Q&A with Darran Rolls: The Identity-Aware Infrastructure
The identity-aware infrastructure is a big topic this year at Navigate ’17. During his keynote address, Darran Rolls, SailPoint’s chief technology and chief security officer, detailed what he means by the identity-aware infrastructure and how enterprises can build their own. For those who couldn’t attend this year’s Navigate conference, we pulled Darran aside from his busy schedule for a few minutes to explain the concept and how enterprises can benefit from having their own identity-aware infrastructure in place.
In this chat, we explore how identity management toolsets have evolved, what is meant by the identity-aware infrastructure, and its security benefits.
Where do you see the current identity management state of the art, and how has identity management changed over the years?
Over the last 15 years we’ve seen the move from first-generation identity management, which was really tools focused on the ability to create access to various operating system platforms and distributed systems. Next came the era of identity as part of the general systems management frameworks, where identity management was all about delegation.
Now we are in the age of the identity platform. This is where we view identity governance as a strategic, essential and integrated part of the overall infrastructure. Today’s identity platform is all about integration with other security and management disciplines to create identity-aware infrastructure: something that brings control and governance to all applications, users and all levels of access.
Today we see that security and identity are essential. No one builds out infrastructure without including identity. This is because what we do is now squarely and strategically integrated.
Traditionally, why is identity and access management so complicated for enterprises, and what can be done to simplify identity management?
The reality is that access control is inherently complicated. Providing fine-grained access to applications on-prem and in the cloud is complicated. I wouldn’t say it’s never going to get any simpler, but because it’s inherently fine-grained it requires focus and concentration. If you look at the type of customer that we deal with, they invariably have multiple identity sources. They have every type of access control you can possibly imagine. And because of this, there is a lot of complexity to deal with.
To help simplify this, we’re overlaying controls and governance to create a stable, consistent and sustainable set of controls. We have to be able to answer the question who has access to what and why, in order to meet our compliance needs, and drive better operational security.
We have designed our open identity platform to create a buffer between the conflicting and very complex needs of the business AND the technical complexity of access. The right solution here glides like a swan on the water: all smooth and graceful above the water, whilst under the surface its legs are paddling crazily to get from A to B.
Could you explain the concept of the identity-aware infrastructure?
What we’re bringing to the table for an identity-aware infrastructure is this idea of identity context. All the things we manage and all the data that we maintain is like gold: extremely valuable. Dealing with things like ownership, access history, and all the attributes that exist in order to provide access is an essential security ingredient. When you leverage this value, it’s like the discovery of salt or the spices that first traveled the Silk Road many years ago: it adds a certain something to the security recipe that is missing today without it.
The identity-aware infrastructure sets out to make security policy more identity-aware, and at the same time to make identity policy more security-aware. This makes the security and identity context flow bidirectionally. The context that we share between security and identity systems enriches the entire ecosystem with a level of meaning that is game changing.
What does this identity-aware infrastructure look like in practice?
There are lots of great examples of creating identity-aware infrastructure. When we integrate technologies like Privileged Account Management (PAM), Access Management (AM) and Security Information and Event Management (SIEM) systems with core identity governance, we create a responsive identity-aware ecosystem.
In each functional security area we’re able to increase the value of what identity management can provide to the rest of the environment. And because the platform is open, it’s ready to integrate with other vendors who perhaps even compete with us in certain areas.
How does SailPoint help enterprises build an identity-aware infrastructure?
I would say it’s via three things: an open platform, an open program, and an open approach. Let me explain each. The open platform is something we’ve been talking about for a while. It’s been a long-term product driver for us for some time now. This means that the core functional capabilities we deliver in the product, so things like compliance, identity analytics, data access governance, password management and access request, are all built on top of a set of open APIs, plugin frameworks and SDKs.
For us, an open program means the Identity+ Alliance: an alliance of like-minded, industry-leading vendors that have come together to create an integrated ecosystem based on that open platform. It defines a structured program, a managed community, a support model and a set of certified integrations. These integrations create a key net of coverage that extends our reach.
And the open approach brings the platform and the program together to create some very interesting new governance approaches. A great example of this open approach is our new PAM Management Module. This module does a lot more than integrate with PAM via a standards interface. It creates a whole new operational paradigm for managing the lifecycle of PAM vaults and safes: providing full visibility into container access; allowing specific users to pivot from an identity-centric view to a container or vault/safe-centric view; and showing, from a container perspective, what is being contained AND who has access to that container. Pretty cool stuff.