Navigate ’17 Identity Panel: Lessons Learned

Anyone who is attending Navigate ’17 is going to want to hear about the lessons learned from others who take identity management as seriously as this panel does. And that’s exactly what they got to hear at this year’s Identity Panel.

Lead by SailPoint’s Dave Hendrix, senior vice president, general manager IdentityNow, this year’s panel included Sheri Munro, director, access governance, global information risk management at Manulife; a senior manager information security (IAM) at a nationally-known healthcare provider; Andrew Linn, senior vice president and chief information security officer at Orrstown Bank; and Paul de Graaff, head of security and compliance at Weight Watchers. All are SailPoint customers for a number of years now.

Hendrix’s first question to the group was about the initial pain points they needed to solve. For Weight Watchers Paul de Graaff, it was about reining too many passwords and IDs, and the need to recertify access and improve the end user experience with single sign-on. “The benefit now is that they are all enjoying the SSO experience, and now we have developers asking how to get them into SailPoint. That’s not something that always happens in security,” said de Graaff.

For the security manager at the healthcare provider, for their security program it was crucial to centralize their identity management program and identity governance. “It was about building the foundation, focus on building access requirements, approval requests for onboarding and getting consistency [in our program] over time,” he said.

“Access control is one of the most fundamental controls, but also one of the hardest to get right,” said Linn.

What are some of the most important lessons learned among the panelists? For Munro that would be building internal support first, specifically among business leadership. “Getting executive support is a key factor. We are a global organization with many different regions, and many CISO as well as global business needs. The business needs to drive this [the identity effort] forward with us through executive leadership and board support,” she said.

For Linn, the most important lesson was about getting the identity data right and keeping quality identity data over time.

“The data quality [you use] will drive the quality of data you will get out of your efforts. Scrub the data clean before you bring it into your identity system,” Linn said. And be prepared to take the time needed to get the identity data right. “Your data quality is the number one thing to think about,” he said.

Having clean identity data has its rewards, Linn said. “We have all of the data about logical access in one place, and the ability to mine that data and create insights from it,” he said. When it comes to access attributes everyone is a “unicorn,” he said. “Even people with the same job title have different access [attributes],” he said.

Weight Watchers de Graaff agreed wholeheartedly on the importance of having clean identity data to work with. “Make good friends with those who manage your workforce,” he said. “You want to understand how they onboard and offboard people. And you may be surprised just how they use that data if you come to depend on that data. You better come to understand them, have good communications with them. If you don’t, you may have deprovisionings that you may not want,” he said.

Getting identity management right isn’t easy, so it’s important to pick your battles in the beginning Munro explained. “You have to prioritize. Some access [attributes] may not be important. Just because you have a system that can handle it all, maybe you don’t need to handle it all, and you pick and choose how you approach it,” she said.