
Interview: How Mid-Sized Businesses Can Secure Access Management In The Cloud

Expert Insights speaks to Helmut Semmelmayer, Senior Sales Manager of tenfold, a cybersecurity provider specializing in access management software.


With more companies joining the cloud than ever before and the exponential rise in edge devices connecting to company servers, governing who has access to what and when becomes a central question when it comes to cybersecurity.

And the answer? Identity and Access Management (IAM) is a consolidation of policies that addresses digital identities and their levels of access within a network. It includes role-based access control, user access reviews, change tracking and reporting capabilities.

There are plenty of IAM solutions on the market, but even though they all broadly offer the same thing, these products aren’t a one-size-fits-all solution. Enterprise-level solutions won’t work for mid-sized businesses, and vice versa.

This is where tenfold comes in. They’re an IAM specialist that focuses on providing a solution that is easy to deploy and use for companies in the mid-market segment.

We spoke to Helmut Semmelmayer, Senior Channel Sales Manager of tenfold. After leaving university with a BA in Computer Science and an MS in Computer Systems Management, he immediately threw himself into the access management space and into establishing a sales model within the company’s home market of Austria.

We discuss the importance of access management for mid-sized teams, key features to look for, and why zero-trust is so important for organizations of all sizes in the cloud.

Can you give us an overview of the access management product tenfold offers, including your target markets, and how tenfold sets itself apart from its competitors?

HS: tenfold was founded on the observation that the IAM solutions being deployed in companies were all large-scale programs designed for equally large-scale enterprises. Big players servicing big clients, basically. We’re talking thousands, or even hundreds of thousands of users. 

But none of these suppliers seemed to focus on the mid-market segment – companies with 300 to 5,000 users. This realization really took us by surprise as there is high demand among mid-sized businesses for an access management solution tailored specifically to their needs. Businesses in the mid-market segment are not really able to make the best use of large-scale solutions, as these are mostly too complex and expensive.

Our aim was to develop a solution that would fill this gap; a solution that is easy to integrate and easy to use. And that’s pretty much what we did. The result is a product that can be deployed easily and is user-friendly, covering all the demands mid-market organizations have.

Our unique selling point is that we have removed everything from our product that makes IAM solutions complex, difficult to use and expensive, and instead have added features that are suited to the mid-market segment – and we have made it available at an affordable price. That’s our unique position in the market. We have designed a product that serves a purpose and serves it well. 

What were the challenges you faced developing this kind of targeted product?

HS: I admit it was a bit of a learning curve. We first had to understand what our potential customers wanted and needed in terms of functionalities for managing access rights. What we learned was that the entire purpose of access management is to ensure people within an organization do not have more access rights than they need to do their jobs. If someone has access to information beyond their remit, that is a potential threat. Insider breaches, technical breaches and malware attacks are all common risks that come with a poor access management concept. People with access to HR data, for example, can easily look up personal information or find out who makes what salary.

What are the main access management challenges that your customers are seeing today?

HS: Many of the challenges we see are related to cloud environments, so that is an aspect we are going to focus on in our technical roadmap this year, and probably in the years to come. What companies struggle to grasp is that cloud environments work very differently to on-prem environments, as they cause a shift in perimeter. 

Before the cloud, security took place within the network perimeter, everything behind the firewall. It was sufficient to simply shield off the network from the outside world and only allow certain information to enter or leave through pre-defined points. Now, with the shift to hybrid and cloud environments, that network perimeter does not exist anymore. 

You cannot protect Microsoft 365 with a network firewall, for example, as it’s a global service. That means it can be accessed from anywhere. Any person who is on the internet can potentially log on to your network if they have the right credentials. With excess privileges, anyone can potentially read and modify information, which significantly increases the risk level.

Access management is very much about securing and protecting identities and implementing a zero-trust approach. That’s where our product fits right in. The idea behind zero trust is that identity marks the new perimeter. 

tenfold helps organizations establish a zero-trust path by implementing a new cloud strategy. Not all organizations have fully warmed up to the cloud yet, but I would say that at least 50% of our customers, or potential customers, do focus on the idea. There’s definitely a stronger focus on it in the UK and US than in the German-speaking world. That’s because the cloud became a “thing” in those countries much sooner than in Germany, Austria, and Switzerland.

Is Zero Trust something you’re seeing in the smaller end of the market as well? Would you recommend that smaller businesses consider implementing zero trust?

HS: That’s an interesting question. I think if it were up to the businesses themselves, to make sense it wouldn’t be such a big question. And it depends how you define “small businesses”. tenfold starts at 300 managed users, which I’d classify as medium-sized. I think if these businesses had the option, many of them would prefer not to move their services to the cloud, for fear of losing control and uncertainty as to whether the cloud will work for them and whether it is secure.

But, in the end, it isn’t up to them. All vendors are moving to the cloud and many products do not exist on-prem anymore, with more to follow in the next five years.

I doubt that, say, Microsoft is going to maintain on-prem versions of SharePoint or Exchange and other such products in the upcoming years. Some of these products have already been canceled with a set date in the future. 

Whether a move to the cloud makes sense or not is not up to the customer anymore. The decision has already been made by suppliers. Therefore, everyone needs to have zero trust and identity protection on their radar. There’s no escaping the cloud, and anyone who thinks otherwise is going to have a tough time facing up to reality in the near future. The industry has already set out on this path and there is no turning back.

Why is IAM important for solving these challenges?

HS: The cloud is important to consider here, as is the regulatory environment we operate in. We see more and more regulations requiring certain industries or types of organizations to establish a security management system that conforms to industry standards. Many businesses, especially from critical infrastructures like water supply, healthcare, power generation, transport, and so on, are certifying to ISO/IEC 27001 and other standards.

Such standards determine what companies in critical infrastructures must establish in terms of IT security, because the assumption is that, if someone were to hack into an organization and gain control, this would have a serious detrimental impact. So, besides having to worry about their own internal security measures, such organizations must also worry about regulations and access management and are faced with mastering the concept of least privilege, which requires you to ensure your users only have the minimum amount of access rights as needed. 

This ties in with the idea of zero trust, which is to make sure you do not trust anyone with access or data unless their job absolutely requires it. 

What is your advice to companies implementing IAM solutions, and do you have any key recommendations to suggest?

HS: What I cannot stress enough, because it’s something we have seen many times, is that companies looking to purchase and run an access management product really must keep in mind their size. Do not invest in an access management product that is not the right fit for the size of your company. The product you choose must match your business in terms of complexity, especially with regard to IT systems and internal processes. How are things done, what are the procedures for creating users and assigning access rights, who decides who gets access to what, and so on – these are all issues that need to be covered by your chosen product.

If you have special requirements like integration of different systems, or if you have important processes that need to be run, then a simple solution will not be the right fit for your organization, as it cannot cover all your requirements. 

On the other hand, you should not purchase a solution that is too complex for what you are trying to achieve. It is important to understand that standardization is the key to success here. It would be a mistake for a company with, say, 500 users, to invest in a highly complex solution that provides the greatest level of flexibility because they think they need it, but don’t actually need it.

Then they are stuck with a solution that requires so much customization and long-winded, expensive projects to even be deployed that they never actually arrive at the goal they initially set out to achieve because they have run both out of money and out of people on the way. In the end, the solution never goes live because they are still busy implementing and running projects that last months, or even years. So, I think that’s the goal: to match the complexity of your business with the level of complexity of your chosen product.
