The Gartner Magic Quadrant for Identity and Access Governance (IAG) was published in mid-December, and I’m proud to report that SailPoint was positioned at the top of the Leaders Quadrant. This report is a major milestone for us for two reasons: this is Gartner’s first release of a Magic Quadrant on IAG, signifying the amount of customer interest in this segment of IdM; and it’s yet another validation that SailPoint is leading the market. (You can read the full report here.)

In the IAG Magic Quadrant, Gartner predicts that IAG will become “the lead focus of two out of three IAM projects by 2013, up from one in three today.” We at SailPoint have evangelized the need for identity governance since our company’s inception more than six years ago – and have already seen this shift in priorities with our customers because of the immediate business value that identity governance delivers. Based on our market momentum and product innovation, this is the second analyst report this year that names SailPoint a market leader (see my cofounder Mark’s post on the August 2011 Forrester Wave).

The second Gartner Magic Quadrant published in December was for IT Administration/User Provisioning. I’m happy to report that SailPoint made our debut appearance in the Visionaries Quadrant! We entered the provisioning market believing that a new approach was needed to address today’s identity business challenges. I believe our positioning on the Quadrant recognizes our vision and leadership in taking a governance-based approach to identity management, as well as our strong market momentum.

For the team at SailPoint, it’s highly rewarding to be recognized by the analyst community, and we’re particularly happy that we fared so well in the prestigious Magic Quadrants. If you haven’t had a chance yet, I highly recommend reading both reports. And I look forward to reporting even more SailPoint successes in the coming year.

I’ve spent the past 11 years working on IdM standards, beginning with SPML back in 2000. Sometimes our worst failures teach us the best lessons, and that’s absolutely the case with SPML. SPML never really gained widespread market adoption because it failed to deliver in three key areas: simplicity and ease of adoption, industry support and true customer demand. SCIM aims to improve upon each of these areas in order to improve connectivity, manageability and governance for SaaS and cloud-based applications.

Keeping It Simple

SPML turned out to be far from simple. The effort was well-intentioned one by everyone involved, but ultimately, the resulting spec was too large and complex, and created as many problems for customers as it solved (if not more). At the end of the day, SPML was a complete operating model for provisioning and as such came with a lot of baggage and a lot of complex use cases. In contrast, SCIM focuses on the core tasks of account management and leaves out a lot of the “provisioning platform” extras. This simplifies things for everyone concerned. SCIM is also 100% based on a newer RESTful web services approach that is both easier to write and use in the code, and easier to read and understand in the specification.

App Vendor Support

Today’s cloud application vendors understand the importance of IdM, and they recognize the need to simplify and standardize how organizations provision to their cloud application services. While the cloud has been designed to provide simple on-demand computing for today’s business needs, it has opened up several IdM issues, including remote application user administration and synchronization of identity data between the enterprise and the cloud. Recognizing the importance of solving these issues, companies like salesforce.com, Google and Cisco have invested their time to help drive SCIM forward and build SCIM interfaces into their products. Support by the major SaaS vendor platforms will prove critical if SCIM is to achieve widespread adoption.

Real Customer Demand

Despite the naysayers, business adoption of the cloud is accelerating. And as more and more SaaS applications are deployed, it’s incumbent on organizations to manage the identities they now own in the cloud. These organizations aren’t interested in adding more complexity to their IdM implementations, and are beginning to push both management and application vendors to provide a simple, standardized way of managing their SaaS accounts. This growing and real customer need has resulted in genuine customer push – push for their SaaS vendors to support SCIM on the account side, and push for their identity management vendors to make use best use of it.

SailPoint will continue its contributions to the SCIM effort as it moves toward adoption by the IETF. We strongly believe that this type of standard is critical to addressing IdM in the cloud and to providing the level of manageability, controls and governance that’s needed for today’s increasingly mission critical cloud-based applications. If you’re interested in more technical details on the spec, take a listen to the webinar I recorded last week with Dave Kearns of KuppingerCole and Patrick Harding of Ping Identity.

As the SCIM standard evolves, I’ll be sure to keep you updated. In the mean time, I’d like to hear your thoughts on SCIM. Do you think we are guiding the market in the right direction?

As I think about the coming year, I wanted to share my annual predictions for the IdM market in 2012:

1. Identity Governance Gets Proactive: When we first brought identity governance to the market several years ago, most customers were focused on addressing immediate compliance or audit issues. Now, as those same organizations are several years into their deployments, I see more IT organizations moving to adopt preventive controls to block violations or inappropriate access at the point of request. Even more encouraging, we are seeing clients using risk scores to drive the prioritization of remediations and frequency of certifications, focusing controls where risk is highest. I predict proactive identity governance will help companies reduce the burden on compliance staff and improve audit performance.
2. Auditors Wake Up to SaaS: One of the most interesting phenomena I’ve observed over the past year is the extent to which IT auditors continue to exclude SaaS applications from their audit scope. As SaaS applications become more broadly deployed in mission-critical parts of the business like HR and finance, companies are placing themselves at increased risk for fraud, privacy violations or data breaches. I predict that 2012 will be the year that enterprises wake up to the risk of placing sensitive data or transactions in the hands of a cloud service provider without effective controls over who has access to what. A major data breach will certainly get everyone’s attention!
3. Provisioning Gets Slimmer – and Simpler: I’ve heard several analysts talking lately about provisioning “bloat” and the damage done by overly ambitious provisioning projects that never delivered on the promised benefits. As we enter 2012, I think we’re at the end of the age of bloated provisioning and are embarking on a new era of “slimmed down” provisioning that is easier and faster to deploy. We are seeing many clients implementing self-service access request with manual (non-automated) fulfillment via service desk or manual methods. And many clients are deploying provisioning on SailPoint’s identity governance foundation, which allows them to leverage business-friendly entitlement catalog and well-defined policies to simplify workflow and rapidly implement self-service.
4. Proving the Business Outcomes of IT Decisions Remains a Top Priority: It’s no surprise to anyone that we are living in a time of constrained budgets, but enterprises continue to invest in technology despite that fact. In most organizations, projects are being scrutinized even harder and require more justification than in the past. Regardless of what happens with the economy in 2012, I believe businesses will continue their careful scrutiny of IT investments. For this reason, IT organizations will need to learn to communicate and sell the business case for any large-scale IT project (including IdM) AND prove that the promised ROI was realized. (My cofounder Jackie recently wrote a great blog on this very topic.)

These are just a couple of my thoughts for next year. I’d like to hear your thoughts. What do you think will happen in the IdM market next year?

While the needs and benefits of IdM are real, many companies feel challenged to build a business case and show the potential ROI for this type of project. But don’t let number-crunching intimidate you! In a world of financial uncertainty where there are many competing technology investments, it’s more important than ever to show financial justification for your IdM strategy and direction.

To help you get started, we’ve developed four steps to consider when building your business case for a governance-based IdM strategy, focused on explaining the technology’s potential for delivering demonstrable ROI to the organization:

1. Internal needs assessment: Begin the evaluation process by first determining what the most pressing IdM issues or opportunities your organization is facing.
2. Baseline costs: Quantify how many and what types of resources are currently being spent on IdM processes (including manual labor costs).
3. Set project goals: Formally define your goals of the project and the expected benefits to the organization.
4. Build the financial model: Estimate how much your project will cost (technology, services, personnel) and then project how the project will save the organization time and money.

One of the keys to building your business case is to provide real-world examples of the tangible and repeatable benefits and cost savings that can result from your IdM project. SailPoint often partners with our customers to provide insight and help throughout this process. Below are some ROI stats that our customers have reported when demonstrating the ROI on their projects:

• Saved 50 full-time employees annually in controls testing and documentation on a project that spanned 600 applications across 28 countries.
• Reduced IT Operations costs by $800k annually by automating the de-provisioning of terminated employees.
• Slashed time spent on compliance by 66% by completing user access reviews in just 4 weeks instead of 3 months.
• Achieved 30% reduction in excess entitlements after the first user access review cycle.

We recently hosted a webinar that delves further into this topic. If you are interested in more details, you can access the free on-demand webinar here. The topics and real world use cases covered in the webinar are designed to help you define clear goals for your project and map out a compelling business case. Check it out!

SailPoint IdentityIQ was the obvious choice because it delivered identity governance and provisioning capabilities in a single solution. It was also immediately evident that it would be easy for our business managers to use, and provided us insight into the risk associated with user access.

We always enjoy sharing customer success stories, but I find this one particularly exciting, because it highlights three dramatic shifts that we’ve seen in the provisioning market over the past half-decade:

1. Customers are looking for solutions that tightly integrate the functions of identity compliance (capabilities including user access certifications, policy enforcement, and risk analysis) with provisioning activities;
2. Customers need a solution that is business friendly – that is, allows non-technical users to participate in IdM processes; and
3. Customers demand fast time-to-value from their provisioning projects (a historical weak point for first generation provisioning solutions).

A core tenet of SailPoint’s next-generation approach to identity management is that identity compliance and provisioning need to operate hand-in-glove to provide coordinated preventive and detective controls. To do this both effectively and efficiently, they must leverage a single identity warehouse, a single role model, and a single policy catalog. To do so otherwise requires a burdensome amount of coordination and synchronization of different internal repositories, rules, roles, and models between product components – which is a time-consuming and expensive deployment exercise, as well as an operations headache. As a case in point, because IdentityIQ’s compliance and provisioning components are architected on a single governance platform and identity warehouse, CUNA Mutual was able to streamline their deployment and leverage a single role model and SoD policy model across both access certification and provisioning activities.

Slowly but surely, we’re hearing the growing recognition that the basic requirements for user provisioning have shifted dramatically with respect to ease of use. At the Gartner IAM Summit in London in March, one of the Gartner analysts echoed this trend by pointing out that:

Today’s IAM buyers expect ease of use, well-designed interfaces, wizard-driven setup, mobile-ready interfaces, and quick and predictable deployments. You are not likely to get this from traditional provisioning vendors … Vendors like SailPoint who are not even on the [2010 User Provisioning] Magic Quadrant can be a perfect fit for your needs.

These are exactly the requirements that customers have been communicating to us for years, and it’s what SailPoint is delivering to the market. We have invested heavily in developing business-friendly user interfaces (designed for non-technical users) that provide meaningful context to identity data – something no legacy provisioning solution can claim. IdentityIQ’s user interfaces are intuitive and make it easy for line of business managers to work hand-in-hand with IT and compliance personnel in minimizing risk and providing higher levels of service. This was an important consideration to CUNA Mutual, who knew that enabling non-technical users from their business entities and external partners with minimal training was key to the successful rollout of the solution.

Lastly, I think it is interesting to note that CUNA Mutual was up in production with SailPoint’s compliance and provisioning solution less than six months after we announced the availability of our provisioning capabilities. This demonstrates just how much we have learned since first-generation provisioning products about architecting solutions that provide fast time to value to customers. Reducing workflow complexity, providing a flexible role model, and taking an agnostic approach to last-mile resource connectivity are just a few of the innovations that SailPoint has built into our products that allow for these significant gains in time-to-value.

We realize that our perspectives and approaches to provisioning are new to some in the market. And while most everyone agrees that legacy provisioning solutions are not designed to meet today’s new IdM requirements, change always takes time. We knew our governance-based approach would help simplify implementation and deliver results much more quickly. And as we were able to report with CUNA Mutual, we were right!

I chuckled when I read Ian Glazer’s blog post, “A Chronic Identity Pain.” Ian referred to himself as “an old provisioning guy” – being a few years his senior, it made me think, “Does that make me an old-old provisioning guy?” Having said that, I do consider myself more of a governance and provisioning guy now, so maybe I get a break when it comes to managing and governing a run-time access control decision environment.

But back to Ian’s post. With it, he kicked off an important conversation topic: When you take off the infrastructure hat and put on the governance/compliance/management hat, a XACML, or claims-based access control environment, poses some very interesting challenges. As Ian said, understanding who really does have access to what can become a lot more challenging. I agree with him about there being a need for coordination between administration and configuration. I would add that a new level of change control is needed given the growing audit requirement for attestation. I would also point to the value of modeling and intelligence in these environments.

To better explain these points, take a look at this standard view of a XACML attribute based access control model:

In this graphic, you can see the request for resource access flowing into the PEP [at 1] and the PEP requesting policy and obligations from the PDP [at 2]. In this view, there is nothing too interesting from a governance perspective – although this flow has to be trustworthy and we’ve got to be able to track and audit its execution.

Then the PDP starts to run a cycle of dependencies that can get quite interesting. First, it obtains its policy from a PAP [at 3] that manages all the complex policies needed to control access. These policies contain the rules and obligations that make up the “Yin” of any governable run-time access control model. These policy rules are the heart of the access control model and must be governed accordingly. Questions such as: “Who defines them?” “Who approves them?” and “How do you manage their change control live-cycle?” should be of prime concern to any identity audit process.

On the other side, there must always be a “Yang,” and in this model it becomes the attributes, or run-time values that are being used in the rule assessment process. These resources, environment and subject attributes (data) are either presented in the session as claims (which are even harder to audit) or they are collected by the PEP from a process XACML calls a “policy information point” or PIP [at 4].

When the policy says “you can access the data IF your department attribute = accounting,” the system immediately places a high dependency on the integrity and governance of that department attribute. And we’re back to those same questions of “who sets the attribute?” and “who controls its life-cycle?” These questions are a primary concern for any diligent identity audit process. The policy absolutely “depends” on the attribute (just as the Yin depends on the Yang), and therefore the integrity, trust and governance of the overall access control process depends on the overall change control and attestation process that govern the policies and the attributes used in the system.

There’s one more thing to consider here, and that is intelligence. I think of the rules and the attributes in XACML (the Yin and Yang) as the “should’ in the question of “who should have access to what?” When I put my old provisioning guy’s identity governance hat on, I want to answer the question “who could” have access to that thing?” But in today’s emerging dynamic and highly distributed access control models, I can really only answer that “could” question when I have visibility into the policies and the attributes and can apply analytics, intelligence and modeling and ask the question “what if” … but I’ll save that discussion for another post.

As our faithful readers know, SailPoint was an early pioneer of identity governance. Since we started the company in 2005, SailPoint has been talking about the need to refocus identity management to better address business needs – to provide better visibility and transparency. Gartner echoed this point of view in the recently published 2010 Provisioning Magic Quadrant and reinforced it during this week’s Summit.

Bill Hostmann, a Gartner business intelligence (BI) analyst, opened the first day with a session titled “Transforming IAM: The New Business Intelligence Connection.” He spoke about the need for IdM to go beyond simple “reporting” to correlate data and facilitate analysis. Bill pointed out that BI is about exploiting information to make better decisions, and that’s where the true business value lies.

I wholeheartedly agree, and believe that’s why identity governance has been so well received with business users. Identity governance uses a BI approach determine “who has access to what” across the enterprise – and provides the necessary context for business users to determine whether that access is appropriate and whether it aligns with corporate policy.

Gartner’s Earl Perkins echoed Bill’s thinking in his Monday presentation. He acknowledged that in the past, IdM was designed to make IT’s life easier, not enable the business. Now, though, as audit and compliance requirements pull more business managers into IdM processes, there are new requirements for IdM’s tools. Providing business intelligence about identity data to those business users has become table stakes for IdM. At the same time, Earl emphasized that IT managers need to switch from an IT-centric focus to a strategy for providing tangible value to the business.

A new feature of this year’s IAM Summit was the addition of a “Burton track” to provide technical depth and how-to advice. Two sessions in this track focused on identity and access governance (IAG). In these, Lori Rowland provided an overview of the IAG market and capabilities, advising the audience to start with IAG and follow with provisioning as a way to gain quick wins and show business value. Lori reiterated that IAG is becoming a major segment of identity management.

Probably the best part of the show was speaking with so many customers who already have embarked on identity governance projects. The IAM Summit was a nice reminder of how far we’ve come and a great energy boost as we head into 2011!

The goal of our Users Group meetings are to foster a community among our customers to share best practices and provide new perspectives on challenges. By far the most interesting part of the day was hearing project updates from each customer and listening to the interactive dialog between companies addressing the same set of identity governance challenges. Our customers face a lot of common issues and challenges – spanning technology, project scope, staffing, organizational change management, executive support, etc. Many creative ideas were shared about how to speed deployment, accelerate adoption, get stronger buy-in from business users, and deal with constant organizational change.

Two “hot topics” of discussion during the day were role management and provisioning. We devoted a significant amount of the discussion on role management best practices, which proved to be a very popular topic. Some of the customers attending have very advanced role management projects and were able to share a lot of insights to their peers. We’ll plan to address some of the more common questions around roles in future blog posts. Another interesting discussion was focused governance-based provisioning, driven by a demo of SailPoint’s Lifecycle Manager (released in April 2010). Although provisioning deployments weren’t a focus of the User Group, it was definitely on the minds of the attendees – many of whom are in the early stages of rethinking their current provisioning implementations.

Regardless of whether a customer is just beginning to deploy identity governance or is two years into their implementation, our users tell us the knowledge and networking from these events is incredibly helpful. SailPoint also appreciated the opportunity to preview future IdentityIQ updates and solicit valuable feedback on our product roadmap. I’d like to send a big thanks to our customers that attended this Users Group!

For our customers who read this blog, I’d like to invite you to attend future meetings. Our quarterly Virtual Users Group is this Thursday, November 4^th. We’ll also be hosting two Users Groups in early-2011- one in the northeast and our first international one. Stay tuned for more details on both of those.

Understandably, this puts Sun customers in a quandary. Most of them have invested substantial resources on their Sun provisioning implementation, and are now being asked by Oracle to start over. Many legacy provisioning vendors (including Oracle) are currently offering “free” licenses for a “rip and replace” solution, but customers still face the prospect of significant maintenance, deployment and integration costs. At its core, this “free” offer essentially means customers will take one decade old technology and replace it with another one.

The most successful people are those who are good at Plan B. – James Yorke (mathematician)

Fortunately, there’s an alternative available. This week, SailPoint launched www.IdentityPlanB.com to provide companies with a Plan B for provisioning. SailPoint’s Sun Migration Program allows Sun IdM customers to transition to a next-generation provisioning solution in a gradual, methodical way. SailPoint enables customers to immediately leverage a governance layer that complements their existing Sun provisioning implementation, extends the reach of that implementation beyond the resources being provisioning to today, and provides a roadmap to move away from Sun without starting over or disrupting the business.

The reality is that companies need to transition away from Sun IdM. But starting over isn’t the only option – there’s always a Plan B.

Note: The SailPoint crew will be at Burton Catalyst this week. If you’d like to talk more about migrating away from Sun, please join us on Wednesday in our hospitality suite, Aqua West Foyer, Room 306A.

At its core, the release is focused on “Oracle-izing” OIM and making it work more seamlessly with Oracle’s other software products. If you’re a born and bred Oracle customer and you’re comfortable being a few years behind in technology, then this might sit just fine with you. But if you were looking to address the modern era of governance and provisioning challenges, this release doesn’t do much to help you.

Secondly, from what I can tell, the major advancement Oracle is making in integrating its identity management offerings with each other seems to be largely at the surface level. They are promoting features such as “common install,” “common configuration management” and “common reporting.” Nowhere does it mention that they have resolved the multiple role models that exist between OIM and Identity Analytics, nor the multiple identity repositories the various components of the identity suite require. As an example, when roles, policies or identity data changes in one product, it must be manually “synchronized” in the other. These deficiencies and their associated challenges cause deployment headaches, increased complexity and are generally a major pain for customers.

Finally, it’s clear that Oracle’s strategy is to compete head-to-head with IBM, SAP, and Microsoft to be the leading integrated stack vendor. As a consequence of that focus, Oracle has prioritized integration features that “unite the stack” ahead of creating a seamlessly integrated IdM suite or delivering innovative new functionality to help customers address urgent compliance and operational issues. As a natural outcome of corporate priorities, Oracle has fallen behind in delivering integrated compliance, roles and provisioning.

Unfortunately for Sun IdM customers in particular, this is going to become painfully clear over the next year or two while Oracle continues the “Oracle-ization” of its identity suite (does anyone remember how Access360 went dark after IBM acquired it?). Oracle will first strive to rationalize the acquired technology into the stack, while “Sun”-setting others (like Sun Identity Manager). Given all this, it’s very likely that Oracle’s IdM technology will lag behind in functionality and integration between its components.

Most of the companies we talk to don’t have the luxury of waiting a few years to address today’s evolving governance, risk and compliance challenges. They have immediate business problems to solve and are looking for specific technologies to address them in the near term, not a long-term rearchitecture of their corporate infrastructure with the hope of someday addressing these needs.