2010 Market Pulse Survey: Moral Grey Area Exposes Companies to Data Theft

SailPoint recently announced the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:

  • Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.
  • Interestingly, only 16% said they would take office supplies with them.
  • 49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.
  • Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.

For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing”. I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.

So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.

At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s IdentityIQ, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also makes sure that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and also provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.

What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand webinars (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2nd edition of our Identity Governance Buyer’s Guide.

Feet on the Street: Burton Catalyst

Last week, the SailPoint team attended the Burton Gartner Catalyst show in San Diego. The event was very well attended, and it presented a great opportunity to hear from the analysts and connect with our customers and prospects in between sessions and during our Mad Hatter’s identiTEA Party hospitality suite.

On day one, keynote speaker John Seely Brown kicked off the conference with a thought-provoking session designed to shake people out of complacency. His presentation, “Forging Ahead: Navigating the New Normal,” argued that today’s enterprises aren’t hacking it. He showed some pretty compelling statistics: plummeting return on assets over the last 65 years and S&P company life spans dwindling to less than 10 years, on average. In order to stop this nosedive, he argued, enterprises must transition from being “push” to “pull” institutions. He explained that this means adopting more decentralized, modular and loosely-coupled business models, where the goal is more collaboration than control. He urged the audience to embrace technologies (like cloud computing and social networking) that will help them evolve away from “closed, proprietary models,” mobilize resources on demand and participate in “idea flows” with external parties. There was a lot to think about from this presentation, let me tell you!

Many of the Catalyst sessions that followed Seely Brown built upon his theme – offering a mix of the theoretical and the pragmatic. In many sessions, cloud computing was the focus, and many questions were raised about how to separate the hype from the reality, and how to embrace change while managing new sets of risks. In one session, Bob Blakley and Ian Glazer acknowledged that cloud computing can deliver cost savings, but for some technologies like user provisioning, it’s premature to move them to the cloud because there’s not a lot of benefit – yet.

In another session, Lori Rowland staged a mock “intervention,” urging the industry to adopt a new way of thinking about provisioning. Although Lori acknowledged that provisioning has had some successes, she pointed out that the technology has become bloated over the years, is notoriously hard to integrate, and relies on proprietary connectors that have to be addressed every time an app is updated/changed. The session echoed a lot of what Lori said during SailPoint’s “Rethinking Provisioning in 2010 and Beyond” webinar in May. We agree wholeheartedly with the need for a new approach to provisioning, which is why we introduced a next-generation provisioning solution earlier this year.

For SailPoint, perhaps the highlight of the Catalyst conference was hearing – from analysts and end users – that identity and access governance has fully established itself as a market. In just four short years, our conversations with customers have evolved from explaining the concept of identity governance to hearing customers present successful case studies about it. In fact, my next post will be recapping a case study that one of our customers, Sallie Mae, presented last week at Catalyst.

Did you attend Catalyst? What was the highlight for you?

Attention Sun IdM Customers – What’s Your “Plan B”?

A little more than a year ago, the industry was surprised to hear that Oracle planned to acquire Sun Microsystems. Immediately, Sun customers began to wonder about the future of their existing IdM investments. It took another several months for the acquisition to be finalized, and then even more before Oracle began to roll out its product roadmap. Now, after 15 months of uncertainty, Sun customers are starting to realize what many of us already knew – it’s the beginning of the end for Sun IdM: Oracle plans to stop supporting the Sun IdM product in 2014 and will only be making minimal updates in the meantime.

Understandably, this puts Sun customers in a quandary. Most of them have invested substantial resources in their Sun provisioning implementation, and are now being asked by Oracle to start over. Many legacy provisioning vendors (including Oracle) are currently offering “free” licenses for a “rip and replace” solution, but customers still face the prospect of significant maintenance, deployment and integration costs. At its core, this “free” offer essentially means customers will take one decade-old technology and replace it with another one.

The most successful people are those who are good at Plan B. – James Yorke (mathematician)

Fortunately, there’s an alternative available. This week, SailPoint launched www.IdentityPlanB.com to provide companies with a Plan B for provisioning. SailPoint’s Sun Migration Program allows Sun IdM customers to transition to a next-generation provisioning solution in a gradual, methodical way. SailPoint enables customers to immediately leverage a governance layer that complements their existing Sun provisioning implementation, extends the reach of that implementation beyond the resources being provisioned today, and provides a roadmap to move away from Sun without starting over or disrupting the business.

The reality is that companies need to transition away from Sun IdM. But starting over isn’t the only option – there’s always a Plan B.

Note: The SailPoint crew will be at Burton Catalyst this week. If you’d like to talk more about migrating away from Sun, please join us on Wednesday in our hospitality suite, Aqua West Foyer, Room 306A.

Oracle’s 11g Falls Short for Today’s Identity Governance Needs

For some time, I’ve been watching Oracle’s marketing machine tout the impending arrival of Oracle Identity Manager 11g – a reportedly “revolutionary” suite of IdM products. I saw the OIM 11g announcement this morning and spent more than a few minutes digesting its contents. I have to admit that I was curious whether Oracle would move the IdM market significantly forward. But if you were looking for answers to some of today’s most pressing identity management issues or innovative new features, I think you’ll find that the focus of 11g lies elsewhere.

At its core, the release is focused on “Oracle-izing” OIM and making it work more seamlessly with Oracle’s other software products. If you’re a born and bred Oracle customer and you’re comfortable being a few years behind in technology, then this might sit just fine with you. But if you were looking to address the modern era of governance and provisioning challenges, this release doesn’t do much to help you.

Secondly, from what I can tell, the major advancement Oracle is making in integrating its identity management offerings with each other seems to be largely at the surface level. They are promoting features such as “common install,” “common configuration management” and “common reporting.” Nowhere does it mention that they have resolved the multiple role models that exist between OIM and Identity Analytics, nor the multiple identity repositories the various components of the identity suite require. As an example, when roles, policies or identity data change in one product, they must be manually “synchronized” in the other. These deficiencies and their associated challenges cause deployment headaches, increase complexity and are generally a major pain for customers.

Finally, it’s clear that Oracle’s strategy is to compete head-to-head with IBM, SAP, and Microsoft to be the leading integrated stack vendor. As a consequence of that focus, Oracle has prioritized integration features that “unite the stack” ahead of creating a seamlessly integrated IdM suite or delivering innovative new functionality to help customers address urgent compliance and operational issues. As a natural outcome of corporate priorities, Oracle has fallen behind in delivering integrated compliance, roles and provisioning.

Unfortunately for Sun IdM customers in particular, this is going to become painfully clear over the next year or two while Oracle continues the “Oracle-ization” of its identity suite (does anyone remember how Access360 went dark after IBM acquired it?). Oracle will first strive to rationalize the acquired technology into the stack, while “Sun”-setting others (like Sun Identity Manager). Given all this, it’s very likely that Oracle’s IdM technology will lag behind in functionality and integration between its components.

Most of the companies we talk to don’t have the luxury of waiting a few years to address today’s evolving governance, risk and compliance challenges. They have immediate business problems to solve and are looking for specific technologies to address them in the near term, not a long-term rearchitecture of their corporate infrastructure with the hope of someday addressing these needs.

Don’t Underestimate the Risk of Privileged Users

A few weeks ago, I was out on the West Coast talking to companies about privileged user management and identity governance with our technology partner, Cyber-Ark. This is an area of real concern for lots of organizations – and rightfully so. During our meetings, we exchanged real-world “horror stories” about insider fraud and sabotage. One of the most interesting ones was a case that went to trial last year in Texas. This case clearly illustrates the challenge of putting in place appropriate controls over privileged user access.

The IT director of a nonprofit organ donor center for more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she set up previously without anyone’s knowledge.

Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company’s organ donor database server and main accounting server. Over the next several hours, she deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers – making it impossible to identify the individual files and applications she deleted.

What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she had had previous access. So what more could a company do to prevent incidents like this? Here are some ideas:

  • Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.
  • Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans,” and duplicate accounts (an employee with more than one account on a single system) can be flagged for immediate remediation.
  • Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.
  • Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.

Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be imported into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.
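The detective controls described in the list above (orphan and duplicate detection, a review triggered by a change in employment status, and a risk score that rises with privileged access) come down to correlating an account inventory against an authoritative HR feed. The following Python is an added illustration of that correlation, not IdentityIQ or Cyber-Ark code; the HR records, account inventory, field names and the risk weights are all constructed for the example.

```python
from collections import Counter

# Constructed HR feed (the authoritative source): employee id -> record.
HR = {
    "e100": {"name": "Alice", "status": "active", "manager": "e001"},
    "e101": {"name": "Bob", "status": "active", "manager": "e001"},
    "e102": {"name": "Carol", "status": "terminated", "manager": "e002"},
}

# Constructed account inventory, as mined from the target systems.
# "owner" is the employee id the account was correlated to, or None when
# the account could not be tied to a person (shared/service accounts).
ACCOUNTS = [
    {"system": "ad",  "account": "alice",   "owner": "e100", "privileged": False},
    {"system": "ad",  "account": "alice2",  "owner": "e100", "privileged": False},
    {"system": "ad",  "account": "bob",     "owner": "e101", "privileged": False},
    {"system": "db",  "account": "bob-dba", "owner": "e101", "privileged": True},
    {"system": "vpn", "account": "carol",   "owner": "e102", "privileged": False},
    {"system": "vpn", "account": "itadmin", "owner": "e999", "privileged": True},
    {"system": "db",  "account": "root",    "owner": None,   "privileged": True},
]

ACCOUNT_WEIGHT = 1   # assumed weights; tune them to your own risk model
PRIV_WEIGHT = 5


def is_active(owner, hr):
    """True only when the owner is a known employee whose HR status is active."""
    return owner is not None and hr.get(owner, {}).get("status") == "active"


def find_orphans(accounts, hr):
    """Accounts that do not map to an active employee: unknown owner,
    terminated owner, or no owner at all (shared/anonymous accounts)."""
    return [a for a in accounts if not is_active(a["owner"], hr)]


def find_duplicates(accounts):
    """(owner, system) pairs where one person holds more than one account on a system."""
    counts = Counter((a["owner"], a["system"]) for a in accounts if a["owner"])
    return sorted(key for key, n in counts.items() if n > 1)


def find_shared_privileged(accounts):
    """Privileged accounts with no individual owner: candidates for PUM vaulting."""
    return [a for a in accounts if a["privileged"] and a["owner"] is None]


def risk_score(owner, accounts):
    """Additive score: every account counts, privileged accounts count more."""
    mine = [a for a in accounts if a["owner"] == owner]
    return sum(PRIV_WEIGHT if a["privileged"] else ACCOUNT_WEIGHT for a in mine)


def on_status_change(owner, new_status, hr, accounts):
    """Lifecycle trigger: record the HR change, then hand the supervisor a
    review of every account the employee holds. On termination every item
    is marked for revocation instead of being left to the reviewer."""
    hr[owner]["status"] = new_status
    held = [a for a in accounts if a["owner"] == owner]
    action = "revoke" if new_status == "terminated" else "review"
    return {
        "employee": owner,
        "reviewer": hr[owner]["manager"],
        "items": [{"system": a["system"], "account": a["account"], "action": action}
                  for a in held],
    }


if __name__ == "__main__":
    for a in find_orphans(ACCOUNTS, HR):
        print("orphan:", a["system"], a["account"], "owner =", a["owner"])
    print("duplicates:", find_duplicates(ACCOUNTS))
    print("shared privileged:", [a["account"] for a in find_shared_privileged(ACCOUNTS)])
    print("risk score e101:", risk_score("e101", ACCOUNTS))
    print(on_status_change("e101", "terminated", HR, ACCOUNTS))
```

In the sample data the VPN account owned by a terminated employee, the privileged VPN account whose owner has no HR record, and the unowned database root account all surface as orphans on the first scan, and the termination trigger turns a status change into a concrete revocation list rather than a hope that someone remembers every system.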

How do you manage the access rights of privileged users?

It’s Time to Rethink Your Provisioning Project

Our CTO Darran Rolls recently focused on the fact that traditional provisioning solutions took a “bottom-up, connector-focused” approach as opposed to a “top-down governance model” approach (“The Value of Taking a Governance-based Approach to Provisioning”). The net result is that many provisioning projects failed to deliver on their value proposition – especially to the non-technical business user – giving the IdM market a big black eye over the past few years. In addition, there has been a shift in provisioning market drivers, which is driving increasingly sophisticated requirements from customers. The IdM market must evolve to meet the demands of this new IdM reality.

Provisioning technology was originally created to automate IT functions, like help desk requests for user account changes. And generally, it was a good solution for that (albeit limited in application scope due to the heavy investment required for a bottom-up approach). However, the decade-old technology has been outpaced by two factors: 1) the evolving requirements of identity governance and compliance versus account provisioning; and 2) the fact that identity management is rapidly shifting from an IT domain into a recognized business process driven by non-technical users. First-generation provisioning solutions don’t incorporate business users and processes into IdM processes, and have serious functionality gaps that leave organizations struggling to keep up with service delivery and compliance demands.

Over the years, traditional provisioning solutions have been marketed as the answer to nearly every identity management challenge: efficiency, security, productivity, compliance, you name it. Many companies have been burnt by products that failed to deliver on these promises. Given the investments made, and the complexity of implementing a bottom-up provisioning solution, we’re finding customers are understandably reluctant to consider scrapping an existing project wholesale – even a struggling one – and starting over. So what can you do? How do you move forward without going all the way back to square one?

There’s no one-size-fits-all answer to that question. But we believe that SailPoint’s new identity lifecycle management capabilities offer an evolutionary path to provisioning success, one that can address your immediate pain and then help you evolve toward the governance-based approach to provisioning that we’re advocating.

To provide you with more information, we’re sponsoring a webinar, “Rethinking Provisioning in 2010 and Beyond,” on June 10th that will feature Lori Rowland, a vice president at Burton Group and one of the industry’s top voices on provisioning. Lori and I will discuss the new business requirements for identity management and how they affect the provisioning landscape. We’ll also talk about what companies can do today to derive value from their technology deployments. Most importantly, my goal is to help you answer that question, “How do I get there from here?”

I’m looking forward to digging into this topic more with Lori and answering your questions live. If you’d like to join us, you can register at: https://www1.gotomeeting.com/register/684010041.

The Value of Taking a Governance-based Approach to Provisioning

In case you missed it, SailPoint recently announced a new provisioning solution based on identity governance. I believe this announcement not only signaled a fundamental change in approach from “old school” provisioning systems, but also sent a much needed life preserver to companies struggling with a provisioning quagmire. I know talk is cheap, so I want to provide a more technology focused description on how our new approach will lead to a much needed improvement in the overall success rate for provisioning projects.

At the core of the problems with most legacy provisioning products is their failure to truly understand the security models within the systems they connect to and provision changes for. This may sound strange, but it’s true. Rather than focusing on building an overall control model that understands entitlement, legacy provisioning systems tend to focus on defining account schemas and building complex forms logic and rules to control the assignment of entitlements to identities via that schema.

To overload a much used term, the legacy approach to provisioning is “bottom up.” It starts at the bottom with a connector. The provisioning system itself requires complex configuration and programming by highly skilled IT technical staff, and the true business processes that the system provides are hidden in complex programming logic rather than being expressed in high-level business policy terms.

Quite the reverse is true for a governance-based approach to provisioning. A governance-based approach starts “top down” with a focus on managing entitlements within a defined governance lifecycle. This provides the business with a single view of the overall processes of request, controls, assignment and last-mile provisioning as one overall business process. It builds upon clearly defined risk, role and policy models – models designed for and used by the business, NOT by an IdM specialist within IT.

Some of you might be wondering, “That’s just roles for provisioning isn’t it?” To be very clear, I’m saying that governance-based provisioning is much more than role-based provisioning! In fact, sometimes it doesn’t involve a role model at all. In those cases, a governance-based approach to provisioning is built upon a catalog of entitlements that describes business meaning, and prescribes clear ownership and approval processes for provisioning.

Here governance is built upon business oriented assignment policies that describe who should have what, and provides further insight into what that means – what data can be accessed, what files can be shared, etc. All this data comes together to create a core governance model that describes, in business terms, how access is defined, requested, approved, tracked, audited and later reviewed by the line of business. This is provisioning based on a governance meta-model, not XML coded “workflow rules.” It is “model based,” and the provisioning process itself is dynamically driven by the data that the model provides.
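The two preceding paragraphs describe provisioning driven by a model rather than by hand-coded workflow: an entitlement catalog that carries business meaning and ownership, assignment policies that say who should have what, a preventive policy check before anything is pushed, and a “last mile” that can be enacted any way the target system allows. The Python below is an added sketch of that shape, not IdentityIQ code or its data model; the catalog entries, policies, separation-of-duties rule, sample identity and connectors are all constructed for the illustration.

```python
# Constructed entitlement catalog: technical entitlement -> business meaning and owner.
# The owner is who approves requests for the entitlement and certifies it later.
CATALOG = {
    ("erp", "AP_CLERK"):    {"meaning": "Enter vendor invoices",        "owner": "fin-controller"},
    ("erp", "AP_APPROVER"): {"meaning": "Approve vendor payments",      "owner": "fin-controller"},
    ("crm", "SALES_USER"):  {"meaning": "Read/update customer records", "owner": "sales-ops"},
    ("ad",  "VPN_Users"):   {"meaning": "Remote network access",        "owner": "it-netops"},
}

# Constructed assignment policies: "who should have what", expressed over
# identity attributes rather than over account schemas.
POLICIES = [
    {"name": "all-employees",    "when": lambda i: True,
     "grant": {("ad", "VPN_Users")}},
    {"name": "finance-clerks",   "when": lambda i: i["dept"] == "finance" and i["title"] == "clerk",
     "grant": {("erp", "AP_CLERK")}},
    {"name": "finance-managers", "when": lambda i: i["dept"] == "finance" and i["title"] == "manager",
     "grant": {("erp", "AP_APPROVER")}},
    {"name": "sales",            "when": lambda i: i["dept"] == "sales",
     "grant": {("crm", "SALES_USER")}},
]

# Constructed separation-of-duties rule: pairs no single identity may hold.
SOD = [frozenset({("erp", "AP_CLERK"), ("erp", "AP_APPROVER")})]

SOD_REASON = "separation-of-duties conflict"


def desired_access(identity):
    """Top-down: the entitlements the model says this identity should have.
    Leavers get nothing, whatever their other attributes say."""
    if identity["status"] != "active":
        return set()
    wanted = set()
    for policy in POLICIES:
        if policy["when"](identity):
            wanted |= policy["grant"]
    return wanted


def sod_violations(entitlements):
    """Every SoD pair fully contained in the given entitlement set."""
    return [pair for pair in SOD if pair <= entitlements]


def provisioning_plan(identity, actual, approved_requests=()):
    """Diff the model-derived target state against what the systems hold.
    Policy-assigned access plus approved requests make up the target; anything
    else found on the systems is removed. A target that breaks SoD, or a request
    for something outside the catalog, is blocked before any connector runs."""
    target = desired_access(identity)
    blocked = []
    for ent in approved_requests:
        if ent in CATALOG:
            target.add(ent)
        else:
            blocked.append((ent, "not in entitlement catalog"))
    for pair in sod_violations(target):
        blocked.append((tuple(sorted(pair)), SOD_REASON))
    if any(reason == SOD_REASON for _, reason in blocked):
        return {"add": [], "remove": [], "blocked": blocked}   # preventive control
    return {"add": sorted(target - actual), "remove": sorted(actual - target), "blocked": blocked}


def execute(plan, connectors):
    """The 'last mile': hand each operation to whatever the system offers.
    The model above does not care whether that is an API, a ticket or a script."""
    return [connectors[system](op, ent)
            for op, ents in (("add", plan["add"]), ("remove", plan["remove"]))
            for system, ent in ents]


if __name__ == "__main__":
    # Constructed identity: a clerk who transferred from sales into finance and
    # whose accounts still carry the old sales access plus an approver right.
    dana = {"name": "Dana", "status": "active", "dept": "finance", "title": "clerk"}
    actual = {("erp", "AP_CLERK"), ("erp", "AP_APPROVER"), ("crm", "SALES_USER")}
    print("violations on the systems today:", sod_violations(actual))
    plan = provisioning_plan(dana, actual)
    print("plan:", plan)
    connectors = {s: (lambda op, ent, s=s: f"{s}: {op} {ent}") for s in ("erp", "crm", "ad")}
    print(execute(plan, connectors))
    print("request blocked:", provisioning_plan(dana, actual, [("erp", "AP_APPROVER")])["blocked"])
```

The point of the example is where the logic lives: the policies and the SoD rule are data about the business, the connectors are interchangeable, and the plan for a transfer or a termination falls out of the diff instead of being coded into a per-application workflow.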

So what’s the net result of this next generation approach to provisioning? It’s better preventative and detective controls, fewer violations, and greater visibility and transparency over the complete end-to-end provisioning process. A governance-based approach to provisioning captures, documents and controls both the business and technical context of identity and the entitlement access governance lifecycle for all applications across the entire identity ecosystem, regardless of how the “last mile” of provisioning is enacted.

By modeling all of the rules, relationships and processes that make up “the business of identity,” you can bridge the gap between these business processes and the technical implementation of the underlying security models. This allows organizations to gain end-to-end visibility and control across all systems and applications – a breadth of coverage that has proved nearly impossible to achieve using traditional provisioning solutions.

I think we were way overdue for a fresh approach to user provisioning. What do you think?

What’s the Most Direct Path to Good Corporate Governance?

Last week’s oil spill has me thinking about how – and when – government regulation is the ideal path to mandate corporate governance. Specifically in the IdM space, I’ve watched government regulations evolve to address transparency, privacy and consumer data protection. As I look back at what’s happened, it’s apparent that most of these data protection regulations were put in place to deal with the fact that, left to their own devices, most enterprises do not invest adequately to protect privacy, prevent fraud, or effectively manage risk. (It’s interesting to note that the negligence of a small group of companies has had a significant impact on the market as a whole.) This appears to be what happened in the case of such well-known regulatory efforts as SOX, HIPAA, MAR, PCI, NERC CIP, Basel II, etc. The foundational belief is that government, or in some cases, industry, must mandate action in order to motivate the right behavior from companies.

But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.

The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don’t always affect revenue or stock prices. The TJX data breach was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, TJX reported that comparable-store sales increased 4%.

We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?

What do you think?

Report: Compliance Drives Security Budgets

I read a very interesting Forrester report last week commissioned by Microsoft and RSA. It was based on a survey of 305 IT security decision makers and assesses data security practices at enterprises around the world.

A key takeaway from the report is the fact that compliance, not security, drives security budgets. I don’t think this will shock anyone, but it’s worth thinking about. As most of us know, it’s easier to justify a security project based on a mandate (SOX audit deficiency!) than to explain the business value of a security investment (I’m not talking ROI here, but the value of avoiding or mitigating potential threats and their consequences). In recent years, regulatory mandates have fueled an almost recession-proof level of investment in security products and services that shows no sign of slowing down.

Everything would be hunky-dory if the security investments justified by SOX et al. were perfectly aligned with the security needs of the organization, but evidently they’re not (here’s where the Forrester report gets interesting). Using data protection as a case in point, the report shows that the great majority of enterprises do not align their security spending to the factors that pose the greatest business risk. In fact, enterprises are more likely to fund projects that address low-impact accidental breaches than high-impact breaches (such as malicious theft by insiders).

Whether you agree with the report or not, it’s worth a quick read. It’s got some interesting quantitative data on incidents and the cost of incidents. This level of information is what is required to assess risk and align security controls appropriately – but it’s also the data that is oftentimes hard to come by.

The report is a great reminder that we shouldn’t let the “ready-built” justification provided by compliance prevent us from doing the real work of security, which is risk management.

SailPoint Unveils a New Approach to Provisioning

This morning, we announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to meet the need for business-friendly access request, effective user lifecycle management, and ongoing compliance and audit requirements.

In the coming weeks, we’ll devote much of this blog to providing you with more insight into our new approach and new products. First, I’d like to explain how SailPoint arrived at today’s announcement and what it means for our current and prospective clients.

SailPoint released the first iteration of our identity governance solution, IdentityIQ, in early 2007. Since then, we’ve been dedicated to helping customers achieve regulatory compliance at a reduced cost, improve internal controls and better manage the risks associated with access to sensitive data and applications across the enterprise. There was clearly a need for this solution in the market – as evidenced by the increasing focus industry analysts have placed on this space, as well as our own customer adoption.

In September 2008, we added business-friendly, self-service access request capabilities to IdentityIQ. As we worked with our customers to roll that capability out across their organizations, those same customers began pushing for SailPoint to manage the entire lifecycle of user privileges. The problem was that existing solutions for requesting and managing user access were at best outdated and inefficient, but more importantly, they were too complex to be used by business users.

As many of you know, SailPoint’s heritage dates back to Waveset (acquired by Sun in 2003), so many of our executive and technical staff have deep roots in the provisioning space. Leveraging that history and knowledge base, we began working on a solution that would better address the huge pain points our customers were experiencing with available provisioning technologies. Today, we’re not only announcing two new provisioning products, Lifecycle Manager and Provisioning Engine, we’re also announcing an entirely new approach to provisioning.

This new approach begins with our Governance Platform, which centralizes identity data, captures business policy, models roles and mitigates risk to support both compliance and user lifecycle business processes. As we stated in the press release, this governance-based approach to provisioning delivers three distinct advantages to customers:

  • Simplified deployments. SailPoint’s approach begins with the mining and modeling of all necessary information about users, access privileges, roles and policy into a single governance platform, enabling organizations to automate access request and provisioning processes without extensive workflow and custom coding. This reduces custom coding requirements by 200-300 percent.
  • Lower deployment costs. SailPoint provides an open and flexible approach to the “last mile” of provisioning – the connector layer where changes are executed on IT resources – by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on “last mile” integrations. It also allows customers to immediately focus their identity management efforts where the highest value exists: at the business process and governance layer to ensure consistent, enterprise-wide compliance with internal and external security mandates.
  • Business and IT alignment. SailPoint provides the first user interface designed specifically for business users to request access and manage user lifecycle events. Traditional provisioning tools were designed for use by IT administrators and were too cryptic and technical for business users. With its business-friendly user interfaces, SailPoint makes it easy to involve business users in all identity management processes, such as access requests, change approvals, access certifications and role lifecycle management.

The entire SailPoint team is excited about today’s launch. The early feedback from customers and analysts has been extremely positive, and we look forward to sharing more details with many of you during this spring’s tradeshow season (in the meantime, you can read more about the products here).