Identity Talks Archives | SailPoint
https://www.sailpoint.com/blog/category/identity-talks/
Identity Security for the Cloud Enterprise
Wed, 19 Jun 2024 04:26:03 +0000

Women in Identity Security: Mariah Finleon, Inside Sales Director
https://www.sailpoint.com/blog/women-in-identity-mariah-finleon-inside-sales-director/
Wed, 14 Jul 2021 14:18:54 +0000

Outside of our comfort zone is a place that most of us don’t like to be. That isn’t the case for SailPoint’s Mariah Finleon, Director of Inside Sales. In this Women in Identity blog, we sit down with Mariah and learn about her journey to identity security and who helped her get here. 

Tell us a little about yourself and your career journey.  

My career journey began in the restaurant industry. I started as a hostess, then waited tables and bartended, and eventually managed. From there, I entered the insurance field, where I got my life and health insurance license and sold policies for 2 years before moving over to the tech industry. My first inside sales role was with VMware, and it took about 9 years before finally landing my ideal sales role within the company. I joined VMware as an ISR and worked my way up to lead SLED East for a few years, then a specialist team, and most recently managed the AMER Global and Telco team for the inside. Now, I’m the director of inside sales at SailPoint – a career goal I set for myself years ago. My path is unconventional compared to some, but I appreciate the unique route I took as it has given me so many perspectives to utilize as I look at any team or business.

What do you think your career will look like in 10 years? Do you expect to see more women leaders in the field? 

I want to continue to challenge myself, grow, and develop in my career. In the next 10 years, I hope to be running an inside organization in a senior vice president capacity that scales worldwide. I expect to see more and more female leaders in the field as the world continues to shift its focus on our development and the value we bring.  

Who are some of the women that have impacted you in your career? Why? 

First and foremost, Victoria Abeling had a huge impact on my career. She hired me into my first leadership role at VMware and constantly challenged me to grow and expand. Another female leader I have always been motivated by is Nicole Collins. Nicole influenced me to get out of my comfort zone and reminded me that if you are comfortable in your role, it’s probably time to take on the next challenge. Being comfortable should make you realize you have hit your ceiling.  

Who do you follow on social media or what groups are you part of that positively influence your career as a Woman in Identity? 

I follow Leadership First on LinkedIn, and I am constantly finding new stories, blogs, and quotes that keep me inspired to be the best leader for my team.  

Women in Identity Security: Kaylee Reardon, Inside Account Executive
https://www.sailpoint.com/blog/women-in-identity-kaylee-reardon-inside-account-representative/
Wed, 30 Jun 2021 14:33:27 +0000

If you’ve ever used a Swiss Army knife, you know it has many different functions. That’s like SailPoint’s Kaylee Reardon, inside account executive, strategic enterprise: she can do it all. With a background in non-profit and software industries, she honed her skills in sales, fundraising, recruiting, hiring, training, client relations, account management and event planning. So, it’s no wonder that we wanted to sit down with Kaylee for our Women in Identity blog to learn more about her experiences and what influences her as a woman in the identity security industry.

Question 1: Tell us a little about yourself and your career journey.

My career journey didn’t take the path I envisioned, and I am so thankful for that! I grew up as a fourth-generation farmer in the Midwest and found my passion in fine art photography in high school. I moved to Texas to pursue a degree in photography, and while attending college I worked at the fundraising call center on campus. This part-time job led me to a career in fundraising for higher education institutions. Fast forward a decade, I took a leap of faith and entered SaaS sales. With this career shift, I joined SailPoint as a part of the Inside Sales team under Katie Bucur. Even though my career didn’t take the path I planned, I couldn’t be more thrilled with where I am today. I was once told to be open to opportunities that didn’t “fit my plan” and it has been the best advice I have received.

Question 2: What do you think your career will look like in 10 years? Do you expect to see more women leaders in the field?

As I look forward to the next 10 years, I want to be a champion for women as they look to move into leadership roles or advance their leadership titles/responsibilities. I am where I am today because of the women who have come before me and mentored me along the way. I want to continue to pay it forward by lifting other women up and helping them reach their dreams. 

Question 3: Who are some of the women that have impacted you in your career (and/or influenced direction/decisions you’ve made professionally)? Why?

The first woman to impact my career was my mother. She never took the path that was outlined for her but paved her own instead. She is now a world-renowned expert in her field and takes every opportunity to give back to others. Today, I have found numerous female mentors within SailPoint who champion my success and continue to help me pave my own path.

Question 4: Who do you follow on social media or what groups are you part of that positively influence your career as a Woman in Identity?

I follow Brené Brown and love her philosophy on daring leadership. Her newest podcast, Dare to Lead, has been a staple for my weekly podcast listening, and I highly recommend it! 

Extensibility Made Easy with iPaaS Connectors
https://www.sailpoint.com/blog/extensibility-made-easy-with-ipaas-connectors/
Wed, 16 Jun 2021 15:23:13 +0000

In the last decade, new innovative technologies have made our lives so much easier. Food arrives at our doorstep with the tap of a button. Alexa makes it easy for us to order anything we want by simply talking into a speaker. We can watch whatever movie or TV show, thanks to thousands of options on Netflix. At SailPoint, we’re taking the same approach of making our extensible SaaS services as easy to use as possible.  

Earlier in the year we launched our open platform along with our developer community. With hundreds of available APIs and event triggers, any kind of integration is now possible on our SaaS platform. We’ve even taken it one step further and built connectors into common iPaaS (Integration Platform as a Service) platforms to make the creation of these integrations as frictionless as we can. 

An iPaaS platform gives you powerful tools and capabilities to create complex workflows and connect to other applications. Our SailPoint connector in Zapier, Workato, SnapLogic and other common iPaaS platforms allows you to drag and drop SailPoint’s event trigger functionality and leverage SailPoint APIs to easily create integrations to solve any number of use cases. 

You can now log into Workato, click on the SailPoint connector, and rapidly create a workflow that triggers an automated certification campaign by monitoring changes to an employee’s cost center or department. You don’t have to worry about developing complex applications. Workato’s drag and drop workflow functionality allows you to rapidly create a connected ecosystem of applications with SailPoint at the center of it driving your desired business processes.

Data governance, error handling, and lifecycle management all can be managed within an iPaaS platform. You can automate workflows where you’re constantly monitoring the risk level of your users and immediately take action when a threat is detected. For example, if someone inadvertently clicks on a phishing email, thereby compromising their user credentials, an automated workflow using our connectors can be set up where that specific user is quarantined right away. With SailPoint powering your identity security program, the iPaaS platforms vastly simplify the creation of risk and threat detection solutions. 

Other use cases that can be solved on these iPaaS platforms are custom approval workflows, delegation of work items to someone else while the main owner is out of office, or reviewing specific certifications prior to approving critical application access requests. The possibilities are endless when it comes to leveraging iPaaS platforms in order to build comprehensive SailPoint identity security solutions.

With an ever-increasing number of SaaS applications in an enterprise cloud environment, our pre-built iPaaS connectors make it easier than ever to manage all the data and have SailPoint embedded within your business ecosystem. You can use pre-configured templates and not worry about developing workflows from scratch. And best of all, you can solve your toughest identity security challenges without needing a degree in computer science. A few clicks of a button and you’re done!

The Missing Link: Combining Identity Security with Cloud Access Management
https://www.sailpoint.com/blog/the-missing-link-combining-identity-security-with-cloud-access-management/
Fri, 05 Mar 2021 16:01:28 +0000

The adoption of Infrastructure as a Service (IaaS) is rapidly increasing, with more than 78% of organizations using at least 2 different cloud IaaS platforms. Many organizations have adopted stand-alone Cloud Access Management solutions to monitor their multi-cloud environments, but is that enough? While these solutions are good at providing visibility into cloud access, they lack the ability to link cloud access back to an identity within the organization. This makes it difficult to know how or why that access was provided, and changing cloud access without that knowledge could cause disruptions in business processes or, worse, introduce security and compliance risks. Without a doubt, organizations need an integrated solution that goes beyond visibility, providing insights that drive action with proven and trusted identity solutions.

In the coming months, SailPoint will be releasing the initial integration between its Cloud Access Management solution and market-leading SaaS identity platform, providing comprehensive cloud access visibility and governance for organizations across Amazon Web Services, Microsoft Azure, and Google Cloud Platform. This will allow SailPoint users to view IaaS access in real-time, arming their administrators and reviewers with the details they need to make more informed decisions around cloud access.  

What’s ahead 

Future expansion of this integration will continue to take advantage of SailPoint’s unique position for managing and governing cloud access, with a particular focus on the key areas of Access Requests, Certifications, and Separation of Duties Policies. By linking identity security and cloud access management, organizations will be able to enforce existing policies and procedures on cloud access, just as they are used for all other access across the enterprise.

Head over to our Cloud Governance hub for more info!  

Improve Process Automation using SailPoint and Amazon EventBridge
https://www.sailpoint.com/blog/improve-process-automation-using-sailpoint-and-amazon-eventbridge/
Tue, 02 Mar 2021 02:49:21 +0000

These unprecedented times have impacted almost every organization and forced them to accelerate their digital transformation. This acceleration has also put additional strain on IT resources. This digital transformation, the changing workforce, and an ongoing wave of compliance and security requirements have introduced so many users, points of access, applications and data that it has become almost overwhelming for IT departments to keep up.  A human-based governance approach can only scale so much, and with it comes error in identifying risk.  To effectively address this, you need greater flexibility and adaptability in your identity security solutions and that equates to better process automation. 

That’s why in today’s new normal, organizations need to figure out how to work smarter not harder.  By creating custom workflow and integration options, you can seamlessly embed identity security within an existing ecosystem of applications.  Instead of supporting hundreds of cloud applications in disparate systems, connecting all these platforms into your existing system is the preferred way to go.   

In a recent survey sent out to organizations moving to the cloud, 91% indicated that they are still relying on manual processes to document and report user access and activities. These manual processes are time-consuming, require more IT resources and most critically, can create security gaps and blind spots.  Automating workflows and processes around securing access will ensure that you have a program in place that is protecting your enterprise and meeting all compliance requirements. 

To tackle today’s highly complex and dynamic application ecosystem together with a growing virtual workforce, organizations must take a security and compliance approach that’s built on automation. To help you easily integrate identity management into your AWS-based IT application ecosystem and automate processes easily, SailPoint is excited to announce our new AWS integration with Amazon EventBridge as part of SailPoint’s extensibility capabilities.   

This integration, together with SailPoint’s APIs and Event Triggers, will help you to connect to various SaaS applications without a significant amount of coding or development work. This enables you to build rich integrations quicker and accelerate your time to success. You can customize your integrations and create custom workflows within an AWS environment without having to worry about API-based integrations and tedious API management. The Amazon EventBridge framework combined with SailPoint’s APIs and event triggers provides you with powerful customization capabilities. As an example, using Amazon EventBridge, you can easily set up custom notifications in Slack any time a new employee joins your organization. Or you could set up automated certification campaigns triggered by an employee changing roles.

SailPoint and AWS are building upon our existing partnership to ensure that our mutual customers have a simple, efficient way to design a tailored identity management program that takes minutes instead of days and weeks. With SailPoint’s latest Amazon EventBridge integration, organizations can now spend less time on time-consuming technical complexity and more time setting up a personalized experience to solve challenging identity use cases. 

Here’s how the integration works: 

  • SailPoint sends an event that matches an Amazon EventBridge rule (e.g., an identity’s manager changes)
  • That matched event is then sent to AWS Lambda which then calls an endpoint, like Slack for example, to generate a notification 
  • Alternatively, that event could be sent to Amazon Simple Notification Service (SNS) to send a simple text message or email  
  • Any number of AWS services, like Amazon SQS, Amazon Kinesis streams, AWS Lambda can be leveraged to create custom workflows or take specific action based on this event 

Amazon EventBridge makes it much simpler to handle any changes or interesting events that are happening in SailPoint’s embedded identity solution within your organization.  A tailored solution can be created, and different applications can be connected to streamline the effectiveness of your identity governance solution within your AWS account.    

SailPoint and AWS together can help you secure your organization in the best way possible in today’s uncertain times. 

To see the SailPoint – Amazon EventBridge integration in action, be sure to check out our joint Howdy Partner event on the AWS Twitch Channel on March 3rd from 2-4pm PST.

Making Identity Secure and Easy with SailPoint for Slack
https://www.sailpoint.com/blog/secure-identity-with-sailpoint-for-slack/
Mon, 01 Mar 2021 14:49:05 +0000

Technology must be easy. We hear this all the time. And of course, you can’t do business without technology. This is where the two must align but that’s not always an easy thing. The rallying cry from your users is “don’t make me think!” This means that we must adapt the technology experience to the way that users typically think and interact during their everyday lives. The turning point for applications such as Uber, Airbnb and Amazon was how easy and intuitive these companies made it to quickly request and receive the services you wanted, immediately. If you had to spend a half-hour trying to request an Uber while standing on the corner, well you get the idea.   

For me the turning point of easy to use technology was my universal remote. I know many of you can relate. Having to bounce back and forth between all my various remotes drove me crazy when I just wanted to sit back and watch my favorite show. Inevitably, everything would get out of whack and then nothing would work. And having to teach my Mom how to use multiple remotes when she would come over to visit, well forget that.  My universal remote changed all that — one simple, intuitive interface that made my life easier.  

Technology has to be easy, and it must be everywhere you are all of the time, where you live, work and play.

Identity security should be the same way.   

At SailPoint, we are always trying to innovate to make our customers’ lives easier and simpler with identity security. An important way to achieve this is to provide identity security capabilities within applications that enterprises use most — which are most often collaboration tools like Slack.   

SailPoint now provides the power of identity security where your users are – their Slack workspace. SailPoint for Slack enables users to get the access they need to stay productive from within the tool they use the most, all while maintaining strict governance and compliance controls. SailPoint for Slack provides users access to corporate resources anytime, anywhere right from Slack.

By enabling this functionality within Slack, organizations can improve employee productivity and at the same time reduce the turnaround time for requesting and approving applications that are mission-critical tasks in any organization.   

One of our core mantras at SailPoint is how to make onboarding and Day 1 access easier for new employees by giving or enabling them to get access in the quickest time possible. 

SailPoint for Slack enables users to stay productive from the tool they use every day, all while ensuring access is always right-sized for each user. A more intuitive and familiar user interface gives organizations and users a shorter learning curve and lets users get the access they need when they need it.

Each of the benefits below is accessible through the Slack mobile app as well, giving users secure access whether they are at their computer or on the go:

  • Increase productivity and efficiency by requesting application access right within Slack 
  • Eliminate the continuous distraction of switching between multiple applications
  • Accelerate the delivery of application access – no more lengthy approval times or manual IT requests

See how easy it is to enable secure application requests and approvals right within Slack, anytime, anywhere. 

To learn more about SailPoint for Slack, be sure to check out our SailPoint for Slack integration page. 

Three Questions With Nicolette Stewart, Associate Manager, Customer Success Management
https://www.sailpoint.com/blog/three-questions-with-nicolette-stewart-associate-manager-customer-success-management/
Wed, 24 Feb 2021 17:13:26 +0000

Meet Nicolette Stewart, Associate Manager, Customer Success Management at SailPoint. Her career journey started back in 2001 where she worked as Provincial Secretary for the Director of the Fraud Unit in the South African Police Force. While that may sound like an unlikely beginning to where she is now, it fed her curiosity in online security safety and how easy it is to falsify an online identity.  “That job helped me build my confidence as in Nov 2004 I moved to the UK with my two young children in search of a better future for the three of us,” Nicolette said.   

Before making her way to the #SailPointCrew, she did some temping for Vodafone and then moved on to a data governance company. She stayed there for 10 years before finding her home (and happy place) at SailPoint in April 2018. We sat down with her to learn more about her career journey and leadership advice!  

What was your first career win, and how did that help you get to where you are now?   

My first career win and possibly the most symbolic event in my career was when I got the position working at the Police. I will never forget my father’s face when I told him I was offered the position. There had been 14,000 applicants for seven positions that were available, and I got one of them. “You see my girl, they see in you what I see in you. Now you just have to believe in yourself.” Those words that he said to me have stayed with me forever and are the driving force for my success. Sadly, my father passed in Dec 2005, a year after I left South Africa, but every time I have a career win, I remind myself of how proud he was of me that day, and I give myself a small tap on the back, and I continue moving forward.

What habits or rituals do you have when you feel stuck?  

Well, I look at this question as having two possible answers.   

If I feel stuck trying to solve a work issue or query, I like to doodle and draw on my notepad while thinking of the issue, and sometimes the answer will hit me from nowhere. Occasionally I discuss it with my partner. Although he is in no way a CSM, he has listened to enough of my stories and daily recollections that sometimes he even surprises me with the suggestions and ideas he comes up with.  

If I feel stuck in the sense of fight or flight, I face the situation head-on most of the time. Don’t get me wrong–I know when to pick my battles. But being the youngest of six daughters, you kind of learn to stand your ground and be assertive. My father used to say: stomach in, chest out, which in literal terms means “push your chest out and raise your shoulders to stand strong,” and those words resonate in how I take on every situation that comes my way.  

What are you most proud of?   

My biggest and proudest achievement in my life are my sons. To have had the opportunity to move to the UK when they were young so they could achieve their full potential with all the opportunities bestowed on them. To be able to share in our individual successes as adults and to appreciate being able to not only watch them grow into amazing young men but for them to be able to watch me continuously pushing and innovating to be the best version of myself. It is not easy immigrating and leaving family and friends at only 25 years old, but I am proud of myself and my boys for not wasting a single day and making sure that we embrace every opportunity that comes our way. 

Three Ways Identity Security Protects Critical Infrastructure for Utilities
https://www.sailpoint.com/blog/identity-security-protects-critical-infrastructure-for-utilities/
Thu, 18 Feb 2021 16:41:48 +0000

Author: Rob Wilson

Modern-day utilities look nothing like they did 20 years ago. While they still provide critical services to homes, businesses and communities, digitalization and decentralization have reshaped the industry from being traditionally cautious to one that’s digitally savvy and open to change.  

Along with addressing ever-evolving regulatory requirements such as NERC CIP to secure a ‘corporate digital identity’, utilities today must update their organizational structures to keep up with market demands, control costs, and maintain the productivity of an increasingly varied and fluid workforce. Perhaps even more importantly, utilities must take steps to ward off potential cyberattacks to ensure critical infrastructure is always available.

It’s not a question of “if” but “when” an attack will occur. According to research by Ponemon Institute and Siemens, 54% of utilities expect their operation technology will be attacked within the next year. With 30% of all data breaches at utilities caused by internal actors, effectively managing identity and access to applications and information is absolutely pivotal.

Relying on manual processes for access management and governance raises the potential for inefficiency, regulatory noncompliance and security risks. Automating identity processes gives utilities the power to increase visibility, generate efficiencies, and improve compliance and security.  

Increase visibility 

SailPoint’s identity platform enables utility organizations to see and control user access, providing answers to three critical questions:  

  • Who has access to what? 
  • Who should have access? 
  • How are they using their access?   

With complete visibility into every digital identity found across the organization, utilities can ensure that only the right people have access to the right information.  

Drive efficiencies 

Manual onboarding simply cannot provide the same efficiency and security for granting access to employees and contractors as an automated platform. Utilities can quickly scale their workforces and reduce the time it takes to give them access to the right applications and information. Then once an employee leaves or a contract expires, access can be quickly terminated.   

Improve compliance  

Through SailPoint’s identity platform, utility organizations can see and control all user access – even to applications and data that are in the cloud, a hybrid environment, or in legacy and proprietary systems. Additionally, policy controls and audit trails reduce the burden on management to demonstrate compliance to auditors.  

The Identity Management Pendulum: Identity Security Mitigates Access Management Risk
https://www.sailpoint.com/blog/identity-security-mitigates-access-management-risk/
Tue, 02 Feb 2021 16:03:27 +0000

It wasn’t so long ago that identity management was commonly thought of as a compliance and enablement tool for large enterprises. The market was born from a compliance standpoint. Since then, SailPoint has led the evolution of identity into what it is today: foundational to securing and enabling today’s digital cloud enterprise. Today, a large part of identity management is centered on security and risk mitigation. Identity security has become the new perimeter or “firewall” for today’s enterprise companies. “Identity management” is now as much about identity security and risk mitigation as it is about providing access. But this story continues, and in fact, has only been accelerated by the events of the past year.

And this is where it gets interesting.

Identity security, our world, is about enabling access and protecting businesses everywhere. It’s not either/or. Access management (sometimes referred to as “IAM” or identity and access management) is simply focused on granting access. It’s about connecting workers to the apps and systems they need to do their jobs in a fast and efficient manner. But that’s where it stops: at the connecting of workers to apps.  While a necessary step, enterprises are now asking “How do I secure that access?”  “How do I know who is doing what and when?” “How do I protect sensitive business data from risk?”

This underscores the notion of the “dark side” of access management – the opening up of access creates many unintended risk implications. You might even think of it as a pendulum – on the identity security side, it’s about mitigating risk, and on the other side, the dark side, is access management, which invites risk with every door opened if access is left unsecured and ungoverned.

Swing Left: Access Management

Access management allows enterprises to grant workers the access they need to do their job. It sounds like a pretty necessary tool, right? And it is – today’s workforce certainly needs access to technology to be effective in their role. Today’s cloud business runs on technology. This is precisely what digital transformation is all about – the adoption of a slew of technology that drives the cloud enterprise. But in opening the door to grant workers access to all of this technology they now use to do their jobs, access management has just become a risk factor to the business, not a secure enabler.

Businesses can’t safely use technology without identity security. Put simply, no business can safely grant their workforce access to technology without putting proper security controls in place. Who should be given access? Should that access be granted? How long will that worker require that access? These are questions an organization cannot answer without identity security at the foundation.

Swing Right: Identity Security

This brings me to the other side of that pendulum – the side that helps enterprises mitigate their risk – identity security.

With identity security as the bedrock of today’s cloud business, suddenly, IT and security teams have a keen view across the entirety of its workforce, no matter if that workforce is sitting in the four walls of the office or working remotely. With that visibility, now the business has the intel it needs to see and understand all of its workers’ access and to start automating and accelerating the secure management of their access and entitlements to all business systems, data, and cloud services that speed the business forward. The key here is that it is not just about providing access but providing secure access that protects the business versus opening up new avenues of risk.

Picture an organization as a race car.

The business is gearing up to meet its goals for the new year; it’s gaining high velocity, granting access to keep its workers productive on day one, no matter the circumstances. All of a sudden, the business needs to hit the brakes. There’s been a security incident, but this race car was only built to go, go, go; no brakes were built in. That’s the scenario if an organization only has access management — you can be speedy but there is no security protocol in place to pump the brakes if needed.

This is where identity security comes in — it allows for speed and brakes in one fell swoop. The security measure is in place to ensure the access you are granting is secure from the get-go, not taken into consideration after the fact. Organizations can’t just reach speeds of 100 mph, then all of a sudden turn around. They need security measures in place to account for every scenario.

As businesses went into lockdown, granting access to technology that enables employees to work from anywhere was deemed “business essential” at that point in time, really enabling the race car effect. It has quickly become apparent that providing access to today’s workforce requires strong oversight and security – the brakes, or identity security. Today, there is a new sense of awareness of the risk that technology access can pose to the business if not properly secured.

This is the critical difference that businesses worldwide now see and understand: without identity security, their business is not securely enabled, nor are their business assets fully protected. With identity security, they are fully equipped to reach full velocity and pump the brakes to mitigate risk from the explosion of technology access across the business.

So I have to ask, which side of the pendulum do you want to be on?

Identity Security, A View From the CISO’s Seat
https://www.sailpoint.com/blog/identity-security-a-view-from-the-cisos-seat/ Wed, 13 Jan 2021 15:27:20 +0000

With more than 40 years in IT, about 35 of that in security, Paul de Graaff knows identity inside and out. From implementing a cloud-first strategy to using AI & ML to do more with your program, Paul shares his identity insights in this interview with SailPoint CMO Juliette Rizkallah.

Hello everyone, I’m Juliette Rizkallah, and I’m the Chief Marketing Officer for SailPoint. And I’m very excited today to welcome to “Identity Talks” a very special guest. Paul de Graaff is now a SailPoint employee, joined us very recently, but he has been a customer of SailPoint for many years.

Actually, I don’t even know how many years Paul, but probably close to 10. And Paul has a very unique perspective on identity, having been working with it for so many years, not just with SailPoint, but in his career.

So I thought that it was interesting to have him come and share a little bit, his perspective on this notion of identity security, moving from a governance focus to a security focus for what we call identity security now.

Paul, thank you for joining us.

We’re very happy to have you first at SailPoint and on this program. I’m going to let you introduce yourself and tell our audience what you’ve done, where you come from, and all the good stuff about you, and what makes you such an expert on identity.

Paul

Well, thank you, Juliette, for having me. So I’ve been a long career. And so you can see the gray hairs are there, it has been 40 years in IT, about 35 of that in security. I enjoyed doing many different things in security, starting back into operations, engineering, even being an author. I wrote a couple of books on security with various other folks. And did some ethical hacking in my days, and made quite a name for myself there, if you will. And then had the opportunity to become a CSO or two financial services companies, and more recently, for what’s now known as WW, leading their security practice, and ending up in leading the identity program there. So that’s in a nutshell what we’ve done that’s 40 years.

Juliette

So, and that’s what I like about you is that you’re coming with really the perspective of being a CISO in those companies, right? And your journey with identity has not been the same throughout the year. Obviously, identity governance was very different ten years ago than what it is today.

So tell us a little bit about the evolution of identity governance, aka identity security, or vice versa, because what I’m trying to show to the audience, or trying to explain, is that we’re really talking about security now and less about governance. But this didn’t happen overnight, tell us a little bit from your perspective on how to use it for your organization, and you’ve seen that evolution, and what it makes so much sense to you, as you and I talked about many times.

Paul

Sure, so identity goes back a long time, but the first engagement with SailPoint was back in 2008 when I was the global CSO for AIG. And we were sort of in the aftermath of the Enron scandals, and AIG specifically had some problems with the New York attorney general that’s caused something. Everything was really compliance-focused, getting our auditors, external auditors were on our backs to get all these business processes in place, and ensuring we had the right controls in place, which was a big challenge, was a massive undertaking. AIG was a large organization at the time, and it was well over 120,000 people, 4,000 applications. So anything financial required a large number of applications. The main focus was first to get access certification under control, understand who had access to what, and certify access. So very compliance-driven, if you will. That was sort of the take, right? As of the whole Enron debacle, everybody on the bandwagon to sort of getting control over who had access to what, and making sure that that was managed appropriately. After the compliance efforts, it became more how do we enable people to have access to applications? And so that’s how it sort of matured. But then, looking back now in 2014, when I joined WW, the world had changed completely.

Juliette

So the WW for our audience, Weight Watchers, right?

Paul

Yes, it’s a new name for Weight Watchers.

Juliette

And one thing that we may want to point out is Weight Watchers was a SaaS first, right?

Paul

Very much so. Yeah, we had a cloud-first strategy, even in 2014. We already saw the opportunity that the cloud provided. When we looked at solutions out there, there weren’t many SaaS solutions yet that did IGA, right? It was basically some of our competition at the time, was very much a hosted solution. They said, “Hey, we have a cloud solution.” But it really was just a hosted solution of what they did on-prem. And the other thing, when we looked at the SaaS world, I said this to SailPoint many times… it was like not many companies get to redo their solution. So SailPoint grew up with an on-prem solution and moved into the cloud. It wasn’t like, okay, let’s move what we have to the cloud, but really rethinking of how a SaaS solution should work and the features of the cloud solution. So that appealed to me again, to see that vision and addressing the issues that we had at the time. So, where it was compliance-driven initially with AIG, WW was all about enablement. How do we get our employees effective on day one? How do we do that? How would we put a process in place, still with some governance, of course? But it was really around enablement, kind of one they come in, and they have access to those services that they need or as much as the services they need.

Whether it was automatically provisioned through our policy framework or whether it will provide self-service. It wasn’t enabling employees to be productive, and then we still have to do the typical compliance stuff because of the regulations that are out there. Still, it was really broader looking at how do you do that enablement of employees and contractors, and business partners, giving them the right access, versus the compliance stake, if you will.

Juliette 

You were running identity for Weight Watchers. Remind us, how big was your organization in terms of users and applications? How many people did you have in your staff to run identity?

Paul

Sure, so that was quite a big difference between when we initially looked at assessing a solution; it was really around how simple is that solution? How many people do I need to manage that? So the organization was about 23,000 people. We had about 300, 400 applications. A lot of them were SaaS services.

It is a completely different set than like at AIG, with 120,000 people, 4,000 applications, and completely different mindsets. But the management of the actual program, we were a team of three. I had two engineers in my team that really were focused on that. And it wasn’t that you need developer level skills; the solution was quite simple. And that really what was appealing to us at the time, building a solution that doesn’t require a lot of handholding and doesn’t require deep technical skills to do that. So that was one of the other major reasons why we chose SailPoint at the time.

Juliette

Right, yeah, and I wanted you to say that because the whole topic of this chat together is to talk about the evolution of identity governance into identity security.

I want the audience to understand how much more simple we’ve made the solution. When you started with it, identity governance was kind of clunky, and it was a large implementation, and you needed a big staff. But this is not the case anymore, right? It could be because machine learning helps us do things that people were doing, but it’s also because we totally revamped the solution.

We didn’t take an old solution and put it in the cloud. We looked at different best practices on where to do things. So it is not what people may think, a huge undertaking, but it is critical for the security infrastructure.

Paul

So one of the things we did not discuss, but sort of in the vein of keeping it simple. I think a lot of people with the capabilities that we have now before when we looked at 2014 when we first started down this journey with IdentityNow. The key thing about what AI and ML can do now, it sort of flips the whole implementation cycle on its head because now you can implement the solution, build your connectivity to your key systems, and let AI/ML determine what those policies and roles are. And let them discover it all, and tell you what it should be, right? 

Where before, I mean, I hate to say it, but it was sort of a guessing game. You thought that people needed to have access to, based on what you saw.

So you built your roles around that, and was that really perfect? No, probably not. But now AI and ML can go in and say, “Hey, here’s what I’m seeing.” There are 80 people here, and this is the role. This is what the overlap is. That expedites the implementation cycle of an IGA program so much that was never feasible before. 

The ROI is there straight away, where before, maybe it was an implementation of six months, a year, to get that into play. Now probably, you could expedite that so much faster. Organizations looking at that now should reconsider their implementation and look upon that with these new capabilities.

Juliette 

When did you see the focus becoming more security, and what triggered that notion of identity governance becoming more of a security solution?

Paul 

Yeah, it was kind of interesting. I mean, sort of coming back to the enablement piece. So normally, the way it was that IT was of slowing everything down. When we saw at WW that we sort of had our integration were very fast to connect. One of the things we did was, for example, rolling out Google to the whole organization, the G Suite solutions. And once we have that connectivity established and put the right controls around that, for us, it was a push of the button to get the whole company access. Seeing that switch from being difficult and taking us a long time to do things, now switching over to a push of a button to provision the organization, gave companies a completely different perspective. They were flabbergasted, “What, you’re ready already?” And all these other things needed to happen. So the security switch was really, people were understanding more and more that identity became the underpinning of everything we did.

Whether that was rolling out Google, or other services, people quickly realized that identity needed to have its own focus. So management quickly realized that they needed to give it more attention. And basically, we built out an identity organization. That’s how we moved that over into the identity space, because it really, security sometimes has no notion on it. With identity, people could see the benefits. So it was clear how you enable the organization to do things faster. And yeah, really getting good feedback on what you’re able to do for the organization.

So the security switch sort of, people just saw it overnight. That hey, this is important, right? Anything we needed to do was identity-driven.

Juliette

Yeah, I know we’re giving access so fast, so quickly to a lot of people, kind of was a compelling argument to say, “Well, maybe we should look into it and make sure it’s secure.” Because we’ll open so many doors to the organization with that broad access, and I think what you’ve seen at Weight Watchers, a lot of people started realizing it when the world shut down with the pandemic, right?

Paul

Absolutely.

Juliette

It was something that you’ve seen at the, because of your strategy, right? You had seen it. But many companies that were going a little bit slower when the pandemic hit, and everybody had to go remote, it was all about giving access to everybody super fast, so people will stay productive. But opening doors for risk and compromised accounts everywhere. And we’ve seen customers switching to that notion almost overnight.

Paul

Yeah, we were very fortunate, so the company was very leading edge and sometimes bleeding edge in adopting new technologies. So one of the benefits that we have was that we had already implemented a zero-trust architecture the year before and allowed people to work from anywhere and get the access they needed. Having SailPoint in that ecosystem was very important, from a provisioning perspective, and making sure that people have the right access. So we got fitted nicely. So when COVID hit for us, it was like business as usual from giving people access.

Yes, there were things like people were using a BYOD device, because they left their laptop in the office, things like that. But from a pure day-to-day operations, things haven’t changed that much for the average person. Where we had the most impact was Weight Watchers had a lot of retail stores that we have to close. Suddenly, it was like, how do we provide the same kind of service in a digital world? And we were all in that transformation anyway. So then it became like, how fast can we switch from an in-store experience to a digital experience?

And the company accomplished that in seven days and switched to a full virtual digital experience. And SailPoint was a clear supporter of that in that enabling that switch within that short time, giving people access to that digital environment was key to the success of switching the company to that digital experience. The pandemic showed people how much you need what I call the identity fabric of capabilities to enable these kinds of things to react faster. We can roll out new products more quickly, and that’s key in this world.

Juliette

Right, so that evolution is fascinating, right? We went from a very heavy compliance focus to more enablement, without having the compliance going away, but becoming more secondary. And now the security, all of that creates an evolvement. So it’s something that keeps on piling up, but for identity security, aka identity governance, to be able to adapt like that, also needed to adapt the solution, right? And we see a lot of technology around AI and machine learning, and a lot of people may say, “Oh, that’s a buzz word.” Because it’s true, there’s a lot of high-tech companies that are doing that. 

But you were using those capabilities, right? Explain a little bit how that was a necessary evolution of the solution, to be able to go and evolve with the business.

Paul

Yeah, we were an early adopter of the AI and ML capabilities. And really what it brought to us like, at some stage you can hire enough people to manage all this, right?

That the data, the amount of identity data that-

Juliette

The data of identity, right?

Paul

It is just too much, so you need some solutions to help you manage that and let the humans deal with what I call the exception stuff, but the basic day-to-day stuff is where AI and ML came in. As organizations grow and bring more systems into this whole identity ecosystem, what was happening is that there is just fatigue in your organization. 

Managers were like, “Why do I need to do this again? Why do I need to certify this? I did it three times already in the last year, and nothing has changed.” So using AI/ML, initially maybe to make recommendations around access, and whether that’s approval for giving access, or in case of certifications, telling them, “Yeah, this is okay to approve.” And then morphing that eventually into more of an automated way of doing that is a crucial functionality. So for now, it was like, “Okay, we can help you make the right decision.” So that managers are at least encouraged by that, because a lot of managers don’t necessarily know what everybody has access to and what.

Juliette

Right. All of the rubber stamping, yeah.

Paul

The other thing I think that is very important, is as you mentioned earlier, is kind of like, are we doing over-provisioning? Is it because what we set up in our identity program is that reality, if you will. Just because people have access, and you brought that into one view, doesn’t mean that these people should have access. To give them only what they need for them to do their work. You don’t want to have everybody accessing everything just in case they will need it. So having AI and ML available to you, to give you that insight, to give you that look, and to say, “Hey, here’s what we’re making. And here’s where the outliers are.” To sort of say, “Hey.” There may be eight people in your organization who have that access, but these other two people, they have far too much access because they have the same type of role and getting that kind of information. I mean, people used to spend years designing all these roles, and whatever. And then, when the design was done, the organization had changed, and you could start again.

Juliette

Sometimes, it’s just a matter of people having access, and they don’t even know that they have access. So the account becomes orphaned, and that’s the best way for hackers to come in and take over an account and start maneuvering around the organization.

Juliette

Very much so. So what I think more than anything, AI and ML can help, is really giving that visibility, that before didn’t exist, if you will. And that helps people get that visibility.

CISOs are all about peace of mind, ensuring that every control you put in place is working as designed. And AI and ML have helped to visualize that that was working according to plan, or telling you that things are not working according to plan, right? So the next question I want to take you, to help clarify a little bit, is how as a user of identity, you look at the different categories within identity. Because identity has evolved, but it’s also emerging. 

The whole of identity management has three categories, right? There is the access management part. There is identity governance, aka identity security now, and privilege access management. And you worked with all of them, and you had a very specific use for each of them, and you understood the difference.

So what comments can you give to the audience to try to make sense of that landscape that’s becoming, the identity landscape that’s becoming a little bit more blurry and confusing?

Paul

That’s probably the right word, I was going to use, yeah. It’s definitely blurry between these three disciplines. And there’s a lot of talk in the analyst space, and the press at the moment, around the convergence of that. And if I look back in time, and when we looked at first, at security solutions. If you look at the Symantecs and the McAfees of the world, they were sort of the integrated solution and that most people were recommending. But most people in security, myself included, it’s still probably the discretion around best-of-breed versus an integrated solution.

The problem with an integrated solution is the 80/20 rule. 80% may be enough, but in certain industries, 80% is not enough. But it will always continue to choose the best-of-breed and make that integration happen. So they each have their play, and yes, there is blurring going on. But the best way to describe it is through an example. So let me give you an example where people may be blind to certain access. So if you look at an identity provider that they integrate with AWS, for example, then what the identity provider does is, you have your identity attributes, you have some roles, and basically in AWS, you back those groups that you’re a member of to roles within AWS. So if you just look at that piece, then you may say, “Oh, that’s great. I have full visibility in it.” But then, if you look within AWS, somebody makes a change in AWS to a certain permission. Suddenly, that group has a lot more permission than you initially thought; the identity providers are completely blind to that. Where if you look at the identity governance solutions, we have full visibility into all those entitlements. So we know exactly what’s going on in AWS, and have that full visibility.

So it’s complementary to those solutions, giving you full visibility of what the user has access to and actually detecting any changes in that environment.

You think you know it all, but there are definitely reasons why I believe governance solutions are there, and providing that deep visibility.

Juliette

Yeah, I think that’s always important to remind, because we’re all going towards more simplicity, more velocity, right? And the convergence can be appealing, but when we think about identity security, there are things that no matter how fast you want to go, no matter how you go, you cannot take shortcuts on those.

And I think some of the things that we do and provide are part of that category. Last question for you, Paul. It’s the end of the year, and there’s always a lot of projection on industries and so forth. And all the vendors are here to kind of give their projections.

But what’s your vision for identity? You’ve been within this category for so long, you’ve seen it evolving based on your companies’ needs through the technology that it was providing and delivering. But if I ask you a little bit to be the visionary, because in a way that’s where you’re going to help us now at SailPoint.

Where do you see identity going? You’re talking a lot about being the fabric of the security infrastructure, and so forth. Tell us a little bit about that vision you have, and what it would look like in a few years.

Paul

Sure, I think the best way to describe it from a vision perspective is sort of how people look at a consumer identity. So if you look at people in the consumer space, they know everything about the consumer–what they’re buying, what they’re doing, and what they may be interested in, and the marketing around that is perfect. 

On the identity side, we just don’t have that 360 view yet. We need to move to get that 360 view, and part of that is, the best way I see other people describing it that way, is kind of like looking at Tesla has a self-driving car, can we get identity to do that self-governance. How far can we push that on that envelope, to get there by instead of having to ask: “Hey, here you make a recommendation.” But if the guard rails are put in place, then why wouldn’t you make that decision?

Juliette

The true autonomous identity. That’s where you’re talking about.

Paul

Yeah, absolutely, moving there. And that also becomes a key pillar of, as people move to zero-trust, right? In a zero-trust world, it’s all around that identity, that identity and the information surrounding it, is how access decisions are made. Making sure that that identity is fresh, is timely, up-to-date, and critical in that. That’s why as we move from static models to more dynamic models, taking in a lot more data, external data from maybe threat feed, or things like that. 

To put that into perspective gives us a complete view of that identity. So I see a lot more self-governance. I see a lot more visibility for organizations to secure their organization and ramp up the next thing without necessarily hiring another four or five people to do it. By really moving into that autonomous world, it allows them to be fast and furious if you will.

Juliette

Paul, thank you so much, identity security is all about rethinking identity, and we’ll talk even more about identity security in 2021. Thank you so much for your perspective. It’s a pleasure to have you on Identity Talks, and I’m very excited to have you at SailPoint, to help us push the vision faster and better. Thank you.

Paul

It’s my pleasure. Thank you very much.
