Sitting down with Computer Weekly during a brief break from scouring London’s shops and malls for presents for his grandchildren, SailPoint founder and CEO Mark McClain reflects on how the concept of identity has similarly developed and evolved over the years, and the future it now faces as a core element of organisational cyber policy.
McClain was among the first through the identity door back in the latter half of the 1990s when he was still working at systems management specialist Tivoli in the midst of its $743m (worth approximately $1.45bn now) purchase by IBM.
“It was the early era of what we then called distributed computing, when the world was moving from centralised datacentres with mainframes to distributed Unix servers, Windows servers, desktops and PCs. Instead of one big intelligent device with a network and a lot of dumb devices, you had intelligence at multiple levels, and that drove a bunch of changes in the realm of what was then called systems and network management,” explains McClain.
“In that world, one of the things that emerged in the mid-to-late 90s, before we even used the term identity, was user management.
“The idea was you had accounts on multiple Unix servers or Windows servers and you could be represented by all these different accounts. It was a royal pain to keep all of that straight in a big enterprise.”
As such, one of Tivoli’s early developments was an application to oversee the processes associated with people joining, leaving, and moving jobs within organisations. However, although identity was clearly part of the picture, this was not done in the context of it, but rather in that of business efficiency and productivity.
“That was kind of the first iteration of identity, when we didn’t even call it identity,” says McClain. “It was less about security that productivity, less about security than about saying, ‘Well, this is an inefficient process, let’s make it efficient’.”
The story continues
Through the 2000s, a second wave of change manifested as an increase in complexity introduced by new compliance requirements, driven by regulations like Sarbanes-Oxley and high-profile corporate failures and scandals such as the Enron affair.
This wave added validation to the picture in addition to user management, as organisations found they not only needed to manage multiple identities but ensure their behaviour was appropriate. SailPoint, incidentally, was founded in the midst of this evolution in 2005.
Then, from around 2010 onwards, the arrival of software-as-a-service (SaaS) applications, mobile computing, and the degradation of traditional forms of computing, also brought radical change to the picture.
“All of a sudden you had a situation where everything had opened up. As a corporation, through the 60s, 70s, 80s and 90s you owned the compute, the network, the device. By the 2010s, you didn’t own any of that,” says McClain.
It was at this point that that identity management and cyber security started to run towards one another at full tilt.
“The thing that began to emerge as a control point was identity, which is also why I think the bad guys began to attack that as a way to get into organisations,” says McClain. “It’s one thing to break through the firewall to try to get to the data, but it’s way easier if I can get your credentials naturally.
“So it’s those two things together that conspired to make this such an interesting area, because identity had always had aspects of operational efficiency and enablement, but all of a sudden it had a deep security component.
“In some ways, Covid exposed a lot of insufficiencies in the security arena and now they couldn’t unsee that”
Mark McClain, SailPoint
“We developed SailPoint initially for the compliance piece, and ultimately incorporated all of that in our first decade, and then the security part really escalated in the past decade.
“Now that we’re almost 20 years in I don’t think any of us could have predicted how identity would become such a centralised point of dialogue inside the enterprise.”
Then, in the past four years, the Covid-19 pandemic also had a profound influence on the evolution of identity into a security play, the implications of which are still playing out.
“Nothing new got introduced necessarily during Covid,” says McClain, “but the rate and pace of change dramatically increased because – though people worked remotely before Covid – the rate of all that also escalated.
“It’s kind of like when you’re in your house and you have a flashlight and you shine it and see a bunch of cobwebs. It’s very difficult to just turn the light away and say, ‘I will ignore these cobwebs’. In some ways, Covid exposed a lot of insufficiencies in the security arena and now they couldn’t unsee that,” he says.
But not every change and evolution in the technology industry is always entirely down to Covid. In this corner of the cyber world, it is the sheer proliferation of identities – in which Covid was certainly a factor – that is now driving change.
“At its core, identity is about who has access to what. That’s the nature of this industry – who are these identities,” says McClain.
“The who has generally been people. The what has been mostly applications; can you access SAP or can you access WorkDay or whatever. The nature of our space has been [to ask] how you make that efficient through provisioning and lifecycle management? How do you validate it’s correct and compliant?”
What has now happened, says McClain, is that volumes of whos and whats are both exploding. In the first instance, the number of people needing to be identified expands to include not just employees but contractors, and employees of organisations in the supply or distribution chains.
In the second, the number of things needing to be identified is also skyrocketing as more and more data moves across more and surfaces, from app to app, from email, through SharePoint, DropBox, or a myriad of other tools that are at best poorly managed, and usually not managed much at all.
Both of these growth curves are serving to grow the attack surface and increase the risk to identities.
“What that’s driving people to is to say, ‘I must have intelligence and automation or I will never keep up with this problem,” says McClain.
“So, the investments in AI [and] the investments in automation that we’re driving are about getting people to recognise your problem is not a 10,000 person organisation with 400 applications; you might have in that 10,000 person organisation 150,000 identities you care about and access to data that is four orders of magnitude larger than that application environment.
“There’s no way you’re going to manage that with spreadsheets and email and routing around for approvals – you’re hopelessly behind the game if you don’t start to automate this and use a lot of AI and machine learning to understand patterns and risk profiles,” says McClain.
“We’re one of those industries where AI has not become this new topic in the last year and a half – it’s been on our radar for six or seven years because we knew it would be the only chance to keep up with this volume explosion.”
New opportunities, new threats
But as he thinks about AI, McClain is also acutely aware of the threat to identities that it poses, in a world where text, video images and voice prints can now be easily manipulated in order to spoof a trusted identity, all bets would seem to be off.
McClain can actually claim some experience of having his identify spoofed by an AI himself, albeit in a controlled, test environment with no cyber criminals involved.
He explains: “We used an AI tool to sample my voice from podcasts, talks I’ve done and so on, and we gave it a script to read and then I read a script about the very important issue of my favourite cookie.
“It turns out I really like oatmeal and raisin, but the AI went with a more traditional chocolate chip. So, we ran both – and people knew it was a test – but a third of them got it wrong. The fake was so good that a third of our own people thought the fake was me.”
McClain foresees further rapid evolution in this regard as AI-enabled cyber criminals are able to leap more of these identity hurdles with ease. “I think it’s about to escalate,” he says.
A good example of an incoming problem could be in financial services, where machines are already doing a lot of heavy lifting processing loan applications on behalf of humans. But in an era when human identities can be readily spoofed by an AI, how do you stop the machines being fooled by the machines?
“There are some really hard programming problems that are emerging if you’re using bots to service accounts and intelligent devices to replace what was formerly done by humans, and now identity is an attack vector, how do we set up protective capabilities around nonhumans like we have around people? How does it validate?
“We’ve done all this training to try to enable people to combat people-based attacks. How do you take that into the world of non-human identity?” he says.
Identity is still a developing discipline, says McClain, and he reckons SailPoint’s evolutionary history puts it in an interesting position when it comes to future developments.
“It’s almost impossible to talk about something that doesn’t come into that purview [of identity and data management,” he says. “What in your enterprise does not relate to identity or data. In that sense our purview is incredibly large.
“We can’t solve all of these problems, of course, but we can be well-positioned to be a single source of truth,” he concludes.