Monday, October 27, 2008

Identity Governance Becomes Must-Do Item on Personnel Management and Security Checklist

Transcript of BriefingsDirect podcast on the identity governance and best practices for IT systems access provisioning.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about a serious and potentially catastrophic set of issues for many companies. I’m going to be talking about security and risk aversion around personnel, applications, and IT systems. We’re looking how companies can more properly manage identity information and access rules for the users of applications and systems. We will also develop an understanding of a new class of solutions to this growing problem.

The goal is to work more toward identity governance, a step above simply giving access and privileges, and of getting pro-active in managing access across multiple dimensions in a business.

We use the word “governance” because it helps to develop an appreciation for the large-picture solution of properly provisioning users, giving them the right level of access privilege, and then being able to exercise lowering risk from the people, process, and systems perspective -- a comprehensive control and monitoring capability.

These issues and risks are reinforced these days by the sudden and unexpected financial pressure affecting many banks. There are dislocations, mergers, acquisitions, and most likely significant downsizing. There are a lot of bright people who have access to a lot of very sensitive systems. These are very powerful applications. If there were ever a need for identity governance, this would be it.

To help this better understand these issues and some of the newest solutions around identity governance, we are now joined by two executives from SailPoint Technologies. We’re talking with Mark McClain, the CEO and founder, and also Jackie Gilbert, the vice president of marketing and also a founder at SailPoint Technologies. Welcome to you both.

Mark McClain: Thank you, Dana.

Jackie Gilbert: Thanks, Dana.

Gardner: There was a time, and it doesn't seem that long ago, when folks would get themselves a directory and provision people on and off of IT systems through that. It was fairly straightforward. A limited number of people in IT managed this. But it seems that times have changed fairly rapidly. Mark, help me understand what's different now. Why do we need this more holistic governance approach to identity issues?

McClain: Sure, Dana. That's an accurate representation of where the market has evolved to, or it's continuing to evolve to. Some of this has been around for quite some time. It was probably initially referred to in many peoples' minds as a concept of user management, when we first went to distributed computing, and we had all these challenges of managing a whole bunch of identities on systems that were distributed around the enterprise, as opposed to a single well-maintained mainframe or something like that.

The advent of distributed systems, and, to some degree, the Internet drove us to seek how to secure the open enterprise. That was a challenge, as you said, of a lot of provisioning and de-provisioning of accounts, focused on operational efficiency, because it became a very costly solution in many organizations.

They understood that they had some security risk, but many times, their biggest concern was how much it was costing to manage, and also the very poor quality of service that, in many cases, was being offered to their users and partners. Someone would start with the company and not get everything they need to do their job for a few weeks, which is highly unproductive and quite costly.

But then I think if you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk.

It comes down to how we get a good handle on who has access to what in our enterprises -- which critical data and applications are exposed to which people? The better we understand that, the better we can understand the actual potential risks we have in sharing that information or allowing it go sometimes outside of our four walls.

In many ways, this focus on governance has been driven by those kinds of things. Now, in the current situation, as you just said, there is lots of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. That's because people are very sensitized to, "Hmm, if I get a disgruntled employee who may reach back and do something negative, do I have people who have been moved around quickly in a state of churn and now they have access to multiple things that they shouldn't?

It's this segregation of duties challenges. There are lots of issues that we can continue to talk about, but I think it's a well-understood pain-point that's getting more intense all the time as we see kind of more churn and concerns in the markets.

Gilbert: To add to and build on what Mark just said, the other thing that is unique in the current phase we are in, which is all about oversight, audit, risk-management, is that it has created a need for more and more people from the business side of organizations to become involved with identity management – and that has real implications.

When you are just focused on automation and making processes more efficient, that stays within the realm of IT and can be very much a focus for IT tools and technical users. Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

Gardner: I suppose it's not that people are any better or worse than they used to be, but that these systems are extremely powerful. One person with access to some trading applications, for example, can suddenly lose $5 billion. Right?

McClain: Absolutely. As to your comment there about the nature of people, you'd hope that the fundamental moral fiber of the country hasn't declined. But having said that, there are a couple of interesting things that have changed.

One is that, the world of hackers has evolved from seeing what they can get away with to prove their technical prowess, and has now really migrated to a fairly significant level of organized-crime involvement.

We've heard stories from companies of their employees being solicited by criminal elements to give up information. There were people getting phone calls saying, "Hey, would you be willing to sell access to your systems for some amount of money? Are you in credit trouble? Are you having financial difficulties?" People are soliciting employees to perform criminal behavior for money, which is a completely new element in the last 5 to 10 years, for sure.

Gilbert: A recent example of that was at Countrywide Financial. There was just some recent news this week about the arrest of a former employee who was actually selling Social Security numbers and mortgage information over a two-year period to the black market. This person admitted, I think, to receiving more than $70,000, by just selling this proprietary information. I think over 45,000 people were compromised that were Countrywide customers, and this isn't an isolated example.

There have been many cases of bank employees selling costumer information to collection agencies. So I think what Mark was referring to is that there is actually more temptation and more opportunities to commit fraud now because there is a market for it.

Gardner: So, that means that we need to plug these holes and almost develop the ability to forecast vulnerabilities in advance – and that cuts across a chief security officer (CSO), the IT people, line-of-business people, and for the human resources department. So who owns identity governance, if it, in fact, cuts across so many different aspects of a large enterprise?

McClain: It's a good question. I think that's one of the challenges that businesses are wrestling with today. As Jackie pointed out earlier, we saw, when we were focused on the identity provisioning challenges a number of years ago, then it was kind of the help desk and the security group, all within IT, that were wrestling with the problem. Now, you have those constituencies as well as two or three key others.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like Dupont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

Business people are very tuned-in to the risk and the potential for fraud, or the potential for abuse – and they are motivated. Your ownership questions are good ones, Dana. This is such a rapidly evolving challenge, but all those people are certainly at the table.

There is a little a bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going sign-up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

Gardner: It's tough to be responsible for something that you don't have authority over.

McClain: Absolutely.

Gilbert: One of our customers at a financial institution, the vice president of IT, told me that he has become more savvy and is actually pushing back on the lines of business. He said that when the IT auditor comes in and shows a bunch of red ink, he says that his counterpart in the line of business needs to help own and resolve this issue because IT alone really doesn't have the knowledge that it takes to figure out where is the risk and how to mitigate the risk.

Gardner: As we've seen in other aspects of maturing business processes and IT, solutions often involve bringing enough information up to the right people, through management consoles, analysis, and good data. How do we give whoever becomes the owner of this problem, or perhaps those managing a federated approach to the problem, the tools, the visibility, and the comprehensive access that they need to the right information? What is our first step toward the solution here?

McClain: You partially answered your own question, because you used the word "visibility," which we think is one of the three core pillars of this emerging segment of identity governance. It starts first and foremost with visibility. As a business person or even as an IT or control audit person, I can't define and manage the risk in my organization, unless I understand the current state of the union.

So it really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

This problem starts by helping customers understand the criticality of gaining visibility across critical applications and data for who has access to what. We have to be able to correlate and aggregate a lot of technical information. We have to figure out that "D Gardner" and "Dana G" and "Dana_Gardner" are, in fact, the same person, and then correlate all the privileges that you have into a single view, so I can at least start with visibility.

Gilbert: If you think about it, for most Fortune 1000 companies that is a very difficult thing to do – just based on the fact that they have tens of thousands of employees, and hundreds -- maybe even thousands -- of applications that span mainframes, UNIX, Windows, and custom and packaged applications. The more complex and varied the IT is – and the bigger the company is – the more frequent churn of people.

Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, as Mark said, just getting proper visibility.

Gardner: Are we talking about this problem in a way that we are going to just grab all of this information, data and access information, and then put it all in one big, honking repository to manage it centrally?

Or are we talking about, "Let's leave the access privileges and controls where they are, but elevate the metadata and put that into some sort of a management framework that we can act on"?

McClain: We would say it is the latter. In other words, efforts to completely centralize all of the real-time access control, real-time authorization of who can get to what has almost always have failed.

There were a number of projects years ago, where people were going to create one enterprise directory. What you find now is that a lot of the more modern applications do rely on a directory, and that directory has become more standardized and more carefully managed. We would say philosophically that this is really more like a business intelligence (BI) application.

In that sense, I want to leave the operational data in the transactional systems that it belongs to. Yet, I have to be able to pull out of that, aggregate it, and put it into a repository that can be searched and cross-referenced across all the information, so that I can get that visibility.

By the way, a highly related point here is, if I just aggregate and correlate all this information from all the underlying systems – like Jackie said, from the mainframes and directories and Windows and UNIX servers – just getting it in one place is only part of the problem. The other huge part of the problem is giving it the right business context.

That's because one of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign-off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

Knowing that Dana has access to "server FQ 93T," doesn't tell me much of anything about what Dana can do. If I can understand that that server actually is the front end to the accounts payable system, then now I know something about whether that's appropriate for Dana to have access to.

A second core pillar that we've spent a lot of time talking to our prospects and customers about is this concept of business context. Not only do they have to aggregate and correlate visibility across everything they do, I, as a customer, need to give it context so I can understand the business risks and the criticality of the information that you can access.

Gilbert: Part of the way that context is accomplished can be as simple as just providing business-friendly descriptors for entitlements. We also use the context of business roles, so that we can take a group of entitlements and assign them to a business role.

For example, a "database administrator in the Austin region" gets these types of privileges. By making that linkage and creating that higher level of abstraction around a role, we can ask people to approve whether "Joe" should be in that particular role. And they are much more likely to understand that than they are just looking at the low-level entitlements, and trying to make an intelligent decision about whether that is appropriate.

Gardner: I’m fairly clear that we have a distinct problem here, and that we are not going to solve it through a central forced march into a single approach or product. And, I understand that the identity governance solution has to be understood in the business context.

I guess what I am not clear about is how we actually go out and get this information, make it visible, get that single view of the employee, and then create the opportunity for execution and action against that information?

Gilbert: As Mark said, it's pretty analogous to BI and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

For example, we can much more easily send and route that information around to the people who need to approve access or review it on a quarterly basis. And, it's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.

Gardner: I suppose carrying on with that analogy about BI, that the same information, those same rules, can be used by a number of different constituencies in the organization, whether it's provisioning, personnel, security, or compliance. It all seems to have a common reach, but a differentiation in terms of how people can then use it.

McClain: Yes, I think that's right. The idea of that once you have defined business roles. Once you have defined access policies, these segregated duties, and "toxic" combinations, that that's useful information, whether you are doing annual or quarterly re-certification processes, but also when you are taking on a new employee or adding a new partner or something.

You want to be able to refer to those kinds of systems that data of who has access to what and which are the appropriate policies, what are the appropriate combinations to avoid. So that if I’m going to provision someone, for instance, to a new system, or give them new entitlements, I can check it against that same repository of information on the users and the policies that I care about. I can make sure I’m not creating any problems at the time that I grant access.

Gardner: You can use this identity governance, of course, for prevention and insight. But, it also sounds like it would be very powerful, if we were doing a merger and acquisition (M&A), or if I were forced, tough as it maybe, to fire everybody and then re-hire them under a different ownership or structure. Trying to do something like that without this sort of comprehensive information set would be really onerous.

Have you had any customers or use-case scenarios where people have used these ID governance systems to that degree, and what sort of paybacks have they seen?

Gilbert: That's a really good point. In fact, M&A activity, is a use-case that we have seen with our customers.

A typical example would be that one bank has just bought another bank, and there is going to be a gradual process of integrating the new bank into the larger bank. During that time, we want to manage the population of users in a very shared way, so that a certain set of people will maintain access to just the old bank and then others will get merged access to the combination of the two banks.

Then, for people who potentially are being laid off or replaced as part of the M&A, we are going to manage them with potential risks in mind. So, we are going to limit their access and we may want to monitor their activity.

We actually provide a tool to segment user populations and then manage them differently in terms of the kind of controls and monitoring that we would allow the company to provide around that M&A acquisition activity.

Gardner: When it comes to implementing something like this, and I believe your product is called SailPoint IdentityIQ 3.0, is this strictly a product approach, or is this professional services and consulting or some level of competency or skill-sets within the organization's combination? I suppose the question is how much of this is actually accomplished by the product, and to what degree is the user company's skill sets required?

McClain: We would love to say you drop it in and it works, but it's not quite that simple. Many times, this is a fairly substantial project, although the ability to get to value quickly is something we've demonstrated with a number of our companies. We work with them to scope an appropriate size project, some limited number of applications or users – to show how the technology can significantly help them with these processes of certification or managing roles or better risk management.

But, quite often there is a very fairly significant consulting part of the conversation, because ultimately this is an opportunity to bring these constituencies to the table, sometimes for the first time. The auditors, the application people, and the IT security people sit down and say, "What do we want to accomplish here? How can we best provide good governance, meet our compliance requirements, and manage our risks appropriately?"

So, there is often a very beneficial set of conversations that come out of that. Then, of course, the challenge of our tool, of our software, is to capture those policies, capture those things in the product.

We have definitely seen very significant payback conversations because of the amount of manual effort and money being spent on these projects, particularly the Sarbanes-Oxley related certification projects, where not only can we save the companies a great deal of money – either in "soft" dollars internally or "hard" dollars being served with consultants.

But frankly, one of the things we hear consistently is that SailPoint IdentityIQ 3.0 is a big frustration reducer for the business.

This is a very significant source of pain and frustration in the business community today. Even if it's not purely a financial justification that we are able to give the customer, sometimes their eyes light up with, "Oh, wow, if I could give this to my users (the line of business or the auditors), they would be so much happier doing what they are doing today." So quite often there is a very significant emotional payback, I'll call it, as well as a financial payback in this kind of a solution.

Gardner: Often, risk reduction and security management is a large undertaking that requires organizational and cultural shifts, and that can involve such things as the Information Technology Infrastructure Library (ITIL), and how to re-engineer your processes within IT department itself. Granted that these are complicated and large undertakings, let's just drill down on the product itself, what does the SailPoint IdentityIQ product do in terms of "picks and shovels" that these other practitioners can put to use?

Gilbert: We've touched on a few of these points before, but a big area we contribute to is in automating some of the types of controls that would be defined by a framework like ITIL, control objectives for information and related technology (COBIT), or some of the frameworks that attempt to say, "Here's a common set of good practices that we've captured, and many of these really involve best practices and business processes for improving security controls."

SailPoint’s automated workflow replaces the manual paper-based quarterly review of access. It provides you with a much more effective set of controls that are predictable, but customizable.

We have one customer who was doing quarterly reviews. They would spend most of the quarter compiling the data, reviewing it, and then manually reconciling it. Then, they would have one or two weeks of a break before they would start the process over again.

So, as Mark said, one of the things that really helps is that we are coming in and replacing something that is painful, onerous, and not very reliable, where people have low confidence. We are replacing that with a set of controls that is much more in line with the sort of recommendations you would see coming out of an ITIL or a COBIT, in terms of how you align controls to reduce risk and how you perform these kinds of activities in a way that is reliable and predictable.

Gardner: Examples often help, but I don’t suppose there are a lot of people jumping up and down saying, "I'm really a high-risk over here!" So, there are not too many companies that you can trot out and say, "Well, we took them from 90 percent risk to 20 percent risk.” But are there any examples of how this has worked, and perhaps some of the paybacks, both business terms and even IT terms of how people have benefited?

Gilbert: A couple of examples come to mind. One of our customers, again a financial services company, went through the first quarterly certification process across dozens of Sarbanes-Oxley relevant applications. In that very first round of review, they detected that, on average, 20 percent of the entitlements for their users were inappropriate and needed to be revoked.

That’s the kind of benefit of oversight you're getting right out of the gate. Once you have the ability to see the data and see it with the right context, you are much more productive at spotting what needs to be taken away and what is inappropriate.

IT audits uncover many of these problems. Another customer was written up by their auditors because they concluded – just based on a sampling – that the access data for the corporation was, on average, only 70 percent accurate, meaning that 30 percent of it was erroneous or incorrect.

These cases that are easy to quantify, and you're giving this immediate benefit of data clean-up and removing inappropriate access. We call it entitlement creep, that's our expression for it over time. People transfer, they change jobs, they need temporary access to some system for a project – and it never gets removed.

Part of what you are getting right out of the gate is the ability to say, "Hey, Joe doesn't really need this. He's not even in the accounts-payable department anymore," but he still has all the system access.

Gardner: Have there been any unintended positive consequences from using this? That's to say, for people who have put identity governance in place did they get what they were expecting, but also more? Where there other ancillary payoffs that people have enjoyed?

McClain: Tha’s an interesting question. I certainly think this idea of happier users is one. IT is so consistently under-appreciated, under-loved, under-paid. When they can provide a tool to the business user that makes the job simpler, faster, easier, especially for something like these audit processes or certification, re-certification processes, that no one looks forward to, I think that's always a win for the IT staff in particular.

I have made something you have to do easier and quicker and less painful. That's quantifiable, but under the given consequence of an improved relationship between IT, security groups, and the users. Also, the relation between internal audit and many of these groups has become fairly combative. You talk to people that have been around IT for years now, and they say, "Look, it's not like we are buddy-buddy with our auditors, but we all were sort of working together, trying to make sure that the company was being well-governed."

We have a few cases that became very combative, with a lot of anger. One person said, "Oh, you mean the ‘A word’" about the group of auditors that they were talking to. What we are finding is that this helps them get back to, "Look, aren't we all trying to accomplish an objective here of better risk management, better governance?"

One of the things that our customers have told us is that they are so focused on just getting through the audit to check the compliance box, people have lost sight of why we were doing this stuff in the first place. Ultimately we're trying to mitigate and manage risk. We’re trying to provide good repeatable processes and good governance, so the right people have the access they need to do their job correctly, and only the access that they need to do their job correctly.

So often, we've gotten away from that. It's become just, "I have to get through this process to check the box, to meet the audit by this date." It's become a must-do that has lost sight of its original objective, in many cases.

Gilbert: You mentioned the culture issue earlier. To be honest with you, we find a lot of people that may be talking about risk management, but inside most IT departments, it is really hard to understand how to put that into action.

Because we give them the ability to begin aggregating the data, doing certifications and revoking and solving policy violations, they can automatically accumulate risk data, allowing them to profile their users by risk. I think people are looking for ways to put a risk-based approach into action. What does that mean to me as an IT practitioner? I think there is a desire to get to that, but there is really a struggle on how to quantify risk, and put risk management it into practice.

Gardner: As we’re wrapping up, it's interesting to look at the future. This is a fast-moving space. When we look to identity governance, say two or three years from now, is this a case of the role growing? Is there a larger payback or a productivity benefit, or are we just going to make what we've got in terms of the problem set work better? What does the future hold?

McClain: The one that we've debated around here, that I think might be useful, as there is this acronym that's fairly prevalent out there, GRC (governance risk management and compliance). Oracle has a GRC suite, IBM has a GRC suite, SAP has a GRC suite. And we've joked about the fact that if you were to look at that from a chronological standpoint, it should have been CRG instead of GRC. Meaning a lot of the focus for the last few years has been on compliance. How do I either reduce the cost and complexity of it? How do I meet the audits more quickly and effectively, and just this huge focus on getting to the audits and all that stuff.

People would tell you that they have compliance relatively under control now. They are generally passing their audits. They generally are not having big material deficiencies, but they sure would like to take cost out of the process and get away from so much manual work, to more automation.

This risk management, the R of CRG seems to be a emerging now as we've talked a lot today. I think senior management is sitting on their perch in the CxO suite. "So, we've spent all this money on security, we're supposedly compliant, why do we still have these breaches?"

Most big companies are still experiencing breaches, most of which don't hit the press, but some do. So, I think they are starting to ask the fundamental question of, "So we are compliant, but we still have risk. We're not managing well. What are we going to do to get better about that?"

Governance, which is I think the focus of our talk today, is in some ways, an umbrella over all that this incorporates and then hopefully moves to just good sound, repeatable, business management of identity and access. How do I place policies? How do I provide a risk matrix, as Jackie was just talking about, that enables me to understand, measure, manage risk?

I think really we are seeing the shift from the C, kind of through the R of GRC. People are just sort of half a foot in the water, half a tail in the water, on the risk management side of it. And, to your point, what does this look like three years from now? I'd like to think a lot of companies are using some risk matrix to address these issues.

They hopefully have compliance well under control. They can pass their audits. They can generate the reports in a timely automated fashion, and they're moving to more sophisticated governance or clarity around the business policies and how those affect the underlying IT systems. So I think it's kind of that progression from the C to R to G, flipping the acronym upside down.

Gardner: Well, great. I have certainly learned quite a bit, and have much better appreciation for why identity governance needs to happen. I have certainly been in cases in my jobs where I've gone from one department or unit to another and I had accessed all those other applications.

McClain: Fortunately you are high-ethics guy and you didn't view it.

Gardner: Yes, right, I didn’t do anything bad about it but I could see where that's certainly a risk.

McClain: Exactly.

Gardner: Okay, we are talking about identity governance and risk, and how to come to more of a solutions focus around this. We've enjoyed the talk. It’s a sponsored podcast today with Mark McClain, CEO and founder, and Jackie Gilbert, vice president of marketing and founder, at SailPoint Technologies. I want to thank you both.

McClain: Thank You, Dana.

Gilbert: Thank You.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time for more in-depth discussions about enterprise software and strategies. Thanks, and bye for now.

to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Transcript of BriefingsDirect podcast on on the identity governance and best practices for IT systems access provisioning. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.