You’ve asked a simple question which begs a complex answer. First, let me emphasize that I have not performed an in-depth product review. I have only done a very cursory, high level review of the offerings of these companies. So, part of my answer will be based on my experiences as an enterprise architect at a very large company. I was not part of the IT security organization, but I often worked closely with them.
First, look at the problem we are trying to solve. In a nutshell, we want people (and machines and “things”) to have unfettered access to the IT resources they are supposed to have access to in order to perform certain prescribed functions. At the same time we want to make attempted unauthorized access so opaque that knowledge about whether or not the requested resources even exist is not disclosed. At least, that’s the ideal.
What does that mean? Let’s just look at some numbers. I worked at a firm with well over 100,000 employees. Every one of them had some kind of access to some parts of the IT infrastructure. Many of them (like myself, for example) had access to numerous applications, and because I was an IT guy often involved with application development, I had numerous securities to certain applications hosted in different domains (dev/test/frz/prod) as I took on different roles during the development process. I often had multiple ID/pswds during test cycles in order to emulate different user roles. And it was not unusual for users to have multiple ID/pswds as well as they functioned in different roles. And now, there are myriad entry points to most applications: via hard-wired on-campus networks, but external internet access is common, and cloud is generally approached via the internet and may or may not house the data repository and may or may not host the applications. And then there’s machine-to-machine and the IoT and probably other means of gaining entry. In other words, there really is no periphery to the enterprise any longer.
Now layer on top of that devices. Where I worked, the company used to issue computers to the employees. At first they were dumb terminals, later, hard wired desktop computers (or more sophisticated devices depending on use). Then they issued laptops. All the while precluding access via any personal devices. But that eventually unraveled as well. Suppliers and customers needed access to certain resources. Now, phones and tablets are common. There’s no way to control all the devices. Even the general public can access the public facing corporate website from almost anywhere there’s an internet connection (we can prohibit certain IP addresses, but they can be spoofed) with just about any device in their possession.
I could expound on this further, but I assume that’s enough to provide a picture. So, there’s no periphery; most anyone (or thing) from anywhere might gain access, a vast array of people, machines and things that have a legitimate need for access, and even a great many anonymous users.
Security seems like it’s just a dream in an environment of this nature. Let’s discuss how this mess is managed in a reasonably efficient, pragmatic manner.
First, I’ll address users and machines as they are more or less treated similarly. IoT is not something I dealt with (the company I worked at was just beginning to explore this domain with product-embedded sensors that “reported” home on status, but it had not really been incorporated. However, I assume it to be handled much the same as any other entity needing IT access).
So, let’s break it down. We’ve got resources, we’ve got users, we’ve got roles (or jobs), and we’ve got the intersection between users (machines, etc.) in roles that require different levels of access to different resources. What does “access” mean? I’m not sure anymore with all the different information types, but in the old days we talked about the CRUD matrix. That was Create, Read, Update and Delete. That was pretty much OK for captive, text-oriented database records. But that soon proved insufficient. How about print, copy, attach, forward, save to a USB drive, etc.? How is all this supposed to be managed?
Well, we need to have a directory of authorised users. “Authorised” refers to those who have need to access some set of resources beyond what is permitted to anonymous users. There are different ways of addressing this. AD stands for Active Directory (a Microsoft product for the Windows/NT environment); LDAP stands for Lightweight Directory Access Protocol (this is an industry standard; I think it evolved in the UNIX environment).
Sailpoint provides a directory as well. I’m not sure if it complies with industry standards or if it’s proprietary. So all our users (and machines, I assume “things” have a class identity, but probably not an individual identity) have an entry in the directory. But it would be a nightmarish task to try and manage every security individually. Just like you have a UID/pswd for access to TMF, your bank, broker, Amazon account, etc. so too do users in the corporate environment.
I didn’t work for HR, but I could go online and review my work history. I could see my current pay grade, salary, benefits, etc. I couldn’t update anything but my address, phone number and a few other Personal Information (PI) items. On the other hand, I had quite extensive access to other applications and file servers. My security was not centrally managed for all my authorized access capabilities, but ideally it would have been. Instead, I had to log off of each application when I was finished and log on to the next one, just like accessing your different accounts on the web. And worse still, different people administered my security depending on which applications were involved. When folks changed jobs or left the company, security updates were often ignored. I wouldn’t be surprised if I still had some orphaned securities even though I retired 8 years ago.
A better approach is to centrally manage IDs (the directory) and place IDs (users) in roles as many users would be in the same role. Access permissions should be written as machine readable policies and the policies are assigned to roles as opposed to individuals. Hence, every user in a given role inherits the permissions assigned to those roles. With this arrangement we are no longer trying to manage each individual’s permissions as a separate set of rules.
But we still have to manage the security policies, the role descriptions, the user assignment to roles, and the UID/pswd assignments to applications. Still a somewhat daunting task, but more manageable than treating every person and every permission assignment individually. Even if the information is centralized, the job of assignments can go to the appropriate parties. HR can manage the directory. Managers can assign the roles of their subordinates. They can work with security experts on policy definition, etc.
So, let’s get back to these three companies and their offerings. First, from my quick review, it is obvious that there is overlap in their product offerings, especially between OKTA and Sailpoint (Zscaler is in a different category; I’ll get to that in a bit). But even with some product overlap, they are not necessarily competitors. First, because they have a different emphasis, but also due to the way companies implement security.
Where I worked, the IT security folks talked about “layered security in depth.” What that means is that no single product was adequate or even desired as the security solution. This is just about the last thing you want to do. That’s designing a single point of failure into your security architecture. Bad idea. And there are myriad points of potential failure. So far I’ve mostly addressed (inadequately, I might add) access to information via man/machine access to applications. There remains database security (which applications can access which stores) and server security (similar to database security). Network security (which devices are permitted to enter data to the network within geographic constraints). And so forth.
Sailpoint, as I understand it, is long and strong in the governance domain. The directory, policy definition, role description and ID assignment thereto is what they do best. OKTA provisions authentication and ID/pswd authorization. Authentication is the act of ensuring that the ID attempting to gain access is in fact the entity to which the ID is assigned. This can be accomplished in a number of ways. Two-factor authentication forces the entity to provide a secondary proof they are who they say they are. If you’ve ever had to get a code via a text or email which had to be entered in order to proceed, that’s an example. Biometric ID (fingerprint access to your phone) is another authentication method. And OKTA also keeps track of all your ID/pswd combinations to various apps and presents them on a menu so the user only has to sign on once (authorized) instead of the time-consuming, error-prone routine of logon/logoff to every app. In a way, OKTA implements the permissions governed by Sailpoint.
Zscaler is a different critter and addresses a different security problem. You probably have Norton or McAfee or similar on your devices. These are intended to protect you from malware. They do this by “signature.” These companies maintain databases of known malware and other threats. They regularly update the signatures (think of it as the names) of all these threats and distribute that list to their customers’ devices. This is an endless task of discovery as the signatures can be slightly modified in order to create a new threat.
Another approach is to look for odd behavior. Assuming that some threats will gain access, they are not really a threat until they do something unexpected. Is there some app that appears to be capturing keystrokes and sending the info off to an unknown IP address? Is there some odd internal information handling going on that is not characteristic of any application (like writing database records to a file server)? Etc. The Target breach a while back was observed as anomalous behavior. It was not interfered with due to management failings.
Zscaler takes a different approach. No matter what threat, it can only gain access (unauthorized, or authorized with stolen credentials) via the network. Information is moved across the network in packets or discrete chunks. It’s not just one continuous stream of information. There are all kinds of good reasons for that; I won’t go into it. As I understand it, Zscaler inspects every packet. Their product is able to determine whether a packet contains a threat as well as which other packets it’s linked to. Don’t ask me how that is accomplished as I don’t know. But that seems to be what they claim. And, in fact, I tend to believe that claim because if they couldn’t provide what they claim, they’d be out of business. Exactly how this ties in with their cloud architecture is not something I took the time to explore, but it relates to having a hundred or more data centers around the world that coordinate this inspection process. There is no single point of failure.
I have in fact only scratched the surface; I’ve simplified and left other aspects completely out of the discussion. IT security is one of the most complex subjects in the entire IT milieu and I’m not an expert, so there’s a good chance I’ve made a few inaccurate statements. But this isn’t a bad overview, I think. I hope this helps.
I’m long OKTA and Zscaler. I’ve not really looked at Sailpoint from an investment perspective at all. But my impression is that they are more of a complementary product for OKTA than a head-on competitor. I’m reasonably certain I read somewhere that they have some kind of partner agreement with OKTA.
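The post's description of a central directory, roles carrying machine-readable policies, users inheriting permissions through role membership, and the orphaned access that lingers after job changes, written out as a small working model. This is an added example, not code from the post or from SailPoint or Okta; every user, role, resource and policy in it is constructed sample data, and the class and method names are my own.

```python
"""Toy role-based access control (RBAC) model.

Added example, not code from the forum post or any vendor product.
It models a central directory of identities, roles that carry
machine-readable policies, users who hold permissions only through
role membership, default-deny for unknown identities, and the
orphaned-access problem after a job change or departure.
All users, roles, resources and policies are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The classic CRUD matrix plus the extra actions the post asks about.
ACTIONS = frozenset({"create", "read", "update", "delete", "print", "forward", "export"})


@dataclass(frozen=True)
class Policy:
    """Machine-readable statement: these actions are allowed on this resource."""
    resource: str
    actions: frozenset

    def __post_init__(self) -> None:
        unknown = self.actions - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions for {self.resource}: {sorted(unknown)}")


@dataclass
class Role:
    name: str
    policies: tuple = ()


@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)


class Directory:
    """Central directory: identities, role definitions and role assignments."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.users: dict[str, User] = {}

    def define_role(self, name: str, *policies: Policy) -> None:
        self.roles[name] = Role(name, tuple(policies))

    def _check_roles(self, roles: tuple) -> None:
        for r in roles:
            if r not in self.roles:
                raise KeyError(f"undefined role {r}")

    def add_user(self, uid: str, *roles: str) -> None:
        self._check_roles(roles)
        self.users[uid] = User(uid, set(roles))

    def change_job(self, uid: str, *new_roles: str) -> None:
        """A job change replaces the whole role set, so the old job's access cannot linger."""
        self._check_roles(new_roles)
        self.users[uid].roles = set(new_roles)

    def permitted(self, uid: str, resource: str, action: str) -> bool:
        """Default deny: an unknown identity gets the same answer as a known one
        without the permission, so the check discloses nothing about the resource."""
        user = self.users.get(uid)
        if user is None:
            return False
        return any(p.resource == resource and action in p.actions
                   for r in user.roles for p in self.roles[r].policies)

    def effective_permissions(self, uid: str) -> dict:
        """Flatten role membership into resource -> actions, for access reviews."""
        perms: dict = {}
        for r in self.users[uid].roles:
            for p in self.roles[r].policies:
                perms.setdefault(p.resource, set()).update(p.actions)
        return perms

    def orphaned_users(self, active_uids: set) -> set:
        """Identities still holding roles that HR no longer lists as active."""
        return {u.uid for u in self.users.values() if u.roles and u.uid not in active_uids}


def build_sample_directory() -> Directory:
    """Constructed sample: four roles, two users."""
    d = Directory()
    d.define_role("employee",
                  Policy("hr.self_service", frozenset({"read"})),
                  Policy("hr.contact_info", frozenset({"read", "update"})))
    d.define_role("developer",
                  Policy("app.dev", frozenset({"create", "read", "update", "delete"})),
                  Policy("app.test", frozenset({"read", "update"})))
    d.define_role("release_manager", Policy("app.prod", frozenset({"read", "update"})))
    d.define_role("payroll_clerk", Policy("hr.payroll", frozenset({"read", "update", "print"})))
    d.add_user("alice", "employee", "developer")
    d.add_user("bob", "employee", "payroll_clerk")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.permitted("alice", "app.dev", "delete"))   # True, via the developer role
    print(d.permitted("alice", "hr.payroll", "read"))  # False, no role grants it
    d.change_job("alice", "employee", "release_manager")
    print(d.permitted("alice", "app.dev", "delete"))   # False, old job's access is gone
    print(d.orphaned_users({"alice"}))                 # {'bob'} once HR stops listing bob
```

The point of `effective_permissions` and `orphaned_users` is the review step the post says was missing where the author worked: with roles as the only path to a permission, an access review is a flat listing per identity, and a departure shows up as an identity that still holds roles but is absent from the HR-maintained active list.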
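The post's contrast between signature-based malware detection (a database of known threats that goes stale the moment a sample is slightly modified) and behaviour-based detection (an app capturing keystrokes and sending them to an unknown address, or a database service writing records to a file server), shown side by side. This is an added example, not code from the post or from any vendor; the "sample" is plain text, the process names, baseline, address ranges and event stream are all constructed, and the function names are my own.

```python
"""Signature-based vs behaviour-based detection, side by side.

Added example, not code from the forum post or any vendor product.
The signature check is an exact SHA-256 match against a constructed
"known sample"; the behaviour check compares each event against a
constructed baseline of what every process is expected to do.
All samples, process names, addresses and events are constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress

# Constructed stand-in for a signature database: hash of a known sample -> name.
# The sample is harmless text, not real malware.
KNOWN_SAMPLE = b"constructed test sample, version 1"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Sample.A"}


def signature_match(content: bytes) -> str | None:
    """Exact-hash lookup. Any single-byte change to the file defeats it,
    which is why signature databases need endless updating."""
    return SIGNATURES.get(hashlib.sha256(content).hexdigest())


# Constructed behaviour baseline: the actions each known process is expected to take.
BASELINE = {
    "browser": {"net_send", "file_write"},
    "mail_client": {"net_send", "file_write"},
    "db_service": {"db_read", "db_write"},
}
# Processes allowed to send to addresses outside the (constructed) corporate ranges.
EXTERNAL_OK = {"browser", "mail_client"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def behaviour_alerts(events: list) -> list:
    """Return one alert per event that departs from the baseline.
    Each event is {"process": str, "action": str, "dst": str (only for net/file actions)}."""
    alerts = []
    for e in events:
        proc, action = e["process"], e["action"]
        reasons = []
        expected = BASELINE.get(proc)
        if expected is None:
            reasons.append("process not in baseline")
        elif action not in expected:
            reasons.append(f"action {action} not expected for this process")
        if action == "net_send" and proc not in EXTERNAL_OK and not is_internal(e["dst"]):
            reasons.append(f"outbound traffic to external address {e['dst']}")
        if reasons:
            alerts.append({"process": proc, "action": action, "reasons": reasons})
    return alerts


# Constructed event stream: two normal events, then the two cases the post describes.
SAMPLE_EVENTS = [
    {"process": "browser", "action": "net_send", "dst": "203.0.113.10"},
    {"process": "db_service", "action": "db_write"},
    # A database service writing records out to a file share: odd for that app.
    {"process": "db_service", "action": "file_write", "dst": "10.0.5.20"},
    # An unknown process sending data to an address outside the corporate ranges.
    {"process": "keycap_helper", "action": "net_send", "dst": "203.0.113.7"},
]


if __name__ == "__main__":
    print(signature_match(KNOWN_SAMPLE))          # Constructed.Sample.A
    print(signature_match(KNOWN_SAMPLE + b"!"))   # None: one extra byte, signature misses
    for a in behaviour_alerts(SAMPLE_EVENTS):
        print(a["process"], a["action"], a["reasons"])
```

The two checks fail in opposite ways: the signature never fires on anything it has not seen before, while the behaviour rules fire on anything outside the baseline, including legitimate new software, so in practice both are layered rather than chosen between, which is the "layered security in depth" the post describes.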