Managing Access Risk - Controlling the Identity Life Cycle
ISMG SECURITY EXECUTIVE ROUNDTABLE
sponsored by SailPoint
Agenda
6:00 – 6:30 p.m.
Registration & Networking
6:30 – 6:45 p.m.
Introductions and Opening Remarks
• Nick Holland, Director, Banking and Payments, ISMG
• Jeff Bounds, Distinguished Engineer, Office of the CTO, SailPoint
6:45 – 8:30 p.m.
Roundtable Discussion
8:30 p.m.
Program Concludes
Introduction
In the age of cloud and IoT, identity and access management are
becoming mission critical for a successful cybersecurity strategy.
But managing visibility, security and governance of all of your users, including privileged accounts, is an
onerous task given today’s connected environment and the expanded attack surface.
How do you fully manage privileged access in such a complex and increasingly decentralized
landscape? How do you deal with regulatory compliance throughout the customer life cycle as roles and
privileges change over time?
If you’re looking for answers to these questions, then please join me for an exclusive executive
roundtable on Managing Access Risk - Controlling the Identity Life Cycle.
Guided by insight from Jeff Bounds, distinguished engineer for event sponsor SailPoint, this invitation-
only dinner will draw from the experiences of the attendees who will offer insights on how they have
been able to help their organizations rethink their own identity and access management strategy.
Among the discussion topics:
• Why is provisioning and de-provisioning identities so problematic today?
• What are the repercussions of users being over privileged?
• How can technology better mitigate identity risk?
You’ll have the opportunity to discuss identity risk with a handful of senior executives in an informal,
closed-door setting, from which you will emerge with new strategies and solutions you can immediately
put to work.
Discussion Points
Among the questions to be presented for open discourse:
• How has the identity risk landscape evolved in the age of cloud computing?
• What do you identify as your greatest identity vulnerabilities in your enterprise today?
• Where are you on the roadmap to protecting your business from identity risk?
• How do you articulate the need for identity management tools to C-level executives?
• How do you encourage buy-in from employees to adopt secure identity and access management
policies?
• What and where will investment be made in protecting the identity lifecycle for 2019?
About the Expert
Joining our discussion today to share the latest insights
and case studies is:
Jeff Bounds
Distinguished Engineer, Office of the CTO
SailPoint
Jeff has over 18 years of experience in Identity Governance and Access Management. He is a certified
information systems security professional (CISSP). Jeff has extensive expertise in security architecture,
application security, identity management, compliance, access management, and directory services. He
has worked with clients in multiple verticals including healthcare, finance, retail, federal, and state/local.
Jeff was recently appointed as a SailPoint Distinguished Sales Engineer as part of the Office of the CTO.
This role allows him to evangelize the company vision and technical strategy. Prior to SailPoint, he
worked at Sun Microsystems and Oracle in the Identity Management and software practices.
About SailPoint
SailPoint, the leader in enterprise identity governance, brings the Power of Identity to customers around
the world. SailPoint’s open identity platform gives organizations the power to enter new markets, scale
their workforces, embrace new technologies, innovate faster and compete on a global basis. As both
an industry pioneer and market leader in identity governance, SailPoint delivers security, operational
efficiency and compliance to enterprises with complex IT environments. SailPoint's customers are among
the world’s largest companies in a wide range of industries.
About the Moderator
Leading our discussion today is:
Nick Holland
Director, Banking and Payments
Information Security Media Group
Holland, an experienced security analyst, has spent the last decade focusing on the intersection of
digital banking, payments and security technologies. He has spoken at a variety of conferences and
events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by
The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine,
The Economist and the Financial Times. He holds an MSc degree in information systems management
from the University of Stirling, Scotland.
About ISMG
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely
to information security and risk management. Each of our 28 media properties provides education,
research and news that is specifically tailored to key vertical sectors including banking, healthcare
and the public sector; geographies from North America to Southeast Asia; and topics such as
data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects
senior security professionals with industry thought leaders to find actionable solutions for pressing
cybersecurity challenges.
NOTE: In advance of this event, ISMG’s Nick Holland spoke about
the issue of managing access risk with SailPoint’s Jeff Bounds. Here
is an excerpt of that conversation.
Key Issues
HOLLAND: What are the biggest problems today with identity and
access management?
BOUNDS: There are multiple issues today:
1. The business doesn’t understand the true security threat that
exists (how do you quantify what didn’t happen)?
2. The business doesn’t understand the increased need for an
emphasis on application-level security and knowledge of new IAG
control/security models.
3. Cross-platform integration must be much better. There is a real
need for actionable insights driven from cross-platform data
sources. The insights are all there. We just need the integrated
data to bring them to light.
4. Unstructured data and structured data need to be seen as two
sides of the same coin.
5. Usage data is not leveraged in the ways it can be (i.e. AI and ML
can use this to help control and refine access models).
6. We still have IAM debt, including gaping de-provisioning holes and
orphaned account management/entity account ownership.
7. Robot and process automation accounts are left ungoverned.
The Challenges
HOLLAND: Why is provisioning and de-provisioning identities so
problematic?
BOUNDS: We don’t simplify when we can. We build binary rules-
based solutions for problems in which the rules must always be
broken. But they are our own rules. We do it to ourselves.
Countless times have I encountered IAG projects that begin with
goals of process simplification and often end with “just make it
look like what’s currently there.” We kick the can down the road,
as projects never get the buy-in from the right management level
with the right selling criteria to make real business process
re-engineering changes.
IAM projects take vision, buy-in and an acceptance of incremental
change. They take support from the highest levels of management,
a seasoned vendor with trusted advisory status and a sticky and
accretive solution – a solution you can iterate upon.
I do think the real risk-specific problem is less provisioning, however,
than it is de-provisioning. Untangling a set of Christmas lights is
much harder than winding them up in the first place - unless, of
course, you provision to a model in which de-provisioning is taken
into account.
The Cloud’s Impact
HOLLAND: How is the cloud impacting identity risk?
BOUNDS: Identity is now ubiquitous. Fallback controls (i.e. the
firewall) are no longer effective means of backup protection. The
notion of “zero-trust” identity constructs is moving to the forefront
of risk mitigation techniques. Access security models are changing,
and the roles of application-level security, knowledge and trust are
now more critical than ever.
Cloud identity adoption also has financial risk. SaaS solutions are
often seat-based licenses. There is a real cost associated with
“wasted” accounts.
Gaining Buy-In
HOLLAND: How do you encourage buy-in from employees to adopt
secure identity and access management policies?
BOUNDS: Humans pay attention to what they identify as being in
their best interest and pay little to that which is not. They also will
voluntarily operate inside a construct that is given to them, assuming
that construct is enforced.
The same is true for good IAM practices. People will adopt good
policies if a) it enables the way they do their job, and b) controls are
built in to the processes in which they operate and enforced.
The companies I see with the best IAM policy adoption are the ones
in which the employees hold themselves accountable.
HOLLAND: What is better – carrot or stick?
BOUNDS: The stick. I’ve never learned anything from a trophy. I’m
not a better player for seeing a ball I put in the net. I’m a better
player for having gotten on the field with my team, dribbled it down
field, passed it back and forth together in order to beat the defense
and made the shot. The reward is found in the journey.
Mitigating Risk
HOLLAND: How can technology help mitigate identity risk better?
BOUNDS: Technology is meant to be an enabler. The market is full
of great tools which support their own swim lane of protection of
assets and susceptible threat targets.
The key game changer, as I see it, is for us to leverage new
technology (i.e. AI and machine learning) to consume and compute
these disparate data sources and to identify actionable insights to
actively drive access models. The closer we get to an environment
in which those who have access to a resource are really only those
that use it, and the ones that need it can get it in real time in an
efficient manner, the better off we will be.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
Contact
(800) 944-0401 • [email protected]