Managing Access Risk - Controlling the Identity Life Cycle

ISMG SECURITY EXECUTIVE ROUNDTABLE
sponsored by SailPoint and CyberArk

Agenda

6:00 – 6:30 p.m.
Registration & Networking

6:30 – 6:45 p.m.
Introductions and Opening Remarks
• Nick Holland, Director, Banking and Payments, ISMG
• Dana Reed, Distinguished Sales Engineer, SailPoint
• Michael Marino, Global VP of Solution Engineering, CyberArk

6:45 – 8:30 p.m.
Roundtable Discussion

8:30 p.m.
Program Concludes


Introduction

In the age of cloud and IoT, identity and access management are becoming mission critical for a successful cybersecurity strategy. But managing visibility, security and governance of all of your users, including privileged accounts, is an onerous task given today’s connected environment and the expanded attack surface.

How do you fully manage privileged access in such a complex and increasingly decentralized landscape? How do you deal with regulatory compliance throughout the customer life cycle as roles and privileges change over time?

If you’re looking for answers to these questions, then please join me for an exclusive executive roundtable on Managing Access Risk - Controlling the Identity Life Cycle.

Guided by insight from Dana Reed, distinguished sales engineer for SailPoint, and Michael Marino, global vice president of solution engineering for CyberArk - co-sponsors of this event - this invitation-only dinner will draw from the experiences of the attendees who will offer insights on how they have been able to help their organizations rethink their own identity and access management strategy.

Among the discussion topics:

• Why is provisioning and de-provisioning identities so problematic today?

• What are the repercussions of users being over privileged?

• How can technology better mitigate identity risk?

You’ll have the opportunity to discuss identity risk with a handful of senior executives in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.

Discussion Points

Among the questions to be presented for open discourse:

• How has the identity risk landscape evolved in the age of cloud computing?

• What do you identify as your greatest identity vulnerabilities in your enterprise today?

• Where are you on the roadmap to protecting your business from identity risk?

• How do you articulate the need for identity management tools to C-level executives?

• How do you encourage buy-in from employees to adopt secure identity and access management policies?

• What and where will investment be made in protecting the identity lifecycle for 2019?

About the Expert

Joining our discussion today to share the latest insights and case studies is:

Dana Reed
Distinguished Sales Engineer, SailPoint

Reed has over 15 years in identity management, having worked with clients in healthcare, retail, finance, defense, higher education and other sectors. His experience in IAM spans software development and design, business process consulting, software sales and sales engineering.

Reed was recently appointed as a SailPoint distinguished sales engineer, evangelizing company vision and technical strategy. Previously, he worked as a consultant at Andersen Consulting in its telecommunications and high-tech division designing and building enterprise-level software solutions.

About SailPoint

SailPoint, the leader in enterprise identity governance, brings the Power of Identity to customers around the world. SailPoint’s open identity platform gives organizations the power to enter new markets, scale their workforces, embrace new technologies, innovate faster and compete on a global basis. As both an industry pioneer and market leader in identity governance, SailPoint delivers security, operational efficiency and compliance to enterprises with complex IT environments. SailPoint's customers are among the world’s largest companies in a wide range of industries.

About the Expert

Joining our discussion today to share the latest insights and case studies is:

Michael Marino
Global Vice President of Solution Engineering, CyberArk

Marino is responsible for the pre-sales engineering team and is the liaison between the field and product management. He has over 19 years of experience in designing, architecting and implementing security and compliance solutions in the majority of the Fortune 100 and beyond. He has in-depth technical knowledge of privileged account security, regulatory compliance, policy management, vulnerability and configuration management, intrusion detection and incident and change management.

About CyberArk

CyberArk (NASDAQ: CYBR) is the global leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the industry’s most complete solution to reduce risk created by privileged credentials and secrets. The company is trusted by the world’s leading organizations, including 50 percent of the Fortune 500, to protect against external attackers and malicious insiders. A global company, CyberArk is headquartered in Petach Tikva, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout the Americas, EMEA, Asia Pacific and Japan.

About the Moderator

Leading our discussion today is:

Nick Holland
Director, Banking and Payments, Information Security Media Group

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

NOTE: In advance of this event, ISMG’s Nick Holland spoke about the issue of managing access risk with SailPoint’s Dana Reed. Here is an excerpt of that conversation.

Key Issues

HOLLAND: What are the biggest problems today with identity and access management?

REED: There are multiple issues today:

1. The business doesn’t understand the true security threat that exists (how do you quantify what didn’t happen?).

2. The business doesn’t understand the increased need for an emphasis on application-level security and knowledge of new IAG control/security models.

3. Cross-platform integration must be much better. There is a real need for actionable insights driven from cross-platform data sources. The insights are all there. We just need the integrated data to bring them to light.

4. Unstructured data and structured data need to be seen as two sides of the same coin.

5. Usage data is not leveraged in the ways it can be (i.e. AI and ML can use this to help control and refine access models).

6. We still have IAM debt, including gaping de-provisioning holes and orphaned account management/entity account ownership.

7. Robot and process automation accounts are left ungoverned.

The Challenges

HOLLAND: Why is provisioning and de-provisioning identities so problematic?

REED: We don’t simplify when we can. We build binary rules-based solutions for problems in which the rules must always be broken. But they are our own rules. We do it to ourselves.

Countless times have I encountered IAG projects that begin with goals of process simplification and often end with “just make it look like what’s currently there.” We kick the can down the road, as projects never get the buy-in from the right management level with the right selling criteria to make real business process re-engineering changes.

IAM projects take vision, buy-in and an acceptance of incremental change. They take support from the highest levels of management, a seasoned vendor with trusted advisory status and a sticky and accretive solution – a solution you can iterate upon.


I do think the real risk-specific problem is less provisioning, however, than it is de-provisioning. Untangling a set of Christmas lights is much harder than winding them up in the first place - unless, of course, you provision to a model in which de-provisioning is taken into account.

The Cloud’s Impact

HOLLAND: How is the cloud impacting identity risk?

REED: Identity is now ubiquitous. Fallback controls (i.e. the firewall) are no longer effective means of backup protection. The notion of “zero-trust” identity constructs is moving to the forefront of risk mitigation techniques. Access security models are changing, and the roles of application-level security, knowledge and trust are now more critical than ever.

Cloud identity adoption also has financial risk. SaaS solutions are often seat-based licenses. There is a real cost associated with “wasted” accounts.

Gaining Buy-In

HOLLAND: How do you encourage buy-in from employees to adopt secure identity and access management policies?

REED: Humans pay attention to what they identify as being in their best interest and pay little to that which is not. They also will voluntarily operate inside a construct that is given to them, assuming that construct is enforced.

The same is true for good IAM practices. People will adopt good policies if a) it enables the way they do their job, and b) controls are built in to the processes in which they operate and enforced.

The companies I see with the best IAM policy adoption are the ones in which the employees hold themselves accountable.

HOLLAND: What is better – carrot or stick?

REED: The stick. I’ve never learned anything from a trophy. I’m not a better player for seeing a ball I put in the net. I’m a better player for having gotten on the field with my team, dribbled it down field, passed it back and forth together in order to beat the defense and made the shot. The reward is found in the journey.

Mitigating Risk

HOLLAND: How can technology help mitigate identity risk better?

REED: Technology is meant to be an enabler. The market is full of great tools which support their own swim lane of protection of assets and susceptible threat targets.

The key game changer, as I see it, is for us to leverage new technology (i.e. AI and machine learning) to consume and compute these disparate data sources and to identify actionable insights to actively drive access models. The closer we get to an environment in which those who have access to a resource are really only those that use it, and the ones that need it can get it in real time in an efficient manner, the better off we will be.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


Contact

(800) 944-0401