Building An Enterprise Identity Security Practice

Industry Trends Heading Into The New Year

Dec 13, 2022, 1:30 PM to 2:30 PM EST

Key Discussion Takeaways

Now, more than ever, it’s crucial that companies do a deep dive into their identity governance to pinpoint burdensome areas and improve their security posture. Yet surprisingly, the majority of companies are lacking in their identity governance initiatives.

Many businesses either don’t have an identity program in place or they’re running on a bare-bones structure. This not only puts the company at a greater security risk, but it also means they’re missing out on major ROI. So what are the best ways to develop and implement a successful program?

In this virtual event, Greg Irwin is joined by Jeff Purrington, an Identity Strategist at SailPoint, to talk about identity governance, Zero Trust, and the future of identity security. Jeff explains what identity governance is and why it’s important, the benefits, and the most effective methods to improve your security posture in the new year.

Here’s a glimpse of what you’ll learn:

  • What is identity governance, and how do Zero Trust initiatives fit into that framework?
  • The four vectors where you can improve identity governance
  • Crucial priorities for the future of identity security
  • How to start an identity program — and why it can be more effective than a project
  • Jeff Purrington explains the benefits of improved identity security
  • How SailPoint helps organizations create automated identity governance solutions
  • Tips to drive alignment across departments and implement SoD solutions
  • The importance of role-based access controls and stakeholders
  • What is the best starting point to improve identity governance?
Event Partners

SailPoint

SailPoint is an Austin, Texas technology company that provides identity management and governance, including governance of access to unstructured data.

Guest Speaker

Jeff Purrington

Identity Strategist at SailPoint

Jeff Purrington is an Identity Strategist at SailPoint, an identity security platform for the cloud. He has 25 years of experience in IT and information security as well as extensive knowledge of regulatory compliance initiatives.

Before joining SailPoint, Jeff was the Director of Product Management and an Engineering Specialist for Saviynt, the Director of IT Risk at RSM, and the Manager of Information Security Services at Accenture among many other leading roles. 

Event Moderator

Greg Irwin

Co-Founder, Co-CEO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Discussion Transcription

Greg Irwin  0:18

We're here co-hosting with SailPoint. Jeff Purrington, this is gonna be a pretty easy session. We've done these now for multiple years. I'm really, you know, the forums that we've run across security have never really covered all aspects, and one of the hottest areas has been elements of zero trust and elements of identity. So we're thrilled to continue the forums here together with Jeff Purrington over at SailPoint, to talk about what companies are doing specifically to harden their identity programs. So we're co-hosting on this. The format that we're going to do is basically Jeff's got some material and survey results that he's going to share.

 

We're gonna go maybe 10 minutes on that material, ask questions, drop your comments and questions into the chat, and we'll do it interactively. After that, I always like a more interactive session, so I'm gonna go around the group, and specifically I'm going to be inviting people to share some stories, good, bad and ugly, about what's happening around your own identity programs: where the challenge is, where, you know, what you've been doing that's going well. So don't be surprised if I call you out and ask you for a first story. Frankly, it just makes this a whole lot more fun, to hear a whole range of stories.

 

One other point here: these forums are best when we're creating the elements of a community. So it's interactive, I want to create dialogue, and that means let's use the chat. It's really powerful, drop questions in that way. You're here spending an hour of your time, let's make sure that it's productive. So drop comments and drop questions and reply to others, and let's make sure this is a good, productive session. So my name is Greg Irwin, I'm your emcee for the hour. Jeff Purrington is our emeritus speaker here from SailPoint. And Jeff, I'm going to ask you to take a moment and please introduce yourself to the group.

 

Jeff Purrington  2:46

Hi everyone, my name is Jeff Purrington. I've been in information security over 20 years. I started my career at Deloitte doing application security, I've led IT audit organizations, have worked on PCI programs, HIPAA programs, and the like. And most recently, over the past seven or so years, I've been in identity. I'm an identity strategist here at SailPoint.

 

Greg Irwin  3:12

Excellent. Alright. So Jeff, you prepared some material here for us to kind of walk through, to kind of set the stage for this session. Why don't I share that, and we'll start going through it and, yeah, get it rolling here? Let's

 

Jeff Purrington  3:32

Sure, yeah. And I'd like to say, you know, regarding some of these slides, there's a lot of content on some. I'm just going to kind of briefly talk about these, just kind of let you know a little bit about what we do, what we've been doing around kind of implementing a strong identity program. And, you know, it starts really kind of with an understanding of identity governance, if you want to go to the next slide. You know, when my son asks me, what do you do? And I tell him I'm an identity strategist, he kind of looks at me with a bewildered look on his face. Well, what is identity governance, really? You know, I've heard it laid out in three basic fundamental tenets: who has access, what do they have access to, and how are they using that access? Over the past couple of years, with the advent of the cloud and cloud applications and the pandemic and having a hybrid workforce, we've been talking a lot more recently about zero trust. So, you know, that really is taking identity governance to a new level, or it's a new layer of identity governance, where, you know, identity now we're considering the new perimeter. No longer are your employees logging in from your network, behind the firewall. A lot of times people are using applications or they're connecting to your network from home. So really, it's important to understand who has access, what they have access to, and how they're using that access. So identity is the new perimeter. When it comes to what do they have access to, we're looking at concepts that have been around since I took my CISSP in 2002, you know, least privilege: only having the access to do what you need to do, to do your job responsibilities, and hopefully, you know, maybe some applications that make you happy while you're doing them.
Also, just-in-time, having time-bound access for privileged access, making sure that users who are accessing the system, especially when they have privileged access, are having that access be monitored, having that access taken away after a certain period of time. And then continuously monitoring. We're using AI and ML and different tools these days to continuously monitor. So let's say Jeff Purrington, I'm always logging in from eight to five Pacific Standard Time, I'm always on the Southern California IP address, and then suddenly I'm accessing a system from Europe. You know, do I have controls in place to shut down that access? Or maybe ask me additional security questions? Or have me, you know, maybe do some additional MFA, multi-factor authentication, to ensure that yes, Jeff is really Jeff, he's just on vacation in Europe. So zero trust is taking identity governance kind of to a new level, so to speak. And we're using tools, like I mentioned, AI and ML, to make it more intelligent and make it less burdensome on, you know, administration and on organizations, maybe doing user access based certifications, being able to raise the highest, riskiest items to the top when you're doing those certifications, so that you're not just seeing people rubber stamp. You know, I have 1000 different users to certify, I can't do it, and I still have my job to do. So, you know, you have people that just end up rubber stamping those types of certifications. And so we're using AI and ML to raise the riskiest items to the top. Let's say you have an accounting department that has 100 people on it, yet two of the people in the accounting department have some privileged access. We're raising that privileged access to the top so the reviewers can see that and really certify the riskiest items. And that's all part of this journey. So that we'll kind of get to later in the slides.

 

Greg Irwin  7:32

Next, Jeff, let me pause. Let me pause you for a second. Sure. Sure. I'm gonna go through some of the material and some of the findings. I want to ask the group, Paul, Jamie, Pavel, Rob, Charles, Bruce, anyone who's on the line here, do me a favor, drop one question into the chat. I want to make sure that we're hitting on things. It doesn't have to be specific to the content that Jeff's got in front of us here, but I want to make sure we're hitting the core questions that you want to understand. I mean, I have a hunch that this whole group understands IGA pretty well, and the core tenets of zero trust reasonably well. So maybe you want some high level stuff, or maybe you want something a little bit more detailed. But do me a favor, let's make sure and please drop a question into the chat. So I've got one: of the projects that you're seeing right now, how often are they part of a broader zero trust program? Versus, you know, hey, I'm having a management issue, I can't keep up with, you know, moves, adds, leaves, and I just need to manage it better, which could be considered quite tactical. Yeah, how often is this part of a broader, you know, zero trust initiative. So we've

 

Jeff Purrington  8:54

Just recently, it'll come up in the next couple slides here, we just recently did a survey of over, we had over 350 participants, and we used the old Carnegie Mellon capability maturity model structure, and came up with this Horizons Report. We call them different horizons, so from zero to five, zero being really you don't have much in place at all, to five being highly optimized and measuring and having a zero trust kind of strategy in place. You know, we found that probably less than 10% are in that zero trust strategy, using AI/ML and different technologies to be able to enable them to do zero trust. A lot of companies are doing pretty bare-bones identity management. You know, they only have it partially implemented. I was just at a CISO exchange where there were 20 different CISOs there, and every single one of them said they only have identity figured out partially. So a lot of organizations are using point solutions. They don't have a comprehensive identity program in place, which is something we're going to talk about today. So I would say, from zero trust strategy being, you know, the main use case driving the program or the project, it's very small at this point in time, but, you know, we're seeing a lot of traction. You hear a lot about zero trust in the marketplace today. But that being the key driver, and not it being just your core basic blocking and tackling, the joiner, mover, leaver, user access certifications, managing segregation of duties and privileged access, those seem to be predominantly the main use cases. We're now getting to the point, like I mentioned, where we're integrating with different security information event monitoring logs, we're using our own AI/ML so that we can understand when someone's logging in, are there other risky elements to that login?
Like, for instance, I mentioned, am I logging in from the same location I typically log in from, am I accessing the same applications I typically do within the same timeframes. There's a lot more going into the analysis of who's accessing and what they're accessing and how they're using that access. And as we'll get into these slides, I think the next slide mentions, you know, 84% of the breaches that have occurred over the last couple of years are identity related, so who has access, what they have access to. Three to 4 billion was the cost of the Epsilon breach. Approximately 50% of IT help desk calls are to reset passwords and things of that nature; with a good identity governance solution in place, that really goes to zero. 58% of consumers have a difficult time with role-based access controls and identity governance, and, you know, when it's not effectively done, if you don't have an effective program in place, a lot of times it just gets pushed to the side because it's not as easy as it seems. So, kind of going to the next slide, I just wanted to show, so we took a survey, like I mentioned, of 350 different organizations, and it looked at identity governance across four different vectors. IAM strategy, which is basically looking at, do you have a program in place? Is it something that has been or is being implemented to affect your entire organization, to bring your entire organization under kind of one centralized single pane of glass when it comes to joiner, mover, leaver, user-based access certifications, and things of that nature? What kind of tools are you using? Are you using point solutions? A lot, when I was a director of IT audit, like I mentioned, we had over 25 key applications in scope for SOX, all were being managed in silos.
Some of those applications got hit harder than others when it came to having terminated users still having access, or not having the appropriate approvals for new access, or not having, you know, the appropriate user access certifications. So, you know, what commonly happens is a CIO or a CISO, they'll have, you know, a bunch of deficiencies that they need to accommodate from their SOX audit, and they'll just go out and they'll figure out, okay, what's the solution? What's a band-aid that I can put on that so that that goes away? Meanwhile, you know, it's more of a systemic problem: you don't have the right people administering these applications, there's too many silos, people aren't trained enough, you don't have the right technical expertise, a lot of times, to really audit these systems like SAP. I mean, these people are extremely expensive, and finding them is difficult, especially in today's world where, you know, there's millions of job openings and not enough people out there that are skilled to fill those job openings. So what kind of operating model do you have in place? Is it a program? Do you have a program in place? Or are you just basically managing a bunch of point solutions? And, like I mentioned, having the right talent and people. So on the next slide, I'll show, we did this over, these are the different horizons that we kind of came up with. This is, like I mentioned, capability maturity model stuff, and I apologize, I'm going kind of quickly. I'm trying to just kind of cover this content quickly so that we can have a more interactive, collaborative discussion. So basically, this is the foundation of our Horizons Report assessment that we've done. One being initiation, you're mostly just using manual processes. I remember back in the day when we first started doing SOX at Deloitte in 2002, almost all the controls and the control environment were manual.
So since then, you know, 20 years later, I still see a lot of companies struggle to change from having manual detective controls to automated preventative controls. And this is something that we've been trying to achieve for 20 years. And people are still, like I mentioned, I went to a CISO exchange, everyone is still struggling with automating the majority of their joiner, mover, leaver, user access certification type, you know, your basic blocking and tackling access controls that are audited for pretty much every compliance initiative out there. I would say the lowest common denominator of GLBA, SOX, HIPAA, PCI DSS, NERC CIP, all these different regulatory compliance initiatives that organizations have to comply with, the lowest common denominator is who has access, what do they have access to, and how are they using that access. That just screams identity governance, and yet, still, 20 years later, companies are struggling with it. We did this survey, if you go to the next slide, over 350 people across multiple industries, and I'm just going to put this up for a second. As you can see, you know, when we get to H3 and H4, that's where you kind of start seeing more mature identity programs in place, right. And you can see that there's really, I mean, the bright blue and the teal color there at the end, you can see the majority of these respondents are somewhere in the twos to ones, so that, like the CISO exchange confirmed for me, people just really only have partial programs out there. So we're trying to assist our customers and potential customers to get to the four and the five area, to mature their identity programs, to automate their controls. We just recently had a customer, I saw them onboard 700 applications in 11 months, being able to universally give people access the day they start their jobs. Instead of, like, we were just up at a potential customer a month or two ago.
And one of the guys in the conference room was brand new, he had been with the organization for, I think, like 10 days, and he still didn't have access to any of the applications that he needed. And this is a, you know, Fortune 500, you know, huge company. And two weeks into starting his job, he still didn't have access to any applications and had barely just got his computer. So being able to accomplish that in just, you know, a matter of minutes certainly, you know, helps with productivity and getting people, you know, the access they need to perform their jobs.

 

Greg Irwin  18:02

So this means, if you're not very far along, you're not alone. No, you're not alone.

 

Jeff Purrington  18:08

No. And if you would like to get an assessment of where you're at today, we have a Horizons assessment, there's a link on our website, and I can share it with you if you reach out to me. And you can do an assessment of your organization and kind of where you stand in this whole identity journey. If you want to go to the next slide, these are just some of the benefits that you see as you kind of move along the different horizons. We found in our research, we had a strategy consulting company come in and do a bunch of research, that, you know, faster to detect and respond to attacks by 40%. You know, we reduce manually touched help desk tickets by 85%. I talked about audit and compliance; we reduce the amount of your audit costs by almost three times. Like I mentioned, in a past life I was a director of IT audit, we had over 25 applications. Each audit that we did was over half a million dollars, because you'd have to go to each application silo, you'd test for new users, have they been approved, you would test to make sure that all terminated users have been removed from the system, you would test to ensure that the user access certifications, you know, those quarterly controls or biannual or semi-annual or annual controls that companies have, had been performed. And you would do that over 25 times, for 25 different applications. If you have an identity governance solution in place, those costs are reduced dramatically. Like I mentioned, our audits, just on the IT side, would be over half a million dollars per audit, and we had to comply with the California Department of Insurance, FINRA, the model audit rule, GLBA, SOX, and we did those five different audits throughout the year, and each one was costing close to half a million dollars. If you can reduce that by almost three times, then that pays for your solution, you know, in and of itself. Do you want to go to the next slide?
So one of the goals, or one of the talking points, of this was, you know, how do I get an identity program started? One of the things, and the only reason why I have this slide up, I don't want to talk underneath anyone here, but a lot of times people approach identity with, you know, a project: hey, we're going to implement this identity solution, and we're going to connect it to a few apps, our SOX critical apps, maybe, and then we're just gonna let it go. Really, you know, we talk to our customers about how it needs to be a program. You know, we need to have executive sponsorship, we need to have stakeholders involved in the program that can enact change and get things done, we need to have application owners involved in the project, we need to have, let's say, GL VPs involved, you know, who's going to have access to open and close accounting periods, who's going to have access to maintain the chart of accounts. We need to be able to get all of these stakeholders involved in these programs so that, you know, we're efficient in getting these applications connected, we're efficient in getting roles defined, we're efficient in getting user access certifications and approval workflows set up. So when we have a program, we have stakeholders, we have funding, these programs tend to be hugely more successful than when we treat them tactically in the short term. So that's the reason why this is here, just because basically I want to, I don't know how everyone feels today on the call, if they're part of an identity program, or if they see it at their company being more tactical, hey, this is just a project, you know, in six months this is going to be over with and we're just going to let it run. I'd be interested to hear people on the call and how they do it at their organizations. Do you want to go to the next slide?
And this is really the kind of ROI that we see with customers. This isn't just one customer, this is across the board. Your access certifications, typically, when you're doing them hybrid, manual, automated, maybe you have, I don't know, a GRC tool that helps you to do certifications, but most of the time you're just emailing spreadsheets back and forth, we see certifications go from taking anywhere from six months to a year to less than a month. We see, like I mentioned, onboarding applications, a user having access to all the things they need to do their jobs on the first day, sometimes we've seen that take up to two weeks. In this example we're showing 14 hours, but that really kind of gets down to two and a half minutes, just a few minutes, and someone has all the access they need to do their job. Deprovisioning worker accounts, sometimes that can take more than 30 days. Sometimes it doesn't happen until your user access review, and someone 60 days later says, hey, this person doesn't even work here anymore, and they have access to all these systems. We see that go from, you know, 30 plus days to seconds or minutes; you know, someone gets terminated, and within a minute of someone saying, hey, this person's terminated in the system, having all of their access taken away. So you're not getting those deficiencies, or significant deficiencies or material weaknesses, from your auditors because you have privileged users in the system that haven't been with the organization for 30, 60 days. Those things stop happening when you automate these controls. And then self-service access requests: those manually touched help desk tickets, like I mentioned, go down by 85%, annual cost savings of close to a million dollars for some organizations, depending on your user base. And then password management.
Like I mentioned, 50% of help desk calls are password related; with a good identity governance solution in place, those go away, really. And then I think the last is just question and answer now. Hopefully I've left enough time. I know we have minutes left. But

 

Greg Irwin  24:20

Jeff, that was awesome. And I think that the nature of the questions that came in along the way just speaks to the fact that this is the right topic. I'm going to stop the slideshow here, and I'd like to get into some Q&A in terms of specific enterprise stories. But Jeff, I'm going to keep you on here for the first story. So tell us about one enterprise that you've supported who may have been in that horizon one, horizon two, what kind of investment it took to put the program you're talking about in place, and some of the, I mean, you talked about the benefits, I love that last slide, because that's something you can really hang your hat on in terms of business improvement, or driving efficiency and driving a better security narrative. But I'd like to hear it in the context of one customer. And then the group here has shared some specific questions; we asked for them, they provided them. Let's try and answer some of these. Let's start here with one customer story, don't give the name, but tell us about one customer that's at horizon one or two and making a step to kind of move beyond it.

 

Jeff Purrington  25:44

Right. So I can think of a customer where we came in, and they were doing mostly everything manually. They had an older legacy identity and access management system, so, you know, they were doing okay at getting people access to things and implementing SSO. However, they didn't have access to all the different SOX applications. Some SOX applications, or, you know, you'll have applications that have been developed in house, there are potentially legacy applications that are important to that business, developed by that company, and sometimes it's difficult to connect, and there's not a lot of connectors for custom applications. But we came in and we were able to connect all their SOX applications. And, like I mentioned, another customer, 700 applications in less than 11 months. So being able to really kind of put your arms around your entire application ecosystem, being able to handle unstructured data and structured data. So who has that, you know, all the time people are sharing information on SharePoint or Box or Office 365, or even in Slack, and depending on who has access to those channels, you could be passing back and forth, you know, financially sensitive information, or you could be passing back and forth PII. Maybe you have two HR people who have exchanged an employee list with a bunch of PII, and that goes onto SharePoint. Well, who has access to those SharePoint files?
So we handle data access governance and file access monitoring, we handle segregation of duties on the SAP side, knowing where there's shadow IT in your organization, understanding what cloud controls exist and how effective those are. I mean, there's so many different components of identity and access within your organization, and being able to put your arms around that, you know, I've seen plenty of, like I mentioned, the one organization, 700 applications connected, and now utilizing SailPoint for identity governance across 700 different applications. And then the one I just mentioned recently, they had, I think, about 30 different applications, and they were handling everything manually. Now everything is done automated. And some of those metrics I just showed you, those are the benefits of enjoying an automated identity governance solution. I know, let's say, like organizations that use systems like SAP, your auditors are also going to look at emergency access management and segregation of duties, a lot of different things that go deeper into SAP, like T-codes and authorizations. And we have a solution called Access Risk Management where we can provide, down to that T-code, authorization object level, you know, who has access to what, are there segregation of duties problems, like the people who can enter suppliers or vendors, can they also create invoices or payments on those vendors, having appropriate segregation of duties? We have a full risk rule set for SAP. And that's something you may think about as well.

 

Greg Irwin  29:07

You made the point there that it takes collaboration with HR and other departments. Jeff, would you share a comment, or I'll put it out to the team here, you know, one good practice in terms of really driving the alignment across departments who may not feel these deficiencies as acutely as Jamie might?

 

Jeff Purrington  29:31

Well, so in this situation, you know, all the time, as an identity governance solution provider, we hook into the authoritative sources or HR sources. So as soon as HR says, hey, this person's no longer being paid, they've been terminated, that triggers that person being removed from every single application in your application ecosystem, everything that's been connected in SailPoint. They'll be removed within minutes, so you won't have that problem. I remember when I was the director of IT audit, you know, when I was on the audit side, we'd say, hey, you have a terminated user in your system, that's a deficiency. And you're always going to have those when you're relying on manual, human-touch related controls. When I was on the information security side, I would say, hey, but that means I was 99.9% effective, you know, all the other terminated users are out of my system, it was only one. So I was pretty effective there. But, you know, when it comes to compliance and audit, they want to see controls working and operating effectively. And if you still have terminated users that have access to your systems, those can be compromised. And a lot of times in these breaches, you see where someone had privileged access that is no longer with the company, and it's that ID that was used to do something malicious in the system. And another one that you want to make sure you get rid of, this is for Jamie and others, are generic IDs, IDs that aren't necessarily tied to a user. A lot of times when I was in audit, I would come in and I would see that you have like five or six privileged generic IDs. And I would say, well, who knows the password to this ID? Like, let's say the SA password on a SQL database, who knows the password of this ID? They'd say, well, it's shared amongst our database group. And that's a big problem.
Because if anyone uses that ID to perform some kind of malicious fraud, there's no accountability: you don't know who actually owns the ID, you don't know who used the ID. And so really, clamping down on privileged access is important, getting it to be time-bound, you know, and being able to monitor that access while the user is using it is super important, but also getting rid of generic IDs, making sure that terminated users are gone from your systems. That's all super easy if you have an automated solution in place like SailPoint.

 

There's a lot of solutions out there that do SoD, like you mentioned FastPath. There's a lot of SoD providers that don't do identity, there's a lot of identity providers that don't do SoD. We do both, especially when it comes to SAP, and we're adding new ERPs to our library of solutions. But like you mentioned, for SAP, we have an out-of-the-box rule set that has risks already defined; you would only need to really kind of fine-tune it to your processes. Like, if you're not using it, let's say in our rule set we have AP: can you create a supplier and create a payment? Can you create a supplier and create an invoice? Can you create an invoice and also receive goods? All these different risks that you have from an SoD perspective, we have those rules in our ARM product, Access Risk Management. And the only thing you really need to do is say, okay, well, we don't use SAP for AP, so we don't need those rules. Or if you have custom T-codes that you've developed, you know, we obviously wouldn't know what those custom T-codes are, so you would need to make sure that, hey, we're covering everything that you need to cover. Talking about having a program, an identity security program, a great partner, a great stakeholder to have involved in that program is your internal audit team, because they can tell you, hey, this is what we're auditing you for in SAP, this is what we're looking at. So you need to make sure you're covering at least what they're covering, because you don't want them to come up with a deficiency when you have controls in place that shouldn't allow those deficiencies to even happen. So they're a great partner to have.
But like I mentioned, having the ability to do SoD for SAP, but then also having that same solution do your identity for all your joiners, movers, leavers for all of your applications within your application ecosystem, having, you know, user access reviews with artificial intelligence and machine learning that raise those riskiest items to the top so that people aren't just rubber-stamping because they have certification fatigue. I remember when I was a director of IT audit, these business owners, these business users, these managers that would have to do these user access reviews on a quarterly basis, they would often complain and say, hey, I have a normal job I need to be doing. This is taking me weeks to go through this process to manually review everything. So after a while, they just start saying, yeah, it's good, I have my other job to do, I just did this last quarter, I'm sure nothing changed. So we use AI and ML to raise the riskiest things to the top, to show you the new users that have received access, to show you users that have access that isn't really in line with all the other users in their department or their peers in the system. We raise those riskiest items to the top so that, you know, the most important things are being looked at and reviewed without just being rubber-stamped. So I have a feeling that, you know, a solution like SailPoint would be really beneficial for someone like you.

Greg Irwin  35:21

How often are you being deployed, Jeff, in combination with an IAM like Okta?

Jeff Purrington  35:27

I mean, a lot. We have, I would say, a huge percentage of our customers where we integrate perfectly with Okta. They're the single sign-on side, the access management side, like you mentioned, Bala, and we handle the identity governance side of it. So you know, when we get into, like, who has access to what, and you also mentioned, Bala, segregation, or separation of duties, or segregation of duties, whatever you want to call it, do we handle that for other apps other than SAP? And yes, we do. We have things that we use in our basic provisioning called segments, where if you have access, let's say, to create vendors, I can segment those users from even being able to request other roles that would create a segregation of duties conflict. So if you have the ability to create suppliers in some system, you're given that role where you're creating suppliers. And if you have that role, we can set up segments so that you're not even able to request other roles that might provide you with the ability to create an invoice, or to create a payment, or to open or close an AP ledger, receive goods, you know, other AP activities that might be in conflict with creating a supplier. We can segment those users so they're not even able to request those. So you said you have Okta and FastPath, so you're utilizing FastPath for your SoD, you're utilizing Okta for your identity and access management. The piece that you're really missing, which is in our wheelhouse, is the identity governance piece: using AI and ML to build out roles, using AI and ML to lessen that certification fatigue that we just talked about, using identity governance to get rid of users that have been terminated from your system, from all the different applications they have access to.
Those aren't things that Okta is doing. I know it's on their roadmap; if you look at the latest quadrant that came out that shows leaders in identity governance, Okta's not even on there. So I mean, they're really good at identity and access management. They've talked about getting into identity governance, I don't know when that will be a mature solution. FastPath, like I mentioned, does SoD pretty well, but they don't do identity governance. So really, I mean, if you're looking for a great solution that will get rid of those situations where you have a couple of users in your SAP system that were terminated, but HR forgot to tell you, those things go away with a good identity governance solution. I worked for a large healthcare provider here on the West Coast, a little north of Scripps, where you're at. It was a very interesting environment. I had never taken part. But a lot of things that you're seeing right now resonate for me. I remember, you know, the oncology department and the pediatrics department, and, you know, all these different departments are acting autonomously, like you mentioned. And at the time, a Linux virus had come out, it was, I think, zoo server, one of those that came out, and we couldn't really even identify if we had Linux systems, you know, they didn't really know, who knows, because, you know, your oncology department may just go off to the closest Staples and buy a computer and plug it into the network, and no one has any idea what they're dealing with, and maybe it's a Linux machine, and there's this huge virus out. So it's important to find where all your Linux machines are. In the healthcare environment, it can be super challenging, because a lot of times these organizations are acting in silos.
So I would say the biggest thing is, you know, really kind of that whole stakeholder, executive sponsor, that program, building up that program and getting buy-in from all of the different departments and kind of really educating people as to why it's so important, especially when people are accessing now remotely. They're not within your network, and, you know, making sure that the right people are accessing the systems, that they have the right access, and being able to monitor. Utilizing, like you mentioned, what are some of the new technologies that we're incorporating to make this better? AI and ML are huge ones that we've just recently, over the past couple of years, been building out. And it helps on the role side when we're trying to define roles. A lot of times, when I was in consulting, I was at Deloitte, those are huge moneymakers for consulting firms doing role-based access control projects. And really, you need to go in there and you say, okay, you have these 50 applications that are relevant for SOX. Okay, what access does Jeff have? So I need to get user lists from each one of those 50 applications, I need to look up Jeff and see what his roles are for all 50 different applications. And I have to do that across the board for 5,000 different employees. Those projects are massive moneymakers for the big four. And really, using AI and ML and our role access modeling product, which has just come out recently, it's a huge cost saver when you're trying to build out roles in your organizations. A lot of people have punted, they don't even want to touch RBAC, because it's so difficult to even wrap your arms around. We've made that much simpler, and role-based access control is an awesome way of governing access and birthrighting users so that they have the right access from day one. So I would say AI and ML is a huge one.
And you're seeing, like for instance, in a medical organization I just talked about, someone going to buy a computer and putting it onto the network. We have products that look for shadow IT, so it'll go out onto your network and look for things that haven't been registered, and we can look at all those. Like I mentioned, we just onboarded 700 applications in less than 11 months. I think the biggest thing for a medical organization like yours is getting the program in place, getting all the right stakeholders in place, and getting everyone to buy in. That seems to be the biggest challenge, when I was at that health services provider up in Westwood, so

we have dozens of healthcare customers that are, you know, tackling the same problems. Those are pretty cool. I've noticed those exist across multiple hospitals, those types of systems where you have all these different departments that have their own leaders that don't want to listen to anyone else, and they want to do things their way or the highway, so to speak, a lot of, you know, intelligent minds that think they know more than everyone else sometimes. But you know, training these people and getting them, you know, like you mentioned, herding the cats or whatever. You know, we have a lot of experience with those types of customers, we have dozens. So I mean, potentially putting you in touch with some customers that we have that are trying to overcome the same pain points that you are, that's something that we can certainly look into. And a lot of times they'll just pay the HIPAA fines because they don't want to have to comply with

Greg Irwin  43:07

It would be good to hear the spark. I mean, Jeff, you had it in your slide presentation. I mean, those are, you know, off-the-charts good ROI and business case. And it's not outside of the fact that it's the right thing to do from a security posture and, you know, how to run a large enterprise. They're also really, really good ROI factors. The question is, for an organization that's just got a lot going on, you know, where have others found a spark, you know, that one catalyst outside of a breach? Yeah, that's always one. But I'd love to hear a story of others, like, hey, what's one story of something that created that spark, you know, to make this change happen?

Jeff Purrington  43:59

When I was the director of IT audit, sometimes people would come to me and say, I'm wanting to tell you what I know our deficiencies are, because I know if you highlight them, they're gonna get visibility to the CIO and the audit committee, and finally someone's going to do something about this, because it's just not secure. I had people come to me like that, and certainly also the people that said, don't audit anything, don't tell them anything unless they ask you the right question. You had those people, but then you had the other people that wanted their organization to get better at controls, to automate controls, to lessen the burden on their employees. And they would tell you right out, hey, you run IT audit, you need to highlight this as a deficiency because we're not secure. And then, you know, you can use audit in that way. You kind of show them how things are bad in your organization, and they'll definitely light a fire under the right people: your CFO, your CIO, your CEO, your audit committee. Those are the type of people that will say, okay, yeah, we need to spend money on that. Because, you know, sometimes they don't even know about it, because someone in the organization, somewhere in these compartmentalized org structures, someone's trying to see why, you know, someone doesn't want something to be known because they're worried they're gonna lose their job. I've seen plenty lose their jobs from an audit

Greg Irwin  45:22

deficiency. That is a great catalyst. Great catalyst. Let's get a couple, we got three minutes left. I'm gonna invite Pavel to share a story, and maybe we'll wrap up from there. And there's certainly an opportunity to connect people. Not to bury the lede, obviously, if you want to talk to SailPoint about their solutions, to teams here, you know, they're doing this for awareness, and we'd love to follow up. So we'll do those outreaches, but even across others across the group,

Jeff Purrington  45:55

I hear someone's trying to ask a question, but they're really faint. Which suggests, you know, we have that, like I mentioned in the beginning of the call, the Horizons assessment. You can kind of see where you are in that journey, and what different capabilities, solutions that SailPoint provides that can help you kind of further mature your identity security program. And it goes beyond just the identity access management and the SoD. There's a lot of other components, like I mentioned, shadow IT, cloud, cloud infrastructure entitlements mapping is the newer one that we do, AI, ML. There's so many different components that you have within a good working identity program. So I think it makes sense, if you want, I could share the link for you to take that Horizons assessment. And certainly AI and ML will kind of push you towards a more optimized level. In that report, like being able to know, do you have metrics in place? Are you really measuring your efficiencies around joiner, mover, leavers? Are you measuring your efficiencies around how long it takes to do user access certification? How many users does a typical manager have to approve? And how many applications do you have in place? How many applications are in scope for different regulatory compliance initiatives that you have to comply with, like SOX? You know, those types of questions come out in that Horizons report and help to show where you kind of are and how you could improve.

Greg Irwin  47:34

There's one closing question there from Jamie, and then we're going to wrap it up. A quick one and, Jeff, a wrap-up from you please. Do you need to have all your applications identified before you do the assessment, or can SailPoint help you identify the applications?

Jeff Purrington  47:52

I mean, we can help you identify them. A great place to start would be all of those SOX applications and systems that are directly related to whatever's in the purview for your SOX audit, that's a great place to start. Of course, there's way more applications typically in an organization than are relevant for SOX, but those are a good starting point. SOX key applications really have a materiality threshold to them, so they're the systems that have the greatest impact on your financials. So that's certainly the best starting point. But then, you know, there's a bunch of other applications that have unstructured data that wouldn't be included in SOX, or other key systems that may not be relevant to SOX, that still need to be secure and still have the risk of, if breached, it's going to cost me a lot of money and potentially a loss of PII, and bad media, and everything else. So I mean, that's a good starting point. Sometimes it's just, you know, what's in scope, clearly. And that's a good place to look, it's an easy list, because you just go to your internal audit department, you ask them what applications are in scope, and they'll give you the list right there. And then certainly you can add to that list with applications that you know. It's never going to be the entire population, but it's a good starting point.

Greg Irwin  49:11

Hey, Jeff, this was a great session. I know some people had to jump here. But a big thanks to you and the team. Thanks, Greg. Pulling this together, this was fantastic.

Jeff Purrington  49:21

I appreciate the time to share with everyone. Thanks so much.

Greg Irwin  49:24

All right, folks. Hey, thank you all for joining. Thank you to everyone sharing questions and participating. Let me know if I can help people connect, and everybody have a great day.
