Vinita Bhushan, Co-founder of Pontis Research, spoke with SafetyDetectives about the company’s focus on Identity and Access Management (IAM) and its role in today’s digital landscape. Pontis Research offers a range of IAM services, helping organizations navigate the evolving privacy landscape while emphasizing the importance of proactive planning for privacy compliance. Bhushan foresees stricter regulations and greater accountability shaping the future of privacy-focused services and solutions.
Can you tell me a little about your journey and what motivated you to establish Pontis Research?
Hi, I am Vinita Bhushan, and I have been with Pontis Research since it started. Initially, it was a subsidiary of a British company called Pontis Consulting, which was started in the early 1990s. We were a group of senior executives at Unisys, and our goal was to provide systems management and security services to the financial sector.
Originally, a lot of our security work was done with banks in Europe. But in the next few years, we noticed the US market was picking up. Meanwhile, Pontis Consulting was bought by Cap Gemini. Rather than being part of the merger, I bought out the US division in 2000.
My goal was to build a security practice in the US. Given the newness of it all, we rapidly earned globally distributed, large customers, and our early successes earned us recognition from the security vendors, and that’s what helped us go forward. At heart, we were a really technical bunch of security consultants who knew what we were doing in the space.
Over time we grew organically. Coming to Identity and Access Management (IAM), we got into that largely because it was the piece that we most understood at the time. While we offered penetration testing, vulnerability analysis etc., we noticed that every single time we went into an organization, the piece that they fully appreciated and understood but had nothing in place for, was identity and access. So we pigeonholed ourselves into IAM and super specialized our team with all the products in that space.
What are the main services offered by Pontis Research?
The primary services revolve around IAM. We do everything from guidance to implementation, to managed services and these days a lot of modernization. We help companies go from where they are to where they need to be with IAM assessments, maturity planning, looking at risks and compliance and then building a roadmap. Then, based on that roadmap, we help them implement solutions. And we’ve built products to help them measure productivity and how they’re doing against the actual roadmap. So it’s a full IAM lifecycle.
Can you explain the evolving importance of Identity and Access Management (IAM) in today’s digital landscape?
In the old days, people had networks, they had firewalls, and they had everything secured within them. So it was like you had a compound, and you had everything secured in that.
What changed was the whole globally distributed landscape and cloud services. Now it was more important that you could identify who the person was because that was the critical entry point. Who is this person?
Identity in this globally distributed, fuzzy boundary space became critical. And then the minute you say identity, the next thing is, what can that identity do, and then how do you govern it? What are the rules around it? So Identity and Access sort of grew because of the key fact that it was the entry point for any individual or account in a digital landscape.
Privacy concerns have taken center stage in recent years. How does IAM play a role in enhancing privacy for both businesses and individuals?
So, let’s talk about identity, right? We said identity is critical. It’s the entry point for privacy.
There’s all this talk about sensitive personal data versus non-sensitive personal data. But the key thing is most companies take identity data, take information about the person, and then they have no idea where it goes.
I’ll give you an example. We had a client who used Amazon for fulfillment of their distribution of goods all over the world. They were providing identity information about their consumers to Amazon. When GDPR came in and compliance came in, and privacy concerns started going through the roof, they realized they knew about the data they had internally; in fact, they had some pretty good controls. But when it came to the data they passed off to Amazon, there was no oversight.
So what is changing in the privacy landscape is that the company that collects and distributes identity and consumer data becomes accountable for where that data is stored, how it’s distributed. It’s the accountability that has changed, and with accountability, Identity and Access become critical. Because who can provide that data? Who decides where that data goes? Suddenly, you’ve got a whole identity space, which is critical, both from an administration standpoint and from a consumer data standpoint.
As organizations navigate the evolving landscape of data privacy, what key policies and safeguards do you recommend implementing to effectively protect sensitive identity data?
Before you even get there, I think organizations have to take a step back. They have to see what they have.
The challenge I’m seeing in the privacy landscape is people are knee-jerking. Suddenly, there’s a fine, suddenly there’s an audit looming, and their reaction is, “Oh, let’s just put something together.”
You’ve got to step back, have a plan, and then implement it. You cannot just rush off and say, “I’ll have a tactical solution” and cross your fingers and pray that it will get you through the next compliance audit cycle. So privacy is going to become critical in that it has to be built into the lifecycle of every organization’s application delivery, management of software, etc.
As privacy concerns continue to evolve, what trends do you foresee shaping the future landscape of privacy-focused services and solutions?
I think what’s going to change is the rules and laws will get a lot more stringent. Accountability is going to change, and individuals whose data is being stored will have a lot more say when their data gets exposed. Laws are going to come in, organizations are going to put regulations in place, and the minute there’s a fine associated with violation of regulations, you’re gonna see people get more compliant.
But what is going to be challenging is to avoid the spikes of money spent on tactical responses. Just like we would talk about information security in the past and say build it into your planning from the start, we’re going to have to do the same thing with privacy.