Saviynt’s Principal Solution Strategist breaks down the key elements of good identity governance and why it’s become so important.
Joe Raschke, the Principal Solution Strategist for Saviynt, has a wealth of knowledge in identity, governance and security, spanning more than 20 years of delivering business change and strategic IT deployments.
He’s held a CISO role at a major global manufacturer with over 50,000 employees and 85 different divisions – giving him first-hand experience of the challenges of building intelligent identity governance and security solutions that span the entire enterprise.
At a recent partner catch-up, we spoke to Joe about how Saviynt’s identity governance solutions have been designed to help organisations dramatically improve visibility, intelligence and fine-grained access management – across the entire enterprise estate.
Joe Liptrot: Hi Joe, thanks for taking the time to talk to us today. Can you start by telling our readers why identity governance has become so important in recent years?
Joe Raschke: Okay, that’s a big question, which I think can be answered in a few parts.
First, the fast-evolving technology landscape is exponentially increasing the risk to all enterprise organisations. Digital transformation is really creating a big increase in risk exposure as organisations grow their digital infrastructure. It’s providing many new attack vectors that need to be considered. There’s simply a lot more of your organisational assets that are now open to external access.
Take, for example, the 20 billion or so internet of things (IoT) devices that are going to be coming online over the next few years – exponentially increasing the marketplace for customers to interact with vendors, suppliers and services in the Cloud.
We see clear issues where CISOs and organisations as a whole struggle to keep up with the growth of cloud applications and shadow IT in their organisation. A typical enterprise organisation, for example, may have 40 top-level applications that run their business. Below that, they will have 40 additional supporting applications that they ‘know something about’. Then you’ll typically see there’s about another 400 SaaS websites and web/cloud-based applications that are being used on a day-to-day basis. Ensuring the correct user privileges for all these cloud apps is always going to be a challenge.
The second factor is the unrelenting pace of cloud adoption. If the pace of cloud adoption is left unchecked or unmanaged, there is a real danger that access privileges can be overlooked in the rush to get to market. A lot of times those fine-grain privileges that people have really aren’t being tracked, and there’s no easy visibility into what’s happening with those extended privileges. This causes organisations a big headache in terms of knowing exactly who has access to their sensitive data.
JL: Yes, I agree. A lot of our customers are saying that they can’t easily see the rights that people have in their cloud services when using individual vendors’ technology.
JR: That’s right. In my previous role, I saw situations where we knew someone’s email was compromised but we couldn’t easily understand what they had access to and what the associated risks were to the organisation.
With modern IGA platforms, you have that power.
Finishing up on your original question… A third reason governance and compliance is becoming increasingly important is to stay ahead of rapidly evolving regulatory environments. With GDPR and tightening regulations in the financial services industry, companies really must start doing a better job of embedding continuous governance and compliance into their culture and processes. No-one wants to risk 4% of their global turnover due to poor governance and compliance practices, right?
From a governance and security standpoint, all these challenges can seem overwhelming, and that’s why we get a lot of CISOs coming to us saying: “How do I get a single lens of visibility into user access across all our systems?”
JL: For those who might not know, can you define what identity governance and administration solutions are exactly?
JR: I’d say identity governance and administration (IGA) is the evolution of identity and access governance (IAG), identity access management (IAM) and the user administration and provisioning (UAP) practices.
(Editor’s note: old IAG included access management, policy/role management, entitlement review and risk assessment; UAP was the practice of managing user identities and access across multiple systems.)
For me, IGA breaks down neatly into 7 key buckets:
At Saviynt, we see IGA as a focal, holistic solution to identity, access and security governance, as opposed to a bolt-on identity or security solution. More specifically, IGA tools give you in-depth control to manage:
JL: What are the top three governance challenges solved by Saviynt’s IGA solution?
JR: Answering at a high level, I would list them as:
Let’s talk about those three in a little more detail…
Here’s the common problem. When people are at a company for a long time (getting promoted, moving roles and departments), they accumulate a lot of access. We see regularly that it’s easy to gain access, but, more often than not, tenured employees have way too much access – because it’s never reviewed or removed. This problem is exacerbated if HR/IT then provision new user access based on mirroring access rights from staff in similar roles.
Through our visibility lens, you can see and report on who has access to what. How are users accessing the systems? What are they doing with that access? Etc. With intelligent reporting and analysis tools, you can easily start to see risky actions vs. risky people. You can build up a risk scoring matrix that clearly indicates when toxic levels of access are starting to occur.
Saviynt has great tool sets to help with this from a role mining/role modelling perspective.
“IT needs a way to easily see over-privileged accounts and that’s where Saviynt can really add value.”
As I said above, role sprawl is a common issue – but through combining attribute-based access control alongside Saviynt predictive and usage analytics, you are able to easily see who the potential outliers (anomalous users with elevated privileges) are in certain types of roles.
Also, when you have usage analytics, attribute-based access control (ABAC) and predictive analytics – all layered in together across your entire enterprise estate – you’re able to start seeing correlations and examples of where you have the access rules just right. Many organisations find it a useful exercise to be able to consolidate and model access into a smaller number of groups that are easier to manage and control.
For example, with Saviynt’s usage analytics, you could look at a group of users with a certain high level of privilege – a group of administrators, for example. Through the usage analytics tools, you might be able to see that 8 out of those 10 administrators with that elevated level of privilege aren’t actually using it, so you can safely take action, based on this intelligence, to temporarily lower the privilege level or even remove it. We had one client who, once we did the role mining exercise, saw a 75% reduction in elevated privileges – with no resulting impact to the business. A great and quick way to boost security.
Over 50% of all data breaches stem from bad access management issues, including lapses in provisioning, de-provisioning, or access exceeding a user’s needs. IGA solutions prevent this from happening.
IGA provides you with fine-grain access management controls within all your cloud-based applications. IGA can also give you management capability to take real-time action based on what you are seeing. For example, with IGA, once you discover a user email has been compromised, you can see app by app what they have access to and take immediate actions to remediate – useful if one of your finance users is compromised and they have access to payment systems.
The ability to set consistent segregation of duty rules also gives you peace of mind here.
With an IGA solution in place, you are getting the benefit of closed-loop reporting and auditing tools. A consistent approach to compliance is built-in rather than being a bolt-on or manual task, like tracking user access in spreadsheets!
The problem with point-in-time or manual compliance audits is that they are already out of date by the time the report is complete. An IGA solution will automate this process by automatically tracking entitlements and presenting them in a way that’s easy to digest and manage – the organisation can then act decisively on any outliers and anomalies.
All of this can be automated and carried out continuously, in real-time – all recorded and logged to prove your compliance efforts.
“It doesn’t matter if you have 1 HR system or 10, or whether you’re running SAP in the USA market and Oracle in EMEA, the Saviynt tool can bring visibility of all of that together.”
JL: What are the key differentiators between Saviynt’s IGA solution and the competition?
JR: At its highest level, the real value and differentiator of our IGA platform is that all this intelligent visibility, fine-grained control, reporting and analytics can be applied on all your applications and across multiple cloud tenants such as Azure, AWS, Oracle, SAP – you name it. This is the real time saver and you get all the security benefits from having that consistency across your organisation.
Our approach and engagement with customers also sets us apart from the rest. I think we offer real flexibility in our solutions to be able to meet our customers’ needs.
We’ve taken a modular approach to the solution and pricing, meaning organisations are not constantly trying to boil the ocean. You can take it a module at a time and scale and grow with it. It enables you to get some quick and valuable wins with the knowledge you’re on a journey towards a holistic solution. We keep our solution flexible because we know it’s something our clients really value.
On a features level, I think a key differentiator for us is our ‘always on’ segregation of duties approach. What we at Saviynt call assured compliance.
SoD is fundamental to remediate access risk by requiring different people to perform different parts of a task in order to complete a sensitive business process. In modern organisations, with complex architecture, enforcing SoD principles can be a big challenge for most enterprises. It’s an important process that you need to be automating, as any attempt to run it manually doesn’t scale. Automation is the only way to keep up with real-time risk monitoring and compliance audits.
Our assured compliance feature works on a set of rules, defined at a granular level, mapped to business processes – that intelligently identifies SoD conflicts across all of an organisation’s enterprise and cloud applications.
Our SoD features include real-time policy analysis that prevents users from acquiring conflicting access. They also automate the process of granting ‘privileged’ access on a temporary (time-limited) basis and escalate the visibility to admins/management teams for monitoring purposes. This significantly reduces risk from SoD violations.
The solution integrates three types of controls to perform the above-mentioned functions: detective controls, preventive controls and reactive controls.
No other IGA vendor can offer SoD functionalities to the same depth as we do. Either they offer products designed to work with a specific ERP or they only provide high-level capabilities that won’t cut it in an audit.
JL: How does Saviynt integrate with Microsoft technologies, and how can your solution help organisations on their digital transformation journey?
JR: Well, Microsoft is a good partner of ours. We built the Saviynt Express product to provide deep integration with Microsoft’s Identity Manager and Azure AD technologies. Our fine-grained governance controls really augment the identity and security tools within the Azure portal. It provides MIM and Azure users a one-click integration to easily manage and review access in an efficient manner with a continuous compliance approach.
Companies are constantly changing, and our clients realise the importance of being able to partner with a provider that understands that. It’s why we are cloud-based and why we offer integration into all the major cloud and ERP providers, so, no matter what happens – for example, a merger or acquisition – as your business changes and you gain more complexity, the tools will continue to work. It doesn’t matter if you have one HR system or 10 across all your divisions, or whether you’re running SAP in the USA market and Oracle in EMEA, the Saviynt tool can bring visibility of all of that together.
Also, because we are cloud-based, we are better prepared to help companies who are making their own transition to the Cloud. We really have a detailed understanding of what security governance and compliance looks like for cloud applications. In general, cloud applications tend to be a lot more challenging than their traditional on-premises counterparts.
JL: Lastly, can you tell us what Saviynt’s solution roadmap looks like? What new tools are you working on, and will you continue your close partnership with Microsoft?
JR: It’s really a case of continuous improvement and continuing to work with Microsoft very closely.
Saviynt’s IGA solutions are now getting rolled out into Microsoft’s Technology Centers (MTC) – global centres of excellence, helping to accelerate organisations with digital transformation.
We are working closely with Microsoft to really help organisations with their Azure AD clean-ups – helping them get to the root of large organisation visibility issues.
Typically, a lot of identity projects stall when people say, “We have to do analysis first.” Saviynt’s intelligent visibility tools really help expedite that part of any identity project.
We are also looking to develop more usage and behavioural analytics functions. These will really improve understanding about what those risks are in your Azure AD environment and when you really need to take more action.
Next, find out more about the existing governance controls within Azure AD or watch our on-demand webinar to see how Saviynt and Microsoft’s technologies work in tandem to deliver the depth of visibility and control you need to remain secure and compliant.