Archives For March, 2010

March 30th, 2010

Provisioning made simpler

On March 22nd, SailPoint announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to meet the need for business-friendly access request, effective user lifecycle management, and ongoing compliance and audit requirements.

In the coming weeks, we’ll devote much of this blog to providing you with more insight into our new approach and new products. First, I’d like to explain how SailPoint arrived at today’s announcement and what it means for our current and prospective clients.

SailPoint released the first iteration of our identity governance solution, IdentityIQ, in early 2007. Since then, we’ve been dedicated to helping customers achieve regulatory compliance at a reduced cost, improve internal controls and better manage the risks associated with access to sensitive data and applications across the enterprise. There was clearly a need for this solution in the market – as evidenced by the increasing focus industry analysts have placed on this space, as well as our own customer adoption.

In September 2008, we added business-friendly, self-service access request capabilities to IdentityIQ. As we worked with our customers to roll that capability out across their organizations, those same customers began pushing for SailPoint to manage the entire lifecycle of user privileges. The problem was that existing solutions for requesting and managing user access were at best outdated and inefficient, but more importantly, they were too complex to be used by business users.

As many of you know, SailPoint’s heritage dates back to Waveset (acquired by Sun in 2003), so many of our executive and technical staff have deep roots in the provisioning space. Leveraging that history and knowledge base, we began working on a solution that would better address the huge pain points our customers were experiencing with available provisioning technologies. Today, we’re not only announcing two new provisioning products, Lifecycle Manager and Provisioning Engine, we’re also announcing an entirely new approach to provisioning.

This new approach begins with our Governance Platform, which centralizes identity data, captures business policy, models roles and mitigates risk to support both compliance and user lifecycle business processes. As we stated in the press release, this governance-based approach to provisioning delivers three distinct advantages to customers:

  • Simplified deployments. SailPoint’s approach begins with the mining and modeling of all necessary information about users, access privileges, roles and policy into a single governance platform, enabling organizations to automate access request and provisioning processes without extensive workflow and custom coding. This reduces custom coding requirements by 200-300 percent.
  • Lower deployment costs. SailPoint provides an open and flexible approach to the “last mile” of provisioning – the connector layer where changes are executed on IT resources – by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on “last mile” integrations. It also allows customers to immediately focus their identity management efforts where the highest value exists: at the business process and governance layer to ensure consistent, enterprise-wide compliance with internal and external security mandates.
  • Business and IT alignment. SailPoint provides the first user interface designed specifically for business users to request access and manage user lifecycle events. Traditional provisioning tools were designed for use by IT administrators and were too cryptic and technical for business users. With its business-friendly user interfaces, SailPoint makes it easy to involve business users in all identity management processes, such as access requests, change approvals, access certifications and role lifecycle management.

The entire SailPoint team is excited about today’s launch. The early feedback from customers and analysts has been extremely positive, and we look forward to sharing more details with many of you during this spring’s tradeshow season (in the meantime, you can read more about the products here).

As I sit here, winging my way back to Austin from the Gartner IAM Summit last week in London, I can’t help but reflect on how much the identity market has evolved since SailPoint attended the first European IAM Summit in 2008. In addition to the fact that the attendees at the conference were vibrant, interested and full of questions – which I believe is an indication that people are back in the buying mode – the most obvious difference was the level of awareness and understanding that the attendees had for identity governance (or IAM intelligence, as Gartner likes to refer to it).

Two years ago, it was difficult to find many people who clearly understood the difference between what they were getting from their provisioning vendor and a true identity governance solution, so we spent a lot of time on basic education. This year, people were much better educated coming into the conference. They were keen to understand the nuances and differentiators between identity governance offerings and actively sought out vendors like SailPoint. In fact, identity governance was featured prominently in many of the conference speakers’ sessions in one form or another. One Gartner analyst even told me, “Identity governance is one of the hottest topics at the show this year.”

It’s taken a bit of time, but the fog is definitely clearing on the identity landscape, and it looks like 2010 may be the year that identity governance comes into its own.

We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don’t fully understand what they are certifying. In fact, nearly 75% of the respondents believe business managers don’t understand the technical descriptions of the access privileges they certify.

Additional key findings from the survey include:

  • More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.
  • 42% reported shared responsibility and accountability with business managers for the access certification process.
  • 61% of the respondents report that they use manual or homegrown processes to manage a company’s access privileges.
  • Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (which is a similar statistic from our May 2009 Market Pulse Survey).

The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, is available here.

Kevin is the President and co-founder of SailPoint, FPG’s partner for Identity Governance. During his February 2010 visit to Australia we had many customer meetings and discussions about the current state and future of the Identity Management market. While Kevin is able to offer a global perspective, we’re in agreement with his views, as we see customers focusing strongly on business ROI from Identity Management offerings. Over to Kevin:

Despite the economic challenges, 2009 was a record year for SailPoint as we’ve doubled our customer base and expanded into Europe and APAC. As we look forward to 2010, we have been reflecting upon the recession and how it will impact next year – particularly in regard to how companies consume, purchase and view technology. With that in mind, I offer the following four trends and predictions for 2010:

1. Cautious Investment Strategies Will Remain. The tough economy has made buyers more selective about how they invest in software solutions. The constricted budgets and constrained resources of 2009 in many cases brought clarity to project prioritization. CIOs have become more discriminating customers who want results quickly and who expect a solid near-term return on investment. Particularly in the identity governance space, companies expect to have full visibility and control over access privileges in months, if not weeks, with measurable results along the way. Even if companies enjoy larger budgets next year, CIOs will continue to be laser-focused on solutions that provide immediate, measurable results.

2. The Compliance Burden Will Grow. Compliance, transparency and risk management will remain top priorities for global companies. Everyone agrees that as fallout of what transpired in the financial markets in 2008, even more regulation is on the way, not less. The Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, takes effect on January 1st. Part of Obama’s stimulus package included the HITECH Act in healthcare, which effectively adds more “teeth” to HIPAA by requiring companies to disclose any privacy breaches. And most recently, the Personal Data Privacy and Security Act of 2009 passed a major hurdle and will be voted on by the Senate. Clearly these are US-only examples, but companies around the world are going to be bombarded with new requirements and more stringent rules.

3. Identity Management Will “Grow Up.” As a result of the growing focus on governance and compliance, organizations are starting to view IdM as more of a business-centric discipline than an IT-only domain. IdM processes can no longer be the exclusive realm of identity admins and help desk staff. To ensure compliance initiatives are successful, organizations must get business users involved in the process. It is the business user, after all, who has the most accurate knowledge of who should doing what with which applications and datasets. Collaboration is required across teams of business, audit/compliance and technical staff. As a result, there is a growing need for IdM solutions to evolve into business-friendly solutions to better manage IT and business risk. The IdM market will see more business process management (BPM) functionality in the coming year and will begin delivering business intelligence and decision support solutions.

4. Identity Governance Will Energize the IdM Market. As I’ve said many times, I believe the recession has served as a catalyst in IdM’s evolution – both by elevating the importance of transparency and risk management, as well as increasing corporate focus on rapid results and return on investment. I believe our industry is now at an inflection point where companies are starting to rethink how they approach IT risk management and what they expect from technology vendors. As identity governance technology matures, innovative startups will completely disrupt the IdM space by bringing a level of intelligence and risk management that is of high value to the business. We’ll see a few dinosaurs try to evolve, but this race will be a fast one and we’ll see if they can keep up.

Stay Connected

About First Point Global

From the innovative identity and access management solutions we propose, to the technology companies we partner with, to the way we design and deliver projects, everything we do at First Point Global is aimed at creating sustainable business value for our clients.