Interview with David Leporini - Ensuring the Right Access for the Right People
In this interview, David Leporini, Director of Cyber IAM Products and General Manager of Evidian, discusses the major changes affecting the cybersecurity market and Evidian's approach to Identity and Access Management (IAM).
Published in Informations Entreprise No. 188, October, November, December 2023
Identity and access management is becoming the cornerstone of modern information systems. Evidian*, a French leader in technology, combines expertise and innovation to serve a rapidly changing world.
*Evidian is a software product line of Eviden dedicated to Identity & Access Management.
Informations Entreprise: Can you shed light on the major changes that have impacted the cybersecurity market?
David Leporini (Director of Cyber IAM Products & General Manager of Evidian): The evolution of the identity and access management market is being significantly disrupted by several dynamics. The first, which cannot be ignored, is the impact of the pandemic on the professional world. Remote work, already in existence but confidential in terms of scale, has seen an unprecedented acceleration, forcing companies to reconsider their security protocols for remote connections.
Companies had structured themselves around an internal security perimeter protected by firewalls and VPNs. However, this concept has given way to more complex architectures. Now, employees and third-party partners need to access professional applications from various locations, outside the company's internal network, including paths that do not necessarily pass through this network. This introduces increased complexity in identity and access management.
Furthermore, the regulatory landscape is becoming denser. For example, the European NIS Directive 2 extends security requirements and will come into force in France no later than October 2024. This directive requires companies to formalize their risk analysis policies further, accelerate the processing and disclosure of vulnerabilities, and improve security incident handling, especially incident detection and response.
Regarding sovereignty, especially in France, it is undeniable that data control is of crucial importance. Encryption is often mentioned as a primary mechanism to ensure sovereignty, but it cannot be separated from a robust identity and access management system.
Informations Entreprise: Could you discuss the main challenges and opportunities you identify in the current evolution of the identity and access management market?
David Leporini: In the complex landscape of identity and access management within enterprise information systems, two major categories of projects have emerged. First, there is the strategic desire to regain full control over identities, whether they are employees, consultants, or other partners interacting with company data. Indeed, previous methods, often manual and poorly documented, have shown their limitations.
In this regard, the role of solutions such as identity governance systems, especially those based on IGA (Identity Governance and Administration), is crucial. These systems allow for automated management of user lifecycles, permissions, and roles within the company. They also provide audit, reporting, and dashboard mechanisms for an overview.
This approach requires close coordination with all functions of the company. Human resources processes, especially regarding arrivals and organizational changes, must be seamlessly integrated. Similarly, special attention must be paid to internal changes, the integration of external collaborators, and the evolution of roles and permissions within the organization. Some regulations also require the separation of functions to prevent conflicts of interest or potential abuses.
Informations Entreprise: Can you enlighten us on how Evidian approaches identity and access management?
David Leporini: Rigorous identity and access management is essential. Our approach begins with establishing the company's security policy around precise organizational and operational rules that govern permission management. We develop what could be called "approval workflows" to regulate access based on hierarchical or operational criteria related to specific projects.
Our system, like an air traffic control tower, models all security processes related to access permissions within the company. This solid foundation ensures that at any given moment, each user has access only to the data and applications strictly necessary for their role. Once this base is established, we can deploy additional security rules to strengthen authentication protocols in line with security policies.
Furthermore, it is essential to note that governance does not stop at the implementation of these processes. Regular audits are conducted to control access and identify any deviations or exceptions that may occur. In fact, exceptions are more the rule in our environment. Whether it's a project creating access outside the usual processes or employees using their own devices, our tool monitors and brings these cases under governance.
In addition to these reviews, our system can generate real-time alerts in case of non-compliance with established security policies. This can range from enhanced authentication for external access to specific identification mechanisms, driven by our global security policies.
Finally, our product also includes analytical features that generate regular reports on the application of established policies, providing complete visibility into compliance and exceptions, and ensuring the maintenance of defined security standards.
Informations Entreprise: What is the evolution you observe in deployment methods?
David Leporini: Undoubtedly, the evolution of the identity and access management market is a predominant topic that requires supporting multiple deployment and operation approaches.
Historically, our solutions have been deployed in two essential ways. First, the traditional model where the client hosts the solution on their infrastructure, thus managing the product independently. This option, of course, still exists today.
Secondly, a model in which the client opts for an off-site deployment, entrusting the management of the product to our teams or third-party hosting providers, often in collaboration with Eviden, Groupe Atos' cybersecurity teams. This method has also proven successful.
However, a third path has made its way into our range of offerings in recent years. This is the SaaS model, which allows companies to focus on the functional use of our solutions without the inherent hassles of deployment and hosting. Although this model is not universally applicable—some sectors, especially defense and critical infrastructure, are still reluctant—it is increasingly favored, especially in a software deployment model.
Informations Entreprise: How does Evidian adapt to the dynamics of American startups and technological innovations?
David Leporini: Our market is characterized by a certain maturity, evidenced by consolidation movements but also by ongoing excitement, particularly in North America and Israel, where funding flows to startups specializing in innovative themes. While the fundamental principles of security remain constant, access and administration methods evolve due to technological innovations, especially the advent of cloud and SaaS models.
Evidian, with more than 900 active clients worldwide, cannot remain static in the face of this changing landscape. Our strategy relies on both innovation and the retention of our installed base. We invest in R&D projects funded at the French and European levels, focusing on the use of artificial intelligence to automate more processes and the development of sovereign digital identities. These open the way to new models of user-controlled identity attribute control.
Informations Entreprise: What are the challenges and successes of Evidian in terms of international exposure?
David Leporini: It would be wrong to assume that the longevity of a French company could be a hindrance to its international expansion. On the contrary, we have the honour of counting among our clients a Japanese entity, where we have deployed one of the largest identity governance infrastructures. This is a long-standing partnership with Nippon Telegraph and Telephone, or NTT, which has seen the deployment of a solution for more than 350,000 users. This reference is undoubtedly a top-notch business card for our company, especially in Asia and Japan.