<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SailPoint Identity Quotient &#187; Identity Management</title>
	<atom:link href="http://blog.sailpoint.com/category/iam/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.sailpoint.com</link>
	<description>The measure of all things identity</description>
	<lastBuildDate>Wed, 25 Aug 2010 22:17:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>2010 Market Pulse Survey: Moral Grey Area Exposes Companies to Data Theft</title>
		<link>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/</link>
		<comments>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 22:17:40 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=369</guid>
		<description><![CDATA[SailPoint recently announced the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:

Half of the respondents said they would take company data with them when leaving a job. A full 27% [...]]]></description>
			<content:encoded><![CDATA[<p>SailPoint recently <a href="http://www.sailpoint.com/news/press/press-release.php?release=70">announced</a> the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:</p>
<ul>
<li>Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.</li>
<li>Interestingly, only 16% said they would take office supplies with them.</li>
<li>49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.</li>
<li>Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.</li>
</ul>
<p>For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing”. I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.</p>
<p>So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.</p>
<p>At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s <a href="http://www.sailpoint.com/product/">IdentityIQ</a>, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also makes sure that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and also provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.</p>
<p>What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand <a href="http://www.sailpoint.com/news/irm-webinars.php">webinars</a> (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2<sup>nd</sup> edition of our <a href="http://sailpoint.mv.treehousei.com/Surveys/28/7315BBA1963B663C/index.aspx?dlid=HADV4Q7CTT3CG">Identity Governance Buyer’s Guide</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feet on the Street: Burton Catalyst</title>
		<link>http://blog.sailpoint.com/2010/08/catalyst2010/</link>
		<comments>http://blog.sailpoint.com/2010/08/catalyst2010/#comments</comments>
		<pubDate>Fri, 06 Aug 2010 15:00:05 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Burton Catalyst]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=366</guid>
		<description><![CDATA[Last week, the SailPoint team attended the Burton Gartner Catalyst show in San Diego. The event was very well attended, and it presented a great opportunity to hear from the analysts and connect with our customers and prospects in between sessions and during our Mad Hatter’s identiTEA Party hospitality suite.
On day one, keynote speaker John [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the SailPoint team attended the <span style="text-decoration: line-through;">Burton</span> Gartner Catalyst show in San Diego. The event was very well attended, and it presented a great opportunity to hear from the analysts and connect with our customers and prospects in between sessions and during our Mad Hatter’s identiTEA Party hospitality suite.</p>
<p>On day one, keynote speaker <a href="http://www.johnseelybrown.com/">John Seely Brown</a> kicked off the conference with a thought-provoking session designed to shake people out of complacency. His presentation, “Forging Ahead: Navigating the New Normal,” argued that today’s enterprises aren’t hacking it. He showed some pretty compelling statistics: plummeting return on assets over the last 65 years and S&amp;P company life spans dwindling to less than 10 years, on average. In order to stop this nosedive, he argued, enterprises must transition from being “push” to “pull” institutions. He explained that this means adopting more decentralized, modular and loosely-coupled business models, where the goal is more collaboration than control. He urged the audience to embrace technologies (like cloud computing and social networking) that will help them evolve away from “closed, proprietary models,” mobilize resources on demand and participate in “idea flows” with external parties. There was a lot to think about from this presentation, let me tell you!</p>
<p>Many of the Catalyst sessions that followed Seely Brown built upon his theme – offering a mix of the theoretical and the pragmatic. In many sessions, cloud computing was the focus, and many questions were raised about how to separate the hype from the reality; and how to embrace change while managing new sets of risks. In one session, Bob Blakely and Ian Glazer acknowledged that cloud computing can deliver cost savings, but for some technologies like user provisioning, it’s premature to move them to the cloud because there’s not a lot of benefit – yet.</p>
<p>In another session, Lori Rowland staged a mock “intervention,” urging the industry to adopt a new way of thinking about provisioning. Although Lori acknowledged that provisioning has had some successes, she pointed out that the technology has become bloated over the years, is notoriously hard to integrate, and relies on proprietary connectors that have to be addressed every time an app is updated/changed. The session echoed a lot of what Lori said during SailPoint’s “<a href="http://www.sailpoint.com/mailers/burton-rethinkingprovisioning-062010.html">Rethinking Provisioning in 2010 and Beyond</a>” webinar in May. We agree wholeheartedly with the need for a new approach to provisioning, which is why we <a href="http://www.sailpoint.com/news/press/press-release.php?release=65">introduced</a> a next-generation provisioning solution earlier this year.</p>
<p>For SailPoint, perhaps the highlight of the Catalyst conference was hearing – from analysts and end users – that identity and access governance has fully established itself as a market. In just four short years, our conversations with customers have evolved from explaining the concept of identity governance to hearing customers present successful case studies about it. In fact, my next post will be recapping a case study that one of our customers, <a href="http://www.sailpoint.com/news/press/press-release.php?release=66">Sallie Mae</a>, presented last week at Catalyst.</p>
<p>Did you attend Catalyst? What was the highlight for you?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/08/catalyst2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attention Sun IdM Customers – What’s Your “Plan B”?</title>
		<link>http://blog.sailpoint.com/2010/07/sun-plan-b/</link>
		<comments>http://blog.sailpoint.com/2010/07/sun-plan-b/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 16:00:45 +0000</pubDate>
		<dc:creator>SailPoint</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Burton Catalyst]]></category>
		<category><![CDATA[Oracle/Sun Acquisition]]></category>
		<category><![CDATA[SailPoint Plan B]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=358</guid>
		<description><![CDATA[A little more than a year ago, the industry was surprised to hear that Oracle planned to acquire Sun Microsystems. Immediately, Sun customers began to wonder about the future of their existing IdM investments. It took another several months for the acquisition to be finalized, and then even more before Oracle began to roll out [...]]]></description>
			<content:encoded><![CDATA[<p>A little more than a year ago, the industry was surprised to hear that <a href="http://blog.sailpoint.com/2009/04/watching-the-identity-management-sun-set/">Oracle planned to acquire Sun</a> Microsystems. Immediately, Sun customers began to wonder about the future of their existing IdM investments. It took another several months for the acquisition to be finalized, and then even more before Oracle began to roll out its product roadmap. Now, after 15 months of uncertainty, Sun customers are starting to realize what many of us already knew – it’s the beginning of the end for Sun IdM: Oracle plans to stop supporting the Sun IdM product in 2014 and will only be making minimal updates in the meantime.</p>
<p>Understandably, this puts Sun customers in a quandary. Most of them have invested substantial resources on their Sun provisioning implementation, and are now being asked by Oracle to start over. Many legacy provisioning vendors (including Oracle) are currently offering “free” licenses for a “rip and replace” solution, but customers still face the prospect of significant maintenance, deployment and integration costs. At its core, this “free” offer essentially means customers will take one decade-old technology and replace it with another one.</p>
<blockquote><p>The most successful people are those who are good at Plan B. – James Yorke (mathematician)</p></blockquote>
<p>Fortunately, there’s an alternative available. This week, SailPoint launched <a href="http://www.identityplanb.com/">www.IdentityPlanB.com</a> to provide companies with a Plan B for provisioning. SailPoint’s Sun Migration Program allows Sun IdM customers to transition to a next-generation provisioning solution in a gradual, methodical way. SailPoint enables customers to immediately leverage a governance layer that complements their existing Sun provisioning implementation, extends the reach of that implementation beyond the resources being provisioned today, and provides a roadmap to move away from Sun without starting over or disrupting the business.</p>
<p>The reality is that companies need to transition away from Sun IdM. But starting over isn’t the only option – there’s always a <a href="http://www.identityplanb.com/">Plan B</a>.</p>
<p><em>Note: The SailPoint crew will be at <a href="http://catalyst.burtongroup.com/" target="_blank">Burton Catalyst</a> this week. If you’d like to talk more about migrating away from Sun, please join us on Wednesday in our <a href="http://www.catalyst.burtongroup.com/NA10/HospitalityMiniSites/SailPoint/index.html" target="_blank">hospitality suite</a>, Aqua West Foyer, Room 306A.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/07/sun-plan-b/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SailPoint Unveils a New Approach to Provisioning</title>
		<link>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/</link>
		<comments>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 11:57:37 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=319</guid>
		<description><![CDATA[This morning, we announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to [...]]]></description>
			<content:encoded><![CDATA[<p>This morning, we announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to meet the need for business-friendly access request, effective user lifecycle management, and ongoing compliance and audit requirements.</p>
<p>In the coming weeks, we’ll devote much of this blog to providing you with more insight into our new approach and new products. First, I’d like to explain how SailPoint arrived at today’s announcement and what it means for our current and prospective clients.</p>
<p>SailPoint released the first iteration of our identity governance solution, IdentityIQ, in <a href="http://www.sailpoint.com/news/press/press-release.php?release=29">early 2007</a>. Since then, we’ve been dedicated to helping customers achieve regulatory compliance at a reduced cost, improve internal controls and better manage the risks associated with access to sensitive data and applications across the enterprise. There was clearly a need for this solution in the market – as evidenced by the increasing focus industry <a href="http://www.sailpoint.com/industry/viewpoints.php">analysts</a> have placed on this space, as well as our own <a href="http://www.sailpoint.com/news/press/press-release.php?release=64">customer adoption</a>.</p>
<p>In <a href="http://www.sailpoint.com/news/press/press-release.php?release=37">September 2008</a>, we added business-friendly, self-service access request capabilities to IdentityIQ. As we worked with our customers to roll that capability out across their organizations, those same customers began pushing for SailPoint to manage the entire lifecycle of user privileges. The problem was that existing solutions for requesting and managing user access were at best outdated and inefficient, but more importantly, they were too complex to be used by business users.</p>
<p>As many of you know, SailPoint’s <a href="http://www.sailpoint.com/company/management.php">heritage</a> dates back to Waveset (<a href="http://www.sun.com/software/waveset/">acquired by Sun</a> in 2003), so many of our executive and technical staff have deep roots in the provisioning space. Leveraging that history and knowledge base, we began working on a solution that would better address the huge pain points our customers were experiencing with available provisioning technologies. Today, we’re not only announcing two new provisioning products, <a href="http://www.sailpoint.com/product/lifecycle-manager/">Lifecycle Manager</a> and <a href="http://www.sailpoint.com/product/provisioning-engine/">Provisioning Engine</a>, we’re also announcing an entirely new approach to provisioning.</p>
<p>This new approach begins with our Governance Platform, which centralizes identity data, captures business policy, models roles and mitigates risk to support both compliance and user lifecycle business processes. As we stated in the <a href="http://www.sailpoint.com/news/press/press-release.php?release=65">press release</a>, this governance-based approach to provisioning delivers three distinct advantages to customers:</p>
<ul>
<li><em>Simplified deployments.</em> SailPoint’s approach begins with the mining and modeling of all necessary information about users, access privileges, roles and policy into a single governance platform, enabling organizations to automate access request and provisioning processes without extensive workflow and custom coding. This reduces custom coding requirements by 200-300 percent.</li>
<li><em>Lower deployment costs.</em> SailPoint provides an open and flexible approach to the “last mile” of provisioning &#8211; the connector layer where changes are executed on IT resources &#8211; by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on “last mile” integrations. It also allows customers to immediately focus their identity management efforts where the highest value exists: at the business process and governance layer to ensure consistent, enterprise-wide compliance with internal and external security mandates.</li>
<li><em>Business and IT alignment.</em> SailPoint provides the first user interface designed specifically for business users to request access and manage user lifecycle events. Traditional provisioning tools were designed for use by IT administrators and were too cryptic and technical for business users. With its business-friendly user interfaces, SailPoint makes it easy to involve business users in all identity management processes, such as access requests, change approvals, access certifications and role lifecycle management.</li>
</ul>
<p>The entire SailPoint team is excited about today’s launch. The early feedback from customers and analysts has been extremely positive, and we look forward to sharing more details with many of you during this spring’s <a href="http://www.sailpoint.com/news/events.php">tradeshow season</a> (in the meantime, you can read more about the products <a href="http://www.sailpoint.com/product/">here</a>).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Achieving Auditable Compliance with NERC CIP Reliability Standards</title>
		<link>http://blog.sailpoint.com/2010/02/nerc/</link>
		<comments>http://blog.sailpoint.com/2010/02/nerc/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 15:16:59 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Corporate Integrity]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[NERC CIP]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=306</guid>
		<description><![CDATA[Beginning in 2010, energy producers and distributors face a looming challenge &#8211; to become &#8220;auditably compliant&#8221; with the Critical Infrastructure Protection (CIP) standards by the July 1, 2010 deadline. Developed by NERC, an independent, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America, and given the force [...]]]></description>
			<content:encoded><![CDATA[<p>Beginning in 2010, energy producers and distributors face a looming challenge &#8211; to become &#8220;auditably compliant&#8221; with the Critical Infrastructure Protection (CIP) standards by the July 1, 2010 deadline. Developed by NERC, an independent, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America, and given the force of law by the Federal Energy Regulatory Commission (FERC)in early 2008, the standards are intended to compel energy companies and utilities to focus more heavily on cyber-security.</p>
<p>The overriding goal of the CIP standards is to protect the bulk electric system from cyber attacks, including attacks from within the utility (i.e., insider threats). The eight standards include establishing programs for managing access to cyber assets, documenting which personnel are authorized to access cyber assets, and creating plans and processes for electronic and physical security of assets, among other things. The deadline to become “auditably compliant” by July 2010 provides the real “teeth” to the mandate, requiring organizations to undergo audits and provide documented evidence of compliance or non-compliance with the standards.</p>
<p>While the NERC CIP standards are more prescriptive than some regulatory mandates, they do leave many implementation details up to the affected organizations. Put another way, NERC defines “the what” but not necessarily “the how” of getting compliant. This factor makes it critical that organizations think strategically and holistically about their approach to NERC CIP and follow three important guidelines:</p>
<ol>
<li>Take a risk-based approach that focuses controls on the most critical cyber assets and avoids boiling the ocean;</li>
<li>Automate compliance processes for consistency and repeatability, and to control costs; and</li>
<li>Don’t forget the people component in “people, process, and technology” &#8211; communications and information sharing between stakeholders is key.</li>
</ol>
<p>Because controlling access to critical infrastructure is one of the highest priorities for complying with the CIP standards, identity governance will be a key component of any organization’s compliance strategy. Identity governance provides an automated approach to strengthening access controls and delivering evidence of those controls for audit purposes. By offering a framework for automating compliance, facilitating business and IT collaboration, and taking a risk-based approach, identity governance helps organizations to achieve sustainable, auditable compliance with the standards’ requirements.</p>
<p>To help organizations plan and implement a cost effective, risk-based approach to NERC CIP compliance, SailPoint is presenting a free webinar with <a href="http://corp-integrity.com/">Corporate Integrity’s</a> Michael Rasmussen on February 10<sup>th</sup> (details <a href="https://www1.gotomeeting.com/register/325364080">here</a>). We’ll review the CIP standards, what&#8217;s needed and how identity governance can help companies achieve the next level of compliance. Following the webinar, we’ll also provide access to a free whitepaper that walks companies through the eight CIP standards focused on IAM, and provides a roadmap for how to best comply with each.</p>
<p><strong>UPDATE: </strong>The webinar is now <a href="http://www.sailpoint.com/news/irm-webinars.php">available on-demand</a>. Feel free to view at your leisure and share the link with your colleagues! We also have a white paper that you can download.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/02/nerc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Market Pulse Survey: Divide Between Business and IT Persists</title>
		<link>http://blog.sailpoint.com/2010/01/market-pulse-survey/</link>
		<comments>http://blog.sailpoint.com/2010/01/market-pulse-survey/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 20:12:55 +0000</pubDate>
		<dc:creator>SailPoint</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=297</guid>
		<description><![CDATA[We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don&#8217;t fully understand what they are [...]]]></description>
			<content:encoded><![CDATA[<p>We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don&#8217;t fully understand what they are certifying. In fact, nearly 75% of the respondents believe business managers don&#8217;t understand the technical descriptions of the access privileges they certify.</p>
<p>Additional key findings from the survey include:</p>
<ul>
<li>More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.</li>
<li>42% reported shared responsibility and accountability with business managers for the access certification process.</li>
<li>61% of the respondents report that they use manual or homegrown processes to manage a company&#8217;s access privileges.</li>
<li>Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (which is similar to the statistic from our <a href="http://www.sailpoint.com/news/press/press-release.php?release=51">May 2009 Market Pulse Survey</a>).</li>
</ul>
<p>The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, are available <a href="http://www.sailpoint.com/landing-pages/mp-survey.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/01/market-pulse-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Predictions for 2010: The IT World Has Changed (for the Better)</title>
		<link>http://blog.sailpoint.com/2009/12/2010idmpredictions/</link>
		<comments>http://blog.sailpoint.com/2009/12/2010idmpredictions/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 15:52:22 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[2010]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=292</guid>
		<description><![CDATA[Despite the economic challenges, this has been a record year for SailPoint as we&#8217;ve doubled our customer base and expanded into Europe and APAC. As we look forward to 2010, we have been reflecting upon the recession and how it will impact next year – particularly in regard to how companies consume, purchase and view [...]]]></description>
			<content:encoded><![CDATA[<p>Despite the economic challenges, this has been a <a href="http://www.sailpoint.com/news/press/press-release.php?release=60">record year</a> for SailPoint as we&#8217;ve doubled our customer base and expanded into Europe and APAC. As we look forward to 2010, we have been reflecting upon the recession and how it will impact next year – particularly in regard to how companies consume, purchase and view technology. With that in mind, I offer the following four trends and predictions for 2010:</p>
<p style="padding-left: 30px;"><strong>1. Cautious Investment Strategies Will Remain.</strong> The tough economy has made buyers more selective about how they invest in software solutions. The constricted budgets and constrained resources of 2009 in many cases brought clarity to project prioritization. CIOs have become more discriminating customers who want results quickly and who expect a solid near-term return on investment. Particularly in the identity governance space, companies expect to have full visibility and control over access privileges in months, if not weeks, with measurable results along the way. Even if companies enjoy larger budgets next year, CIOs will continue to be laser-focused on solutions that provide immediate, measurable results.</p>
<p style="padding-left: 30px;"><strong>2. The Compliance Burden Will Grow.</strong> Compliance, transparency and risk management will remain top priorities for global companies. Everyone agrees that as fallout of what transpired in the financial markets in 2008, even more regulation is on the way, not less. The Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, takes effect on January 1st. Part of Obama’s stimulus package included the HITECH Act in healthcare, which effectively adds more “teeth” to HIPAA by requiring companies to disclose any privacy breaches. And most recently, the Personal Data Privacy and Security Act of 2009 passed a major hurdle and will be voted on by the Senate. Clearly these are US-only examples, but companies around the world are going to be bombarded with new requirements and more stringent rules.</p>
<p style="padding-left: 30px;"><strong>3. Identity Management Will “Grow Up.” </strong>As a result of the growing focus on governance and compliance, organizations are starting to view IdM as more of a business-centric discipline than an IT-only domain. IdM processes can no longer be the exclusive realm of identity admins and help desk staff. To ensure compliance initiatives are successful, organizations must get business users involved in the process. It is the business user, after all, who has the most accurate knowledge of who should be doing what with which applications and datasets. Collaboration is required across teams of business, audit/compliance and technical staff. As a result, there is a growing need for IdM solutions to evolve into business-friendly solutions to better manage IT and business risk. The IdM market will see more business process management (BPM) functionality in the coming year and will begin delivering business intelligence and decision support solutions.</p>
<p style="padding-left: 30px;"><strong>4. Identity Governance Will Energize the IdM Market. </strong>As I’ve said many times, I believe the recession has served as a catalyst in IdM’s evolution – both by elevating the importance of transparency and risk management, as well as increasing corporate focus on rapid results and return on investment. I believe our industry is now at an inflection point where companies are starting to rethink how they approach IT risk management and what they expect from technology vendors. As identity governance technology matures, innovative startups will completely disrupt the IdM space by bringing a level of intelligence and risk management that is of high value to the business. We’ll see a few dinosaurs try to evolve, but this race will be a fast one and we’ll see if they can keep up.</p>
<p>How do you think 2010 will differ from 2009 in the IdM market?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/12/2010idmpredictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feet on the Street: A Look at Last Week’s Gartner IAM Summit</title>
		<link>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/</link>
		<comments>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 14:59:06 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[BPM]]></category>
		<category><![CDATA[Gartner IAM Summit]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=281</guid>
		<description><![CDATA[Last week, the SailPoint crew gathered in force at the Gartner IAM Summit in beautiful San Diego. While the show was a bit smaller than last year’s event in Orlando, there were lots of opportunities for lively interaction with analysts, partners, and customers.
One of the best aspects of shows like this is the high-quality conversations [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the SailPoint crew gathered in force at the <a href="http://www.gartner.com/it/page.jsp?id=838920">Gartner IAM Summit</a> in beautiful San Diego. While the show was a bit smaller than last year’s event in Orlando, there were lots of opportunities for lively interaction with analysts, partners, and customers.</p>
<p>One of the best aspects of shows like this is the high-quality conversations that happen everywhere – in the sessions, on the show floor, in restaurants and of course, the lobby bar! It’s interesting to see this kind of networking in action, built on many years of identity management history and experience. (Yes, we’re becoming an older and wiser bunch.)</p>
<p>It’s always tough to pick a leading theme for an event like this, but a couple of consistent threads ran throughout the show. First, a lot was said about how IAM is evolving (some said “maturing”) to address governance, risk and compliance requirements. One key shift pointed out by several Gartner analysts is the growing involvement of business users in IAM processes. Here’s a sampling of comments made in the sessions:</p>
<blockquote><p>IAM needs governance. It needs to partner with the business community. It’s not just plumbing. – Earl Perkins</p></blockquote>
<blockquote><p>The goal of IT governance is defined as a business goal: It is not just IT-related. – Paul Proctor</p></blockquote>
<blockquote><p>Business representation is critical to managing IAM in day-to-day operations, including determining who should have access to what, defining roles and rules, access reviews and attestations, and so on. – Ray Wagner</p></blockquote>
<p>Another over-arching theme during the show was the relationship between IAM and business process management (BPM). In Earl Perkins’ opening keynote, he highlighted BPM as an emerging IAM trend, noting that customers should begin to look for BPM functionality in IAM solutions. Paul Proctor reinforced this idea in his session “GRC Requirements for IAM,” stating that &#8220;IAM is increasingly viewed not just as a collection of infrastructure procedures for IT but as a means of enhancing and extending key business processes.&#8221;</p>
<p>We couldn’t agree more! Last week at the show, we announced our latest product release &#8211; IdentityIQ 4.0. This release extends our capabilities to “manage the business of identity,” fostering better teamwork across an organization by synchronizing identity business processes with IT controls (be sure to read the <a href="http://bit.ly/2WqP3A">press release</a> and what the media are <a href="http://www.networkworld.com/newsletters/dir/2009/110909id2.html">saying</a>).</p>
<p>Stay tuned for tomorrow’s blog, where I’ll share two case studies presented at the Gartner show by SailPoint customers in the insurance and managed care industries.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Reflecting on 10 Years of IdM Technology</title>
		<link>http://blog.sailpoint.com/2009/09/10-years-of-idm/</link>
		<comments>http://blog.sailpoint.com/2009/09/10-years-of-idm/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 14:26:40 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Dave Kearns]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=251</guid>
		<description><![CDATA[This week commemorates Dave Kearns’ 10th anniversary writing Network World’s Identity Management newsletter. As a faithful follower over the past decade, I’m sending hearty congratulations to Dave for his feat. Keep those insights coming!
Dave’s column this week led me to reflect on how the IdM market has changed over the last 10 years. In 1999, [...]]]></description>
			<content:encoded><![CDATA[<p>This week commemorates Dave Kearns’ 10<sup>th</sup> anniversary writing <a href="http://www.networkworld.com/newsletters/dir/2009/090709id2.html">Network World’s Identity Management</a> newsletter. As a faithful follower over the past decade, I’m sending hearty congratulations to Dave for his feat. Keep those insights coming!</p>
<p>Dave’s column this week led me to reflect on how the IdM market has changed over the last 10 years. In 1999, the term “identity management” was not even in our lexicon – and in fact vendors and analyst firms spent a lot of time and energy debating what to call the emerging market. The birth of provisioning systems (itself a new term for our industry) was driven by the idea that user administration could be centralized, automated, and made more cost-effective. Designed primarily to relieve the burden on help desk and sys admins, provisioning solutions were primarily marketed and sold as a labor-saving improvement. It was a product designed for IT and sold to IT buyers. Initially, a lot of the focus was on demonstrating ROI.</p>
<p>Of course, the terrorist attacks of September 11, 2001 brought about a heightened focus on IT security, and the value proposition for provisioning shifted in the direction of securing the enterprise as well as providing a strong ROI. Around 2002-2003, another significant shift occurred in our market. Compliance was becoming more and more of a driver, as regulations like SOX, HIPAA and GLBA were introduced into law and took effect throughout the early 2000s. Businesses in the U.S. – and around the world &#8211; were trying to sort out how to manage these new mandates. It seemed like a natural fit for provisioning; after all, it was a means to centralize and automate how user access was granted and removed.</p>
<p>Ironically, the very nature of provisioning limited its ability to meet compliance requirements: the typical provisioning deployment manages around 10 resources, and most often these are not even the targets for compliance initiatives but rather the high-population, high-churn systems that consume the most manpower to manage onboarding and offboarding. In addition, most provisioning systems are deployed to manage account-level access only and provide little visibility into the fine-grained application entitlements that define what actions a user can actually perform within an application – a key compliance requirement. Lastly, provisioning systems were designed for technical users, so their UIs are too complex for business managers, auditors, and compliance staff.</p>
<p>With compliance demands increasing and security threats becoming ever more sophisticated, I believe the IdM industry is now witnessing another inflection point. Ten years from where we started, provisioning technology still can’t provide end-to-end visibility and control across all high-risk systems and applications. In response to the need for stronger auditing and sustainable controls in the identity realm, centralized identity governance tools are proving themselves to be a better technology for governance, risk management and compliance. I believe 10 years from now, we’ll be reflecting on how significantly identity governance has shaped the IdM space.</p>
<p>I also believe the next decade will be defined by discriminating customers who want results immediately and who don’t believe throwing more money at legacy tools and processes is a viable solution. It will be marked by impressive innovation in the identity realm, led by identity governance vendors who are willing to rethink how identity data affects business decisions. Those same companies – SailPoint included – will enable companies to successfully manage compliance and security from a risk perspective – applying appropriate levels of oversight and audit where they matter the most. We may see a few dinosaurs try to evolve, but I doubt their products can live up to their multi-million dollar marketing claims.</p>
<p>How do you think the IdM market will change in the next 10 years?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/09/10-years-of-idm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Roles and Communism at Burton Catalyst</title>
		<link>http://blog.sailpoint.com/2009/08/roles-and-communism-at-burton-catalyst/</link>
		<comments>http://blog.sailpoint.com/2009/08/roles-and-communism-at-burton-catalyst/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 20:10:19 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Customers]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Role Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Burton Catalyst]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=234</guid>
		<description><![CDATA[One of the things I enjoy most about Burton Catalyst is the chance to hear first-hand from client organizations about their identity management deployments. For the most part, these sessions deal honestly with issues and challenges, are relatively hype-free, and focus on the pragmatic vs. the visionary. This year’s Catalyst featured an interesting set of [...]]]></description>
			<content:encoded><![CDATA[<p>One of the things I enjoy most about Burton Catalyst is the chance to hear first-hand from client organizations about their identity management deployments. For the most part, these sessions deal honestly with issues and challenges, are relatively hype-free, and focus on the pragmatic vs. the visionary. This year’s Catalyst featured an interesting set of customer speakers, including the vice president of enterprise security at one of the world’s 10 largest banks (we’re not allowed to promote the company as a customer, so as I’ve done <a href="http://blog.sailpoint.com/2009/07/securitysummit-customersuccesses/">previously</a>, I’ll refer to him as “Charlie Iso”).</p>
<p>Charlie’s presentation began with the intriguing comment “Roles are like communism. They sound pretty good on paper, but the real challenge is trying to implement them in the real world.” From this introduction, Charlie went on to describe how the bank embarked on the process of aggregating and correlating entitlements across 24 compliance-relevant applications and building roles to improve oversight during quarterly access certifications.</p>
<p>He shared several of the challenges that the bank had to overcome to better address its compliance and security requirements. Prior to implementing <a href="http://www.sailpoint.com/product/">SailPoint IdentityIQ</a>, the institution performed access certifications using “Excel over Outlook.” There was a lot of frustration in the various departments because managers were being hit constantly by differing organizations asking them to review and approve access privileges. Charlie also talked about the difficulty of certifying user access because reviewers could not understand cryptic entitlement descriptions. Two of the bigger takeaways from his presentation were the need (and challenge) of getting businesspeople to participate in role definition and maintenance and the importance of cleansing data before mining for roles.</p>
<p>Charlie summed up the results of the bank’s role management project as “making compliance simpler, reducing corporate risk from proliferation of access privileges, and improving control of the entire account lifecycle.” After completing his presentation, he took quite a few questions from the audience and shared some valuable insights. Here are a few of the questions – along with Charlie’s answers.</p>
<p><strong>Question</strong>: Did you use role mining to create roles?</p>
<p><strong>Answer</strong>: We created our initial set of roles using an interactive process between IT and business groups, in parallel with doing entitlement aggregation and cleanup. SailPoint IdentityIQ supports role mining, but in my opinion mining is not effective until after you’ve gone through and cleaned up your identity data. Dirty data yields dirty results, so it’s important to go through a certification and cleanup cycle before you do role mining.</p>
<p><strong>Question:</strong> How many roles did you create?</p>
<p><strong>Answer:</strong> I’m not sure of the total number. It really depends on what parts of the organization you’re talking about. For example, in our branches, we need only a limited number of roles, like 5. It’s completely different in our back-office environment, where we have many more systems and functional groups and the number and complexity of roles is a lot greater.</p>
<p><strong>Question:</strong> How do you get business users to maintain roles over time?</p>
<p><strong>Answer: </strong>We are using the access certification process to ensure regular oversight of roles. SailPoint IdentityIQ automates the certification of both role contents (entitlements that make up a role) and role membership.</p>
<p><strong>Question:</strong> How long did this project take?</p>
<p><strong>Answer: </strong>It took us about 6 months from the initial design through the final user acceptance testing.</p>
<p>As you can see, Charlie presented a pragmatic example of implementing role management in the financial services world. And as Charlie pointed out, success comes by defining a working process between business and IT and deploying the right tools for people to accomplish defined objectives.</p>
<p>I’ll end with another quote about communism (this time from Will Rogers): “Communism to me is one-third practice and two-thirds explanation.” Continuing with the analogy to roles, I say let’s cut down on the explaining and focus on the practice!</p>
<p>What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/08/roles-and-communism-at-burton-catalyst/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
