With an AI-based access modeling approach you can create new roles that align with the changing needs of your business. Watch this webinar to learn how identity can help you:

  • Answer the question: “Who gets access to what?”
  • Quickly develop your identity program by removing manual processes
  • Use an AI-driven process to suggest potential roles
  • Provide the right-sized access to your users

Video Transcript

SailPoint Marketing: Welcome to the SailPoint Rethink Identity webinar series. Our topic for discussion is rethinking identity with AI-based role creation.

SailPoint Marketing: With us we have Dana Reed, Distinguished Engineer from our Office of the CTO. He’s going to walk us through how SailPoint is adopting a new Rethink Identity approach to basically embrace the abruptly changing landscape of identity governance.

SailPoint Marketing: Then we’ll cover specifically how the explosion of access and leveraging AI and machine learning is one of the primary variables behind our rethink identity approach.

SailPoint Marketing: And then how you can take advantage of AI-based access modeling to get control of your ever-changing user access. We’ll also demo our access modeling solution so you can see it in action.

Dana Reed: Well, thank you very much. Again, my name is Dana Reed. I’ve been working at SailPoint about nine years now. But, you know, when you look at identity, it’s been around for quite some time, and a lot of us here on the call have seen the evolution of identity. In the beginning it was really just around user provisioning, getting people the right access they needed to do their jobs.

Dana Reed: You know, but over the years, identity, really has evolved into a strategic security and compliance solution that helps organizations answer some basic questions. Who has access to what, who should have access, and how are they even using that access.

Dana Reed: And so when you look at the way digital transformation has introduced so many new variables in the world, organizations are really struggling to keep up, and a robust identity governance program has really become much more central to that work.

Dana Reed: You know, we have employees and vendors and partners; the number of people that are interacting with our organizations is ever increasing. The number of applications that we are onboarding is increasing, and we are now letting the business actually sign those checks, and so IT no longer has capability and control over what is in the environment.

Dana Reed: Additionally, the firewall is now kind of a relic of the past, like the Great Wall of China. And we now have applications that live everywhere, out in Azure, AWS, GCP, SaaS-based life and services. All kinds of new variables are really interesting to us, and we now need to manage them. So the key here is for us to start to be more effective at the way we manage exception-based governance, event-based governance.

Dana Reed: Bring governance closer to the events that are taking place and enable the business to take on a lot of those governance challenges. So for those of you that have not experienced identity, you may think of identity simply as access management.

Dana Reed: But it’s a whole lot more than that. Identity helps you control access, once your workers gain entry into your network.

Dana Reed: So each individual can see and touch only what is relevant to their job function. And that’s becoming more and more important today than it ever has before, with remote worker enablement, with the whole coronavirus situation, etc. But what is acceptable is no longer acceptable; we now must rely on only what is adequate.

Dana Reed: And so what we are doing inside of SailPoint is taking AI and machine learning technologies and techniques, applying them to IGA, and trying to figure out if we can come up with better solutions and better answers to this long-time struggle of managing who has access to what.

Dana Reed: So if you’ve been engaged in identity, you’ve seen this evolution take place. A lot of us on the call here, we’ve watched this maturation.

Dana Reed: The good news is that AI and machine learning are big game changers for your identity and your IT teams, especially if you have thousands or millions of identities and identity-to-entitlement connections that you’re managing. It’s much easier now to create access models and roles that safely automate IT tasks and keep your policies dynamically up to date as your organization changes.

Dana Reed: So with AI recommendations, your line of business managers now have control and they have the capability to get a better understanding of what I call sent, as to whether a user actually needs access or not. We can focus on the outliers. We can become more effective, rubber stamping techniques become a thing of the past.

Dana Reed: Revocation rates go up. All of this has a positive effect on A. your security posture, but also B. on how role mining and access modeling techniques take place in your organization.

Dana Reed: So the bottom line here is that the new security perimeter is the identity. When you look at businesses, businesses are in business to make profits.

Dana Reed: Profits are maximized by a better customer relationship. Customer relationship is enabled by digital transformation.

Dana Reed: And digital transformation is delivered by zero trust type networks. And we’re seeing that even more important now because the customer can be anyone from a vendor to an employee to a physical person that buys your products, etc.

Dana Reed: But zero trust networks are 100% reliant on the people having the right access to the right things at the right time. The rule of least privilege and nothing more.

Dana Reed: So now we will start to deep dive into what we’re doing with AI and the techniques around access modeling, and we’ll go ahead and talk about roles.

Dana Reed: You know, the traditional role modeling I always refer to as the role flaw. And what I mean by the role flaw is that role definition was always a static solution to a dynamic business problem.

Dana Reed: It was expensive, and once you got done defining all of your roles you had to start all over again because the roles were outdated.

Dana Reed: And so as the role was defined it was immediately outdated because the business moved forward.

Dana Reed: The problem is that we are now moving forward at an accelerating pace. We’re onboarding new applications, the business now is enabled to do that. And of course roles become outdated.

Dana Reed: And so role definition, once thought of as a sunk cost, was in fact a recurring cost. And the problem is that as roles were defined in the business, the business had moved beyond them.

Dana Reed: We turned into kind of a square peg, round hole situation. And what we did was we had to build one-off roles to handle our users.

Dana Reed: And that is the nature of what role explosion is, by definition. So role explosion really was a condition caused by the initial role flaw of a static solution to a dynamic problem.

Dana Reed: So the way we handled it in traditional robotic techniques was that we wanted to minimize the amount of manual effort it took to get our users access. We want to minimize the number of access requests, right, because there’s a time component there; we can easily quantify that.

Dana Reed: It’s the same reason why people used to quantify IGA projects with password management, because it was very easy to do a cost-savings type of analysis.

Dana Reed: So what we did was we gave people adequate or acceptable access; we gave them too much. It was “just in case you need it, I want to make sure you have it so you don’t have to request it.”

Dana Reed: The problem is, what we’re seeing now, especially around coronavirus and the enablement of remote workers, is that we are actually taking down some security controls, because we need to move from 2,000 people onboarded to be remote to 200,000 in 10 days.

Dana Reed: And so we are leaving ourselves susceptible to what could actually happen to the business if people can do more than they should.

Dana Reed: And so I always kind of use the analogy of, you know, when you’re in the Deep South at night, you don’t leave your windows open, even for a short period of time, because even for a short period of time the mosquitoes get in.

Dana Reed: And so we need to rethink identity. The identity is now the main security perimeter, and we have a much deeper reliance on identities having adequate access, only the right amount of access to do their jobs.

Dana Reed: So we need to rethink, from an access modeling perspective, how we actually filter and focus on adequate access evaluation as opposed to what I call acceptable access evaluation.

Dana Reed: And what that means is to rethink the problem or re-address the problem. Instead of role mining being a static solution to a dynamic problem, role mining needs to be a dynamic solution to a dynamic problem.

Dana Reed: And what that means is that, looking at a role, a role is simply a guess. It’s a point-in-time guess as to what a user needs to do their job at that point in time.

Dana Reed: What we need to start doing now is continuously test that hypothesis and keep moving from acceptable access to adequate access, and test that over and over and over again. And that is the methodology that we are now taking with role management.

Dana Reed: So when you look at our products, we talked about this thing called predictive identity.

Dana Reed: And what it means is that we are traversing from a world which I call assisted identity, where you log into our products and they do something for you. You ask it to change a password, to provision a user, or to build a role; whatever it is, the product will assist you in that activity.

Dana Reed: We are planting our flag in this world now called autonomous identity, and we are rushing towards that autonomous world as fast as we can.

Dana Reed: Now, it’s possible we will never actually get there and no one will ever get there, but the process of getting there is this world which we call augmented identity.

Dana Reed: Autonomous is where our systems think for themselves. They give and take away access by themselves based on data points that they have access to, big data lakes of identity information and decisions. Augmented identity is where our products start to build brains.

Dana Reed: And we have now branded this world predictive identity. So when you hear the words predictive identity, there are a lot of services that now lie inside this augmented world.

Dana Reed: But we are building brains specifically around the area of access modeling first, around making sure people have the right access to the right things at the right time, doing it from a bottom-up approach instead of a top-down approach.

Dana Reed: A bottom-up approach is very interesting because we can now use standard social structure technologies and analysis to better understand what you have. I don’t care who you are. I don’t care what your job title is; what I’m focused on is what you can do with the access that you have and people that are much more similar to you, and then I will figure out who you are. We are doing correlation before we are doing causation. Bottom up instead of top down. So we are applying AI-driven role modeling to identity. Now what does that mean? What does a role model entail? And I think, in the best scenario, role modeling is really an optimization curve that includes three variables.

Dana Reed: The first variable is coverage optimization. You have all kinds of users that have access, these connections, millions of them if not billions of them in your environment.

Dana Reed: We want to build a role model that optimizes the amount of coverage that we contain. Think of this almost like an eclipse of how many roles can encapsulate the majority of those connections.

Dana Reed: The second part of this is outlier minimization. You will always have snowflakes. You’ll always have individuals that have unique positions in their jobs.

Dana Reed: We need to be able to identify those users and actually exclude them from the results that we are trying to get, because once we can exclude them, our data science folks have actually found that we have better results on the actual role mining scenarios. So what we want to do is we want an optimization curve here. We want to provide you a role model with the minimum number of roles that provide the maximum amount of coverage while leaving the least percentage of outliers outside of those roles.

Dana Reed: And for every organization, we recognize that this optimization curve is going to be different. And so we want to help you better understand what that is and then move forward. Some of this is gonna be roadmap for us; some of the stuff we’re actually delivering on today.

Dana Reed: So what we do is we use a few different algorithms. It’s not really important to understand what they are, but it’s important to understand what they do.

Dana Reed: And we look at every single user in your organization and we evaluate what I call your entitlement DNA. It’s a term I kind of just coined, but it makes sense. It’s about the things you can do, the access you have, and I compare you against everybody else in the organization.

Dana Reed: And I do that recursively, and once I do that for everybody, what I’m able to do is actually utilize what’s called unsupervised learning, and take that entitlement DNA and map you on a graph database. And so what you start to see here are actually clusters of users that have similar job function or job access.

Dana Reed: Now, through standard social structure approaches, I can assume that people that have similar job access actually have similar job function.

Dana Reed: Now I always equate this back to high school. When you were in high school, you had folks who hung out together and had similar interests. Just like the people in marketing have similar interests about marketing, they hold meetings about marketing subjects, they go to lunch with marketing people, and they all have a background, probably in marketing. Just like in high school, the athletes hung out with the athletes.

Dana Reed: That is what’s called a homophilic environment with high modularity. When you were in high school you hung out with your friends and you had similar interests, and those were called cliques.

Dana Reed: In the AI world, these clusters of users that have like job access, i.e. like job function, are actually called cliques.

Dana Reed: So you can think of, you know, think of these analogies back to the different departments: finance, marketing, IT, HR, call centers, etc. From a standard social structure perspective, it’s really no different than the way it was back when you were in high school.

Dana Reed: So let’s talk about what’s in a role model. And I think when you understand our approach, it really starts to make a whole lot of sense.

Dana Reed: Think about yourself in the organization and what access you have, and I want you to visualize that cluster of access as an onion.

Dana Reed: Right. And what we’re able to do now through AI and machine learning technologies is to start building out peer groups. So we’re actually able to start looking at your onion and identify how much of that is part of what a peer group may have. Now, from a role modeling perspective, we want to encapsulate as much of this peer group in a role as humanly possible.

Dana Reed: But what we also want to do is take all this stuff that everybody has and actually exclude that; maybe that’s the all-users role, etc. We want these peer groups to be as function-based as we possibly can.

Dana Reed: And so what that means is that when you start to look at the layers of the onion, where we want to continue to deliver from a roadmap perspective is to better identify the different layers of the onion that we can peel back and continue to exclude.

Dana Reed: So that the core of the onion, your function, really is what we want to focus on.

Dana Reed: So let’s get rid of all-users access. Let’s identify active user access versus leave of absence versus inactive.

Dana Reed: Let’s identify user type access, what contractors get as opposed to employees or vendors or partners.

Dana Reed: Let’s then look at maybe location access, whether it’s region or campus or city or branch, whatever that is. And let’s start peeling back the onion and excluding those from our results.

Dana Reed: And eventually, our peer group analysis really becomes based off of function and also the outliers, because the outliers are where the risk is. And we want to help you better identify what those outliers are and help you mitigate them.

Dana Reed: So when you look at your onion, what we want to do is start taking function and delivering continuously on better ways of filtering out each of the layers. And so we end up purely on a functional basis.

Dana Reed: So let’s start talking about risk mitigation. We’re talking about role mining, but a lot of role mining means identifying the things that people don’t need anymore, right, and getting rid of all that stuff. Poor governance has made a lot of your users over-entitled within your organization.

Dana Reed: And so, traditionally within SailPoint we’ve really adopted or addressed two different types of risk from an entitlement perspective. I almost look at each entitlement as its own little personal grenade, right? Like, you know, what can you do with that grenade if it goes off?

Dana Reed: And so, you know, when you look at risk, initially there is what’s called inherent risk. Inherent risk means that a user has access to something that you can do a lot with. Domain admin is an inherently risky piece of access because it can do a lot of stuff.

Dana Reed: But what we did at SailPoint initially is we actually wrapped that risk in another layer, which I called situational risk.

Dana Reed: And situational risk means that, you know, you are an admin and you are trusted with this inherently risky piece of access, so the risk level actually goes down.

Dana Reed: But if you’re a contractor with that exact same entitlement and you are untrusted, perhaps the risk of that connection, of you with that entitlement, actually goes up.

Dana Reed: What we’re trying to do with AI and ML techniques is to actually add a third layer of risk, and it’s a layer of risk that I have labeled obsolescence risk.

Dana Reed: Obsolescence risk means it’s obsolete. So get rid of it. Why do you have it? Where we are starting is by actually flipping those graphs upside down.

Dana Reed: And instead of focusing on the clusters, focusing on the outliers. This is a person that is probably one of you on the phone, if not many of you.

Dana Reed: This is the person that joined the organization as a contractor on a project, got some access, did a great job.

Dana Reed: And so of course we kept them around. We put them on another project, gave them more access, and maybe we cleaned up some of the stuff, maybe we didn’t.

Dana Reed: They did another great job. So of course we hired them in. And since then, he or she has worked their way up the organizational hierarchy. Now what’s happened is we’ve never gotten rid of the access that this person has, and because of that, when you graph this person on the graph database, they no longer actually relate to their current job function, clique or cluster.

Dana Reed: They actually relate to many of them. And so the obsolescence risk in this user is very, very high.

Dana Reed: We want to help you identify what that risk is so that you can mitigate it. By mitigating this risk you will end up with better access modeling results. Access modeling has always been a bad-data-in, bad-data-out type of scenario.

Dana Reed: Now, unfortunately, in the coronavirus world, we call this person a highly contagious individual.

Dana Reed: And the reason we call them that is simple: because this person has a current job and they’re over-entitled.

Dana Reed: If the business expands and we hire a net new person, what do we do? We look at the net new person and we say, “Hey, what should Judy get? I don’t know. Give her what Jason has; they are doing the same job.” So now we have taken this obsolescence risk with over-entitlement and moved it further into the business.

Dana Reed: The problem, if that’s not enough, is that you have a team somewhere that is doing top-down role modeling, role mining; they’re saying, show me what people with this job title have.

Dana Reed: They now see two people with the same job title with the same access, and what do they do? They build a role around it.

Dana Reed: And so what we want to help you do is identify this obsolescence risk and help you get it out.

Dana Reed: So we’re doing this through our access recommendations; this is part of our predictive identity approach that we have. We will have another seminar to talk specifically about access recommendations, but their thumbs up, thumbs down are sent to help you raise revocation rates.

Dana Reed: We also have what are called access insights. It is where to start. It’s the state of governance within the organization, how long things are taking, who’s bulk approving things. These are all things that work in tandem together to help aid better role mining.

Dana Reed: This is one of our early access clients. It’s actually a department.

Dana Reed: And what you can see here, hopefully, as this moves forward, is that through access recommendations, user peer groups actually start to cluster together and they start to get more well defined, and actually, due to the dynamic nature of the business, what happens is that a new peer group actually gets created.

Dana Reed: So again, the end goal of this is, if I’m doing role mining activities, I would much rather do role mining activities on a population of users that looks like this than a population of users that looked like it did before. Secondarily, my security posture is much better here and much more conservative than what it was in the past.

Dana Reed: Now, this is all actually based off of an incomplete assumption. There’s one more part of the puzzle that we need to deliver on as we move into the end of 2020 and early 2021.

Dana Reed: We’re looking at outliers here because they don’t relate to the peer group. But what if this access everybody has, no one uses? In a license-based subscription model, we need to actually get rid of that, because why are we paying for box.com if you don’t use box.com?

Dana Reed: And secondarily, if everyone has access to the finance share and that has highly sensitive data in it, but yet only two people are using that finance share, why does everybody else have access to it, especially when we are a provisioning and fulfillment engine ourselves? We can give users back the access that they need.

Dana Reed: I’m going to move into the demonstration, but I want to at least give you a good idea of where SailPoint’s at and why we really believe our technology is quite superior to the rest of the other things that are out there, and really quite disruptive.

Dana Reed: So access modeling begins with a search, as all access modeling does. Now, a search in our case is going to be much more broad because we are doing bottom-up role mining instead of top-down. Top-down role mining is going to be a very finite, micro-level search: job title equals.

Dana Reed: What we’re going to be doing actually is a much broader search. It can begin as broad as all users: let’s see what everybody has. Let’s build peer groups off everybody.

Dana Reed: Or we may say, you know, we see that the people making the most access requests in our business are the consumer loans department, and so they’re costing us the most money; let’s evaluate peer groups on just that department first.

Dana Reed: So here we can go in through IdentityNow or IdentityIQ, depending on which platform you’re using. And you can actually create a search, and with that population of users, in real time, you can call out to IdentityAI, our Predictive Identity services, and we will actually generate peer groups based off of that.

Dana Reed: Now, I talked earlier about how role models are based off of optimization. So we can look at the granularity of the role model; we can change that. We can change the number of identities that maybe are the minimum filter to help you identify what are the best roles.

Dana Reed: The beauty of this is that we didn’t look at who these users were. I don’t know what their job title is, their name, their department. I know nothing about them except for what access they have.

Dana Reed: But the cool thing is we get it right. So if you look at these potential roles here, we found the call center specialist by not even knowing who they are, just looking at their access, and AI and machine learning techniques applied to role mining have some really, really neat results.

Dana Reed: Now I can choose to go ahead and work on this role. We are delivering, and have just delivered, what I would consider to be a very disruptive role generation tool.

Dana Reed: This tool will progress into a full-on role management tool, where you can expect things like workflow, role states around test and production, etc. We are looking in the near term at importing your existing role model and then comparing these insights against those roles, to actually provide insights to you that, hey, maybe this role needs to be changed because you’ve onboarded more applications or because people aren’t using it. There are all kinds of really cool things in the future that we can do.

Dana Reed: But what I want to show here is a couple of things. One is you can see now all of the entitlements that these users have within this peer group.

Dana Reed: Now notice that we’re already excluding the common access, as we showed earlier, the first layer of the onion, but we will continue to exclude more. Here you can see these people are in the core colocation.

Dana Reed: And so maybe we want to exclude the court location role. Some of these are employees or contractors; we want to exclude some of that access. What happens is that roles will always have what we call a cliff.

Dana Reed: And the cliff, a lot of times, if it’s a dispersed population, maybe is location-based access; it may be contractors versus employees, or things like call centers, hotel chains, etc.

Dana Reed: But what we want to do is exclude as much data as we can, and other predefined roles, so that this cliff that you see here is as functional as it can possibly be.

Dana Reed: If you’re a manager compared to an employee, the cliff is the additional approve entitlement, you know, on top of the end user’s insert entitlement, etc.

Dana Reed: But what we’re able to do here is actually look at the access that these users have and then exclude by a certain amount of popularity. So maybe we only want to build a role that everybody has everything in. And so we’ll scroll up to at least a 50% threshold here.

Dana Reed: And once we’ve done that, we can then go ahead and take this role definition and export it as an artifact that can now be used and imported into IdentityIQ or into IdentityNow.

Dana Reed: Now, as we move forward, of course, the integrations here are going to become a whole lot tighter and more seamless. For the role management tool, there’s a whole roadmap around approaching roles from a dynamic solution, which means bringing up and bubbling up insights to role changes as we see them.

Dana Reed: But again, I was kind of looking at SaaS-based services as being like a baby. You know, you never look at a baby and look at the parents and say, “That’s a great baby. What version is that baby?” The baby just grows up and it continues to get better and better and better.

Dana Reed: So we released the first version of access modeling about a week ago. Our team is continuously delivering on this product. And we really are excited about not only what we have delivered today, but the role model, or the future roadmap, around what we’re going to be continually delivering in the future.
