By definition, governance is the process of setting policies and evaluating compliance and alignment with those policies. Today’s provisioning tools only focus on providing a transactional “last-mile” for the account management process – a process used primarily by help desk or identity administrators. In contrast, identity governance solutions like SailPoint take a business-process approach to identity, designed to engage the business user in the governance process. To achieve this, we’ve really had to re-think the identity management use cases full stop. Products like ours provide a new user interface to identity for a new class of identity owner – the business user. By taking a business-process and model-driven approach to the identity, we do end up subsuming many of the poorly defined and cumbersome business processes within today’s transactional provisioning layer.

That’s the evolution of enterprise software. New approach, new models, new target solution.

User provisioning tools are not properly designed to provide access and identity governance functionality. However, they were marketed as compliance platforms, which led to unreasonable expectations on the part of customers.

Most importantly, the new Burton report signals the transition of identity management solutions from pure IT-oriented technology toward business-enabling software. As Gerry puts it, new governance tools “strive to become business decision support tools rather than IT consoles.” This transition is more complex than it sounds, because it involves designing software that allows business users to play a bigger role in identity management business processes, such as requesting, approving, certifying, or removing access privileges.

Beyond the need for business-friendly UIs (which are very important), I want to emphasize the key role that identity governance solutions play in automating identity business processes and underpinning those processes with common policy and controls. I’ll focus on a key identity business process – access request – to illustrate my point:

In most organizations, the processes and tools used to request or change access are inefficient and inconsistent at best. Processes vary from business unit to business unit and from application to application, with users often requesting and gaining new access privileges without going through proper channels. The ad-hoc nature of the typical access request process leaves managers and users frustrated and enterprises vulnerable to increased security and compliance risks.

To address these problems, SailPoint released IdentityIQ Access Request Manager in September of 2008. With this release, we became the first identity governance vendor to automate the business process management (BPM) side of access request, allowing employees and managers to use a business-friendly, fully automated process to request or change access privileges. Underpinning the Access Request Manager is IdentityIQ’s graphical workflow engine that makes it simple to design and customize business processes – across access request, role management, policy enforcement, and other identity governance functional areas.

In my view, the key tie-in between business process management and good governance is our ability to strengthen key identity business processes with our identity governance model, including both role and policy models, controls and risk management – to ensure compliance and introduce preventive controls at each step along the way.

We’ll be at Catalyst next week, where I look forward to continuing this discussion with any of you that will be there. It’s shaping up to be a great event!