I Think, Therefore IAM…
My first introduction to real identity management was around 25 years ago. A public sector customer that the company I worked for was supporting had a complex and highly secure environment, which meant that strict identity and permissions management were absolutely paramount. I didn’t really understand it if I’m honest; it seemed like a real faff. Why add an additional layer of complicated middleware to Windows NT User Manager (and subsequently Active Directory), I wondered? Aren’t roaming profiles enough for us to have to deal with?
The answer, of course, was that the users were accessing way more than simple, straightforward Windows file systems and shares. They were accessing AIX platforms, old legacy mainframes and a plethora of tightly integrated systems via point-to-point, hard-coded connections, and all of this sat in a highly sensitive, security-critical environment. So trying to keep all of that in sync meant that a level of abstraction was required. Enter Evidian AccessMaster.
It certainly wasn’t pretty and it definitely wasn’t user friendly for the operator. It required a replacement of the Windows GINA on every machine, for example. But what it was, was rock solid for its time, introducing a way to manage a shedload of multiple identities securely and even to offer SSO via what was effectively a primitive - although innovative - method: scrape the screen for the login and password boxes, encrypt and hash the passwords at the back end, and pass them through when the login dialogue box was detected. And it worked most of the time.
It also frightened the life out of me. Here was the “brains” of the entire security backbone for a national public service that allowed the operator to grant or deny access to assets of high importance and sensitivity. More than that though, the highly convoluted nature of the multiple logins meant that configuration was a pain, resulting in many walk-ups to our desks on a daily basis.
So why is this relevant today and why is it relevant to you? Well, at SPG over the past few years, we’ve seen first-hand an increase in hacking and ransomware cases, several of which have resulted in multi-million-pound payouts to attackers. Although not a silver bullet, secure identity is a crucial component of the much sought-after “zero trust” model (although it’s questionable whether many organisations have really implemented true zero trust end-to-end in the purist sense).
Through the course of being exposed to - and being asked to help remediate - some of the attacks mentioned above over the last several years, we’ve learned that without proper Identity Governance and Administration (IGA), former employees’ accounts can remain active long after their departure, and temporary access granted for a short-term project may never be revoked, both of which attackers can - and do - exploit. You’d be surprised (or maybe you wouldn’t) at how many organisations still manage their joiners/movers/leavers process with a spreadsheet and no real owner.
When it comes to sensitive accounts - such as those belonging to administrators, or service accounts with broad systems access - a lack of Privileged Access Management spells trouble. Going back to my first introduction to identity management, I saw first-hand that pretty much every service account in the NT4 domain ran with a universally shared and known Administrator account and password. I can still remember the password to this day, and I’d hazard a guess there are still services running on that network that are using it. Attackers could acquire these credentials by searching code repositories, sniffing network traffic, exploiting web application vulnerabilities, or using social engineering tactics. Once in possession of a privileged account, attackers can move laterally, install malware or disrupt services, all while remaining undetected due to incomplete visibility and auditing.
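To make the two failure modes above concrete, here is an added example (not part of the original post, and not Saviynt or SPG code) of the reconciliation checks an IGA process should run: leavers whose directory account is still enabled, temporary grants past their expiry, unowned service accounts, and a shared privileged principal used as the run-as identity by several services. All data is constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed sample data: HR roster, directory export, temporary grants
# and a service-to-run-as inventory. Field names are assumptions.
HR_ROSTER = {
    "jsmith": {"status": "active"},
    "adoe": {"status": "left", "leave_date": date(2024, 3, 31)},
}
DIRECTORY = [
    {"sam": "jsmith", "enabled": True, "type": "user"},
    {"sam": "adoe", "enabled": True, "type": "user"},  # leaver, still enabled
    {"sam": "svc_backup", "enabled": True, "type": "service", "owner": None},
    {"sam": "svc_web", "enabled": True, "type": "service", "owner": "jsmith"},
]
TEMP_GRANTS = [
    {"sam": "jsmith", "resource": "finance-db", "expires": date(2024, 6, 30)},
]
SERVICES = [
    {"name": "BackupAgent", "host": "srv01", "run_as": "Administrator"},
    {"name": "Scheduler", "host": "srv02", "run_as": "Administrator"},
    {"name": "WebApp", "host": "srv03", "run_as": "svc_web"},
]

def find_orphaned_accounts(directory, roster):
    """Enabled user accounts with no active HR record (leavers or unknowns)."""
    return sorted(a["sam"] for a in directory
                  if a["type"] == "user" and a["enabled"]
                  and roster.get(a["sam"], {}).get("status") != "active")

def find_expired_grants(grants, today):
    """Temporary access whose expiry date has passed but was never revoked."""
    return sorted((g["sam"], g["resource"]) for g in grants if g["expires"] < today)

def find_unowned_service_accounts(directory):
    """Service accounts with nobody accountable for them."""
    return sorted(a["sam"] for a in directory
                  if a["type"] == "service" and a["enabled"] and not a.get("owner"))

def find_shared_privileged_runas(services, privileged=("Administrator",)):
    """Privileged principals used as the run-as identity by more than one service."""
    by_account = {}
    for s in services:
        by_account.setdefault(s["run_as"], []).append(f'{s["host"]}/{s["name"]}')
    return {acct: sorted(v) for acct, v in by_account.items()
            if acct in privileged and len(v) > 1}

def jml_report(today=date(2024, 9, 1)):
    return {
        "orphaned_accounts": find_orphaned_accounts(DIRECTORY, HR_ROSTER),
        "expired_grants": find_expired_grants(TEMP_GRANTS, today),
        "unowned_service_accounts": find_unowned_service_accounts(DIRECTORY),
        "shared_privileged_runas": find_shared_privileged_runas(SERVICES),
    }
```

Each finding maps to an action in the JML process: disable the orphaned account, revoke the grant, assign an owner, and move each service onto its own least-privilege identity.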
That brings us to today’s modern IGA and PAM solutions. The SPG team looked at many vendors and evaluated several of the market leaders. By the end of the evaluation process, we decided to partner with only one: Saviynt.
This partnership is actually well established; we started speaking to Saviynt in early 2023, and my interest was piqued having read about their converged identity solution, EIC. We knew identity was a pervasive issue, but the thing that really drove my pursuit of this partnership was data and observability aspects.
Anyone who’s read my LinkedIn posts will know that SRE and observability (before observability became the new en vogue name for systems performance management) is one of my technical obsessions. So it stands to reason that what interested me about Saviynt’s solution was the ability to tie observability and identity together in a consolidated - and hence searchable and intelligible way.
We’ve seen the trend for a few years now - the number of endpoints continues to grow and as each asset comes online, it needs access to a variety of systems, datasets and accounts. How do you manage that? How do you predict and secure these access pathways?
Well, by tying together ‘observability’ data and identity data, you can.
Saviynt’s guiding principle is that of convergence; managing all identities - human identities inside an enterprise and outside, regular and privileged, as well as non-human identities from service accounts, API processes, IoT, RPA workflows, etc. - in one framework.
Of course, all of this requires improvements in the discovery of access, the sophistication of automation, and the intelligence of alerting, monitoring, and recommendation tools since no human administrators will be able to supervise every identity, endpoint, and privilege manually.
Identity and Access Management is, in our opinion, a no-brainer use case for large language models too. AI can feel like a hammer looking for a nail sometimes, but in this instance there’s a clear and unambiguous opportunity to leverage the technology. Earlier in 2024, Saviynt launched Savi, their user co-pilot, the first generative AI tool native to an IGA system, so that it can provide answers, recommend actions, navigate the service and even follow user instructions, with the goal of increasing user productivity.
The broader platform is currently the first and only Identity Governance and Administration solution with native machine learning that can revise, update and improve its own models for complex tasks like access recommendations without assistance, and that adds role recommendations, role consolidations, birthright role assignments and more to role-mining processes. It’s also the first to include governance tools for external identities, including customisable onboarding forms, blended governance workflows, and pre-built integrations with identity-proofing services that can be invoked within provisioning or certification workflows.
What started as a way to make a complex, multi-system environment a little more manageable has evolved into something far more pivotal. For SPG, working with platforms like Saviynt is about more than ticking a compliance box or selling a product. It’s about helping organisations stay one step ahead of attackers, protecting their people, their data, and their finances. When we think about the security challenges we’ve witnessed over the years, we know that every improvement we make - whether it’s a smarter role recommendation or a more intuitive user experience - brings us closer to a safer, more resilient landscape. And it’s for those reasons that SPG is passionate about identity and why we believe it’s central to every organisation’s safety, security and success in the modern technology-led world.
Saviynt is actively working with Microsoft to integrate with their very latest and most powerful generative AI tools, such as Microsoft Security Copilot, which uses generative AI to produce risk intelligence from 65 trillion daily signals generated by real-time analysis of events observed by Microsoft Sentinel, Microsoft Defender XDR and their other security tools. That risk data will soon be available to EIC's data lake and ML tools for proactive access decisions and risk-based policy enforcement in real time.
From an AWS perspective, Saviynt is actively improving how complex machine identities and synthetic identity types (such as access rights for human identities) are tracked in AWS Identity Center, including those created by service accounts from the AWS Console in new tenants that contain lifted-and-shifted workloads whose access rules and rights were created in yet another system. Saviynt's Identity Cloud is the only IGA service that can unify visibility and governance of overlapping and related identities, both human and non-human, from the disparate tools built by each IaaS service, such as AWS Access Analyzer, AWS Identity Center, and the AWS Console.
The technical advantages we saw and liked about the Saviynt solution are exhaustive and too many to list here, but it’s not just the technology that attracted us to the solution. SPG employs an accelerated methodology for conducting a problem diagnosis - the Lightning Insights methodology - which emphasises rapid problem identification and immediate value delivery. This approach aligns perfectly with Saviynt's Time-To-Value packages, which eschew lengthy customisation in favour of proven, quick-to-deploy solutions. This strategic combination means clients benefit from SPG's swift, forensic analysis of their identity challenges, seamlessly transitioning into Saviynt's structured 'Fast Start' packages that can be deployed in as little as 4-16 weeks. We’ve learned through doing that our partnership is really good at identifying, isolating and solving common business challenges through standardised, best-practice solutions - from automating identity lifecycle events to enabling compliance controls and managing third-party access.
In closing, this partnership marks a pivotal step in enhancing SPG’s ability to address the evolving landscape of identity and access management. By leveraging Saviynt’s comprehensive, converged identity framework and its pioneering approach to machine learning and generative AI, we’re equipping our clients with a future-ready solution that not only secures identities but also optimises productivity. This collaboration isn’t just about deploying cutting-edge technology; it’s about creating a cohesive, responsive, and intelligent ecosystem that transforms how identity is managed, securing organisations while enabling them to thrive in an increasingly interconnected world.