The Future of IAM is Automated

Interview with Paul Trulove, Chief Product Owner, SailPoint

Welcome to our podcast today. I'm speaking with Paul Trulove who's chief product officer at SailPoint. Our topic for today is "the future of IAM is automated", which is a statement, but perhaps, it might be some sort of a question. Welcome, Paul.
Yeah. Thank you. Excited to be here and chat about this.
Okay, great. So we had many talks over the past year, so we know each other quite well. We, we frequently agree. Sometimes we disagree a little vicious lesson. Okay. So, but let's start today's conversation with how would you see the state or how would you describe the state of identity today?
I think identity is in a state of change today. You know, in, in reality, we are bridging from an old world where generally people were, you know, operating in a, in a relatively static environment to a much more dynamic world, particularly on the end systems that we're trying to manage. And so, as we are going through that change identity is also having to change radically from the way that we've approached it over the course of the last decade or so.
Okay. And so I would agree, we see identity management shifting in, I would say all areas, so partially driven by what happens in IT. So we see a shift to other types of architectures with microservices, with containers. We see cloud first strategies. We see the need for, for a faster time to, well, you have what we do and I in it, and I think all of this is affecting all areas. We are looking at it in IT, but it also clearly affects the way identity management looks like. So, so when you look at why this has been so challenging, what would you say are the biggest challenges of traditional approaches in identity management?
I think historically identity management projects started from an infrastructure perspective. And so it was, you know, generally an operations team. You know, some of the, the newer identity teams just, you know, really came into being over the course of the last several years, you know, and, and, and because they were infrastructure projects, they tended to want to boil the ocean, put a big piece of infrastructure. And, you know, that required a lot of customization, you know, required really, you know, sometimes months, if not years of, of design and implementation, you know, before they would turn on the identity management system. And I think we saw this, you know, particularly with some of the legacy provisioning products that, you know, were, were in place, you know, really in, in the early two thousands all the way through just the last couple of years. And in those, those lengthy projects make it hard to, to show value. It also makes it hard to, to the changing IT environment. And so I think, you know, ultimately because the projects themselves were long, it made it difficult for people to, you know, maintain consistent funding and all of those kinds of things that are necessary to ultimately grow an identity program, you know, from where it starts to where it ultimately needs to be, to add value to the business on a day-to-day basis.
Yeah. I think they address things like, but when you look at how access reviews frequently are done today, I think I've rarely heard companies, which said, okay, access reviews a lot. I went off to coolest things we have in place it's really
More durable. I've never been, that's never been said, right? So access reviews are a great example of something that I think, you know, maybe 15 years ago were completely manual over the last decade organizations that had to do access reviews on a regular basis, moved into a semi-automated state where they could use a product like SailPoint to gather the data, create the certification, distribute the certification, but it still required all of the managers or application owners to log in, review the data, complete the certification process. And, you know, if you were only targeting a handful of critical systems, which most organizations, you know, start with, it's maybe not an arduous process, but as you onboard more applications, the scope of the certification can grow so large that ultimately what happens is the users get bogged down and they return to what we were trying to avoid from the beginning, which is rubber stamping.
And so they just go through the process so that they can get the check box compliance, part of it completed and move back to their day job because nobody wakes up in the morning and says, Hey, I want to do access certifications. They wake up and say, I have a real job. Part of that is providing access to the users on my team or the users and the business that I own the application for. And so they, they do the certification process, but it's not really part of their, you know, their real business value.
Paul boson, you and I, we know that identity management on one hand still has its challenges. That's what we were talking about. But you also note that there has been a huge progress. So when you look, when I go back to my early days in identity management, it was very different from what we do today. And a lot of things have really got much better, but so, so when you look at the trends we see in identity management, we drop the trends you see, as the most influential to, to help us sort of stepping or going to the next level of, of identity management, to improve recertifications, to get processes, moose it, to be more at trials, which audits things you see as most influential here.
Yeah. I think one of the biggest areas that's changing in identity management today is looking at it through the lens of, of real business enablement, as opposed to infrastructure for an IT administration team. And one of the reasons is organizations are now fully digitizing their world. And so whether it is the latest cloud application, the cloud infrastructure, you know, business operations systems, marketing systems, all of those things are going online. We're moving away from paper-based models. And so the amount of access required by a user to do their job in the enterprise is significantly greater than what it was, you know, 10 years ago. And so I think as organizations begin to realize that, and they realize that identity is at the center of that model, right? The, the ability to get the right people, the right access at the right time is a critical business function. We're starting to see, you know, a real rotation around the priority of identity, but we're also looking at changing the way that we think about identity from, you know, maybe just implementing it to the high churn systems or, or compliance relevant systems to it underpins everything that the business does and everything that they are using from an IT management perspective. And that's a pretty significant change from where we've been over the course of the last decade or so.
So, so it's, it's a lot about really going to take a different perspective. It's from a technical perspective, I secure, or I brought up this as a service. So, so getting more into services. I, I personally, I believe I was at that shifting into smaller units, so smaller services, which have well-defined APIs helps us if you do it right to, to better orchestrate, to better change things. Because we have a lot of small entities and a lot of big trunk dealers. And I think that that does nursing, but there's one other area which is the entire field of AI and ML. Or sometimes we have to put it in big quotes as we know. So a lot of things are called AI and ML which aren't that much of AI or ML, but anyway, there's a trend to augment what people can do to automate, to analyze, to identify anomalies, to provide recommendations. How do we see that impact on the future of identity management and where identity management disability?
Yeah. So I guess a couple of things, you know, first people are absolutely looking for solution orientation, as opposed to, you know, thinking about identity as just infrastructure. And so, you know, one of the, one of the things that is top of mind is, is maximizing the value that you get, you know, as you turn on the system and begin to use it versus, you know, the big bang effect that we've traditionally saved. I think artificial intelligence and machine learning, and those technologies are actually giving us the ability to help organizations shift their perspective on identity from one of, you know, a lot of them have semi-automated processes to true autonomous actions taken by the system. And while AI and machine learning are both buzzwords that a lot of people throw around, the reality is I think identity in particular is well suited because of the amount of data that's generated in the collection of applications and accounts and entitlements and permissions to running through an AI or ML process in order to help really pattern match in a very different way than a human can do on their own.
So we're, we're seeing lots of new opportunities, you know, to, to, to not only take certain use cases that have been prevalent in identity like access certifications or access request and approval processes and, and AI enabled them by, by pre-processing, you know, information in a way that we can maybe simplify or add additional context to the user as they're interacting. But we're also seeing the opportunity to introduce completely new paradigms because of AI. That just changed the way that the enterprise will think about identity. And, you know, a great example would be, you know, really removing the need to do access certifications for a majority of the access out there, because we can let the system evaluate whether access is appropriate based on, you know, the policy model that exists. And if it's appropriate, it should be auto certified. If it's anomalous or high risk, then we can pop it out. And we can ask somebody to participate in an actual certification. And that's a, that's a big change in something that I think is going to be incredibly powerful.
And I think that this is where you, you touched us topic for off semi-automation and moving to full automation already. And I think this is an important area because, you know, I am a strong believer, if we grant entitlements based on policies in an automated manner, then we don't need to do manual recertification of the entitlements that are assigned. We just need to ensure that the policy is correct, and that it's working correctly, which is far less work than going through thousands and thousands of entitlements, which are then crafted, why a bisexual policy. So I also would go with you that this is really one area where I feel we can do a lot of things very, very efficiently. And I think this, this is what it's really about a Daniel's date of the date, increasing efficiency, reducing the workload. And on the other hand, doing things better doing things, right by providing derived recommendations, by doing reviews in an automated manner or avoiding that you need to do reviews by also identifying anomalies in the assigned entitlements.
Maybe also at some point into the way entitlements are used. So we, which all come together. And I think this is really one of the areas where we can help making identity management projects far more successful by applying the right technologies, right manner. So we touched a little bit of trends and, and w what a state is. And I think they're talking about things can get really better. And so you'd have chief product officer of SailPoint, and maybe you'd like to touch a little bit on what you're actually doing and what you intend to do soon so that you can give some more concrete examples, sort of real-world examples of what is already here. We're looking at your portfolio. Yeah.
So, you know, we're, we're very excited about, you know, what the next 10 years of identity is going to look like. You know, I think first identity, you know, is becoming a well-recognized, you know, part of the IT environment, you know, within the enterprise and enterprise world. So, you know, when I first started at SailPoint, you know, over 13 years ago, identity was kind of buried, you know, in, in the back of the IT organization. It's not in front and center, because if you can't get people, the access that they need, then ultimately you're going to fail on your business objectives. You know, I, however, one of the things that I think is also true is people don't want to wake up and necessarily have to think about identity management day to day. And so, you know, when, when, when SailPoint got started, you know, or early days, you know, we, we definitely had a lot of these ideas in mind, but the technology wasn't available to implement some of the automation the way in which, you know, the new AI frameworks and the big data frameworks allow us to, to implement them today.
And so, you know, over the course of the past several years, we've been hard at work at, at, you know, not only looking at our existing products and determining new ways that we can simplify identity management, both from a deployment perspective, but also day-to-day usage perspective. We're looking at ways that we completely change the identity management paradigms that we're, that we're used to, you know, and, and, and a couple of great examples, you know, in, in our products today, we actually use AI to generate recommendations on whether somebody should accept access or reject access in the context of a certification or an approval. We can take that recommendation. We can use it to actually automate the entire certification process for entitlements, where the system has confidence that, you know, it, it knows the right decision to make. We're also looking at ways you, you brought up the policy example a minute ago, and, and I think policy, you know, regardless of how you define it, exactly is going to be a critical way that we ultimately get to the self-driving state for identity, where we can define what's right, and what's wrong.
And the system can actually be in charge of bringing those two worlds into alignment. And, you know, I think if you look at traditional role management projects, as an example of setting access policy, they were fraught with challenges because organizations would spend years trying to define the perfect role model. They might spend months implementing it in a tool like SailPoint, but the day that they turn it on the business, they add new applications, they decommission applications. And all of a sudden the role or policy model has, is now broken. What we want to be able to do is move that into a continuous state of analysis so that, you know, we don't do big bang role management projects or role mining. You know, as part of that, we actually let the system continuously look at the information and pop out recommendations on ways to evolve the policy that's assigning access and improve that policy so that, you know, more access can be automated when people are on board or move within the organization, certifications can be automated from the perspective of signing off on existing access and making recommendations on where maybe deprovisioning is, is appropriate for extraneous entitlements.
We also want to look at how we bring activity information, right? Usage data about what users are actually doing with their access and use that to improve, you know, the assignment models that we're using. Use that to actually reduce the amount of access that is actually provisioned in the environment, which ultimately allows us to reduce the threat operator that's out there for, for the bad guys.
Yeah. That sounds interesting. And I think this is well aligned with what we were seeing. So going to more flexible deployment models, more flexible architectures, but really making use of technology to reduce the manual work, which can be well automated. There are a lot of things which can be automated, which can be done better. So I think we are really seeing the next wave, the next shift. And I would agree with what you state, a future of IAM is really automated, the less manual work, the better it is. With that, I think we are already at the end of our talk. Paul, thank you very much for taking the time. Thank you very much for all the insights you've provided.
Appreciate, Martin. It was a great conversation. Thank you.
