Coming off the heels of our own SailPoint Navigate, Gartner Security & Risk Management Summit and this week’s Identiverse, it is clear that Identity is undoubtedly a hot topic and such a critical aspect of an organization’s cybersecurity strategy.
Last week, over 2000 Identity professionals (AKA Identerati) descended on Washington DC for the 10th annual Identiverse event. As a gold-level sponsor for our third year, it was exciting to see the focus and consistency of the event themes closely align with SailPoint. Those themes include using identity as the new security perimeter as well as placing identity at the center of an organizations’ IT, security and governance-based initiatives.
There were so many great messages, keynotes and sessions so here are some of my key takeaways from this year’s event (of course other than the cool Identiverse t-shirt):
Digital Transformation Still Top of Mind
One of the main themes that was weaved in just about every keynote, breakout and conversation I had was around the aspect of Digital Transformation and the associated benefits as well as the challenges. Now I know that this is such a vast concept and means so many things to each organization. To me, the basic premise is how today’s modern enterprise must continuously evolve and innovate to remain agile, competitive and user-centric. This evolution, or digital transformation, create opportunity, but also has security and compliance implications, that if not adequately addressed, impacts every part of the organization.
Organizations that are successfully navigating their digital transformation are focusing their efforts on creating a secure foundation built upon identity as the primary control plane and including it as a core component of their security strategy.
Continued Threat of Cyberattacks and Breaches
Cyberattacks and data breaches were of course, top of mind at this year’s Identiverse as is every year. Richard Bird summed it up great during his keynote presentation; he stated we are still not getting the security return that we need based on our investment. Just consider the over 400 million unique identity records that were exposed in 2018 and the forecasted loss of $6 trillion due to cybercrime by 2021, and you may quickly agree with Richard. He also discussed how corporations have spent millions, and collectively, billions of dollars on security programs in the last decade and yet we are still seeing billions of records and data being breached and exposed.
Having an identity-centric security approach is the only way to win in a world where every information security organization is already out-manned, out-gunned and out-maneuvered.
Zero Trust was certainly a growing theme throughout the event. At its core, it means we need to build our solutions to continually ask who someone is and what they want to do. We can no longer blindly trust a person that comes from a known location. We need to keep asking questions.
At the center of those questions is a critical concept: identity. We must continually validate the identity of the person accessing our applications and data. That includes authentication, authorization, and administration. I kept hearing the quote from Ronald Regan during the cold war, “trust but verify,” and on a cynical note, I also heard “distrust and monitor.” Glass half full or empty – in the end, it is a matter of how you approach trust.
With this as the baseline, identity becomes the key to ensuring that users always have the least amount of privileges needed to do their job successfully. This includes trusted sources that tell us who someone is and what access they should have. From there, we can form the foundation of our policies that determine how things are accessed.
Data Privacy and Compliance
Data privacy and compliance was also a priority to the attendees I spoke with. These discussions especially include GDPR and the upcoming California Consumer Privacy Act (CCPA), and with so many other states and countries developing their data privacy regulations, organizations are finding themselves needing to find a way to address these regulations as well as anticipate any new ones on the horizon. What was interesting was one of the speakers talked about how these regulations center around protection of assets but not the full aspect of the user’s identity. When talking with attendees, it’s clear that compliance of these regulations is still a bit of a mystery, and part of that stems from the fact that most organizations are struggling with how to manage all the data they have stored in files and, as it relates to GDPR, how to find the sensitive data stored within those files.
This data, commonly referred to as ‘unstructured data’ (think of all the files you have stored in Box, out on SharePoint, in PDFs, etc.), is everywhere, it’s growing rapidly, and organizations are struggling to get it under control in the face of these and future regulations that will surely follow.
Artificial Intelligence and Machine Learning
AI and ML were also one of the new themes and discussions this year at the event. As digital transformation means more users, more apps, and more data – it also means more risk. It’s also becoming nearly impossible for human processing to scale to this volume and variety of access and data. Because of this, AI and ML enablement will play an integral role in shaping, evolving, and streamlining identity programs going forward.
Using intelligent identity controls and the power of AI and machine learning, organizations can make sense of all the data to ensure every user or ‘digital identity’ only has access to what they need to do their jobs successfully.
This data point backs up what we at SailPoint have known for quite some time, for companies to take their identity programs to the next level, they need to be able to:
• know what they can safely automate,
• leverage identity data to define roles and policies,
• be continuously compliance vs. reactionary and;
• be more predictive when it comes to identifying risk.
AI and ML offer valuable advanced governance abilities that not only help your people make better decisions when approving or revoking access, but it also helps free identity practitioners from manual and repetitive low-risk activities so that they can focus on areas of high-risk and drive a more secure and efficient digital transformation initiative across the organization.
This predictive approach, offers up AI-enabled recommendations, dynamically anticipating user access needs, allowing for much quicker time-to-value right out of the gate. To learn more how AI and ML can empower your identity program, be sure to check out SailPoint Predictive Identity.
It certainly is an exciting time to be in identity. As evidenced by Identiverse ’19, the world’s digital ecosystem is in a constant state of evolution, and identity needs to evolve to meet these new challenges.