A Texas-based company has come up with a solution for large enterprises to protect themselves from disgruntled internal staff, which it says is a growing risk for companies forced to lay off staff during these tough economic times.
"How does a company protect itself from internal people in these turbulent times of layoffs?" asked Jackie Gilbert, VP of marketing and founder of SailPoint Technologies, speaking to Techworld at Burton Group's Catalyst Conference in Prague last month.
Gilbert says that SailPoint's aim is to help organisations better manage these insider risks by helping them implement strong and consistent controls over user access to business-critical applications and data - identity governance, in other words.
"We take a data mining or BI (business intelligence) approach, and mine the data to come up with people's access privileges," Gilbert said. "The company conducts an 'access review', where we aggregate the access information, and send it to the line manager and ask them to approve it."
This allows SailPoint to determine the 'segregation of duty' or policy enforcement.
"It scans all the access data, and a set of rules looks for the 'toxic combinations'," Gilbert said. For example, it will pinpoint if a company has someone with the ability to sign and authorise cheques by themselves, instead of requiring two people to authorise payments.
"At the moment, people are mostly compiling this data manually," Gilbert said. She thinks that IT departments typically tend to use spreadsheets to collate data on access privileges, if at all.
SailPoint is aiming to replace this manual process.
Gilbert also points to the problems of orphan accounts. These are common when companies are in layoff mode, and the IT department struggles to manage the deletion of old accounts. "It can be a very manual process to turn off email for example," said Gilbert. Indeed, it is not uncommon for staff who have left a company, or have been made redundant, to still be able to access their email accounts many months after they have left the company.
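The two checks described above (rules that look for 'toxic combinations' in aggregated access data, and the hunt for orphan accounts) can be sketched in a few lines of Python. This is an added illustration, not SailPoint code; the record layout, entitlement names, employee IDs and the rule set are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: (application, account, owner employee ID, entitlement).
# E100 holds the two cheque rights in different applications under different
# account names, so reviewing each application on its own would not show it.
ACCESS_RECORDS = [
    ("payments", "jsmith", "E100", "cheque:sign"),
    ("treasury", "john.smith", "E100", "cheque:authorise"),
    ("payments", "mlee", "E101", "cheque:sign"),
    ("treasury", "akhan", "E102", "cheque:authorise"),
    ("email", "joe", "E200", "mailbox:use"),
    ("email", "mlee", "E101", "mailbox:use"),
    ("erp", "svc-old", None, "ledger:read"),
]

# Constructed HR roster of current staff; E200 (Joe) has left the company.
ACTIVE_EMPLOYEES = {"E100", "E101", "E102"}

# Hypothetical rule set: entitlements that one person must not hold together.
TOXIC_COMBINATIONS = {
    "single-person cheque payment": {"cheque:sign", "cheque:authorise"},
}

def aggregate(records):
    """Collapse per-application records into one entitlement set per owner."""
    by_owner = defaultdict(set)
    for _app, _account, owner, entitlement in records:
        if owner is not None:
            by_owner[owner].add(entitlement)
    return dict(by_owner)

def find_toxic_combinations(records, rules):
    """Return sorted (owner, rule) pairs where the owner holds a whole rule set."""
    hits = []
    for owner, held in aggregate(records).items():
        for name, combo in rules.items():
            if combo <= held:  # every entitlement in the rule is held
                hits.append((owner, name))
    return sorted(hits)

def find_orphan_accounts(records, active):
    """Return sorted (application, account) pairs with no current owner."""
    return sorted({(app, acct) for app, acct, owner, _ in records
                   if owner is None or owner not in active})

if __name__ == "__main__":
    print(find_toxic_combinations(ACCESS_RECORDS, TOXIC_COMBINATIONS))
    print(find_orphan_accounts(ACCESS_RECORDS, ACTIVE_EMPLOYEES))
```

The access data has to be aggregated per person before the rules run, which is why the combination split across two applications is still caught.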
SailPoint aims to solve this with its Access Request Manager. "If Joe is leaving, companies ask 'how do we know what Joe has access to?'" said Gilbert. "This product shows them." It also works the other way. "If a company hires Joe, does the company know what systems he needs to access in order to do his job?"
Gilbert also warned of the danger of what she terms 'entitlement creep'. This is where an employee accrues more and more access privileges during their time with the company. She points out that there is never a 'reality check assessment', over whether some of those privileges are still necessary for the person to fulfil his role.
All these issues are proving to be good business for SailPoint. According to Gilbert, the company is on track to more than double its customer base by the end of the year, despite only being publicly launched in 2007 (it was founded back in 2005). Already, five of the world's top 10 banks and some of the world's largest insurance, telecom, manufacturing, and healthcare companies are using SailPoint IdentityIQ for their identity governance initiatives.
This is very much an enterprise-focused package. A typical SailPoint installation costs in the region of $200,000 and scales up, depending on the size of the company, because "with larger enterprises there is more complexity, more churn, and more insider breaches."
Gilbert admits that you can't always prevent the danger posed by insiders, but with SailPoint software, she insists that companies can at least limit the risk of damage.