The three questions you should always ask with identity governance

SailPoint works on an identity governance platform which answers three important questions:

• Who has access to what?
• Who should have access to what?
• How is that access being used?

Paul Trulove, Chief Product Officer at SailPoint has been with the company for 11 years, and now spends most of his time now focusing on innovative product strategies and customer collaboration. This ensures there is a continuous link through all of SailPoint’s products. Taking the time to explain that identity and access management as a market is a lot bigger than people realise, Trulove said: “There are different pieces of technology and problems that identity access management tries to solve. We focus on identity governance, which is really focusing on who has access to what, and what they should have access to, and making sure that stays in sync. This is throughout the enterprise, and every users lifecycle, whether that is an internal employee, or a business partner or potentially even a B2B customer.”

Trulove added: “This is the more focused area for SailPoint compared to other vendors who steer more to privileged management, where they vault credentials so there is a clear check-in and check-out system.”

When Trulove was faced with the question: ‘Has security and identity governance become more of an issue since IoT and the Cloud?’ He broke it down simply, and said there are three things that are fundamentally changing for identity governance.

Digitalisation of the enterprise
There is so much more information and business processes that people interact with and manage day to day that are digital, and therefore there is a greater need to grant and revoke access, and a greater need to secure that access, so that only the right people are using it.

The Cloud
More recently you see large enterprises that consist of averagely 1,000 cloud applications, and most of these cloud applications are not following under the identity governance programme. More importantly they are being manually administrated which is basically doing things that are convenient, not controlled. Which is then creating risk exposure, which eventually will lead to costly repercussions.

IoT
Then we come into the IoT and some of the other emerging technologies, which are creating a lot more complexity in environment on what needs to be managed.

“The hot topic in this area is the RPA – Robotic Process Application, which is not really an IoT device, it’s taking a manual process that used to be done by a human, and using a software to replicate it. What I have created in that process is really a fake human, that has the same access as a human but we don’t need to review their access and grant certain permissions. However if someone gains that access it can be very dangerous.”

Does security put people off robots?
Trulove said: “I don’t think a lot of people have fully considered it. It’s the typical reaction in a larger workplace – costs need cutting so they can’t hire as many people, so instead they just automate something. However further down the road someone on the security side or IT side will realise the risks this has caused and make them aware of what they have just done, a little too late.”

Quite often what seems an easy job has dangerous repercussions, many are justified business reasons but with lack of understanding of the security and compliance implications. With RPA you have no way of tracing it back to an individual, and these risks aren’t always recognised so that is what SailPoint try and help with. As Trulove added: “Identity ends up being the elements that connects worlds together.”

SailPoint offers a couple of different software applications, and also offers software as a service application too. Trulove explained: “At the end of the day it’s all software, it just depends on how you want to ultimately consume it.”

It all begins with connecting to what you need to manage, Trulove said. “We are generally going to connect to a source of identity, which gives them the information on all of the humans that need to be managed so they can create a digital database. Then we start to connect to the targeted systems, and there we can create an identity cube, which is everything I know about the user and the access, so that creates a single place in the enterprise that I can easily go to and see what I need about a certain person.”

After identifying comes the governance model, taking a look and thinking what level is the correct access for certain users, and this can be established through roles or through strict policies.

SailPoint deal with a varied number of situations for customers, naturally the company aims to prevent problems before they arise, but of course there have been situations where customers have approached the company seeking for help to fix a problem that has already happened.

Trulove commented: “We have a couple of situations where customers have to come to us, mostly with legacy replacement who have tried something that isn’t scaling with their business, and are looking to replace that. We have also had customers that have some kind of audit deficiency or data breach. Almost all security breaches result in some sort of failure of identity governance controls. We do however see some customers who are just going through the natural process of eliminating potential deficiencies.”

Currently we are seeing a lot of people transferring jobs and not cleaning up the access so they are just gaining more access. “One of the things we see in a lot of customers that have not had good identity management programmes is finding a tenure employee and they will have a massive amount of access they should not have in their current job. Additionally if they had moved different job functions it could been a lot worse.”

Can you overthink it?
One of the most basic simple things in identity management is deprovisioning someone’s access when they terminate their employment in the company. Trulove said: “It is shocking in 2018 that we are seeing that as one of the most fundamental security gaps in existence in enterprise.”

It happens mostly because people don’t have good visibility to what users have access to, and companies don’t have the software to go in and do it automatically, therefore you end up on relying on someone knowing when they terminate employees, what they have access to, and they end up guessing. Which more often than not leads to accounts and parts being missed off when removing access. This is an easy way for malicious actors to come in from the outside, finding a dormant account that no one is using, and they begin to utilise it in a bad way.

Other simple ways of people gaining access where they shouldn’t include people coming out of retirement to do some smaller jobs for a previous company, trying to log back into their old system and still having full access to many systems they shouldn’t.

Contrastingly companies can often lose sight of who they have delegated jobs and access to, Trulove explained: “Creating a map of who can access the CEO’s email and calendar, you will find a shocking number such as several admins who have been promoted over the years.”

Trulove finished by stating how simple these mistakes are: “It’s the little things like these that people lose sight of. And these things you would think that any mature organisation in 2018 would have their hands around – but they don’t.”

If we struggle at the simple things now, are we going to get better or worse?
Trulove answered: “I think we have the opportunity for it to get better, and the reason I say that is the first ten years of identity related technologies, companies struggle to get implemented and successful. I think a lot of the new things we’re doing now are making identity more accessible to people who don’t necessarily have the expertise, where that be subscribing to it as a service, or whether that is the available expertise on the market.”

Trulove explained that as the technology and knowledge develops it will become harder for people to suffer these silly mistakes, and will allow organisations to make modest investments to improve on risks. A lot of the time people just need to be educated – there is a big gap and we need to help bridge the gap. “There are now more tools available for companies to do a good job at identity governance than we have ever had before.”