Managing Access Risk - Controlling the Identity Life Cycle
ISMG SECURITY EXECUTIVE ROUNDTABLE
sponsored by SailPoint and PwC
Agenda
6:00 – 6:30 p.m.
Registration & Networking
6:30 – 6:45 p.m.
Introductions and Opening Remarks
• Tom Field, SVP, Editorial, ISMG
• Mike Kiser, Architect and Evangelist, Office of the CTO, SailPoint
• Trey Gannon, Principal at PwC
6:45 – 8:30 p.m.
Roundtable Discussion
8:30 p.m.
Program Concludes
Introduction
In the age of cloud and IoT, identity and access management are
becoming mission critical for a successful cybersecurity strategy.
But managing visibility, security and governance of all of your users, including privileged accounts, is an
onerous task given today’s connected environment and the expanded attack surface.
How do you fully manage privileged access in such a complex and increasingly decentralized
landscape? How do you deal with regulatory compliance throughout the customer life cycle as roles and
privileges change over time?
If you’re looking for answers to these questions, then please join me for an exclusive executive
roundtable on Managing Access Risk - Controlling the Identity Life Cycle.
Guided by insight from Mike Kiser, architect and evangelist at event sponsor SailPoint, and Trey Gannon,
principal at PwC, this invitation-only dinner will draw from the experiences of the attendees who will offer
insights on how they have been able to help their organizations rethink their own identity and access
management strategy. Among the discussion topics:
• Why is provisioning and deprovisioning identities so problematic today?
• What are the repercussions of users being over privileged?
• How can technology better mitigate identity risk?
You’ll have the opportunity to discuss identity risk with a handful of senior executives in an informal,
closed-door setting, from which you will emerge with new strategies and solutions you can immediately
put to work.
Discussion Points
Among the questions to be presented for open discourse:
• How has the identity risk landscape evolved in the age of cloud computing?
• What do you identify as your greatest identity vulnerabilities in your enterprise today?
• Where are you on the roadmap to protecting your business from identity risk?
• How do you articulate the need for identity management tools to C-level executives?
• How do you encourage buy-in from employees to adopt secure identity and access management
policies?
• What investment will be made, and where, in protecting the identity lifecycle for 2019?
About the Expert
Joining our discussion today to share the latest insights
and case studies is:
Mike Kiser
Architect and Evangelist, Office of the CTO
SailPoint
Mike Kiser is insecure. He has been this way since birth, despite holding a panoply of industry positions
over the past 20 years—from security strategist to security analyst to security architect—that might imply
otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments
for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic
chronoptimist (look it up), and delights in needlessly convoluted verbiage. He has been a speaker on
topics ranging from identity governance to security analytics, network security, and various related
privacy issues, and is the co-host of a podcast illuminating all things identity. He warmly embraces the
notion that security is more of a state of mind than a destination.
About SailPoint
SailPoint, the leader in enterprise identity governance, brings the Power of Identity to customers around
the world. SailPoint’s open identity platform gives organizations the power to enter new markets, scale
their workforces, embrace new technologies, innovate faster and compete on a global basis. As both
an industry pioneer and market leader in identity governance, SailPoint delivers security, operational
efficiency and compliance to enterprises with complex IT environments. SailPoint's customers are among
the world’s largest companies in a wide range of industries.
About the Expert
Joining our discussion today to share the latest insights
and case studies is:
Trey Gannon
Principal
PwC
Gannon is a partner in PwC's cybersecurity and privacy practice in Philadelphia. With over 18 years of
experience in cybersecurity, he brings a deep understanding of information security risk controls and IT
processes. He has designed and delivered large-scale, high-profile user access management programs
with a focus on user experience, automation and cloud enablement. Much of his work with clients starts
with strategy, but his focus is on assisting with implementation of processes and software solutions
spanning data protection, identity and access management and privileged access management. He is
passionate about providing solutions that enable the business and enhance organizations' cybersecurity
capabilities.
About PwC
PwC is a global network of firms delivering assurance, tax and consulting services for your business.
We have a long history helping organizations strategically assess, design, deploy and improve
cybersecurity programs. We've built trusted relationships with business leaders at all levels. Our more
than 2,900 practitioners include specialized consultants, former law enforcement agents, cyber forensic
investigators, intelligence analysts, technologists, attorneys and industry leaders in cybersecurity and
privacy. PwC can help you design transformation strategies with security in mind from the very start, with
the foresight to help you see what’s on the other side of the leading edge.
About the Moderator
Leading our discussion today is:
Tom Field
SVP Editorial
Information Security Media Group
Field is responsible for all of ISMG's 28 global media properties and its diverse cadre of senior-level
editors and reporters. He also helped to develop and lead ISMG's award-winning summit series that has
brought together security practitioners and industry influencers from around the world, as well as ISMG's
series of exclusive executive roundtables.
About ISMG
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely
to information security and risk management. Each of our 28 media properties provides education,
research and news that is specifically tailored to key vertical sectors including banking, healthcare
and the public sector; geographies from North America to Southeast Asia; and topics such as
data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects
senior security professionals with industry thought leaders to find actionable solutions for pressing
cybersecurity challenges.
NOTE: In preparation for this event, Tom Field, senior vice president
of editorial at Information Security Group, interviewed Mike Kiser,
architect and evangelist at SailPoint, and Trey Gannon, principal at
PwC, about identity and access management. Here is an excerpt of
that conversation.
Biggest Problems
TOM FIELD: What are the biggest problems today with identity and
access management?
MIKE KISER: Effective identity and access management is absolutely
critical to reducing risk of malicious activity, be it external or internal.
Inappropriate access – whether through stolen credentials or
overly permissive access – ends up being the root cause of an
overwhelming number of newsworthy IT events.
Getting identity and access management right can be a true
enabling force within organizations. Great IAM programs can enable
rapid application onboarding, real-time access provisioning and
provide a great employee onboarding experience, with all access
and devices provisioned and provided on day 1.
A big challenge in today's organizations is that only a small
percentage of applications are integrated into their organizations'
centralized identity solutions. This results in real risk related
to not having direct control over access (both granting and
revoking entitlements). Additionally, identity and access related
processes for most organizations still require multiple manual
steps to complete, which results in slow, error-prone tasks. In the
case of cloud adoption, lack of speed results in lack of adoption.
Therefore, greater integration and automation become the
biggest opportunities within identity and access management for
organizations today.
Provisioning and Deprovisioning
FIELD: Why are provisioning and deprovisioning identities so
problematic today?
TREY GANNON: Provisioning and deprovisioning are problematic
largely due to the manual work required throughout the process –
manual request, manual approval, manual review, manual creation
and closure of ticket and manual entitlement provisioning and
deprovisioning at the majority of target applications.
These manual steps are typically required due to a lack of direct
integration with target applications, a lack of automated access
request and approval and lack of real-world role-based access
control.
There are many great examples today of organizations using
automation tools to reduce manual, repeatable work across the
identity lifecycle and using analytics tools to get better insight on
business roles.
Impact of the Cloud
FIELD: How is the cloud impacting identity risk today?
KISER: The risk that the cloud imposes on identity programs today is
two-fold:
1. Cloud applications are typically accessible from outside the
organization's network. Therefore, network access is no longer
the first-stage access control.
2. Access and entitlements for cloud applications are often not
managed by organizations' central identity function. This results in
real risk around terminated users still having access and greater
potential for segregation of duties conflicts unknown to the
organization.
For many organizations, 90 percent of new applications are cloud-
based, while 90 percent of existing entitlements are on-premises
based. Cloud-based applications and development enable greater
efficiency by providing significantly enhanced modularity and
automation.
When organizations' existing processes for application onboarding
and identity management cannot keep pace with cloud pace,
we inevitably see application owners "opting out" of centralized
processes. This results in shadow IT and rogue identities that cannot
be seen or managed by centralized identity solutions.
Gaining Buy-In
FIELD: How do you encourage buy-in from employees to adopt
secure identity and access management policies?
GANNON: Employees want to do the right thing. Providing training
to employees that helps them understand threats and providing
them a great experience – mobile request and approval, highly
intelligent "birthright" provisioning, insight into where requests are
in process, self-service for application development teams – goes
a long way to getting better adoption. And don't forget that in many
organizations, contractors and business partners have similar access
profiles to employees.
Carrot vs. Stick
FIELD: What is better – carrot or stick?
KISER: A combination of carrot (pull) and stick (push) incentives
can be a highly effective method to drive adoption for risk and
compliance related policies and procedures.
An example of "carrot" for identity is providing application
development teams with significant self-service capability to embed
centralized identity capability into their applications. It simply takes
the development less time to use existing self-service tools than to
code bespoke solutions.
An example of "stick" for identity is requiring onerous reporting
and auditing processes for applications that are not compliant with
centralized identity functions. In this model, application owners must
choose to take on more work (via reporting) than if they were to
integrate with the centralized identity functions.
Mitigating Risk
FIELD: How can technology help mitigate identity risk better?
GANNON: It can provide a great end-user experience for customers
and employees. Key steps include:
• Automation of manual processes, such as using robotic process
automation for "closed-loop" provisioning and deprovisioning
target application entitlements;
• Use of analytics for both role-based access and identification of
abnormal access.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
Contact
(800) 944-0401 • [email protected]