As I think about the coming year, I wanted to share my annual predictions for the IdM market in 2012:

1. Identity Governance Gets Proactive: When we first brought identity governance to the market several years ago, most customers were focused on addressing immediate compliance or audit issues. Now, as those same organizations are several years into their deployments, I see more IT organizations moving to adopt preventive controls to block violations or inappropriate access at the point of request. Even more encouraging, we are seeing clients using risk scores to drive the prioritization of remediations and frequency of certifications, focusing controls where risk is highest. I predict proactive identity governance will help companies reduce the burden on compliance staff and improve audit performance.
2. Auditors Wake Up to SaaS: One of the most interesting phenomena I’ve observed over the past year is the extent to which IT auditors continue to exclude SaaS applications from their audit scope. As SaaS applications become more broadly deployed in mission-critical parts of the business like HR and finance, companies are placing themselves at increased risk for fraud, privacy violations or data breaches. I predict that 2012 will be the year that enterprises wake up to the risk of placing sensitive data or transactions in the hands of a cloud service provider without effective controls over who has access to what. A major data breach will certainly get everyone’s attention!
3. Provisioning Gets Slimmer – and Simpler: I’ve heard several analysts talking lately about provisioning “bloat” and the damage done by overly ambitious provisioning projects that never delivered on the promised benefits. As we enter 2012, I think we’re at the end of the age of bloated provisioning and are embarking on a new era of “slimmed down” provisioning that is easier and faster to deploy. We are seeing many clients implementing self-service access request with manual (non-automated) fulfillment via service desk or manual methods. And many clients are deploying provisioning on SailPoint’s identity governance foundation, which allows them to leverage business-friendly entitlement catalog and well-defined policies to simplify workflow and rapidly implement self-service.
4. Proving the Business Outcomes of IT Decisions Remains a Top Priority: It’s no surprise to anyone that we are living in a time of constrained budgets, but enterprises continue to invest in technology despite that fact. In most organizations, projects are being scrutinized even harder and require more justification than in the past. Regardless of what happens with the economy in 2012, I believe businesses will continue their careful scrutiny of IT investments. For this reason, IT organizations will need to learn to communicate and sell the business case for any large-scale IT project (including IdM) AND prove that the promised ROI was realized. (My cofounder Jackie recently wrote a great blog on this very topic.)

These are just a couple of my thoughts for next year. I’d like to hear your thoughts. What do you think will happen in the IdM market next year?

While the needs and benefits of IdM are real, many companies feel challenged to build a business case and show the potential ROI for this type of project. But don’t let number-crunching intimidate you! In a world of financial uncertainty where there are many competing technology investments, it’s more important than ever to show financial justification for your IdM strategy and direction.

To help you get started, we’ve developed four steps to consider when building your business case for a governance-based IdM strategy, focused on explaining the technology’s potential for delivering demonstrable ROI to the organization:

1. Internal needs assessment: Begin the evaluation process by first determining what the most pressing IdM issues or opportunities your organization is facing.
2. Baseline costs: Quantify how many and what types of resources are currently being spent on IdM processes (including manual labor costs).
3. Set project goals: Formally define your goals of the project and the expected benefits to the organization.
4. Build the financial model: Estimate how much your project will cost (technology, services, personnel) and then project how the project will save the organization time and money.

One of the keys to building your business case is to provide real-world examples of the tangible and repeatable benefits and cost savings that can result from your IdM project. SailPoint often partners with our customers to provide insight and help throughout this process. Below are some ROI stats that our customers have reported when demonstrating the ROI on their projects:

• Saved 50 full-time employees annually in controls testing and documentation on a project that spanned 600 applications across 28 countries.
• Reduced IT Operations costs by $800k annually by automating the de-provisioning of terminated employees.
• Slashed time spent on compliance by 66% by completing user access reviews in just 4 weeks instead of 3 months.
• Achieved 30% reduction in excess entitlements after the first user access review cycle.

We recently hosted a webinar that delves further into this topic. If you are interested in more details, you can access the free on-demand webinar here. The topics and real world use cases covered in the webinar are designed to help you define clear goals for your project and map out a compelling business case. Check it out!

The 5,573 adults polled gave us a resounding answer about whether data breaches are impacting their loyalty: 20-25% of respondents would stop doing business with a company following a data breach. We also asked consumers about the shift to electronic health records, and we saw even more evidence of consumer fears about identity theft and loss of privacy. The key takeaway for me is that consumers are paying attention to how merchants manage sensitive data, and companies that do not act as trusted custodians will see a measurable impact to customer loyalty.

If you’re interested in our latest survey results, please see today’s press release for full details. And we’ve put together a graphical representation of the survey’s findings to better communicate all the numbers – check it out (click the graphic for a larger view):

1. IdM is a not a set of IT processes. It is a set of business processes enabled by IT, which means business managers and users MUST be actively involved.
2. IdM should be approached with not just productivity and efficiency in mind, but governance and risk management, as well.
3. IdM implementations, while admittedly complex, should not take years and millions of dollars before delivering real value to the business.

Based on those principles, SailPoint set out to shake up the IdM market and deliver a new, innovative solution that delivers on these truths. The result, IdentityIQ, provides an integrated, single governance model; features intuitive dashboards and plain English for business users; and has proven over and over again that it will deliver tangible results within months, not years. Along the way, we also introduced a new market category, identity governance, and have seen several legacy-provisioning providers try to copy our approach.

Recently, Forrester Research validated that new market and our approach, positioning SailPoint as a leader in identity governance. The report, “The Forrester Wave: Role Management and Access Recertification,” states:

SailPoint’s IdentityIQ is the king of risk representation – since its inception it has had versatile support for assessing a credit-score-like risk for users and entitlements. Its user interface is one of the most customizable; the user’s splash page resembles a new portal’s intuitive layout with such features as portlets and drag-and-drop support.

After conducting an exhaustive and in-depth product analysis, SailPoint IdentityIQ scored the highest on 4 of the 6 product offering categories, as well as in customer behavior. Highlights of that analysis of IdentityIQ include:

The product has the most advanced capabilities of all other products in this Wave in risk management.

SailPoint is business-user friendly. It has beautiful dashboards.

The company’s expansion into provisioning also makes it a viable choice for enterprises looking to implement closed-loop identity compliance.

We’re thrilled with the recognition of our hard work, and invite you to read the entire report, courtesy of SailPoint, at www.sailpoint.com/forrester.

The details of the FTC announcement were interesting on two fronts. First and foremost, there was an absolute lack of strong security measures at both companies, making it child’s play for intruders to gain access to sensitive customer data. Lookout was charged with failure to implement strong password policies, storing passwords in clear text, and failure to provide access control to confidential web pages. Ceridian was charged with storing sensitive personal information in clear text on the company’s network and failure to take reasonable measures to detect and prevent unauthorized access to sensitive data.

The second interesting aspect of this news is that it demonstrates how the FTC is proactively taking action to protect consumers against data breaches. Both companies were charged with “unfair and deceptive trade practices” they advertised security safeguards that they failed to provide. The message is clear: if you suffer a data breach that impacts consumers and have advertised the how great your security is, you’re a target for a federal watchdog!

I like how the FTC is requiring the companies to implement and prove strong controls over access to sensitive data as part of the settlements. By mandating comprehensive data security plans and independent security audits, the FTC has sent a clear signal that companies managing consumer information will be held accountable to high standards of data protection. Notably, by prescribing explicit security plans and audits, the terms of the FTC settlements go well beyond the scope of many security and privacy laws in effect today.

The goal of our Users Group meetings are to foster a community among our customers to share best practices and provide new perspectives on challenges. By far the most interesting part of the day was hearing project updates from each customer and listening to the interactive dialog between companies addressing the same set of identity governance challenges. Our customers face a lot of common issues and challenges – spanning technology, project scope, staffing, organizational change management, executive support, etc. Many creative ideas were shared about how to speed deployment, accelerate adoption, get stronger buy-in from business users, and deal with constant organizational change.

Two “hot topics” of discussion during the day were role management and provisioning. We devoted a significant amount of the discussion on role management best practices, which proved to be a very popular topic. Some of the customers attending have very advanced role management projects and were able to share a lot of insights to their peers. We’ll plan to address some of the more common questions around roles in future blog posts. Another interesting discussion was focused governance-based provisioning, driven by a demo of SailPoint’s Lifecycle Manager (released in April 2010). Although provisioning deployments weren’t a focus of the User Group, it was definitely on the minds of the attendees – many of whom are in the early stages of rethinking their current provisioning implementations.

Regardless of whether a customer is just beginning to deploy identity governance or is two years into their implementation, our users tell us the knowledge and networking from these events is incredibly helpful. SailPoint also appreciated the opportunity to preview future IdentityIQ updates and solicit valuable feedback on our product roadmap. I’d like to send a big thanks to our customers that attended this Users Group!

For our customers who read this blog, I’d like to invite you to attend future meetings. Our quarterly Virtual Users Group is this Thursday, November 4^th. We’ll also be hosting two Users Groups in early-2011- one in the northeast and our first international one. Stay tuned for more details on both of those.

The need for business involvement. I may sound like a broken record, but I believe that 2011 will bring more IT challenges than we’ve seen in a long time. Many companies are still struggling to meet existing compliance requirements, and most of them believe that more regulation is on the way. Unfortunately, these same companies are also facing an increased risk of insider threats as a result of layoffs, hastily completed mergers and stagnant wages over the last two years. IT risk management is now a corporate imperative, and addressing these identity governance concerns requires business-level participation.

The ability to involve the business. You’ve probably always understood the value of involving IT and business managers in identity management efforts, but until recently, business managers were asked to review technical information that was virtually meaningless to them. Today’s next-generation provisioning and identity governance solutions like IdentityIQ were designed with business users in mind. IdentityIQ creates a single, authoritative view of “who has access to what” and then translates that technical identity data into consistent, business-relevant information. Now, business managers have the information they need to certify access privileges and better address the IT risks companies face.

Finally, in order for this business and IT integration to succeed, participants from both sides need to come together and communicate. I’d like to offer three best practices to help you ensure that your company’s business managers are active participants in your IdM processes (I recently wrote a more in-depth piece for eWeek on this topic).

1. Build a culture of business accountability – Establish a regular, automated process for business managers to review access, establishing a culture of accountability.
2. Focus on policy alignment – IT and business managers must collaborate on policy alignment to ensure that controls are designed and implemented correctly.
3. Make transparency a priority – Provide business managers with business-oriented user interfaces, glossaries and help facilities that turn IT data into business intelligence to facilitate good decisions and effective oversight.

As your company involves more business users, we want to help you succeed.  If there are specific topics you’d like us to provide more advice on, please leave a comment and we’ll address them in future posts. We’ll also be hosting a customer best practices session at next month’s Gartner IAM Summit, where a customer will discuss the value of taking a business-driven approach to identity governance.

I believe the shift toward more business involvement is a positive one for the IdM industry. It will help companies better address security and compliance requirements, and create more visibility with executive management. It’s an exciting evolution in the market, and I’m looking forward to next year!

• Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.
• Interestingly, only 16% said they would take office supplies with them.
• 49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.
• Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.

For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing.” I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.

So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.

At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s IdentityIQ, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also makes sure that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and also provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.

What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand webinars (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2^nd edition of our Identity Governance Buyer’s Guide.

The IT director of a nonprofit organ donor center for more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she set up previously without anyone’s knowledge.

Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company’s organ donor database server and main accounting server. Over the next several hours, she then deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers – making it impossible to identity the individual files and applications she deleted.

What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she had had previous access. So what more could a company do to prevent incidents like this? Here are some ideas:

• Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.
• Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans” and duplicate accounts (employee with more than one account on any system) can be flagged for immediate remediation.
• Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.
• Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.

Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be imported into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.

How do you manage the access rights of privileged users?

But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.

The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don’t always affect revenue or stock prices. The TJX data breach was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, TJX reported that comparable-store sales increased 4%.

We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?

What do you think?