tools and it ultimately can lead to a patient safety concern.
Aside from the patient safety, from a business perspective, you had employees that were not productive. They may hit the unit and they would not be able to, you know, log on the system, so they would literally be sitting around looking for work to do. Or they would get creative and they would log in with another nurse's credentials and provide care that way, which is again, from a HIPAA perspective and a HIPAA violation, that is a major security concern. And so from a business impact perspective, there was a lot of that occurring. Besides from the critical care areas in the back office side on the ancillary support, you would have users that could not log into their computers in accounting, in the business finance side and which could result into delays in getting funds either processed or received. And so again, back to the productivity of the employee could have been severely impacted by that two to three-week delay.
So that was prior to automation. One way that we like to show that is from a graphical perspective. List out the number of steps that were in our previous process. So step one, the hiring manager would submit the new hire paperwork to HR. Step two, HR would submit that paperwork to IT security. And again, this was manual papers being transferred between departments. Step three, IT security would meet with the hiring manager to verify and validate the access that was needed for that request. At that point, IT security would then submit that to the application owner for account creation.
Step five is when the application owners would manually provision those accounts and it would fall... One of the things with this is it would fall in the middle of their kind of workload. Application owners, they don't just sit around and provision accounts and they also are supporting break-fix issues for the business and their priorities may be on projects. And so secondary to break-fix issues and projects, that's where account provisioning may fall. So there at times could be delays in that just because of the sheer workload of the application owners. Once the accounts were provisioned, the application owners would notify IT security that the accounts were created and what the account information was and IT security would take that to and communicate that to the hiring manager.
So you can see at the bottom of the slide deck, somewhat of a timeline representation of that. And that average time to complete would take between two and three weeks and again, that's on an average week. Between January and June when we had to provision accounts for new residents for Texas Tech physicians, from School of Medicine, nursing students, those things, we would see an influx of 400 per month. And so that would extend that time between two to three weeks out further. So that manual process required a lot of manual interaction, a lot of transfers of papers and it was not efficient at all. It was just many opportunities to improve.
After automation, we streamlined the process. So and we streamlined it not only in the number of steps within the process but also with employing automation itself. So prior to automation, we had a seven-step process. And with automation, we reduced that process down to five and we reduced the manual touching. So step one would be the hiring manager submits the new hire paperwork to HR. This is still the same initiator that kicks off the process. At that point, HR would enter that new hire information into the HR information system.
Here within UMC Health system, we use Infor Lawson, but it could be any HR information system that you connect into for the automation piece. So it's not a specific vendor. I think there's opportunity with pretty much most if not all HR information systems. It's getting in and connecting with those systems. Once HR has entered that information into their system, that's when automation picks up. At that point, the Identity Director picks up that request, they see the change and then it would process that new hire information to those applications for user provisioning. So, that would be the initiator of to the systems I need to create an account.
And then step five is once that account is created by those applications Identity Director would send that information out to the hiring manager. So again, you're not relying on an individual taking time to do that. It's all automated by Identity Director. That took our average time for provisioning from two to three weeks down to right at two days on average. And there's, again from a very paper process to a very automated process within the system and I think that's crucial to understand is it definitely required is we look at business process change, change management is a huge component of it because you are changing business processes within users, you're changing business processes within HR. You're changing how systems talk to one another. So Brian will speak a bit to the lessons learned in terms of having a good team to support that as you look at the integration with those applications.
So to kind of take a step back on our journey aside from the process side, our journey began in 2015. We evaluated various solutions and partners and before we landed on one and it was a long process to stand up at the point that we made a decision on which solution we're gonna go with. It was definitely a long process and it required considerable engagement with HR. As you're making business process changes with HR, you are changing how they do their and how they've done business typically for years. And so it is very crucial to have them engaged at the table to understand that, "Hey, we're changing your process," and, you know, help them understand and be engaged with you throughout the journey. And I mean it was a large process change from that manual paper process to an automated process. And within organizations, sometimes that's a difficult change because if you're used to having a piece of paper people naturally are, may be uncomfortable with relinquishing that piece of paper and going to something that is electronic. So that was another change hurdle that we had to overcome.
In 2016 is actually when we went live with our first automation in June. And that was creation of Active Directory accounts. So this is the bare minimum. You have access to the network, you have access to the environment and we've consistently added on additional applications after that. We've migrated to an Office 365 environment in all of our Office 365 account provisioning after the Active Directory account provisioning. We also provision Office 365 accounts automatically with our Azure environment in the cloud. And so we're continuing to add onto that. In 2017 we automated provisioning of our Cerner EHR and that was a huge accomplishment for us.
We were one of the first Cerner clients to automate the identity management with Cerner Millennium. We have between 5,000 and 8,000 active users within Cerner Millennium, depending on the time of year. And automating that process was a significant improvement for us from a business efficiency perspective. Also, as I spoke to earlier, if a clinician does not have access to the electronic health record, they do not have access to the tools that are meant to help them from a patient safety perspective. And as healthcare is driven around patient safety and reimbursements and efficiencies, that is a huge, huge risk for us. And so accomplishing that, what was significant for us from a business perspective.
So looking into the future, I mean, this has actually already begun here at the end of 2018. Our future journey going into 2019 is we initially went live with account provisioning of UMC and UMCP. That's our private practice accounts, so roughly 4,800 users. Our next step is to automate the provisioning of over 3,000 external user accounts. That includes Texas Tech physicians, their clinic staff, their students that come on board. So aside from the ongoing regular employee, it's the twice a year large influx of students and providers.
So that is on our...we've actually begun working on that already. And so we're slated to go live with that in the next 12 months. We will also work on bringing in the rural referring facility. So as I mentioned, being where we are geographically located, we provide support for a large area and we have a lot of referring facilities from eastern New Mexico down to Central Texas in over into West Texas, heading towards El Paso. We have a lot of external referring facilities that send patients in and have doctors that want to connect in and see access and what happened to their patients when they were sent to UMC and this will allow for better management of those accounts. And then continued integration with Microsoft Office 365. There, we see considerable number of requests related to provisioning of groups and access and in those things within Office 365. And our next thing is to shorten that up and continue integration of that. So as groups are created, it can be manual, can be automated versus the manual process as it is today.
Aside from that, we support over 300 different applications within IT and continuing to bring in those applications via the automation is strategically something we're going to do as well as, as the business grows and procures additional applications, getting those integrated as well. So it will be a continuing journey for the...really, I don't think there's an end to it. It'll be one of those things that as we identify opportunities to drive efficiencies, there will definitely be opportunities to pull in with automation. So with that, I'm gonna conclude this talk around the business impact and I would like to turn it over to Teresa and Brian to kind of discuss some of our lessons learned through the process.
Brian Sherill, DevOps Engineer, UMC Health
So one of the biggest things that I would say with automation, you have to have a clearly defined process. If you do not have a clearly defined process, automation will not work. And so speaking to the business side, one of the things that was key and critical when this was first started was to outline HR processes and some of the processes changed, some improve and some had to be created. There were some that didn't exist prior to this. You had different people in HR doing things in different ways. And so we had to build the processes and then we can look at automating those.
The next thing, you want to fully understand those processes and document those. That way you've got that written down. And so as you try to automate, you understand the requirements you need in automation to fulfill the process as it exists. This will take by far the most amount of time. This is why the startup time as Justin alluded to is very long. The process piece is critical to being successful with Identity Director and automation.
I would highly recommend your team to build a development environment for all of your critical applications as well as Active Directory. If you do not already have this, building a development environment will be key to your success. You'll want to test things. You'll want to create new items, new processes, new automated entries. And so having a development environment where you can test that out is crucial.
You'll need direct involvement from your HR department. If you don't have direct involvement from them, this will probably most likely fall on its face. You have to have their buy-in because they need to understand that the information they're providing to this is critical to how automation works and how the Identity Director access works. They need to understand that when they make changes that's going to change in an automation and Identity Director and that could potentially change someone's access incorrectly or correctly. It's going to drive a change. So HR needs to be vitally involved in this whole process.
You wanna understand your business logic rules for your HR data, understand how your organization uses HR data, how it classifies HR data. You need to understand your positions that you have within your environment and you need to work with HR to classify those positions as you work with the hiring managers to understand what positions get what access. What we found in our own environment was we might have one position with a bunch of people in that position, but they all do different things. And so we had to go through this process of creating new positions to clearly outline what each person does so that like tasks are grouped into the same position. And so even if you have one-off positions for someone that does very different things from anyone else in your organization, that's key to making this whole process successful.
You wanna have an IT team that understands your HR system. Our health records information system team, they had to build these database views in order to get the HR data into Identity Director. That was crucial. Without that, this is going to be very difficult. You wanna make sure that you've got a good team of IT, very technical strong team to get this data into Identity Director. When you're building out automation, you wanna keep automated tasks as small as possible. It's better to have a lot of small tasks rather than just a few very large tasks. Each automation task should only do one thing and that way if you have an issue, if you have a problem, you know exactly where to go, you know exactly where you need to make your change without having to guess and without having a major impact. The fewer steps within an automated process, the better. Have a lot of automated tasks, but have each task do one thing and one thing only.
Teresa Patterson, Access Control Specialist, UMC Health
Okay. The last piece is communication and flexibility between the business process owners and the application owners is critical. If you don't have the communication between the HR department, application owners, the processes, you may go in and create a certain process and once it gets down to that application owner, they'll say, "Oh, well that's not what we do here. We'll just fix it on this end." Once we automate it, that's not possible. So you wanna make sure that you've got that communication and the flexibility to help them do what they needed to be done in order to be successful.
Justin Fair, Director, IT Infrastructure, UMC Health
So in summary, if there were three main points that we would like to pull out and communicate, it's that there are definitely considerable efficiencies that can be realized with automation. That results in both soft and hard dollar savings from the business side. If you have delays, if you look at lean initiatives, one of the major areas of waste is delay, if you're waiting on something. And with automation, it really works to attack that specific area of wait. And within our journey, we saw considerable delays with the process because it was a manual process and also that downstream caused delays to the business of employees basically not being productive. They were not able to hit the unit as a new employee and begin providing value to the organization as soon as they started. There could be a two to three-week delay before they actually started being a productive employee. Within any organization that is not a good business process and that is something that definitely is a huge opportunity.
The second thing that we would really like to focus on is the business process change. This is what Teresa was alluding to, is it is a difficult one. When you go to change a business process there are many considerations that need to be taken into place. And you need to have consideration for how things have historically been done. You need to have buy-in and engagement from the business that they're going to support the change and just when you go live, you will have issues, but I think our message is to hold strong because once you surpass those initial hurdles, once you go past that go live and get most of those issues resolved, in the end, it's rewarding. If we look back now compared to where we were, this would not be something that we would want to go back in time and go back to the manual process. And there's been a lot of efficiencies gained and that's allowed employees to in turn focus on doing other tasks, working on other projects, working on other initiatives.
And third thing is that it aligns with our organizational goal of becoming a highly reliable organization. Within healthcare, that is a major initiative and focus is repeatable consistent processes. Anytime you have a manual process that relies on an individual or group of individuals to accomplish something, there's variance in those processes. Automation is by far so crucial in eliminating that. Automation is very consistent and it provides the same consistent approach, process and experience each and every time. So we as an organization drive towards the concept of a highly reliable organization, to improve business efficiency, to improve financial responsibility, and ultimately within healthcare to improve patient safety. Being an HRO organization is definitely a key goal for us. So with that, we appreciate the opportunity to share our story and our journey and we just appreciate your time this afternoon.
Liz Angus, Product Marketing Manager, Ivanti
Thank you, Justin, Teresa and Brian. That's all been really good advice and it's been fascinating to hear about your journey and the process improvements you've been able to make with automation. I'm sure it's also sparked some ideas for the audience about how they could apply what you've done in their own organizations. So thanks again for coming on and sharing that.
So now that we've had an outside look, actually an inside look at how one organization is using identity management in their business to automate their onboarding and offboarding processes, we'd like to broaden our view back out and wrap up with a look at the trends we're seeing in the broader industry. Okay. So let's first take a quick look back at the most recent trends. We've been seeing tools needed for identity management evolve to meet the changing needs of the business. In recent years, vendors have made strides in both feature expansion and architecture modernization.
Modern tools are more modular and scalable with enhanced feature sets. Vendors have added access certification and governance capabilities in response to stricter regulations like GDPR. They've added popular cloud application connectors in response to cloud adoption by workers. They've also added mobile apps to support users who are working remotely and from a variety of devices. They've also opened up REST-based APIs to be able to integrate identity solutions with other technologies such as your ITSM or ITM solution, so you can get a two-way integration. And a good example of that is with your ITM solution, it could ask which service last had the device for mapping users to devices in your identity solution. Similarly, to simplify, vendors have added libraries of workflow templates that make it easier to get started and they've made many improvements to provide a better experience for both IT admins and their end users.
So as digital business demands grow, where is identity management going next, what is shaping the future? Gartner and Forrester have identified the top trends that IT professionals should prepare for. We won't have time to touch on all of them today. So I selected just five of these trends to highlight.
We talked about cloud when we looked at recent trends where I mentioned that the rapid adoption of SaaS by the workforce has led some vendors to extend on-prem connectors to cloud applications. And of course, the cloud trend continues into the future. But we are seeing that shift to cloud delivery options. The transition to cloud delivery is just beginning. As the stat here from Gartner shows, the adoption of identity management solutions delivered as a service will increase rapidly. Over half of new deployments three years from now will be either cloud architected or cloud-hosted solutions. But as these stats also show the cloud may not be the best choice for all organizations or the choice that all organizations will make. You need to think about what's right for your own organization and that may be cloud or it could also mean that you opt for on-prem software or even find that the optimal choice for you is a hybrid solution based on whatever your own cloud strategy is.
The next trend, expanding managed identity environment is also being referred to as the more and more and more syndrome and you can see why on this slide. The managed identity environment has expanded exponentially and is increasingly complex reaching far beyond traditional employees and on-prem applications. I'm sure you find in your own organizations that you have more users, be it employees, contractors, partners, customers, and also more devices. And each of those have different identity lifecycles and access requirements. Along with your pricing, more identities, more entitlements, more privileged entitlements, more authoritative systems of record many of which are also now hosted in the cloud. So you can see from this slide that the digital initiatives are adding both volume and complexity to the managed identity environment.
While the overall business drivers for identity and access management have remained consistent, today there is greater emphasis being placed on security and risk management because the threat landscape has increased. Protecting the business from data breaches and insider threats is a top priority for organizations of all sizes across all types of industries. Not just the large enterprises in those highly regulated industries like financial services and healthcare that have traditionally had the need for identity management solutions because they have really complex identity environments. We're seeing growing interest from mid-enterprise businesses and even small businesses, SMBs. Nowadays really all businesses of all sizes have similar security challenges with breaches due to access issues as well as more complex identity environments. And because of all this, we're seeing the security team get more involved in the decision to purchase an identity management software solution. The CSO has taken on an even more active role as a primary decision-maker. And this may be something that you're seeing in your own organization.
Building on this last security trend, many organizations have implemented both identity governance and administration and privileged access management systems separately, and many more will probably continue to do so as you see from the Gartner stat on this slide. These organizations, however, now see an opportunity for integration between the two systems. There's been a surge in privileged accounts where, you know, certain users such as IT administrators or upper management have more access rights and permissions than those given to standard business users and this privileged access is the access that's most often targeted by cybersecurity threats because it leads to the most valuable assets for the business.
Because of this, IT and security teams need to get in control of managing and securing all of those accounts. By integrating the two technologies, you can manage access to privileged and non-privileged accounts holistically, which gives you much better control. Because employees' responsibilities have changed over time, it might not always be necessary for high-level permissions to remain in place, and revoking that access as soon as it's no longer needed [inaudible 00:45:57] vulnerabilities of hackers who target these types of accounts. So when the people's roles change, they may still need access to the application, but they may not need the same admin rights.
The final trend I will touch on today is going to be an exciting one to watch the evolution of over the next few years. As digital business environment becomes increasingly more complex as we've talked about on the previous slides, the ability to effectively manage identities and access is stretching beyond human capacity. In many areas of the business, analytics is emerging as an important trend in identity management. Not replacing human involvement, but just enhancing it. And with it, massive amounts of data can be rapidly analyzed, something that humans alone just can't possibly do.
So advanced reporting and analytics have already emerged for basic use cases and into the future we'll see identity analytics continue to improve with machine learning and AI capabilities for those more advanced use cases. One of the ways identity analytics help you is by incorporating usage data and machine learning to improve policies and automatically grant access based on patterns in user behavior and that usage data, not just on assigned entitlements. So it's really looking at not just access, but also the patterns and behaviors and this type of analytics is great for things like pinpointing over-privileged users and minimizing unnecessary access.
Identity analytics can also be used to intelligently detect high-risk actions in the environment and be able to respond in real time to the most critical threats. You can alert when a user behaves abnormally. For instance, when an employee starts using applications outside of normal work hours or submitting access requests for a large number of applications that no one else in their peer group has, this could be a sign of a malicious insider, so the tools could then detect that, alert on it, and then respond to that suspicious behavior by restricting access if needed. So identity analytics is still an emerging discipline, but that's definitely one that's predicted to evolve quickly. So this last trend is definitely one to keep a close eye on.
As you've seen with these trends we've just talked about, identity and access management can be overwhelming especially if you're just getting started. So today we wanted to leave you with some takeaways to help you with some next steps. And these takeaways are similar to what UMC Health Systems touched on in their lessons learned. Initiatives like these often arise from a business challenge where identity management has been identified as the solution, and everyone's immediate response is to say, "Let's go out and buy a product to fix this." But you have to be careful with that because identity management is not just about the technology, it's really about business process and integrating with your organization's processes. So you have to focus first on people and processes before you can get started with evaluating and selecting the tool that you're going to use.
So a good first step is actually to take a step back and really understand your current state. So first to get a good understanding of your users, your processes, all of your entitlements and what they do. For instance, what is your current process for onboarding a new user? You saw UMC Health Systems' process for that. Do you have the right process or does it need to be changed? Part of it is going to be change management too. So you'll need to invest in the necessary changes at the beginning or you're likely going to struggle with reaching your desired outcomes. It's also good to have a good understanding of your business needs and your requirements and look for any gaps across. If you do this pre-work first and document everything as you go along, you'll likely have a better chance at success and reaching your desired outcomes.
Because identity management is about, you know, business processes, you'll need to get out of your office and interact with business process owners and application owners to learn about their operations and processes, understand their needs, and open up those communication channels with them. And this is gonna be very critical to get their direct involvement and buy-in early on in that process. It's also wise to connect with others in IT, especially those in security and risk management roles as we've talked about. Share what you're finding with them about processes and everything else to really help establish a reciprocal relationship and unite on these initiatives in order to achieve the best outcome for the business.
And now to wrap up, I'd like to thank Melanie and the folks from UMC Health Systems again, Justin, Teresa, and Brian for coming on today and sharing their perspectives and their learnings. I also wanna thank you, our audience, for taking time out of your day to attend. We really hope you found this session and the information we've shared valuable. If you do have any questions at all about anything we've covered on today's webinar, please don't hesitate to reach out to us at any time. Thanks again for joining and have a great rest of your day.