Bots: The new challenge for identity management
- 22 August, 2018 15:42
Mark McClain, founder and CEO of identity management software developer SailPoint, says robotic process automation bots are rapidly emerging as a new form of identity that needs to be managed in the same way as human identities.
Speaking to Computerworld ahead of the company’s Navigate user conference in Sydney, McClain said the use of robotic process automation was growing rapidly and putting pressure on identity management systems because such bots have largely been left unmanaged by identity governance programs, leaving organisations exposed to security and compliance risks.
“In the US we are surprised at how rapidly people are adopting robotic process automation: Writing software bots that are automating relatively simple analytic tasks that a human used to perform,” he said.
“Some of these processes look just like a human identity to the system and they don't know who is accessing their data, processing it and making decisions. Some of our more forward thinking customers are pressing us on this.”
The Institute for Robotic Process Automation and Artificial Intelligence describes robotic process automation (RPA) as using a robot to “capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.”
It adds: “RPA provides dramatic improvements in accuracy and cycle time and increased productivity in transaction processing while it elevates the nature of work by removing people from dull, repetitive tasks.”
SailPoint expands identity management to bots
SailPoint this week released a new version of its identity management product, IdentityIQ 7.3, that enables organisations to manage non-human identities such as software bots and RPA bots.
SailPoint said IdentityIQ now enables organisations to govern bots and their access to enterprise applications and data by enforcing processes like requesting, approving and certifying access and by extending access-based policy definitions to these non-human users.
McClain said that, without proper management, bots could access information that should be subject to access restrictions and make it available to human users.
“Just as organisations need to understand what a human has access to they need to understand what those processes have access to. If a person can go rogue a process can go rogue,” he said.
He said users going rogue, what he called ‘the Snowden Effect,’ was now one of the biggest issues facing identity management: Not the correct configuration of access to data and applications, but identifying people’s unauthorised use of that access.
“For example, Apple arrested a guy at an airport who was about to fly to China with a bunch of data about driverless cars. They only found him out because somebody noticed that he was downloading 20 times the amount of data he used to do his normal job.”
With so much information now moving around corporate networks, McClain said the only way to detect such behaviour was to use intelligence to identify normal patterns and detect abnormal patterns.
To this end SailPoint last year announced a product called Identity AI. “Its initial intent is to help customers do a better job with that signal to noise problem,” McClain said.
“What we are trying to bring to the industry is identity awareness. Knowing who is trying to do what within their systems, their networks, their data. There are millions of accesses happening every day. The trick is to find out which are inappropriate and try to stop them.”
SailPoint’s Australian journey
John Mabbott, head of enterprise security and fraud, Asia Pacific, for Vanguard Investments, has a long association with SailPoint. In 2009, working as a security professional within the Macquarie Bank Group, he was responsible for the group becoming SailPoint’s first Australian customer.
He told Computerworld that, at the time, major disasters at other banks enabled by improper access management had spurred the need for better systems at Macquarie Bank.
“I was responsible for risk and security for Macquarie Securities Group and Macquarie Capital. We had a need to solve our identity management problems. We were doing a lot of work on spreadsheets and not really managing our risk properly.
“There had been two major rogue trading incidents at UBS and Société Générale when people were moved from the back office to the front office, kept their access to the back office systems and were able to create fake hedges to hide the extent of their rogue trading. Those were big failures of identity and access management.”
“At the time SailPoint was rising up in analysts’ rankings and making an impact in the US,” Mabbott said.
“We did some analysis and identified them as one of the market leaders. That was SailPoint’s entry into the Australian market and it is possibly still the most extensive implementation in Australia.
“After that SailPoint very quickly won most of the financial services accounts in Australia. Their other two big verticals in Australia are public sector and healthcare.”
Mabbott moved to ANZ bank, which had also adopted SailPoint for identity management. His next move was to KPMG, where he worked to implement SailPoint at Westpac in Australia and New Zealand, at NAB and at BankWest (since acquired by the Commonwealth Bank).
US-based Vanguard Investments, according to Mabbott, is the second-largest investment company in the world with A$6.8 trillion under management and 16,800 staff, 550 of them in Melbourne. It is headquartered in Valley Forge, Pennsylvania.
Mabbott said Vanguard used a single instance of SailPoint to manage identity globally. Out of its 510-strong IT security team, 130 are dedicated to identity management. There are 126 in Malvern, Pennsylvania, and four in Melbourne on the operational side.
He said one of the biggest challenges in identity management was defining roles and determining what resources those roles should have access to.
“It is more of an art than a science getting roles right. The software helps but you need somebody to make a decision,” he said.
“We have a role engineering team, and a manager will come to us and say they want to set up a new role, but there is a problem with role explosion where you end up with more roles than people. I think we have about 28,000 roles for 16,800 people. It is a very common problem across organisations.”