Increase Security: Put Open Identity at the Center of IT

If Confucius were a nerd and still quipping today, we’d hear something like “May you live through an entire infrastructure transition.” But we don’t need Confucius to know that we are deep in the middle of one. What started as an exciting transition to mobile, social and cloud is now trying to mature in all those awkward but important places. Enterprise mobility management technologies are enabling us to support and control the shift to mobile consumer devices. IT service management technologies are automating and guiding the way we manage change in our digital infrastructure. Privileged user management technologies are applying strong controls to the privileged accounts so often exploited in security breaches. Security monitoring and analytics technologies are finally processing enough data in batch and real-time modes to help us make some sense of what’s happening in our networks and on our systems and with our data. Security enforcement technologies continue to chase the threat horizon with ever-more intelligent algorithms and rule frameworks.

The problem is that in most enterprises, all of this is happening without an existing foundation of identity management, let alone in concert with that foundation. When this automated and policy-based identity foundation is placed at the center of all these ongoing changes, the entire digital experience benefits. Users receive the access they need, when they need it. This precision reduces risk and satisfies auditors. IT is better able to provide the occupational baseline that employees crave and, when combined with effective business management, IT can resume the role of competitive weapon that drove its invention in the first place.

I can see these possibilities because at SailPoint I am enjoying a front row seat observing this transition, its challenges, and its opportunities. I am certain that my view is at least somewhat clouded by the bias that comes with this seat, but I am equally certain that our collective biases have enough common ground to make massive progress in this domain. Who could argue with the following precepts?

  • In the digital enterprise, all access right changes (grant, change, revoke) should be conscious and with intent that matches enterprise policy
  • Establishing and maintaining this conscious intent delivers critical business benefits in two forms: user empowerment and digital security
  • Integrating both the empowerment infrastructure (all the services that provide value) and security technologies with the identity and access management system of record streamlines and improves overall operations

The cumulative truth of these precepts motivated me to join SailPoint and take up a role in making them a reality for the industry. SailPoint is dedicated to helping its customers achieve this reality, but more important than that, SailPoint recognizes that this is an industry movement with plenty of opportunity for a great variety of participants. Accordingly, SailPoint balances its efforts across these strategic imperatives:

  • Delivering the best identity and access governance solution in the industry, so that enterprises can be more thorough and effective at managing who has access to what
  • Opening its platform and facilitating interoperability so that enterprises can more easily put identity at the center of IT
  • Participating in industry standards initiatives like SCIM (system for cross-domain identity management), so that enterprises can leverage future product generations that embody useful seams between best-of-breed functionality

While these efforts are relevant to the entire digital infrastructure, they are most urgent in the area of IT security. Our security monitoring, analytics and enforcement technologies must stop groping for identity context and instead harness precise sources of truth to understand who is involved in a security incident, determine what this involvement could mean based on that individual’s access rights, and remove access as required by the circumstance.

Here’s an example. When a user accesses a sensitive resource from a foreign location at an odd hour, shouldn’t we activate a sequence of controls that manages the risk until it is mitigated? The incident could be prioritized relative to other incidents based on the user’s entitlement to access sensitive resources. The first automated response could be a message to the user’s supervisor inquiring if the situation is expected. If the supervisor knows the user to be traveling to that foreign location, she can waive the alert on her mobile device. If the supervisor escalates the alert or doesn’t respond within a set time period, the next control could force the user to re-authenticate with a “stepped up” method such as a one-time password or challenge question. If the user fails to authenticate, all access rights could be suspended immediately. If automated suspension of access takes too long for any reason (perhaps the underlying system is not responding to the access right change request), we could activate a more blunt control such as kicking the user off the VPN. What would have been a “first resort” in a basic active response system is now a “last resort” in an identity-centric active response system. While this example may seem complicated, it illustrates the sort of granular, policy-based risk management that enterprises require to battle current generation threats.

And its real: the SailPoint Identity+ Alliance, launched in December 2015 with nine partners and already doubling to eighteen partners in April 2016 (just announced today, in fact), is enabling all of these use cases and more.

As an industry vertical, banks figured out how to manage equally complex situations to reduce credit card fraud (via more identity-centric controls!), because it made a massive business more profitable. Are enterprises of all verticals not sufficiently motivated to take similar steps with their horizontal infrastructure? I say it’s time to put identity at the center of IT, so we can optimize our workforce, reduce security risks and maximize the return on our computing, networking and application investment. Interesting times indeed!