Webinar recordings
What is IGA Light?
Join Cloudworks and Elimity on January 9th for a practical session showcasing how Elimity’s IGA Light solution can improve the identity and access management (IAM) for your organization.
What to Expect?
Challenges & Solutions: Understand the common IAM challenges organizations face and how Elimity’s IGA Light addresses them with simplicity and efficiency.
Live Demo: See Elimity’s IGA Light in action
Cloudworks Perspective: Hear from Ivar Lyse, Customer Success Manager at Cloudworks, as he shares how Cloudworks complements and enhances your IAM strategy.
Don’t miss out—register now to secure your spot!
View transcript
There we go, we're live. Okay perfect. Good morning everybody. My name is Giel. I'm the head of growth at Elimity. We will be waiting a few more minutes so you can get comfortable and take a coffee. It's rather cold outside, so let's wait a few more minutes for people to dial in. Okay, maybe a good idea because we had quite some registrations today for this session. It might be a good idea to drop in the chat where you are dialing from because we have people all across Europe, but also in the United States. So feel free to drop in the chat where you're calling from. And you can also mention what the weather is like these days because we had some snow today in Belgium, which is quite rare for us, a little bit less rare for our partner in the Nordics, Cloudworks. And I will give you guys a few minutes to get comfortable. Okay, I see people are entering the room. Okay, perfect. So first things first, we will... Okay, I see people from Denmark. I see people from Norway. I see people from Belgium. Perfect. Okay, first things first, the topic of today's session. The reason that we chose the topic, securing access to data and applications, is not a surprise. It's part of all cybersecurity strategies these days, especially with the new regulations, such as NIS 2 or the established regulations, such as ISO 27001 and many more. However, in practice, we see still a lot of recurring identity and access management challenges. We see organizations often struggling to have a clear view on who can access what, which is often resulting in audit findings regarding identity visibility. On the other hand, we see security teams still running manual access reviews with old school Excel and email, which is not making the IT or the business very happy. So in that context, the collaboration between Cloudworks, our newest strategic partner in the Nordics, and Elimity can provide the answer.
So Elimity has developed a lightweight identity governance solution, and Cloudworks guides their organization to identity and access management challenges. So today, I'm glad to announce two beautiful speakers. So first of all, we have Ivar Lyse, who is the customer success manager of Cloudworks. He's a veteran in the identity and access management space. And on the other side of the table, on the other side of your screen, you can see Maarten de Kat, a very well-known face, if you joined other sessions in the past. So he's a VP product of Elimity, and he will give you more information about Elimity's solution. So for the agenda of today, it's pretty straightforward. So first of all, Ivar will start with a presentation of Cloudworks, give an introduction, and discuss also the challenges and the trends they see in the identity and access management markets, including why do we need identity governance. Then afterwards, Maarten will go deeper how Elimity and Cloudworks can help you take control of user access within days with a lightweight identity governance solution. And at the end of the presentation, we have some homework for you. And also, there is some room to ask you some questions regarding the product, regarding the collaboration with Cloudworks, and everything you want to know from us. Maybe before we really kick off some housekeeping from our side, we had a lot of registrations this morning, but a lot of people couldn't make it. So we will be sending all the recording to all the people that registered previously. If you have questions, feel free to drop them in the chat, and they will be asked at the end of the presentation. So that being said, I turn this over to Ivar. Ivar, the floor is yours.
Thank you, Giel, for that introduction. And thank you for inviting me to speak in this webinar.
So as Giel said, for the next 10 or so minutes, we will do a brief introduction of Cloudworks, explain a little bit why it is so important to get control of the identities, and by that, explaining why there's a need for IGA solutions. So first off, the intro to Cloudworks. So Cloudworks is a company. We focus on IAM integrations and services around that. Our presence is within the Nordics, so it's Norway, Denmark, and Sweden currently. And we divide our services into three different pillars. So we do advisory for our customers, where we can go in and do what we call a pre-study or an IAM assessment to map out where are the customers in their IAM journey? Have they started? Where are their pain points? What are the quick wins? And then propose a way forward. When the customer moves forward, we move into implementation. In some cases, customers have already selected a solution and want us to help them implement it. And we can do that in different layers. So that could be either through a phased implementation or specific tasks. Or in some cases, we can do the whole integration piece, if the customer so desires. Managing the project from A to Z, the whole way. And the third pillar within the services is operations or managed services, where we can help customers manage the day-to-day operations of their IAM solution. So the challenge with IAM is that it is often highly technical. And this means that customers might not have that competency themselves and need someone to handle that expertise. And again, these managed services can be from more of an ad hoc basis all over to a 24-7 service if the customer so desires. The foundation for all these services is, of course, some sort of product or solution. And we can help customers select that product or that solution. And we have partnered with the vendors or best of breed solutions in the market, which you see in the bottom right. And Elimity is a very important vendor for us when it comes to IGA light solutions.
Cloudworks has been in the market for 10 years. This means that we have a lot of successful projects behind us. And we have an extensive knowledge base of how we can integrate with different applications. We are approximately 40 employees and rapidly growing. And this makes Cloudworks probably the leading pure play IAM integrator in Scandinavia as of today. So that was about Cloudworks. So why do you need IGA and why is it so important to get control of the identities? And we cannot talk about this without getting into regulations. Regulations are a big part of why it is important to get control of identities. And there's no question about it, whether we like it or not, regulations are here to stay. And this slide is not something we're going to dive into detail in. It's a little bit busy. It's a little bit small font in here. But it's just to visualize how these different regulations have evolved over time. So from the late 80s, where it took some time for the next one came out, it has increased rapidly. And the reason for this is the increased pace of digitalization and also the increased cybersecurity threat landscape. And one example of this is the NIS directive. The NIS directive, first version, I think, came out back in 2016. And it affected just a few businesses, few sectors, large businesses. And then, again, the modernization and the cybersecurity threat landscape increased rapidly. And then EU saw the need to modernize NIS. And back in 2023, NIS 2 came out. And in NIS 2, a lot more organizations are affected. And also organizations need to look at the supply chain and make sure that they also are in policy with what the directive says. So this means that customers really need to have an eye on this. And the NIS directive is a very important part of regulation. And if you haven't started the journey to do IAM or do IGA and get control of identities, it is crucial in order to satisfy the different policies for these regulations.
So many customers have already started this journey. So they are well underway in doing IAM and doing IGA. And often in these projects, they start off with planning and saying that, well, we want to automate and integrate with everything we have. And then IT modernizes. Applications move from on-prem to cloud, maybe. And integration might break. And they need to manage that and create those all over again, which means that it is time-consuming. And it is complex to maintain those drivers or integration points over time. This means, again, that it is difficult to integrate every application that the customer has. And we try to encourage the customer to think about how much effort is it versus the actual benefit of integrating an application. Maybe there is a simpler and more cost-effective way to gain control than doing these 100% automation sync solutions. And looking at the slogan on the bottom here, where it says that 90% of enterprises are not able to regularly review user access, this means that there is actually a need for some tooling to more effectively be able to look at and control the identities in the different applications. Looking at security level, so the IT landscape, as I mentioned, has evolved rapidly within organizations. And it is a little bit harder to answer when being asked. The broad question is who can access which data and applications. That is a very broad application and might not be the correct question to answer. But another question, which is more specific, is which leavers still have accounts? Can you easily answer that question? I mean, have they been disabled? Do you have an overview of every application services they have been able to access? Are they disabled in all those integration points? Or are there still ghost accounts out there for customers or employees who actually have left us? Another question is, can you easily provide a view of who can access privacy-sensitive customer data?
This is something that might come up as a quick question from management or other stakeholders, saying that I have been requested to provide this overview. Can you pick out this from me? And this is also something that can be difficult to present if the tooling is not in place. And the third bullet point here, which is close to my heart, because who can control over employees as they stay on in the business? There is a challenge with employees who get hired into a role, they advance into another role, maybe into a different department. And additional rights have been added every time. But maybe the process is not in place to remove the previous rights, which means that you end up in some sort of rights creep or permissions sprawl. Rights have been added every time you switch roles instead of having that overview of saying that, well, this person is not, this person is hired into this role and should not have these accesses. And this is a very common problem for many businesses. Another question is, can users or employees submit and approve contracts in which robot accounts are active? So these are questions that are very specific and should be sort of easy to answer if the tooling is in place. But a lot of customers have a challenge in actually answering these questions. Then we can look into a couple of use cases. So first off is around identity visibility and the challenges we see here. So I mentioned a couple of times already that the IT landscape is rapidly evolving. Customers are modernizing, they are switching applications from on-prem to SaaS. So customers end up with several SaaS application vendors, they still have applications on-prem. And you have the human accounts and you have the non-human accounts. So the complexity is increasing and it's increasingly more difficult to get an overview of the identity or the visibility of the identity and who has access to what. And this gives challenges again, because this causes audit processes to fail.
It is difficult to manage and be in compliance with compliance processes like the ISO 27000. It is also not so easy to generate reports or who has access to what for those who actually want to see this. And again, as I said previously, the IT landscape is evolving and this makes IGA a very sensitive application. You need to keep an eye on that. But maybe there's an easier way to handle this and also get an overview from those integration points that haven't been touched yet. Second use case is around access reviews. And this is a really important topic because this is also a part of compliance processes. To present this in a good way for many customers. This is again regarding compliance processes like for example, ISO 27000. Many customers do this with Excel based access reviews, which might work to some extent, but it is complicated. And again, as applications move around from on-prem to cloud, you need to update and how do you track that and so on. And this also makes it very difficult if you have a complex landscape. And the result of this is that customers end up with a lot of manual work. So when you get the task to review the users in applications that you might be responsible for, should they keep their access? Should you revoke that access? Should you do something with it? It's a lot of manual work. And if you do that with the Excel based spreadsheets, it is really time consuming. And it's really difficult to see how the user and how the identities have evolved over time. This causes challenges for businesses. They have the risk of people leaving because this routine based work. I don't think many enjoy doing that. And the processes are really tedious. It's difficult to handle. So this was the intro to why IGA and identity and having that control is important. And now I hand it over to Maarten to go into detail on how Elimity can help our customers solve these different issues. So over to you, Maarten.
Yeah, thank you, Ivar. So like Ivar said, clear challenges.
That we see in the markets. To summarize, I think the importance of properly governing who can access what is growing, definitely, based on or because of all the different regulations and security requirements that you have these days. And secondly, also, typical approaches take a lot of time and effort, like Ivar said. So it's not doable for a lot of companies out there, especially the IGA deployment, but also keep on doing the manual access reviews. So there clearly is a need for a more lightweight approach to still prove that you're in control. And this really is where the collaboration between Cloudworks and Elimity comes in. Elimity provides a platform, data driven platform for identity governance. And Cloudworks really is a European leader that guides organizations through their security and IAM journeys. And so together, Cloudworks can then help apply this platform and this approach in practice. And in the rest of the presentation, I'll go a bit deeper into this approach and show you how it can help you and end up with some homework in the end. And the gist really of this approach is that we look at this problem not as an automation problem. So it's not a provisioning problem, but rather a data problem. And then you end up with what we like to call the essentials of user access governance. So the essentials of allowing you to prove that you're in control. And for us, that means that you should first have visibility of your users and your permissions. You should know who, at which point in time, can do what across your critical systems. So that you can then let IT and business review these things and clean up these accounts, their access, take action on any findings and automatically monitor these things over time. So ideally, you end up with this sort of closed loop data approach that lets you control and remain in control who can access what fast. And so at Elimity, we provide a platform specifically for this.
Think of this as a sort of, well, sort of Power BI, but specifically built for identity and access management that goes beyond just reporting as well. So it does five things in essence. First of all, it focuses a lot on easily collecting data from your most important sources, meaning that it comes out with a lot of built-in connectors and a very extensive connector library in order to get the data in there with as little effort as possible. And we're really talking about the deployment of days for your top five, top 10 applications. And then afterwards, easily understand who can currently do what so that you identify risks. You automatically monitor access over time so you get notified if new risks are found. You can indicate necessary changes for cleaning up those risks. And if you don't have another system for that, also run your access reviews to include people like application owners, line managers that are all responsible for a specific part of your organization to include that in this reviewing process as well. So this is really an IGA suite, but without the provisioning, without the lifecycle workflows, all to make it easier to deploy, get faster cybersecurity value. And if you look at a typical IGA journey, you there would begin with setting up read-write connectors to all of your systems and defining workflows that should be automated and defining role models to specify who should get access to what and so on. And the security value of that really comes at the end of that long journey. If you're looking at it from a security perspective, it doesn't really make sense to do it like that. Instead, what we propose is, well, what we call on this slide, security first identity governance, where you focus on identifying your risks with as little effort as possible, and then review, clean up, and monitor your users and accesses over time.
And this really prioritizes cybersecurity return on investment first, because you focus on removing those largest risks first, and then push these heavy investments like your role model, life provisioning, and so on forward in time. By the way, it also gives you an important data foundation that you could use for efficiently start designing roles and separation of duty policies and so on, but that's stuff for another presentation. And so the focus of Elimity really is on those first two blocks and a bit of the third block in this slide. And to show the process of getting in control, let's take a look at the more specific case study, one that also relates to one of the case studies that Ivar highlighted. And this here is an example of a company of around 2000 people. And they really wanted to increase their internal control for several reasons. First of all, to decrease cyber risk. So it really was the CISO that was driving this effort. And also to show compliance, because they were sort of an insurer, and they had the insurance and financial regulations that they had to comply to, but they had to do a lot with a small security team. So they're not a big bank or something like that. And in that case, our standard approach works in the five phases that you see here on this slide. And in the first phase, that really focuses on getting to that first feasibility as quickly as possible. And then we always try to start from the customer's perspective. So ideally, from a security, from your security effort, you should already have a review and a prioritization of what your critical systems are, which are the crown jewels in your organization. And that can depend heavily from organization to organization. So for a production environment, a factory, it might be the operational systems. For an insurer, it's probably the insurance core systems, maybe with some payment systems and so on. And then you think of where are the identities for our critical systems located.
And nine out of 10, those end up with, first of all, an Active Directory, an Entra ID. And then it kind of depends on where your organization focuses your security effort on. We have some customers that then focus on development environments, on database administrators, on SharePoint, file shares, whatever is important to you. Those are the sources for which you want to gain visibility, for which you want to know what users are there, what can they access, and then start cleaning it up. So in the first phase, like you see on this slide, we try to work iteratively. In the first phase, the first sprint, you focus on those connectors that are critical to you and for which we provide out-of-the-box connectors as well. So you avoid the effort of writing something custom or deploying something heavy connector. And instead, you focus typically on Active Directory, Azure AD, an HR system to pull everything together, and then one or up to three more different systems. And then you end up in a few days, like you see on this slide, with your visibility into who can do what in those top five type of systems. And then you can start cleaning up. And that's cleaning up to help you do that. On this data, we then help you apply a set of security controls. This is a framework that we designed and developed ourselves together with our partners based on the security control that you see in SOC 2, ISO 27001, and the NIS 2. So it's everything of those security questions like Ivar talked about before that you should really show that you're in control of. And it's things like orphaned accounts, privileged accounts, access accumulation, which is the example that Ivar also highlighted, that you have people moving around to the organization and that they get more and more permissions over time and they're never revoked.
Stuff like data quality, segregation of duty around financial systems, and then all over the world, always for every specific customer, always we do a workshop for the business specific controls. And those are things that you know that are important for your organization. Might be geographic separation, or people from one department should not be able to access systems from another department, or maybe separation between the production environment and a test environment. Those things, those are really the controls that you should then apply to your data, to the example of the data foundation that contains an overview of who can access what, so that you then end up with a view on your largest risks. And in the platform itself, like I said before, ideally you also link in the HR system. So you have the employee record with important metadata of the employees with the start date, the end date, the place in the organization, the job title, and so on. And you use that employee record to link all of the different accounts back to the person behind this employee record, so that you can then see who can access what. And if you then apply this framework, you typically end up with sort of 40-ish controls in the first few days that show you where your largest risks are. And most of the time in our experience, that's stuff around these orphaned accounts, combination with the privileged accounts, also very interesting. So orphaned privileged accounts is a very important one. And then you get an overview of your largest risk. You know where you can start, start or should start improving, where you should focus your attention. And if you want to go deeper, then you have all of the data at hand. For example, also to visualize the accesses of people in the same team, detect outliers, use this data to clean up excessive privileges, but also maybe to design your first role model. 
That's really what this platform is about to enable you to do all of those controls as easily as possible. And in the case of this specific customer that I'm here talking about, they had a very strong focus on Active Directory first. So they really focused on Active Directory in the first couple of days, and they quickly found active orphaned accounts. But they were then able to clean up in a matter of weeks afterwards. And this was really important for the CISO of this company. Because from experience, he knows that, or he knew that identities and access is a really important part of your risk posture right now, your attack surface. But identity governance, IGA, IAM still had an impact. So he had a very strong image of being expensive and years of work. And CISO here really wanted to show that you can apply a risk first approach and that rapid success can be made. So with focusing on this Active Directory and focusing on actual risk, he was able to buy a lot of goodwill from both the business as well as management. This gave him a clear view of the largest risks, immediate security improvements, also audit proof that they were doing the necessary work, which was needed for an audit from the national bank. That was coming up as an insurer being. And perfect input to then prioritize their next steps. And from that, they then evolved from Active Directory to also include more cloud systems. And in this case, also file shares, SharePoint, and database admins were a critical part. And that's really how you evolve iteratively. So this is the gray arrow where you iteratively expand your data model, expand your view on the users and accesses in the system, in your organization. And then grow your control with the security controls over where you identify risks over all of these systems. So that's one aspect, how you grow from system to system to expand your data model. But everything that I've been talking about right now is also done mainly by the core security team.
But at some point, those people don't know everything anymore, of course. And you have to also then involve other people in this cleanup exercise. For example, if one of the controls show that there are 200 of these potential orphaned admin accounts, the question of whether these accounts really are not needed anymore is probably something that lies with application owners or line managers. So that's the second area where you iteratively grow in your maturity and where you then include line managers and application owners in the form of access reviews. So you don't give them access to the same interface as the security team because it's just too much information. But rather, you would want to ask them more specific questions, something that only relates to their team or their application. And let them review that data. And for that, you use the process, the well-known process of access reviews or recertifications, you might also call it, where the platforms, where you define a campaign and a platform sends out invitations, they receive an email, they can then provide an input in a nice web interface. And all of those changes are then turned again into change requests in the system that can be tracked and can be fulfilled by people on the other end of IT. And that's a very well-known process to include these people. And ideally, in the first phase, well, what you see here as phase four, in the first step, you include these people with a very specific question. So you ideally don't let them review just everything, like all of the AD groups in their team yet. But you focus on those risks that you found in step three that the core security team found, like, for example, again, these orphaned accounts or admin accounts and all of that. And that has two major benefits, because first of all, the question becomes a question of, well, is this a good way to get them involved in the process? And then secondly, you focus on the actual risks. 
And so, again, this is a process that is a lot more specific to those line managers, to those application owners, and it becomes a lot easier to get them involved in the process. It will buy you a lot of goodwill. But secondly, also, again, you focus on actual risks. So if these people then provide their feedback and you process this, this will actually lower your actual cybersecurity risk, which is also one of the major drivers behind this way of working. major controls are, the major security controls I mean, are in okay state, then you evolve into more continuous monitoring and continuous governance, meaning that you use the platform to also keep being in control, be updated automatically if new risks are found for any of these stored controls, but also that you expand your governance to include more and more data, that for example do a regular review or recertification, like every three months or six months or every year, for these line managers or all their, the AD groups of their people, or for an application owner to review all of the permissions to their application and not just the potentially risky ones. So all in all, what you see here is an approach to getting control and staying in control fast. So in the first phases, we're really talking in terms of days and weeks for first results, and in total it gives you a lot lower, a much lower total cost of ownership than deploying a full IGA suite, definitely. So this really is an approach that focuses on those companies that need, or that have, security requirements or compliance requirements around identity and access management. And the essence really is that we look at identity governance as a data problem. And again, that's the platform that we use for that. But even if you don't do this with our own platform, then this here is the five essential steps and the homework that I wanted to send you home with. So if you want to do this effort and apply this line of thinking on your own organization, then first of all, perform a
risk analysis. Ideally you should have done that already because of your general security efforts, so you should know where your most important assets and the related identity sources are. And then define the essential security controls. On the last slide I'll repeat a link towards the KPI guide if you want, but in essence the most important ones from our experience are the orphaned accounts, privileged accounts, separation of duty if you have any financial systems, and then definitely business specific controls. And then in step three, that's maybe the main point that I want to make here: make it a data exercise. Collect data, so collect your users, your permissions from your critical systems, apply your security controls to that data to identify risk, and then act to clean up those risks. So if you find things that are strange, ask people about it, investigate whether something should be removed, should be revoked, should be disabled. Do that. And then finally, and that's actually a step that will buy you a lot of goodwill, it will show the value to a lot of people, but that many people still forget about, is monitor to show your progress over time. Now specifically this means repeat steps three and four. So if you have done some cleanup actions, again collect the new data and reapply the security controls to show that you are improving, because you don't have to be completely in control all at once. The important thing is that you show that you're spending effort, that you're really working towards improving over time. And that's the part that will buy you, again, goodwill from management, from auditors, and show that you're acting on doing the necessary homework. And of course you can do this manually, like I said before, you don't have to do it with our platform, but if you want to do it efficiently then of course send us an email and we'll show you how to do it with our platform. And by the way, if you still think, if it still feels like too much work, for those organizations
where we started offering this as a service, a standalone service as well, together with partners by the way, so together with Cloudworks for the Nordics. And we call it an identity security assessment, where you do not use and install the platform yourself, but rather we come in with the platform, we analyze what the core systems are for you, we import the data, set up everything, apply the security controls, and in the end you get this nice report, like in every assessment, a nice report that shows you where your major risks are, but also an actually working instance of the platform that makes this tangible, that makes this actionable. So you see all the controls from the report in the platform, and if you want to know the details, if you want to investigate what to clean up, who to address, if you want to maybe trigger access reviews, you have that platform as well, making this effort from your side again a lot lower and making this a perfect starting point if you have to do a lot with a small security team. And that's the last thing that I wanted to say. So here on this slide you again have the links towards the identity assessment, should that be of interest, but also the KPI guide, we call it, so that you can see the second QR code that you see there, how to prove that you're in control, if you're interested in doing this exercise yourself. And definitely take a look at that guide because it contains a lot of information about all the different security controls that you could apply to your identity data, and it's by far our most downloaded resource these days, so I guess there should be something of value in there. And here, that's everything that I wanted to talk about, so I would say I give the wording and to you, and if there are any other questions then we still have some time for that.
Yeah, sure. Like mentioned in the beginning of the presentation, now there's some room for some difficult or not so difficult questions for Maarten and Ivar. We have the first question
is, I think, okay, I have it here. I think it's a question for Martin, but Ivar, feel free to give some insights afterwards as well. Will your IGA solution be a path towards the full-blown IGA solution, in the end eliminating itself, or will it continue to have its place in the organization's IGA environment? So Martin, that's maybe a question for you. Good question. That is a good question, yeah. Maybe let me show another slide for that. Well, not another slide, one of the slides that I already showed in the past. So I think your question, Niels, is relating to this slide here. I think your question comes from the part that we do not do provisioning, deliberately, and at some point an organization might mature and want to do that, and that's where maybe a full IGA suite could come in later on. And based on our experience, I think we see two different profiles there. So on the one hand you have the smaller organizations, like in the use case that I talked about. For them a full IGA suite will never be the answer, just too much work, and what they actually work towards is a combination of, like, Elimity for the governance, the access reviews and so on, and then maybe using another lightweight provisioning engine to do provisioning for the core systems. They will never do this for all of the applications, but rather they use something like Entra ID. It has some basic workflow and provisioning capabilities to do that provisioning for their top five internal systems in order to lower the operational overhead, and then you end up with a combination of lower overhead for the core systems together with visibility and governance for the complete set of applications that you have. That's a combination that we see. And then on the other hand we have a number of customers that are larger organizations and that are moving towards a full IGA suite, or have this idea at least to do that in the end, and in that case you see that this is really going to these four blocks on
this slide. That's this data that you built in a couple of years before with Elimity, and this also helps in doing some of the first steps towards an IGA, like I said, the role modeling and the cleanup and so on. Those are preparation steps for them to start automating later on, and that really helps there. And in that case we've never had the case where Elimity is then thrown out as well. What you rather see is that you have all of these connectors already, you also add the connector to the IGA, so you can then compare the roles in the IGA together with what is in the actual target systems, and it just takes on another role than the primary role it filled. So it's not like we've eliminated ourselves yet, we haven't seen that, but I understand where your question comes from. I hope that answered your question. Definitely, thanks for that. Yeah, very good, very good question indeed. And then we have another question from the audience, a bit of a tricky one. Martin, I think this one is for you as well: isn't Elimity just a one-off? Well, I can also reply if you want, but I think that the answer there is what I tried to say with the identity assessment. In that case you could see it as a one-off. It can be something limited in time, let's call it that. So the identity assessment is something where the intention of deploying the platform isn't really that you would start doing this for months or years to come, but rather you would like to limit the initial effort and get faster results, and you can definitely use it in that way. That's actually what we offer in the identity assessment offering as well. But I do have to say, based on experience, if the platform is running, why turn it off? So you see that afterwards there's definitely value in keeping the platform running and making it a longer-term exercise, because if you then start cleaning up, you want to see your effort, you want to see the results
of that effort, and maybe over time mature into more continuous monitoring, the governance with the access reviews and so on, and that's really how these different steps link together. But you don't have to, so if you want to just stop after a few weeks, if you're happy with those results, for an audit maybe, and then clean up at your own pace, that's perfectly fine, no? Is that also your experience there? Yes, sort of, and I agree with you, Martin, but I think that using it as a one-off will give you control over the identities for that specific time, and if the result of that one-off is that you have a lot of deviations to fix, it means that things will happen as you move along, and then you need to do this repeatedly. So we would recommend, as long as you do the task to just integrate and do the reporting and get an overview one time, why not keep it and do another review? I mean, if you sort of see that things look fine, you can wait a year or so, but still you can pick up those changes and see what was happening within your system. So, yeah. Yeah, okay, clear answer. And maybe one last question about the reporting capabilities, because we discussed regulation a bit. How do you compare the capability with a traditional IGA? What's the difference regarding the reporting capabilities? Martin, you want to kick off, and then afterwards Ivar? Yeah, sure. So, like we said, maybe to show the slide again with the overview of the platform: this is not a reporting platform. So if you see major IGA suites like SailPoint and One Identity, they always provide the ability to export some data into reports and do some work with that. The intention here is, it's analytics, so it's much more the line of thinking of a Power BI. That's why I like the combination, or the phrasing, of "this is a Power BI for IAM" a lot. One customer said that and it stuck with me, because this is where you automate the data input, you build your reports, your views on that,
and it makes it a lot easier to dig into the details there. And it goes beyond that, of course, with the monitoring, the active monitoring, that's not the reporting anymore, the access reviews, the change requests where you indicate necessary changes and you track the states of that. So it becomes a lot more than just reporting. This is really an audit-focused and security-focused platform which gives you all of the tools to show that you're in control. And in an IGA itself, if you have the data there, that's definitely a good starting point. It becomes a lot more powerful if you have that data to also include that in the Elimity deployment. The presentation that we gave now has a focus on organizations that don't have an IGA yet, but we equally have customers that have a partial deployment, so One Identity or SailPoint connected to some of their systems but not all of them, and you want to complement that, or very extensive IGA deployments where you just want to put Elimity Insights on top of the data in SailPoint, for example, and make it easier to do security controls on that, and it's an extension from the reporting into the analytics part. So there are many different variations of how you can deploy this platform. This presentation focused on those organizations that have security requirements and want to start with improving their security as efficiently as possible. Yeah, okay, perfect, clear answer. Maybe those were the main questions for today. We have maybe one last question and then we can wrap up this session: which deployments does Elimity support, cloud or on-prem? Martin? Both. We have a SaaS offering for SaaS-first companies and we have an on-premise offering for those companies that want to keep their data local, and if you have a lot of on-premise sources, then it probably makes more sense to deploy Elimity Insights on-premise as well, making it easier to connect to stuff
like file shares and Active Directories and so on. But it's fully featured, so there's no difference between the offerings. It's just a question of where you want to keep your data, mostly. Okay, perfect. I think that was it for today's session then. There's nothing left than to thank you both. Thank you, Ivar, thank you, Martin, for your insights regarding all the challenges and solutions and the partnership with Cloudworks. If you have questions, you can definitely reach out afterwards towards myself, towards Martin or Ivar, and discuss your use case. For the record, this session has been recorded and will be sent to all people that registered beforehand, so everybody will get the recording in one hour, I think. So then you can feel free to share the recording with your colleagues and other identity and access management experts in your country, and then we hope to see you soon. But thank you both, and thanks to all the attendees. Bye-bye. Bye. See you later. Bye. See you.