<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SailPoint Identity Quotient &#187; Provisioning</title>
	<atom:link href="http://blog.sailpoint.com/category/provisioning/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.sailpoint.com</link>
	<description>The measure of all things identity</description>
	<lastBuildDate>Wed, 25 Aug 2010 22:17:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Attention Sun IdM Customers – What’s Your “Plan B”?</title>
		<link>http://blog.sailpoint.com/2010/07/sun-plan-b/</link>
		<comments>http://blog.sailpoint.com/2010/07/sun-plan-b/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 16:00:45 +0000</pubDate>
		<dc:creator>SailPoint</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Burton Catalyst]]></category>
		<category><![CDATA[Oracle/Sun Acquisition]]></category>
		<category><![CDATA[SailPoint Plan B]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=358</guid>
		<description><![CDATA[A little more than a year ago, the industry was surprised to hear that Oracle planned to acquire Sun Microsystems. Immediately, Sun customers began to wonder about the future of their existing IdM investments. It took another several months for the acquisition to be finalized, and then even more before Oracle began to roll out [...]]]></description>
			<content:encoded><![CDATA[<p>A little more than a year ago, the industry was surprised to hear that <a href="http://blog.sailpoint.com/2009/04/watching-the-identity-management-sun-set/">Oracle planned to acquire Sun</a> Microsystems. Immediately, Sun customers began to wonder about the future of their existing IdM investments. It took another several months for the acquisition to be finalized, and then even more before Oracle began to roll out its product roadmap. Now, after 15 months of uncertainty, Sun customers are starting to realize what many of us already knew – it’s the beginning of the end for Sun IdM: Oracle plans to stop supporting the Sun IdM product in 2014 and will only be making minimal updates in the meantime.</p>
<p>Understandably, this puts Sun customers in a quandary. Most of them have invested substantial resources in their Sun provisioning implementation, and are now being asked by Oracle to start over. Many legacy provisioning vendors (including Oracle) are currently offering “free” licenses for a “rip and replace” solution, but customers still face the prospect of significant maintenance, deployment and integration costs. At its core, this “free” offer essentially means customers will take one decade-old technology and replace it with another one.</p>
<blockquote><p>The most successful people are those who are good at Plan B. – James Yorke (mathematician)</p></blockquote>
<p>Fortunately, there’s an alternative available. This week, SailPoint launched <a href="http://www.identityplanb.com/">www.IdentityPlanB.com</a> to provide companies with a Plan B for provisioning. SailPoint’s Sun Migration Program allows Sun IdM customers to transition to a next-generation provisioning solution in a gradual, methodical way. SailPoint enables customers to immediately leverage a governance layer that complements their existing Sun provisioning implementation, extends the reach of that implementation beyond the resources being provisioned today, and provides a roadmap to move away from Sun without starting over or disrupting the business.</p>
<p>The reality is that companies need to transition away from Sun IdM. But starting over isn’t the only option – there’s always a <a href="http://www.identityplanb.com/">Plan B</a>.</p>
<p><em>Note: The SailPoint crew will be at <a href="http://catalyst.burtongroup.com/" target="_blank">Burton Catalyst</a> this week. If you’d like to talk more about migrating away from Sun, please join us on Wednesday in our <a href="http://www.catalyst.burtongroup.com/NA10/HospitalityMiniSites/SailPoint/index.html" target="_blank">hospitality suite</a>, Aqua West Foyer, Room 306A.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/07/sun-plan-b/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Oracle’s 11g Falls Short for Today’s Identity Governance Needs</title>
		<link>http://blog.sailpoint.com/2010/07/oracle-oim-11g-falls-short/</link>
		<comments>http://blog.sailpoint.com/2010/07/oracle-oim-11g-falls-short/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 16:58:25 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Oracle/Sun Acquisition]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=352</guid>
		<description><![CDATA[For some time, I’ve been watching Oracle’s marketing machine tout the impending arrival of Oracle Identity Manager 11g – a reportedly “revolutionary” suite of IdM products. I saw the OIM 11g announcement this morning and spent more than a few minutes digesting its contents. I have to admit that I was curious whether Oracle would [...]]]></description>
			<content:encoded><![CDATA[<p>For some time, I’ve been watching Oracle’s marketing machine tout the impending arrival of Oracle Identity Manager 11g – a reportedly “revolutionary” suite of IdM products. I saw the <a href="http://www.marketwatch.com/story/oracle-announces-significant-advances-in-application-security-with-oracle-identity-management-11g-2010-07-21?reflink=MW_news_stmp">OIM 11g announcement</a> this morning and spent more than a few minutes digesting its contents. I have to admit that I was curious whether Oracle would move the IdM market significantly forward. But if you were looking for answers to some of today’s most pressing identity management issues or innovative new features, I think you’ll find that the focus of 11g lies elsewhere.</p>
<p>At its core, the release is focused on “Oracle-izing” OIM and making it work more seamlessly with Oracle’s other software products. If you’re a born and bred Oracle customer and you’re comfortable being a few years behind in technology, then this might sit just fine with you. But if you were looking to address the modern era of governance and provisioning challenges, this release doesn’t do much to help you.</p>
<p>Secondly, from what I can tell, the major advancement Oracle is making in integrating its identity management offerings with each other seems to be largely at the surface level. They are promoting features such as “common install,” “common configuration management” and “common reporting.” Nowhere does it mention that they have resolved the multiple role models that exist between OIM and Identity Analytics, nor the multiple identity repositories the various components of the identity suite require. As an example, when roles, policies or identity data change in one product, they must be manually “synchronized” in the other. These deficiencies and their associated challenges cause deployment headaches and increased complexity, and are generally a major pain for customers.</p>
<p>Finally, it’s clear that Oracle’s strategy is to compete head-to-head with IBM, SAP, and Microsoft to be the leading integrated stack vendor. As a consequence of that focus, Oracle has prioritized integration features that “unite the stack” ahead of creating a seamlessly integrated IdM suite or delivering innovative new functionality to help customers address urgent compliance and operational issues. As a natural outcome of corporate priorities, Oracle has fallen behind in delivering integrated compliance, roles and provisioning.</p>
<p>Unfortunately for Sun IdM customers in particular, this is going to become painfully clear over the next year or two while Oracle continues the “Oracle-ization” of its identity suite (does anyone remember how Access360 went dark after IBM acquired it?). Oracle will first strive to rationalize the acquired technology into the stack, while “Sun”-setting others (like Sun Identity Manager). Given all this, it’s very likely that Oracle’s IdM technology will lag behind in functionality and integration between its components.</p>
<p>Most of the companies we talk to don’t have the luxury of waiting a few years to address today’s evolving governance, risk and compliance challenges. They have immediate business problems to solve and are looking for specific technologies to address them in the near term, not a long-term rearchitecture of their corporate infrastructure with the hope of someday addressing these needs.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/07/oracle-oim-11g-falls-short/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It’s Time to Rethink Your Provisioning Project</title>
		<link>http://blog.sailpoint.com/2010/05/rethink-provisioning/</link>
		<comments>http://blog.sailpoint.com/2010/05/rethink-provisioning/#comments</comments>
		<pubDate>Thu, 27 May 2010 14:16:51 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Burton Group]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=343</guid>
		<description><![CDATA[Our CTO Darran Rolls recently focused on the fact that traditional provisioning solutions took a “bottom-up, connector-focused” approach as opposed to a “top-down governance model” approach (“The Value of Taking a Governance-based Approach to Provisioning”). The net result is that many provisioning projects failed to deliver on their value proposition – especially to the non-technical [...]]]></description>
			<content:encoded><![CDATA[<p>Our CTO Darran Rolls recently focused on the fact that traditional provisioning solutions took a “bottom-up, connector-focused” approach as opposed to a “top-down governance model” approach (“<a href="http://blog.sailpoint.com/2010/05/the-value-of-taking-a-governance-based-approach-to-provisioning/">The Value of Taking a Governance-based Approach to Provisioning</a>”). The net result is that many provisioning projects failed to deliver on their value proposition – especially to the non-technical business user – giving the IdM market a big black eye over the past few years. In addition, there has been a shift in provisioning market drivers, which is driving increasingly sophisticated requirements from customers. The IdM market must evolve to meet the demands of this new IdM reality.</p>
<p>Provisioning technology was originally created to automate IT functions, like help desk requests for user account changes. And generally, it was a good solution for that (albeit limited in application scope due to the heavy investment required for a bottom-up approach). However, the decade-old technology has become outpaced by two factors: 1) the evolving requirements of identity governance and compliance versus account provisioning; and 2) the fact that identity management is rapidly shifting from an IT domain into a recognized business process driven by non-technical users. First-generation provisioning solutions don’t incorporate business users and processes into IdM processes, and have serious functionality gaps that leave organizations struggling to keep up with service delivery and compliance demands.</p>
<p>Not surprisingly, traditional provisioning solutions have been marketed over the years as the answer to many identity management challenges: efficiency, security, productivity, compliance, you name it. Many companies have been burnt by products failing to deliver on these promises. Given the investments made, we’re finding customers are understandably reluctant to consider the wholesale scrapping of an existing project – even a struggling one – and starting over given the complexity of implementing a bottom-up provisioning solution. So what can you do? How do you move forward without completely going back to square one?</p>
<p>There’s no one-size-fits-all answer to that question. But we believe that SailPoint’s new <a href="http://www.sailpoint.com/product/lifecycle-manager/">identity lifecycle management capabilities</a> offer an evolutionary path to provisioning success. One that can address your immediate pain, and then help you evolve toward the <a href="http://blog.sailpoint.com/2010/03/sailpoint-provisioning/">governance-based approach</a> to provisioning that we’re advocating.</p>
<p>To provide you with more information, we’re sponsoring a webinar, “<a href="https://www1.gotomeeting.com/register/684010041">Rethinking Provisioning in 2010 and Beyond</a>,” on June 10th that will feature <a href="http://www.burtongroup.com/AboutUs/Bios/AnalystBios.aspx">Lori Rowland</a>, a vice president at <a href="http://www.burtongroup.com/">Burton Group</a> and one of the industry’s top voices on provisioning. Lori and I will discuss the new business requirements for identity management and how they affect the provisioning landscape. We’ll also talk about what companies can do today to derive value from their technology deployments. Most importantly, my goal is to help you answer that question, “How do I get there from here?”</p>
<p>I’m looking forward to digging into this topic more with Lori and answering your questions live. If you’d like to join us, you can register at: <a href="https://www1.gotomeeting.com/register/684010041">https://www1.gotomeeting.com/register/684010041</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/05/rethink-provisioning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Value of Taking a Governance-based Approach to Provisioning</title>
		<link>http://blog.sailpoint.com/2010/05/the-value-of-taking-a-governance-based-approach-to-provisioning/</link>
		<comments>http://blog.sailpoint.com/2010/05/the-value-of-taking-a-governance-based-approach-to-provisioning/#comments</comments>
		<pubDate>Fri, 14 May 2010 13:56:07 +0000</pubDate>
		<dc:creator>Darran Rolls</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Governance-based Provisioning]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=339</guid>
		<description><![CDATA[In case you missed it, SailPoint recently announced a new provisioning solution based on identity governance. I believe this announcement not only signaled a fundamental change in approach from “old school” provisioning systems, but also sent a much needed life preserver to companies struggling with a provisioning quagmire. I know talk is cheap, so I [...]]]></description>
			<content:encoded><![CDATA[<p>In case you missed it, SailPoint recently <a href="http://www.sailpoint.com/news/press/press-release.php?release=65">announced</a> a new provisioning solution based on identity governance. I believe this announcement not only signaled a fundamental change in approach from “old school” provisioning systems, but also sent a much needed life preserver to companies struggling with a provisioning quagmire. I know talk is cheap, so I want to provide a more technology focused description on how our new approach will lead to a much needed improvement in the overall success rate for provisioning projects.</p>
<p>At the core of the problems with most legacy provisioning products is their failure to truly understand the security models within the systems they connect to and provision changes for. This may sound strange, but it’s true. Rather than focusing on building an overall control model that understands entitlement, legacy provisioning systems tend to focus on defining account schemas and building complex forms logic and rules to control the assignment of entitlements to identities via that schema.</p>
<p>To overload a much used term, the legacy approach to provisioning is “bottom up.” It starts at the bottom with a connector. The provisioning system itself requires complex configuration and programming by highly skilled IT technical staff, and the true business processes that the system provides are hidden in complex programming logic rather than being expressed in high-level business policy terms.</p>
<p>Quite the reverse is true for a governance-based approach to provisioning. A governance-based approach starts “top down” with a focus on managing entitlements within a defined governance lifecycle. This provides the business with a single view of the overall processes of request, controls, assignment and last mile provisioning as one overall business process. It builds upon clearly defined risk, role and policy models – models designed for and used by the business, NOT by an IdM specialist within IT.</p>
<p>Some of you might be wondering, “That’s just roles for provisioning isn’t it?” To be very clear, I’m saying that governance-based provisioning is much more than role-based provisioning! In fact, sometimes it doesn’t involve a role model at all. In those cases, a governance-based approach to provisioning is built upon a catalog of entitlements that describes business meaning, and prescribes clear ownership and approval processes for provisioning.</p>
<p>Here governance is built upon business oriented assignment policies that describe who should have what, and provides further insight into what that means – what data can be accessed, what files can be shared, etc. All this data comes together to create a core governance model that describes, in business terms, how access is defined, requested, approved, tracked, audited and later reviewed by the line of business. This is provisioning based on a governance meta-model, not XML coded “workflow rules.” It is “model based,” and the provisioning process itself is dynamically driven by the data that the model provides.</p>
<p>So what’s the net result of this next generation approach to provisioning? It’s better preventative and detective controls, fewer violations, and greater visibility and transparency over the complete end-to-end provisioning process. A governance-based approach to provisioning captures, documents and controls both the business and technical context of identity <em>and</em> the entitlement access governance lifecycle for all applications across the entire identity ecosystem, regardless of how the “last mile” of provisioning is enacted.</p>
<p>By modeling <span style="text-decoration: underline;">all</span> of the rules, relationships and processes that make up “the business of identity” you can bridge the gap between these business processes and the technical implementation of the underlying security models. This allows organizations to gain end-to-end visibility and control across all systems and applications – a breadth of coverage that has proved nearly impossible to achieve using traditional provisioning solutions.</p>
<p>I think we were way overdue for a fresh approach to user provisioning. What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/05/the-value-of-taking-a-governance-based-approach-to-provisioning/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SailPoint Unveils a New Approach to Provisioning</title>
		<link>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/</link>
		<comments>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 11:57:37 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=319</guid>
		<description><![CDATA[This morning, we announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to [...]]]></description>
			<content:encoded><![CDATA[<p>This morning, we announced a next generation provisioning product that builds on the governance framework provided by our core product, IdentityIQ. The announcement is a culmination of almost two years’ work internally at SailPoint, and we believe it represents an evolutionary shift in the provisioning market that will benefit any company that is struggling to meet the need for business-friendly access request, effective user lifecycle management, and ongoing compliance and audit requirements.</p>
<p>In the coming weeks, we’ll devote much of this blog to providing you with more insight into our new approach and new products. First, I’d like to explain how SailPoint arrived at today’s announcement and what it means for our current and prospective clients.</p>
<p>SailPoint released the first iteration of our identity governance solution, IdentityIQ, in <a href="http://www.sailpoint.com/news/press/press-release.php?release=29">early 2007</a>. Since then, we’ve been dedicated to helping customers achieve regulatory compliance at a reduced cost, improve internal controls and better manage the risks associated with access to sensitive data and applications across the enterprise. There was clearly a need for this solution in the market – as evidenced by the increasing focus industry <a href="http://www.sailpoint.com/industry/viewpoints.php">analysts</a> have placed on this space, as well as our own <a href="http://www.sailpoint.com/news/press/press-release.php?release=64">customer adoption</a>.</p>
<p>In <a href="http://www.sailpoint.com/news/press/press-release.php?release=37">September 2008</a>, we added business-friendly, self-service access request capabilities to IdentityIQ. As we worked with our customers to roll that capability out across their organizations, those same customers began pushing for SailPoint to manage the entire lifecycle of user privileges. The problem was that existing solutions for requesting and managing user access were at best outdated and inefficient, but more importantly, they were too complex to be used by business users.</p>
<p>As many of you know, SailPoint’s <a href="http://www.sailpoint.com/company/management.php">heritage</a> dates back to Waveset (<a href="http://www.sun.com/software/waveset/">acquired by Sun</a> in 2003), so many of our executive and technical staff have deep roots in the provisioning space. Leveraging that history and knowledge base, we began working on a solution that would better address the huge pain points our customers were experiencing with available provisioning technologies. Today, we’re not only announcing two new provisioning products, <a href="http://www.sailpoint.com/product/lifecycle-manager/">Lifecycle Manager</a> and <a href="http://www.sailpoint.com/product/provisioning-engine/">Provisioning Engine</a>, we’re also announcing an entirely new approach to provisioning.</p>
<p>This new approach begins with our Governance Platform, which centralizes identity data, captures business policy, models roles and mitigates risk to support both compliance and user lifecycle business processes. As we stated in the <a href="http://www.sailpoint.com/news/press/press-release.php?release=65">press release</a>, this governance-based approach to provisioning delivers three distinct advantages to customers:</p>
<ul>
<li><em>Simplified deployments.</em> SailPoint’s approach begins with the mining and modeling of all necessary information about users, access privileges, roles and policy into a single governance platform, enabling organizations to automate access request and provisioning processes without extensive workflow and custom coding. This reduces custom coding requirements by 200-300 percent.</li>
</ul>
<ul>
<li><em>Lower deployment costs.</em> SailPoint provides an open and flexible approach to the “last mile” of provisioning &#8211; the connector layer where changes are executed on IT resources &#8211; by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on “last mile” integrations. It also allows customers to immediately focus their identity management efforts where the highest value exists: at the business process and governance layer to ensure consistent, enterprise-wide compliance with internal and external security mandates.</li>
</ul>
<ul>
<li><em>Business and IT alignment.</em> SailPoint provides the first user interface designed specifically for business users to request access and manage user lifecycle events. Traditional provisioning tools were designed for use by IT administrators and were too cryptic and technical for business users. With its business-friendly user interfaces, SailPoint makes it easy to involve business users in all identity management processes, such as access requests, change approvals, access certifications and role lifecycle management.</li>
</ul>
<p>The entire SailPoint team is excited about today’s launch. The early feedback from customers and analysts has been extremely positive, and we look forward to sharing more details with many of you during this spring’s <a href="http://www.sailpoint.com/news/events.php">tradeshow season</a> (in the meantime, you can read more about the products <a href="http://www.sailpoint.com/product/">here</a>).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/03/sailpoint-provisioning/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Reflecting on 10 Years of IdM Technology</title>
		<link>http://blog.sailpoint.com/2009/09/10-years-of-idm/</link>
		<comments>http://blog.sailpoint.com/2009/09/10-years-of-idm/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 14:26:40 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Dave Kearns]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=251</guid>
		<description><![CDATA[This week commemorates Dave Kearns’ 10th anniversary writing Network World’s Identity Management newsletter. As a faithful follower over the past decade, I’m sending hearty congratulations to Dave for his feat. Keep those insights coming!
Dave’s column this week led me to reflect on how the IdM market has changed over the last 10 years. In 1999, [...]]]></description>
			<content:encoded><![CDATA[<p>This week commemorates Dave Kearns’ 10<sup>th</sup> anniversary writing <a href="http://www.networkworld.com/newsletters/dir/2009/090709id2.html">Network World’s Identity Management</a> newsletter. As a faithful follower over the past decade, I’m sending hearty congratulations to Dave for his feat. Keep those insights coming!</p>
<p>Dave’s column this week led me to reflect on how the IdM market has changed over the last 10 years. In 1999, the term “identity management” was not even in our lexicon – and in fact vendors and analyst firms spent a lot of time and energy debating what to call the emerging market. The birth of provisioning systems (itself a new term for our industry) was driven by the idea that user administration could be centralized, automated, and made more cost-effective. Designed primarily to relieve the burden on help desk and sys admins, provisioning solutions were primarily marketed and sold as a labor-saving improvement. It was a product designed for IT and sold to IT buyers. Initially, a lot of the focus was on demonstrating ROI.</p>
<p>Of course, the terrorist attacks of September 11, 2001 brought about a heightened focus on IT security, and the value proposition for provisioning shifted in the direction of securing the enterprise as well as providing a strong ROI. Around 2002-2003, another significant shift occurred in our market. Compliance was becoming more and more of a driver, as regulations like SOX, HIPAA and GLBA were introduced into law and took effect throughout the early 2000s. Businesses in the U.S. – and around the world &#8211; were trying to sort out how to manage these new mandates. It seemed like a natural fit for provisioning; after all, it was a means to centralize and automate how user access was granted and removed.</p>
<p>Ironically, the very nature of provisioning limited its ability to meet compliance requirements: the typical provisioning deployment manages around 10 resources, and most often these are not even the targets for compliance initiatives but rather the high-population, high-churn systems that consume the most manpower to manage onboarding and offboarding. In addition, most provisioning systems are deployed to manage account-level access only and provide little visibility into the fine-grained application entitlements that define what actions a user can actually perform within an application – a key compliance requirement. Lastly, provisioning systems were designed for technical users, so their UIs are too complex for business managers, auditors, and compliance staff.</p>
<p>With compliance demands increasing and security threats becoming ever-more sophisticated, I believe the IdM industry is now witnessing another inflection point. Ten years from where we started, provisioning technology still can’t provide end-to-end visibility and control across all high-risk systems and applications. In response to the need for stronger auditing and sustainable controls in the identity realm, centralized identity governance tools are proving themselves to be a better technology for governance, risk management and compliance. I believe 10 years from now, we’ll be reflecting on how significantly identity governance has shaped the IdM space.</p>
<p>I also believe the next decade will be defined by discriminating customers who want results immediately and who don’t believe throwing more money at legacy tools and processes is a viable solution. It will be marked by impressive innovation in the identity realm, led by identity governance vendors who are willing to rethink how identity data affects business decisions. Those same companies – SailPoint included – will enable companies to successfully manage compliance and security from a risk perspective – applying appropriate levels of oversight and audit where they matter the most. We may see a few dinosaurs try to evolve, but I doubt their products can live up to their multi-million dollar marketing claims.</p>
<p>How do you think the IdM market will change in the next 10 years?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/09/10-years-of-idm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Burton Catalyst Reprised</title>
		<link>http://blog.sailpoint.com/2009/08/catalyst/</link>
		<comments>http://blog.sailpoint.com/2009/08/catalyst/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 20:47:31 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Burton Catalyst]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=231</guid>
		<description><![CDATA[Last week, I was out in beautiful San Diego for the annual Burton Catalyst Conference. Despite the slow economy, the conference was very well attended – attesting to the attendees’ level of interest and quality of information delivered by Burton. This year’s identity track was kicked off by Bob Blakley, who talked about the evolutionary changes [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, I was out in beautiful San Diego for the annual <a href="https://burtongroup.wingateweb.com/us09/scheduler/weekAtGlance.do">Burton Catalyst Conference</a>. Despite the slow economy, the conference was very well attended – attesting to the attendees’ level of interest and quality of information delivered by <a href="http://www.burtongroup.com/">Burton</a>. This year’s identity track was kicked off by Bob Blakley, who talked about the evolutionary changes occurring in the identity market. Bob’s theme was one that we heard last year as well: identity needs to move from a centralized control model to a distributed model. Enterprise control of identities is getting more and more difficult. In response, the identity community is changing the way identity is built and deployed. As Bob put it, “we are now building infrastructure that will let you stop being an account and start being a person. Businesses can consume these and you can take them with you.”</p>
<p>Bob’s presentation was immediately followed by a panel discussion, hosted by Lori Rowland, that included Bob and analysts Gerry Gebel, Mark Diodati, Ian Glazer, and Kevin Kampman. The theme of the panel was change and evolution, touching on several topics of interest:</p>
<ul>
<li>The economy is driving the need for more identity solutions – compliance, need for efficiency, requirements not being met by current technologies. This year’s market has remained strong, with many vendors experiencing record growth. Burton predicts that next year will be even better.</li>
<li>There has been industry consolidation. The biggest vendors have shrunk, and M&amp;A events like Oracle acquiring Sun have had a significant impact on the IdM community. Going to smaller vendors is now a solid alternative. Vendor viability is not simply a matter of size. Large vendors do not excel at integrating their various components &#8211; you get better integration with smaller vendors’ products.</li>
<li>The economy has sparked changes to the IdM market. There is increased interest in SaaS, hosted, Open Source, or alternative delivery methodologies.</li>
</ul>
<p>For me, the most interesting part of the panel discussion was the analysts’ perspective on provisioning and the evolution of identity management into functional layers. Here’s a sampling of their commentary:</p>
<ul>
<li>Provisioning has become bloated and monolithic. Over time, every new feature got dumped into provisioning. It outgrew itself. Burton believes that breaking down functionality into separate layers is the right approach rather than making provisioning bigger. For example, an identity governance layer has emerged that is separate from the provisioning layer. This shows that vendors are catching up to what customers want in this area.</li>
<li>Identity governance is better suited for functionality such as access certifications, audit, SoD policy and access request, whereas provisioning is better suited for infrastructure functionality (engine, connectors). As Gerry pointed out, provisioning is not well-suited for compliance. It doesn’t cover the right applications; it does not have business-oriented UIs. Lori then added that “doing access request via provisioning is not pretty. You need to know the meaning behind the entitlements (and that’s not in provisioning).”</li>
<li>It’s a bad idea to clump all functionality into provisioning. Companies need to think about IdM differently – in layers. Big vendors are good at some things; specialty vendors are good at some things.</li>
<li>Provisioning has become impossible to deploy. It’s grown to encompass more things than anyone can comprehend. You’re always going to be in the middle of a provisioning project. It’s like the laundry – you’re never done.</li>
</ul>
<p>The panel finished up by looking at “What’s Hot” in IdM based on their conversations with end users. I’m happy to report here that the list includes several areas that are front and center for SailPoint, including role management, access and identity governance, and privileged user management. Other “hot” areas mentioned were federation, identity services, standards like SPML, and AD bridge. Identity management areas that have reached a level of maturity and are “not as hot” included eSSO, WAM, provisioning, and password management. Burton stressed that these products are still significant markets, but they are becoming more of a commodity.</p>
<p>All in all, it was an exciting and informative show.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/08/catalyst/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Technical View of BPM &amp; Identity Governance</title>
		<link>http://blog.sailpoint.com/2009/07/bpm/</link>
		<comments>http://blog.sailpoint.com/2009/07/bpm/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 23:52:45 +0000</pubDate>
		<dc:creator>Darran Rolls</dc:creator>
				<category><![CDATA[Access Request]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[BPM]]></category>
		<category><![CDATA[Gartner IAM]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=225</guid>
		<description><![CDATA[Building on Mark&#8217;s post from earlier this week, I want to add that I think the industry needs to get out of the mindset of thinking of “the business of identity” as an IT tools problem. For sure, provisioning has the potential to provide a consistent transactional “bus” for the identity change activity. But today’s [...]]]></description>
			<content:encoded><![CDATA[<p>Building on Mark&#8217;s <a href="http://blog.sailpoint.com/2009/07/businessprocessmanagement/">post</a> from earlier this week, I want to add that I think the industry needs to get out of the mindset of thinking of “the business of identity” as an IT tools problem. For sure, provisioning has the potential to provide a consistent transactional “bus” for the identity change activity. But today’s provisioning tools lack a governance foundation – a comprehensive model-based approach that’s owned and maintained by the business.</p>
<p>By definition, governance is the process of setting policies and evaluating compliance and alignment with those policies. Today’s provisioning tools only focus on providing a transactional “last-mile” for the account management process – a process used primarily by help desk or identity administrators. In contrast, identity governance solutions like SailPoint take a business-process approach to identity, designed to engage the business user in the governance process. To achieve this, we’ve really had to re-think the identity management use cases full stop. Products like ours provide a new user interface to identity for a new class of identity owner – the business user. By taking a business-process and model-driven approach to the identity, we do end up subsuming many of the poorly defined and cumbersome business processes within today’s transactional provisioning layer.</p>
<p>That’s the evolution of enterprise software. New approach, new models, new target solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/07/bpm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business Process Management: A Key Element of Identity Governance</title>
		<link>http://blog.sailpoint.com/2009/07/businessprocessmanagement/</link>
		<comments>http://blog.sailpoint.com/2009/07/businessprocessmanagement/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 20:38:12 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Access Request]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Access Request Manager]]></category>
		<category><![CDATA[BPM]]></category>
		<category><![CDATA[Burton Group]]></category>
		<category><![CDATA[IdentityIQ]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=214</guid>
		<description><![CDATA[Last week, I was very pleased to see Burton Group publish a report entitled “Access and Identity Governance: Leading to Transparency and Visibility?” The report, authored by Gerry Gebel, describes how an access and identity governance layer has emerged to address enterprise needs for greater transparency, visibility and business controls. The report is notable in [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, I was very pleased to see <a href="http://www.burtongroup.com/">Burton Group</a> publish a report entitled “<a href="http://www.burtongroup.com/research/PublicDocument.aspx?cid=1658">Access and Identity Governance: Leading to Transparency and Visibility</a>?” The report, authored by Gerry Gebel, describes how an access and identity governance layer has emerged to address enterprise needs for greater transparency, visibility and business controls. The report is notable in that it openly acknowledges the failure of provisioning solutions to meet the demands of governance and compliance:</p>
<blockquote><p>User provisioning tools are not properly designed to provide access and identity governance functionality. However, they were marketed as compliance platforms, which led to unreasonable expectations on the part of customers.</p></blockquote>
<p>Most importantly, the new Burton report signals the transition of identity management solutions from pure IT-oriented technology toward business-enabling software. As Gerry puts it, new governance tools “strive to become business decision support tools rather than IT consoles.” This transition is more complex than it sounds, because it involves designing software that allows business users to play a bigger role in identity management business processes, such as requesting, approving, certifying, or removing access privileges.</p>
<p>Beyond the need for business-friendly UIs (which are very important), I want to emphasize the key role that identity governance solutions play in automating identity business processes and underpinning those processes with common policy and controls. I’ll focus on a key identity business process – access request – to illustrate my point:</p>
<p style="padding-left: 30px;">In most organizations, the processes and tools used to request or change access are inefficient and inconsistent at best. Processes vary from business unit to business unit and from application to application, with users often requesting and gaining new access privileges without going through proper channels. The ad-hoc nature of the typical access request process leaves managers and users frustrated and enterprises vulnerable to increased security and compliance risks.</p>
<p>To address these problems, SailPoint released <a href="http://www.sailpoint.com/product/access-request-manager.php">IdentityIQ Access Request Manager</a> in <a href="http://www.sailpoint.com/news/press/press-release.php?release=37">September of 2008</a>. With this release, we became the first identity governance vendor to automate the business process management (BPM) side of access request, allowing employees and managers to use a business-friendly, fully automated process to request or change access privileges. Underpinning the Access Request Manager is IdentityIQ&#8217;s graphical workflow engine that makes it simple to design and customize business processes – across access request, role management, policy enforcement, and other identity governance functional areas.</p>
<p>In my view, the key tie-in between business process management and good governance is our ability to strengthen key identity business processes with our identity governance model, including both role and policy models, controls and risk management – to ensure compliance and introduce preventive controls at each step along the way.</p>
<p>We’ll be at <a href="https://burtongroup.wingateweb.com/us09/portal/login.ww">Catalyst</a> next week, where I look forward to continuing this discussion with any of you that will be there. It’s shaping up to be a great event!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/07/businessprocessmanagement/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
