Cure Your Certification Headaches

Large-scale certification campaigns can slow your business down and if not intuitive enough, can leave risky access within your organization.

Video Transcript

SailPoint Marketing: Welcome, everyone, and thank you for joining us for today’s webinar. We think identity can cure your certification headache. I’m Shae Mann and I will be your moderator today.

SailPoint Marketing: Joining us today is James Honey, Technical Product Marketing Manager of Identity Solution here at SailPoint, and Dave Bullas, Technology Evangelist Cloud Platform at SailPoint. We have got a lot of great stuff to cover today, so with that, James, I’ll pass it over to you to get us started.

James Honey: Thank you Shae.

James Honey: So we’re going to cover quite a few things for you guys today. We’re gonna look at why it’s time to rethink identity.

James Honey: We’re going to go through kind of an understanding of access requests and certifications and we’re going to talk about a better approach using AI and machine learning. And then next we’re going to have Dave do a demo for us and kind of go through some use cases for us.

James Honey: So with that, let’s get started. So what we’ve been seeing over the last few months is organizations have been navigating their way through some unpredictable and unprecedented times, and through it all, there’s been a few items that have been common for most. First, is organization digital transformation plans.

James Honey: Even before the current crisis, a lot of organizations were running through digital transformation or they were starting it or somewhere on the tail end, but as we all know, some of those plans had been on the table for some time and others were slow moving. However overnight, almost, many of them were immediately fast tracked and executed upon in order to support the changing needs of the business.

James Honey: And a large part of what was included was ensuring workers have the right access to the right tools, applications and data they need to do their jobs, no matter their location.

James Honey: In many of these cases, now with these new remote workers, they had to be provisioned with new or additional hardware, such as VPN access or access to essential applications, including collaboration tools that might not have been needed previously, are widely used across the organization.

James Honey: So, because of this help desk and IT departments were constantly being asked to respond swiftly and continuously way, including provisioning their access and helping these new remote workers with their password resets.

James Honey: In, in many instances you have industries like healthcare where they needed to respond quickly about bringing on contingent workers, such as new doctors or nurses that were either retired or they weren’t on their payroll, but we were volunteering to help, so they had to determine how quickly to onboard them with the right access for medical information to treat patients. And other industries where you had to respond quickly by bringing on temporary workers to handle a new demand as far as driving more production lines or demand for consumers or even vendors and suppliers. And then unfortunately on the other side of the coin, we had organizations that were having to furlough workers because of mandated restrictions. And as expected, with all this change in behaviors, there was a shift of priorities in organizations who typically would have security at the top of their priority list, who had to switch the priority to probably productivity.

James Honey: Because of certain actions were taken in the spirit of maintaining the productivity and function of the business, security and compliance were still important and critical, but they usually took a backseat, just because of the changing times.

James Honey: And this was seen as just, get them access they need so they can keep moving forward, which has been the result in many users, perhaps being over provisioned with access.

James Honey: Now that now that organizations have made this pivot and are beginning to settle into this new normal, some questions are beginning to emerge, such as, What does good security posture and hygiene mean going forward? How prepared are we for the rebound? How agile and resilient are we in supporting the business today in any additional changes to come?, and then last but not least, How has all this impacted our compliance and governance stance?

James Honey: And lastly, in addition to the shift and initiatives and need questions, there’s still a critical item that must be addressed and that is the bad actors are still active.

James Honey: So, as we all know, cyber criminals thrive on change and they’re not stopping even when it feels like the rest of the world has. If you watch the news lately you’ve seen that attacks are still happening whether it’s against a state unemployment agency, phishing attacks against these new remote workers, or directly attacking the various tools that remote workers are using, these actors are constantly adapting to this new normal and looking for any advantage that they could get.

James Honey: This is why organizations need to start looking back at their actions with the security and compliance eye, and make sure that changes are needed to keep the business running were that were done securely, and then identifying any gaps it created.

James Honey: So with all this in mind, David and I are going to talk through how AI based recommendations can help your organization quickly and efficiently certify your workforce access, for helping approvals make quick informed decisions, helping them automate low risk request and help prevent audit and security issues. So Dave, why don’t you get started by going through access certifications.

David Bullas: Thanks James. So there’s a number of factors, COVID-19 being a big one over the last few months, but every business is experiencing an expanding role of access.

David Bullas: The number of things people have access to, the number of things people need to monitor and take care of, it increased and increased. When we suddenly shifted and everybody went online, all of a sudden, all these people had all this new access.

David Bullas: And one of the key controls that helps keep that sane and helps keep people restricted to the lanes they’re supposed to be in, is the access certification and its sister, the access request. And that’s what we’re here to talk to you about today. This is a critical feature of keeping people compliant, making sure people have the right access at the right time.

David Bullas: Now the access certification has evolved over time. It started with a very simple need, I want people to have access to, and I want to know what applications they have access to, and you know what, I want to control access to that. I want to make sure that we review on a regular basis what this person has access to.

David Bullas: Over time, it’s not just that one person now and such as that one set of data. Now it’s access to databases. It’s access to mainframes. It’s access to things in the cloud. It’s access to files and folders.

David Bullas: The needs for certifications have increased. People recognize that it’s not just application, but all of the stuff that moves around them that people need to review.

David Bullas: And it’s not just one person or one division. It’s everybody in the company and the company you know your company, keep growing.

David Bullas: Look at what’s what’s happened to a lot of companies recently they have both grown and moved remotely.

David Bullas: The increasing needs to demand us to take a look, a wider look at what people have access to, and our reviewers. The people looking at that access are getting busier and busier.

David Bullas: Not only that, it’s not just human actors non human and bot accounts as well.

David Bullas: These are accounts with specific purposes in the business. But we got to keep an eye on those two to make sure they’re not being granted access to stuff. They don’t need and that they’re being properly used within the business.

David Bullas: And it’s not just our people and our bot accounts. It’s also external actors and contractors and partners, people outside of our business need access to some of the things that we hold within our data.

David Bullas: That’s critical to making sure we’re playing nice with our friends and they’ve got access to the things they need and they’re able to contribute to our bottom line.

David Bullas: But all of these different types of actors have access across the board and all of it. All of it needs to have that that sober second thought to say, well, hold on a second, do they really need that access and is that access appropriate.

David Bullas: And that’s where access certification comes in. This is the process where we get our business people to come in and have a look, a sanity check on the access that has been granted.

David Bullas: Whether it’s a manager reviewing access to all the people that report to them or it’s an application owner or an area specialist is focusing on a specific part of the business, we get people, people with a wide range of technical ability to come on in and say, hey, this doesn’t make sense. This isn’t access people need. Or maybe it is.

David Bullas: We also don’t want to inundate them with thousands and thousands of access reviews and entitlement reviews so we’re consolidating right, it needs to include when people are reviewing access the key applications. And the key data. Well, we just saw, what’s happened. Things considered key and important and necessary for security have increased. We know there’s more of those things. People need to look at across many different types of things files applications cloud, etc.

David Bullas: Additionally, the number of people they’ve had to review is increasing.

David Bullas: Both of these are having a detrimental effect of the accuracy of their reviews.

David Bullas: One of the other thing that really important for access certifications, is that we’re following along at home. We have the ability to track what decisions were made over time. So auditing.

David Bullas: Making sure that people can understand what’s been changed when it was changed who approved it. That’s all critical parts of successful certification program.

David Bullas: The outcome of all of the digital change, whoever is there some that the sort of acute patient campaigns are getting larger and larger.

David Bullas: And just like the Golden Gate Bridge where they’re they’re touching up the paint on that bridge every single day.

David Bullas: People feel like they’re doing compliance every single day. When you start really start painting the bridge right they go from one side to the other. By the time they get to the end they got to go back to the beginning and continue on, because they’ve got rough spots that need touching up at the starting in. It’s the same thing with your certification campaigns.

David Bullas: Your business users just get to the end of this three month campaign and the next ones coming on top of their inbox. They might even be finished the old one, new ones coming through tie in there. Also, the need to request the app to respond to access requests that the people that report to them are making and there’s too many users and too many entitlements and it’s starting to feel a bit overwhelming.

David Bullas: When you feel overwhelmed what happens? Well, you’re like, listen, I just need to get through this. I need to get it done. I’m just gonna take everything out here and we just to say yes. For now, I’ll take a look at that again next quarter, but man, this quarter. I’m really busy.

David Bullas: Bulk approvals rubber stamping, not paying attention, not even being able to see the trees, the trees for the forest, but there’s so many entitlements, trying to figure out which ones are important and which ones to spend time on becomes impossible.

David Bullas: This has been a problem for a long time. And here at some point, we’ve taken the approach of saying all right. What’s a better way. How can we do this better.

David Bullas: And the key insight for us was, you know what, there are tools out there that are good at crunching through huge amounts of data and figuring out that structure and providing guidance and that set of tools.

David Bullas: Let us ask this question, hey, what if AI and machine learning can answer these challenges?

David Bullas: So we turned a team on to it for quite some time they tried a number of different things. They worked with a number of our customers.

David Bullas: And what they came out with is what we’re calling the predictive identity advantage, our ability to merge machine learning and AI with the recommendation and access request process to ensure that business people have lower load and they’re able to make better decisions. How does that work well.

David Bullas: The first thing we did is recognize that for a lot of machine learning systems you pour garbage on the top, the stuff that comes out the bottom isn’t pure and clean.

David Bullas: The better you can clean up your data and make it easier for the machine learning algorithm to find those really interesting things, the better off you are. So we took a pass with one approach with one type of machine learning techniques to say, all right, first thing we do, let’s get rid of some of the background noise within every business. There are people whose entitlement needs are really unique.

David Bullas: I’m not saying they’re slightly different than the guy next to them. That’s natural. I’m saying, they’ve just got unique roles within the business. Okay.

David Bullas: We don’t need to use those when we’re trying to figure out the things that we have in common. So we get rid of some of the junk and then turn loose our peer group analysis technique to find within the business those areas where we’ve got similarities.

David Bullas: And once I have a group of similarities, then we eliminate the rest of them and say, okay, these are people who have very similar entitlements. We’re looking permission by permission person by person.

David Bullas: Eliminate the noise and then let the machine learning crunch away on the numbers to say these are people who are similar to other people.

David Bullas: And if I’ve got 250 employees in the same job and 220 of them have access to something when one of those 220 first guys asks for access to it. You know what I give that a thumbs up.

David Bullas: On the other hand, if I have a group that I found. And there’s 100 people in there, and none of them have access and someone selling puts their hand up and says, hey, I need this special access, well I want to bring that to someone’s attention. Highlight places they need to spend time, the limited places that we know, the right apps before they even get to it. That’s the basic idea.

David Bullas: This let’s computers do what they’re really good at, crunch numbers, and leaves the bigger decision making to the people, but not just decision making across all the entitlements, prioritizing.

David Bullas: Some decisions are easy. We can make those for you. Some of the reasons are really hard, focusing on those ones. You don’t have to look at every single entitlement the same. You can focus down on the ones that matter.

David Bullas: This eliminates a lot of the work, allowing your reviewers to spend their time and actually running the business, which is what you want them to do.

David Bullas: And on top of that you’re actually getting better, more consistent security decisions because the people are only focusing in on the stuff that really matters. We’ve automated the stuff that’s easy to say yes, easy to say no. And the automation is repeatable and auditable.

David Bullas: We’ve actually achieved results of both ends of the scale. We’ve made it simpler for your business users. That’s a win animated more accurate and better for your auditors. That’s a win if these intelligent access decisions are used to help people figure out if access should be added and if they should be removed. We can take a look and say, you know what, out of a hundred people 99 of them don’t have this access. We’ve got a guy with this access. Let’s record when that comes off. We’re also surfacing high risk access and then giving you the ability to auto accept recommendations both on entitlement reviews and especially on access requests.

David Bullas: So let’s take a look what this looks like. And you can get a feel for how easy it will be for your business to adopt this technique.

David Bullas: So this is our identity governance platform. Many of you will have seen this in the past.

David Bullas: You can see here I’ve logged in as one of our business users. You can see they’ve got some direct reports doing some approvals and they have an access review in here but this, this isn’t any old access review. This is a recommendations based access review.

David Bullas: When they drill in, to get a quick reminder, this is what it looks like right. We have these reviews, we have these access items, these entitlements.

David Bullas: We need to go over them, but we’re going to give you some recommendations, we’re gonna give you some thumbs up, thumbs down real simple metric easy for the business to understand.

David Bullas: Within that access review, you have all of the governance tools you need. You’ve got separation of duty policies where we can highlight places where we know there’s conflicts.

David Bullas: To allow the business to focus on those when we look across the entitlements. This is where the real enhancement is, this is where we’re able to say, you know what some of these entitlements really easy to say yes and some of the entitlements, they need some down thumbs here as well.

David Bullas: When I look at a request, and I say, aha, look. This one’s got a recommendation I can quickly see why that recommendation has been made.

David Bullas: This helps your business owner make better decisions. Look everyone else is similar to this person has this access. A lot of people reporting, you have this access. A lot of people in the cost center have the access. That’s easy. Prove approval. Prove. Prove that these ones are not recommended. Why is that, well, you know what, nobody like this guy has this access. Nobody none of people reporting, you have this access and none of the people in their call center have this access. Revoke.

David Bullas: It doesn’t have to be manager doesn’t have to be a cost center, every business has their own set of identity attributes that are important to them.

David Bullas: You can use the identity attributes that makes sense for your business. Those identity attributes will be used for access recommendations.

David Bullas: Like we’re doing here and reviews and also for the access requests this but you can see very, very quickly. I’ve eliminated 60% of my access review here.

David Bullas: I’ve done it in a way that’s provided insight to the business users so they can make those quick decisions, but be confident that they’re doing the right thing. It’s all audited, including the recommendations themselves.

David Bullas: In short, the business is getting the job done quicker and easier.

David Bullas: And it’s not just entitlement reviews either. So let’s take a quick look at how that looks from the access request side of the house.

David Bullas: Where I was looking at a business user before I’m now looking at IT administrator and the administrators got a few more tools at their disposal. But what the important thing for this demonstration is is to look at that access request history.

David Bullas: Well, why haven’t I gone to the admin console, and why am I looking at it this way. Well, it’s because this particular request. Audited, tracked we know who did it. We know what the decision was made, but you know what, since the decision was made automatically by that end user, the business owner, Linda Davis never even thought. She didn’t have to.

David Bullas: A recommendation engine looked at it, we had a high enough confidence score in this particular recommendation that we’ve just made it. DING! DING!

David Bullas: So the business user Paul Walker came in and said, I need this access it would normally be routed to Linda Davis, but you know what a recommendation engine stepped in.

David Bullas: And said, hey, actually I’m going to automatically approve this don’t bother Linda, with this, we know this is something Paul should have access to or can have access to. It meets all of our requirements. Thumbs up, access request approved, no email gets sent to Linda, we don’t bother. We don’t interrupt her day.

David Bullas: Better entitlement reviews, more accurate, better recommendations, better decisions, and the ability to automate decisions to say, you know what, let’s make sure that the computers do what they’re good at. Figuring out when we can make quick decisions and let’s leave it alone for people. And let’s let people focus in on the stuff that really matters. That’s what we’re doing with the recommendations engine.