
Wednesday, October 29, 2014

Five Ways to Make Identity Management Work Best Across Hybrid Computing Environments

Transcript of a BriefingsDirect podcast on the basic tenets of identity and access management in a rapidly changing and growing IT world.

Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion on learning new best practices for managing the rapidly changing needs around identity and access management (IAM).

Any modern business has been dealing with IAM from day one. But now, with more critical elements of business extending beyond the enterprise, access control complexity has been ramping up due to cloud, mobile, bring your own device (BYOD), and hybrid computing.  And greater complexity forms a major deterrent to secure, governed, and managed control over who and what can access your data and services -- and under what circumstances.

So while cloud gets a lot of attention, those of us working with enterprises daily know that the vast majority of businesses are, and will remain, IT hybrids, a changing mixture of software as a service (SaaS), cloud, mobile, managed hosting models, and of course, on-premises IT systems.

We're here with a Chief Technology Officer for a top IAM technology provider to gain a deeper understanding of the various ways to best deploy and control access management in this ongoing age of hybrid business.

Here to explore five critical tenets of best managing the rapidly changing needs around identity and access management is our guest, Darran Rolls, Chief Technology Officer at SailPoint Technologies in Austin, Texas. Welcome, Darran.

Darran Rolls: Thank you.

Gardner: Darran, changes in IT are forcing a rethinking of deployment models and in user behaviors. Therefore governance of these critical business processes needs to adjust. But let’s just focus on what does not change, despite this hybrid environment we now find ourselves in. There must be some basic, bedrock principles that we can look to that will guide us as we're trying to better manage access and identity.

Rolls: Absolutely, there are, and I think that will be a consistent topic of our conversation today. It's something that we like to think of as the core tenets of IAM. As you very eloquently pointed out in your introduction, this isn't anything new. We've been struggling with managing identity and security for some time. The changing IT environment is introducing new challenges, but the underlying principles of what we're trying to achieve have remained the same.
The idea of holistic management for identity is key. There's no question about that, and something that we'll come back to is this idea of the weakest link -- a very commonly understood security principle. As our environment expands with cloud, mobile, on-prem, and managed hosting, the idea of a weak point in any part of that environment is obviously a strategic flaw.

As we like to say at SailPoint, it’s an anywhere identity principle. That means all people -- employees, contractors, partners, customers, basically from any device, whether you’re on a desktop, cloud, or mobile to anywhere. That includes on-prem enterprise apps, SaaS apps, and mobile. It’s certainly our belief that for any IAM technology to be truly effective, it has to span all for all -- all access, all accounts, and all users; wherever they live in that hybrid runtime.

Gardner: So we're in an environment now where we have to maintain those bedrock principles for true enterprise-caliber governance, security, and control, but we have a lot more moving parts. And we have a cavalcade of additional things you need to support, which to me, almost begs for those weak links to crop up.

So how do you combine the two? How do you justify and reconcile these two realities -- secure and complex?

Addressing the challenge

Rolls: One way comes from how you address the problem and the challenge. Quite often, I'm asked if there's a compromise here. If I move my IAM to the cloud, will I still be able to sustain my controls and management and do risk mitigation, which is what we were trying to get to.

My advice is if you're looking at an identity-as-a-service (IDaaS) solution that doesn’t operate in terms of sustainable controls and risk mitigation, then stop, because controls and risk mitigation really are the core tenets of identity management. It’s really important to start a conversation around IDaaS by quite clearly understanding what identity governance really is.

This isn’t an occasional, office-use application. This is critical security infrastructure. We very much have to remember that identity sits at the center of that security-management lifecycle, and at the center of the users’ experience. So it’s super important that we get it right.

So in this respect, I like to think that IDaaS is more of a deployment option than any form of a compromise. There are a minimum set of table stakes that have to be in place. And, whether you're choosing to deploy an IDaaS solution or an on-prem offering, there should be no compromise in it.

We have to respect the principles of global visibility and control, of consistency, and of user experience. Those things remain true for cloud and on-prem, so the song remains the same, so to speak. The IT environment has changed, and the IAM solutions are changing, but the principles remain the same.

Gardner: I was speaking with some folks leading up to the recent Cloud Identity Summit, and more and more, people seem to be thinking that the IAM is the true extended enterprise management. It's more than just the identity in access, but across services and so essential for extended enterprise processes.

Also, to your point, being more inclusive means that you need to have the best of all worlds. You need to be able to be doing IAM well on-premises, as well as in the cloud -- and not either/or.

Rolls: Most of the organizations that I speak to these days are trying to manage a balance between being enterprise-ready -- so supporting controls and automation and access management for all applications, while being very forward looking, so also deploying that solution from the cloud for cost and agility reasons. 

For these organizations, choosing an IDaaS solution is not a compromise in risk mitigation, it’s a conscious direction toward a more off-the-shelf approach to managing identity. Look, everyone has to address security and user access controls, and making a choice to do that as a service can’t compromise your position on controls and risk mitigation.

Gardner: I suppose the risk of going hybrid is that if you have somewhat of a distributed approach to your IAM capabilities, you'll lose that all-important single view of management. I'd like to hear more, as we get into these tenets, of how you can maintain that common control.

You have put in some serious thought into making a logical set of five tenets that help people understand and deal with these changeable markets. So let’s start going through those. Tell me about the first tenet, and then we can dive in and maybe even hear an example of where someone has done this right.

Focusing on identity

Rolls: Obviously it would be easy to draw 10 or 20, but we like to try and compress it. So there's probably always the potential for more. I wouldn’t necessarily say these are in any specific order, but the first one is the idea of focusing on the identity and not the account.

This one is pretty simple. Identities are people, not accounts in an on-line system. And something we learned early in the evolution of IAM was that in order to gain control, you have to understand the relationships between people -- identities, and their accounts, and between those accounts and the entitlements and data they give access to.

So this tenet really sits at the heart of the IAM value proposition -- it's all about understanding who has access to what, and what it really means to have that access. By focusing on the identity -- and capturing all of the relationships it has to accounts, to systems, and to data -- that helps map out the user security landscape and get a complete picture of how things are configured.

Gardner: If I understand this correctly, all of us now have multiple accounts. Some of them overlap. Some of them are private. Some of them are more business-centric. As we get into the Internet of Things, we're going to have another end-point tier associated with a user, or an identity, and that might be sensors or machines. So it’s important to maintain the identity focus, rather than the account focus. Did I get that right?

Rolls: We see this today in classic on-prem infrastructure with system-shared and -privileged accounts. They are accounts that are operated by the system and not necessarily by an individual. What we advocate here, and what leads into the second tenet as well, is this idea of visibility. You have to have ownership and responsibility. You assign and align the system and functional accounts with people that can have responsibility.

In the Internet of Things, I would by no means say that it's nothing new, because if nothing else, it's potentially a new order of scale. But it's functionally the same thing: Understanding the relationships.

For example, I want to tie my Nest account back to myself or to some other individual, and I want to understand what it means to have that ownership. It really is just more of the same, and those principles that we have learned in enterprise IAM are going to play out big time when everything has an identity in the Internet of Things.

Gardner: Any quick examples of tenet one, where we can identify that we're having that focus on the user, rather than the account, and it has benefited them?

Rolls: For sure. The consequences of not understanding and accurately managing those identity and account relationships can be pretty significant. Unused and untracked accounts, something that we commonly refer to in the industry as "orphan accounts," often lead to security breaches. That’s why, if you look at the average identity audit practice, it’s very focused on controls for those orphan accounts.

We also know for a fact, based on network forensic analysis that happens post-breach, that in many of the high-profile, large-scale security breaches that we've seen over the last two to five years, the back door is left open by an account that nobody owns or manages. It’s just there. And if you go over to the dark side and look at how the bad guys construct vulnerabilities, first things they look for are these unmanaged accounts.

So it’s low-hanging fruit for IAM to better manage these accounts because the consequences can be fairly significant.

Tenet two

Gardner: Okay, tenet two. What’s next on your priority list?

Rolls: The next is two-fold. Visibility is king, and silos are bad. This is really two thoughts that are closely related.

The first part is the idea that visibility is king, and this comes from the realization that you have to be able to capture, model, and visualize identity data before you have any chance of managing it. It’s like the old saying that you can’t manage what you can’t measure.

It’s the same thing for identity. You can’t manage the access and security you don’t see, and what you don’t see is often what bites you. So this tenet is the idea that your IAM system absolutely must support this idea of rapid, read-only aggregation of account and entitlement information as a first step, so you can understand the landscape.

The second part is around the idea that silos of identity management can be really, really bad. A silo here is a standalone IAM application or what one might think of as a domain-specific IAM solution. These are things like an IDaaS offering that only does cloud apps or an Active Directory-only management solution, basically any IAM tool that creates a silo of process and data. This isolation goes against the idea of visibility and control that we just covered in the first tenet.

You can’t see the data if it's hidden in a siloed system. It’s isolated and doesn't give you the global view you need to manage all identity for all users. As a vendor, we see some real-world examples of this. SailPoint just replaced a legacy-provisioning solution at a large US based bank, for example, because the old system was only touching 12 of their core systems.

The legacy IAM system the bank had was a silo managing just the Unix farm. It wasn't integrated and its data and use case wasn’t shared. The customer needed a single place for their users to go to get access, and a single point of password control for their on-prem Unix farm, and for their cloud-based, front-end application. So today SailPoint’s IdentityNow provides that single view for them, and things are working much better.

Gardner: It also reminds me that we need to be conscious of supporting the legacy in the older systems, recognizing that they weren't designed necessarily for the reality we're in now. We also need to be flexible in the sense of being future-proof. So it's having visibility across your models that are shifting in terms of hybrid and cloud, but also visibility across the other application sets and platforms that were never created with this mixture of models that we are now supporting.

Rolls: Exactly right. In education, we say "no child left behind." In identity, we say “no account left behind, and no system left behind.” We also shouldn’t forget there is a cost associated with maintaining those siloed IAM tools, too. If the system only supports cloud, or only supports on-prem, or managing identity for mobile, SaaS, or just one area of the enterprise -- there’s cost. There's a real dollar cost for buying and maintaining the software, and probably more importantly, a soft cost in the end-user experience for the people that have to manage across those silos. So these IAM silos are not only preventing visibility and controls, but there is big cost here, a real dollar cost to the business, as well.

Gardner: This gets closer to the idea of a common comprehensive view of all the data and all the different elements of what we are trying to manage. I think that's also important.

Okay, number three. What are we looking at for your next tenet, and what are the ways that we can prevent any of that downside from it?

Complete lifecycle

Rolls: This tenet comes from the school of identity hard knocks, and is something I’ve learned from being in the IAM space for the past 20 or so years -- you have to manage the complete lifecycle for both the identity, and every account that the identity has access to.

Our job in identity management, our “place” if you will in the security ecosystem, is to provide cradle-to-grave management for corporate account assets. It's our job to manage and govern the full lifecycle of the identity -- a lifecycle that you’ll often hear referred to as JML, meaning Joiners, Movers and Leavers.

As you might expect, when gaps appear in that JML lifecycle, really bad things start to happen. Users don’t get the system access they need to get their jobs done, the wrong people get access to the wrong data and critical things get left behind when people leave.

Maybe the wrong people get access to the wrong data. They're in the Move phase. Then things get left behind when people leave. You have to track the account through that JML lifecycle. I avoid using the term "cradle to grave," but that’s really what it means.

That’s a very big issue for most companies that we talked to. It’s captured in that lifecycle.

Gardner: So it’s not just orphan accounts, but it’s inaccurate or outdated accounts that don’t have the right and up-to-date information. Those can become back doors. Those can become weak links.

It appears to me, Darran, that there's another element here in how our workplace is changing. We're seeing more and more of what they call "contingent workforces," where people will come in as contractors or third-party suppliers for a brief period of time, do a job, and get out.

It’s this lean, agile approach to business. This also requires a greater degree of granularity and fine control. Do you have any thoughts about how this new dynamic workforce is impacting this particular tenet?

Rolls: It’s certainly increasing the pressure on IT to understand and manage all of its population of users, whether they're short-term contractors or long-term employees. If they have access to an asset that the business owns, it’s the business's fiduciary duty to manage the lifecycle for that worker.

In general, worker populations are becoming more transient and work groups more dynamic. Even if it’s not a new person joining the organization, we’re creating and using more dynamic groups of people that need more dynamic systems access.

It’s becoming increasingly important for businesses today to be able to put together the access that people need quickly when a new project starts and then accurately take it away when the project finishes. And if we manage that dynamic access without a high degree of assured governance, the wrong people get to the wrong stuff, and valued things get left behind.

Old account

Quite often, people ask me if it would really matter when the odd account gets left behind, and my answer usually is: It certainly can. A textbook example of this is when a sales guy leaves his old company, goes to join a competitor, and no one takes away his account. He then spends the next six months dipping into his old company’s contacts and leads because he still has access to the application in the cloud.

This kind of stuff happens all the time. In fact, we recently replaced another IDaaS provider at a client on the West Coast, specifically because “the other vendor” -- who shall remain nameless -- only did just-in-time SAML provisioning, with no leaver-based de-provisioning. So customers really do understand this stuff and recognize the value. You have to support the full lifecycle for identity or bad things happen for the customer and the vendor.

Gardner: All right. We were working our way through our tenets. We're now on number four. Is there a logical segue between three and four? How does four fit in?

Rolls: Number four, for me, is all about consistency. It talks to the fact that we have to think of identity management in terms of consistency for all users, as we just said, from all devices and accessing all of our applications.

Practically speaking, this means that whether you sit with your Windows desktop in the office, or you are working from an Android tablet back at the house, or maybe on your smartphone in a Starbucks drive-through, you can always access the applications that you need. And you can consistently and securely do something like a password reset, or maybe complete a quarterly user access certification task, before hitting the road back to the office.

Consistency here means that you get the same basic user experience, and I use the term user experience here very deliberately, and the same level of identity service, wherever you are. It has become very, very important, particularly as we have introduced a variety of incoming devices, that we keep our IAM services consistent.

Gardner: It strikes me that this consistency has to be implemented and enforced from the back-end infrastructure, rather than the device, because the devices are so changeable. We're even thinking about a whole new generation of devices soon, and perhaps even more biometrics, where the device becomes an entry point to services.

Tell me a bit about the means by which consistency can take place. This isn't something you build into the device necessarily.

Rolls: Yes, that consistency has to be implemented in the underlying service, as you’ve highlighted. It’s very easy to think of consistency as just being in the IAM UI or just in the device display, but it really extends to the identity API as well. A very good example to explore this concept of consistency of the API, is to think like a corporate application developer and consider how they look at consistency for IAM, too.

Assume our corporate application developer is developing an app that needs to carry out a password reset, or maybe it needs to do something with an identity profile. Does that developer write a provisioning connector themselves? Or should they implement a password reset in their own custom code?

The answer is, no, they don’t roll their own. Instead they should make use of the consistent API-level services that the IAM platform provides -- they make calls to the IDaaS service. The IDaaS service is then responsible for doing the actual password reset using consistent policies, consistent controls, and a consistent level of business service. So, as I say, it's about consistency for all use cases, from all devices, accessing all applications.

Thinking about consistency

Gardner: And even as we think about the back-end services support, that itself also needs to extend to on-prem legacy, and also to cloud and SaaS. So we're really thinking about consistency deep and wide.

Rolls: Precisely, and if we don’t think about consistency for identity as a service, we're never going to have control. And importantly, we're never going to reduce the cost of managing all this stuff, and we're never going to lower the true risk profile for the business.

Gardner: We're coming up on our last tenet, number five. We haven't talked too much about the behavior, the buy-in. You can lead a horse to water, but you can't make him drink. This, of course, has an impact on how we enforce consistency across all these devices, as well as the service model. So what do we need to do to get user buy-in? How does number five affect that?

Rolls: Number five, for me, is the idea that the end-user experience for identity is everything. Once upon a time, the only user for identity management was IT itself and identity was an IT tool for IT practitioners. It was mainly used by the help desk and by IT pros to automate identity and access controls. Fortunately, things have changed a lot since then, both in the identity infrastructure and, very importantly, in the end users’ expectations.

Today, IAM really sits front and center for the business user's IT experience. When we think of something like single sign-on (SSO), it literally is the front door to the applications and the services that the business is running. When a line-of-business person sits down at an application, they're just expecting seamless access via secured single sign-on. The expectation is that they can just quickly and easily get access to the things they need to get their job done.

They also expect identity-management services, like password management, access request, and provisioning to be integrated, intuitive, and easy to use. So the way these identity services are delivered in the user experience is very important.

Pretty much everything is self-service these days. The expectation is to move the business user to self-service for pretty much everything, and that very much includes Identity Management as a Service (IDaaS) as well. So the UI just has to be done right and the overall users’ experience has to be consistent, seamless, intuitive, and just easy to deal with. That’s how we get buy-in for identity today, by making the identity management services themselves easy to use, intuitive, and accessible to all.

Gardner: And isn’t this the same as saying making the governance infrastructure invisible to the end user? In order to do that, you need to extend across all the devices, all the deployment models, and the APIs, as well as the legacy systems. Do you agree that we're talking about making it invisible, but we can’t do that unless you're following the previous four tenets?

Rolls: Exactly. There's been a lot of industry conversation around this idea of identity being part of the application and the users’ flow, and that’s very true. Some large enterprises do have their own user-access portals, specific places that you go to carry out identity-related activities, so we need integration there. On the other hand, if I'm sitting here talking to you and I want to reset my Active Directory password, I just want to pick up my iPhone and do it right there, and that means secure identity APIs.

We talked a good amount about the business user experience. It is very important to realize that it’s not just about the end-user and the UI. It also affects how the IDaaS service itself is configured, deployed, and managed over time. This means the user experience for the system owner, be that someone in IT or in the line of business -- it doesn’t really matter who -- has to be consistent and easy to use and has to lead to easier configuration, faster deployment, and faster time-to-value. We do that by making sure that the administration interface and the APIs that support it are consistent and generally well thought out, too.

Intersect between tenets

Gardner: I can tell, Darran, that you've put an awful lot of thought into these tenets. You've created them with some order, even though they're equally important. This must be also part of how you set about your requirements for your own products at SailPoint.

Tell me about the intersect between these tenets, the marketplace, and what SailPoint is bringing in order to ameliorate the issues that the problem side of these tenets identify, but also the solution side, in terms of how to do things well.

Rolls: You would expect every business to say these words, but they have great meaning for us. We're very, very customer focused at SailPoint. We're very engaged with our customers and our prospects. We're continually listening to the market and to what the buying customer wants. That’s the outside-in part of the product requirements story, basically building solutions to real customer problems.

Internally, we have a long history in identity management at SailPoint. That shows itself in how we construct the products and how we think about the architecture and the integration between pieces of the product. That’s the inside-out part of the product requirements process, building innovative products and solutions that work well over time.

So I guess that all really comes down to good internal product management practices. Our product team has worked together for a considerable time across several companies. So that’s to be expected. It's fair to say that SailPoint is considered by many in the industry as the thought leader on identity governance and administration. We now work with some of the largest and most trusted brand names in the world, helping them provide the right IAM infrastructure. So I think we’re getting it right.

As SailPoint has strategically moved into the IDaaS space, we’ve brought with us a level of trust, a breadth of experience, and a depth of IAM knowledge that shows itself in how we use and apply these tenets of identity in the products and the solutions that we put together for our customers.

Gardner: Now, we talked about the importance of being legacy-sensitive, focusing on what the enterprise is and has been and not just what it might be, but I'd like to think a little bit about the future-proofing aspects of what we have been discussing.

Things are still changing and, as we said, there are new generations of mobile devices, more biometrics perhaps doing away with passwords and identifying ourselves through the device that then needs to filter back throughout the entire lifecycle of IAM implications and end points.

So when you do this well, if you follow the five tenets, if you think about them and employ the right infrastructure to support governance in IAM for both the old and the new, how does that set you up to take advantage of some of the newer things? Maybe it’s big data, maybe it’s hybrid cloud, or maybe it's agile business.

It seems to me that there's a virtuous adoption benefit when you do IAM well.

Changes in technologies

Rolls: As you've highlighted, there are lots of new technologies out there that are effecting change in corporate infrastructure. In itself, that change isn’t new. I came into IT with the advent of distributed systems. We were going to replace every mainframe. Mainframes were supposed to be dead, and it's kind of interesting that they're still here.

So infrastructure change is most definitely accelerating, and the options available for the average IT business these days -- cloud, SaaS and on-prem -- are all blending together. That said, when you look below the applications, and look at the identity infrastructure, many things remain the same. Consider a SaaS app like Yes, it’s a 100 percent SaaS cloud application, but it still has an account for every user.

I can provide you with SSO to your account using SAML, but your account still has fine-grained entitlements that need to be provisioned and governed. That hasn’t changed. All of the new generation of cloud and SaaS applications require IAM. Identity is at the center of the application and it has to be managed. If you adopt a mature and holistic approach to that management you are in good stead.

Another great example is the mobile device management (MDM) platforms out there -- a new piece of management infrastructure that has come about to manage mobile endpoints. The MDM platforms themselves have identity control interfaces. It's our job in IAM to connect with these platforms and provide control over what’s happening to identity on the endpoint device, too.

Our job in identity is to manage identity lifecycles wherever they sit in the infrastructure. If you're not on board, you'd better get on board, because the challenges for identity are certainly not going away.

Interestingly, I'm sometimes challenged when I make a statement like that. I’ll often get the reply that "with SAML single sign-on, the passwords go away so the account management problem goes away, right?” The answer is that no, they don’t. They're still accounts in the application infrastructure. So good best practice identity and access management will remain key as we keep moving forward.

Gardner: And of course as you pointed out earlier, we can expect the scale of what's going to be involved here to only get much greater.

Rolls: Yes, 100 percent. Scale is key to architectural thinking when you build a solution today, and we're really only just starting to touch where scale is going to go.

It’s very important to us at SailPoint, when we build our solutions, that the product we deliver understands the scale of business today and the scale that is to come. That affects how we design and integrate the solutions, it affects how they are configured and how they are deployed. It’s imperative to think scale -- that’s certainly something we do.

Gardner: Very good. I'm afraid we will have to leave it there. You've been listening to a sponsored BriefingsDirect podcast discussion on new best practices for managing the rapidly changing needs around identity and access management.

We’ve seen how greater complexity is the chief detriment to secured, governed, and responsive ID management. We've also seen how the tried-and-true principles of ID are still there and need to be maintained, even as we face greater scale and greater complexity across more devices, tiers, and across the extended enterprise landscape.

So I want to thank our guest, Darran Rolls, Chief Technology Officer at SailPoint Technologies in Austin, Texas. Thank you so much, Darran.

Rolls: Thank you, Dana, good speaking to you.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks also to our audience for joining, and don’t forget to come back to the next BriefingsDirect IT discussion.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: SailPoint Technologies.

Transcript of a BriefingsDirect podcast on the basic tenets of identity and access management in a rapidly changing and growing IT world. Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.

Wednesday, December 04, 2013

Identity and Access Management as a Service Gets Boost with SailPoint's IdentityNow Cloud Service

Transcript of a BriefingsDirect podcast on the need for and innovation in improved identity and access management.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on the changing needs for, and heightened value around, improved identity and access management (IAM). We'll examine now how business trends are forcing organizations to safely allow access to all kinds of applications and myriad resources anytime, anywhere, and from any device.

According to research firm MarketsandMarkets, the demand for IAM is therefore estimated to grow from more than $5 billion this year to over $10 billion in 2018. What's driving the doubling of the market in five years? Well, as with much of the current IT space, it's about cloud, mobile, bring your own device (BYOD), consumerization of IT, and broader security concerns.

But the explosive growth also factors the move to more pervasive use of identity and access management as a service (IDaaS).

So join us now as we explore how new IDaaS offerings are helping companies far better protect and secure their informational assets. Here to share insights into this future of identity management is Paul Trulove, Vice President of Product Marketing at SailPoint Technologies in Austin, Texas. Welcome, Paul. [Disclosure: SailPoint is a sponsor of BriefingsDirect podcasts.]

Paul Trulove: Thanks, Dana. Glad to be here.

Gardner: The word "control" comes up so often when I talk to people about security and IT management issues, and companies seem to feel that they are losing control, especially with such trends as BYOD. How do companies regain that control, or do we need to think about this differently? Is it no longer an issue of control?

Trulove: The reality in today's market is that a certain level of control will always be required. But as we look at the rapid adoption of new corporate enterprise resources, things like cloud-based applications or mobile devices where you could access corporate information anywhere in the world at any time on any device, the reality is that we have to put a base level of controls in place that allow organizations to protect the most sensitive assets. But you have to also provide ready access to the data, so that the organizations can move at the pace of what the business is demanding today.

Gardner: The expectations of users have changed. When they can go sign up for a software-as-a-service (SaaS) application or access cloud services, they're used to having more of their own freedom. How is that something that we can balance, allow them to get the best of their opportunity and their productivity benefits, but at the same time, allow for the enterprise to be as low risk as possible?

Trulove: That's the area that the organization has to find the right balance for their particular business that meets the internal demands, the external regulatory requirements, and really meet the expectations of their customer base. While the productivity aspect can't be ignored, taking a blind approach to allowing an individual end-user to begin to migrate structured data out of something like an SAP or other enterprise resource planning (ERP) systems, up to a personal account is something most organizations are just not going to allow.

Each organization has to step back, redefine the different types of policies that they're trying to put in place, and then put the right kind of controls that mitigate risk in terms of inappropriate acts, access to critical enterprise resources and data, but also allow the end user to have a little bit more control and little bit more freedom to do things that make them the most productive.

Uptake in SaaS

Gardner: We've seen a significant uptake in SaaS, certainly at the number of apps level, communications, and email, but it seems as if some of the infrastructure services around IAM are lagging. Is there a maturity issue here, or is it just a natural way that markets evolve? What's the case in understanding why the applications have gone fast, but we're now just embarking on IDaaS?

Trulove: We're seeing a common trend in IT if you look back over time, where a lot of the front-end business applications were the first to move to a new paradigm. Things like ERP and service resource management (SRM)-type applications have all migrated fairly quickly.

Over the last decade, we've really seen a lot of the sales management applications, like Salesforce and NetSuite, come on in full force. Now, there are things like Workday and even some of the workforce management applications becoming very popular. However, the infrastructure generally lagged for a variety of reasons.

In the IAM space, this is a critical aspect of enterprise security and risk management as it relates to guarding the critical assets of the organization. Security practitioners are going to look at new technology very thoroughly before they begin to move things like IAM out to a new delivery paradigm such as SaaS.

The other thing is that organizations right now are still fundamentally protecting internal applications. So there's less of a need to move your infrastructure out into the cloud until you begin to change the overall delivery paradigm for your internal application.

What we're seeing in the market, and definitely from a customer perspective, is that as customers implement more and more of their software out in the cloud, that's a good time for them to begin to explore IDaaS.

Look at some of the statistics being thrown around. In some cases, we've seen that 80 percent of new software purchases are being pushed to a SaaS model. Those kinds of companies are much more likely to embrace moving infrastructure to support that large cloud investment with fewer applications to be managed back in the data center.

Gardner: As you mentioned, SaaS has been around for 10 years, but the notion of mobile-first applications now has picked up in just the last two or three years. I have to imagine that's another accelerant to looking at IAM differently when you get the devices.

We've talked a little bit about SaaS and IDaaS, coming on as a follow up, how does the mobile side of things impact this?

Trulove: Mobile plays a huge part in organizations looking at IDaaS, and the reason is that you're moving the device that's interacting with the identity management service outside the bounds of the firewall and the network. So, having a point of presence in the cloud gives you a very easy way to generate all of the content out to the devices that are being operated outside of the traditional bounds of the IT organization, which was generally networked in to the PCs, laptops, etc., that are on the network itself.

Moving to IDaaS

Gardner: I'd like to get into what hurdles organizations need to overcome to move in to IDaaS, but let's define this a little better for folks that might not be that familiar with it. How does SailPoint define IDaaS? What are we really talking about?

Trulove: SailPoint looks at IDaaS as a set of capabilities across compliance and governance, access request and provisioning, password management, single sign-on (SSO), and Web access management that allow for an organization to do fundamentally the same types of business processes and activities that they do with internal IAM systems, but delivered from the cloud.

We also believe that it's critical, when you talk about IDaaS, to not only talk about the cloud applications that are being managed by that service, but as importantly, the internal applications behind the firewall that still have to be part of that IAM program.

Gardner: So, this is not just green field. You have to work with what's already in place, and it has to work pretty much right the first time.

Trulove: Yes, it does. We really caution organizations against looking at cloud applications in a siloed manner from all the things that they're traditionally managing in the data center. Bringing up a secondary IAM system to only focus on your cloud apps, while leaving everything that is legacy in place, is a very dangerous situation. You lose visibility, transparency, and that global perspective that most organizations have struggled to get with the current IAM approaches across all of those areas that I talked about.

Gardner: So, we recognize that these large trends are forcing a change, users want their freedom, more mobile devices, more different services from different places, and security being as important if not more than ever. What is holding organizations back from moving towards IDaaS, given that it can help accommodate this very complex set of requirements?

Trulove: It can. The number one area, and it's really made up of several different things, is the data security, data privacy, and data export concerns. Obviously, the level at which each of those interplay with one another, in terms of creating concern within a particular organization, has a lot to do with where the company is physically located. So, we see a little bit less of the data export concerns with companies here in the US, but it's a much bigger concern for companies in Europe and Asia in particular.

Data security and privacy are the two that are very common and are probably at the top of every IT security professional’s list of reasons why they're not looking at IDaaS.

Gardner: It would seem that just three or four years ago, when we were talking about the advent of cloud services, quite a few people thought that cloud was less secure. But I’ve certainly been mindful of increased and improved security as a result of cloud, particularly when the cloud organization is much more comprehensive in how they view security.

They're able to implement patches with regularity. In fact, many of them have just better processes than individual enterprises ever could. So, is that the case here as well? Are we dealing with perceptions? Is there a case to be made for IDaaS being, in fact, a much better solution overall?

IAM as secure

Trulove: Much like organizations have come to recognize the other categories of SaaS as being secure, the same thing is happening within the context of IAM. Even a lot of the cloud storage services, like, are now signing up large organizations that have significant data security and privacy concerns. But, they're able to do that in a way and provide the service in a way where that assurance is in place that they have control over the environment.

And so, I think the same thing will happen with identity, and it's one of the areas where SailPoint is very focused on delivering capabilities and assurances to the customers that are looking at IDaaS, so that they feel comfortable putting the kinds of information and operating the different types of IAM components, so that they get over that fear of the unknown.

Gardner: Before we get into some of the details about how you’re approaching this, and what your services can provide, I'm curious about what companies can expect to get when they pursue the full cloud and services panoply of possibilities across apps, data, IT management, and other services. What are some of the business drivers? What do you get if you do this right and you make the leap to the services’ strata?

Trulove: One of the biggest benefits of moving from a traditional IAM approach to something that is delivered as IDaaS is the rapid time to value. It's also one of the biggest changes that the organization has to be prepared to make, much like they would have as they move from a Siebel- to a Salesforce-type model back in the day.

IAM delivered as a service needs to be much more about configuration, versus that customized solution where you attempt to map the product and technology directly back to existing business processes.

One of the biggest changes from a business perspective is that the business has to be ready to make investments in business process management, and the changes that go along with that, so that they can accommodate the reality of something that's being delivered as a service, versus completely tailoring a solution to every aspect of their business.

The benefit that they get out of that is a much lower total cost of ownership (TCO), especially around the deployment aspects of IDaaS.

Gardner: It's interesting that you mentioned business process and business process management. It seems to me that by elevating to the cloud for a number of services and then having the access and management controls follow that path, you’re able to get a great deal of flexibility and agility in how you define who it is you’re working with, for how long, for when.

It seems to me that you can use policies and create rules that can be extended far beyond your organization’s boundaries, defining workgroups, defining access to assets, creating and spinning up virtualized companies, and then shutting them down when you need. So, is there a new level of consideration about a boundaryless organization here as well?

Trulove: There is. One of the things that is going to be very interesting is the opportunity to essentially bring up multiple IDaaS environments for different constituents. As an organization, I may have two or three fundamentally distinct user bases for my IAM services.

Separate systems

I may have an internal population that is made up of employees, and contractors that essentially work for the organization that need access to a certain set of systems. So I may bring up a particular environment to manage those employees that have specific policies and workflows and controls. Then, I may bring up a separate system that allows for business partners or individual customers to have access to very different environments within the context of either cloud or on-prem IT resources.

The advantage is that I can deploy these services uniquely across those. I can vary the services that are deployed. Maybe I provide only SSO and basic provisioning services for my external user populations. But for those internal employees, I not only do that, but I add access certifications, and segregation of duties (SOD) policy management. I need to have much better controls over my internal accounts, because they really do guard the keys to the kingdom in terms of data and application access.

Gardner: We began this conversation talking about balance. It certainly seems to me that that level of ability, agility, and defining new types of business benefits far outweighs some of the issues around risk and security that organizations are bound to have to solve one way or the other. So, it strikes me as a very compelling and interesting set of benefits to pursue.

Let's look now, Paul, at your products. You've delivered the SailPoint IdentityNow suite. You've got a series of capabilities, and there are more to come. As you were defining and building out this set of services, what were some of the major requirements that you had, that you needed to check off before you brought this to market?

Trulove: The number one capability that we really talk to a lot of customers about is an integrated set of IAM services that span everything from that compliance and governance to access request provisioning and password management all the way to access management and SSO.

One of the things that we found as a critical driver for the success of these types of initiatives within organizations is that they don't become siloed, and that as you implement a single service, you get to take advantage of a lot of the work that you've done as you bring on the second, third, or fourth services.

The other big thing is that it needs to be ready immediately. Unlike a traditional IAM solution, where you might have deployment environments to buy and implement software to purchase and deploy and configure, customers really expect IDaaS to be ready for them to start implementing the day that they buy.

It's a quick time-to-value, where the organization deploying it can start immediately. They can get value out of it, not necessarily on day one, but within weeks, as opposed to months. Those things were very critical in deploying the service.

The third thing is that it is ready for enterprise-level requirements. It needs to meet the use cases that a large enterprise would have across those different capabilities, but also as important, that it meets data security, privacy, and export concerns that a large enterprise would have relative to beginning to move infrastructure out to the cloud.

Even as a cloud service, it needs a very secure way to get back into the enterprise and still manage the on-prem resources that aren't going away anytime soon. On one hand, we would talk to customers about managing things like Google Apps, Salesforce and Workday. In the same breath, they also talk about still needing to manage the mainframe and the on-premises enterprise ERP system that they have in place.

So, being able to span both of those environments to provide that secure connectivity from the cloud back into the enterprise apps was really a key design consideration for us as we brought this product to market.

Hybrid model

Gardner: It sounds as if it's a hybrid model from the get-go. We hear about public cloud, private cloud, and then hybrid. It sounds as if hybrid is really a starting point and an end point for you right away.

Trulove: It's hybrid only in that it's designed to manage both cloud and on-prem applications. The service itself all runs in the cloud. All of the functionality, the data repositories, all of those things are 100 percent deployed as a service within the cloud. The hybrid nature of it is more around the application that it's designed to manage.

Gardner: You support a hybrid environment, but I see, given what you've just said, that means that all the stock in trade and benefits as a service offering are there, no hardware or software, going from a CAPEX to OPEX model, and probably far lower cost over time were all built in.

Trulove: Exactly. The deployment model is very much that classic SaaS, a multitenant application where we basically run a single version of the service across all of the different customers that are utilizing it.

Obviously, we've put a lot of time, energy, and focus on data protection, so that everybody's data is protected uniquely for their organization. But we get the benefits of that SaaS deployment model where we can push a single version of the application out for everybody to use when we add a new service or we add new capabilities to existing services. We take care of upgrade processes and really give the customers that are subscribing to the services the option of when and how they want to turn new things on.

Gardner: Let's just take a moment and look at the SailPoint IdentityNow suite. Tell me what it consists of, and how this provides a benefit and on-ramp to a better way of doing IT as a service and business as a service.

Trulove: The IdentityNow suite is made up of multiple individual services that can be deployed distinctly from one another, but all leverage a common back-end governance foundation and common data repository.

The first service is SSO, and it very much empowers users to sign on to cloud, mobile, and web applications from a single application platform. It provides central visibility for end users into all the different application environments that they may be interacting with on a daily basis, both from a launch-pad type of an environment, where I can go to a single dashboard and sign on to any application that I'm authorized to use.

Or I may be using back-end Integrated Windows Authentication, where as soon as I sign into my desktop at work in the morning, I'm automatically signed into all my applications as I used them during the day, and I don’t have to do anything else.

The second service is around password management. This is enabling that end-user self-service capability. When end users need to change their password or, more commonly, reset them because they’ve forgotten them over a long weekend, they don’t have to call the help desk.

Strong authentication

They can go through a process of authenticating through challenge questions or other mechanisms and then gain access to reset that password, and even use some strong authentication mechanisms, like one-time password tokens that are going to be issued, to allow the user to get in and then change that password to something that they will use on an ongoing basis.

The third service is around access certifications, and this automates that process of allowing organizations to put in place controls through which managers or other users within the organization are reviewing who has access to what on a regular basis. It's a very business-driven process today, where an application owner or business manager is going to go in, look at the series of accounts and entitlements that a user has, and fundamentally make a decision whether that access is correct at a point in time.

One of the key things that we're providing as part of the access certification service is the ability to automatically revoke those application accounts that are no longer required. So there's a direct tie into the provisioning capabilities of being able to say, Paul doesn't need access to this particular Active Directory group or this particular capability within the ERP system. I'm going to revoke it. Then, the system will automatically connect to that application and terminate that account or disable that account, so the user no longer has access.

The final two services are around access request and provisioning and advanced policy and analytics. On the access request and provisioning side, this is all about streamlining how users get access. It can be the automated birthright provisioning of user accounts based on a new employee or contractor joining a new organization, reconciling when a user moves to a new role what they should or should not have, or terminating access on the back end when a user leaves the organization.

All of those capabilities are provided in an automated provisioning model. Then we have that self-service access request, where a user can come in on an ad-hoc basis and say, "I'm starting a new project on Monday and I need some access to support that. I'm going to go in, search for that access. I'm going to request it." Then, it can go through a flexible approval model before it actually gets provisioned out into the infrastructure.

The final service around advanced policy and analytics is a set of deeper capabilities around identifying where risks lie within the organization, where people might have inappropriate access around a segregation of duty violation.

It's putting an extra level of control in place, both of a detective nature, in terms of what the actual environment is and which accounts that may conflict that people already have. More importantly, it's putting preventive controls in place, so that you can attach that to an access request or provisioning event and determine whether a policy violation exists before a provisioning action is actually taken.

Gardner: You've delivered quite a bit in terms of this suite's offering this year. Before we hear some more about some of the roadmap and future capabilities, what are your customers finding now that they are gaining as a result of moving to IDaaS as well, as the opportunity for specific services within the suite? What do you get when you do this right?

Trulove: What most customers see, as they begin to deploy IDaaS is the ability to get value very quickly. Most of our customers are starting with a single service and they are using that as a launching pad into a broader deployment over time.

So you could take SSO as a distinct project. We have customers that are implementing that SSO capability to get rapid time to value that is very distinct and very visible to the business and the end users within their organization.

Password management

Once they have that deployed and up and running, they're leveraging that to go back in and add something like password management or access certification or any combination thereof.

We’re not stipulating how a customer starts. We're giving them a lot of flexibility to start with very small distinct projects, get the system up and running quickly, show demonstrable value to the business, and then continue to build out over time both the breadth of capabilities that they are using but also the depth of functionality within each capability.

Gardner: Do you have any instances, Paul, where folks are saying, "We wanted to go mobile, but we're being held back. Now that we've taken a plunge, this has really opened up a whole new way for us to deliver data and applications to different devices and mobile, whether it's the campus setting or road warrior setting." Any thoughts about how this is, in particular, aiding and abetting mobile?

Trulove: Mobile is driving a significant increase in why customers are looking at IDaaS. The main reason is that mobile devices operate outside of the corporate network in most cases. If you're on a smartphone and you are on a 3G, 4G, LTE type network, you have to have a very secure way to get back into those enterprise resources to perform particular operations or access certain kinds of data.

One of the benefits that an IDaaS service gives you is a point of presence in the cloud that allows the mobile devices to have something that is very accessible from wherever they are. Then, there is a direct and very secure connection back into those on-prem enterprise resources as well as out to the other cloud applications that you are managing.

The reality in a lot of cases is that, as organizations add those BYOD type policies and the number of mobile devices that are trying to access corporate data increase significantly, providing an IAM infrastructure that is delivered from the cloud is a very convenient way to help bring a lot of those mobile devices under control across your compliance, governance, provisioning, and access request type activities.

The other big thing we're seeing in addition to mobile devices is just the adoption of cloud applications. As organizations go out and acquire multiple cloud applications, having a point of presence to manage those in the cloud makes a big difference.

In fact, we've seen several deployment projects of something like Workday actually gated by needing to put in the identity infrastructure before the business was going to allow their end users to begin to use that service. So the combination of both mobile and cloud adoption are driving a renewed focus on IDaaS.

Gardner: I know you can't actually pre-announce, and I am not asking you to, but as we consider what you can now do with these capabilities, perhaps you can paint a little bit of a vision for us as to where you think your offerings, and therefore the market and the opportunity for improvement in the user organizations, is headed.

Trulove: If you look at the road map that we have for the IdentityNow product, the first three services are available today, and that’s SSO, password management, and access certification. Those are the key services that we're seeing businesses drive into the cloud as early adopters. Behind that, we'll be deploying the access request and provisioning service and the advanced policy and analytic services in the first half of 2014.

Continued maturation

Beyond that, what we're really looking at is continued maturation of the individual services to address a lot of the emerging requirements that we're seeing from customers, not only across the cloud and mobile application environments, but as importantly as they begin to deploy the cloud services and link back to their on-prem identity and access management infrastructure, as well as the applications that they are continuing to run and manage from the data center.

Gardner: So, more inclusive, and therefore more powerful, in terms of the agility, when you can consider all the different aspects of what falls under the umbrella of IAM.

Trulove: We're also looking at new and innovative ways to reduce the deployment timeframes, by building a lot of capabilities that are defined out of the box. These are things like business processes, where there will be a catalog of the best practices that we see a majority of customers implement. That becomes a drop-down for an admin to go in and pick, as they are configuring the application.

We'll be investing very heavily in areas like that, where we can take the learning as we deploy and build that back in as a set of best practices as a default to reduce the time required to set up the application and get it deployed in a particular environment.

Gardner: Well, great. I'm afraid we'll have to leave it there. You've been listening to a sponsored BriefingsDirect podcast discussion on the changing needs for and heightened value around improved IAM, and we have seen how explosive expected growth and change is forcing a move to a more pervasive use of identity and access management as a service, or IDaaS.

And, of course, we've learned more about SailPoint Technologies and how they're delivering the means for organizations to safely allow access to all kinds of applications and resources anytime anywhere and from any device.

With that, I'd like to thank our guest, Paul Trulove, Vice President of Product Marketing at SailPoint Technologies. Thanks, Paul.

Trulove: Thank you, Dana. I appreciate the time.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. A big thank you also to our audience for joining us, and a reminder to come back and join us again next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: SailPoint Technologies.

Transcript of a BriefingsDirect podcast on the need for and innovation in improved identity and access management. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

Monday, October 27, 2008

Identity Governance Becomes Must-Do Item on Personnel Management and Security Checklist

Transcript of BriefingsDirect podcast on the identity governance and best practices for IT systems access provisioning.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, a sponsored podcast discussion about a serious and potentially catastrophic set of issues for many companies. I’m going to be talking about security and risk aversion around personnel, applications, and IT systems. We’re looking at how companies can more properly manage identity information and access rules for the users of applications and systems. We will also develop an understanding of a new class of solutions to this growing problem.

The goal is to work more toward identity governance, a step above simply giving access and privileges, and of getting pro-active in managing access across multiple dimensions in a business.

We use the word “governance” because it helps to develop an appreciation for the large-picture solution of properly provisioning users, giving them the right level of access privilege, and then being able to exercise lowering risk from the people, process, and systems perspective -- a comprehensive control and monitoring capability.

These issues and risks are reinforced these days by the sudden and unexpected financial pressure affecting many banks. There are dislocations, mergers, acquisitions, and most likely significant downsizing. There are a lot of bright people who have access to a lot of very sensitive systems. These are very powerful applications. If there were ever a need for identity governance, this would be it.

To help us better understand these issues and some of the newest solutions around identity governance, we are now joined by two executives from SailPoint Technologies. We’re talking with Mark McClain, the CEO and founder, and also Jackie Gilbert, the vice president of marketing and also a founder at SailPoint Technologies. Welcome to you both.

Mark McClain: Thank you, Dana.

Jackie Gilbert: Thanks, Dana.

Gardner: There was a time, and it doesn't seem that long ago, when folks would get themselves a directory and provision people on and off of IT systems through that. It was fairly straightforward. A limited number of people in IT managed this. But it seems that times have changed fairly rapidly. Mark, help me understand what's different now. Why do we need this more holistic governance approach to identity issues?

McClain: Sure, Dana. That's an accurate representation of where the market has evolved to, or it's continuing to evolve to. Some of this has been around for quite some time. It was probably initially referred to in many people's minds as a concept of user management, when we first went to distributed computing, and we had all these challenges of managing a whole bunch of identities on systems that were distributed around the enterprise, as opposed to a single well-maintained mainframe or something like that.

The advent of distributed systems, and, to some degree, the Internet drove us to seek how to secure the open enterprise. That was a challenge, as you said, of a lot of provisioning and de-provisioning of accounts, focused on operational efficiency, because it became a very costly solution in many organizations.

They understood that they had some security risk, but many times, their biggest concern was how much it was costing to manage, and also the very poor quality of service that, in many cases, was being offered to their users and partners. Someone would start with the company and not get everything they need to do their job for a few weeks, which is highly unproductive and quite costly.

But then I think if you look back over most of this decade, back to the turn of the century – it’s still funny to say that phrase – you see a series of issues with breaches. There’s been a series of issues with fraud or potential fraud, everything from Enron to things that happened with other companies where there are questionable practices, and then various clear issues of fraud or criminal activity.

And all of that together has brought about a new focus on privacy, financial oversight, and good governance, which is, in many cases, all related to the management of risk.

It comes down to how we get a good handle on who has access to what in our enterprises -- which critical data and applications are exposed to which people? The better we understand that, the better we can understand the actual potential risks we have in sharing that information or allowing it to go sometimes outside of our four walls.

In many ways, this focus on governance has been driven by those kinds of things. Now, in the current situation, as you just said, there is lots of churn in the financial markets and in the companies that make up those markets, where people are potentially moving inside of companies, changing jobs, lots of potential lay-offs happening.

That's when these issues of good governance, good controls over who has access to which critical information become very, very acute. That's because people are very sensitized to, "Hmm, if I get a disgruntled employee who may reach back and do something negative, do I have people who have been moved around quickly in a state of churn and now they have access to multiple things that they shouldn't?"

It's these segregation-of-duties challenges. There are lots of issues that we can continue to talk about, but I think it's a well-understood pain-point that's getting more intense all the time as we see kind of more churn and concerns in the markets.

Gilbert: To add to and build on what Mark just said, the other thing that is unique in the current phase we are in, which is all about oversight, audit, risk-management, is that it has created a need for more and more people from the business side of organizations to become involved with identity management – and that has real implications.

When you are just focused on automation and making processes more efficient, that stays within the realm of IT and can be very much a focus for IT tools and technical users. Now, you have executives, boards, and business managers, who are being asked to be accountable and to gauge the risk and the effectiveness of controls around identity.

Those people are being asked to use tools and approve, certify, and deem whether access privileges and the accounts the users hold are correct, and do not place businesses at risk. So, if you think about it, it has actually forced the marriage of business and IT all around this issue of identity governance.

Gardner: I suppose it's not that people are any better or worse than they used to be, but that these systems are extremely powerful. One person with access to some trading applications, for example, can suddenly lose $5 billion. Right?

McClain: Absolutely. As to your comment there about the nature of people, you'd hope that the fundamental moral fiber of the country hasn't declined. But having said that, there are a couple of interesting things that have changed.

One is that the world of hackers has evolved from seeing what they can get away with to prove their technical prowess, and has now really migrated to a fairly significant level of organized-crime involvement.

We've heard stories from companies of their employees being solicited by criminal elements to give up information. There were people getting phone calls saying, "Hey, would you be willing to sell access to your systems for some amount of money? Are you in credit trouble? Are you having financial difficulties?" People are soliciting employees to perform criminal behavior for money, which is a completely new element in the last 5 to 10 years, for sure.

Gilbert: A recent example of that was at Countrywide Financial. There was just some recent news this week about the arrest of a former employee who was actually selling Social Security numbers and mortgage information over a two-year period to the black market. This person admitted, I think, to receiving more than $70,000, by just selling this proprietary information. I think over 45,000 people were compromised that were Countrywide customers, and this isn't an isolated example.

There have been many cases of bank employees selling customer information to collection agencies. So I think what Mark was referring to is that there is actually more temptation and more opportunities to commit fraud now because there is a market for it.

Gardner: So, that means that we need to plug these holes and almost develop the ability to forecast vulnerabilities in advance – and that cuts across a chief security officer (CSO), the IT people, line-of-business people, and the human resources department. So who owns identity governance, if it, in fact, cuts across so many different aspects of a large enterprise?

McClain: It's a good question. I think that's one of the challenges that businesses are wrestling with today. As Jackie pointed out earlier, we saw, when we were focused on the identity provisioning challenges a number of years ago, that it was kind of the help desk and the security group, all within IT, that were wrestling with the problem. Now, you have those constituencies as well as two or three key others.

We now have the auditors, both internal and external, and/or the compliance people who want to have a say, or a seat at the table, to talk about how well we are managing these kinds of access privileges and what risks are involved, when they are not managed well.

You certainly have the business people paying attention now because you have senior management who are highly motivated to avoid being the next headline. They don't want their company showing up out there with Cox Communications, the IRS, Wachovia, and any number of companies like Dupont, which have hit the headlines in the last two or three years with some sort of significant breach related to access.

Business people are very tuned-in to the risk and the potential for fraud, or the potential for abuse – and they are motivated. Your ownership questions are good ones, Dana. This is such a rapidly evolving challenge, but all those people are certainly at the table.

There is a little bit of a hot potato now going on where IT and security groups are saying, "Hey, I am not going to sign up and own this problem entirely, because I don't have the business context to know exactly what does or doesn't represent risk. You business people have to define that for us."

Gardner: It's tough to be responsible for something that you don't have authority over.

McClain: Absolutely.

Gilbert: One of our customers at a financial institution, the vice president of IT, told me that he has become more savvy and is actually pushing back on the lines of business. He said that when the IT auditor comes in and shows a bunch of red ink, he says that his counterpart in the line of business needs to help own and resolve this issue because IT alone really doesn't have the knowledge that it takes to figure out where is the risk and how to mitigate the risk.

Gardner: As we've seen in other aspects of maturing business processes and IT, solutions often involve bringing enough information up to the right people, through management consoles, analysis, and good data. How do we give whoever becomes the owner of this problem, or perhaps those managing a federated approach to the problem, the tools, the visibility, and the comprehensive access that they need to the right information? What is our first step toward the solution here?

McClain: You partially answered your own question, because you used the word "visibility," which we think is one of the three core pillars of this emerging segment of identity governance. It starts first and foremost with visibility. As a business person or even as an IT or control audit person, I can't define and manage the risk in my organization, unless I understand the current state of the union.

So it really does start with answering the fundamental question that most companies wrestle with, which is "Who has access to what?" One of my customers has joked about the fact that on the day you start with the company, you have access to nothing, and on the day you leave, you have access to everything. Quite often, the only person who actually knows all of the access privileges I may have after 15 years at a company is me.

There have been multiple groups I have moved through, multiple help desks, and IT organizations that have been part of granting me access over the years. So, it's quite probable that, literally, only I understand all of the privileges I have as an employee -- and that's a problem.

This problem starts by helping customers understand the criticality of gaining visibility across critical applications and data for who has access to what. We have to be able to correlate and aggregate a lot of technical information. We have to figure out that "D Gardner" and "Dana G" and "Dana_Gardner" are, in fact, the same person, and then correlate all the privileges that you have into a single view, so I can at least start with visibility.

Gilbert: If you think about it, for most Fortune 1000 companies that is a very difficult thing to do – just based on the fact that they have tens of thousands of employees, and hundreds -- maybe even thousands -- of applications that span mainframes, UNIX, Windows, and custom and packaged applications. The more complex and varied the IT is – and the bigger the company is – the more frequent the churn of people.

Some industries have 30-percent churn, with people coming in and out of the organization. All that makes this an extremely difficult problem, as Mark said, just getting proper visibility.

Gardner: Are we talking about this problem in a way that we are going to just grab all of this information, data and access information, and then put it all in one big, honking repository to manage it centrally?

Or are we talking about, "Let's leave the access privileges and controls where they are, but elevate the metadata and put that into some sort of a management framework that we can act on"?

McClain: We would say it is the latter. In other words, efforts to completely centralize all of the real-time access control, real-time authorization of who can get to what have almost always failed.

There were a number of projects years ago, where people were going to create one enterprise directory. What you find now is that a lot of the more modern applications do rely on a directory, and that directory has become more standardized and more carefully managed. We would say philosophically that this is really more like a business intelligence (BI) application.

In that sense, I want to leave the operational data in the transactional systems that it belongs to. Yet, I have to be able to pull out of that, aggregate it, and put it into a repository that can be searched and cross-referenced across all the information, so that I can get that visibility.

By the way, a highly related point here is, if I just aggregate and correlate all this information from all the underlying systems – like Jackie said, from the mainframes and directories and Windows and UNIX servers – just getting it in one place is only part of the problem. The other huge part of the problem is giving it the right business context.

That's because one of the dirty, dark secrets today is that governance and compliance have become harder, and auditors have been forcing more frequent and periodic review of the access information. Quarterly or annually, these managers and applications owners need to re-certify who has access to what.

Another dirty secret in the industry right now is that managers and applications owners must sign off on these reports, but they don't understand them, because those reports are generated out of the IT systems and they are incomprehensible to the business people.

Knowing that Dana has access to "server FQ 93T" doesn't tell me much of anything about what Dana can do. If I can understand that that server actually is the front end to the accounts payable system, then now I know something about whether that's appropriate for Dana to have access to.

A second core pillar that we've spent a lot of time talking to our prospects and customers about is this concept of business context. Not only do they have to aggregate and correlate visibility across everything they do, I, as a customer, need to give it context so I can understand the business risks and the criticality of the information that you can access.

Gilbert: Part of the way that context is accomplished can be as simple as just providing business-friendly descriptors for entitlements. We also use the context of business roles, so that we can take a group of entitlements and assign them to a business role.

For example, a "database administrator in the Austin region" gets these types of privileges. By making that linkage and creating that higher level of abstraction around a role, we can ask people to approve whether "Joe" should be in that particular role. And they are much more likely to understand that than they are just looking at the low-level entitlements, and trying to make an intelligent decision about whether that is appropriate.

Gardner: I’m fairly clear that we have a distinct problem here, and that we are not going to solve it through a central forced march into a single approach or product. And, I understand that the identity governance solution has to be understood in the business context.

I guess what I am not clear about is how we actually go out and get this information, make it visible, get that single view of the employee, and then create the opportunity for execution and action against that information?

Gilbert: As Mark said, it's pretty analogous to BI and even data warehousing or data mining, if you will. Our approach is to take a very lightweight, read-only access to the data. We pull entitlement data and account data from applications and servers throughout the enterprise and we aggregate that into what is basically an entitlement warehouse.

We physically create a common data view of users and their entitlements. What that gives you is not only the visibility in one, single place, but it gives you the business context to better understand it. And it allows us to do some automation of controls and policy enforcement, and some risk assessment. It's amazing the value you can derive, once you get the data all in one place and normalized, so that you can apply all kinds of rules and logic to it.

For example, we can much more easily send and route that information around to the people who need to approve access or review it on a quarterly basis. And, it's all in one place. They’re not getting a single spreadsheet per application. They’re getting it all centralized per employee or per application, however they want to see it.

We can also scan that data, looking for policy violations. A good example of that would be what we call "toxic combinations," such as “you can't have an employee who both has the ability to set up a vendor and pay a vendor.” Those are two different access privileges that together indicate a high potential for fraud. So by combining all the entitlement data into one single database, you can much more easily scan for and detect potential policy violations and also the potential for risk to the business.

Gardner: I suppose carrying on with that analogy about BI, that the same information, those same rules, can be used by a number of different constituencies in the organization, whether it's provisioning, personnel, security, or compliance. It all seems to have a common reach, but a differentiation in terms of how people can then use it.

McClain: Yes, I think that's right. The idea is that once you have defined business roles, once you have defined access policies, these segregated duties, and "toxic" combinations, that's useful information, whether you are doing annual or quarterly re-certification processes, but also when you are taking on a new employee or adding a new partner or something.

You want to be able to refer to those kinds of systems, that data of who has access to what and which are the appropriate policies, what are the appropriate combinations to avoid. So that if I’m going to provision someone, for instance, to a new system, or give them new entitlements, I can check it against that same repository of information on the users and the policies that I care about. I can make sure I’m not creating any problems at the time that I grant access.

Gardner: You can use this identity governance, of course, for prevention and insight. But, it also sounds like it would be very powerful, if we were doing a merger and acquisition (M&A), or if I were forced, tough as it may be, to fire everybody and then re-hire them under a different ownership or structure. Trying to do something like that without this sort of comprehensive information set would be really onerous.

Have you had any customers or use-case scenarios where people have used these ID governance systems to that degree, and what sort of paybacks have they seen?

Gilbert: That's a really good point. In fact, M&A activity is a use-case that we have seen with our customers.

A typical example would be that one bank has just bought another bank, and there is going to be a gradual process of integrating the new bank into the larger bank. During that time, we want to manage the population of users in a very shared way, so that a certain set of people will maintain access to just the old bank and then others will get merged access to the combination of the two banks.

Then, for people who potentially are being laid off or replaced as part of the M&A, we are going to manage them with potential risks in mind. So, we are going to limit their access and we may want to monitor their activity.

We actually provide a tool to segment user populations and then manage them differently in terms of the kind of controls and monitoring that we would allow the company to provide around that M&A acquisition activity.

Gardner: When it comes to implementing something like this, and I believe your product is called SailPoint IdentityIQ 3.0, is this strictly a product approach, or is this professional services and consulting or some level of competency or skill-sets within the organization's combination? I suppose the question is how much of this is actually accomplished by the product, and to what degree is the user company's skill sets required?

McClain: We would love to say you drop it in and it works, but it's not quite that simple. Many times, this is a fairly substantial project, although the ability to get to value quickly is something we've demonstrated with a number of our companies. We work with them to scope an appropriate size project, some limited number of applications or users – to show how the technology can significantly help them with these processes of certification or managing roles or better risk management.

But, quite often there is a fairly significant consulting part of the conversation, because ultimately this is an opportunity to bring these constituencies to the table, sometimes for the first time. The auditors, the application people, and the IT security people sit down and say, "What do we want to accomplish here? How can we best provide good governance, meet our compliance requirements, and manage our risks appropriately?"

So, there is often a very beneficial set of conversations that come out of that. Then, of course, the challenge of our tool, of our software, is to capture those policies, capture those things in the product.

We have definitely seen very significant payback conversations because of the amount of manual effort and money being spent on these projects, particularly the Sarbanes-Oxley related certification projects, where not only can we save the companies a great deal of money – either in "soft" dollars internally or "hard" dollars being served with consultants.

But frankly, one of the things we hear consistently is that SailPoint IdentityIQ 3.0 is a big frustration reducer for the business.

This is a very significant source of pain and frustration in the business community today. Even if it's not purely a financial justification that we are able to give the customer, sometimes their eyes light up with, "Oh, wow, if I could give this to my users (the line of business or the auditors), they would be so much happier doing what they are doing today." So quite often there is a very significant emotional payback, I'll call it, as well as a financial payback in this kind of a solution.

Gardner: Often, risk reduction and security management is a large undertaking that requires organizational and cultural shifts, and that can involve such things as the Information Technology Infrastructure Library (ITIL), and how to re-engineer your processes within the IT department itself. Granted that these are complicated and large undertakings, let's just drill down on the product itself: what does the SailPoint IdentityIQ product do in terms of "picks and shovels" that these other practitioners can put to use?

Gilbert: We've touched on a few of these points before, but a big area we contribute to is in automating some of the types of controls that would be defined by a framework like ITIL, Control Objectives for Information and Related Technology (COBIT), or some of the frameworks that attempt to say, "Here's a common set of good practices that we've captured, and many of these really involve best practices and business processes for improving security controls."

SailPoint’s automated workflow replaces the manual paper-based quarterly review of access. It provides you with a much more effective set of controls that are predictable, but customizable.

We have one customer who was doing quarterly reviews. They would spend most of the quarter compiling the data, reviewing it, and then manually reconciling it. Then, they would have one or two weeks of a break before they would start the process over again.

So, as Mark said, one of the things that really helps is that we are coming in and replacing something that is painful, onerous, and not very reliable, where people have low confidence. We are replacing that with a set of controls that is much more in line with the sort of recommendations you would see coming out of an ITIL or a COBIT, in terms of how you align controls to reduce risk and how you perform these kinds of activities in a way that is reliable and predictable.

Gardner: Examples often help, but I don’t suppose there are a lot of people jumping up and down saying, "I'm really a high-risk over here!" So, there are not too many companies that you can trot out and say, "Well, we took them from 90 percent risk to 20 percent risk.” But are there any examples of how this has worked, and perhaps some of the paybacks, both business terms and even IT terms of how people have benefited?

Gilbert: A couple of examples come to mind. One of our customers, again a financial services company, went through the first quarterly certification process across dozens of Sarbanes-Oxley relevant applications. In that very first round of review, they detected that, on average, 20 percent of the entitlements for their users were inappropriate and needed to be revoked.

That’s the kind of benefit of oversight you're getting right out of the gate. Once you have the ability to see the data and see it with the right context, you are much more productive at spotting what needs to be taken away and what is inappropriate.

IT audits uncover many of these problems. Another customer was written up by their auditors because they concluded – just based on a sampling – that the access data for the corporation was, on average, only 70 percent accurate, meaning that 30 percent of it was erroneous or incorrect.

These cases are easy to quantify, and you're getting this immediate benefit of data clean-up and removing inappropriate access. We call it entitlement creep, that's our expression for it over time. People transfer, they change jobs, they need temporary access to some system for a project – and it never gets removed.

Part of what you are getting right out of the gate is the ability to say, "Hey, Joe doesn't really need this. He's not even in the accounts-payable department anymore," but he still has all the system access.

Gardner: Have there been any unintended positive consequences from using this? That is to say, for people who have put identity governance in place, did they get what they were expecting, but also more? Were there other ancillary payoffs that people have enjoyed?

McClain: That’s an interesting question. I certainly think this idea of happier users is one. IT is so consistently under-appreciated, under-loved, under-paid. When they can provide a tool to the business user that makes the job simpler, faster, easier, especially for something like these audit processes or certification, re-certification processes, that no one looks forward to, I think that's always a win for the IT staff in particular.

I have made something you have to do easier and quicker and less painful. That's quantifiable, but under the given consequence of an improved relationship between IT, security groups, and the users. Also, the relation between internal audit and many of these groups has become fairly combative. You talk to people that have been around IT for years now, and they say, "Look, it's not like we are buddy-buddy with our auditors, but we all were sort of working together, trying to make sure that the company was being well-governed."

We have a few cases that became very combative, with a lot of anger. One person said, "Oh, you mean the ‘A word’" about the group of auditors that they were talking to. What we are finding is that this helps them get back to, "Look, aren't we all trying to accomplish an objective here of better risk management, better governance?"

One of the things that our customers have told us is that they are so focused on just getting through the audit to check the compliance box, people have lost sight of why we were doing this stuff in the first place. Ultimately we're trying to mitigate and manage risk. We’re trying to provide good repeatable processes and good governance, so the right people have the access they need to do their job correctly, and only the access that they need to do their job correctly.

So often, we've gotten away from that. It's become just, "I have to get through this process to check the box, to meet the audit by this date." It's become a must-do that has lost sight of its original objective, in many cases.

Gilbert: You mentioned the culture issue earlier. To be honest with you, we find a lot of people that may be talking about risk management, but inside most IT departments, it is really hard to understand how to put that into action.

Because we give them the ability to begin aggregating the data, doing certifications and revoking and solving policy violations, they can automatically accumulate risk data, allowing them to profile their users by risk. I think people are looking for ways to put a risk-based approach into action. What does that mean to me as an IT practitioner? I think there is a desire to get to that, but there is really a struggle on how to quantify risk, and put risk management into practice.

Gardner: As we’re wrapping up, it's interesting to look at the future. This is a fast-moving space. When we look to identity governance, say two or three years from now, is this a case of the role growing? Is there a larger payback or a productivity benefit, or are we just going to make what we've got in terms of the problem set work better? What does the future hold?

McClain: The one that we've debated around here, that I think might be useful, is that there is this acronym that's fairly prevalent out there, GRC (governance, risk management and compliance). Oracle has a GRC suite, IBM has a GRC suite, SAP has a GRC suite. And we've joked about the fact that if you were to look at that from a chronological standpoint, it should have been CRG instead of GRC. Meaning a lot of the focus for the last few years has been on compliance. How do I either reduce the cost and complexity of it? How do I meet the audits more quickly and effectively, and just this huge focus on getting to the audits and all that stuff.

People would tell you that they have compliance relatively under control now. They are generally passing their audits. They generally are not having big material deficiencies, but they sure would like to take cost out of the process and get away from so much manual work, to more automation.

This risk management, the R of CRG, seems to be emerging now, as we've talked a lot about today. I think senior management is sitting on their perch in the CxO suite. "So, we've spent all this money on security, we're supposedly compliant, why do we still have these breaches?"

Most big companies are still experiencing breaches, most of which don't hit the press, but some do. So, I think they are starting to ask the fundamental question of, "So we are compliant, but we still have risk. We're not managing well. What are we going to do to get better about that?"

Governance, which I think is the focus of our talk today, is in some ways an umbrella over all that this incorporates, and then hopefully moves to just good, sound, repeatable business management of identity and access. How do I place policies? How do I provide a risk matrix, as Jackie was just talking about, that enables me to understand, measure, and manage risk?

I think really we are seeing the shift from the C, kind of through the R of GRC. People are just sort of half a foot in the water, half a tail in the water, on the risk management side of it. And, to your point, what does this look like three years from now? I'd like to think a lot of companies are using some risk matrix to address these issues.

They hopefully have compliance well under control. They can pass their audits. They can generate the reports in a timely automated fashion, and they're moving to more sophisticated governance or clarity around the business policies and how those affect the underlying IT systems. So I think it's kind of that progression from the C to R to G, flipping the acronym upside down.

Gardner: Well, great. I have certainly learned quite a bit, and have a much better appreciation for why identity governance needs to happen. I have certainly been in cases in my jobs where I've gone from one department or unit to another and I still had access to all those other applications.

McClain: Fortunately you are a high-ethics guy and you didn't view it.

Gardner: Yes, right, I didn't do anything bad about it, but I could see where that's certainly a risk.

McClain: Exactly.

Gardner: Okay, we are talking about identity governance and risk, and how to come to more of a solutions focus around this. We've enjoyed the talk. It’s a sponsored podcast today with Mark McClain, CEO and founder, and Jackie Gilbert, vice president of marketing and founder, at SailPoint Technologies. I want to thank you both.

McClain: Thank you, Dana.

Gilbert: Thank you.

Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You have been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time for more in-depth discussions about enterprise software and strategies. Thanks, and bye for now.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod. Learn more. Sponsor: SailPoint Technologies.

Transcript of BriefingsDirect podcast on identity governance and best practices for IT systems access provisioning. Copyright Interarbor Solutions, LLC, 2005-2008. All rights reserved.