We are currently in the middle of an explosion of digital information. Today, people expect access to applications and data, from anywhere, at any time, and on any device. But with so much information to monitor, how will you ensure a high level of security for your company?
In this interview, Paul Mezzera, cybersecurity expert and Saviynt’s VP of Strategy, talks with Tracy Holtz of The Holtz Story about protecting your people, data, and infrastructure in today’s rapidly accelerating digital landscape through Zero Trust. Listen to the full interview to learn more about:
- The benefits of automation and machine learning – and how they can keep access secure
- The importance of continuous identity monitoring in risk detection
- The tenets of Zero Trust and the importance of establishing the right mindset
- Zero Trust adoption tips and how Saviynt can kickstart your journey
Zero Trust is not a one-time solution or project; it’s more of a mindset of questioning access. Learn how to shift your mindset toward continuous monitoring of access rights, understanding risk, and focusing on high-value opportunities. Listen to the full interview below or read the transcript.
Welcome to The Holtz Story, a podcast where tech leaders discuss the biggest trends and challenges in cybersecurity technology. Brought to you by Tech Data, one of the world’s largest technology distributors.
Tracy Holtz: Welcome everyone to another episode of The Holtz Story, where we go deeper into the topics and technology impacting our industry. I’m your host, Tracy Holtz, and today’s guest is Paul Mezzera, vice president of Strategy at Saviynt. Paul guides Saviynt go-to-market strategy. Before Saviynt, he was a director analyst at Gartner focusing on identity, governance and administration, privilege access management, customer IAM and cloud infrastructure entitlements management, and identity access management architecture and program management research.
Paul has more than 20 years of experience in identity and access management, and previously served as systems and security architect for Fortune 500 companies, including Pfizer and McKesson. Welcome Paul. It’s really great to have you on as the Holtz story, I’ve been looking forward to this podcast for a bit now. Saviynt is very innovative around technologies, around administrative and compliance and a newer vendor for legacy Tech Data and now TD SYNNEX. So I’m really excited to have you on.
Paul Mezzera: Great. Thank you. It’s good to be here, Tracy.
Tracy Holtz: Well, thanks so much. I’m going to jump right in. And I know you’ve spent a long time at Gartner and as a senior director analyst there previously, you focused on the identity governance and administration kind of category amongst many others, I’d say in PAM and then on cloud infrastructure. So I’d love to maybe talk a bit about to our listeners around what, based on your background at Gartner, where are you seeing the future around PAM and Identity moving in this cybersecurity world?
Paul Mezzera: That’s a great question. I think up to before Gartner, I was a long time practitioner, so I kind of come full circle to seeing, to being much like your listeners looking at what should we be implementing and how to prioritize what we’re doing and how to evaluate vendors and then going to Gartner kind of help confirm all those assumptions that I had talking to thousands of clients about a lot of common problems. What are some of the capabilities that we need to be focusing on? The biggest one is – with the advent of the cloud, and the advent of access from anywhere by any number of devices and just the whole digitalization of our economy – we’re going to have a scale that we’ve never seen before.
So there’s going to be all this explosion of information, everyone logging in, accessing applications and it’s just humanly impossible really to keep track of that. So we used to assume that we could look at reports and logs and see if someone was misusing or not using their access.
That’s just not going to be doable in the future so we need some sort of analytics coupled with machine learning I think that will allow us to the computers to process that in information, look at what’s kind of normal behavior, anomalous behavior, and maybe even fine tuning our access rights in our roles and groups and be able to see exactly, “Okay, is this person really using this particular entitlement? Does this role have five different entitlements and is it really appropriate for this group of people that I’m assigning it to?” And really have the machine really figure that out for us, or at least help us to come up with recommendations.
So you’re seeing products like Saviynt and others building that kind of recommendation aspect of you as a manager, you get a request for approving access of your employee. What kind of information should you have in front of you to kind of help you make that right decision? A lot of times, at least when I was a manager, I’d get requests from one of my admins, you needed some kind of access to some machine, and it was some very cryptic description. I didn’t know, I’d have to go over to his desk and ask him what it was. So we need more tools like that, that should say, okay, well, if that person is asking for access, what about his peer? Does he have the same access or not? And if he doesn’t, then you could start questioning and kind of challenging them, well, why do you need that access? Right.
And that’s kind of also what Zero Trust is all about, right. Is that not always just assuming someone needs access when they ask for it. So I think so going back to your question, I think the machine learning and analytics is really going to, we’re going to really need that to be able to have computers really help us to go through that processing and help us to really understand what our risk posture is and what type of access we should really be granting to our employees.
Tracy Holtz: I have to imagine after the last 19 months that we’ve all been a part of this huge transformation, whether it be in a hybrid work environment today, being remote and in the office, that’s coming into play with most companies today or to a hundred percent remote workforce because the last 19 months, everyone’s been extremely successful through this. So a lot has changed in the company’s logistics and the kind of environments that cloud played an important role in that entire transformation. So I have to imagine as a company, your automation strategy around log management reporting and making recommendations is a huge opportunity for any company because to your point, managing logs and sustaining them from reports is not sustainable in a digital cloud infrastructure plus kind of a hybrid acceleration move to the cloud.
Paul Mezzera: Definitely. Definitely. And with the cloud comes the ability to also, given that back in the day, to get a machine up and running, you’d have to go and purchase a machine, rack and stack it. I mean, now you just execute a script and you have a whole set of machines pre configured at your disposal. So with that, you could also see exactly and programmatically be able to assign that access or if it’s a server and there’s some built in administrative accounts, you could automatically onboard those into your PAM tool, so that now you’re managing those administrative accounts right through your PAM system. That’s kind of what we do from a Saviynt perspective is that discovery of those workloads and onboarding those accounts to the system, so you know what accounts you’re having to manage.
Tracy Holtz: I think about the provisioning aspect of it and the automation. I think it’s an enormous opportunity in this space. When we think about that entire management, how can a partner or listeners today, right? Whether there are reseller partners or clients of theirs, what are some best practices that you would recommend to them?
Paul Mezzera: I think in general, that you just have to be looking at your unique situation in your environment. Because even if you have a very similar company in the same industry it is going to be a lot different because everyone’s procurement journey is different. We don’t all buy our tools at the same time. So our tools are in various stages of maturity, right? In one case you might have a pretty antiquated identity management system that’s breaking at the seams and that’s your priority, but in other cases, maybe you just recently upgraded to a cloud version and then now, maybe your problems are more in the network. So let’s just always be looking at where you are and where your soft spots are. And then building a roadmap on that and looking at where in each of those areas, where is that crawl, walk, run.
You can’t really get to the run until you crawl and walk. So don’t try to be too ambitious in your projects and always try to set those expectations with your sponsors. Don’t try to over promise and under deliver, in fact, do the opposite. So always set expectations, and if you do more, then you gain that momentum. Because one of the things about the IGA and the PAM, they’re the very challenging softwares to get integrated because they’re very process oriented. So you’re impacting the way people are doing their jobs. If you’re introducing automation, you have to get those people on board. You have to get resources committed from them to help you understand what the current processes are that you’re automating.
And then you have to get commitment from their managers that they’re going to spend time with you. So at least as a practitioner, I’ve always tried to focus on the people in the process aspect, making sure that you got the right people committed to the project before you try to do anything.
Tracy Holtz: Those are great words of wisdom. I would say and you mentioned Zero Trust and I’ve always used an analogy around Zero Trust is really never trust, always verify and I’m sure that’s pretty standard in the industry today as an analogy. But when you think about Zero Trust, where do you think companies fail around or maybe not so much fail, but where do they struggle with getting Zero Trust into place?
Paul Mezzera: I’d say that one of them is just buying into the hype a bit of the Zero Trust or think about some of the myths of Zero Trust really not understanding, it’s not really, there’s a one solution, one size fits all solution to the problem and that it’s a one time project. So I think, again, it’s all about not just the technology, but it’s people in process, right? In the case of Zero Trust as I was referring to earlier, it’s that mindset, right? It’s like we tend to want to just help people and sometimes give too much information out. That’s why this social engineering is such a soft spot or we click on emails and it just seems like something that we can’t help ourselves.
So the Zero Trust mindset is really about questioning that access if you’re someone who gives access to information. It’s always just in a nice way, always challenging and questioning why that access is needed. And part of Zero Trust too, is to avoid “set and forget.” Once you give that access, you should always be reevaluating whether that access is still appropriate. And I think that’s where some of these solutions come in, where they can automate some of that for you.
Tracy Holtz: I think that’s a big opportunity because as you think about access down to individual team members and across divisions, to your point, you mentioned where one individual team member may have access to multiple systems architecture. And then another colleague comes in and you’re verifying that they should have the same access. And then what do they do with that access? Have they logged in? Have they leveraged the access over a period of time? Because if they are not logging in and leveraging it, why do they need to have access to it? Because there certainly is risk in any of that, that there could be financials or other kind of information stored within those means that those colleagues have access to. So it’s a huge opportunity for any company to enhance what I kind of view as their data strategy. And their strategy because compliance comes into all aspects of identity access management PAM to me.
Paul Mezzera: Exactly. I think you mentioned risk too. And I think going back to that example of the person that’s asking for access, you also, it’s also helpful to know what their kind of holistic access is. What other access do they have? And in some cases you have people that have a lot of access to sensitive information. So their overall risk profile for that person is higher. So there, you’d want to even scrutinize even more so than normal. And again, you got to focus on the high risk, high value areas.
You just don’t have the time and the data to scrutinize every access. But at least if you’re aware of what that risk is and you know that these are your crown jewels applications, that if they go down that your company is going to take a real hit, then you try to focus on those.
Tracy Holtz: When it comes to the education piece of this, I know we touched briefly on it. I think that that’s a large opportunity for companies and partners to spend time educating around privilege access and identity access management and compliance and just really the automation capabilities. How would you, what’s your recommendation there? Are there specific kinds of experts in the field that companies should be employing that they should be looking at hiring or investing in skills around this area?
Paul Mezzera: That’s a good question. Actually at Gartner, I did a paper on skills for an IAM architect and Gartner did a whole thing on skills for cloud, for data architects and I did the one on identity and there’s this, the unique thing about the identity is that it requires knowledge in so many different areas and because it touches everything. I mean, you think about the developer, right? So they’re coding their applications and they need to authenticate the user. So there’s the ability and the need to understand at the API level and the code level how that integration works. So that’s one extreme and then there’s maybe someone that’s a database expert that needs to understand how they integrate at the database level. So it is a challenge in what to focus on.
But the good thing is that you could tap into potentially a developer that wants to get the foot in the door into security. And they would make a good identity person, right. Because they would be able to help other developers to do the right best practices from an IAM perspective. So I think you don’t necessarily have to have a specific education in IAM or in security, but just curiosity and willingness to learn and take what you know and use, apply that into that subject matter that you’re used to that what your background is.
Tracy Holtz: I often think that in this industry, especially in this field, I think that you’re very involved in or interested in mysteries or any kind of researching clue, any kind of gaming kind of where you’re really having to be thought provoking and thinking into next step, next level future, I think is a great opportunity for those kind of individuals with those skill sets to get involved in cyber, but more importantly into this particular field. Because those skills will go a long way with identifying, to your point, where there’s risk and identifying those pieces because they have those skill sets to be able to do so.
Paul Mezzera: Right. And one of the things that I, one of the quadrants that I put in my paper was the non-technical or the soft skills or business skills, I think that’s sometimes what’s lacking. I’ve had a long career as a developer in IT, and I’ve worked with a lot of smart people, but not very good people skills, they’re hard to work with. So they just want to do their coding and they just don’t want to be bothered. And this is from an interpersonal relationship, very challenging. So I think those kinds of skills are needed so much by cybersecurity and identity architects because they rely and have to talk with people outside of their community, the business folks, the audit folks, the executives, just all the different populations. And it’s really critical to have those people skills that kind of build those relationships with those individuals because you’re dependent on them committing resources to you in most cases.
Tracy Holtz: That’s very well said. I’ve got over a hundred folks in my organization and I talk often around relationships and the meaningfulness of those relationships. And I highly respect them because who you work with today could be certainly different tomorrow or comes full circle, right. You might have been a competitor to somebody and they’re now your boss.
Paul Mezzera: Exactly.
Tracy Holtz: So it’s a very small world in this entirely large IT industry, but it is relatively small in a lot of ways with the key folks and colleagues that we all get to know. So that’s what I love most is building those relationships and holding them very close to heart because that to me carries anyone as an individual long term, those people skills to your point.
Paul Mezzera: I agree with you 100%.
Tracy Holtz: If we touch on maybe just a few minutes about Saviynt and where you’re going as a company, what does the next three years look like for you as you continue chartering this remote hybrid cloud, heavy cloud, right? It’s going to continue, big investments around the cloud for every company on IT infrastructure. Where do you see your roadmap going?
Paul Mezzera: One is just a matter of adoption and making it easier for organizations to adopt identity access management solutions like Saviynt. So as we mentioned about the lack of skill sets, it’s really about how do we enable quicker onboarding, and being at SaaS product or as a cloud product that runs in the cloud, you do not have to worry about all the infrastructure that supports the solution. So that’s going to help right there onboard, make it easier as an organization to onboard, but still you have the configurations, the workflows and different things.
So my goal, because I used to be on the other side of it, implementing the software, is how can I make it easier to get up and running and show value quickly? And then also how do I empower my business really to make those access decisions, right? Give them, delegate them to make those decisions of who should I give access to or not. So making the user experience more business friendly so that you don’t need an IT person to support that system.
Because I used to be on the other side of it, implementing the software, my goal now is to make it easier to get up and running and show value quickly? And then also how do I empower my business really to make those access decisions, right? Give them, delegate them to make those decisions of who should I give access to or not. So making the user experience more business friendly so that you don’t need an IT person to support that system.
So looking at the modern UI, all those kinds of new technologies from a user experience perspective, no code, low code approaches to building workflows and connectors, the connectors are those that are used to connect say to your act directory or to your Salesforce SaaS solution. So those are what allows our software to talk to those systems and be able to create identities and remove identities. So as I mentioned at the beginning, it’s going to explode to not just hundreds, but thousands of applications.
We need to empower the organizations to do some of the building. Get out of the way, let them do more of the configuration and if we’re able to make it so they don’t need to have deep programming skills, in C Sharp or Java, then that’s going to help accelerate the adoption of IAM solutions. So I think those are some key areas.
And then as I mentioned earlier about machine learning, automating, ingesting that information activity logs and pulling information in and being able to make the system more autonomous, self-driving is kind of what I’ve heard another paradigm like a self-driving car. It kind of knows where you’re going, what speed to go.
And then you’re only involved when something out of the ordinary, so you’re not doing those mundane kinds of activities on the system, so that’s where I really like to see Saviynt accelerate there is to make it easier from a granting access and improving access and compliance perspective.
Tracy Holtz: I know they’re so exciting. And I haven’t jumped onto the self-driving ability yet. I still want a bit of more control. I think that being the cyber person that I am, it’s an opportunity for all of us. And I think it’s certainly exciting on how the future is shaping and just transportation and motor vehicles in general. But I like the safety phase. That’s where I’ll kind of lean in. I do think that there’s a greater enhancement around our safety features and our cars, but I love that because what you talked about there to me is very transformational as a workshop. And how we help as a distributor with you Saviynt as a manufacturer, help our partners really around that digital transformation kind of evolution. So I don’t want to summarize it, but if I quickly think of how a quick workshop could look like, it’s really, it’s how digital transformations accelerate identity access management, and what does that mean for companies around automation.
And to your point, the configuration, because in a cloud infrastructure where it could be API is to machine automation there, there’s a tremendous opportunity for us to build solutions and then deploy them through even like our click to run platform, which ultimately does a lot of that configurations in the cloud through all the major platforms. So really exciting times and a huge opportunity for both of us and our partners and their clients to really reshape their entire identity strategy and manage through compliance, because compliance is only going to continue in this space as government regulations come down or amendments are released.
Paul Mezzera: Exactly. I agree with you. I mean, that’s one of the big benefits of a identity governance solution is that SOCs, HIPAA, all those different compliance mandates and what’s the information that say an auditor needs to see and the automating some of that information so that you have those prebuilt reports that probably require some tailoring, but you already have a lot of what you need to be compliant from an industry specific regulation.
Tracy Holtz: No, absolutely. And it’s much more than beyond a Multi-Factor Authentication kind of solution as that next level into the compliance aspects of it and administrative aspects of how we manage users and authentications.
Paul Mezzera: No, I agree. I think the access management is a key piece and going back to Zero Trust, we sometimes think, on the authentication piece, that we don’t trust someone that we, or we’re continually assessing the user’s behavior and it will maybe log them off or require MFA. But the Zero Trust also has to do with all the backend stuff that something like a Saviynt does is making sure that the user, when they transfer to another group, that’s picked up and there’s some sort of a workflow that’s triggered that then the new manager checks, hey, does this person really need that same access? So Zero Trust’s got to be in every aspect of identity, not just the access management, but all the backend as well.
Tracy Holtz: Absolutely. My husband loves me, but he absolutely hates that I tell him not to click on anything to never trust anything because of the phishing world that we live in today. And frankly, when it comes down to the in question every ability of why you got that email or the link and to never click on it. So he always thinks I’m a bit more radical on my cyber security policies in general, but if we weren’t in security, then probably we wouldn’t have that same perspective.
Paul Mezzera: That’s true.
Tracy Holtz: Well, Paul, thank you so much for joining me today. This was absolutely an intriguing conversation. I know our listeners got a lot out of it. To me, identity access management is an area that I’d love to see more of our partners get involved in. And it’s a huge services opportunity for them as well. And just where the transformation around the cloud and data and compliance is absolutely where it’s at today for our market, but going forward is a huge opportunity for all of us. So thank you again for joining me. It was great to have you on.
Paul Mezzera: You’re welcome. I’d love to visit you again. Maybe we could dive into specific areas or however you want to take the conversation. So thank you for inviting me.
Tracy Holtz: No, absolutely. I will take you up on that and into our next coming year, we’ll definitely have you on again, and we can go deeper into some of these areas. And I think even just think about just the education aspects that we could talk deeper into with our partners around how both of all companies owned really an education aspect of it too. I’d love to continue the dialogue and it was great to meet you and have you on The Holtz Story and look forward to hosting you again in the coming months.
Paul Mezzera: Great. Thanks again, Tracy, very much.
Tracy Holtz: Thank you. Thanks again, Paul. And thank you everyone for listening. If you enjoyed this episode, I really appreciate you taking the time to subscribe using your favorite podcast application. We are hosted on Apple, Spotify, iHeartRadio, Stitcher, and many other podcast platforms. We’re adding new podcasts monthly, and you can also access our podcast at theholtzstory.com.