Managing Access Risk - Controlling the Identity Life Cycle

ISMG SECURITY EXECUTIVE ROUNDTABLE sponsored by SailPoint

Agenda

6:00 – 6:30 p.m. Registration & Networking

6:30 – 6:45 p.m. Introductions and Opening Remarks

• Nick Holland, Director, Banking and Payments, ISMG

• Jeff Bounds, Distinguished Engineer, Office of the CTO, SailPoint

6:45 – 8:30 p.m. Roundtable Discussion

8:30 p.m. Program Concludes


Introduction

In the age of cloud and IoT, identity and access management are becoming mission critical for a successful cybersecurity strategy. But managing visibility, security and governance of all of your users, including privileged accounts, is an onerous task given today’s connected environment and the expanded attack surface.

How do you fully manage privileged access in such a complex and increasingly decentralized landscape? How do you deal with regulatory compliance throughout the customer life cycle as roles and privileges change over time?

If you’re looking for answers to these questions, then please join me for an exclusive executive roundtable on Managing Access Risk - Controlling the Identity Life Cycle.

Guided by insight from Jeff Bounds, distinguished engineer for event sponsor SailPoint, this invitation-only dinner will draw from the experiences of the attendees who will offer insights on how they have been able to help their organizations rethink their own identity and access management strategy.

Among the discussion topics:

• Why is provisioning and de-provisioning identities so problematic today?

• What are the repercussions of users being over privileged?

• How can technology better mitigate identity risk?

You’ll have the opportunity to discuss identity risk with a handful of senior executives in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.


Discussion Points

Among the questions to be presented for open discourse:

• How has the identity risk landscape evolved in the age of cloud computing?

• What do you identify as your greatest identity vulnerabilities in your enterprise today?

• Where are you on the roadmap to protecting your business from identity risk?

• How do you articulate the need for identity management tools to C-level executives?

• How do you encourage buy-in from employees to adopt secure identity and access management policies?

• What investment will be made, and where, in protecting the identity lifecycle for 2019?


About the Expert

Joining our discussion today to share the latest insights and case studies is:

Jeff Bounds
Distinguished Engineer, Office of the CTO
SailPoint

Jeff has over 18 years of experience in Identity Governance and Access Management. He is a certified information systems security professional (CISSP). Jeff has extensive expertise in security architecture, application security, identity management, compliance, access management, and directory services. He has worked with clients in multiple verticals including healthcare, finance, retail, federal, and state/local.

Jeff was recently appointed as a SailPoint Distinguished Sales Engineer as part of the Office of the CTO. This role allows him to evangelize the company vision and technical strategy. Prior to SailPoint, he worked at Sun Microsystems and Oracle in the Identity Management and software practices.

About SailPoint

SailPoint, the leader in enterprise identity governance, brings the Power of Identity to customers around the world. SailPoint’s open identity platform gives organizations the power to enter new markets, scale their workforces, embrace new technologies, innovate faster and compete on a global basis. As both an industry pioneer and market leader in identity governance, SailPoint delivers security, operational efficiency and compliance to enterprises with complex IT environments. SailPoint's customers are among the world’s largest companies in a wide range of industries.


About the Moderator

Leading our discussion today is:

Nick Holland
Director, Banking and Payments
Information Security Media Group

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.


NOTE: In advance of this event, ISMG’s Nick Holland spoke about the issue of managing access risk with SailPoint’s Jeff Bounds. Here is an excerpt of that conversation.

Key Issues

HOLLAND: What are the biggest problems today with identity and access management?

BOUNDS: There are multiple issues today:

1. The business doesn’t understand the true security threat that exists (how do you quantify what didn’t happen?).

2. The business doesn’t understand the increased need for an emphasis on application-level security and knowledge of new IAG control/security models.

3. Cross-platform integration must be much better. There is a real need for actionable insights driven from cross-platform data sources. The insights are all there. We just need the integrated data to bring them to light.

4. Unstructured data and structured data need to be seen as two sides of the same coin.

5. Usage data is not leveraged in the ways it can be (i.e. AI and ML can use this to help control and refine access models).

6. We still have IAM debt, including gaping de-provisioning holes and orphaned account management/entity account ownership.

7. Robot and process automation accounts are left ungoverned.

The Challenges

HOLLAND: Why is provisioning and de-provisioning identities so problematic?

BOUNDS: We don’t simplify when we can. We build binary rules-based solutions for problems in which the rules must always be broken. But they are our own rules. We do it to ourselves.

Countless times have I encountered IAG projects that begin with goals of process simplification and often end with “just make it look like what’s currently there.” We kick the can down the road, as projects never get the buy-in from the right management level with the right selling criteria to make real business process re-engineering changes.

IAM projects take vision, buy-in and an acceptance of incremental change. They take support from the highest levels of management, a seasoned vendor with trusted advisory status and a sticky and accretive solution – a solution you can iterate upon.


I do think the real risk-specific problem is less provisioning, however, than it is de-provisioning. Untangling a set of Christmas lights is much harder than winding them up in the first place – unless, of course, you provision to a model in which de-provisioning is taken into account.

The Cloud’s Impact

HOLLAND: How is the cloud impacting identity risk?

BOUNDS: Identity is now ubiquitous. Fallback controls (i.e. the firewall) are no longer effective means of backup protection. The notion of “zero-trust” identity constructs is moving to the forefront of risk mitigation techniques. Access security models are changing, and the roles of application-level security, knowledge and trust are now more critical than ever.

Cloud identity adoption also has financial risk. SaaS solutions are often seat-based licenses. There is a real cost associated with “wasted” accounts.

Gaining Buy-In

HOLLAND: How do you encourage buy-in from employees to adopt secure identity and access management policies?

BOUNDS: Humans pay attention to what they identify as being in their best interest and pay little to that which is not. They also will voluntarily operate inside a construct that is given to them, assuming that construct is enforced.

The same is true for good IAM practices. People will adopt good policies if a) it enables the way they do their job, and b) controls are built in to the processes in which they operate and enforced.

The companies I see with the best IAM policy adoption are the ones in which the employees hold themselves accountable.

HOLLAND: What is better – carrot or stick?

BOUNDS: The stick. I’ve never learned anything from a trophy. I’m not a better player for seeing a ball I put in the net. I’m a better player for having gotten on the field with my team, dribbled it down field, passed it back and forth together in order to beat the defense and made the shot. The reward is found in the journey.

Mitigating Risk

HOLLAND: How can technology help mitigate identity risk better?

BOUNDS: Technology is meant to be an enabler. The market is full of great tools which support their own swim lane of protection of assets and susceptible threat targets.

The key game changer, as I see it, is for us to leverage new technology (i.e. AI and machine learning) to consume and compute these disparate data sources and to identify actionable insights to actively drive access models. The closer we get to an environment in which those who have access to a resource are really only those that use it, and the ones that need it can get it in real time in an efficient manner, the better off we will be.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


Contact

(800) 944-0401 • [email protected]
