Managing Access Risk - Controlling the Identity Life Cycle

ISMG SECURITY EXECUTIVE ROUNDTABLE sponsored by SailPoint and PwC

Agenda

6:00 – 6:30 p.m. Registration & Networking

6:30 – 6:45 p.m. Introductions and Opening Remarks

• Tom Field, SVP, Editorial, ISMG
• Mike Kiser, Architect and Evangelist, Office of the CTO, SailPoint
• Trey Gannon, Principal at PwC

6:45 – 8:30 p.m. Roundtable Discussion

8:30 p.m. Program Concludes

  • Introduction

    In the age of cloud and IoT, identity and access management are

    becoming mission critical for a successful cybersecurity strategy.

    But managing visibility, security and governance of all of your users, including privileged accounts, is an

    onerous task given today’s connected environment and the expanded attack surface.

    How do you fully manage privileged access in such a complex and increasingly decentralized

    landscape? How do you deal with regulatory compliance throughout the customer life cycle as roles and

    privileges change over time?

    If you’re looking for answers to these questions, then please join me for an exclusive executive

    roundtable on Managing Access Risk - Controlling the Identity Life Cycle.

    Guided by insight from Mike Kiser, architect and evangelist at event sponsor SailPoint, and Trey Gannon,

    principal at PwC, this invitation-only dinner will draw from the experiences of the attendees who will offer

    insights on how they have been able to help their organizations rethink their own identity and access

    management strategy. Among the discussion topics:

    • Why is provisioning and deprovisioning identities so problematic today?

    • What are the repercussions of users being over privileged?

    • How can technology better mitigate identity risk?

    You’ll have the opportunity to discuss identity risk with a handful of senior executives in an informal,

    closed-door setting, from which you will emerge with new strategies and solutions you can immediately

    put to work.

  • Discussion Points

    Among the questions to be presented for open discourse:

    • How has the identity risk landscape evolved in the age of cloud computing?

    • What do you identify as your greatest identity vulnerabilities in your enterprise today?

    • Where are you on the roadmap to protecting your business from identity risk?

    • How do you articulate the need for identity management tools to C-level executives?

    • How do you encourage buy-in from employees to adopt secure identity and access management

    policies?

    • What and where will investment be made in protecting the identity lifecycle for 2019?

  • About the Expert

    Joining our discussion today to share the latest insights

    and case studies is:

    Mike Kiser, Architect and Evangelist, Office of the CTO, SailPoint

    Mike Kiser is insecure. He has been this way since birth, despite holding a panoply of industry positions

    over the past 20 years—from security strategist to security analyst to security architect—that might imply

    otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments

    for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic

    chronoptimist (look it up), and delights in needlessly convoluted verbiage. He has been a speaker on

    topics ranging from identity governance to security analytics, network security, and various related

    privacy issues, and is the co-host of a podcast illuminating all things identity. He warmly embraces the

    notion that security is more of a state of mind than a destination.

    About SailPoint

    SailPoint, the leader in enterprise identity governance, brings the Power of Identity to customers around

    the world. SailPoint’s open identity platform gives organizations the power to enter new markets, scale

    their workforces, embrace new technologies, innovate faster and compete on a global basis. As both

    an industry pioneer and market leader in identity governance, SailPoint delivers security, operational

    efficiency and compliance to enterprises with complex IT environments. SailPoint's customers are among

    the world’s largest companies in a wide range of industries.

  • About the Expert

    Joining our discussion today to share the latest insights

    and case studies is:

    Trey Gannon, Principal, PwC

    Gannon is a partner in PwC's cybersecurity and privacy practice in Philadelphia. With over 18 years of

    experience in cybersecurity, he brings a deep understanding of information security risk controls and IT

    processes. He has designed and delivered large-scale, high-profile user access management programs

    with a focus on user experience, automation and cloud enablement. Much of his work with clients starts

    with strategy, but his focus is on assisting with implementation of processes and software solutions

    spanning data protection, identity and access management and privileged access management. He is

    passionate about providing solutions that enable the business and enhance organizations' cybersecurity

    capabilities.

    About PwC

    PwC is a global network of firms delivering assurance, tax and consulting services for your business.

    We have a long history helping organizations strategically assess, design, deploy and improve

    cybersecurity programs. We've built trusted relationships with business leaders at all levels. Our more

    than 2,900 practitioners include specialized consultants, former law enforcement agents, cyber forensic

    investigators, intelligence analysts, technologists, attorneys and industry leaders in cybersecurity and

    privacy. PwC can help you design transformation strategies with security in mind from the very start, with

    the foresight to help you see what’s on the other side of the leading edge.

  • About the Moderator

    Leading our discussion today is:

    Tom Field, SVP Editorial, Information Security Media Group

    Field is responsible for all of ISMG's 28 global media properties and its diverse cadre of senior-level

    editors and reporters. He also helped to develop and lead ISMG's award-winning summit series that has

    brought together security practitioners and industry influencers from around the world, as well as ISMG's

    series of exclusive executive roundtables.

    About ISMG

    Information Security Media Group (ISMG) is the world’s largest media organization devoted solely

    to information security and risk management. Each of our 28 media properties provides education,

    research and news that is specifically tailored to key vertical sectors including banking, healthcare

    and the public sector; geographies from North America to Southeast Asia; and topics such as

    data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects

    senior security professionals with industry thought leaders to find actionable solutions for pressing

    cybersecurity challenges.

  • NOTE: In preparation for this event, Tom Field, senior vice president

    of editorial at Information Security Media Group, interviewed Mike Kiser,

    architect and evangelist at SailPoint, and Trey Gannon, principal at

    PwC, about identity and access management. Here is an excerpt of

    that conversation.

    Biggest Problems

    TOM FIELD: What are the biggest problems today with identity and

    access management?

    MIKE KISER: Effective identity and access management is absolutely

    critical to reducing risk of malicious activity, be it external or internal.

    Inappropriate access – whether through stolen credentials or

    overly permissive access – ends up being the root cause of an

    overwhelming number of newsworthy IT events.

    Getting identity and access management right can be a true

    enabling force within organizations. Great IAM programs can enable

    rapid application onboarding, real-time access provisioning and

    provide a great employee onboarding experience, with all access

    and devices provisioned and provided on day 1.

    A big challenge in today's organizations is that only a small

    percentage of applications are integrated into their organizations'

    centralized identity solutions. This results in real risk related

    to not having direct control over access (both granting and

    revoking entitlements). Additionally, identity and access related

    processes for most organizations still require multiple manual

    steps to complete, which results in slow, error-prone tasks. In the

    case of cloud adoption, lack of speed results in lack of adoption.

    Therefore, greater integration and automation become the

    biggest opportunities within identity and access management for

    organizations today.

    Provisioning and Deprovisioning

    FIELD: Why are provisioning and deprovisioning identities so

    problematic today?

    TREY GANNON: Provisioning and deprovisioning are problematic

    largely due to the manual work required throughout the process –

    manual request, manual approval, manual review, manual creation

    and closure of ticket and manual entitlement provisioning and

    deprovisioning at the majority of target applications.

    These manual steps are typically required due to a lack of direct

    integration with target applications, a lack of automated access

    request and approval and lack of real-world role-based access

    control.

    There are many great examples today of organizations using

    automation tools to reduce manual, repeatable work across the

    identity lifecycle and using analytics tools to get better insight on

    business roles.

    Impact of the Cloud

    FIELD: How is the cloud impacting identity risk today?

    KISER: The risk that the cloud imposes on identity programs today is

    two-fold:

    1. Cloud applications are typically accessible from outside the

    organization's network. Therefore, network access is no longer

    the first-stage access control.

    2. Access and entitlements for cloud applications are often not

    managed by organizations' central identity function. This results in

    real risk around terminated users still having access and greater

    potential for segregation of duties conflicts unknown to the

    organization.

    For many organizations, 90 percent of new applications are cloud-based,

    while 90 percent of existing entitlements are on-premises

    based. Cloud-based applications and development enable greater

    efficiency by providing significantly enhanced modularity and

    automation.

    When organizations' existing processes for application onboarding

    and identity management cannot keep pace with cloud pace,

    we inevitably see application owners "opting out" of centralized

    processes. This results in shadow IT and rogue identities that cannot

    be seen or managed by centralized identity solutions.

    Gaining Buy-In

    FIELD: How do you encourage buy-in from employees to adopt

    secure identity and access management policies?

    GANNON: Employees want to do the right thing. Providing training

    to employees that helps them understand threats and providing

    them a great experience – mobile request and approval, highly

    intelligent "birthright" provisioning, insight into where requests are

    in process, self-service for application development teams – goes

    a long way to getting better adoption. And don't forget that in many

    organizations, contractors and business partners have similar access

    profiles to employees.

    Carrot vs. Stick

    FIELD: What is better – carrot or stick?

    KISER: A combination of carrot (pull) and stick (push) incentives

    can be a highly effective method to drive adoption for risk and

    compliance related policies and procedures.

    An example of "carrot" for identity is providing application

    development teams with significant self-service capability to embed

    centralized identity capability into their applications. It simply takes

    the development less time to use existing self-service tools than to

    code bespoke solutions.

    An example of "stick" for identity is requiring onerous reporting

    and auditing processes for applications that are not compliant with

    centralized identity functions. In this model, application owners must

    choose to take on more work (via reporting) than if they were to

    integrate with the centralized identity functions.

    Mitigating Risk

    FIELD: How can technology help mitigate identity risk better?

    GANNON: It can provide a great end-user experience for customers

    and employees. Key steps include:

    • Automation of manual processes, such as using robotic process

    automation for "closed-loop" provisioning and deprovisioning

    target application entitlements;

    • Use of analytics for both role-based access and identification of

    abnormal access.

  • 902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

    Contact

    (800) 944-0401