SailPoint : "You can only make smart decisions about things you can see."
November 2022 by Yelena Jangwa-Nedelec, Global Security Mag
At it-sa 2022, we met with Klaus Hild, Principal Identity Solution strategist and Arne Ohlsen, Senior Marketing Manager at SailPoint. They talked to us about IAM and Cloud Management and insisted on the importance for companies of taking care of their certifications and connecting their applications to their Identity Management System in order for them to have an idea of what is happening in their company.
Global Security Mag: Who is Sailpoint ?
SailPoint: We care about identity security. It is mainly managing all the access a user has. So it basically answers 3 questions: Who has access to what and why? It’s that easy. But putting it into practice is harder to do. We help our customers with our technology to answer those questions. The idea is to get a single source to find all the information needed about the access of a user. The customer has to use a lot of different applications. Nowadays, in a midsized company, you have around 5000 to 10000 users, that means hundred thousands of entitlements you have to care about, coming from all the different applications you have to connect to a system.This is way above what human beings could do on a keyboard. This is one of the reason why we introduced AI (artificial intelligence) to that game a year ago.
If we take the example of a jumbo jet, 90% of the flight is more or less automated and the pilots, as experts, are trained for the really critical situations.
So why not do identity management in the same way? This is our idea. You can have machine learning to help you find a certain peer group, tell you information about this group, who has which rights, and help you give recommendations to a new user, build their role and then sharpen it up… So at it-sa we want to talk about artificial intelligence and how it can really help the customers.
GSM: About that, what are the solutions you are now presenting at it-sa?
SailPoint: Well, several things. Identity Management has been in the market for 20 years and the whole technology is changing permanently. There are new trends that the customer has to care about, such as seal trust or digitization, and that means that they have to have knowledge of what they are doing in their systems. A lot of customers are struggling to even connect their applications to the identity management system. Most of them have connected applications, but when we ask them how many of them are connected, they sometimes answer « around a dozen », and that’s more or less nothing. To have at least 300 to 400 applications for a standard company of 1000 to 1500 users is normal.
If you only connected 12 applications, what information do you get regarding your accounts and your accesses? Not much.
Everyone think about connecting the big ones like AD, SAP, any kind of EIP (Enterprise Information Portal) system, and it’s a good step in the right direction but it is absolutely not enough to get good information about what is going on in their systems.
GSM: What are your key differentiators in the market?
In IT, there are a lot of iterations steps to do to be ready. So when we start with AI, we have recommendations in certifications to say if it makes sense to keep a certain certification or if it makes more sense to revoke it. The idea is to revoke a lot of rights, so that you have the least amount of rights possible for a user so that they can do what they need with the minimum rights needed.
Our second pillar is the broadness of the solutions we have, we’re not just doing and caring about IAM but the Cloud is also really important for us. The Devops working with the cloud have their own tools, wich they know how to use, and they know exactly what happens in the cloud but their managers often have no idea, because they can’t use those tools. This is why we introduce Cloud Access Management to give a perfect overview of the cloud in terms of who has which rights. This information could also be brought to the IAM system.
GSM: What are your key messages to advice CISOS and our readers?
SailPoint: Don’t follow trends. Care about your certifications, your access rights, connect your applications to your Identity Management System. If you don’t have one, buy one and connect as many applications to it as you can, in order for you to have an idea of what is happening in your company. You can only make smart decisions about things you can see. If you have the information, you can chose what is necessary to do and what is not important. Zero trust and digitization is not the point going forward, this doesn’t solve anything, they are just passwords.
GSM: What do you think about the agreement between ANSSI and BSI and the recognition of certifications?
SailPoint: It’s a good thing! In every regular market, you need certifications. If you don’t follow GDPR, you have to give 4% of your revenue. Regulations are very often not the main business of companies, so they have to follow the regulations but it is more annoying than they’re enjoying it, so they need some advice to know how to do things as easy as possible but with security, which is very much needed. For the C5 certification from the BSI, for example, it’s necessary to have guidance in order to know how to do every step correctly. We follow those certifications as much as we can, as they are very important to us and we are working towards and getting closer to our C5 certification, which we hope to obtain at the end of 2023 or the beginning of 2024.
- Joerg Vollmer, Qualys: it is essential that senior executives can provide the CISO with a clear view of the challenges to be faced
- Ramon Mörl CEO of itWatch: our partnership with Gatewatcher will contribute to the Franco-German agreement in the field of Cybersecurity
- Jean-Noël de GALZAIN, Wallix: autonomy and sovereignty should be integral to cybersecurity choices
- Mike Polatsek, CybeReady: Companies should adopt an APT approach, Advanced Persistent Training
- Hanspeter Karl, Pentera: To mitigate cyberattacks, Pentest is now a must to have !
- Dominique Meurisse, Gatewatcher: European cyber security is no longer a myth and is becoming a reality
- Mirko Bulles, Armis: visibility is the key to security
- Jelle Wieringa : "We don’t want to force anyone to do cybersecurity training, we want to enable them and motivate them to do it themselves!"