Air New Zealand takes zero-trust to the skies

Jason Stevens

“Privileged access management is a core pillar of our cybersecurity program going forward,” said Phil Ross, chief information security officer at Air New Zealand — an airline handling sensitive customer data, including millions of frequent flyer accounts. 

“We need to earn customers’ trust back,” he said during the latest episode of Identity Inside/Out: Getting identity security right, an podcast series produced in partnership with SailPoint.  

This need became more acute following the recent Star Alliance data breach, which highlighted vulnerabilities in data security across the aviation sector. The incident exposed hundreds of thousands of sensitive airline passenger details, including frequent flyer names and statuses. 

“It’s not just what’s happening in New Zealand or Australia or the United States,” said Simon Ell, A/NZ sales manager at SailPoint. “If you’re holding customer data of European citizens, then GDPR [General Data Protection Regulation] applies,” illustrating the broad impact of international regulations on Airport security practices.

SailPoint focuses on unified identity security, aiming to safeguard human and machine enterprise identities across several industry sectors, including aviation. 

The airline sector faces heavy flight safety and engineering maintenance regulations, but the “regulation of cybersecurity aspects, particularly in comparison to sectors like banking, is still evolving,” Mr Ross said. 

SailPoint is helping Air New Zealand apply zero-trust environments to regain customer trust, a dire need for a company facing high operational complexity and legacy technical debt. The company isn’t just flying planes but also running a retail business selling tickets and a cargo business moving freight. 

“Complexity arises through organic growth of networks, personnel, and applications,” Mr Ell said. “Over time, people are added to directories without adequately governing their access.” 

Consequently, identity management, a foundational element, must be addressed in large organisational structures. 

During the COVID-19 pandemic, the challenges of managing this diverse complexity mounted. The airline had to navigate massive staff changes and the associated implications for access rights and identity management.  

“The pandemic was a good wake-up call for us from the identity aspect,” said Mr Ross, who leaned heavily on SailPoint’s AI-driven ID management expertise. 

He points out the difficulties in managing access for employees, particularly those temporarily laid off or moved to other companies.  

“We didn’t have a way of providing granular access control. It was either all or nothing.”

SailPoint helped the airline rethink its approach to identity management completely, including secure and appropriate access for various third-party stakeholders covering airport operators and other airlines, who had different levels of access to critical systems and sensitive customer data. 

“From a SailPoint perspective, it comes down to who has privileged access to those systems or in that process and can we affirm to make sure that an audit that the right people have access at the right time,” said Mr Ell. 

SailPoint emphasises that it’s crucial for companies like Air New Zealand to meet regulations and have systems that automate these processes. 

“If you don’t have some way of automating it… you’re going to get [a] garbage in, garbage out experience,” continued Mr Ell, underscoring the importance of clear understanding and active participation in managing access to avoid confusion and errors. publisher Corrie McLeod with SailPoint A/NZ sales manager Simon Ell and Air New Zealand CISO Phil Ross

The future challenge for Air New Zealand is the increasingly interconnected nature of cybersecurity and flight safety in modern, digitally-enabled aircraft.    

Cybersecurity is no longer separate from the physical aspects of flight safety. Initially, flight deck systems were distinct from other systems like Wi-Fi and inflight entertainment, but this distinction has diminished as systems have intertwined. 

As this line blurs, identity management becomes crucial.  

“With tighter integration into safety means that identity is then playing a pivotal role in flight safety,” said Mr Ross. 

SailPoint is helping the airline formulate plans to integrate identity systems with physical access controls. “If people haven’t done their required eLearn[ing] or health and safety modules… then their access control on the card system no longer works.”

Mr Ell said the evolution of identity management within Air New Zealand’s zero trust journey illustrates the buy-in required from CISOs like Mr Ross and higher board-level executives. 

“We went from a tiny identity team to one making up half of the entire cyber security team,” Mr Ross said.  

SailPoint, he concludes, has been invaluable regarding the employee experience, contributing heavily to the bottom line.  

“All Phil and I are trying to do with the SailPoint solution is to make sure that we’re providing the plumbing to allow that business process to take place,” said Mr Ell.

This podcast series is being produced by in partnership with SailPoint. 

Do you know more? Contact James Riley via Email.

Leave a Comment