Mark McClain, CEO of identity governance company SailPoint, discusses the importance of keeping tabs on data access and the company’s journey from US startup to billion-dollar multinational corporation
Who has access to what, who should have access to what, and how is that access being used?
These three key questions are critical (and often headache-inducing) for any company when it comes to managing its data – and they are precisely the questions identity governance platform SailPoint looks to answer.
In an increasingly cloud-based world where end-users as well as staff and companies are rightly becoming increasingly concerned with what happens to their data, SailPoint aims to help companies manage digital identities so that access can be clearly defined and securely managed.
Having grown into a $2.2bn NYSE-listed company, Austin-based software developer SailPoint dates back over a decade but went public in November 2017, achieving a value of over $1bn on its first day of trading, with an IPO that raised $240mn.
CEO Mark McClain recalls the client server era of the early 1990s. “You had tonnes of Unix servers and Windows servers all over the place.” In 2000, McClain founded identity management company Waveset Technologies, growing the business 250% year on year for the first three years before it was acquired by then-giant Sun Microsystems.
The main issue McClain was dealing with in his Waveset days is known as joiner/mover/leaver: the granting of access to data when a stakeholder joins an organization or moves departments, and the rescinding of this when it’s no longer needed. “People now, not just employees but contractors and business partners who can look a lot like employees, they’re certainly insiders who can access your systems and data.
“Today, the interesting challenge is around non-human identities,” he adds. “These are software bots or robotic processes where software is effectively imitating the behavior of people, in AI and other applications. Today, it’s not uncommon for a loan to be processed initially by software bots that categorize and evaluate, and then go to humans for the next step… The same things we worry about with people and their access now also apply to non-humans.”
In 2004, when SailPoint was being conceived, joiner/mover/leaver and the associated issues were top of mind: namely, process management and identity. “That was the emerging challenge of compliance and governance,” says McClain.
Following the Sarbanes-Oxley act of the early 2000s, data access became an increasing concern – and today we are familiar with the same issues due to the EU’s GDPR. “People got nervous that the wrong people had access to data and could tamper with it – so the beginnings or governance and compliance in the industry were around making sure the right people had access to the right information.”
In McClain’s view, the industry evolved the wrong way around, automating before looking at security elements. SailPoint, however, decided to remedy this by looking at how well a client’s current state matches its desired state in terms of cybersecurity. “That’s the analysis of what the current access privileges are of the organization – once I get that right, then I want to run that into an automated system,” McClain points out.
A common issue, says McClain, is atrophy: when an organization grants access temporarily or to an employee who has moved, but then does not take the access away after it ceases to be necessary. McClain likens this to having a bunch of keys that can open doors you don’t need – or shouldn’t have – access to.
With shifts to cloud and mobile, it’s even harder to ensure data remains ‘safe inside’ a company – “but the processes we use assume it still is, and that’s what customers are really wrestling with. The days of being sloppy about access management are quickly ending.”
What identity governance software, and particularly SailPoint’s offering, can be boiled down to are three key benefit areas: compliance, security and operational expense. In terms of security, McClain says simply: “If you don’t know exactly who has access to what, and that they are using it correctly, bad things can happen.” SailPoint aims to solve the problem of ensuring only the right people have access.
In terms of compliance, SailPoint works not only to manage the ongoing maintenance of identity but also audit compliance validation of identity. GDPR is an example of where businesses, not just in the EU, need to remain compliant. “If a customer says ‘I want you to forget me’, a core tenet of GDPR is that you have to know where that data is and who has access to it so you can turn it off… somewhat broader than security, GDPR is a board-level discussion and yet it’s really about identity,” he adds.
Automating security and governance through SailPoint can also bring about significant cost savings. “It’s not uncommon for a 50,000-person enterprise to have hundreds of people working on nothing but joiner/mover/leaver,” says McClain, adding that through automation this repetitive and costly process is cut down.
Having started with larger organizations, around 2012 SailPoint began to target medium-sized enterprises, developing a software-as-a-service (SaaS) offering called SaaS. “Mid-size organizations today almost never buy software and install it – wherever they can, they want to buy SaaS,” says McClain, who puts this down to the fact that mid-sized organizations want a less sophisticated solution, and often don’t have the time to customize and configure.
The next issue SailPoint is tackling is data being removed from its original location, often to a less secure home. “Every day, people export and download data onto spreadsheets, PowerPoints, and other documents to be stored in things like SharePoint and Dropbox.” SailPoint is therefore looking at what McClain calls ‘unstructured data’ and how AI could be utilized to protect it.
“For an organization with 50,000 people and 10,000 applications, it’s hard to figure out where you might have exposure to risk,” he explains. “In most organizations, there’s no single system of records – who an employee is, what they do, and what access they have across mainframe, client server, cloud, SaaS… finding anomalies of access privileges is very painful.”
An ongoing commitment to solving these pieces of the identity puzzle, as well as adapting solutions for businesses of various size and scale, has contributed to SailPoint’s solid growth into a mature public company. Having begun in North America, the business soon moved into the European market via London due to its volume of clients in the finance sector, and is now growing in the APAC market.
Instead of opting to work with smaller companies and branching out as the likes of Salesforce did, McClain puts SailPoint’s growth to just the opposite. “We wanted to tackle some of the largest, most complex organizations in the world because we had a belief that if we could get those folks hooked and bought into our products, we could leverage that down the market,” he explains, adding that over time investors have certainly ‘voted with their wallets’. “They’ve come into the stock and pushed the value up – the security market has certainly emerged as a very important submarket within IT.”
As a final word of advice for any business, McClain says that a period of automating or moving to the cloud is the ideal time to examine security. “Digital transformation is an opportunity and a reason to evaluate your current state of identity controls and governance and shore up your policies and processes to prepare for the future. If you just take those poor policies to the cloud, it’s going to explode and get worse.”