Navigate 2019: My Five Lessons Learned and Key Takeaways
The job of identity governance is never done. Whether it’s improving the efficiencies of the existing program, adopting new technologies such as artificial intelligence to long-held challenges such as ensuring users have the right access levels or learning how identity management can help organizations to more effectively utilize new technologies. At Navigate 2019, the presentations and the attendees tackled all of this and more.
That’s why, as always, I learn a lot at Navigate. So when I decided I’d list my top five insights from this year, I knew it wouldn’t be easy. If you attended Navigate this year, we’d love to hear what you discovered new at the show. Here are my five lessons learned and the key takeaways:
Lesson One: Big wins take time.
In his talk, Every Breath You Take: How AI Can Make Identity Sing, Mike Kiser, global strategist office of the CTO at SailPoint shared how it took just over 36 years for the Police’s Every Breath You Take to become the most played song in history.
But more than Every Breath You Take displacing You’ve Lost That Loving Feeling by the Righteous Brothers as the most played song of all time (a spot the Righteous Brothers held since 1996), Kiser detailed how The Police built their musical success with the song, with painstaking detail after painstaking detail starting with a crude demo cut to its rock and pop music masterpiece.
My Takeaway: It’s essential to keep in mind that significant transformative changes don’t have to happen overnight and that anything worth doing will require a plan and taking the small, incremental steps necessary to getting there.
Lesson Two: Machine learning is needed to help with today’s complex environments.
Throughout Navigate, it became clear that many organizations are frustrated with the traditional ways of identity management. As Mike Wyatt, a principal with Deloitte’s Risk and Financial Advisory said, “identity is the fabric of the digital economy, and with the growing volume of data, it is challenging to use the traditional models that we’ve built over the last decade to manage identity effectively.” True story.
My Takeaway: When it comes to reducing data risks, as well as enhancing the end-user experience, machine learning, and artificial intelligence will have a dramatic impact on the effectiveness of identity management and governance programs. As I wrote in Predictive Identity: The Future of Identity Governance, with enterprise technology becoming complex and interdependent, and user roles ever-changing, humans will need a little bit of help from the machines when it comes to looking at vast amounts of data, and spotting trends and outliers, and making the appropriate decisions, or kicking them up for human to review for exceptions. The status quo, as they say, doesn’t scale.
Lesson Three: When it comes to identity, bots and humans have a lot in common.
Discussions of software automation ran throughout Navigate. Enterprises are increasingly turning to robotic process automation to automate away manual processes. While the benefits are high, bots don’t come without potential danger. If not appropriately managed, bots can open enterprises to increased security and regulatory compliance risks.
As the identity and access management executive at a national bank explained last week, when you introduce non-human identities into the enterprise tech mixture, it can be very challenging balancing their benefit with their risk. “This is specifically true when it comes to access governance. You have to work with the business line and understand their business use cases and their business processes to do it effectively, especially when considering non-human identities are going to leverage service accounts across the enterprise, including privileged accounts,” he said.
My Takeaway: Organizations must begin to think now, not a year from now, about developing the right software bot management strategy and how to implement the proper levels of identity and access governance over these software bots or they’re going to create a lot of management and governance debt around the management of these entities that will need to be undone.
Lesson Four: AI will help identity management become proactive
Over time, as AI learns the organization relative to identity, AI will become more proactive and be able to anticipate changes that will be needed. In his keynote, Paul Trulove, SailPoint Chief Product Officer, provided an example. He discussed a user in finance who has been assigned to a new project. Typically, such a user would have to log on to their identity management system, and they’d have to go to the access request system. They would have to search for whatever they think that user will need access to. After they finished with their part of the request, their request would be routed for approval. This finance employee would then wait for access to be granted, and they would wait and wait. And wait.
My Takeaway: As identity-related machine learning algorithms learn the environment, they will be able to understand enough about users’ access needs to see that user’s access is changing, and automatically grant the appropriate access. Getting this right is going to take a lot of useful clean identity data and system training. It’s time organizations make sure their data is clean and identify the data sources that they will use to feed their identity machine learning systems.
Lesson Five: Identity plays a crucial role in DevOps. Shawn Lawson from Silicon Valley Bank spoke about how DevOps and digital transformation dissolves traditional networks and the importance of strong identity access in these environments. John Masserini, CISO at Millicom, said they are looking to be able to roll out applications faster, more quickly than they could ever before. “Security has typically been viewed as a roadblock. The applications team would say they are moving a new application into production and we need to integrate authentication. We need to extract the authentication layer, so it relies less on custom development and more on API integration, enabling a zero-trust model for all of our critical applications.”
“We want to automate all of that away,” Masserini said.
My Takeaway: Through helping to automate software bots, having AI help anticipate user access changes, govern who has access to what resources more effectively, identity governance can move further away from its focus on security and compliance and truly help organizations be more agile than ever.