Identity Security, A View From the CISO’s Seat

With more than 40 years in IT, about 35 of that in security, Paul de Graaff knows identity inside and out. From implementing a cloud-first strategy to using AI & ML to do more with your program, Paul shares his identity insights in this interview with SailPoint CMO Juliette Rizkallah.

Hello everyone, I’m Juliette Rizkallah, and I’m the Chief Marketing Officer for SailPoint. And I’m very excited today to welcome to “Identity Talks” a very special guest, Paul de Graaff. Paul is now a SailPoint employee, joined us very recently, but he has been a customer of SailPoint for many years.

Actually, I don’t even know how many years Paul, but probably close to 10. And Paul has a very unique perspective on identity, having been working with it for so many years, not just with SailPoint, but in his career.

So I thought that it was interesting to have him come and share a little bit, his perspective on this notion of identity security, moving from a governance focus to a security focus for what we call identity security now.

Paul, thank you for joining us.

We’re very happy to have you first at SailPoint and on this program. I’m going to let you introduce yourself and tell our audience what you’ve done, where you come from, and all the good stuff about you, and what makes you such an expert on identity.

Paul

Well, thank you, Juliette, for having me. So I’ve been a long career. And so you can see the gray hairs are there, it has been 40 years in IT, about 35 of that in security. I enjoyed doing many different things in security, starting back into operations, engineering, even being an author. I wrote a couple of books on security with various other folks. And did some ethical hacking in my days, and made quite a name for myself there, if you will. And then had the opportunity to become a CSO for two financial services companies, and more recently, for what’s now known as WW, leading their security practice, and ending up in leading the identity program there. So that’s in a nutshell what we’ve done that’s 40 years.

Juliette

So, and that’s what I like about you is that you’re coming with really the perspective of being a CISO in those companies, right? And your journey with identity has not been the same throughout the year. Obviously, identity governance was very different ten years ago than what it is today.

So tell us a little bit about the evolution of identity governance, aka identity security, or vice versa, because what I’m trying to show to the audience, or trying to explain, is that we’re really talking about security now and less about governance. But this didn’t happen overnight, tell us a little bit from your perspective on how to use it for your organization, and you’ve seen that evolution, and why it makes so much sense to you, as you and I talked about many times.

Paul

Sure, so identity goes back a long time, but the first engagement with SailPoint was back in 2008 when I was the global CSO for AIG. And we were sort of in the aftermath of the Enron scandals, and AIG specifically had some problems with the New York attorney general that’s caused something. Everything was really compliance-focused, getting our auditors, external auditors were on our backs to get all these business processes in place, and ensuring we had the right controls in place, which was a big challenge, was a massive undertaking. AIG was a large organization at the time, and it was well over 120,000 people, 4,000 applications. So anything financial required a large number of applications. The main focus was first to get access certification under control, understand who had access to what, and certify access. So very compliance-driven, if you will. That was sort of the take, right? As of the whole Enron debacle, everybody on the bandwagon to sort of getting control over who had access to what, and making sure that that was managed appropriately. After the compliance efforts, it became more how do we enable people to have access to applications? And so that’s how it sort of matured. But then, looking back now in 2014, when I joined WW, the world had changed completely.

Juliette

So the WW for our audience, Weight Watchers, right?

Paul

Yes, it’s a new name for Weight Watchers.

Juliette

And one thing that we may want to point out is Weight Watchers was a SaaS first, right?

Paul

Very much so. Yeah, we had a cloud-first strategy, even in 2014. We already saw the opportunity that the cloud provided. When we looked at solutions out there, there weren’t many SaaS solutions yet that did IGA, right? It was basically some of our competition at the time, was very much a hosted solution. They said, “Hey, we have a cloud solution.” But it really was just a hosted solution of what they did on-prem. And the other thing, when we looked at the SaaS world, I said this to SailPoint many times… it was like not many companies get to redo their solution. So SailPoint grew up with an on-prem solution and moved into the cloud. It wasn’t like, okay, let’s move what we have to the cloud, but really rethinking of how a SaaS solution should work and the features of the cloud solution. So that appealed to me again, to see that vision and addressing the issues that we had at the time. So, where it was compliance-driven initially with AIG, WW was all about enablement. How do we get our employees effective on day one? How do we do that? How would we put a process in place, still with some governance, of course? But it was really around enablement, kind of one they come in, and they have access to those services that they need or as much as the services they need.

Whether it was automatically provisioned through our policy framework or whether it will provide self-service. It wasn’t enabling employees to be productive, and then we still have to do the typical compliance stuff because of the regulations that are out there. Still, it was really broader looking at how do you do that enablement of employees and contractors, and business partners, giving them the right access, versus the compliance stake, if you will.

Juliette 

You were running identity for Weight Watchers. Remind us, how big was your organization in terms of users and applications? How many people did you have in your staff to run identity?

Paul

Sure, so that was quite a big difference between when we initially looked at assessing a solution; it was really around how simple is that solution? How many people do I need to manage that? So the organization was about 23,000 people. We had about 300, 400 applications. A lot of them were SaaS services.

It is a completely different set than like at AIG, with 120,000 people, 4,000 applications, and completely different mindsets. But the management of the actual program, we were a team of three. I had two engineers in my team that really were focused on that. And it wasn’t that you need developer level skills; the solution was quite simple. And that really what was appealing to us at the time, building a solution that doesn’t require a lot of handholding and doesn’t require deep technical skills to do that. So that was one of the other major reasons why we chose SailPoint at the time.

Juliette

Right, yeah, and I wanted you to say that because the whole topic of this chat together is to talk about the evolution of identity governance into identity security.

I want the audience to understand how much more simple we’ve made the solution. When you started with it, identity governance was kind of clunky, and it was a large implementation, and you needed a big staff. But this is not the case anymore, right? It could be because machine learning helps us do things that people were doing, but it’s also because we totally revamped the solution.

We didn’t take an old solution and put it in the cloud. We looked at different best practices on where to do things. So it is not what people may think, a huge undertaking, but it is critical for the security infrastructure.

Paul

So one of the things we did not discuss, but sort of in the vein of keeping it simple. I think a lot of people with the capabilities that we have now before when we looked at 2014 when we first started down this journey with IdentityNow. The key thing about what AI and ML can do now, it sort of flips the whole implementation cycle on its head because now you can implement the solution, build your connectivity to your key systems, and let AI/ML determine what those policies and roles are. And let them discover it all, and tell you what it should be, right? 

Where before, I mean, I hate to say it, but it was sort of a guessing game. You thought that people needed to have access to, based on what you saw.

So you built your roles around that, and was that really perfect? No, probably not. But now AI and ML can go in and say, “Hey, here’s what I’m seeing.” There are 80 people here, and this is the role. This is what the overlap is. That expedites the implementation cycle of an IGA program so much that was never feasible before.

The ROI is there straight away, where before, maybe it was an implementation of six months, a year, to get that into play. Now probably, you could expedite that so much faster. Organizations looking at that now should reconsider their implementation and look upon that with these new capabilities.

Juliette 

When did you see the focus becoming more security, and what triggered that notion of identity governance becoming more of a security solution?

Paul 

Yeah, it was kind of interesting. I mean, sort of coming back to the enablement piece. So normally, the way it was that IT was of slowing everything down. When we saw at WW that we sort of had our integration were very fast to connect. One of the things we did was, for example, rolling out Google to the whole organization, the G Suite solutions. And once we have that connectivity established and put the right controls around that, for us, it was a push of the button to get the whole company access. Seeing that switch from being difficult and taking us a long time to do things, now switching over to a push of a button to provision the organization, gave companies a completely different perspective. They were flabbergasted, “What, you’re ready already?” And all these other things needed to happen. So the security switch was really, people were understanding more and more that identity became the underpinning of everything we did.

Whether that was rolling out Google, or other services, people quickly realized that identity needed to have its own focus. So management quickly realized that they needed to give it more attention. And basically, we built out an identity organization. That’s how we moved that over into the identity space, because it really, security sometimes has no notion on it. With identity, people could see the benefits. So it was clear how you enable the organization to do things faster. And yeah, really getting good feedback on what you’re able to do for the organization.

So the security switch sort of, people just saw it overnight. That hey, this is important, right? Anything we needed to do was identity-driven.

Juliette

Yeah, I know we’re giving access so fast, so quickly to a lot of people, kind of was a compelling argument to say, “Well, maybe we should look into it and make sure it’s secure.” Because we’ll open so many doors to the organization with that broad access, and I think what you’ve seen at Weight Watchers, a lot of people started realizing it when the world shut down with the pandemic, right?

Paul

Absolutely.

Juliette

It was something that you’ve seen at the, because of your strategy, right? You had seen it. But many companies that were going a little bit slower when the pandemic hit, and everybody had to go remote, it was all about giving access to everybody super fast, so people will stay productive. But opening doors for risk and compromised accounts everywhere. And we’ve seen customers switching to that notion almost overnight.

Paul

Yeah, we were very fortunate, so the company was very leading edge and sometimes bleeding edge in adopting new technologies. So one of the benefits that we have was that we had already implemented a zero-trust architecture the year before and allowed people to work from anywhere and get the access they needed. Having SailPoint in that ecosystem was very important, from a provisioning perspective, and making sure that people have the right access. So we got fitted nicely. So when COVID hit for us, it was like business as usual from giving people access.

Yes, there were things like people were using a BYOD device, because they left their laptop in the office, things like that. But from a pure day-to-day operations, things haven’t changed that much for the average person. Where we had the most impact was Weight Watchers had a lot of retail stores that we have to close. Suddenly, it was like, how do we provide the same kind of service in a digital world? And we were all in that transformation anyway. So then it became like, how fast can we switch from an in-store experience to a digital experience?

And the company accomplished that in seven days and switched to a full virtual digital experience. And SailPoint was a clear supporter of that in that enabling that switch within that short time, giving people access to that digital environment was key to the success of switching the company to that digital experience. The pandemic showed people how much you need what I call the identity fabric of capabilities to enable these kinds of things to react faster. We can roll out new products more quickly, and that’s key in this world.

Juliette

Right, so that evolution is fascinating, right? We went from a very heavy compliance focus to more enablement, without having the compliance going away, but becoming more secondary. And now the security, all of that creates an evolvement. So it’s something that keeps on piling up, but for identity security, aka identity governance, to be able to adapt like that, also needed to adapt the solution, right? And we see a lot of technology around AI and machine learning, and a lot of people may say, “Oh, that’s a buzz word.” Because it’s true, there’s a lot of high-tech companies that are doing that. 

But you were using those capabilities, right? Explain a little bit how that was a necessary evolution of the solution, to be able to go and evolve with the business.

Paul

Yeah, we were an early adopter of the AI and ML capabilities. And really what it brought to us like, at some stage you can hire enough people to manage all this, right?

That the data, the amount of identity data that-

Juliette

The data of identity, right?

Paul

It is just too much, so you need some solutions to help you manage that and let the humans deal with what I call the exception stuff, but the basic day-to-day stuff is where AI and ML came in. As organizations grow and bring more systems into this whole identity ecosystem, what was happening is that there is just fatigue in your organization. 

Managers were like, “Why do I need to do this again? Why do I need to certify this? I did it three times already in the last year, and nothing has changed.” So using AI/ML, initially maybe to make recommendations around access, and whether that’s approval for giving access, or in case of certifications, telling them, “Yeah, this is okay to approve.” And then morphing that eventually into more of an automated way of doing that is a crucial functionality. So for now, it was like, “Okay, we can help you make the right decision.” So that managers are at least encouraged by that, because a lot of managers don’t necessarily know what everybody has access to and what.

Juliette

Right. All of the rubber stamping, yeah.

Paul

The other thing I think that is very important, is as you mentioned earlier, is kind of like, are we doing over-provisioning? Is it because what we set up in our identity program is that reality, if you will. Just because people have access, and you brought that into one view, doesn’t mean that these people should have access. To give them only what they need for them to do their work. You don’t want to have everybody accessing everything just in case they will need it. So having AI and ML available to you, to give you that insight, to give you that look, and to say, “Hey, here’s what we’re making. And here’s where the outliers are.” To sort of say, “Hey.” There may be eight people in your organization who have that access, but these other two people, they have far too much access because they have the same type of role and getting that kind of information. I mean, people used to spend years designing all these roles, and whatever. And then, when the design was done, the organization had changed, and you could start again.

Juliette

Sometimes, it’s just a matter of people having access, and they don’t even know that they have access. So the account becomes orphaned, and that’s the best way for hackers to come in and take over an account and start maneuvering around the organization.

Paul

Very much so. So what I think more than anything, AI and ML can help, is really giving that visibility, that before didn’t exist, if you will. And that helps people get that visibility.

Juliette

CISOs are all about peace of mind, ensuring that every control you put in place is working as designed. And AI and ML have helped to visualize that that was working according to plan, or telling you that things are not working according to plan, right? So the next question I want to take you, to help clarify a little bit, is how as a user of identity, you look at the different categories within identity. Because identity has evolved, but it’s also emerging. 

The whole of identity management has three categories, right? There is the access management part. There is identity governance, aka identity security now, and privileged access management. And you worked with all of them, and you had a very specific use for each of them, and you understood the difference.

So what comments can you give to the audience to try to make sense of that landscape that’s becoming, the identity landscape that’s becoming a little bit more blurry and confusing?

Paul

That’s probably the right word, I was going to use, yeah. It’s definitely blurry between these three disciplines. And there’s a lot of talk in the analyst space, and the press at the moment, around the convergence of that. And if I look back in time, and when we looked at first, at security solutions. If you look at the Symantecs and the McAfees of the world, they were sort of the integrated solution and that most people were recommending. But most people in security, myself included, it’s still probably the discretion around best-of-breed versus an integrated solution.

The problem with an integrated solution is the 80/20 rule. 80% may be enough, but in certain industries, 80% is not enough. But it will always continue to choose the best-of-breed and make that integration happen. So they each have their play, and yes, there is blurring going on. But the best way to describe it is through an example. So let me give you an example where people may be blind to certain access. So if you look at an identity provider that they integrate with AWS, for example, then what the identity provider does is, you have your identity attributes, you have some roles, and basically in AWS, you back those groups that you’re a member of to roles within AWS. So if you just look at that piece, then you may say, “Oh, that’s great. I have full visibility in it.” But then, if you look within AWS, somebody makes a change in AWS to a certain permission. Suddenly, that group has a lot more permission than you initially thought; the identity providers are completely blind to that. Where if you look at the identity governance solutions, we have full visibility into all those entitlements. So we know exactly what’s going on in AWS, and have that full visibility.

So it’s complementary to those solutions, giving you full visibility of what the user has access to and actually detecting any changes in that environment.

You think you know it all, but there are definitely reasons why I believe governance solutions are there, and providing that deep visibility.

Juliette

Yeah, I think that’s always important to remind, because we’re all going towards more simplicity, more velocity, right? And the convergence can be appealing, but when we think about identity security, there are things that no matter how fast you want to go, no matter how you go, you cannot take shortcuts on those.

And I think some of the things that we do and provide are part of that category. Last question for you, Paul. It’s the end of the year, and there’s always a lot of projection on industries and so forth. And all the vendors are here to kind of give their projections.

But what’s your vision for identity? You’ve been within this category for so long, you’ve seen it evolving based on your companies’ needs through the technology that it was providing and delivering. But if I ask you a little bit to be the visionary, because in a way that’s where you’re going to help us now at SailPoint.

Where do you see identity going? You’re talking a lot about being the fabric of the security infrastructure, and so forth. Tell us a little bit about that vision you have, and what it would look like in a few years.

Paul

Sure, I think the best way to describe it from a vision perspective is sort of how people look at a consumer identity. So if you look at people in the consumer space, they know everything about the consumer–what they’re buying, what they’re doing, and what they may be interested in, and the marketing around that is perfect. 

On the identity side, we just don’t have that 360 view yet. We need to move to get that 360 view, and part of that is, the best way I see other people describing it that way, is kind of like looking at Tesla has a self-driving car, can we get identity to do that self-governance. How far can we push that on that envelope, to get there by instead of having to ask: “Hey, here you make a recommendation.” But if the guard rails are put in place, then why wouldn’t you make that decision?

Juliette

The true autonomous identity. That’s where you’re talking about.

Paul

Yeah, absolutely, moving there. And that also becomes a key pillar of, as people move to zero-trust, right? In a zero-trust world, it’s all around that identity, that identity and the information surrounding it, is how access decisions are made. Making sure that that identity is fresh is timely, up-to-date, and critical in that. That’s why as we move from static models to more dynamic models, taking in a lot more data, external data from maybe threat feed, or things like that.

To put that into perspective gives us a complete view of that identity. So I see a lot more self-governance. I see a lot more visibility for organizations to secure their organization and ramp up the next thing without necessarily hiring another four or five people to do it. By really moving into that autonomous world, it allows them to be fast and furious if you will.

Juliette

Paul, thank you so much, identity security is all about rethinking identity, and we’ll talk even more about identity security in 2021. Thank you so much for your perspective. It’s a pleasure to have you on Identity Talks, and I’m very excited to have you at SailPoint, to help us push the vision faster and better. Thank you.

Paul

It’s my pleasure. Thank you very much.

