How ‘identity governance’ addresses new attack vectors opened by ‘digital transformation’

By Byron V. Acohido

Mark McClain and Kevin Cunningham didn’t rest for very long on their laurels, back in late 2003, after they had completed the sale of Waveset Technologies to Sun Microsystems. Waveset at the time was an early innovator in the then-nascent identity and access management (IAM) field.

The longtime business partners immediately stepped up planning for their next venture, SailPoint Technologies, which they launched in 2005 to pioneer a sub-segment of IAM now referred to as identity governance. Today SailPoint has 800-plus employees and growing global sales.


The company is coming off a successful initial public offering last November in which it raised $240 million. SailPoint’s share price has climbed from the mid-teens to the mid-twenties since its IPO.

I had the chance to visit with McClain, SailPoint’s CEO (Cunningham serves as chief strategy officer), at RSA Conference 2018. We had an invigorating discussion about how “digital transformation” has intensified the urgency for organizations to comprehensively address network security, and how identity governance is an important piece of that puzzle. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: Your focus is on helping companies do much better at a fundamental security best practice.

McClain: Exactly. Within the big realm of security, we’re within the realm of identity, which is getting a lot of airtime these days. And within identity, our focus is on what’s called identity governance ... The company has been around for a while now. We work in almost every industry vertical and focus on mid-sized enterprises with 2,000 to 3,000 employees all the way to the largest global enterprises in the world.

LW:  How has ‘digital transformation’ changed things?

McClain: Companies are adopting SaaS, and they’re adopting cloud and mobile, we use the term digital transformation for all of that. They’re rapidly trying to open up their IT infrastructure and applications, not just to their employees, but also to contractors and business partners in their supply chain. There is this desire to be open and collaborative and interconnected. But by opening all those things up we’re also opening up the attack surface. So, understanding who is accessing what information is pretty critical.

LW: This was an issue 10 years ago with the use of default logons for system administrator accounts being a weak point, but it seems like the problem has mushroomed.
McClain: It has. It’s more complex. It’s certainly larger scale, in many cases. In the old days I might have been primarily concerned about whatever number of employees I had that could access data. Now outsourcing is a big trend, and I’m connecting my business to other businesses more and more. I might have a few thousand employees, but I might have 10,000 people that are accessing my systems.

LW: We never really fully addressed the identity risks associated with legacy systems and now along comes this next generation of exposures.

McClain: That’s right. Part of the reason it wasn’t as well managed in the past is because the original approaches to security were largely about building a moat around your castle, putting a big perimeter defense around this core data center, with a lot of critical information in it. A lot of large organizations even today have mainframe apps and client-server apps still running.

And then along comes the web era, and now the cloud era. Now organizations are taking apps that were in their data centers and moving them to Amazon or Azure to save costs. So, these big organizations are dealing with this massive layered infrastructure.

LW: And now we’re seeing data breaches like Equifax and Uber that take advantage?

McClain: Exactly. A lot of those hacks start with the problem we address which is, ‘If I’m not sure who you are, or whether you should be accessing this information, then I don’t know that I should stop you.’ So many of the bad things that have happened come down to a bad actor emulating a good actor.

LW: Can you walk us through identity governance, and how it can help?

McClain: People are talking a lot about single sign-on. The idea is to have all my users log in at a secure portal, and effectively get everywhere they need to from there. But people don’t think as much about what the user can get to behind that portal; what, specifically, the user can do by logging on to Salesforce or Workday. That’s referred to as an entitlement in our industry. So, it’s not just that I can access the application, it’s understanding that I can specifically access a certain subset of the data and maybe only read the information, but not change it.

Understanding that entire picture across myriad applications, some in the cloud, some in an on-premises data center, is critical to controlling that you, Byron, can access exactly what you’re supposed to. If I can’t see and control all of that, I can’t govern what you’re accessing.

LW: Multiply that by X number of employees and contractors, and X number of applications, and that quickly becomes a challenge?

McClain: I’ll do an Austin Powers thing for you. At the end of the day, in a large organization with 100,000 employees there might be 10,000 applications and each of those applications might have hundreds of entitlements, so you can do the math. It’s billions and billions of entitlements to manage.

LW: Is this another area of security where machine learning and data analytics can be brought to bear?

McClain: We’ve launched an analytics tool that can deeply understand patterns of access. But, honestly, we’re in a crawl, walk, run situation. Most organizations today are kind of crawling. They really today cannot answer the simple question: ‘Do I know exactly who has access to what information in my organization?’

As an employee, or a contractor or a partner you are the only one who knows all of the privileges you’ve been given. A system administrator may have given your application access to SAP, and the network guy gave you access to Active Directory. But they might not be there anymore. You’re the only one who knows all of the access rights you have because the world is constantly churning and changing. At this point in time, it’s very hard for the organization to get a snapshot of who Byron is, what you do for the organization and what access you have across all company systems. We’re able to bring all that information together into a single view for each identity.

LW: So, crawl first.

McClain: Crawl first. Get your visibility right, then begin to work on the controls. That’s what we tell the organizations we’re working with.
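To make the “crawl” step concrete, here is an added example of the entitlement model McClain describes: per-application accounts and their entitlements (with the read/write distinction he draws), correlated back to an authoritative identity source so that each person gets a single view, and the two findings a first visibility pass always surfaces, accounts nobody in HR owns and people HR says are gone who still hold access. This is illustration written for this article, not SailPoint code or anything from the podcast; the HR feed, application exports, account names, entitlement names and access levels are all constructed.

```python
# Added example: correlating entitlements across systems into one view per identity.
# Not SailPoint code; all feeds and names below are constructed for illustration.

# Constructed HR feed: the authoritative list of identities (employees and contractors).
HR_FEED = [
    {"hr_id": "E1001", "name": "Byron A.", "type": "employee",   "status": "active"},
    {"hr_id": "C2001", "name": "Dana K.",  "type": "contractor", "status": "active"},
    {"hr_id": "C2002", "name": "Lee R.",   "type": "contractor", "status": "terminated"},
]

# Constructed per-application exports. "hr_id" is the attribute the export carries
# that lets an account be tied back to a person (None means nothing links it).
APP_EXPORTS = {
    "ActiveDirectory": [
        {"account": "bacohido",   "hr_id": "E1001", "entitlement": "Domain Users",     "level": "read"},
        {"account": "bacohido",   "hr_id": "E1001", "entitlement": "Finance-Share-RW", "level": "write"},
        {"account": "dkim",       "hr_id": "C2001", "entitlement": "Domain Users",     "level": "read"},
        {"account": "lrobb",      "hr_id": "C2002", "entitlement": "Domain Admins",    "level": "admin"},
        {"account": "svc_legacy", "hr_id": None,    "entitlement": "Backup Operators", "level": "admin"},
    ],
    "Salesforce": [
        {"account": "byron@example.com", "hr_id": "E1001", "entitlement": "Sales Rep Profile", "level": "write"},
        {"account": "dana@example.com",  "hr_id": "C2001", "entitlement": "Read Only Profile", "level": "read"},
    ],
    "SAP": [
        {"account": "BACOHIDO", "hr_id": "E1001", "entitlement": "Z_AP_DISPLAY", "level": "read"},
        {"account": "LROBB",    "hr_id": "C2002", "entitlement": "Z_AP_PAYMENT", "level": "write"},
    ],
}

# An entitlement is more than "can log in": it says what the holder may do.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}


def build_identity_view(hr_feed, app_exports):
    """Correlate every account in every export back to one identity.

    Returns the single view per identity, plus the accounts no identity
    claims (orphans) and the identities HR lists as not active that still
    hold entitlements (stale access)."""
    identities = {p["hr_id"]: dict(p, entitlements=[]) for p in hr_feed}
    orphans = []
    for app, rows in app_exports.items():
        for row in rows:
            ent = {"app": app, "account": row["account"],
                   "entitlement": row["entitlement"], "level": row["level"]}
            owner = identities.get(row["hr_id"])
            if owner is None:
                orphans.append(ent)          # nobody in the HR feed owns this account
            else:
                owner["entitlements"].append(ent)
    stale = sorted(hr_id for hr_id, p in identities.items()
                   if p["status"] != "active" and p["entitlements"])
    return {"identities": identities, "orphans": orphans, "stale": stale}


def who_has_access(view, app, min_level="read"):
    """Answer 'who can reach this application at this level or higher?'
    across employees and contractors, from the correlated view."""
    wanted = LEVEL_RANK[min_level]
    return sorted(
        hr_id for hr_id, p in view["identities"].items()
        if any(e["app"] == app and LEVEL_RANK[e["level"]] >= wanted
               for e in p["entitlements"])
    )


def entitlement_count(view):
    """Total entitlements in scope, owned or orphaned: the figure that grows
    into the billions in a large enterprise."""
    owned = sum(len(p["entitlements"]) for p in view["identities"].values())
    return owned + len(view["orphans"])


if __name__ == "__main__":
    view = build_identity_view(HR_FEED, APP_EXPORTS)
    for hr_id, p in view["identities"].items():
        print(f"{hr_id} {p['name']} ({p['type']}, {p['status']}):")
        for e in p["entitlements"]:
            print(f"    {e['app']:16} {e['account']:20} {e['entitlement']:18} {e['level']}")
    print("orphaned accounts:", [(e["app"], e["account"]) for e in view["orphans"]])
    print("not active but still entitled:", view["stale"])
    print("write or higher on SAP:", who_has_access(view, "SAP", "write"))
    print("entitlements in scope:", entitlement_count(view))
```

Run as written, the view shows the terminated contractor still holding Domain Admins and an SAP payment role, and a service account that maps to no one in HR: exactly the cases where the organization cannot answer “who has access to what” until the accounts are correlated. Once that visibility exists, the same correlated records are what a control such as revocation on termination or periodic recertification would act on.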

(Editor’s note: Last Watchdog has supplied consulting services to SailPoint Technologies.)
