<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SailPoint Identity Quotient &#187; Identity Governance</title>
	<atom:link href="http://blog.sailpoint.com/category/identity-governance/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.sailpoint.com</link>
	<description>The measure of all things identity</description>
	<lastBuildDate>Wed, 25 Jan 2012 17:45:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Big News! SailPoint Well Positioned in Two IdM Magic Quadrants</title>
		<link>http://blog.sailpoint.com/2012/01/magic-quadrants/</link>
		<comments>http://blog.sailpoint.com/2012/01/magic-quadrants/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 17:42:55 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Gartner Magic Quadrant]]></category>
		<category><![CDATA[IAG]]></category>
		<category><![CDATA[Identity and Access Governance]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=654</guid>
		<description><![CDATA[You may have missed it during the year-end holiday break, but we have exciting news! Gartner published two major identity management Magic Quadrants that positioned SailPoint as a leader and visionary, respectively. Both reports are based on an exhaustive process that included an in-depth product and company evaluation and interviews with SailPoint customers. The Gartner [...]]]></description>
			<content:encoded><![CDATA[<p>You may have missed it during the year-end holiday break, but we have exciting news! Gartner published two major identity management Magic Quadrants that positioned SailPoint as a leader and visionary, respectively. Both reports are based on an exhaustive process that included an in-depth product and company evaluation and interviews with SailPoint customers.</p>
<p>The Gartner Magic Quadrant for Identity and Access Governance (IAG) was published in mid-December, and I’m proud to report that SailPoint was positioned at the top of the Leaders Quadrant. This report is a major milestone for us for two reasons: this is Gartner’s first release of a Magic Quadrant on IAG, signifying the amount of customer interest in this segment of IdM; and it’s yet another validation that SailPoint is leading the market. (You can read the full report <a href="http://www.sailpoint.com/landing-pages/gartner-magic-quadrant/?dlid=4LJ65NWBO3BSO%E2%88%9A">here</a>.)</p>
<p>In the IAG Magic Quadrant, Gartner predicts that IAG will become “the lead focus of two out of three IAM projects by 2013, up from one in three today.” We at SailPoint have evangelized the need for identity governance since our company’s inception more than six years ago – and have already seen this shift in priorities with our customers because of the immediate business value that identity governance delivers. Based on our market momentum and product innovation, this is the second analyst report this year that names SailPoint a market leader (see my cofounder Mark’s <a href="http://blog.sailpoint.com/2011/09/forrester-wave/">post</a> on the August 2011 Forrester Wave).</p>
<p>The second Gartner Magic Quadrant published in December was for IT Administration/User Provisioning. I’m happy to report that SailPoint made our debut appearance in the Visionaries Quadrant! We entered the provisioning market believing that a new approach was needed to address today’s identity business challenges. I believe our positioning on the Quadrant recognizes our vision and leadership in taking a governance-based approach to identity management, as well as our strong market momentum.</p>
<p>For the team at SailPoint, it’s highly rewarding to be recognized by the analyst community, and we’re particularly happy that we fared so well in the prestigious Magic Quadrants. If you haven’t had a chance yet, I highly recommend reading both reports. And I look forward to reporting even more SailPoint successes in the coming year.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2012/01/magic-quadrants/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCIM: The Right Standard at the Right Time</title>
		<link>http://blog.sailpoint.com/2011/12/scim/</link>
		<comments>http://blog.sailpoint.com/2011/12/scim/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 15:00:08 +0000</pubDate>
		<dc:creator>Darran Rolls</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[SCIM]]></category>
		<category><![CDATA[SPML]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=633</guid>
		<description><![CDATA[I’m excited to report that the Simple Cloud Identity Management (SCIM) working group has unanimously approved the SCIM 1.0 specification. SailPoint contributed heavily to both the working group process and the development of the spec. With this week’s big move forward, I wanted to share my thoughts on why SCIM is good for our enterprise [...]]]></description>
			<content:encoded><![CDATA[<p>I’m excited to report that the <a href="http://www.simplecloud.info/">Simple Cloud Identity Management (SCIM)</a> working group has unanimously approved the SCIM 1.0 specification. SailPoint contributed heavily to both the working group process and the development of the spec. With this week’s big move forward, I wanted to share my thoughts on why SCIM is good for our enterprise customers, cloud services providers, IdM vendors, and the industry as a whole.</p>
<p>I’ve spent the past 11 years working on IdM standards, beginning with SPML back in 2000. Sometimes our worst failures teach us the best lessons, and that’s absolutely the case with SPML. SPML never really gained widespread market adoption because it failed to deliver in three key areas: simplicity and ease of adoption, industry support and true customer demand. SCIM aims to improve upon each of these areas in order to improve connectivity, manageability and governance for SaaS and cloud-based applications.</p>
<p><strong>Keeping It Simple</strong></p>
<p>SPML turned out to be far from simple. The effort was a well-intentioned one by everyone involved, but ultimately, the resulting spec was too large and complex, and created as many problems for customers as it solved (if not more). At the end of the day, SPML was a complete operating model for provisioning and as such came with a lot of baggage and a lot of complex use cases. In contrast, SCIM focuses on the core tasks of account management and leaves out a lot of the “provisioning platform” extras. This simplifies things for everyone concerned. SCIM is also 100% based on a newer RESTful web services approach that is both easier to write and use in the code, and easier to read and understand in the specification.</p>
<p><strong>App Vendor Support</strong></p>
<p>Today’s cloud application vendors understand the importance of IdM, and they recognize the need to simplify and standardize how organizations provision to their cloud application services. While the <a href="http://en.wikipedia.org/wiki/Cloud_computing">cloud</a> has been designed to provide simple on-demand computing for today’s business needs, it has opened up several IdM issues, including remote application user administration and synchronization of identity data between the enterprise and the cloud. Recognizing the importance of solving these issues, companies like salesforce.com, Google and Cisco have invested their time to help drive SCIM forward and build SCIM interfaces into their products. Support by the major SaaS vendor platforms will prove critical if SCIM is to achieve widespread adoption.</p>
<p><strong>Real Customer Demand</strong></p>
<p>Despite the naysayers, business adoption of the cloud is accelerating. And as more and more SaaS applications are deployed, it’s incumbent on organizations to manage the identities they now own in the cloud. These organizations aren’t interested in adding more complexity to their IdM implementations, and are beginning to push both management and application vendors to provide a simple, standardized way of managing their SaaS accounts. This growing and real customer need has resulted in genuine customer push – push for their SaaS vendors to support SCIM on the account side, and push for their identity management vendors to make best use of it.</p>
<p>SailPoint will continue its contributions to the SCIM effort as it moves toward adoption by the IETF. We strongly believe that this type of standard is critical to addressing IdM in the cloud and to providing the level of manageability, controls and governance that’s needed for today’s increasingly mission critical cloud-based applications. If you’re interested in more technical details on the spec, take a listen to the <a href="http://www.kuppingercole.com/watch/clearing_up_cloudy_standard">webinar</a> I recorded last week with Dave Kearns of <a href="http://www.kuppingercole.com/">KuppingerCole</a> and Patrick Harding of <a href="https://www.pingidentity.com/">Ping Identity</a>.</p>
<p>As the SCIM standard evolves, I’ll be sure to keep you updated. In the meantime, I’d like to hear your thoughts on SCIM. Do you think we are guiding the market in the right direction?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/12/scim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Through the Looking Glass: IdM in 2012</title>
		<link>http://blog.sailpoint.com/2011/12/2012predictions/</link>
		<comments>http://blog.sailpoint.com/2011/12/2012predictions/#comments</comments>
		<pubDate>Mon, 12 Dec 2011 15:00:37 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[2012]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[IAG]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[ROI]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=612</guid>
		<description><![CDATA[I don’t know about you, but this is my favorite time of year. Beyond the hustle and bustle and joy of the holiday season, I enjoy this time of year in business because of what it means: a time to reflect on the previous year, the rush to close out year end deals, and a [...]]]></description>
			<content:encoded><![CDATA[<p>I don’t know about you, but this is my favorite time of year. Beyond the hustle and bustle and joy of the holiday season, I enjoy this time of year in business because of what it means: a time to reflect on the previous year, the rush to close out year end deals, and a chance to think about what the next year will bring.</p>
<p>As I think about the coming year, I wanted to share my annual predictions for the IdM market in 2012:</p>
<ol>
<li><strong>Identity Governance Gets Proactive:</strong> When we first brought identity governance to the market several years ago, most customers were focused on addressing immediate compliance or audit issues. Now, as those same organizations are several years into their deployments, I see more IT organizations moving to adopt preventive controls to block violations or inappropriate access at the point of request. Even more encouraging, we are seeing clients using risk scores to drive the prioritization of remediations and frequency of certifications, focusing controls where risk is highest. I predict proactive identity governance will help companies reduce the burden on compliance staff and improve audit performance.</li>
<li><strong>Auditors Wake Up to SaaS:</strong> One of the most interesting phenomena I’ve observed over the past year is the extent to which IT auditors continue to exclude SaaS applications from their audit scope. As SaaS applications become more broadly deployed in mission-critical parts of the business like HR and finance, companies are placing themselves at increased risk for fraud, privacy violations or data breaches. I predict that 2012 will be the year that enterprises wake up to the risk of placing sensitive data or transactions in the hands of a cloud service provider without effective controls over who has access to what. A major data breach will certainly get everyone’s attention!</li>
<li><strong>Provisioning Gets Slimmer &#8211; and Simpler:</strong> I’ve heard several analysts talking lately about provisioning “bloat” and the damage done by overly ambitious provisioning projects that never delivered on the promised benefits. As we enter 2012, I think we’re at the end of the age of bloated provisioning and are embarking on a new era of “slimmed down” provisioning that is easier and faster to deploy. We are seeing many clients implementing self-service access request with manual (non-automated) fulfillment via service desk or manual methods. And many clients are deploying provisioning on SailPoint’s identity governance foundation, which allows them to leverage a business-friendly entitlement catalog and well-defined policies to simplify workflow and rapidly implement self-service.</li>
<li><strong>Proving the Business Outcomes of IT Decisions Remains a Top Priority:</strong> It’s no surprise to anyone that we are living in a time of constrained budgets, but enterprises continue to invest in technology despite that fact. In most organizations, projects are being scrutinized even harder and require more justification than in the past. Regardless of what happens with the economy in 2012, I believe businesses will continue their careful scrutiny of IT investments. For this reason, IT organizations will need to learn to communicate and sell the business case for any large-scale IT project (including IdM) <strong>AND</strong> prove that the promised ROI was realized. (My cofounder Jackie recently wrote a great <a href="http://blog.sailpoint.com/2011/11/roi/">blog</a> on this very topic.)</li>
</ol>
<p>These are just a couple of my thoughts for next year. I’d like to hear your thoughts. What do you think will happen in the IdM market next year?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/12/2012predictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building a Business Case for Governance-based Identity Management</title>
		<link>http://blog.sailpoint.com/2011/11/roi/</link>
		<comments>http://blog.sailpoint.com/2011/11/roi/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 12:49:19 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Customers]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[customers]]></category>
		<category><![CDATA[IAG]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[ROI]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=601</guid>
		<description><![CDATA[As 2011 comes to a close, it’s time once again to plan for future IdM requirements and define budget needs for 2012. Based on today’s business drivers – from security and risk management, to increasing compliance requirements, to the need to streamline delivery of access to users across the business – many organizations are placing [...]]]></description>
			<content:encoded><![CDATA[<p>As 2011 comes to a close, it’s time once again to plan for future IdM requirements and define budget needs for 2012. Based on today’s business drivers – from security and risk management, to increasing compliance requirements, to the need to streamline delivery of access to users across the business – many organizations are placing a governance-based identity management solution at the top of their 2012 wish list.</p>
<p>While the needs and benefits of IdM are real, many companies feel challenged to build a business case and show the potential ROI for this type of project. But don’t let number-crunching intimidate you! In a world of financial uncertainty where there are many competing technology investments, it’s more important than ever to show financial justification for your IdM strategy and direction.</p>
<p>To help you get started, we’ve developed four steps to consider when building your business case for a governance-based IdM strategy, focused on explaining the technology’s potential for delivering demonstrable ROI to the organization:</p>
<ol>
<li><strong>Internal needs assessment:</strong> Begin the evaluation process by first determining the most pressing IdM issues or opportunities your organization is facing.</li>
<li><strong>Baseline costs:</strong> Quantify how many and what types of resources are currently being spent on IdM processes (including manual labor costs).</li>
<li><strong>Set project goals:</strong> Formally define your goals of the project and the expected benefits to the organization.</li>
<li><strong>Build the financial model:</strong> Estimate how much your project will cost (technology, services, personnel) and then project how the project will save the organization time and money.</li>
</ol>
<p>One of the keys to building your business case is to provide real-world examples of the tangible and repeatable benefits and cost savings that can result from your IdM project. SailPoint often partners with our customers to provide insight and help throughout this process. Below are some ROI stats that our customers have reported when demonstrating the ROI on their projects:</p>
<ul>
<li>Saved 50 full-time employees annually in controls testing and documentation on a project that spanned 600 applications across 28 countries.</li>
<li>Reduced IT Operations costs by $800k annually by automating the de-provisioning of terminated employees.</li>
<li>Slashed time spent on compliance by 66% by completing user access reviews in just 4 weeks instead of 3 months.</li>
<li>Achieved 30% reduction in excess entitlements after the first user access review cycle.</li>
</ul>
<p>We recently hosted a <a href="http://e.sailpoint.com/rc/asset-overview.aspx?dlid=UBHM5THJQB3JF" target="_blank">webinar</a> that delves further into this topic. If you are interested in more details, you can access the free on-demand webinar <a href="http://e.sailpoint.com/rc/asset-overview.aspx?dlid=UBHM5THJQB3JF" target="_blank">here</a>. The topics and real world use cases covered in the webinar are designed to help you define clear goals for your project and map out a compelling business case. Check it out!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/11/roi/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Consumers Speak: Data Breaches Impact Customer Retention</title>
		<link>http://blog.sailpoint.com/2011/09/databreachbattle/</link>
		<comments>http://blog.sailpoint.com/2011/09/databreachbattle/#comments</comments>
		<pubDate>Tue, 20 Sep 2011 06:01:59 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=566</guid>
		<description><![CDATA[Here’s some news that will surprise no one, but at the same time deserves some serious thought. Recently, SailPoint commissioned our 2011 Market Pulse Survey to help us gauge the impact that all-too-frequent data breaches have on consumer loyalty to banks, credit card companies and retailers. Not surprisingly, the survey confirmed that consumers are clearly [...]]]></description>
			<content:encoded><![CDATA[<p>Here’s some news that will surprise no one, but at the same time deserves some serious thought. Recently, SailPoint commissioned our <a href="http://www.sailpoint.com/news/press/press-release.php?release=92" target="_blank">2011 Market Pulse Survey</a> to help us gauge the impact that all-too-frequent data breaches have on consumer loyalty to banks, credit card companies and retailers. Not surprisingly, the survey confirmed that consumers are clearly frustrated with the proliferation of data breaches – and they are voting with their feet.</p>
<p>The 5,573 adults polled gave us a resounding answer about whether data breaches are impacting their loyalty: 20-25% of respondents would stop doing business with a company following a data breach. We also asked consumers about the shift to electronic health records, and we saw even more evidence of consumer fears about identity theft and loss of privacy. The key takeaway for me is that consumers are paying attention to how merchants manage sensitive data, and companies that do not act as trusted custodians will see a measurable impact to customer loyalty.</p>
<p>If you’re interested in our latest survey results, please see <a href="http://www.sailpoint.com/news/press/press-release.php?release=92" target="_blank">today&#8217;s press release</a> for full details. And we’ve put together a graphical representation of the survey’s findings to better communicate all the numbers – check it out (click the graphic for a larger view):</p>
<p><a href="http://blog.sailpoint.com/wp-content/uploads/2011/09/SailPoint_MarketPulseSurvey_Infographic.jpg"><img class="size-full wp-image-575 alignleft" title="Print" src="http://blog.sailpoint.com/wp-content/uploads/2011/09/SailPoint_MarketPulseSurvey_Infographic.jpg" alt="" width="487" height="1674" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/09/databreachbattle/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SailPoint Recognized as a Leader in Identity Governance</title>
		<link>http://blog.sailpoint.com/2011/09/forrester-wave/</link>
		<comments>http://blog.sailpoint.com/2011/09/forrester-wave/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 18:19:24 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=547</guid>
		<description><![CDATA[Throughout my 20+ years in the tech industry, I’ve seen many examples of technology renaissance, where solutions that were “cutting edge” yesterday are superseded by new and innovative approaches. Market needs change. And let’s face it – we get smarter. When we founded SailPoint more than 5 years ago, we started the company based on [...]]]></description>
			<content:encoded><![CDATA[<p>Throughout my 20+ years in the tech industry, I’ve seen many examples of technology renaissance, where solutions that were “cutting edge” yesterday are superseded by new and innovative approaches. Market needs change. And let’s face it – we get smarter. When we founded SailPoint more than 5 years ago, we started the company based on our belief that first-generation identity management solutions were ill suited to meet current customer demands. We believed strongly that in order to successfully address security and compliance concerns, an IdM solution needed to follow a few fundamental truths:</p>
<ol>
<li>IdM is not a set of IT processes. It is a set of business processes enabled by IT, which means business managers and users <strong>MUST</strong> be actively involved.</li>
<li>IdM should be approached with not just productivity and efficiency in mind, but governance and risk management, as well.</li>
<li>IdM implementations, while admittedly complex, should not take years and millions of dollars before delivering real value to the business.</li>
</ol>
<p>Based on those principles, SailPoint set out to shake up the IdM market and deliver a <a href="http://www.sailpoint.com/landing-pages/what-is-idg/">new, innovative solution</a> that delivers on these truths. The result, <a href="http://www.sailpoint.com/product">IdentityIQ</a>, provides an integrated, single governance model; features intuitive dashboards and plain English for business users; and has proven over and over again that it will deliver tangible results within months, not years. Along the way, we also introduced a new market category, identity governance, and have seen several legacy-provisioning providers try to copy our approach.</p>
<p>Recently, Forrester Research validated that new market and our approach, positioning SailPoint as a <a href="http://www.sailpoint.com/news/press/press-release.php?release=91"><strong>leader in identity governance</strong></a>. The report, “The Forrester Wave: Role Management and Access Recertification,” states:</p>
<blockquote><p><em>SailPoint&#8217;s IdentityIQ is the king of risk representation &#8211; since its inception it has had versatile support for assessing a credit-score-like risk for users and entitlements. Its user interface is one of the most customizable; the user&#8217;s splash page resembles a new portal&#8217;s intuitive layout with such features as portlets and drag-and-drop support.</em></p></blockquote>
<p>After conducting an exhaustive and in-depth product analysis, SailPoint IdentityIQ scored the <strong>highest on 4 of the 6 product offering categories</strong>, as well as in customer behavior. Highlights of that analysis of IdentityIQ include:</p>
<blockquote><p><em>The product has the most advanced capabilities of all other products in this Wave in risk management.</em></p></blockquote>
<blockquote><p><em>SailPoint is business-user friendly. It has beautiful dashboards.</em></p></blockquote>
<blockquote><p><em>The company&#8217;s expansion into provisioning also makes it a viable choice for enterprises looking to implement closed-loop identity compliance.</em></p></blockquote>
<p>We’re thrilled with the recognition of our hard work, and invite you to read the entire report, courtesy of SailPoint, at <a href="http://www.sailpoint.com/forrester">www.sailpoint.com/forrester</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/09/forrester-wave/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>More Employees Than You Think Put Their Companies at Risk</title>
		<link>http://blog.sailpoint.com/2011/07/market-pulse-survey-2/</link>
		<comments>http://blog.sailpoint.com/2011/07/market-pulse-survey-2/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 13:58:43 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=530</guid>
		<description><![CDATA[Just in time for Catalyst, we announced our latest Market Pulse Survey, which focused on employee compliance with corporate policies around proprietary data. Our intent was to identify insider behaviors or attitudes that place enterprises at risk. And while I was expecting the survey to reinforce the need for identity governance, I was more than [...]]]></description>
			<content:encoded><![CDATA[<p>Just in time for <a href="http://www.gartner.com/technology/summits/na/catalyst/agenda.jsp" target="_blank">Catalyst</a>, we announced our latest <a href="http://www.sailpoint.com/news/press/press-release.php?release=89">Market Pulse Survey</a>, which focused on employee compliance with corporate policies around proprietary data. Our intent was to identify insider behaviors or attitudes that place enterprises at risk. And while I was expecting the survey to reinforce the need for identity governance, I was more than a bit surprised by some of the results.</p>
<p>Working with Harris Interactive, we polled 3,484 employees across the United States, Great Britain and Australia. A significant number of respondents openly admitted they would abuse proprietary and sensitive information. I want to share some of the survey’s results with you, as well as the primary takeaway from each.</p>
<p>First, 22% of US, 29% of Australian and 48% of British employees openly admitted they would misuse data they have been granted access to (either intentionally or mistakenly). This includes:</p>
<ul>
<li>9% of US, 8% of Australian and 24% of British employees would take the data themselves when leaving a job; and</li>
<li>10% of US, 12% of Australian and 27% of British employees would forward to someone else, like a former colleague.</li>
</ul>
<p>I wrote last year about the <a href="http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/">“moral gray area”</a> around theft of company data. Many employees may believe they own – or at least share ownership – of corporate data they have been working on. Clearly, the survey highlights the need for companies to have corporate policies in place to educate employees about what is and is not allowed, and to have IT controls in place to enforce them. A company may be comfortable with employees taking samples of their portfolio of work with them, but taking customer data or product designs is clearly not allowable.</p>
<p>The most shocking survey finding was that 24% of Britons openly admitted they would sell proprietary data online if they could, compared to 5% of Americans and 4% of Australians. This willingness to profit from access to proprietary data is quite alarming. We got an interesting take on this finding from journalist <a href="http://www.riskmanagementmonitor.com/are-your-employees-stealing-your-data/">Jared Wade of Risk Management</a>: “I’m not sure whether U.K. employees are more devious or just more honest, but even the lower totals in the United States and Australia show the enormity of the risk. That’s just a ton of people who have no qualms about leaking — if not outright thieving — data.&#8221;</p>
<p>Bottom line: we as organizations need to be vigilant about managing the risk of insider sabotage or fraud. It’s critical to educate employees on corporate data policies and to institute preventive and detective controls to help safeguard data. As the survey shows, the insider threat remains very real, but that risk can be mitigated with identity governance solutions like <a href="http://www.sailpoint.com/product/">SailPoint IdentityIQ</a>. Identity governance provides a centralized view into an organization’s identity data and helps to limit and control employee access to sensitive data and applications. (To learn more about how IdentityIQ can safeguard against insider threats, I recommend you read this <a href="http://www.sailpoint.com/resources/registration.php?dlid=BTEIVI2MTHDWH">identity governance overview</a> or take a minute to watch our latest <a href="http://www.sailpoint.com/landing-pages/what-is-idg/">video</a>.)</p>
<p>After reading through the Market Pulse Survey results, how do you think your employees would respond?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/07/market-pulse-survey-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Governance-based Provisioning: Succeeding Where Legacy Provisioning Failed</title>
		<link>http://blog.sailpoint.com/2011/05/governance-based-provisioning/</link>
		<comments>http://blog.sailpoint.com/2011/05/governance-based-provisioning/#comments</comments>
		<pubDate>Tue, 17 May 2011 16:25:08 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Customers]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdentityIQ]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=427</guid>
		<description><![CDATA[A few weeks ago, SailPoint announced CUNA Mutual as a new customer. CUNA Mutual wanted to proactively manage and mitigate risks associated with user access privileges and turned to IdentityIQ for its tightly integrated identity compliance and provisioning capabilities. Here&#8217;s a great quote from Brad Job, the director of information security at CUNA Mutual: SailPoint [...]]]></description>
			<content:encoded><![CDATA[<p>A few weeks ago, SailPoint <a href="http://www.sailpoint.com/news/press/press-release.php?release=81">announced</a> CUNA Mutual as a new customer. CUNA Mutual wanted to proactively manage and mitigate risks associated with user access privileges and turned to IdentityIQ for its tightly integrated identity compliance and provisioning capabilities. Here&#8217;s a great quote from Brad Job, the director of information security at CUNA Mutual:</p>
<blockquote><p><em>SailPoint IdentityIQ was the obvious choice because it delivered identity governance and provisioning capabilities in a single solution. It was also immediately evident that it would be easy for our business managers to use, and provided us insight into the risk associated with user access. </em></p></blockquote>
<p>We always enjoy sharing customer success stories, but I find this one particularly exciting, because it highlights three dramatic shifts that we&#8217;ve seen in the provisioning market over the past half-decade:</p>
<ol>
<li>Customers are looking for solutions that tightly integrate the functions of identity compliance (capabilities including user access certifications, policy enforcement, and risk analysis) with provisioning activities;</li>
<li>Customers need a solution that is business friendly &#8211; that is, allows non-technical users to participate in IdM processes; and</li>
<li>Customers demand fast time-to-value from their provisioning projects (a historical weak point for first generation provisioning solutions).</li>
</ol>
<p>A core tenet of SailPoint&#8217;s <a href="http://www.sailpoint.com/landing-pages/what-is-idg/">next-generation approach to identity management</a> is that identity compliance and provisioning need to operate hand-in-glove to <a href="http://blog.sailpoint.com/2010/05/the-value-of-taking-a-governance-based-approach-to-provisioning/">provide</a> coordinated preventive and detective controls. To do this both effectively and efficiently, they must leverage a single identity warehouse, a single role model, and a single policy catalog. Doing otherwise requires a burdensome amount of coordination and synchronization of different internal repositories, rules, roles, and models between product components &#8211; which is a time-consuming and expensive deployment exercise, as well as an operations headache. As a case in point, because IdentityIQ&#8217;s compliance and provisioning components are architected on a single governance platform and identity warehouse, CUNA Mutual was able to streamline their deployment and leverage a single role model and SoD policy model across both access certification and provisioning activities.</p>
<p>Slowly but surely, we&#8217;re hearing the growing recognition that the basic requirements for user provisioning have shifted dramatically with respect to ease of use. At the Gartner IAM Summit in London in March, one of the Gartner analysts echoed this trend by pointing out that:</p>
<blockquote><p>Today&#8217;s IAM buyers expect ease of use, well-designed interfaces, wizard-driven setup, mobile-ready interfaces, and quick and predictable deployments. You are not likely to get this from traditional provisioning vendors &#8230; Vendors like SailPoint who are not even on the [2010 User Provisioning] Magic Quadrant can be a perfect fit for your needs.</p></blockquote>
<p>These are exactly the <a href="http://blog.sailpoint.com/2010/10/incorporating-business-into-idm/">requirements</a> that customers have been communicating to us for years, and it&#8217;s what SailPoint is delivering to the market. We have invested heavily in developing business-friendly user interfaces (designed for non-technical users) that provide meaningful context to identity data &#8211; something no legacy provisioning solution can claim. IdentityIQ&#8217;s user interfaces are intuitive and make it easy for line of business managers to work hand-in-hand with IT and compliance personnel in minimizing risk and providing higher levels of service. This was an important consideration to CUNA Mutual, who knew that enabling non-technical users from their business entities and external partners with minimal training was key to the successful rollout of the solution.</p>
<p>Lastly, I think it is interesting to note that CUNA Mutual was up in production with SailPoint&#8217;s compliance and provisioning solution less than six months after we announced the availability of <a href="http://blog.sailpoint.com/2010/03/sailpoint-provisioning/">our provisioning capabilities</a>. This demonstrates just how much we have learned since first-generation provisioning products about architecting solutions that provide fast time to value to customers. Reducing workflow complexity, providing a flexible role model, and taking an agnostic approach to last-mile resource connectivity are just a few of the innovations that SailPoint has built into our products that allow for these significant gains in time-to-value.</p>
<p>We realize that our <a href="http://blog.sailpoint.com/2010/03/sailpoint-provisioning/">perspectives and approaches</a> to provisioning are new to some in the market. And while most everyone agrees that legacy provisioning solutions are not designed to meet today&#8217;s new IdM requirements, change always takes time. We knew our governance-based approach would help simplify implementation and deliver results much more quickly. And as we were able to report with CUNA Mutual, we were right!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/05/governance-based-provisioning/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>FTC Fines Ceridian and Lookout Services for Inadequate Controls</title>
		<link>http://blog.sailpoint.com/2011/05/ftc-fines-for-inadequate-controls/</link>
		<comments>http://blog.sailpoint.com/2011/05/ftc-fines-for-inadequate-controls/#comments</comments>
		<pubDate>Tue, 10 May 2011 19:54:59 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[FTC Fines]]></category>
		<category><![CDATA[identity management]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=423</guid>
		<description><![CDATA[Last week, the FTC announced that both Ceridian Corporation and Lookout Services, Inc. have agreed to settlements related to security breaches that occurred in 2009. In Ceridian&#8217;s case, the breach exposed the Social Security numbers and direct deposit information of roughly 28,000 individuals; the Lookout breach exposed the Social Security numbers of approximately 37,000 consumers. [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the <a href="http://www.ftc.gov/opa/2011/05/ceridianlookout.shtm">FTC announced</a> that both Ceridian Corporation and Lookout Services, Inc. have agreed to settlements related to security breaches that occurred in 2009. In Ceridian&#8217;s case, the breach exposed the Social Security numbers and direct deposit information of roughly 28,000 individuals; the Lookout breach exposed the Social Security numbers of approximately 37,000 consumers.</p>
<p>The details of the FTC announcement were interesting on two fronts. First and foremost, there was an absolute lack of strong security measures at both companies, making it child&#8217;s play for intruders to gain access to sensitive customer data. Lookout was charged with failure to implement strong password policies, storing passwords in clear text, and failure to provide access control to confidential web pages. Ceridian was charged with storing sensitive personal information in clear text on the company&#8217;s network and failure to take reasonable measures to detect and prevent unauthorized access to sensitive data.</p>
<p>The second interesting aspect of this news is that it demonstrates how the FTC is proactively taking action to protect consumers against data breaches. Both companies were charged with &#8220;unfair and deceptive trade practices&#8221; because they advertised security safeguards that they failed to provide. The message is clear: if you suffer a data breach that impacts consumers and have advertised how great your security is, you&#8217;re a target for a federal watchdog!</p>
<p>I like how the FTC is requiring the companies to implement and prove strong controls over access to sensitive data as part of the settlements. By mandating comprehensive data security plans and independent security audits, the FTC has sent a clear signal that companies managing consumer information will be held accountable to high standards of data protection. Notably, by prescribing explicit security plans and audits, the terms of the FTC settlements go well beyond the scope of many security and privacy laws in effect today.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/05/ftc-fines-for-inadequate-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Governance in Run-time Access Control World</title>
		<link>http://blog.sailpoint.com/2011/02/governance-forxacml/</link>
		<comments>http://blog.sailpoint.com/2011/02/governance-forxacml/#comments</comments>
		<pubDate>Fri, 04 Feb 2011 00:22:40 +0000</pubDate>
		<dc:creator>Darran Rolls</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[XACML]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=391</guid>
		<description><![CDATA[The Yin and Yang of Governance for XACML I chuckled when I read Ian Glazer&#8217;s blog post, &#8220;A Chronic Identity Pain.&#8221; Ian referred to himself as &#8220;an old provisioning guy&#8221; &#8211; being a few years his senior, it made me think, &#8220;Does that make me an old-old provisioning guy?&#8221; Having said that, I do consider [...]]]></description>
			<content:encoded><![CDATA[<p><em>The Yin and Yang of Governance for XACML</em></p>
<p>I chuckled when I read Ian Glazer&#8217;s blog post, &#8220;<a href="http://blogs.gartner.com/ian-glazer/2011/01/13/a-chronic-identity-pain/">A Chronic Identity Pain</a>.&#8221; Ian referred to himself as &#8220;an old provisioning guy&#8221; &#8211; being a few years his senior, it made me think, &#8220;Does that make me an old-old provisioning guy?&#8221; <img src='http://blog.sailpoint.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  Having said that, I do consider myself more of a governance and provisioning guy now, so maybe I get a break when it comes to managing and governing a run-time access control decision environment.</p>
<p>But back to Ian&#8217;s post. With it, he kicked off an important conversation topic: When you take off the infrastructure hat and put on the governance/compliance/management hat, a XACML or claims-based access control environment poses some very interesting challenges. As Ian said, understanding who really does have access to what can become a lot more challenging. I agree with him about there being a need for coordination between administration and configuration. I would add that a new level of <strong><em>change control</em></strong> is needed given the growing audit requirement for <strong><em>attestation</em></strong>. I would also point to the value of <strong><em>modeling and intelligence</em></strong> in these environments.</p>
<p>To better explain these points, take a look at this standard view of a XACML attribute based access control model:</p>
<p><img class="alignnone" title="XACML" src="http://i1176.photobucket.com/albums/x327/SailPoint/xacml1.gif" alt="" width="550" height="410" /></p>
<p>In this graphic, you can see the request for resource access flowing into the PEP [at 1] and the PEP requesting policy and obligations from the PDP [at 2]. In this view, there is nothing too interesting from a governance perspective &#8211; although this flow has to be trustworthy and we&#8217;ve got to be able to track and audit its execution.</p>
<p>Then the PDP starts to run a cycle of dependencies that can get quite interesting. First, it obtains its policy from a PAP [at 3] that manages all the complex policies needed to control access. These policies contain the rules and obligations that make up the &#8220;Yin&#8221; of any governable run-time access control model. These policy rules are the heart of the access control model and must be governed accordingly. Questions such as: &#8220;Who defines them?&#8221; &#8220;Who approves them?&#8221; and &#8220;How do you manage their change control life-cycle?&#8221; should be of prime concern to any identity audit process.</p>
<p>On the other side, there must always be a &#8220;Yang,&#8221; and in this model it becomes the attributes, or run-time values that are being used in the rule assessment process. These resource, environment and subject attributes (data) are either presented in the session as claims (which are even harder to audit) or they are collected by the PEP from a process XACML calls a &#8220;policy information point&#8221; or PIP [at 4].</p>
<p><img class="alignnone" title="XACML2" src="http://i1176.photobucket.com/albums/x327/SailPoint/xacml2.gif" alt="" width="550" height="412" /></p>
<p>When the policy says &#8220;you can access the data IF your department attribute = accounting,&#8221; the system immediately places a high dependency on the integrity and governance of that department attribute. And we&#8217;re back to those same questions of &#8220;who sets the attribute?&#8221; and &#8220;who controls its life-cycle?&#8221; These questions are a primary concern for any diligent identity audit process. The policy absolutely &#8220;depends&#8221; on the attribute (just as the Yin depends on the Yang), and therefore the integrity, trust and governance of the overall access control process depends on the overall <strong><em>change control</em></strong> and <strong><em>attestation</em></strong> processes that govern the policies and the attributes used in the system.</p>
<p>There&#8217;s one more thing to consider here, and that is <strong><em>intelligence</em></strong>. I think of the rules and the attributes in XACML (the Yin and Yang) as the &#8220;<em>should</em>&#8221; in the question of &#8220;who <em>should</em> have access to what?&#8221; When I put my old provisioning guy&#8217;s identity governance hat on, I want to answer the question &#8220;who <em>could</em> have access to that thing?&#8221; But in today&#8217;s emerging dynamic and highly distributed access control models, I can really only answer that &#8220;<em>could</em>&#8221; question when I have visibility into the policies and the attributes and can apply <strong><em>analytics</em></strong>, <strong><em>intelligence</em></strong> and <strong><em>modeling</em></strong> and ask the question &#8220;what if&#8221; &#8230; but I&#8217;ll save that discussion for another post.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2011/02/governance-forxacml/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

