
Access governance 'critical for corporate security'


The Australian market sees identity and access management as a priority, SailPoint co-founder and chief strategy officer Kevin Cunningham told iTWire.

All of the big banks, a major airline and several retailers are among SailPoint's Australian customers, he observed.

While the financial services sector is always an early adopter of technology, retail, transportation and mining are among the "followup markets", Cunningham said.

They realise that it isn't a matter of ticking the boxes to comply with regulations, but of securing the enterprise and managing risk.

A big change in the market during 2017 was the introduction of identity analytics products that use machine learning to identify anomalies in the access rights granted to people or in the way an individual is using those rights.

For example, someone may have been granted much broader access rights than their peers. That could be a mistake (perhaps they still have rights associated with a former role within the organisation), it could be malicious (they have deliberately obtained excessive rights through social engineering or by being in cahoots with a member of the IT or security staff), or it could be above board (eg, if they have unusually broad responsibilities, perhaps as the result of being given multiple roles).

Those patterns can be detected almost immediately, but it takes longer — perhaps one to three months — to spot behavioural patterns. That's partly due to the cyclic nature of some activities; for example, certain tasks may only be performed at the end of each quarter.

Another consideration is that the organisation isn't starting from a "known good" situation. Rather, it is possible that improper access is taking place the very first time an identity analytics system is activated. So it takes time to detect abnormal patterns.

Cunningham suggested this is similar to the way financial institutions have learned to spot credit card fraud by detecting variations from cardholders' normal behaviour, whether that's in terms of geography or the type of merchant.

He gave the example of a scientist who, in preparation for quitting a chemical company, suddenly started downloading large amounts of data. That activity represented a deviation not only from the person's normal behaviour, but also from that of their peers.

Such analytics systems are aimed at finding the needle in the haystack of data generated by a wide variety of systems, but "we've built the connections", Cunningham said, both to SailPoint's own products and to third-party software such as Splunk.

But IdentityAI and the company's other products are still "fairly sophisticated software" in terms of implementation, so they are largely marketed to organisations with at least 5000 employees, he said.

The introduction of the cloud-based IdentityNow identity governance system has "opened up a whole new market" of organisations with between 1000 and 9000 employees, thanks to its claimed flexibility and ease of consumption.

Like many SaaS products, it is more prescriptive than its on-premises equivalents, he warned. It embodies best practices for common processes, and is not designed to accommodate idiosyncratic processes.

Organisations are making two main mistakes regarding identity governance, Cunningham told iTWire.

There's still "a head in the sand mentality in some organisations", he said, although most have woken up to the issues, thanks to "all kinds of legislation" including Europe's GDPR and mandatory breach disclosure in Australia.

Secondly, there is a feeling in some quarters that home-grown solutions are adequate. This is particularly common in the financial services industry, largely because they recognised the need for such systems before they became readily available. But identity governance is not part of a bank's core business, and SailPoint's products are often used to replace those in-house efforts.

Access governance is critical to corporate security, he noted.

