<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SailPoint Identity Quotient</title>
	<atom:link href="http://blog.sailpoint.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.sailpoint.com</link>
	<description>The measure of all things identity</description>
	<lastBuildDate>Thu, 11 Mar 2010 14:24:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Feet on the Street: Identity Governance Builds Buzz at Gartner IAM Summit</title>
		<link>http://blog.sailpoint.com/2010/03/gartner_iam_summit/</link>
		<comments>http://blog.sailpoint.com/2010/03/gartner_iam_summit/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 14:22:33 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Economy]]></category>
		<category><![CDATA[Gartner IAM Summit]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=314</guid>
		<description><![CDATA[As I sit here, winging my way back to Austin from the Gartner IAM Summit last week in London, I can&#8217;t help but reflect on how much the identity market has evolved since SailPoint attended the first European IAM Summit in 2008. In addition to the fact that the attendees at the conference were vibrant, [...]]]></description>
			<content:encoded><![CDATA[<p>As I sit here, winging my way back to Austin from the <a href="http://www.gartner.com/it/page.jsp?id=928020">Gartner IAM Summit</a> last week in London, I can&#8217;t help but reflect on how much the identity market has evolved since SailPoint attended the first European IAM Summit in 2008. In addition to the fact that the attendees at the conference were vibrant, interested and full of questions – which I believe is an indication that people are back in the buying mode – the most obvious difference was the level of awareness and understanding that the attendees had for identity governance (or IAM intelligence, as Gartner likes to refer to it).</p>
<p>Two years ago, it was difficult to find many people who clearly understood the difference between what they were getting from their provisioning vendor and a true identity governance solution, so we spent a lot of time on basic education. This year, people were much better educated coming into the conference. They were keen to understand the nuances and differentiators between identity governance offerings and actively sought out vendors like SailPoint. In fact, identity governance was featured prominently in many of the conference speakers’ sessions in one form or another. One Gartner analyst even told me, &#8220;Identity governance is one of the hottest topics at the show this year.&#8221;</p>
<p>It&#8217;s taken a bit of time, but the fog is definitely clearing on the identity landscape, and it looks like 2010 may be the year that identity governance comes into its own.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/03/gartner_iam_summit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feet on the Street: RSA Highlights Cloud and Cybersecurity</title>
		<link>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/</link>
		<comments>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 16:04:20 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=310</guid>
		<description><![CDATA[This week, several members of the SailPoint team made the annual trek to the industry’s biggest security event, the RSA Conference. As always, the conference was a high-paced mix of conference sessions, technology debates, and meetings with customers and partners.
I’m always interested in what themes get the most play at RSA. This year, I’d have [...]]]></description>
			<content:encoded><![CDATA[<p>This week, several members of the SailPoint team made the annual trek to the industry’s biggest security event, the <a href="http://www.rsaconference.com/index.htm">RSA Conference</a>. As always, the conference was a high-paced mix of conference sessions, technology debates, and meetings with customers and partners.</p>
<p>I’m always interested in what themes get the most play at RSA. This year, I’d have to say that “the cloud” wins the contest hands-down. Cloud computing was ubiquitous – a centerpiece of most keynote addresses, a feature on booth signage throughout the show floor, and not surprisingly, the butt of quite a few jokes (example: let’s do a tequila shot every time we hear the word “cloud”).</p>
<p>In the show’s opening keynote, RSA’s CEO Art Coviello declared cloud computing “the most over-hyped but underestimated phenomenon in history” (borrowing a phrase from <a href="http://en.wikipedia.org/wiki/Nicholas_Negroponte">Nicholas Negroponte</a>). Coviello went on to say that cloud computing presents us all with the rare opportunity for a “do over” – to be present at the rollout of a new wave of computing with security built-in from the get go. I have to admit I raised my eyebrows at this turn of phrase. I predict that the evolution toward cloud computing will be moderated and incremental – and not a “do over” by anyone’s definition.</p>
<p>Another interesting observation about this year’s show is the continued (and perhaps even bigger) blend of public and private sector speakers. Past years’ shows have featured Michael Chertoff, Melissa Hathaway, and Al Gore. This year’s speakers included Secretary of Homeland Security Janet Napolitano, <a href="http://en.wikipedia.org/wiki/Howard_Schmidt">Howard Schmidt</a>, the U.S. cybersecurity coordinator <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/12/21/AR2009122103055.html">appointed</a> by President Obama in December, and Robert Mueller, director of the FBI. On Tuesday, Schmidt presented a keynote address and hosted a heavily-attended town hall meeting. In both of these venues, he conveyed a very measured and pragmatic approach to addressing the cybersecurity responsibilities of the federal government. He said more than once “there is no silver bullet.”</p>
<p>During an entertaining Q&amp;A session with the audience, Schmidt revealed the following about his agenda:</p>
<ul>
<li>He’s not a proponent of more regulation to drive better security practices. The one exception he mentioned was the area of data breaches (where there is <a href="http://blog.sailpoint.com/2009/12/u-s-data-security-laws/">pending legislation</a>).</li>
<li>He assured the audience that any measures taken by the Fed will respect privacy and civil liberties issues.</li>
<li>He admitted that the Federal Information Security Management Act (FISMA) is archaic and needs to be changed. He mentioned that some changes are being rolled out this year.</li>
<li>He believes that we, as a society, are making real progress with cybersecurity. He pointed out that there are fewer devastating attacks and service disruptions than in previous years.</li>
</ul>
<p>Unfortunately, Schmidt’s position is made all the more challenging by the bureaucracy and interest groups he will have to navigate in Washington – it’s not just a matter of fixing problems and fighting the bad guys. On a positive note, the amount of focus being put on the issue of cybersecurity at the federal level can only be a good thing.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Achieving Auditable Compliance with NERC CIP Reliability Standards</title>
		<link>http://blog.sailpoint.com/2010/02/nerc/</link>
		<comments>http://blog.sailpoint.com/2010/02/nerc/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 15:16:59 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Corporate Integrity]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[NERC CIP]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=306</guid>
		<description><![CDATA[Beginning in 2010, energy producers and distributors face a looming challenge – to become “auditably compliant” with the Critical Infrastructure Protection (CIP) standards by the July 1, 2010 deadline. Developed by NERC, an independent, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America, and given the force [...]]]></description>
			<content:encoded><![CDATA[<p>Beginning in 2010, energy producers and distributors face a looming challenge – to become “auditably compliant” with the Critical Infrastructure Protection (CIP) standards by the July 1, 2010 deadline. Developed by NERC, an independent, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America, and given the force of law by the Federal Energy Regulatory Commission (FERC) in early 2008, the standards are intended to compel energy companies and utilities to focus more heavily on cyber-security.</p>
<p>The overriding goal of the CIP standards is to protect the bulk electric system from cyber attacks, including attacks from within the utility (i.e., insider threats). The eight standards include establishing programs for managing access to cyber assets, documenting which personnel are authorized to access cyber assets, and creating plans and processes for electronic and physical security of assets, among other things. The deadline to become “auditably compliant” by July 2010 provides the real “teeth” to the mandate, requiring organizations to undergo audits and provide documented evidence of compliance or non-compliance with the standards.</p>
<p>While the NERC CIP standards are more prescriptive than some regulatory mandates, they do leave many implementation details up to the affected organizations. Put another way, NERC defines “the what” but not necessarily “the how” of getting compliant. This factor makes it critical that organizations think strategically and holistically about their approach to NERC CIP and follow three important guidelines:</p>
<ol>
<li>Take a risk-based approach that focuses controls on the most critical cyber assets and avoids boiling the ocean;</li>
<li>Automate compliance processes for consistency and repeatability, and to control costs; and</li>
<li>Don’t forget the people component in “people, process, and technology” &#8211; communications and information sharing between stakeholders is key.</li>
</ol>
<p>Because controlling access to critical infrastructure is one of the highest priorities for complying with the CIP standards, identity governance will be a key component of any organization’s compliance strategy. Identity governance provides an automated approach to strengthening access controls and delivering evidence of those controls for audit purposes. By offering a framework for automating compliance, facilitating business and IT collaboration, and taking a risk-based approach, identity governance helps organizations to achieve sustainable, auditable compliance with the standards’ requirements.</p>
<p>To help organizations plan and implement a cost-effective, risk-based approach to NERC CIP compliance, SailPoint is presenting a free webinar with <a href="http://corp-integrity.com/">Corporate Integrity’s</a> Michael Rasmussen on February 10<sup>th</sup> (details <a href="https://www1.gotomeeting.com/register/325364080">here</a>). We’ll review the CIP standards, what&#8217;s needed, and how identity governance can help companies achieve the next level of compliance. Following the webinar, we’ll also provide access to a free whitepaper that walks companies through the eight CIP standards focused on IAM, and provides a roadmap for how to best comply with each.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/02/nerc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Market Pulse Survey: Divide Between Business and IT Persists</title>
		<link>http://blog.sailpoint.com/2010/01/market-pulse-survey/</link>
		<comments>http://blog.sailpoint.com/2010/01/market-pulse-survey/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 20:12:55 +0000</pubDate>
		<dc:creator>SailPoint</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=297</guid>
		<description><![CDATA[We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don&#8217;t fully understand what they are [...]]]></description>
			<content:encoded><![CDATA[<p>We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don&#8217;t fully understand what they are certifying. In fact, nearly 75% of the respondents believe business managers don&#8217;t understand the technical descriptions of the access privileges they certify.</p>
<p>Additional key findings from the survey include:</p>
<ul>
<li>More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.</li>
<li>42% reported shared responsibility and accountability with business managers for the access certification process.</li>
<li>61% of the respondents report that they use manual or homegrown processes to manage a company&#8217;s access privileges.</li>
<li>Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (which is similar to the statistic from our <a href="http://www.sailpoint.com/news/press/press-release.php?release=51">May 2009 Market Pulse Survey</a>).</li>
</ul>
<p>The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, are available <a href="http://www.sailpoint.com/landing-pages/mp-survey.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/01/market-pulse-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Predictions for 2010: The IT World Has Changed (for the Better)</title>
		<link>http://blog.sailpoint.com/2009/12/2010idmpredictions/</link>
		<comments>http://blog.sailpoint.com/2009/12/2010idmpredictions/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 15:52:22 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[2010]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=292</guid>
		<description><![CDATA[Despite the economic challenges, this has been a record year for SailPoint as we’ve doubled our customer base and expanded into Europe and APAC. As we look forward to 2010, we have been reflecting upon the recession and how it will impact next year – particularly in regard to how companies consume, purchase and view [...]]]></description>
			<content:encoded><![CDATA[<p>Despite the economic challenges, this has been a <a href="http://www.sailpoint.com/news/press/press-release.php?release=60">record year</a> for SailPoint as we’ve doubled our customer base and expanded into Europe and APAC. As we look forward to 2010, we have been reflecting upon the recession and how it will impact next year – particularly in regard to how companies consume, purchase and view technology. With that in mind, I offer the following four trends and predictions for 2010:</p>
<p style="padding-left: 30px;"><strong>1. Cautious Investment Strategies Will Remain.</strong> The tough economy has made buyers more selective about how they invest in software solutions. The constricted budgets and constrained resources of 2009 in many cases brought clarity to project prioritization. CIOs have become more discriminating customers who want results quickly and who expect a solid near-term return on investment. Particularly in the identity governance space, companies expect to have full visibility and control over access privileges in months, if not weeks, with measurable results along the way. Even if companies enjoy larger budgets next year, CIOs will continue to be laser-focused on solutions that provide immediate, measurable results.</p>
<p style="padding-left: 30px;"><strong>2. The Compliance Burden Will Grow.</strong> Compliance, transparency and risk management will remain top priorities for global companies. Everyone agrees that as fallout from what transpired in the financial markets in 2008, even more regulation is on the way, not less. The Model Audit Rule, which effectively requires SOX-like compliance for non-public insurance companies, takes effect on January 1st. Part of Obama’s stimulus package included the HITECH Act in healthcare, which effectively adds more “teeth” to HIPAA by requiring companies to disclose any privacy breaches. And most recently, the Personal Data Privacy and Security Act of 2009 passed a major hurdle and will be voted on by the Senate. Clearly these are US-only examples, but companies around the world are going to be bombarded with new requirements and more stringent rules.</p>
<p style="padding-left: 30px;"><strong>3. Identity Management Will “Grow Up.” </strong>As a result of the growing focus on governance and compliance, organizations are starting to view IdM as more of a business-centric discipline than an IT-only domain. IdM processes can no longer be the exclusive realm of identity admins and help desk staff. To ensure compliance initiatives are successful, organizations must get business users involved in the process. It is the business user, after all, who has the most accurate knowledge of who should be doing what with which applications and datasets. Collaboration is required across teams of business, audit/compliance and technical staff. As a result, there is a growing need for IdM solutions to evolve into business-friendly solutions to better manage IT and business risk. The IdM market will see more business process management (BPM) functionality in the coming year and will begin delivering business intelligence and decision support solutions.</p>
<p style="padding-left: 30px;"><strong>4. Identity Governance Will Energize the IdM Market. </strong>As I’ve said many times, I believe the recession has served as a catalyst in IdM’s evolution – both by elevating the importance of transparency and risk management, as well as increasing corporate focus on rapid results and return on investment. I believe our industry is now at an inflection point where companies are starting to rethink how they approach IT risk management and what they expect from technology vendors. As identity governance technology matures, innovative startups will completely disrupt the IdM space by bringing a level of intelligence and risk management that is of high value to the business. We’ll see a few dinosaurs try to evolve, but this race will be a fast one and we’ll see if they can keep up.</p>
<p>How do you think 2010 will differ from 2009 in the IdM market?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/12/2010idmpredictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Data Security Laws: Is There Another SOX in your Future?</title>
		<link>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/</link>
		<comments>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/#comments</comments>
		<pubDate>Mon, 07 Dec 2009 14:45:07 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=289</guid>
		<description><![CDATA[A recent Forbes feature, “The Year of the Mega Breach,” caught my attention last week. It includes a slideshow of 2009’s largest security breaches, and concludes that this year alone, more personal information was exposed through data breaches than ever before. The article appeared amid news about a T-Mobile data breach, and Health Net and [...]]]></description>
			<content:encoded><![CDATA[<p>A recent Forbes feature, “<a href="http://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches.html?partner=technology_newsletter">The Year of the Mega Breach</a>,” caught my attention last week. It includes a <a href="http://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches_slide.html">slideshow</a> of 2009’s largest security breaches, and concludes that this year alone, more personal information was exposed through data breaches than ever before. The article appeared amid news about a <a href="http://www.eweek.com/c/a/Security/TMobile-Confirms-UK-Data-Breach-260415/">T-Mobile data breach</a>, and <a href="http://www.hartfordbusiness.com/news11056.html">Health Net</a> and <a href="http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=221601331">Blue Cross Blue Shield</a> admitting to losing patients’ personal information. A quick scan of SC Magazine’s <a href="http://www.scmagazineus.com/the-data-breach-blog/section/1263/">Data Breach Blog</a> reveals more breaches that occurred in November.</p>
<p>In the midst of this publicity storm of insecurity, the U.S. government has stepped up its focus on information security and privacy. Currently, two bills &#8211; the <a href="http://www.nextgov.com/nextgov/ng_20091110_6796.php?oref=topnews">Data Breach Notification Act</a> and the <a href="http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward">Personal Data Privacy and Security Act of 2009</a> &#8211; are making their way through Congress. The Senate Judiciary Committee passed the two bills in early November, which are now headed for a full Senate vote. The first bill is designed to protect consumers from having their personal information lost, stolen or exposed (similar to California’s landmark CA 1386 law). The latter bill establishes guidelines for protecting sensitive information and creates the Office of Federal Identity Protection inside the Federal Trade Commission.</p>
<p>It will be interesting to see whether one or both of the U.S. laws pass. Over the past 5 years, similar legislation has been proposed but failed to pass in the U.S. Congress. Proponents see great benefit in unifying various state breach notification laws into a single national law. Opponents fear the law imposes requirements that are too onerous for businesses to bear, in addition to creating more federal bureaucracy to oversee the mandate.</p>
<p>Given the number and frequency of data breaches, I believe that 2010 could be the year we’ll see a national privacy and security law in the U.S. There are clear benefits to simplifying and standardizing laws around data breach notification. The proposed bill will establish a single national standard to replace the patchwork quilt of state data breach laws (and will provide regulations for the few states that have no such legislation). And it will also establish some pretty stiff enforcements and penalties, which will satisfy those looking for real “teeth” in the law.</p>
<p>I have the least confidence about Congress’ ability to pass the Personal Data Privacy and Security Act. This law is more prescriptive than the Data Breach Notification Act. It would require all companies handling sensitive data to implement specific risk assessment and vulnerability testing measures (including controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while in transit and at rest). It also establishes a new office of the FTC to act as a watchdog.</p>
<p>Because the Data Privacy and Security Act federally mandates security controls, it’s bound to be a lightning rod for debate. No one disagrees that companies need to put in place the necessary controls to prevent security breaches, but there is volatile disagreement over the role of the federal government in forcing companies to comply with specific security practices. Many will invoke Sarbanes-Oxley as an example of the ills of overly aggressive federal regulation of private industry. Proponents will point to the fact that businesses are not doing a very good job at guaranteeing security and privacy left to their own devices.</p>
<p>What do you think? Should laws mandate how companies address and prevent security breaches, or should companies be allowed to address these on their own?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Gartner IAM Summit Recap (Part 2): Our Customers Speak</title>
		<link>http://blog.sailpoint.com/2009/11/gartner-iam-summit-recap-our-customers-speak/</link>
		<comments>http://blog.sailpoint.com/2009/11/gartner-iam-summit-recap-our-customers-speak/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 19:35:31 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Customers]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Gartner IAM Summit]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Identity Risk Management]]></category>
		<category><![CDATA[IdentityIQ]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[IT & Business alignment]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=285</guid>
		<description><![CDATA[As I mentioned in yesterday’s post, two SailPoint customers presented case studies last Wednesday at the Gartner IAM Summit. Bravely taking on the 8 a.m. time slot (which was well attended for the early hour) was Andy Weeks, Risk and Compliance Manager for Humana. Andy gave a very compelling overview of Humana’s IAM journey over [...]]]></description>
			<content:encoded><![CDATA[<p>As I mentioned in yesterday’s <a href="http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%E2%80%99s-gartner-iam-summit/">post</a>, two SailPoint customers presented case studies last Wednesday at the <a href="http://www.gartner.com/it/page.jsp?id=838920">Gartner IAM Summit</a>. Bravely taking on the 8 a.m. time slot (which was well attended for the early hour) was Andy Weeks, Risk and Compliance Manager for <a href="http://www.humana.com/">Humana</a>. Andy gave a very compelling overview of Humana’s IAM journey over the past five years, using the famous <a href="http://www.gartner.com/pages/story.php.id.8795.s.8.jsp">Gartner Hype Cycle</a> as a framework. It was a story that I think many organizations could relate to.</p>
<p>During a phase of dramatic company growth in the 2003-2005 timeframe, Humana set out to improve its user onboarding processes, which were particularly painful in high-growth and high-churn areas of the business. Andy described how Humana’s early IAM projects progressed through a “Peak of Inflated Expectations” phase, then descended into the “Trough of Disillusionment,” as initial enthusiasm and commitment for the IAM program waned. During this period, there were many stops and starts, including a period where Humana considered throwing out its provisioning solution and starting over. But ultimately, the project found stability and success.</p>
<p>In the 2007-2008 timeframe, Humana’s priorities turned to regulatory compliance. SailPoint entered the Humana IAM program in 2008, when Humana selected IdentityIQ to automate access certification and policy enforcement. Andy described how <a href="http://www.sailpoint.com/product/index.php">SailPoint IdentityIQ</a> helped Humana gain enterprise visibility to “who has access to what” and automated necessary oversight by IT and business managers. He concluded his presentation with the message that Humana had, after five years, climbed the “Slope of Enlightenment” and was reaping the productivity benefits of a mature IAM program.</p>
<p>Later that morning, Robert Mazzocchi, VP of Identity and Access Management at <a href="http://www.aigcorporate.com/index.html">AIG</a>, took the stage. Robert’s case study described how AIG addressed its compliance and risk management needs during an exceptionally volatile period of the company’s history – events that were exacerbated by AIG’s highly decentralized business units and lack of a centralized HR system. He described how AIG scoped its Global Access Certification project, with the goal of aggregating, correlating and certifying user and access data for high-risk applications that spanned geographies and operating environments.</p>
<p>Robert described how IdentityIQ helped AIG to create certification reports and send them for periodic processing to department and application managers, providing all necessary capabilities such as reminder notices, escalation, delegation, and status tracking and audit reporting. As he described how AIG was conducting global recertifications, Robert emphasized that AIG’s main driver for performing recertifications was to reduce corporate risk. He stressed the need to be able to identify high-risk users in the environment, such as privileged users, and to scope controls accordingly, so that the greatest oversight is applied where it’s needed the most.</p>
<p>For me, the customer presentations were the most compelling ones of the show because they connected the advice the analysts had presented earlier in the show to real-world IAM projects. As a result, the attendees got invaluable exposure to first-hand accounts of successful IAM and identity governance projects, which will undoubtedly help them with their own projects.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/11/gartner-iam-summit-recap-our-customers-speak/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feet on the Street: A Look at Last Week’s Gartner IAM Summit</title>
		<link>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/</link>
		<comments>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 14:59:06 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[BPM]]></category>
		<category><![CDATA[Gartner IAM Summit]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=281</guid>
		<description><![CDATA[Last week, the SailPoint crew gathered in force at the Gartner IAM Summit in beautiful San Diego. While the show was a bit smaller than last year’s event in Orlando, there were lots of opportunities for lively interaction with analysts, partners, and customers.
One of the best aspects of shows like this is the high-quality conversations [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, the SailPoint crew gathered in force at the <a href="http://www.gartner.com/it/page.jsp?id=838920">Gartner IAM Summit</a> in beautiful San Diego. While the show was a bit smaller than last year’s event in Orlando, there were lots of opportunities for lively interaction with analysts, partners, and customers.</p>
<p>One of the best aspects of shows like this is the high-quality conversations that happen everywhere – in the sessions, on the show floor, in restaurants and of course, the lobby bar! It’s interesting to see this kind of networking in action, built on many years of identity management history and experience. (Yes, we’re becoming an older and wiser bunch.)</p>
<p>It’s always tough to pick a leading theme for an event like this, but a couple of consistent threads ran throughout the show. First, a lot was said about how IAM is evolving (some said “maturing”) to address governance, risk and compliance requirements. One key shift pointed out by several Gartner analysts is the growing involvement of business users in IAM processes. Here’s a sampling of comments made in the sessions:</p>
<blockquote><p>IAM needs governance. It needs to partner with the business community. It’s not just plumbing. – Earl Perkins</p></blockquote>
<blockquote><p>The goal of IT governance is defined as a business goal: It is not just IT-related. – Paul Proctor</p></blockquote>
<blockquote><p>Business representation is critical to managing IAM in day-to-day operations, including determining who should have access to what, defining roles and rules, access reviews and attestations, and so on. – Ray Wagner</p></blockquote>
<p>Another over-arching theme during the show was the relationship between IAM and business process management (BPM). In Earl Perkins’ opening keynote, he highlighted BPM as an emerging IAM trend, noting that customers should begin to look for BPM functionality in IAM solutions. Paul Proctor reinforced this idea in his session “GRC Requirements for IAM,” stating that &#8220;IAM is increasingly viewed not just as a collection of infrastructure procedures for IT but as a means of enhancing and extending key business processes.&#8221;</p>
<p>We couldn’t agree more! Last week at the show, we announced our latest product release &#8211; IdentityIQ 4.0. This release extends our capabilities to “manage the business of identity,” fostering better teamwork across an organization by synchronizing identity business processes with IT controls (be sure to read the <a href="http://bit.ly/2WqP3A">press release</a> and what the media are <a href="http://www.networkworld.com/newsletters/dir/2009/110909id2.html">saying</a>).</p>
<p>Stay tuned for tomorrow’s blog, where I’ll share two case studies presented at the Gartner show by SailPoint customers in the insurance and managed care industries.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/11/feet-on-the-street-a-look-at-last-week%e2%80%99s-gartner-iam-summit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The State of the Identity Governance Market</title>
		<link>http://blog.sailpoint.com/2009/11/identity-governance-market/</link>
		<comments>http://blog.sailpoint.com/2009/11/identity-governance-market/#comments</comments>
		<pubDate>Wed, 04 Nov 2009 22:25:05 +0000</pubDate>
		<dc:creator>Kevin Cunningham</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Gartner IAM Summit]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[IdM]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=276</guid>
		<description><![CDATA[Next week, I’ll be attending the Gartner IAM Summit in San Diego. It’s safe to assume that the state of the IAM/IdM market will be top of mind at the conference, so I thought I’d share my observations:

Despite tightened budgets during 2009, we are seeing strong demand for identity governance. Companies continue to invest in [...]]]></description>
			<content:encoded><![CDATA[<p>Next week, I’ll be attending the <a href="http://www.gartner.com/it/page.jsp?id=838920">Gartner IAM Summit</a> in San Diego. It’s safe to assume that the state of the IAM/IdM market will be top of mind at the conference, so I thought I’d share my observations:</p>
<ul>
<li>Despite tightened budgets during 2009, we are seeing strong demand for identity governance. Companies continue to invest in strengthening controls around access to their critical applications and data. In fact, SailPoint recently <a href="http://www.sailpoint.com/news/press/press-release.php?release=60">closed the strongest quarter</a> in our company’s history. Already this year we’ve doubled our customer base, and my guess is that 2010 will also be a year of significant market growth. We’re seeing the same demand across North America, Europe and Asia/Pacific, emphasizing that identity governance is addressing a global issue.</li>
</ul>
<ul>
<li>The tough economy has made buyers more selective about how they invest in IdM solutions. Budget constraints have ensured that companies are laser-focused on solutions that provide immediate, measurable results. I believe one of the factors in SailPoint’s success has been our ability to give our customers visibility and control over access privileges very quickly &#8211; in weeks or months, not years. Seeing the early results of data aggregation, correlation, and data cleanup across critical applications is very powerful, and allows organizations to immediately address high-risk issues like orphan accounts, policy violations and proliferation of service accounts. Generating results like this helps get executive and business buy-in, and serves as a strong foundation for expanding the project to incorporate access certifications, role management, access request and provisioning.</li>
</ul>
<ul>
<li>Lastly, I see a major shift by organizations to view IdM as more of a business-centric discipline. Put another way, IdM is no longer the exclusive realm of identity admins and help desk staff. To ensure compliance initiatives are successful, organizations must get business users involved in the process. Collaboration is required across teams of business, audit/compliance and technical staff. As a result, there is a growing need for business-friendly solutions that synchronize identity business processes across the individuals and groups managing identity governance activities. Taking a business process approach is a key enabler that allows organizations to effectively work together to define governance policy, design and implement appropriate controls, monitor the effectiveness of controls, and better manage IT and business risk.</li>
</ul>
<p>To sum up, in some ways the recession has served as a catalyst in IdM’s evolution – both by elevating the importance of transparency and risk management and by increasing corporate focus on rapid results and return on investment. I believe our industry is now at an inflection point where companies are starting to rethink how they approach IT risk management and what they expect from technology vendors. It should make the next year very interesting, and exciting, from a technology vendor’s perspective!</p>
<p>I’m looking forward to hearing the Gartner analysts’ predictions heading into 2010 and to having conversations with any of you who will be joining us at the conference.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/11/identity-governance-market/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Counting Down to the New Model Audit Rule</title>
		<link>http://blog.sailpoint.com/2009/10/modelauditrule/</link>
		<comments>http://blog.sailpoint.com/2009/10/modelauditrule/#comments</comments>
		<pubDate>Mon, 12 Oct 2009 14:45:02 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Corporate Integrity]]></category>
		<category><![CDATA[MAR 2010]]></category>
		<category><![CDATA[Model Audit Rule]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=268</guid>
		<description><![CDATA[In less than three months, the new Model Audit Rule (MAR) will go into effect. Beginning January 1st, many non-public insurers will for the first time be required to comply with more stringent regulatory provisions, and public insurers that are already subject to SOX will be subject to additional reporting requirements. One key aspect of [...]]]></description>
			<content:encoded><![CDATA[<p>In less than three months, the new <a href="http://www.naic.org/committees_e_naic_aicpa_wg.htm">Model Audit Rule</a> (MAR) will go into effect. Beginning January 1<sup>st</sup>, many non-public insurers will for the first time be required to comply with more stringent regulatory provisions, and public insurers that are already subject to <a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act">SOX</a> will be subject to additional reporting requirements. One key aspect of addressing MAR compliance will be the ability to protect the integrity of financial systems by preventing and detecting unauthorized or inappropriate access by employees, contractors, partners, or customers.</p>
<p>Most industry analysts agree that the MAR applies SOX requirements to privately-held insurance companies. While it’s true that the new rule was based on SOX and contains many of the same auditing and reporting requirements, the two regulations are not the same. In fact, there are some key differences:</p>
<ul>
<li>SOX applies only to publicly-held companies, whereas the Model Audit Rule applies to all insurance companies domiciled in the United States with direct and assumed premiums greater than $500 million.</li>
<li>SOX requires the CEO and CFO to certify in quarterly and annual SEC filings the adequacy of the company’s disclosure controls and whether there have been changes in its ICFR. The Model Audit Rule applies only to the internal controls over annual statutory financial statements filed by insurers. Therefore, the certifications apply only to the annual reports.</li>
<li>SOX requires that a company’s external auditor attest to and report on management’s evaluation of ICFR. The Model Audit Rule has no such external attestation requirement.</li>
</ul>
<p>For identity management and IT security professionals, the most significant aspect of the new MAR is the requirement to perform an assessment of internal controls over financial reporting (if you’ve undergone a SOX audit before, this will be familiar territory). In the coming weeks, we’ll be spending more time exploring the new MAR because we believe there are several best practices from SOX compliance efforts that can provide a baseline for achieving MAR compliance.</p>
<p>We’re also partnering with <a href="http://corp-integrity.blogspot.com/">Michael Rasmussen</a>, a renowned GRC analyst at <a href="http://www.corp-integrity.com/">Corporate Integrity</a>, for a webinar, “<a href="https://www1.gotomeeting.com/register/443695689">Addressing the New Model Audit Rule 2010</a>” on October 22<sup>nd</sup>. During this webinar, Michael will review the identity-related controls associated with the 2010 MAR requirements, how these affect managing access to key financial applications and data, and how to be prepared for audits and executive reporting needs.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/10/modelauditrule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
