Whether it’s concerns about data breaches, increased regulatory mandates, trying to keep pace with the rush of transformational technologies such as cloud, robotic software processes, or the exponential increase in data enterprises are creating — there’s no shortage of trends that are keeping enterprise security teams on edge. But what do these trends mean for identity?
To get answers, I reached out to SailPoint CEO and co-founder Mark McClain. Mark shared his insights on how these trends are likely to impact enterprises in the near future and provided more depth on the new frontiers in identity.
George: The growth of non-human identities, or Robotic Process Automation, is one of the three new identity frontiers. Could you expound on what you mean by this trend?
Mark: This idea of moving into the realm of non-human identities is picking up steam faster than we expected, and until recently, we didn’t have a lot of statistical data on it. Just a couple of weeks ago, we took a quick poll at the Gartner IAM Summit and found that 70% of companies we surveyed are employing software bots as part of their workforce to drive business efficiencies.
I see people across almost every type of business increasingly looking for ways to take costs out of their operations. To do so, they’ll try to more rapidly adopt robotic process software bots as a way to automate human tasks that are fairly repetitive and simple. This way, humans are freed up to focus on tasks that are less repetitive or not as simple. As a result, I expect we will see a fairly aggressive adoption of that kind of capability, and the larger, more strategically-minded customers certainly are aligned with our thinking on the fact that these RPAs are identities that require management. This is not something that’s irrelevant to identity management. Rather, if you’re going to create a process that behaves and looks like a person, then you need to put the same kind of governance mechanisms around RPAs that you do with people.
In other words, we have to apply the classic “joiner, mover, leaver” and certification aspects of identity management to RPAs. How do you determine when one of these RPAs should start? How do you modify them over time as things change? How do you take them out when they’re no longer relevant? How do you validate that they’re still relevant during the course of their lifecycle?
All of the things we do for human identities, at least at some baseline, apply to these bots or software processes. Going back to that poll I mentioned, only 5% of those same companies are actively incorporating software bots into their overall identity governance programs. That is a very small number considering how many are adopting software bots today.
Clearly, this will become a more interesting part of the user frontier landscape as we step into the new year.
It makes sense to me, if you are giving bots access to data and the ability to do certain things, even if those things are low-risk activities, you still need some level of governance. This will be a challenge for many organizations as they are not yet as mature when it comes to managing traditional identities as they should be.
Yes, and I think today, if you really talk about the state-of-the-art, most companies are, to use an old phrase, “fair to middling” at how well they manage those non-employee identities that are not true company employees, like partners and contractors. A lot of companies are still spreadsheet oriented.
Quite often, even companies that are rigorous about managing identities through their human resources software are still pretty sloppy when it comes to managing contractors. Here, they often still use spreadsheets. It’s a big challenge because they often have one third as many contractors as they have employees.
So even those organizations who are on the cutting edge when it comes to RPA and bots quite often still have a lot of work left when it comes to good governance over human identities.
How do you see the increasing use of cloud services and applications affecting identity management?
We see a continuously high rate of adoption of SaaS, cloud and mobile apps across all enterprise customers. Beyond that, quite often, the decisions to acquire these apps are made outside the purview of IT. You’ve got new applications showing up all the time in organizations. Theoretically, the apps that end up having access to critical data are managed and controlled by IT, but I’m not sure that assumption always holds. The marketing department, the procurement group, or the manufacturing organization often go out and procure something that makes their life better and easier and will sometimes use it to access important data. These are actions that IT may or may not fully understand or have proper visibility and control over.
This rapid adoption of apps outside the purview of IT ultimately becomes an expansion of the organization’s attack surface, which is starting to make CISOs increasingly nervous. They can’t manage and control what they don’t know about.
In addition to applications, we’re also seeing an increase in the amount of enterprise data that is unstructured and sprawling throughout the organization.
Indeed. I think there is high agreement that people are going to continue to extract data out of their structured systems and manipulate it in various analytical tools to gain new insights on the business. This is only going to increase. People are going to increasingly extract large amounts of data that may once have been considered only transactional data and analyze and share it with different users and toolsets.
While this helps them to make better business decisions, there’s a risk to having all of this unstructured data out there. If you have the past 12 years of historical financial data out on some collaboration platform in a spreadsheet, you better know it’s there. You better have a very good handle on who can access that platform and that data, or you’re just as exposed as giving someone access to the core Financials system.
This is where tools like SailPoint SecurityIQ and other tools in the industry can help. The key is the ability to always be aware of what sensitive or important data is available in the environment. That’s critical. Where is it? Where is there personal health information? Where is the personally identifiable information? Where is the critical company financial data? When you identify its locations, you can then focus on who is permitted to access that data.
You have to know where it is, so you can then either delete it or control access to it. Over time, we believe this is going to be an area that gets greater attention from the regulators.
In the year ahead, I expect we will see forward-looking enterprises focus on how to better manage the adoption of bots, cloud, and mobile apps outside of IT, as well as all of the unstructured data that is finding its way through everyone’s environment. It’s going to be an interesting year in identity.