Freely subscribe to our NEWSLETTER

Global Security Mag: Who is Sailpoint ?

SailPoint: We care about identity security. It is mainly managing all the access a user has. So it basically answers 3 questions: Who has access to what and why? It’s that easy. But putting it into practice is harder to do. We help our customers with our technology to answer those questions. The idea is to get a single source to find all the information needed about the access of a user. The customer has to use a lot of different applications. Nowadays, in a midsized company, you have around 5000 to 10000 users, that means hundred thousands of entitlements you have to care about, coming from all the different applications you have to connect to a system.This is way above what human beings could do on a keyboard. This is one of the reason why we introduced AI (artificial intelligence) to that game a year ago.

If we take the example of a jumbo jet, 90% of the flight is more or less automated and the pilots, as experts, are trained for the really critical situations.
So why not do identity management in the same way? This is our idea. You can have machine learning to help you find a certain peer group, tell you information about this group, who has which rights, and help you give recommendations to a new user, build their role and then sharpen it up… So at it-sa we want to talk about artificial intelligence and how it can really help the customers.

GSM: About that, what are the solutions you are now presenting at it-sa?

SailPoint: Well, several things. Identity Management has been in the market for 20 years and the whole technology is changing permanently. There are new trends that the customer has to care about, such as seal trust or digitization, and that means that they have to have knowledge of what they are doing in their systems. A lot of customers are struggling to even connect their applications to the identity management system. Most of them have connected applications, but when we ask them how many of them are connected, they sometimes answer « around a dozen », and that’s more or less nothing. To have at least 300 to 400 applications for a standard company of 1000 to 1500 users is normal.
If you only connected 12 applications, what information do you get regarding your accounts and your accesses? Not much.
Everyone think about connecting the big ones like AD, SAP, any kind of EIP (Enterprise Information Portal) system, and it’s a good step in the right direction but it is absolutely not enough to get good information about what is going on in their systems.

GSM: What are your key differentiators in the market?

SailPoint: Innovation is part of our DNA, so we are more or less always the firsts to come with new things around the corner. A few years ago, we introduced File Access Management because every other management system has blindspots in terms of user reading rights, for example. It can read all the files and give that information back to the Identity Management system to see if the rights are correct, if they were modified… You can see if the reading rights for example are only a normal right or a modified right, that could give the user other rights.

In IT, there are a lot of iterations steps to do to be ready. So when we start with AI, we have recommendations in certifications to say if it makes sense to keep a certain certification or if it makes more sense to revoke it. The idea is to revoke a lot of rights, so that you have the least amount of rights possible for a user so that they can do what they need with the minimum rights needed.

Our second pillar is the broadness of the solutions we have, we’re not just doing and caring about IAM but the Cloud is also really important for us. The Devops working with the cloud have their own tools, wich they know how to use, and they know exactly what happens in the cloud but their managers often have no idea, because they can’t use those tools. This is why we introduce Cloud Access Management to give a perfect overview of the cloud in terms of who has which rights. This information could also be brought to the IAM system.

GSM: What are your key messages to advice CISOS and our readers?

SailPoint: Don’t follow trends. Care about your certifications, your access rights, connect your applications to your Identity Management System. If you don’t have one, buy one and connect as many applications to it as you can, in order for you to have an idea of what is happening in your company. You can only make smart decisions about things you can see. If you have the information, you can chose what is necessary to do and what is not important. Zero trust and digitization is not the point going forward, this doesn’t solve anything, they are just passwords.

GSM: What do you think about the agreement between ANSSI and BSI and the recognition of certifications?

SailPoint: It’s a good thing! In every regular market, you need certifications. If you don’t follow GDPR, you have to give 4% of your revenue. Regulations are very often not the main business of companies, so they have to follow the regulations but it is more annoying than they’re enjoying it, so they need some advice to know how to do things as easy as possible but with security, which is very much needed. For the C5 certification from the BSI, for example, it’s necessary to have guidance in order to know how to do every step correctly. We follow those certifications as much as we can, as they are very important to us and we are working towards and getting closer to our C5 certification, which we hope to obtain at the end of 2023 or the beginning of 2024.