Orchestrated Identity and Access Control

The dissolution of the traditional network perimeter, i.e., a barrier between “external” and “internal,” trusted and untrusted, has created a new quasi perimeter in the form of identity: identity of the humans using machines, identity of the machines themselves, and identity of the applications and workloads used by people and machines. While these identities always existed, the focus on their worth has increased, especially as companies aim toward zero trust security models in which every entity on the network—be it on-premises, cloud, hybrid cloud, virtual, or some combination thereof—is explicitly checked and rechecked for verification in an effort to reduce the risk of unauthorized processes and individuals traversing the network and introducing cyber threats.

While identity and access management used to be the purview of IT teams, separate from any cyber security responsibility, identity and access have now become central to the security conversation. And if the conversation were simply about provisioning users and groups to specific resources, it might still be a short conversation. However, identities have grown like gremlins as companies’ digital ecosystems have transformed, leading to complexity in tracking and managing identities—again, of machines and processes, not just users—and causing governance problems.

As one could have reasonably predicted well before identity became the “new perimeter,” securing these identities is now a top-line priority for security teams. Yet, the identity and access security tools market has grown in such a way that enterprises must stitch together disparate tools with sometimes-overlapping functionality, ensuring that each moving part is doing its job to secure the corporate ecosystem. The problem with this approach, though, is that it’s hard to become a good seamstress.

Pioneering the identity governance market

Enter: the identity governance market. Identity governance emerged in the late 2000s as a way for companies to orchestrate user identity management and access control. Spurred on by then-new regulations including Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), identity governance allowed IT and security teams to more easily meet compliance requirements. SailPoint, an identity governance provider out of Austin, TX, helped pioneer the identity governance market starting in 2007 and has since evolved to cover SaaS and cloud using an automated approach.

Today SailPoint is a leader in the space, acting as a governance overlay which orchestrates identity and access management for multi-cloud infrastructures and the systems, apps, and data that reside in them. Speaking with SailPoint’s team, Paul Trulove, Chief Product Officer, explained that the company’s SailPoint Predictive Identity™ platform is the synthesis of the company’s experience building identity products over the years. “The genesis of the idea,” he said during a recent briefing, “was the automation of general user flows. Older identity solutions couldn’t be repositioned to meet regulatory requirements, but companies still needed visibility into who had access to what. Then, companies started needing monitoring and detective controls, and this couldn’t be done manually.” Today, this vision drives SailPoint Predictive Identity, allowing companies to make identity lifecycle management a completely autonomous process.

Easy overlay model

SailPoint is compatible with all the major cloud providers and seamlessly integrates via API, SDK, or plugins with dozens of leading security providers including enterprise applications and infrastructure, storage, access management, service management, GRC, and SIEM. In areas where the platform intersects with IAM and PAM, SailPoint Predictive Identity provides additional context through machine learning and AI algorithms which improve performance of the platform over time, helping drive down customers’ risk.

Grady Summers, SailPoint’s EVP of Solutions & Technology, explained that the company’s vision is to be “the foundation of an identity-aware enterprise. We believe in a completely autonomous process for identity verification, and that connectivity is the fabric that is emerging. With that, we need to provide operational efficiency in a secure and compliant way and give our customers the ability to hyperscale, even across heterogenous or legacy environments.”

Identity governance powered by AI

The SailPoint team told us that the company’s strategy for the future of identity is full automation powered by machine learning and AI. The overlay model, working like an orchestration layer for identity, allows their customers to remain agile, constantly adjusting the tools, systems, and data they use to drive business performance, while meeting compliance requirements and remaining secure.

Though the identity governance space has several big-name providers competing for market share, SailPoint is as strong a contender as any. The company has a history of building identity and authorization products, which says a lot about their ability to produce effective solutions, yet the team understands that new cyber security solutions aren’t always rooted in tradition—in other words, security solution and control providers can’t focus solely on repurposing older technologies into new environments. SailPoint has the legacy merged with a vision for the future that should give prospective customers confidence in the company’s approach towards identity governance.