Identity Security, A View from the CISO's Seat
Juliette: Hello everyone. I'm Juliette Rizcalla, I'm the Chief Marketing Officer for SailPoint, and I'm very excited today to welcome to Identity Talks a very special guest. Paul de Graaff is actually now a SailPoint employee; he joined us very, very recently, but he has been a customer of SailPoint for many years, actually, I don't even know how many years, Paul, but probably close to 10. And Paul has a very unique perspective on identity, having worked with it for so many years, not just with SailPoint but in his career. So I thought it was really, really interesting to have him come and share a little bit of his perspective on this notion of identity security moving from a governance focus to a security focus, for what we call identity security now. So Paul, thank you for joining us. We're very happy to have you, first at SailPoint and on this program. I'm going to let you introduce yourself and tell our audience what you've done, where you come from, and all the good stuff about you that makes you so special and such an expert on identity.

Paul: Cool. Thanks, Juliette, for having me. So I've had a long career, as you can see, the gray hairs are there. That's been 40 years in IT, about 35 of that in security, and I've had the pleasure of doing many different things in security, starting back in operations, then engineering, even being an author: I wrote a couple of books on security with various other folks. I did some ethical hacking in my days and made quite a name for myself there, if you will. And then I had the opportunity to become a CISO for two financial services companies and, more recently, for what's now known as WW, leading their security practice and ending up leading the identity program there. So that's, in a nutshell, what we've done the last 40 years.

Juliette: And that's what I like about you: you're coming with really the perspective of being a CISO in those companies, right? And your journey with identity has not been the same over the years. Obviously identity governance was very different 10 years ago than what it is today. So tell us a little bit about the evolution of identity governance, aka identity security, or vice versa, because what I'm trying to show the audience, or trying to explain, is that we're really talking about security now and less about governance, but this didn't happen overnight. Tell us a little bit, from your perspective, how, using it for your organization, you've seen that evolution, and why it makes so much sense to you, as you and I have talked about many times.

Paul: For sure. So identity goes back a long time, but the first engagement with SailPoint was back in 2008, when I was Global CISO for AIG, and we were sort of in the aftermath of the Enron scandals, and AIG specifically had some problems with the New York Attorney General that caused something. So everything was really compliance-focused: our auditors, external auditors, were on our backs to get all these business processes in place and make sure we had the right controls in place, which was a big challenge, a massive undertaking. AIG was a large organization at the time; it was well over 120,000 people, 4,000 applications, so anything that was financial was a large number of applications. The main focus there was first to really get access certification under control: understanding who had access to what, and certifying access. So very compliance-driven, if you will. That was sort of the take right after the whole Enron debacle; everybody was on the bandwagon to get control over who had access to what and make sure that was managed appropriately. And then, after the compliance efforts, it became more: how do we enable people to have access to applications? So that's how it sort of matured. But then, looking back now, in 2014, when I joined WW, the world had changed completely.

Juliette: So WW, for the audience, is Weight Watchers, right? The new name for weight loss...

Paul: No, no. Weight Watchers moved more towards the full...

Juliette: They definitely do, yes, they definitely do that, but a very different model. Very good. Right. And one thing that I want to point out is that Weight Watchers was SaaS-first, right?

Paul: Very much so, yeah. We had very much a cloud-first strategy, even in 2014 already. We saw the opportunity that the cloud provided, and so when we looked at solutions out there, there weren't many SaaS solutions yet that did IGA, right? Basically, some of our competition at the time was very much a hosted solution: they said, hey, we have a cloud solution, but it really was just a hosted version of what they did on-prem. And the other thing, when we looked at the SaaS world, I said this to SailPoint many times: not many companies get to redo their solution, if you will, right? So SailPoint grew up with an on-prem solution, then moving to the cloud, it wasn't like, okay, let's move what we have to the cloud, but really rethinking how a SaaS solution should work and what the features of the cloud solution are. So that really appealed to me again, to really see that forward-looking vision, and really helping us address the issues that we had at the time. So where it was compliance-driven initially at AIG, at WW it was all about enablement: how do we get our employees effective day one? How do we do that? How do we put the process in place, still with some governance, of course, but it was really around enablement. They're very much in the moment: day one they come in and they have access to the services that they need, or as many of the services as they need, whether it was automatically provisioned through our policy framework or whether it was self-service. It really was enabling employees to be productive, more than... And then we still had to do the typical compliance stuff because of the regulations that are out there, but it was really more broadly looking at how you do that enablement of employees and contractors and business partners, giving them the right access, versus the compliance stake, if you will.

Juliette: You were running identity for Weight Watchers. Remind us how big your organization was in terms of users and applications, and how many people you had on your staff to run identity.

Paul: Sure. So that was actually quite a big difference. When we looked initially at a solution, it was really around how simple that solution is, how many people do I need to manage that? So the organization was about 23,000 people back in the day. We had probably about 300 to 400 applications, if you will; a lot of them were SaaS services. A completely different set than an AIG with 120,000 people and 4,000 applications, completely different mindsets, a lot easier. But the management of the actual program: we were a team of three. I had two engineers on my team that really were focused on that, and it wasn't that you needed developer-level skills. The solution was really quite simple, and that's really what was appealing to us at the time, to build a solution that really doesn't require a lot of hand-holding and doesn't require deep technical skills. So that was really one of the other major reasons why we chose it at the time.

Juliette: Right, yeah, and I wanted you to say that because we talk a lot... I mean, the whole topic of this chat together is to talk about the evolution of identity governance into identity security. What I want the audience to really understand as well is how much simpler we've made the solution. Identity governance, when you started with it, was kind of clunky, and it was a large implementation and you needed a big staff, but this is not the case anymore, right? It could be because machine learning is helping us do things that people were doing, but it's also because we totally revamped the solution. We didn't take an old solution and put it in the cloud; we really looked at different best practices on the way to do things. So it is not, as people may think, a huge undertaking, but it is something that is critical for the security infrastructure.

Paul: Yeah, absolutely. One of the things we did not discuss, but in the vein of keeping it simple, I think a lot of people... With the capabilities that we have now, versus 2014 when we first started down this journey with IdentityNow, the key thing about what AI and ML can do now is that it flips the whole implementation cycle on its head, because now you can say: implement the solution, build your connectivity to your key systems, and let AI and ML determine what those policies and those roles are, and let them just discover it all and tell you what it should be, right? Where before, I hate to say it, it was sort of a guessing game: you sort of thought what people needed to have access to based on what you saw, so you built your roles around that. But was that really perfect? No, probably not. But now AI/ML can go in and say, hey, here's what I'm seeing, there are 80 people here, this is the role, this is what the overlap is. So that expedites the implementation cycle of an IGA program so much; that was never feasible before. So the ROI is there straight away, where before maybe it was an implementation of six months to a year to get that into play; now you can probably expedite that so much faster. So organizations that are now looking at that should really reconsider what their implementation is, how they look upon that, with these new capabilities that we now have.

Juliette: So when did you see the focus becoming more security, and what was the trigger for that notion of identity governance becoming more of a security solution?

Paul: Yeah, it was kind of interesting. Coming back to the enablement piece: normally the way it was, it was slowing everything down, right? What we really saw at WW was that our integrations were very fast to connect to things. So one of the things we did was, for example, rolling out Google to the whole organization, the G Suite solutions, and once we had that connectivity established and put the right controls around it, for us it was a push of a button to basically give the whole company access. So seeing that switch from "it's difficult, it takes us a long time to do things" to a push of a button to provision the organization gave the company a completely different perspective. They were really flabbergasted: you're ready already? And all these other things needed to happen. So the security switch was really that people were getting more and more to understand that identity became the underpinning of everything we did, whether that was rolling out Google or other services. People were quickly realizing that identity needed to have its own focus, and part of that is security as well. So management quickly realized that they needed to give it more attention, and basically we built out an identity organization, and that's how I moved over into the identity space. Because security sometimes has this "no" notion to it; with identity, people could see the benefits, right? It was clearly how you enabled an organization to do things faster, and we were really getting good feedback on what we were able to do for the organization. So the security switch: people just saw it overnight, that hey, this is important, right? Anything we needed to do was really identity-driven, if you want.

Juliette: Yeah. In a way, giving access so fast, so easily, to a lot of people was a compelling argument to say, well, maybe we should look into it and make sure it's secure, because we're opening so many doors to the organization with that wide access. And I think what you've seen at Weight Watchers, a lot of people started realizing it when the world shut down with the pandemic, right? It was basically something that you'd seen because of your strategy, but a lot of companies were going a little bit slower, and when the pandemic hit and everybody had to go remote, it was all about giving access to everybody super fast so people would stay productive, but opening doors for risk and compromised accounts a little bit everywhere. And we've seen customers switching to that notion almost overnight.

Paul: Yeah, yeah. We were very fortunate. The company was very leading-edge, and maybe sometimes bleeding-edge, if you will, in adopting new technology. So one of the benefits that we had was that in the year before, we had already implemented a zero trust architecture to allow people to basically work from anywhere and get the access that they needed. So having SailPoint in that ecosystem was very important from a provisioning perspective and for making sure that people had the right access, so that fit in nicely. When COVID hit, for us it really was business as usual from the perspective of giving people access. Yes, there were things like people using a BYOD device because they left their laptop in the office, things like that, but for the pure day-to-day operations, things didn't change that much for the average person. Where we had the most impact was that Weight Watchers had a lot of retail stores that we had to close, so all of a sudden it was like, how do we provide the same kind of service in the digital world? And we were on that transformation anyway, so then it became: how fast can we switch from an in-store experience to a digital experience? And the company actually accomplished that within seven days. We switched to a full virtual, digital experience, and SailPoint was a clear supporter of that, in enabling that switch within that short time. Giving people access to that digital environment was key to the success of switching the company to that digital experience. And really, with the whole pandemic, if you will, it just shows people how much you need what I call the identity fabric of capabilities to enable these kinds of things, so that the organization can react faster, you can roll out new products faster, and that's key in this world, right?

Juliette: So that evolution is fascinating, right? We went from a very heavy compliance focus to more of an enablement focus, without the compliance going away, but it became more secondary, and now the security of that enablement. So it's something that keeps powering up. But for identity security, aka identity governance, to be able to adapt like that, we also needed to adapt the solution, right? And we're seeing a lot of technology around AI and machine learning, and a lot of people may say, oh, that's a buzzword, because it's true there are a lot of high-tech companies that are doing that. But you were using those capabilities, right? Explain a little bit how that was a necessary evolution of the solution in order to be able to evolve with the business.

Paul: Yeah, we were an early adopter of the AI and ML capabilities, and really what it brought to us: at some stage you can't hire enough people to manage all this, right? The data, the amount of identity data; it is just too much. So you need some solutions to help you manage that and let the humans deal with what I call the exception stuff, but the basic day-to-day stuff, that's where AI and ML came in. And also, as organizations grow and bring more systems into this whole identity ecosystem, what was happening is that there was just fatigue in the organization. Managers were like, why do I need to do this again? Why do I need to certify this? Actually, I did it already three times in the last year, nothing has changed, why are you asking me to do these things? So using AI and ML initially, maybe to make recommendations around access, whether that's an approval for giving access or, in the case of certifications, telling them, yeah, this is okay to approve, and then morphing that eventually into a more automated way of doing that, is a key functionality. So for now, it was like, okay, we can help you make the right decision, so that managers are at least encouraged by that, because a lot of managers don't necessarily know what everybody has access to, and giving them that information helps. The other thing I think is very important, as you mentioned earlier, is: are we doing over-provisioning? Is what we set up in our identity program really reality, if you will? Just because people have access, and you brought that into one view, does it actually mean that these people should have access?

Juliette: Yeah, or having a way to just reduce your risk, right, to give them only what they need to do their work. You don't want everybody having access to everything just in case they will need it, right?

Paul: Yeah. So having AI/ML available to you to really give you that insight, to give you that look, and to say, hey, here is what we're seeing and here's where the outliers are, to say, there may be eight people in your organization that have access, but these other two people have far too much access because they have the same type of role. Getting that kind of information... I mean, people used to spend years designing all these roles and whatever, and then when the design was done, the organization had changed and you could start again.

Juliette: And sometimes it's a matter of people having access they don't even know they have, so their account becomes an orphan, and that's the best way for hackers to come in and take over an account and start maneuvering around the organization.

Paul: Very much so. So what I think more than anything AI and ML can help with is really giving that visibility that before didn't exist, and that really helps people get that visibility: giving somebody outliers and spotting orphan accounts and things like that, but also giving the confidence that your established policies are working as designed, right? CISOs are all about ease of mind, if you will, making sure that every control that you put in place is working as designed, and AI and ML have really helped visualize that this is working according to plan, or telling you that things are not working according to plan, right?

Juliette: So the next question I want to take you to is to help clarify a little bit how, as a user of identity, you look at the different categories within identity, because identity has evolved but it's also merging, right? The whole identity management space has really three categories: there is the access management part, there is identity governance, aka identity security now, and there is privileged access management. And you worked with all of them, and you had a very specific use for each of them and you understood the difference. So what comments can you give the audience to try to make sense of that IAM landscape that's becoming a little bit more blurry and uncomfortable, probably?

Paul: That's probably the right word I was going to use. Yeah, it's extremely blurry between these three disciplines, and there's a lot of talk in the analyst space and in the press at the moment around the convergence of that. And if I look back in time, when we first looked at security solutions, if you look at the Symantecs and the McAfees of the world, they were sort of the integrated solution, and that's what people were recommending. But for most people in security, myself included, it's still probably the discussion around best of breed versus an integrated solution. The problem with an integrated solution is the 80/20 rule: 80 may be enough, but in certain industries 80 is not enough, okay? But they will always continue to choose best of breed and make that integration happen. So they each have their play, and yes, there is definitely blurring going on, but the best way probably to describe it is through an example. So let me give you an example where people may be blind to certain access. If you look at an identity provider that integrates with AWS, for example, what the identity provider does is: you have your identity attributes, you have some roles, and basically in AWS you map those groups that you're a member of to roles within AWS. So if you just look at that piece, then you may say, oh, that's great, I have full visibility into it. But then if you look within AWS, and somebody makes a change in AWS to a certain permission, now all of a sudden that group has a lot more permission than you thought; the identity providers are completely blind to that. Whereas if you look at the identity governance solutions, we have full visibility into all those entitlements, so we know exactly what's going on in AWS and have that full visibility. So it's really complementary to those solutions, to give you that full visibility of what the user has access to and actually detect any changes in that environment as well. So it's very important that people understand the distinctions, and sometimes you could be blind to that: you think you know it all, but there are definitely reasons why I believe governance solutions are there, providing that deep visibility.

Juliette: Yeah, yeah. I think that's always important to remind people of, because we're all going towards more simplicity, more velocity, right, and the convergence can be appealing, but when we really think about identity security, there are things that no matter how fast you want to go, no matter how you go, you cannot take shortcuts on, and I think some of the things that we do and provide are part of that category. Last question for you, Paul. It's the end of the year, and there's always a lot of projection on industries and so forth, and all the vendors are here to give their projections, but what's your vision for identity? You've been with this category for so long; you've seen it evolving based on the needs of your companies, and also through the technology that it was providing and delivering. But if I ask you to be the visionary a little bit, because in a way that's where you're going to help us now at SailPoint, where do you see identity going? You're talking a lot about being the fabric of the security infrastructure and so forth. Tell us a little bit about that vision that you have and what it would look like in a few years.

Paul: Sure. I think the best way to describe it from a vision perspective is how people look at a consumer identity. If you look at the consumer space, they know everything about a consumer, right? What they're buying, what they're doing, what they may be interested in, and the marketing around that is perfect; they know exactly how that works. On the identity side, we just don't have that 360 view yet, right? So we need to move to get that 360 view, and part of that is, the best way I see other people describing it, it's kind of like looking at Tesla as a self-driving car: can we get identity to do that self-governance? How far can we push that envelope to get there? Instead of having to ask for, hey, here, you make a recommendation, if the guardrails are put in place, then why wouldn't you make that decision?

Juliette: True autonomous identity, that's what you're talking about.

Paul: Yeah, absolutely, moving there. And that becomes also a key pillar as people move to zero trust, right? In a zero trust world, it's all around that identity; that identity and the information surrounding that identity are what access decisions are being made on. So making sure that identity is fresh, is timely, is up-to-date, is critical in that, and that's why, as we move from static models to more dynamic models, taking in a lot more data, external data, from maybe a threat feed or things like that, to put that into perspective, gives us a complete view of that identity. So I see a lot more self-governance; I see a lot more visibility for organizations so that they can secure their organization, but also can ramp up that thing without having to necessarily hire another four or five people to do that stuff, by really moving into that autonomous world, which allows them to be fast and furious, if you will.

Juliette: Very good. Paul, thank you so much. Identity security: it is all about rethinking identity, and in 2021 we'll talk even more about identity security. Thank you so much for your perspective. It's a pleasure to have you on this program, and I'm very, very excited to have you at SailPoint to help us push the vision faster and better.

Paul: Thank you. It's my pleasure. Thank you very much.
2021-01-10 03:23