Entitlement Enlightenment: SailPoint and AWS Enhance Identity Security

By Alec Gruss, Senior Product Manager, SailPoint Technologies
By Imaan Tariq, Customer Solutions Manager, AWS
By Karthik Ram, Principal Solutions Architect, AWS

Partner Name

SailPoint Technologies is a leader in the identity security domain, focusing on innovative solutions that enhance access governance and control. As businesses increasingly rely on cloud services, the complexity of managing identities and permissions has grown to an exorbitant level. SailPoint’s customers often struggle with the challenge of overseeing thousands, or even millions, of security entitlements, including policies, identities, and access rights.

A major challenge in entitlement management is the unclear descriptions for about 60% of customer entitlements, complicating access provisioning. This ambiguity can leave users uncertain about granting the correct access and meeting compliance requirements, akin to navigating a maze without a map, resulting in inefficiencies and potential security risks for organizations.

To address this, SailPoint has rolled out an innovative feature for their Identity Security Platform known as GenAI Descriptions for Entitlements. As we explore the development of this feature and the collaboration between SailPoint and AWS, we will uncover an accelerated journey of innovation reshaping the identity security landscape.

Demystifying Entitlements: Their Importance and Impact

Entitlements refer to the access rights assigned to a user, which can include group memberships or specific permissions. They represent the “smallest atomic unit of access” in an organization. Describing access at this fundamental level provides a foundation for future generative AI (GenAI) features and offers immediate benefits to users by providing clearer context for access management.

Business decision makers frequently face the task of certifying the access required by their teams. However, they often lack expertise in the various applications and must navigate the complexities of making decisions based on cryptic entitlement names with inadequate or unclear descriptions. This can lead to over-provisioning, since in the absence of information, users default to maintaining access. Meaningful entitlement descriptions help managers make better decisions, right-sizing their team members’ access and reducing risk due to over-provisioning.

Figure 1. Users asked to certify access for unclear descriptions

Well-described entitlements are also essential for compliance teams as they provide the necessary controls, clarity, and documentation needed to manage access rights effectively. This feature facilitates efficient accurate audits that help organizations demonstrate regulatory compliance.

GenAI Descriptions for Entitlements is seamlessly integrated into SailPoint’s industry-leading Identity Security Platform to support organizations that are struggling with the scale of today’s access management challenges.

From Concept to Reality: Listening to Our Users in Shaping the Solution

SailPoint’s journey with GenAI Descriptions for Entitlements began last year with a small project team that put the large language model (LLM) hype to the test through experimentation. Out of that effort, the team identified several use cases that were promising. Generating entitlement descriptions emerged as a top priority for productization. After showcasing a demo of this feature at Navigate 2023 (SailPoint’s annual conference), SailPoint actively listened to the feedback and insights from users.

SailPoint customers showed excitement at the prospect of quickly obtaining human-readable, understandable entitlement descriptions proliferated in their tenants.

They highlighted several benefits:

1. Simplified certification processes
2. A practical application of GenAI/LLM technology in identity and access management with significant positive impact
3. Potential cost savings by replacing consultant-written descriptions with AI-generated ones, which some were already validating using ChatGPT

The positive reception from customers validated SailPoint’s prioritization for GenAI Descriptions for Entitlements, setting the stage for its integration into their Identity Security Platform.

Seamless Integration: Enhancing Existing Workflows

SailPoint built this feature into the Entitlements Administration and Approvals page for it to be a natural extension of known workflows, rather than users needing to jump to a dedicated GenAI section. Administrators can straightforwardly kick off the process, and reviewers know where to go to approve the descriptions.

From numerous conversations with customers, SailPoint recognized that to achieve their goals, they needed to focus on two key objectives:

1. Simplifying the process of generating descriptions, and
2. Ensuring that subject matter experts could quickly review and edit these descriptions before they were finalized for the entitlements

Figure 2. User selects entitlements for their descriptions to be generated

Figure 3. Suggested descriptions can be approved or sent to reviewers who are familiar with access 

As SailPoint delved deeper into the technical aspects of implementing these objectives, they realized they needed to explore potential partnerships that could accelerate their development process.

A Collaborative Journey: From Ideation to Implementation

Figure 4. AWS and SailPoint joined forces to launch GenAI Descriptions for Entitlements

SailPoint already uses AWS for most of its infrastructure, so it was natural for the tiger team exploring the use case to reach out to their AWS partners. SailPoint worked closely with AWS in the ideation phase, jointly defining the use case and requirements for the GenAI Descriptions for Entitlements feature. This collaborative approach made sure that the solution directly addressed the core challenges faced by customers, in addition to any legal requirements. For an optimized technical solution, SailPoint chose Amazon Bedrock for its advanced capabilities, enabling the creation of high-quality, contextual entitlement descriptions. Initially, the Claude Instant LLM was selected, but as the project evolved, the team transitioned to the more advanced Claude Haiku model. To support the rapid development of the GenAI Descriptions for Entitlements feature, AWS conducted deep-dive sessions, demos and hands-on workshops allowing SailPoint team to familiarize themselves with Amazon Bedrock and related services. Additionally, AWS’s close collaboration made sure that the necessary models were available in key regions identified as significant for SailPoint customers, thereby expanding the feature’s reach. Feedback from the initial launch in February 2024 to a few customers was used to refine the capabilities before releasing the feature to all SailPoint Business Plus customers. This strategic partnership illustrates how collaborative efforts can drive innovation and improve customer experiences in the cloud security landscape.

The Architecture: Powering Intelligent Descriptions

GenAI Descriptions for Entitlement is a feature of SailPoint Identity Security Cloud (ISC) which uses Amazon Bedrock, a fully managed generative AI service that offers a choice of industry leading foundations models (FMs) along with other broad capabilities that is needed to build generative AI applications, simplifying development with security, privacy and responsible AI. The ability to switch between models and compare the accuracy and performance using Amazon Bedrock enabled SailPoint to rapidly develop this solution from concept to implementation in just a few weeks. Currently the solution uses Anthropic’s Claude Instant and Claude Haiku models for generating the descriptions.

Figure 5. An AWS Architecture diagram of the solution showing the different AWS services and components involved

The solution comprises of microservices hosted on Amazon EKS, a managed service from AWS that makes it simple to run Kubernetes without installing or operating Kubernetes control plane or worker nodes. Suggested D4E microservice handles the core logic of building the descriptions by sending the requests to a LLM Proxy microservice which acts as a gateway and handles the queuing of the requests through Amazon Simple Queue Service (SQS), another fully managed service from Amazon for managing message queues. The response from Amazon Bedrock, including the descriptions, entitlement, and user information gets persisted to an Amazon Relational Database Service (RDS) database for PostgreSQL.

The Approval service listens to new Kafka topics and handles the approval process. Apache Kafka is an open-source, high performant, fault-tolerant, and scalable environment for building real-time streaming data pipelines and applications. Apache Kafka is hosted on Amazon Managed Streaming for Apache Kafka (MSK), a managed AWS streaming data service that manages the Apache Kafka infrastructure and operations, making it simple for SailPoint to run Apache Kafka on AWS. The Kafka topics handle the state of the record from the time the user clicks on Generate Descriptions until the approval workflow is complete, including handling the state of the request from Requested, Suggested, Pending Review to Approved statuses.

Early Success Stories: Transforming Identity Governance

Once the feature was introduced to SailPoint ISC Business Plus, over 30% of eligible customers used the feature within the first month of release. The users appreciate the ease with which they are able to generate descriptions and find its capability to generate meaningful entitlement descriptions pretty impressive. GenAI Descriptions for Entitlements can assist consultants in writing entitlement descriptions, resulting in tangible cost savings for the organizations.

Looking Ahead: The Future of AI-Powered Identity Security

As SailPoint continues to iterate, the focus is on improving the output quality of generative AI-suggested descriptions. This involves a new feature called Generative AI Knowledge Base, which lets customers add custom context, tailoring descriptions to their specific organizational needs and industry-specific acronyms. To learn more about the upcoming iterations please visit SailPoint’s public site.

The AWS and SailPoint partnership has not only led to the successful launch of GenAI Descriptions for Entitlements, but has also set a precedent for future innovations in identity security. This collaboration demonstrates the value of using technology to simplify complex processes. By adopting this approach, organizations can save time and resources, enabling them to focus on their core business rather than managing overhead and risks. Companies are urged to foster collaboration and experimentation to drive technological advancements. Let’s continue to innovate, share insights, and create solutions that empower organizations to thrive.

.

.

SailPoint Technologies – AWS Partner Spotlight

SailPoint Technologies is an AWS Advanced Technology Partner and AWS Competency Partner that provides an advanced monitoring solution for cloud apps and modern infrastructure that aggregates metrics across distributed services to alert you on service-wide issues and trends in real-time.

Contact SailPoint Technologies | Partner Overview | AWS Marketplace