
FIFTH EDITION

Identity and Access Management Buyer’s Guide

A BUYER’S GUIDE

What’s Inside

The Identity Revolution Is Here 4
  Are you ready?

IAM for Tomorrow. Today 6
  Craft a long-term, sustainable identity strategy.

Start with the End in Mind 10
  Identify priorities and establish clear goals.

Gain Confidence with Quick Wins 17
  Choose a path with the strongest returns.

Ask the Right Questions 23
  Evaluate core requirements.

SailPoint Identity and Access Management 45
  A smarter way to manage identity.

The SailPoint Advantage 54
  Future-proof your IAM program with SailPoint.

Glossary 56

Resources 67

Get Started 71
  Don’t worry, be ready with SailPoint.

3 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION


The Identity Revolution Is Here.

Are You Ready?


Today’s business world is changing rapidly, and so are your IAM requirements. Maybe you’re moving more
applications into the cloud. Or you’re rethinking security and access control in light of “Bring Your Own” trends.
Or you’re simply trying to scale your programs to match the speed of business change.
A successful identity and access management strategy can position your organization to better handle whatever
the future brings. It can move you toward stronger security and more sustainable compliance, reduced risk, improved
service levels and lower operational costs. This guide is designed to help ensure a smooth, speedy journey along the
way. It covers everything from building a solid understanding of today’s business goals, to reviewing the available
choices, to planning for and selecting a solution. Designed as a workbook, with checklists and targeted, detailed
information, it’s a practical tool that you can use to build a request for proposal (RFP), evaluate vendors, and conduct a
side-by-side product analysis.
In the pages that follow, we show how identity and access management can be a powerful force for risk
management and business improvement on several levels. We present typical concerns and issues that identity and
access management can address. We share pathways to help you achieve quick wins when implementing solutions. And
we help you assess your functional priorities — with checklists that can help make sure you don’t overlook anything.
As we wrap up, we provide a quick introduction to SailPoint’s complete identity and access management solution.
We also provide a glossary of terms and a list of resources where you can find additional information. We hope you find
reading this guide a useful step on your journey to next-generation identity and access management. Give us a call
when you’re ready to move ahead!

Kevin Cunningham
President and Founder, SailPoint

IAM for Tomorrow. Today.

Craft a Long-term, Sustainable Identity Strategy

Rapid technological change is becoming a way of life for today’s identity and access management (IAM)
professionals. As cloud, mobile and other IT consumerization trends gain traction and velocity within the enterprise,
organizations must look beyond traditional IAM and put in place solutions designed for the future. What is required
is an IAM strategy that underpins and enables evolving business needs while at the same time meets security,
privacy and compliance requirements.
The changes impacting IAM are all around us. What was once a locked-down corporate network is now a globally
connected enterprise that extends well beyond the boundaries of the datacenter. There are more people connecting
to critical data and applications both inside and outside the enterprise. The proliferation of mobile devices enables
anytime/anywhere access. More and more employees work remotely, and business partners and customers expect
on-demand access to corporate applications and data.
In the face of overwhelming chaos and complexity, IT is still on the hook to manage and control access. In order to
secure and protect the new extended enterprise, you will need an IAM solution that centralizes policies and controls
and provides visibility to “who has access to what” across all resources — both in the cloud and on-premises.
As a result, leaders must work together to implement the right IAM solution to be able to answer the following
key questions:

• Am I adequately safeguarding information assets and sensitive data?
• Can I prevent and detect fraud, misuse, or unauthorized access?
• Can I confidently attest to the adequacy of internal controls?
• Can I cost-effectively meet and prove compliance with regulatory requirements?
• Are users provided the right access for their role in an efficient manner?

“IAM must be viewed as a business issue, as much as it is a technology issue. IT and business users need to work
together to define policy and controls, monitor the effectiveness of controls, and better manage organizational risk.
To this end, key identity business processes, including compliance, provisioning and SSO, must be seamlessly
integrated.”
Jackie Gilbert, CMO & co-founder, SailPoint


Gone are the days when IAM success was defined by automating internal user provisioning to a few birthright
applications and leaving everything else to the helpdesk, or providing single sign-on to web applications inside the
firewall. The answer to yesterday’s business needs is not the answer to today’s complex business challenges. In
today’s world, IAM solutions need to deliver access services efficiently and cost-effectively to internal and external
users. They must manage resources in the datacenter and in the cloud, while delivering identity services to almost any
device — desktops, tablets and smartphones, all while meeting compliance requirements around security and privacy.
Faced with these multi-faceted challenges, the right approach should be formulated with sustainability in mind.
Identity and access management must address the immediate, tactical needs facing the organization, but at the
same time it must be part of a strategy for long-term business improvement. Here are some key issues to consider
as you formulate your IAM strategy:

• Rapid adoption of cloud apps by the business is a reality. You can no longer assume that all critical applications
and data will reside inside the corporate network. A growing number of new applications will be deployed
“as a service” from the cloud, and you will need to provide access controls and governance over them in the same
manner as on-premises applications.
• Mobile access and “bring your own device” (BYOD) are trends that can’t be ignored. In many cases,
your organization will no longer own the endpoint device (e.g., personal phone or tablet). Access to corporate
assets in the cloud can now occur from a variety of devices, without ever touching the corporate IT infrastructure,
yet access must still be controlled and managed.
• As the complexity of the IT environment grows, you don’t have time to waste integrating disparate
tools. You need to manage IAM as a set of integrated business functions — not functions that operate in
silos. Deploying “cloud-only” solutions or buying governance, provisioning, or access management solutions as
separate products limits your visibility and control — and it increases the cost and complexity of IAM projects.
• Governance should be considered a fundamental component across all identity and access
management processes — not something auditors work on after the fact. By embedding policy and controls
throughout all identity processes, organizations can achieve ongoing, sustainable compliance and reduce the
need for after-the-fact remediation and expensive manual processes.
• IT can’t do it all. You need to involve the business units and business users in IAM processes where
appropriate. To empower the business and speed the delivery of services, you need simple, intuitive self-service
capabilities for signing on to applications, requesting access, and resetting passwords. You also need the
support of the business to identify sensitive resources, define access policy, and better manage risk.


A Smarter Way to Manage Identity

To keep pace with today’s modern IT environments, organizations must embrace a new approach to identity and
access management — balancing the needs of business enablement, security and cost containment. Traditional IAM
approaches treat governance, provisioning and access management as separate activities, making it costly, complex
and burdensome to enforce access controls, meet compliance requirements and carry on the day-to-day work of
meeting increasingly demanding service level requirements. A more innovative and effective approach is required
to streamline all of these efforts — one that allows compliance, provisioning and access management processes to
leverage a common governance framework for roles, policy and risk management — across all resources from the
datacenter to the cloud. This evolution involves four critical shifts, including:

• Bridging cloud and on-premises IT: Silos make sense for a wheat farm, but not for your server farm. To
effectively manage risk and gain insights to make your workforce more productive and secure, it is imperative
that you gain visibility and control of users’ access rights and activity that spans on-premises IT and cloud
services. What is required is true cross-domain IAM — that manages and controls access across datacenter and
cloud applications.
• Extending IAM to personal mobile devices: Today’s business users expect convenient access to cloud and
web applications from any device — at work, home or on-the-go. The right IAM solution can help you more
effectively apply security policy, detect violations and ensure regulatory compliance no matter how and where
applications are accessed. Look for IAM solutions that integrate out-of-the-box with mobile device management
(MDM) tools to extend enterprise management and control to corporate applications and data on mobile devices.
• Seamless integration of access and identity: Providing access management and single sign-on capabilities
from a unified identity and policy data store not only provides greater flexibility to respond to business changes,
but can greatly reduce the total cost of ownership. Your IT team can focus more on protecting the business and
providing innovative services, with no more redundant servers and middleware to maintain, nor duplicate data
and policy stores to synchronize.
• Delivering IAM for the business: The right IAM solutions facilitate collaboration between IT and business
teams through easy-to-use graphical user interfaces and intuitive dashboards. Today’s IAM tools need to be
simple enough for non-technical users to participate in business processes such as single sign-on, access
request, access certification, policy definition, and password management.

Start with the End in Mind.

Identify priorities and establish clear goals.

Identity and access management is a strategic imperative for organizations of all sizes. Companies ranging from
large, multi-national enterprises to smaller, fast-growing businesses must address requirements to protect and
govern access to critical applications, systems and databases whether in the cloud or on-premises. Identity and
access management plays a critical role in enabling organizations to inventory, analyze and understand the access
privileges granted to their employees — and to be ready to answer the critical question: “Who has access to what?”
At the same time, today’s enterprise demands faster and higher levels of service delivery across an increasingly
diverse and dynamic environment:

• There are growing populations of external users, such as partners, agents, and customers, that need access;
• New users come on board daily, requiring immediate access to enterprise resources;
• Users’ responsibilities change, or their relationships with the enterprise end, and access must quickly be modified
or revoked;
• Users want fast, convenient access to resources anytime, anywhere using smartphones and tablets; and
• Some applications and users represent a higher level of risk to the organization than others and require
more focus.

For IT staff, the challenge becomes how to meet service-level demands while identifying and managing high-risk
activities, enforcing policy and security, maintaining stringent controls and addressing compliance requirements.
Because there are many different business drivers for identity and access management, you may wonder how and
when to put the different components of a solution in place. The answer depends on your business priorities and the
immediate challenges facing your organization.
To get started, step back and assess your most urgent issues. Do you understand what you want your solution to
help you achieve? Here are some common business goals that can help you determine your own unique priorities:

• Speed delivery of access to business users;
• Increase business user productivity;
• Manage access across on-premises and cloud applications;
• Reduce the cost of managing access change;
• Eliminate audit deficiencies and improve audit performance;
• Lower the cost of compliance; and
• Salvage or replace an existing provisioning system.

So let’s look in more detail at the business drivers for identity management — the goals organizations most
frequently hope to achieve with their implementation.


Speed Delivery of Access to Business Users

“I can’t keep up with the incoming requests for managing user access across the organization. There’s got to be a better way!”

Given the fast-paced and dynamic environment of business today, IT organizations are challenged to keep up with
the demand for identity and access management services, and to do so in a compliant manner. Business users
cannot wait days or weeks for access to systems required to perform their job duties. Similarly, organizations cannot
tolerate huge gaps in deprovisioning access when a user changes positions or is terminated.
Changes to user access must be performed in near-real time, while remaining a controlled and auditable process
that is visible to the business. The current state of IAM in most organizations makes it almost impossible to provide
consistent and effective service levels to the business due to the following challenges:

• Heavy use of disparate manual access request and change processes;
• Lack of end-user participation and visibility into identity management processes;
• Ad hoc methods for dealing with external identities and their access rights;
• Growing number of cloud-based applications that are managed outside of IT; and
• Help desk staff that is over-burdened with access requests and password resets.

What organizations need is an easier, more cost-effective way to deliver access to the business. With the right
self-service tools, business users can manage their own access, from requesting new accounts or roles to recovering
forgotten passwords, using intuitive, business-friendly interfaces. In addition, today’s user provisioning solutions offer
easy-to-configure options for automating the entire access lifecycle of a user based on event triggers from
authoritative sources — to minimize the need for manual changes.
By providing an integrated approach that leverages business-friendly self-service access request tools and
automated lifecycle event triggers, identity and access management can streamline the delivery of user access
across your organization while continuously enforcing governance rules and compliance policies. It also empowers
business users to become active participants in the identity and access management process, enabling them
to manage their own access and passwords while providing them with full visibility into active requests, thereby
reducing the workload on help desk and IT operations teams.

Increase Business User Productivity

“Our business users have to remember so many passwords, they’re writing them on yellow sticky notes in plain view.”

Whether you’re using identity management for internal users (employees and contractors) or external users (partners,
agents, customers), you want to implement technologies that reduce the burden of accessing business services. Having
the right identity and access management strategy can reduce internal costs and improve productivity, but it can also
contribute to revenue growth and profitability, as more and more “users” are business partners, agents or customers.
As IT becomes more “consumerized,” all types of users expect quick, convenient access. And that access is
no longer limited to logging in from a corporate laptop or PC — today’s workers want access anytime, anywhere,
via any device. Every minute that a user has to spend retrieving a lost password or having the help desk reset a
password is an unproductive minute — and when you multiply the growing number of applications by the amount of
time wasted, the high price of inconvenience becomes pretty clear.


Here are some questions you should consider as you plan your strategy to ensure your IAM solution delivers
convenience and improves user adoption and productivity:

• Do you make it as simple as possible for new users to register and begin using your business services — even if
they have no prior relationship with your organization?
• Can users request new access from a self-service tool without having to call the help desk?
• Do you provide simple password reset capabilities for users who have forgotten their usernames or passwords?
• Do you offer users a streamlined and personalized single sign-on experience for all the applications, regardless of
where they are hosted or how employees access them — via a desktop, laptop or mobile device?
• Do you use risk-based authentication to ensure that low-risk transactions are as easy as possible, but high-risk
transactions require more assurance?

Manage Access across On-premises and Cloud Applications

“We’ve lost visibility and control over applications in the cloud. We’re not even sure about what’s out there.”

As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT
environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity
of this environment, business units are gaining more autonomy to buy and deploy applications — which can often
house sensitive, corporate data — without consulting or involving the IT organization.
Signs that your organization is struggling to manage new cloud applications include:

• IT is not fully aware of the mission-critical cloud applications in production across various departments and
business units;
• Business units are performing their own user administration via spreadsheets and manual updates;
• Business units are requesting that IT integrate cloud applications with directories for periodic synchronization;
• Business units are purchasing their own identity and access management solutions — without consulting IT or
considering what IAM infrastructure is already in place; and
• IT audit processes, such as access certifications, have not been extended to cover cloud applications.

A proper identity and access management solution should help enterprises embrace the cloud while at the same
time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full
regulatory compliance. A successful IAM solution will allow you to automate compliance and provisioning processes
for cloud applications in the same manner as on-premises applications. At the same time, it should provide end
users with convenient access to cloud applications and empower them with single sign-on from any device — at
work, home or on the go with mobile devices.


Reduce the Cost of Managing Access Change

“Requesting new access or even changing a user’s existing access is a daunting task in our company. To add access to a single system can take an extraordinary effort to accomplish.”

Managing the complex relationships between thousands of users and millions of access privileges continues to
be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and
implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations, the processes
and tools used to request or change user access are highly manual, the result is an inefficient and costly execution
of access requests and changes.
Does your organization wrestle with the following problems when fulfilling access changes across enterprise
IT systems?

• Multiple front-end processes are used by the business to request new or change existing access privileges;
• Heavy reliance on help desk or IT admins to assess and implement access changes;
• Manual processes are required to facilitate changes to user access; and
• Different provisioning/deprovisioning processes are used for different applications.

If these situations sound familiar, it’s time to take a different approach. You need to centralize the delivery of access
across disparate IT resources spanning both the datacenter and the cloud and reduce the costs associated with
managing the initiation and fulfillment of access requests and changes. The right identity management solution
automates identity lifecycle events, such as onboarding new hires and managing job transfers, by directly assigning
or changing roles and entitlements to match a user’s current job function. It can also automate removal of access
privileges upon termination.
By automating these events, organizations can reduce the number of self-service requests initiated by business
users, the number of approvals required to grant access, and the number of calls to the help desk. In addition, a
centralized solution can orchestrate the automation of changes to access rights for all applications regardless of
how “last mile” provisioning changes are performed — via the help desk, a manual process, or an automated
provisioning solution.

Eliminate Audit Deficiencies and Improve Audit Performance

“We failed an audit. I need a tool that can help us get back into compliance — quickly!”

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective
controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the
form of control deficiencies or material weaknesses.
Here are some of the most common identity risks auditors are looking for:

• Orphan accounts: Access that remains active for employees or contractors after termination due to failure to
remove privileges;
• Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles
resulting in employees with access beyond their job requirements;
• Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions
or the ability to perform conflicting duties;


• Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users
are managed using manual processes and are very difficult to audit; and
• Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make
business decisions about what access is required to perform a specific job function.
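Two of the risks listed above, entitlement creep and separation-of-duty violations, become mechanical checks once user entitlements and a role model are available in one place. The Python script below is an added example written for this guide, not SailPoint code: its role model, its SoD policy (pairs of entitlements that no single person should hold together) and its user inventory are constructed sample data, and the function names are assumptions of the example. It reports each user's SoD violations and the entitlements that the user's current job function does not justify, which is the signal for access accumulated across a transfer.

```python
"""Evaluate SoD policy and out-of-role access over a small entitlement inventory.

Added example (not SailPoint code): the role model, the SoD policy and the
user inventory below are constructed for illustration.
"""

# Constructed role model: the entitlements a job function is expected to hold.
ROLE_MODEL = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
    "engineer": {"git:push", "ci:deploy_staging"},
}

# Constructed SoD policy: pairs of entitlements one person must not hold together.
SOD_POLICY = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
    ("ci:deploy_prod", "ci:approve_release"),
]

# Constructed inventory: each user's job function and the access they actually hold.
USERS = {
    "ana": {"role": "ap_clerk",
            "entitlements": {"erp:create_vendor", "erp:enter_invoice"}},
    # Transferred from AP clerk to AP manager but kept the old access (entitlement creep).
    "ben": {"role": "ap_manager",
            "entitlements": {"erp:create_vendor", "erp:approve_payment", "erp:view_reports"}},
    # Holds both sides of a release-control SoD pair.
    "cara": {"role": "engineer",
             "entitlements": {"git:push", "ci:deploy_staging", "ci:deploy_prod", "ci:approve_release"}},
}


def sod_violations(entitlements, policy):
    """Return the policy pairs that are fully contained in the entitlement set."""
    return [pair for pair in policy if set(pair) <= entitlements]


def out_of_role(entitlements, role, role_model):
    """Return entitlements the user's role does not justify (candidate creep)."""
    return sorted(entitlements - role_model.get(role, set()))


def review_user(name, users=USERS, policy=SOD_POLICY, role_model=ROLE_MODEL):
    """Produce the findings a certifier would need to see for one user."""
    user = users[name]
    return {
        "sod": sod_violations(user["entitlements"], policy),
        "out_of_role": out_of_role(user["entitlements"], user["role"], role_model),
    }


def review_all(users=USERS):
    """Run the review over the whole inventory, keyed by user name."""
    return {name: review_user(name, users) for name in users}


if __name__ == "__main__":
    for name, finding in review_all().items():
        print(name, finding)
```

In a real certification campaign the role model and policy would be loaded from the identity warehouse and the findings routed to the business owner for approval or revocation; the logic that decides what to flag is the same as shown here.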

If you’ve failed an audit due to weakness around any of these identity risks, we have good news. The right identity
and access management solution will improve your visibility into risky or noncompliant areas and automate your
processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively
analyze risk, make more informed decisions and implement the appropriate controls in an automated and more
sustainable fashion.
Further, aligning user access with job functions through an enterprise role model can strengthen user access
controls by providing valuable business context around how specific sets of access map to the underlying business
function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit.
More chances of seeing audit performance improve over time.

Lower the Cost of Compliance

“Compliance is time-consuming and expensive. I need to get my costs under control.”

Compliance can be complex and difficult — and as a result, costly. Meeting industry and regulatory mandates
requires organizations to regularly review and certify user access privileges. This leaves many companies constantly
battling with error-prone and inefficient processes such as manually generating access reports and manually
remediating inappropriate user access privileges.
Signs that show you need to cut compliance costs include:

• Building or leveraging multiple, homegrown solutions to handle audit and compliance needs;
• Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD
policy enforcement;
• Using inefficient tools like spreadsheets and email to drive manual compliance processes; and
• Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too
much time and effort is spent on low-risk users.

To gain better control of your identity and access data, including centrally defining policy and risk and automating
your access certification process, you need to replace expensive paper-based and manual processes with automated
tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable
practices for a more consistent, auditable, reliable and easier-to-manage access certification effort.
If you struggle to effectively implement compliance processes and integrate them into your systems and
infrastructure, a governance-based identity and access management solution is the launching pad you need to improve
your effectiveness and reduce the costs of sustainable compliance.


Salvage or Replace an Existing Provisioning System

“Help! The provisioning solution we’ve deployed is not meeting our expectations with regard to compliance and is not sustainable for our future needs.”

Many organizations have a legacy user provisioning solution that no longer meets their needs, doesn’t do what the
vendor promised it would, or more importantly, in the case of several products, including Sun Identity Manager and
BMC Identity Manager, will no longer be supported in the future.
Do you find yourself facing any of the following issues with your existing provisioning solution?

• Your project is behind schedule and over budget;
• You lack the necessary coverage for applications;
• Your provisioning product is being “retired” and must be replaced; or
• You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, SoD violations,
and more.

Now is the time to address those issues and migrate away from your legacy provisioning platform. Invest in
a technology that will address your current provisioning challenges, improve your overall identity and access
management strategy, and integrate with what you have in place today. Look for a solution that will provide your
organization a smooth transition and allow you to take a non-disruptive, stepwise approach while making the most of
your existing investment as you transition to a next-generation solution.
The new solution must also be able to balance core user provisioning requirements — add, change, delete user
accounts and password management — with user-friendly interfaces and processes that empower business users
to request and manage access on their terms.
Finally, and most importantly, it must offer an integrated approach to IAM. Governance and compliance should be
handled as an integrated activity within your identity infrastructure, not as a separate process.

Taking Stock

Once you’ve evaluated your business drivers for identity and access management, you’ll be in a better position to
prioritize your investments. If you’re like most organizations, you have more than one motivating factor, so the key is
identifying your one or two most important business imperatives. Moving ahead without prioritizing may cause you to
spend precious resources in the wrong places, inhibiting your ability to meet your most critical needs in a timely manner.
The good news is that investing in the right solution will enable you to realize some “quick wins,” while at the same
time strengthening your organization for the long-term. Depending on your business priorities, these immediate results
could save you money and reduce the compliance burden on IT; improve your audit performance; improve the efficiency
of identity business processes like access request and delivery; address shortcomings with your existing provisioning
system; streamline secure access management to cloud and Web applications; and extend IAM to your cloud applications.
Whatever path you choose to embark on first, you should avoid taking on every business problem on day one.
Best results are achieved by taking a stepwise approach where your project is focused on the business units,
departments, or applications that align with your business goals — whether they are corporate agility, operational
efficiency, service-level improvement, or regulatory compliance.

Gain Confidence with Quick Wins.

Choose a Path with the Strongest Returns

Now that you’ve identified your goals, you’ll want to consider the steps you need to take to achieve them. You have
several pathways to choose from, and you can prioritize them based on the unique business requirements and goals
of your organization. In this section, we outline how to maximize your success in the shortest amount of time to
achieve quick wins while laying a strong foundation for a sustainable identity and access management program.

Find Your Starting Point

For some organizations, the driving force behind an identity and access management project may be based upon any
number of challenges such as compliance, security, operational efficiency and business enablement. For example,
there might be an urgent demand to close audit gaps after a failed audit or a non-compliance penalty. For others,
there may be a requirement to eliminate the inordinate costs and inefficiencies found in current provisioning and
access management processes. Maybe the help desk is overwhelmed with trouble tickets and, as a result, service
levels are not where they should be. Or, perhaps the end user community is demanding more autonomy and wanting
IT to make their lives easier.
Once you’ve agreed upon your top priorities and goals, you will have a better understanding of what you must
achieve first. By focusing on a few “quick win” opportunities, you can help accelerate and build momentum for future
phases of your projects.
An incremental approach to project implementation helps you focus, ensuring you tackle high priority applications
and user populations that are most affected by your stated objectives. By demonstrating small, quick wins up front,
you will build confidence in the solution, help ensure ongoing adoption, and make it easier to secure funding for
additional projects.

Starting Point: Compliance

If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want
to focus on compliance automation as a first step. Here’s how to get started:

Step 1: Gain centralized visibility


The starting point for any compliance project should be to understand the current state of user access within the
organization by centralizing your identity data across your high-risk datacenter and cloud applications. This stage
involves creating a single repository for user and access information by aggregating data from your authoritative
source (or sources) and target resources.
Adding user account data to the identity warehouse can be performed by leveraging several different options for
connecting to resources: flat file data load, direct connectors, or integration with an existing provisioning solution.
Once you have selected the right method to aggregate your data and the data is centralized, you can move on to step
two — the correlation process — which will help you resolve the inconsistencies between the various sources of
identity data.


Step 2: Identify and close all orphan accounts


Finding and eliminating orphan accounts is one of the most effective risk mitigation steps you can take in your
compliance project. As part of building an identity warehouse, you can quickly correlate each application account
against your authoritative identity source to identify accounts that do not correlate to users in authoritative sources
(e.g., orphan accounts and system/service accounts). Once you’ve identified these high-risk accounts, you can
launch remediation actions for all unowned accounts — remove, mark as service, or, where possible, correlate to
known identities.
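The correlation step described above, as an added Python example that is not part of this guide or of any SailPoint product: the identity records, account attributes, service-account naming prefixes and correlation order (employee ID first, then e-mail) are constructed assumptions for illustration. It goes one step beyond the text by also flagging accounts whose owner the authoritative source lists as terminated, since those carry the same risk as true orphans.

```python
"""Correlate application accounts against an authoritative identity source.

Added example, not SailPoint code. All records below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """One record from the authoritative source (e.g., the HR feed)."""
    employee_id: str
    email: str
    status: str          # "active" or "terminated"


@dataclass
class Account:
    """One account aggregated from a target application."""
    app: str
    username: str
    attrs: dict = field(default_factory=dict)


# Assumed naming convention for service accounts; adjust to your environment.
SERVICE_PREFIXES = ("svc_", "sa_")

# Constructed sample data: three HR identities, five application accounts.
IDENTITIES = [
    Identity("E100", "alice@example.com", "active"),
    Identity("E101", "bob@example.com", "active"),
    Identity("E102", "carol@example.com", "terminated"),
]
ACCOUNTS = [
    Account("SAP", "alice.s", {"employeeId": "E100"}),
    Account("SAP", "svc_batch"),                               # no owner, looks like a service account
    Account("CRM", "bob", {"mail": "Bob@Example.com"}),        # correlates only via e-mail
    Account("CRM", "carol", {"mail": "carol@example.com"}),    # owner has left the company
    Account("CRM", "jsmith", {"mail": "jsmith@example.com"}),  # nobody in HR matches
]


def find_owner(acct, by_id, by_email):
    """Correlation rules in order of confidence: employee ID, then e-mail."""
    emp = acct.attrs.get("employeeId")
    if emp in by_id:
        return by_id[emp]
    mail = acct.attrs.get("mail", "").strip().lower()
    return by_email.get(mail)


def correlate(identities, accounts):
    """Bucket every account as correlated, terminated-owner, service, or orphan."""
    by_id = {i.employee_id: i for i in identities}
    by_email = {i.email.lower(): i for i in identities}
    result = {"correlated": [], "terminated": [], "service": [], "orphan": []}
    for acct in accounts:
        key = f"{acct.app}:{acct.username}"
        owner = find_owner(acct, by_id, by_email)
        if owner is None:
            is_service = acct.username.lower().startswith(SERVICE_PREFIXES)
            result["service" if is_service else "orphan"].append(key)
        elif owner.status != "active":
            result["terminated"].append((key, owner.employee_id))
        else:
            result["correlated"].append((key, owner.employee_id))
    return result


def remediation_plan(result):
    """Map each uncorrelated or risky bucket to the action the text describes."""
    plan = [(k, "disable; assign an owner or remove") for k in result["orphan"]]
    plan += [(k, "mark as service account; assign a custodian") for k in result["service"]]
    plan += [(k, "revoke: owner is terminated") for k, _ in result["terminated"]]
    return plan


if __name__ == "__main__":
    summary = correlate(IDENTITIES, ACCOUNTS)
    for bucket, items in summary.items():
        print(f"{bucket}: {items}")
    for key, action in remediation_plan(summary):
        print(f"{key} -> {action}")
```

The order of the rules matters: an exact identifier match should win over a fuzzy one, and anything that falls through every rule is an orphan until a human says otherwise.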

Step 3: Automate access certifications


Another quick win on the compliance front is to automate the access review process for your critical applications
and systems. Once you’ve aggregated and correlated your identity data, you can quickly generate a “data cleanup”
certification on the centralized identity data by launching a manager or application owner certification for your
high-risk applications. Certification reports will clearly highlight detected roles, policy violations, user risk scores and
any changes from the previous certification (new users, new roles, or new entitlements). This information enables
your reviewers to quickly focus on areas of potential risk and make better decisions.
Your data/application owners and people managers should review the access privileges for all users. These initial
certifications should be used to establish a reliable baseline of data. It’s not unusual for organizations performing a
baseline certification to find up to 40% of user access privileges are inaccurate or inappropriate and should be revoked.
After revocations are performed, this cleansed data will be utilized by other identity management functions,
including ongoing access certifications, policy enforcement, role management, user provisioning, access
management, and risk analytics.

Starting Point: Provisioning

If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or
making changes to existing access privileges for employees, contractors, and partners, then it may make sense to
focus on user provisioning as your starting point:

Step 1: Enable self-service access request


One of the best ways to get started with provisioning is to focus on the business users first. Empowering business
users to find and request access without assistance from the help desk or IT admins can save headaches and money
at the same time. A centralized access request management process allows managers and end users to conveniently
request new access or make changes to existing access privileges within the constraints of your pre-defined identity
governance models (including policy and roles).
As part of deploying a self-service access request process, you can select from manual or automated access
fulfillment processes to implement the resulting changes in connected resources. Oftentimes the fastest way to get
started is to leverage manual work items and help desk tickets, but this step can be combined with the step below
for maximum results.

Step 2: Automate access fulfillment


Another quick win for a provisioning deployment is to automate the fulfillment of access requests down to the
target resources. You can maximize the cost savings generated by selecting a few high-churn applications where


user accounts are created, updated or deleted on a regular basis. Once you’ve selected the applications, you can
determine the best option to complete the full integration cycle — deploying a new provisioning connector, or
leveraging an existing provisioning solution that is already in place.

Step 3: Streamline password management


Password management provides a quick path to the success of your IAM project by allowing end users to reset
forgotten passwords and bypassing the help desk. Using the same business-friendly user interface with configurable
challenge/response questions, users and/or their approved delegates can change or reset passwords across target
systems. Allowing end users to proactively manage password changes can significantly reduce help desk calls. Most
importantly, centralized password management will enable you to consistently enforce strong password policies,
customized for each application.

Starting Point: Access Management

If an ever-growing number of cloud, Web, and mobile applications is putting your organization at risk — based on the
proliferation of passwords across personal and business applications or lack of governance over cloud applications —
you may want to focus on cloud and web access management up front.

Step 1: Enable single sign-on for SaaS apps


If your organization is increasing its usage of SaaS applications, users are probably struggling to remember all of
the usernames and passwords across applications. By putting in place an SSO solution for SaaS applications, you
can achieve a very quick win. And by choosing a solution that includes pre-built application SSO profiles, you can
speed the initial deployment and allow business users to gain immediate productivity benefits. The right access
management solution will enable your end users to sign on to all of their SaaS applications with one click, with no
passwords to remember, and will work across all the devices that today’s workers use to access applications, from
PCs or laptops to tablets and smartphones. From an ROI perspective, you should see measurable cost savings from
fewer help desk calls and less employee productivity lost to locked accounts or forgotten passwords.

Step 2: Expand SSO to internal Web applications


If you’re like most organizations, your users access a combination of SaaS and internal Web applications to do their
daily jobs. If so, then it makes sense to choose an SSO solution that supports both cloud and on-premises Web
applications, giving your users one convenient access point for applications. This means choosing a solution with
pre-built application profiles for federated SSO to major SaaS applications (e.g., using the SAML 2.0 standard); secure
password replay to other third-party cloud apps (prefer federation wherever the application supports it, since replay
means the SSO service still stores a usable credential for that application); and a reverse proxy for your internal web
applications. (The reverse-proxy approach is recommended because it avoids the need to install and maintain agents
on each and every application server. A reverse proxy only enforces SSO if it is the sole path to the application, so
restrict each protected application to accept connections, and any proxy-asserted identity headers, from the proxy
alone; otherwise the SSO layer can be bypassed by connecting to the application directly.) You should also plan to
implement the reverse proxy as a virtual appliance that is firewall friendly, self-monitoring, and self-updating, which
means you can quickly integrate it in your environment without burdening your networking or IT operations teams.
Expanding your SSO deployment to include internal Web applications can further lower help desk costs and make SSO
an even more valuable contributor to worker productivity.


Step 3: Implement risk-based controls


As you implement your SSO solution across SaaS and internal Web applications, it’s important to balance the need
for convenience with the right levels of security and access control. The right approach is to selectively apply controls
based on criticality and risk. Risk can be determined based on the systems that are being accessed, the user’s
attributes, the device being used to access the systems, and more. By deploying a solution that gives your organization
insight into the factors that determine risk, you can apply more stringent controls as needed. These controls can
include usage monitoring, auditable per-application ‘terms of use’ agreements, and strong authentication methods
with policy-based triggers to step up to higher levels of identity assurance. You’ll want to be highly selective with
how you apply policies and controls. For applications and transactions that are not mission-critical, you should make
access as seamless and easy as possible, as less stringent controls are needed.

“SailPoint supplied an automated, centralized solution that reduced the complexity of conducting manual access
certifications across critical enterprise applications and a flexible role management approach that aligned access
privileges with business function for improved security.”
Graeme Payne, VP of IT Risk & Compliance at Equifax


Modern Identity and Access Management Components

Now that you’ve identified your goals and considered the steps you need to take to achieve them, you will want to
find the right combination of identity and access management capabilities to help you get there. The diagram below
illustrates the key components of today’s IAM solutions. And, the section that follows provides all of the key
requirements to evaluate these capabilities from vendors once you begin your selection process.

The new, modern identity and access management solution can serve multiple business demands and priorities using
a more integrated, effective approach.

[Diagram: a Governance Platform at the center, surrounded by three groups of capabilities. Compliance: Policy
Management, Access Certifications, Audit Reporting & Analytics. Provisioning: Access Request, Lifecycle Events,
Password Management. Access Management: Single Sign-On, Strong Authentication, Usage Monitoring. Beneath them,
the managed resources: SaaS Applications, Mainframes, Databases, Web Applications, HR Applications, Directories,
File Shares, ERP Applications, Cloud Applications.]


Ask the Right Questions

Evaluating Core Requirements


Once you have a good handle on your identity and access management needs, it’s time to move ahead to evaluating
solutions. You’ll want to look at the individual capabilities of various identity and access management solutions in
order to determine if they can provide the functionality you need to accomplish your goals and whether they can
deliver the business and technical benefits of true governance that your organization requires.
The following pages provide a framework for evaluating products. Each section includes a set of qualifying
questions which can be used to evaluate products across a set of criteria required for completing a successful
project. Because identity and access management solutions should be flexible enough to allow you to start at the
stage that is appropriate for your organization — based on your business and IT goals and your existing identity
infrastructure — all sections may not be relevant to your needs. Feel free to apply the questions to your product
evaluation that are most appropriate to your organization at this time.
Finally, remember that checking vendor references is one of the most important steps in finding the right solution for
your organization. When you have the chance to speak with someone else in the industry who has been down a similar
path, be prepared with a list of questions. At the end of this section on pages 43-44, you’ll find a list of 25 questions
intended for you to use during these reference calls.

“With SailPoint, we’re able to deliver sustainable business benefits, which are good for the business, not just the IT.
That savings in time and therefore money brought about by adopting IdentityIQ was one of the key attractions that
moved us towards SailPoint.”
Ralf Kappler, UBS Head of BBS service delivery


Building the Business Case for IAM

Providing a compelling business case for acquiring and deploying an identity and access management solution is a
critical step in any project. Ask the following questions to understand how the solution under consideration can help
you to solve your current business problems related to governance and delivery of user access within the enterprise.
Be sure to ask for example case studies and conduct reference calls for confirmation. See pages 43-44 for a list of
reference call questions.

BUSINESS CASE REQUIREMENTS (answer columns: SAILPOINT / OTHERS)

- Can the solution quickly deliver a return on investment across compliance, provisioning and access management? [SailPoint: Yes | Others: ____]
- Can the vendor provide real-world examples of cost savings from automating end-user access request and provisioning processes? [SailPoint: Yes | Others: ____]
- Can the vendor provide real-world customer case study examples demonstrating how the solution has reduced the cost of compliance? [SailPoint: Yes | Others: ____]
- Does the solution address common preventive and detective identity controls required by regulatory mandates such as Sarbanes-Oxley, HIPAA and Basel II? [SailPoint: Yes | Others: ____]
- Does the solution help to proactively enforce pre-established business policies for how access should be granted within the enterprise throughout access request and provisioning processes? [SailPoint: Yes | Others: ____]
- Does the solution reduce the complexity of creating an enterprise governance model across roles, policies and risk? [SailPoint: Yes | Others: ____]
- Can the vendor provide specifics on how customers using the solution have leveraged identity risk metrics to improve the effectiveness of preventive and detective identity controls within their organization? [SailPoint: Yes | Others: ____]
- Does the product provide a consistent user experience across IAM processes? [SailPoint: Yes | Others: ____]
- Does the product provide a consistent user experience across both PC and mobile devices? [SailPoint: Yes | Others: ____]
- Can the solution be used to manage internal and external user populations (e.g., business partners, consumers or citizens)? [SailPoint: Yes | Others: ____]
- Is the solution architected in a way that allows you to start quickly and expand based on future needs without requiring major rework or purchase of additional solutions? [SailPoint: Yes | Others: ____]
- Is the solution architected as a single, unified application that does not require the customer or system integrator to custom code integration between products during deployment? [SailPoint: Yes | Others: ____]
- How quickly can the solution be deployed, and does it offer a smooth upgrade process between versions? [SailPoint: Yes | Others: ____]
- Can the solution scale to support thousands of concurrent users without performance degradation? [SailPoint: Yes | Others: ____]


Strengthening Compliance and Governance Controls

A successful identity and access management solution is business-friendly, reduces the costs and time involved in
managing identity compliance, and strengthens controls and improves audit performance, all at the same time. The
key components of an identity and access management solution include automated access certifications, policy
enforcement, role management, and risk modeling and analytics.

Access Certification
Automated access reviews are an effective detective identity control for regularly validating user access within the
enterprise. These questions are designed to ensure that the solution you select is best suited to improve the efficiency
and accuracy of your certification process — and to help you meet goals for corporate accountability and compliance.

ACCESS CERTIFICATION REQUIREMENTS (answer columns: SAILPOINT / OTHERS)

- Does the access certification feature support both technical and business user needs within the tool? [SailPoint: Yes | Others: ____]
- Does the solution support managing different certification use cases by different user types out-of-the-box (e.g., manager certifications, application owner certifications, data owners)? [SailPoint: Yes | Others: ____]
- When certifiers review a user’s access privileges, can they approve, revoke or allow exceptions? [SailPoint: Yes | Others: ____]
- Can the solution create certifications for individual entitlements, such as group memberships, and assign them to the appropriate data owners? [SailPoint: Yes | Others: ____]
- When access is revoked, can the solution automatically de-provision access? Can the user’s SSO access automatically be removed at the same time? [SailPoint: Yes | Others: ____]
- Can the software display user-friendly entitlement descriptions during a certification to provide users with a business-oriented translation of complex IT information? [SailPoint: Yes | Others: ____]
- Does the solution automatically route access review reports to the appropriate certifiers? [SailPoint: Yes | Others: ____]
- Does the reviewer have the ability to bulk certify/approve a particular entitlement for all users in a certification? [SailPoint: Yes | Others: ____]
- Does the solution provide visibility to certification activities (e.g., completion status) on a user’s dashboard? [SailPoint: Yes | Others: ____]
- Can user access certifications be set up to auto-generate on a periodic cycle? [SailPoint: Yes | Others: ____]
- Can the solution automatically trigger a certification based on detected changes to a user’s access (e.g., user changes departments, job roles)? [SailPoint: Yes | Others: ____]
- Does the solution provide an interface for defining and managing certification events? [SailPoint: Yes | Others: ____]
- Does the solution support a certification “sandbox” where certification settings can be tested before rolling out a certification campaign to the organization? [SailPoint: Yes | Others: ____]
- Can certification settings be edited “in-flight” (e.g., modify due dates or notification schedules)? [SailPoint: Yes | Others: ____]
- Does the application enable a continuous certification environment where users and their associated access privileges are regularly monitored for changes and any change precipitates a review on a real-time basis? [SailPoint: Yes | Others: ____]
- Does the application highlight privileged user accounts and other high-risk accounts (e.g., service accounts) during the certification process? [SailPoint: Yes | Others: ____]
- Does the solution support review and resolution of policy violations directly within a certification? [SailPoint: Yes | Others: ____]
- Can the solution support certification of multi-tiered applications by allowing business users to sign off only at the high-level business application account level? [SailPoint: Yes | Others: ____]
- Is certification decision history provided in active certifications to help reviewers determine the appropriateness of access? [SailPoint: Yes | Others: ____]
- Do the user certification screens highlight/identify changes in user entitlements and/or business roles since the last certification, or new users not previously certified? [SailPoint: Yes | Others: ____]
- Does the solution provide user activity data on specific applications/transactions during certifications, enabling reviewers to evaluate access based on usage? [SailPoint: Yes | Others: ____]
- Can automatic notifications be generated and sent out to certifiers when a new certification is created? [SailPoint: Yes | Others: ____]
- Can the solution escalate an overdue certification to a user’s manager or other delegate? [SailPoint: Yes | Others: ____]
- Does the access certification process support a challenge period to allow end users to contest a pending remediation decision before it is implemented in the environment? [SailPoint: Yes | Others: ____]
- Can risk be used to define a population of end users for certification (e.g., only certify high-risk users)? [SailPoint: Yes | Others: ____]
- Does the solution support delegation of users to another certifier? Can individual line items be delegated to another certifier for completion? [SailPoint: Yes | Others: ____]
- Does the solution track the full history of each certification item, including delegation, forwarding, challenge, and review decisions for all entitlements and roles? [SailPoint: Yes | Others: ____]
- Does the solution provide an option to support bulk remediation for all former employees’ access privileges prior to beginning an access certification, thereby reducing the workload of reviewers? [SailPoint: Yes | Others: ____]
- Does the solution support the definition and assessment of remediation periods, allowing the tracking of the remediation activity within the target system? [SailPoint: Yes | Others: ____]
- Can the solution support electronic signatures for certification sign-off? [SailPoint: Yes | Others: ____]
- Does the solution provide administrative dashboards and reports to track aggregated certification metrics across the enterprise and certification campaigns? [SailPoint: Yes | Others: ____]
- Does the solution provide the ability to manage certifications from mobile devices? [SailPoint: Yes | Others: ____]


Policy Management

With constant changes in user access across multiple, heterogeneous enterprise and cloud applications, businesses
often struggle to validate access against established access policies, including segregation-of-duty (SoD) rules,
leaving the organization exposed to risk. The following questions can help you identify a solution that can enable you
to simplify policy definition and automate policy scanning, detection and remediation activities.

POLICY MANAGEMENT REQUIREMENTS (answer columns: SAILPOINT / OTHERS)

- Does the solution support the ability to define and enforce access policy, including SoD policies between individual roles, between individual entitlements, and between roles and entitlements? [SailPoint: Yes | Others: ____]
- Can SoD policy support multiple-sided exclusions? For example, “A, B, or C conflicts with any of D, E, or F.” [SailPoint: Yes | Others: ____]
- Does the solution support policies around activity-based data (e.g., DLP events or after-hours access)? [SailPoint: Yes | Others: ____]
- Can risk-based policies be created in the application to support notification/alerting when user risk profiles change? [SailPoint: Yes | Others: ____]
- Does the application support the definition of account or identity attribute access policies? [SailPoint: Yes | Others: ____]
- Does the system provide a business-friendly user interface for defining and editing access policies without the need for coding? [SailPoint: Yes | Others: ____]
- Does the solution provide a single policy repository that is leveraged by all identity processes, including both detective and preventive access controls? [SailPoint: Yes | Others: ____]
- Can the application support the ability to define policy violations within and across applications/resources, including both datacenter and cloud applications? [SailPoint: Yes | Others: ____]
- Does the application automatically scan and detect policy violations? [SailPoint: Yes | Others: ____]
- When policy violations are detected, does the application automatically notify responsible parties? [SailPoint: Yes | Others: ____]
- Are policy violations escalated if not addressed in a defined period of time? [SailPoint: Yes | Others: ____]
- Does the application support execution of a business process or workflow when policy violations are detected, allowing varying responses based on criteria such as the calculated risk of the violation? [SailPoint: Yes | Others: ____]
- Does the solution provide a business-friendly user interface for managing policy violations by both business managers and compliance administrators? [SailPoint: Yes | Others: ____]
- Are policy violations clearly highlighted during access reviews to allow for rapid remediation? [SailPoint: Yes | Others: ____]
- When addressing policy violations, is flexibility provided to allow different actions based on the type and circumstances of the violation? [SailPoint: Yes | Others: ____]
- Can revocation recommendations be stored in conjunction with each policy rule and exposed to the user when viewing policy violations? [SailPoint: Yes | Others: ____]
- Can policy owners specify a unique risk score for each policy rule in the system? [SailPoint: Yes | Others: ____]
- Can the risk score of a policy be used to control notifications and corrective actions when a violation is detected? [SailPoint: Yes | Others: ____]
- Does the solution provide out-of-the-box reports to track policy violation activities? [SailPoint: Yes | Others: ____]
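An added Python example, not from this guide or any SailPoint product, of the two-sided SoD rule shape asked about above (“A, B, or C conflicts with any of D, E, or F”), with a per-policy risk score and a preventive check that reports only the violations a pending request would introduce. The role definitions, entitlement names and policies are constructed assumptions; policies may name roles, entitlements or a mix, so roles are expanded to their entitlements before matching.

```python
"""Two-sided segregation-of-duties (SoD) policies: detective scan and preventive check.

Added example, not SailPoint code. Roles, entitlements and policies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: frozenset      # any of these ...
    right: frozenset     # ... conflicts with any of these
    risk: int            # policy-specific risk score set by the policy owner


# Assumed role model: a role grants a set of application entitlements.
ROLES = {
    "AP_Clerk": {"SAP:CreateVendor", "SAP:EnterInvoice"},
    "AP_Manager": {"SAP:ApprovePayment"},
    "Treasury": {"BANK:ReleasePayment"},
}

# Either side may list roles, entitlements, or both.
POLICIES = [
    SodPolicy("Vendor/invoice entry vs. payment approval or release",
              frozenset({"SAP:CreateVendor", "SAP:EnterInvoice"}),
              frozenset({"SAP:ApprovePayment", "BANK:ReleasePayment"}), risk=9),
    SodPolicy("AP clerk role vs. AP manager role",
              frozenset({"AP_Clerk"}), frozenset({"AP_Manager"}), risk=7),
]


def effective_access(roles, entitlements):
    """Everything the user holds: role names, direct entitlements, and role-granted ones."""
    held = set(roles) | set(entitlements)
    for role in roles:
        held |= ROLES.get(role, set())
    return held


def violations(roles, entitlements, policies=POLICIES):
    """Detective scan: a policy fires when the user holds items on BOTH sides."""
    held = effective_access(roles, entitlements)
    found = []
    for p in policies:
        left_hits, right_hits = held & p.left, held & p.right
        if left_hits and right_hits:
            found.append((p.name, p.risk, sorted(left_hits), sorted(right_hits)))
    return found


def preventive_check(roles, entitlements, req_roles=(), req_ents=(), policies=POLICIES):
    """Violations a pending request would introduce; pre-existing ones are not repeated."""
    existing = {v[0] for v in violations(roles, entitlements, policies)}
    after = violations(list(roles) + list(req_roles),
                       list(entitlements) + list(req_ents), policies)
    return [v for v in after if v[0] not in existing]


def highest_risk(found):
    """Drives routing: e.g., a score of 8 or more might require a second approver."""
    return max((v[1] for v in found), default=0)


if __name__ == "__main__":
    # A clerk asks for the manager role: both policies would fire.
    for name, risk, left, right in preventive_check(["AP_Clerk"], [], req_roles=["AP_Manager"]):
        print(f"[risk {risk}] {name}: {left} vs {right}")
```

Returning the matched items on each side, not just the policy name, is what lets a reviewer act on the violation; the highest risk score across the new violations is the natural input to the workflow routing asked about in the questions above.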


Streamlining User Provisioning

Traditional approaches to user provisioning have failed to evolve with today’s enterprise identity management
needs. While originally designed to automate IT operational processes, provisioning tools are now being called on to
interface directly with business users and orchestrate complex business processes. This section focuses on finding
a solution which can work for both the business and IT — one that empowers the business to self-manage while
automating common back-end identity management processes.

Self-Service Access Request


An identity management solution should offer a convenient and easy way for users to request new access or make
changes to existing access privileges within the constraints of the pre-defined identity policy and role model. And it
should allow you to gain greater transparency not only into who has access to what, but also into how they acquired
access privileges. The following questions can help you review these capabilities.

SELF-SERVICE ACCESS REQUEST REQUIREMENTS (answer columns: SAILPOINT / OTHERS)

- Does the solution provide a business-friendly interface for requesting changes to user access? [SailPoint: Yes | Others: ____]
- Can the solution facilitate requesting of different types of access, including roles, entitlements and accounts? [SailPoint: Yes | Others: ____]
- Does the self-service access request solution allow for additions, changes, and removals of access? [SailPoint: Yes | Others: ____]
- Can users search for access using configurable metadata attributes such as name, description, owner or other keywords? [SailPoint: Yes | Others: ____]
- Can the solution suggest access rights based on an analysis of similar identities? [SailPoint: Yes | Others: ____]
- If the solution suggests access rights, is the user informed of high-risk users included in the comparative analysis? [SailPoint: Yes | Others: ____]
- Does the solution allow the user to specify a priority for access requests? [SailPoint: Yes | Others: ____]
- Can users request a start date (“sunrise”) associated with new access requests? [SailPoint: Yes | Others: ____]
- Can users select an end date (“sunset”) when removing access through the self-service request interface? [SailPoint: Yes | Others: ____]
- Does the solution support requesting optional IT roles for currently assigned business roles? [SailPoint: Yes | Others: ____]
- Can the system be configured to restrict end users to requesting only optional IT roles? [SailPoint: Yes | Others: ____]
- Does the solution support preventive policy-checking of self-service and delegated access requests prior to their being submitted for fulfillment? [SailPoint: Yes | Others: ____]
- Does the solution give end users a business-friendly dashboard to view the status of pending and completed requests? [SailPoint: Yes | Others: ____]
- Does the solution enable the user to track access requests made by them and for them? [SailPoint: Yes | Others: ____]
- Does the solution allow users to track the full details of an access request, including the status of approvals and fulfillment tasks? [SailPoint: Yes | Others: ____]
- Does the solution allow anyone in the organization to request access for anyone else? [SailPoint: Yes | Others: ____]
- Does the solution scope who can request access for others? Can attributes be used to define the requestor relationship? [SailPoint: Yes | Others: ____]
- Does the solution offer self-service registration for external or “non-employee” users (e.g., contractors, partners, consumers)? [SailPoint: Yes | Others: ____]
- Does the solution support creating new identities from scratch within the user interface (i.e., act as the authoritative source for creating identities)? [SailPoint: Yes | Others: ____]
- Can the solution limit the data which is editable from the user interface? [SailPoint: Yes | Others: ____]
- Does the solution allow you to edit identity attributes of existing users? [SailPoint: Yes | Others: ____]
- Does the solution support configurable workflows to manage self-service access request/change processes such as approvals and provisioning? [SailPoint: Yes | Others: ____]
- Can the solution automatically add newly requested applications to a user’s SSO launchpad? [SailPoint: Yes | Others: ____]


Automated Lifecycle Management

A fundamental capability of all identity and access management solutions is the automation of basic account
creation, update and delete functions. Unfortunately, traditional approaches to identity management perform this
through custom-coded workflows and complex policy rules. The following questions will help determine if an identity
management platform can keep pace with the dynamic nature of change in your organization.

AUTOMATED LIFECYCLE MANAGEMENT REQUIREMENTS (answer columns: SAILPOINT / OTHERS)

- Does the solution support the definition of automated lifecycle events (e.g., new hire, promotion, termination) that trigger access changes in enterprise and SaaS applications? [SailPoint: Yes | Others: ____]
- Can lifecycle events trigger specific workflows to manage the change process from initiation through provisioning? [SailPoint: Yes | Others: ____]
- Does the solution provide visibility to access changes initiated through automated change events (e.g., new hire, promotion, termination)? [SailPoint: Yes | Others: ____]
- Can the solution orchestrate changes to user access based on self-service access requests and lifecycle events across disparate provisioning processes? [SailPoint: Yes | Others: ____]
- Does the solution provide flexible approval routing for changes initiated through self-service request or automated lifecycle events (e.g., manager, data owners, role owners, and security administrators)? [SailPoint: Yes | Others: ____]
- Can lifecycle events be configured from the user interface? [SailPoint: Yes | Others: ____]
- Does the solution provide a graphical user interface for configuring/editing business processes and workflows associated with manually initiated access requests (including self-service and delegated requests)? [SailPoint: Yes | Others: ____]
- Does the solution support delegation of approval requests to other users within the system, and is this information tracked and audited? [SailPoint: Yes | Others: ____]
- Does the solution support dynamic rerouting of approval requests based on the outcome of other workflow steps (e.g., change approval routing if a policy violation is identified or if the user’s risk score crosses a defined threshold)? [SailPoint: Yes | Others: ____]
- Can the solution automatically determine the chronological order and need to create new accounts associated with adding entitlements and roles? [SailPoint: Yes | Others: ____]
- Can the solution request additional information from users involved in the access request process (e.g., requester, approver, application/data owners)? [SailPoint: Yes | Others: ____]
- Can the solution be configured to take action based on account activity or lack of activity? [SailPoint: Yes | Others: ____]
- Can the solution dynamically generate forms to capture additional information from the user based on pre-configured provisioning policies for applications and roles? [SailPoint: Yes | Others: ____]
- Does the solution enable a user to self-register for access and have it create a new account either immediately or after approvals? [SailPoint: Yes | Others: ____]
- Can the solution automatically add and remove SSO access to applications as part of the provisioning process? [SailPoint: Yes | Others: ____]
- Does the access request and lifecycle management solution track aggregated request metrics and workflow statistics? [SailPoint: Yes | Others: ____]
- Does the solution support tracking and reporting on service-level metrics? [SailPoint: Yes | Others: ____]
- Are metrics available at the business process level as well as the individual workflow step level? [SailPoint: Yes | Others: ____]
- Does the solution support the ability to force an electronic signature when a user is approving a request? [SailPoint: Yes | Others: ____]

Password Management

Implementing a self-service interface for assisting business users in changing and resetting their passwords is
one of the fastest paths to cost savings for any identity and access management project. These questions help
you determine if the solution will be sufficient to address your password management needs across enterprise and
cloud-based systems, including defining and enforcing password policies, self-service changes and resets and
password synchronization across systems.

PASSWORD MANAGEMENT REQUIREMENTS

Does the solution allow end users to manage their own passwords — i.e., reset forgotten passwords, change existing passwords?   SailPoint: Yes   Others:

Does the solution provide an option to help users reset forgotten passwords from the Windows desktop (i.e., a GINA or Credential Provider plugin)?   SailPoint: Yes   Others:

Does the solution support the following constraints: minimum/maximum length, password history constraints, exclusion dictionary?   SailPoint: Yes   Others:

Does the solution support multiple password policies per application? If yes, can different policies be applied to users based on identity attributes (e.g., employee and contractor policies)?   SailPoint: Yes   Others:

Does the solution automatically calculate the minimum (i.e., strictest common) password policy when resetting or changing passwords across multiple systems?   SailPoint: Yes   Others:

Does the solution allow delegated password administration?   SailPoint: Yes   Others:

Does the solution support challenge questions for password recovery?   SailPoint: Yes   Others:

Can the number of challenge questions presented to the user be configured based on the organization’s security policies?   SailPoint: Yes   Others:

Can the solution force the user to answer their authentication questions before using other capabilities?   SailPoint: Yes   Others:

Can the solution provide administrators with a report detailing users who have not completed answers to challenge questions?   SailPoint: Yes   Others:

Can manual password changes be synchronized across multiple systems at the same time?   SailPoint: Yes   Others:

Can users manage passwords from a mobile device such as a tablet or smartphone?   SailPoint: Yes   Others:

Are the end-user password management user interfaces integrated with the solution’s access request user interfaces for a seamless user experience?   SailPoint: Yes   Others:
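The question about calculating the "minimum" password policy across systems is worth testing concretely during evaluation: a password synchronized to several targets must satisfy the strictest combination of all their rules, and some combinations cannot be met by any password at all. The Python below is an added example written for this guide, not SailPoint code or any vendor's implementation. The three sample policies, their limits and the character-class names are constructed assumptions. It composes the effective policy, validates a candidate against it, and refuses to synchronize when a legacy system's maximum length contradicts a SaaS application's minimum.

```python
import string
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    """Password rules for one target system. All values used below are
    constructed for this example and are not any vendor's real defaults."""
    system: str
    min_length: int
    max_length: Optional[int]             # None means no upper bound
    required_classes: FrozenSet[str]      # subset of {"upper", "lower", "digit", "symbol"}
    history: int                          # previous passwords that may not be reused
    exclusion_dictionary: FrozenSet[str]  # banned substrings, compared case-insensitively


class PolicyConflict(ValueError):
    """No single password can satisfy every system; synchronization must be split."""


def effective_policy(policies: Sequence[PasswordPolicy]) -> PasswordPolicy:
    """Combine per-system policies into the strictest policy that satisfies all of them.

    A password synchronized to several systems must pass each one, so the combined
    rule takes the largest minimum length, the smallest maximum length, the union of
    required character classes, the longest history and the union of banned words.
    Contradictory bounds raise PolicyConflict instead of silently producing a rule
    that no password can meet."""
    if not policies:
        raise ValueError("at least one policy is required")
    min_length = max(p.min_length for p in policies)
    upper_bounds = [p.max_length for p in policies if p.max_length is not None]
    max_length = min(upper_bounds) if upper_bounds else None
    required = frozenset().union(*(p.required_classes for p in policies))
    if max_length is not None and min_length > max_length:
        raise PolicyConflict(f"minimum length {min_length} exceeds maximum length {max_length}")
    if max_length is not None and len(required) > max_length:
        raise PolicyConflict("more required character classes than the maximum length allows")
    return PasswordPolicy(
        system="effective(" + ",".join(p.system for p in policies) + ")",
        min_length=min_length,
        max_length=max_length,
        required_classes=required,
        history=max(p.history for p in policies),
        exclusion_dictionary=frozenset().union(*(p.exclusion_dictionary for p in policies)),
    )


def _character_classes(password: str) -> FrozenSet[str]:
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)


def violations(password: str, policy: PasswordPolicy,
               previous: Sequence[str] = ()) -> List[str]:
    """Every rule the candidate breaks; an empty list means it is accepted.
    `previous` is the user's history, most recent first; only the first
    `policy.history` entries are enforced."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    missing = policy.required_classes - _character_classes(password)
    if missing:
        problems.append("missing character class(es): " + ", ".join(sorted(missing)))
    lowered = password.lower()
    for word in sorted(policy.exclusion_dictionary):
        if word in lowered:
            problems.append(f"contains banned word {word!r}")
    if password in list(previous)[:policy.history]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    return problems


# Constructed sample policies for three systems that share one synchronized password.
AD_POLICY = PasswordPolicy("ActiveDirectory", 8, None,
                           frozenset({"upper", "lower", "digit"}), 24, frozenset({"password"}))
SAAS_POLICY = PasswordPolicy("SaaS-CRM", 12, 128,
                             frozenset({"upper", "lower", "digit", "symbol"}), 5, frozenset({"company"}))
LEGACY_POLICY = PasswordPolicy("LegacyMainframe", 6, 8, frozenset({"digit"}), 4, frozenset())

if __name__ == "__main__":
    combined = effective_policy([AD_POLICY, SAAS_POLICY])
    print(combined)
    print(violations("Tr0ub4dor&3xyz", combined))   # []
    print(violations("companyPass1", combined))     # missing symbol, banned word
    try:
        effective_policy([AD_POLICY, SAAS_POLICY, LEGACY_POLICY])
    except PolicyConflict as exc:
        print("cannot synchronize:", exc)           # minimum 12 exceeds maximum 8
```

When a vendor answers "Yes" to this item, ask what the product does in the conflict case: a good answer is that it refuses or splits the synchronization and tells the user which system is the problem, not that it silently applies only one system's rules.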


Simplifying Access Management for Cloud, Web and Mobile

The rapid proliferation of enterprise cloud and SaaS applications has a big downside: users waste time trying to
remember all their usernames and passwords and, more importantly, create security issues by writing them down in plain
sight or overburdening the help desk when they inevitably forget them. Asking the following questions will help you
evaluate whether an identity and access management solution can provide a fully integrated cloud, web and mobile SSO
experience for users and support continued SaaS adoption in your organization.

Single Sign-on
The best way to simplify and secure access to applications while keeping things convenient for end users is a
single sign-on solution that also offers strong authentication. Note that knowledge-based authentication (challenge
questions) is not a strong factor on its own; treat one-time passwords or integration with a dedicated multi-factor
product as the baseline. The following questions will help you determine whether the solution is designed to work
seamlessly within your environment.

SSO REQUIREMENTS

Does the solution provide a wide range of pre-built and configured SSO profiles to speed deployment?   SailPoint: Yes   Others:

Are new SSO profiles for 3rd party vendors’ products provided free of charge?   SailPoint: Yes   Others:

Can you customize application profiles (name, URLs, quick links, icon) and have changes visible to all users?   SailPoint: Yes   Others:

Does the solution provide an out-of-the-box portal for application access (i.e., launchpad)?   SailPoint: Yes   Others:

Can users select a particular task or function of an application and SSO directly into that activity from the launchpad or portal?   SailPoint: Yes   Others:

Are profiles supported for password, federation, and proxy-based SSO for both corporate applications and BYOA?   SailPoint: Yes   Others:

Does the solution provide a launchpad or portal where users can see all web and cloud applications they are entitled to and SSO into them with a single click?   SailPoint: Yes   Others:

Can an unlimited number of SSO users share the same computing device, such as a kiosk or tablet?   SailPoint: Yes   Others:

Does the solution allow you to automatically populate the launchpad with corporate applications based on assignments of roles or entitlements?   SailPoint: Yes   Others:

Does the solution allow you to populate credentials (username/password) into the launchpad based on provisioning workflows?   SailPoint: Yes   Others:

Can the system prevent the shared use of passwords between personal and corporate applications?   SailPoint: Yes   Others:

Are application user IDs and passwords protected and encrypted in such a way that no one other than the end user has access to the private encryption key to use them?   SailPoint: Yes   Others:

Does the solution provide self-service IAM functions from a mobile app, such as password reset?   SailPoint: Yes   Others:

Does the solution provide SSO from a wide variety of Web browsers, regardless of how users launch the apps (e.g., via launchpad portal, bookmark, URL email link, etc.)?   SailPoint: Yes   Others:

Does the solution provide SSO into Web and cloud applications from tablets and smartphones?   SailPoint: Yes   Others:

Does the solution support optional logging of user activity?   SailPoint: Yes   Others:

Does the solution automatically associate self-provisioned or BYOA application use with the corresponding known identity records for reporting and governance?   SailPoint: Yes   Others:

Can administrators restrict, by policy or role, which applications, including third party apps, are available for SSO?   SailPoint: Yes   Others:

Does the solution support the presentation and audit logging of a global system wide “terms of use” acceptance for use of the SSO product by end users (e.g. misuse of this product is a violation of business conduct guidelines)?   SailPoint: Yes   Others:

Can the system use activity data to automatically deprovision application access after a period of non-use?   SailPoint: Yes   Others:

Does the solution provide an on-premises reverse proxy and allow agentless password-free SSO without application changes?   SailPoint: Yes   Others:

Does the on-premises proxy automatically update, self-monitor, and recover?   SailPoint: Yes   Others:

Does the on-premises proxy scale horizontally?   SailPoint: Yes   Others:

Does the on-premises proxy support virtual hosts as well as customized URL extensions per app?   SailPoint: Yes   Others:

Does the on-premises proxy provide central session control?   SailPoint: Yes   Others:

STRONG AUTHENTICATION REQUIREMENTS

Does the solution include strong authentication options such as one-time passwords (OTP) or knowledge-based authentication (KBA)?   SailPoint: Yes   Others:

Can the solution integrate with third party multi-factor authentication products?   SailPoint: Yes   Others:

Does the solution enforce step-up authentication policies requiring strong authentication for accessing applications based on identity risk?   SailPoint: Yes   Others:
• All users for a specific application
• Users with highly privileged entitlements
• By business role
• Based on a user’s risk score
• Based on the access environment (country, time, IP, etc.)

Is access to the SSO solution optionally protected by strong authentication?   SailPoint: Yes   Others:

Is access to the administrative functions protected by strong authentication?   SailPoint: Yes   Others:
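To make the step-up question checkable in a proof of concept, the following added Python example (written for this guide; not SailPoint code or any vendor's policy engine) evaluates the five trigger types listed above against sample SSO events. The rule and field names, the 0..1000 risk scale, and the sample events are all constructed assumptions. It also makes visible the design decision an evaluator should ask about: whether several conditions inside one policy combine with AND or OR (here AND within a rule, OR across rules).

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AccessContext:
    """What the SSO service knows at the moment a user launches an application.
    Field names and the 0..1000 risk scale are assumptions for this example."""
    user: str
    application: str
    roles: FrozenSet[str]
    entitlements: FrozenSet[str]
    risk_score: int            # identity risk score, 0 (low) .. 1000 (high)
    country: str               # ISO 3166 alpha-2 code from a geo-IP lookup
    source_ip: str
    local_time: time


@dataclass(frozen=True)
class StepUpPolicy:
    """One step-up rule. Every condition that is set must hold for the rule to fire;
    unset conditions are ignored, so a rule with only `applications` set fires for
    all users of those applications. Rules are evaluated independently and any
    firing rule requires strong authentication, so "any of these environment
    signals" is expressed as several rules rather than one."""
    name: str
    applications: FrozenSet[str] = frozenset()              # scope: empty = every application
    privileged_entitlements: FrozenSet[str] = frozenset()   # fire if the user holds any of these
    roles: FrozenSet[str] = frozenset()                     # fire if the user holds any of these
    min_risk_score: Optional[int] = None                    # fire if score >= this value
    allowed_countries: FrozenSet[str] = frozenset()         # fire if the country is NOT in the set
    trusted_networks: Tuple[str, ...] = ()                  # fire if the source IP is NOT in any CIDR
    business_hours: Optional[Tuple[time, time]] = None      # fire if the local time is outside

    def fires(self, ctx: AccessContext) -> bool:
        if self.applications and ctx.application not in self.applications:
            return False
        if self.privileged_entitlements and not (ctx.entitlements & self.privileged_entitlements):
            return False
        if self.roles and not (ctx.roles & self.roles):
            return False
        if self.min_risk_score is not None and ctx.risk_score < self.min_risk_score:
            return False
        if self.allowed_countries and ctx.country in self.allowed_countries:
            return False
        if self.trusted_networks:
            addr = ip_address(ctx.source_ip)
            if any(addr in ip_network(cidr) for cidr in self.trusted_networks):
                return False
        if self.business_hours is not None:
            start, end = self.business_hours
            if start <= ctx.local_time <= end:
                return False
        return True


def step_up_required(ctx: AccessContext, policies: Sequence[StepUpPolicy]) -> List[str]:
    """Names of every rule that fires for this SSO event. An empty list means the
    existing session is sufficient; anything else means prompt for MFA first."""
    return [p.name for p in policies if p.fires(ctx)]


# Constructed rule set covering each trigger type in the checklist.
POLICIES = (
    StepUpPolicy("all-users-of-sap-fi", applications=frozenset({"SAP-FI"})),
    StepUpPolicy("privileged-entitlement",
                 privileged_entitlements=frozenset({"AD:Domain Admins", "UNIX:root"})),
    StepUpPolicy("treasury-role", roles=frozenset({"Treasury Analyst"})),
    StepUpPolicy("high-risk-score", min_risk_score=700),
    StepUpPolicy("outside-trusted-network", trusted_networks=("10.0.0.0/8", "192.168.0.0/16")),
    StepUpPolicy("outside-allowed-countries", allowed_countries=frozenset({"US", "GB", "DE"})),
    StepUpPolicy("outside-business-hours", business_hours=(time(7, 0), time(19, 0))),
)

# Constructed SSO events.
ORDINARY_EVENT = AccessContext("alice", "Expenses", frozenset({"Employee"}),
                               frozenset({"Expenses:User"}), 120, "US", "10.20.30.40", time(10, 0))
FINANCE_EVENT = AccessContext("bob", "SAP-FI", frozenset({"Accountant"}),
                              frozenset({"SAP:FI_DISPLAY"}), 300, "US", "10.1.1.1", time(9, 0))
RISKY_EVENT = AccessContext("carol", "Wiki", frozenset({"Treasury Analyst"}),
                            frozenset({"AD:Domain Admins"}), 820, "BR", "203.0.113.9", time(23, 30))

if __name__ == "__main__":
    for ctx in (ORDINARY_EVENT, FINANCE_EVENT, RISKY_EVENT):
        print(ctx.user, "->", step_up_required(ctx, POLICIES) or "no step-up")
```

The same evaluation should apply to the product's own administrative console, which is why the last two checklist items ask about it separately: an SSO launchpad that requires MFA for SAP but not for the console that edits the SSO profiles has the policy backwards.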


Role Management

An enterprise role model can be an important tool in streamlining and simplifying identity and access management
processes for the business. The following questions can help you determine whether the solution under evaluation
can help you create an enterprise role model and manage the entire role lifecycle to accommodate changes in
business and IT systems, while keeping the quality and reliability of the role model in place.

ROLE MANAGEMENT REQUIREMENTS

Does the solution support the creation and maintenance of an enterprise role model?   SailPoint: Yes   Others:

Does the solution provide a single role model/repository leveraged by all identity processes, including compliance, provisioning and access management activities?   SailPoint: Yes   Others:

Does the solution support a hierarchical role model with n-levels?   SailPoint: Yes   Others:

Can the business role model support both required and optional IT role associations to reduce the number of roles required in the system to effectively enforce the principle of least privilege?   SailPoint: Yes   Others:

Can the solution automate the creation of roles using data mining techniques to discover potential roles using various pattern search algorithms?   SailPoint: Yes   Others:

Does the solution support automated mining of both business roles (top-down) and IT roles (bottom-up)?   SailPoint: Yes   Others:

Does the role mining support a directed search, whereby the user is able to narrow the focus of the mining by selecting a set of applications to mine against and by providing user-specifics such as location, job title, manager, cost center (e.g., “Only mine against applications 1 & 3 and users of those applications that are in cost center 1204 and work in the Chicago office.”)?   SailPoint: Yes   Others:

Does the role definition process include the ability to identify or suggest candidate roles during the access certification process?   SailPoint: Yes   Others:

Can new role types be configured directly within the user interface?   SailPoint: Yes   Others:

Does the solution support custom types of roles?   SailPoint: Yes   Others:

Can the solution import an existing role model using manual or automated interfaces?   SailPoint: Yes   Others:

Does the solution support the ability to read or import organizational hierarchy information?   SailPoint: Yes   Others:

Can role owners provide a business friendly description to help users understand the meaning of a role during certification and access request activities?   SailPoint: Yes   Others:

Does the solution support delegation with respect to role ownership?   SailPoint: Yes   Others:

Does the solution provide approval workflow options when the definition or contents of a role are changed (i.e., add, modify, disable)?   SailPoint: Yes   Others:

Does the solution provide the ability to perform a “what if” impact analysis on role model changes?   SailPoint: Yes   Others:

Does the solution support certification of both role composition (role privilege/entitlement mapping) and role membership?   SailPoint: Yes   Others:

Does the solution provide analysis of roles indicating role quality based on factors such as membership, risk, and usage?   SailPoint: Yes   Others:

Can the solution detect and proactively report on the following types of issues with the role model: inactive roles, users with no roles, roles with no users?   SailPoint: Yes   Others:

Can role engineers define additional metadata attributes on a role and can those attributes be used to control IAM processes without having to customize the application?   SailPoint: Yes   Others:

Can the solution detect and alert on policy violations that exist within a role definition before assigning roles to users?   SailPoint: Yes   Others:

Does the solution provide the ability to assign and de-assign roles to users from the user interface?   SailPoint: Yes   Others:

Can assignment be done both manually and through automated assignment and de-assignment rules associated with a role?   SailPoint: Yes   Others:

Can a role assignment automatically provide SSO access to an application by adding one or more SSO profiles to a user’s launchpad?   SailPoint: Yes   Others:

Can a role definition be used to trigger strong authentication within the context of an SSO event?   SailPoint: Yes   Others:

Does the solution provide logging and reporting capabilities for all role changes? (e.g., “when was the role created, who created it, who approved it?”)   SailPoint: Yes   Others:

Does the solution maintain all previous versions of role definitions?   SailPoint: Yes   Others:

Can users easily view and roll back to previous versions of role definitions?   SailPoint: Yes   Others:
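The directed-search item above ("only mine against applications 1 & 3 and users of those applications that are in cost center 1204 and work in the Chicago office") can be reproduced on a small data set so that a vendor's mining output has something to be compared against. The Python below is an added example for this guide, not SailPoint's mining algorithm or code. It performs bottom-up (IT) role mining by treating every observed entitlement profile, plus the pairwise intersections of those profiles, as candidate roles and keeping the ones held in full by enough users; the identities, entitlements and the "APPLICATION:entitlement" naming are constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Identity:
    """One person with the entitlements aggregated from connected systems.
    Entitlements are written "APPLICATION:entitlement" (constructed convention)."""
    name: str
    cost_center: str
    location: str
    job_title: str
    entitlements: FrozenSet[str]


@dataclass(frozen=True)
class CandidateRole:
    entitlements: FrozenSet[str]
    members: FrozenSet[str]         # identities whose access contains the whole pattern

    @property
    def support(self) -> int:
        return len(self.members)

    @property
    def coverage(self) -> int:
        # direct assignments this role would replace: entitlements x members
        return len(self.entitlements) * len(self.members)


def mine_roles(identities: Sequence[Identity],
               applications: Optional[FrozenSet[str]] = None,
               min_support: int = 2,
               min_size: int = 2,
               **attribute_filters: str) -> List[CandidateRole]:
    """Bottom-up (IT) role mining over actual entitlement assignments.

    Directed search: `applications` restricts which entitlements are considered and
    `attribute_filters` (e.g. cost_center="1204", location="Chicago") restricts the
    population. Candidate patterns are every distinct entitlement profile in the
    population plus the pairwise intersections of those profiles (the common core
    shared by users whose full access differs). A candidate survives if at least
    `min_support` users hold the whole pattern and it has at least `min_size`
    entitlements; results are ordered by coverage so the most useful role to
    create comes first."""
    population = [i for i in identities
                  if all(getattr(i, attr) == value for attr, value in attribute_filters.items())]

    def in_scope(entitlement: str) -> bool:
        return applications is None or entitlement.split(":", 1)[0] in applications

    profiles = {i.name: frozenset(e for e in i.entitlements if in_scope(e)) for i in population}
    profiles = {name: ents for name, ents in profiles.items() if ents}

    distinct = set(profiles.values())
    patterns = set(distinct)
    for a, b in combinations(distinct, 2):
        patterns.add(a & b)

    candidates = []
    for pattern in patterns:
        if len(pattern) < min_size:
            continue
        members = frozenset(name for name, ents in profiles.items() if pattern <= ents)
        if len(members) >= min_support:
            candidates.append(CandidateRole(pattern, members))
    return sorted(candidates, key=lambda c: (-c.coverage, tuple(sorted(c.entitlements))))


# Constructed identities: a finance team in cost center 1204 plus two outliers.
IDENTITIES = (
    Identity("ann", "1204", "Chicago", "Accountant",
             frozenset({"SAP:FI_DISPLAY", "SAP:FI_POST", "AD:Finance-Users", "Wiki:Editor"})),
    Identity("ben", "1204", "Chicago", "Accountant",
             frozenset({"SAP:FI_DISPLAY", "SAP:FI_POST", "AD:Finance-Users"})),
    Identity("cho", "1204", "Chicago", "Senior Accountant",
             frozenset({"SAP:FI_DISPLAY", "SAP:FI_POST", "SAP:FI_APPROVE", "AD:Finance-Users"})),
    Identity("dev", "1204", "Chicago", "Intern",
             frozenset({"SAP:FI_DISPLAY", "AD:Finance-Users"})),
    Identity("eve", "3300", "Denver", "Engineer",
             frozenset({"AD:Eng-Users", "Git:Push"})),
    Identity("fay", "1204", "Denver", "Accountant",
             frozenset({"SAP:FI_DISPLAY", "SAP:FI_POST", "AD:Finance-Users"})),
)

if __name__ == "__main__":
    # The checklist's own example: only SAP and AD, cost center 1204, Chicago office.
    for role in mine_roles(IDENTITIES, applications=frozenset({"SAP", "AD"}),
                           cost_center="1204", location="Chicago"):
        print(sorted(role.entitlements), "->", sorted(role.members))
```

Note what the directed search changes: with the Chicago filter the best candidate is the three-entitlement accountant core held by three people; without any filter the same pattern is held by four, because the Denver accountant is now in the population. Candidate roles still need the review and approval workflow the table asks about before they are created, since mining only reports what people have, not what they should have.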


Risk Modeling and Analytics

Most organizations struggle to understand the underlying risk posed by what users have access to and how they are
using their access. In order to effectively deploy and manage enterprise identity and access management solutions,
you need insight into where the risk hot spots are in your organization. The following questions address a solution’s
ability to take a risk-based approach and provide the functionality necessary for you to assess, manage and control
threats to security posed by people, roles and applications.

RISK MODELING AND ANALYTICS REQUIREMENTS

Does the solution provide a comprehensive approach to measuring identity and access risk within the enterprise at both the user and application/resource levels?   SailPoint: Yes   Others:

Does the solution track and monitor the risk of each user based on that user’s access to sensitive applications and data (identity risk scoring)?   SailPoint: Yes   Others:

Does the solution support the creation of an application risk model to determine the relative risk of each managed application based on pre-defined risk factors?   SailPoint: Yes   Others:

Does the solution support the assignment of unique risk values to each application, entitlement and role within the system?   SailPoint: Yes   Others:

Does the solution enable risk mitigation actions (e.g., certifications, de-provisioning or activity monitoring) to be targeted at high-risk users?   SailPoint: Yes   Others:

Can risk scores on access be used to calculate the overall risk score of an identity within the organization?   SailPoint: Yes   Others:

Can certification status or time since last certification be used as a risk factor in the model?   SailPoint: Yes   Others:

Does the solution dynamically calculate a user’s risk score based on changes to access within the environment?   SailPoint: Yes   Others:

Does the solution support using risk scores to trigger strong authentication policies for SSO events?   SailPoint: Yes   Others:

Does the solution support configurable risk factors and weightings for calculating identity or resource risk scores?   SailPoint: Yes   Others:

Can attributes from authoritative sources be used to influence an identity or resource risk score, such as location, employee status, etc.?   SailPoint: Yes   Others:

Does the solution support the assignment of risk scores to policy rules — e.g., SoD policies?   SailPoint: Yes   Others:

Can the solution profile aggregate risk scores, e.g., by manager, department, location, or company-wide?   SailPoint: Yes   Others:

Can aggregate risk scores be displayed graphically for easy identification of risk “hot spots”?   SailPoint: Yes   Others:

Does the solution track risk scores over time for trending analysis?   SailPoint: Yes   Others:

Can the solution alert or notify managers, application owners or compliance officers based on changes to an identity or resource risk score?   SailPoint: Yes   Others:

Can high-risk users be easily identified via reporting and analytics?   SailPoint: Yes   Others:

Can bulk corrective or mitigating actions (such as an ad hoc certification) be taken against high-risk user populations discovered via reporting or analytics?   SailPoint: Yes   Others:
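The risk items above all reduce to one computation: per-entitlement risk values, combined with factors such as time since last certification, open SoD violations and inactive accounts, weighted by a configurable model and then aggregated by department to find hot spots. The Python below is an added example for this guide, not SailPoint's risk model or scoring formula. The 0..1000 scale, the factor definitions, the weights and every identity are constructed assumptions; the noisy-OR combination of entitlement values and the integer percentage weights are design choices explained in the comments.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Identity:
    """Identity with the inputs the risk factors need. All values are constructed."""
    name: str
    department: str
    entitlements: FrozenSet[str]
    days_since_certification: int     # days since this person's access was last certified
    sod_violations: int               # open separation-of-duties violations
    inactive_accounts: int            # correlated accounts with no recent login activity


# Constructed entitlement risk values on an assumed 0..1000 scale (1000 = most sensitive).
ENTITLEMENT_RISK: Dict[str, int] = {
    "AD:Domain Admins": 900,
    "Payroll:Edit": 800,
    "SAP:FI_APPROVE": 700,
    "SAP:FI_POST": 500,
    "SAP:FI_DISPLAY": 100,
    "Wiki:Editor": 50,
}


@dataclass(frozen=True)
class RiskModel:
    """Configurable factors and weightings. Weights are whole percentages that must
    sum to 100 so the final score is computed in exact integer arithmetic."""
    weights: Dict[str, int]
    certification_horizon_days: int = 365   # the certification factor reaches 1000 at this age
    hot_spot_threshold: int = 350           # aggregate score at which a group is flagged

    def __post_init__(self) -> None:
        if sum(self.weights.values()) != 100:
            raise ValueError("factor weights must sum to 100")
        if set(self.weights) != {"entitlements", "certification", "sod", "inactivity"}:
            raise ValueError("unknown or missing factor name")


def factor_scores(identity: Identity, model: RiskModel) -> Dict[str, int]:
    """Each factor on the same 0..1000 scale so the weights are comparable."""
    # Entitlement factor: noisy-OR of the individual values, so two medium-risk
    # entitlements score higher than either alone but never exceed 1000, and one
    # critical entitlement dominates no matter how many harmless ones sit beside it.
    survival = 1.0
    for entitlement in identity.entitlements:
        survival *= 1.0 - ENTITLEMENT_RISK.get(entitlement, 0) / 1000.0
    entitlement_factor = round(1000 * (1.0 - survival))
    certification_factor = min(1000, 1000 * identity.days_since_certification
                               // model.certification_horizon_days)
    return {
        "entitlements": entitlement_factor,
        "certification": certification_factor,
        "sod": min(1000, 500 * identity.sod_violations),
        "inactivity": min(1000, 500 * identity.inactive_accounts),
    }


def identity_score(identity: Identity, model: RiskModel) -> int:
    """Weighted combination; recomputed from scratch whenever access changes."""
    factors = factor_scores(identity, model)
    return sum(model.weights[name] * value for name, value in factors.items()) // 100


def aggregate_scores(identities: Sequence[Identity], model: RiskModel) -> Dict[str, float]:
    """Mean identity score per department (swap the key for manager or location)."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for identity in identities:
        groups[identity.department].append(identity_score(identity, model))
    return {dept: sum(scores) / len(scores) for dept, scores in groups.items()}


def hot_spots(identities: Sequence[Identity], model: RiskModel) -> List[Tuple[str, float]]:
    """Departments whose average score reaches the threshold, worst first."""
    return sorted(((dept, avg) for dept, avg in aggregate_scores(identities, model).items()
                   if avg >= model.hot_spot_threshold), key=lambda item: -item[1])


def high_risk_users(identities: Sequence[Identity], model: RiskModel, threshold: int) -> List[str]:
    """Individuals at or above the threshold, worst first: the population to target
    with an ad hoc certification or activity monitoring."""
    scored = [(identity_score(i, model), i.name) for i in identities]
    return [name for score, name in sorted(scored, reverse=True) if score >= threshold]


MODEL = RiskModel({"entitlements": 50, "certification": 20, "sod": 20, "inactivity": 10})

IDENTITIES = (
    Identity("alice", "Finance", frozenset({"SAP:FI_POST", "SAP:FI_APPROVE", "SAP:FI_DISPLAY"}), 400, 1, 0),
    Identity("bob", "Finance", frozenset({"SAP:FI_DISPLAY"}), 30, 0, 0),
    Identity("carol", "IT", frozenset({"AD:Domain Admins", "Wiki:Editor"}), 120, 0, 1),
    Identity("dan", "Marketing", frozenset({"Wiki:Editor"}), 10, 0, 0),
)

if __name__ == "__main__":
    for identity in IDENTITIES:
        print(identity.name, identity_score(identity, MODEL), factor_scores(identity, MODEL))
    print("hot spots:", hot_spots(IDENTITIES, MODEL))
    print("high-risk users:", high_risk_users(IDENTITIES, MODEL, 500))
```

During evaluation, ask the vendor to show the factor breakdown for one user the way `factor_scores` does: a single opaque number cannot tell a manager whether to recertify, remove an entitlement or chase an inactive account.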


Identity and Access Intelligence

Organizations strive for better visibility into identity and access information across their business. The following
questions can help you identify whether the solution under consideration can give you the information you need via
dashboards and alerts while also enabling you to run ad hoc queries and produce detailed reports on a variety of
identity and access management processes.

IDENTITY AND ACCESS INTELLIGENCE REQUIREMENTS

Does the solution provide end users and managers with an easy-to-use dashboard experience where they can see actionable information or new identity related activities?   SailPoint: Yes   Others:

Does the solution include personalized administrative dashboards which highlight compliance and provisioning activities/status within the enterprise?   SailPoint: Yes   Others:

Can users personalize the content and presentation of information on their dashboard? Are personalization settings persisted between sessions?   SailPoint: Yes   Others:

Does the solution provide an extensible framework for adding customer-defined business processes to the dashboard?   SailPoint: Yes   Others:

Can users drill down from the dashboard into specific tasks and/or supporting data?   SailPoint: Yes   Others:

Does the solution include numerous pre-defined reports out-of-the-box across compliance and provisioning BI needs?   SailPoint: Yes   Others:

Can pre-defined reports be personalized by end users to fit their specific business needs?   SailPoint: Yes   Others:

Can end users change the columns which are included in reports? Sort order of data? Group data?   SailPoint: Yes   Others:

Can users save reporting personalizations for easy recall and reuse?   SailPoint: Yes   Others:

Does the solution provide an interactive preview option for reviewing report layouts?   SailPoint: Yes   Others:

Does the solution provide charting/graphing options for internal reports?   SailPoint: Yes   Others:

Is a report scheduler provided that allows user-specified reports to be run on a regularly scheduled basis? Can results be automatically sent via email?   SailPoint: Yes   Others:

Does the solution support saving reporting results in downloadable file formats (e.g., PDF, Excel or CSV)?   SailPoint: Yes   Others:

Can the solution require users to “sign-off” that they have reviewed a report?   SailPoint: Yes   Others:

Can the solution report on historical “point-in-time” access as well as current state?   SailPoint: Yes   Others:

Does the solution provide an ad hoc analytics interface for creating dynamic searches?   SailPoint: Yes   Others:

Can ad hoc searches be saved as reports for easy recall?   SailPoint: Yes   Others:

Does the solution provide a way to search on activity information according to various search parameters related to the system/activity and the target user base? For example, show all login activity on an application for users in a specific cost center with risk scores over a certain threshold.   SailPoint: Yes   Others:


Connectivity and Integrations

The success of an organization’s identity and access management solution is highly dependent upon its ability to
connect to target resources and to integrate with its IT infrastructure. The following questions will help you gauge
whether the solution under consideration has the connectivity footprint to govern and fulfill access, along with the
ability to establish an integrated identity ecosystem.

CONNECTIVITY AND INTEGRATIONS REQUIREMENTS

Can the application derive the employee/manager relationship from an authoritative identity source, such as the central HR application?   SailPoint: Yes   Others:

Can the application support multiple authoritative sources for identity data?   SailPoint: Yes   Others:

Does the solution allow transformation of data and execution of validation rules as part of the data load processing?   SailPoint: Yes   Others:

Can the solution support collecting data from enterprise applications based in public or private clouds?   SailPoint: Yes   Others:

Does the software create a single view of each user within the enterprise and their associated access privileges?   SailPoint: Yes   Others:

Are all user entitlements, roles, policy information and activity data viewable within the context of an individual identity?   SailPoint: Yes   Others:

Does the solution enable automated correlation of user account information using a “wizard-like” interface that can be operated by non-technical users?   SailPoint: Yes   Others:

Does the application provide a user interface for performing manual correlation of user account privileges?   SailPoint: Yes   Others:

Can an approval be associated with manual correlation of accounts?   SailPoint: Yes   Others:

Does the application provide a way to designate accounts as privileged or system accounts?   SailPoint: Yes   Others:

Does the solution include a centralized catalog of all entitlements in the system?   SailPoint: Yes   Others:

Does the solution support associating contextual metadata with each entitlement — e.g., business-friendly description, data owner, and account type?   SailPoint: Yes   Others:

Can business-friendly descriptions and other metadata be imported and associated with entitlements? Is this information presented during certification and access request processes?   SailPoint: Yes   Others:

Are both automated and manual updates to entitlement metadata supported?   SailPoint: Yes   Others:

Does the solution provide out-of-the-box connectors for the following categories of enterprise systems?   SailPoint: Yes   Others:
• directories
• databases
• platforms
• business applications
• messaging applications
• mainframes
• SaaS applications

Does the solution provide a toolkit for creating connectors for custom or homegrown applications?   SailPoint: Yes   Others:

Does the vendor provide access to all connectors free of charge? Are connectors developed in future releases included in this policy?   SailPoint: Yes   Others:

Can the solution manage the complete user account lifecycle (add, edit and delete, enable, disable) for connected resources?   SailPoint: Yes   Others:

Does the solution provide native support for delta aggregation of account and entitlement data from connected applications?   SailPoint: Yes   Others:

Can the solution validate that changes requested are correctly implemented in the target resource?   SailPoint: Yes   Others:

Can the solution manage password changes in target resources?   SailPoint: Yes   Others:

Does the solution provide a web-based interface for administration and configuration of application connectors?   SailPoint: Yes   Others:

Are provisioning activities recorded for audit purposes?   SailPoint: Yes   Others:

Can the system orchestrate changes to user access across multiple provisioning processes?   SailPoint: Yes   Others:

Does the application provide a solution for managing enterprise IT systems deployed in public or private clouds?   SailPoint: Yes   Others:

Does the solution provide out-of-box integration with any third party automated provisioning systems?   SailPoint: Yes   Others:

Can the system support the retrieval of entitlement information through another provisioning system’s connectors without the need to directly connect to the target system?   SailPoint: Yes   Others:

Can the system support sending account creation and change requests to third-party provisioning systems for execution in a target resource?   SailPoint: Yes   Others:

Does the solution expose web services for integrating with a third-party provisioning solution to bulk re-provision users based on role model changes?   SailPoint: Yes   Others:

Does the solution support closed-loop validation of change requests through integration with a third-party provisioning solution?   SailPoint: Yes   Others:

Can the solution monitor third-party provisioning system audit logs and correlate this activity data to identities under management?   SailPoint: Yes   Others:

Does integration with third-party provisioning systems use industry standards such as the Service Provisioning Markup Language (SPML) or the System for Cross-domain Identity Management (SCIM) when supported by integrated systems?   SailPoint: Yes   Others:

Does the solution integrate with help desk/service desk systems?   SailPoint: Yes   Others:

Does the solution support the automatic generation of “tickets” through service/help desk integrations?   SailPoint: Yes   Others:

Can the solution receive updates on ticket status and display the information to users when tracking requests?   SailPoint: Yes   Others:

Are the following file import options supported: CSV, XML and flat files?   SailPoint: Yes   Others:

Does the solution support automatic discovery of flat-file or database schemas to speed deployment?   SailPoint: Yes   Others:

Does the solution support modeling fine-grained permissions such as operational rights on database tables and file shares?   SailPoint: Yes   Others:

Can updates to user and access data be scheduled within the application to support regular refresh of information?   SailPoint: Yes   Others:

Does the software support the definition of custom schemas for each connected application?   SailPoint: Yes   Others:

Does the solution support importing and evaluating activity data (e.g., SIEM feeds and application log files) from target systems?   SailPoint: Yes   Others:

Can activity data be mapped back to a known identity based on unique correlation rules?   SailPoint: Yes   Others:

Does the solution support integration with service request management systems?   SailPoint: Yes   Others:

Does the solution support the collection of DLP events for use in compliance and provisioning processes?   SailPoint: Yes   Others:

Does the solution provide integration with mobile device management systems?   SailPoint: Yes   Others:

Does the solution support integration with privileged user management systems?   SailPoint: Yes   Others:

Can the solution integrate with Data Governance solutions?   SailPoint: Yes   Others:
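Several connectivity items above concern correlating aggregated accounts to identities, handling accounts that cannot be correlated automatically, and designating service or system accounts. The Python below is an added example written for this guide, not SailPoint's correlation engine or code. It applies an ordered list of correlation rules, accepts only unique matches, queues ambiguous matches for manual correlation, reports orphan accounts, and sets aside accounts that match a (constructed) service-account naming convention. The identities, accounts and attribute names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Identity:
    """Authoritative identity record (constructed; normally fed from HR)."""
    employee_id: str
    email: str
    display_name: str


@dataclass(frozen=True)
class Account:
    """Raw account as returned by an application connector (constructed)."""
    application: str
    native_id: str
    attributes: Dict[str, str]


# A rule is (name, key taken from the account, key taken from the identity).
# Rules are tried in order; the first one that yields exactly one identity wins.
CorrelationRule = Tuple[str, Callable[[Account], Optional[str]], Callable[[Identity], Optional[str]]]


def _lower(value: Optional[str]) -> Optional[str]:
    return value.lower() if value else None


RULES: Sequence[CorrelationRule] = (
    ("employeeNumber", lambda a: a.attributes.get("employeeNumber"), lambda i: i.employee_id),
    ("mail", lambda a: _lower(a.attributes.get("mail")), lambda i: _lower(i.email)),
    ("displayName", lambda a: a.attributes.get("displayName"), lambda i: i.display_name),
)

# Accounts matching this naming convention are treated as service/system accounts:
# they are never auto-correlated to a person and are listed separately so that an
# owner can be assigned deliberately. The convention itself is an assumption.
SERVICE_ACCOUNT_PATTERN = re.compile(r"^(svc|sys|sa)[-_]", re.IGNORECASE)


@dataclass
class CorrelationResult:
    correlated: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)  # (app, id) -> (employee_id, rule)
    ambiguous: List[Tuple[Account, str, List[str]]] = field(default_factory=list)     # manual correlation queue
    uncorrelated: List[Account] = field(default_factory=list)                          # orphan accounts
    service: List[Account] = field(default_factory=list)


def correlate(accounts: Sequence[Account], identities: Sequence[Identity],
              rules: Sequence[CorrelationRule] = RULES) -> CorrelationResult:
    """Attach each account to at most one identity.

    Exact, unique key matches are accepted automatically. A key that matches
    several identities is never guessed at: the account goes to the manual
    correlation queue (where an approval can be attached). Accounts that match
    no rule are orphans and should be reviewed or disabled, not ignored."""
    indexes: Dict[str, Dict[str, List[str]]] = {}
    for name, _, identity_key in rules:
        index: Dict[str, List[str]] = {}
        for identity in identities:
            key = identity_key(identity)
            if key is not None:
                index.setdefault(key, []).append(identity.employee_id)
        indexes[name] = index

    result = CorrelationResult()
    for account in accounts:
        if SERVICE_ACCOUNT_PATTERN.match(account.native_id):
            result.service.append(account)
            continue
        decided = False
        for name, account_key, _ in rules:
            key = account_key(account)
            if key is None:
                continue
            hits = indexes[name].get(key, [])
            if len(hits) == 1:
                result.correlated[(account.application, account.native_id)] = (hits[0], name)
                decided = True
                break
            if len(hits) > 1:
                result.ambiguous.append((account, name, sorted(hits)))
                decided = True
                break
        if not decided:
            result.uncorrelated.append(account)
    return result


IDENTITIES = (
    Identity("E100", "alice.wong@example.com", "Alice Wong"),
    Identity("E101", "bob.kim@example.com", "Bob Kim"),
    Identity("E102", "bob.kim2@example.com", "Bob Kim"),       # same display name as E101
)

ACCOUNTS = (
    Account("AD", "awong", {"employeeNumber": "E100", "mail": "Alice.Wong@example.com"}),
    Account("SAP", "KIMB", {"mail": "Bob.Kim@Example.com"}),   # only the e-mail is present
    Account("Linux", "bkim", {"displayName": "Bob Kim"}),       # two identities share this name
    Account("Linux", "jdoe", {"displayName": "John Doe"}),      # nobody in HR: orphan
    Account("AD", "svc-backup", {"displayName": "Backup Service"}),
)

if __name__ == "__main__":
    outcome = correlate(ACCOUNTS, IDENTITIES)
    print("correlated:", outcome.correlated)
    print("manual queue:", [(a.native_id, rule, hits) for a, rule, hits in outcome.ambiguous])
    print("orphans:", [a.native_id for a in outcome.uncorrelated])
    print("service accounts:", [a.native_id for a in outcome.service])
```

The orphan list is the security-relevant output: accounts with no owner are exactly what certifications and leaver processes miss, so ask the vendor how uncorrelated and ambiguous accounts are surfaced, who is notified, and whether a manual correlation can be made to require approval.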

Platform, Deployment & Configuration Options

Most organizations have a standardized set of processes and technologies that act as a foundation for their IT
infrastructure. The IAM solution you are evaluating should fit into that standardized environment.

PLATFORM, DEPLOYMENT & CONFIGURATION REQUIREMENTS

Does the solution run on a wide variety of enterprise platforms, application servers and database combinations?   SailPoint: Yes   Others:

Does the solution have configurable components that tie to an integrated data store?   SailPoint: Yes   Others:

Does the solution support running in a virtualized application environment such as VMware?   SailPoint: Yes   Others:

Can applications run in a clustered environment for load balancing and/or fail-over purposes?   SailPoint: Yes   Others:

Is the solution available as a pre-configured hardware or software appliance?   SailPoint: Yes   Others:

Does the solution provide pass-through authentication, leveraging existing authentication mechanisms to authenticate users?   SailPoint: Yes   Others:

Does the solution support definition of user roles and assignment of internal access rights based on roles?   SailPoint: Yes   Others:

Does the solution provide out-of-the-box authorization profiles for common user types (Manager, Compliance Officer, Auditor)?   SailPoint: Yes   Others:

Can the internal authorization model be configured based on customer needs?   SailPoint: Yes   Others:

Can customers modify the user interface and reporting templates (color, fonts, headers, footers, logos, etc.) to meet corporate branding requirements?   SailPoint: Yes   Others:

Does the application support end-user personalization of tables and charts?   SailPoint: Yes   Others:

Are user preferences and personalization options stored in between sessions?   SailPoint: Yes   Others:

Does the solution provide standard/reference workflows?   SailPoint: Yes   Others:

Does the solution enable the customization of workflows?   SailPoint: Yes   Others:

Does the solution support re-usable workflow sub-processes?   SailPoint: Yes   Others:

Do utilities or capabilities exist for tracking requests, workflow execution and fulfillment operations?   SailPoint: Yes   Others:

Can deployment configurations be rolled forward in an upgrade?   SailPoint: Yes   Others:

Can deployment configurations be easily migrated between environments (i.e., development, test, staging, and production)?   SailPoint: Yes   Others:

Does the solution integrate with enterprise mail servers?   SailPoint: Yes   Others:

Does the solution provide a batch scheduling utility?   SailPoint: Yes   Others:

Can actions performed by users of the solution be audited?   SailPoint: Yes   Others:

Does the solution timestamp all actions?   SailPoint: Yes   Others:

Does the solution support the ability to scale tasks such as aggregations, identity refresh and certification generation across multiple hosts and threads?   SailPoint: Yes   Others:

Does the vendor support and participate in standards efforts around identity and access management interoperability (e.g., XACML, SPML, SCIM, SAML)?   SailPoint: Yes   Others:

Is an integrated Identity Provider (IdP) capability, providing password-free federated SSO via SAML, included with the solution so that SSO can be provided from any network?   SailPoint: Yes   Others:


Critical Questions to Ask During a Reference Call

Checking vendor references is one of the most important steps in finding the right solution for your organization.
When you have the chance to speak with someone else in the industry who has been down a similar path, ask
questions and follow-up to get specific answers. These sample questions can help you focus on the information you
need from references. Not all of these questions apply to every project, but they provide a good starting point for your
own questionnaire.

1. Can you describe the identity management project that you worked on with this vendor? What was the
main business driver for the project? When did the project begin?

2. Which specific products/modules of the vendor are you deploying?

3. What stage are you in with the product now (design, deployment, production, etc.)?

4. What is the scope of the project in terms of managed users, applications/resources under management?

5. What 2-3 key factors led you to choose this vendor for the project?

6. What other vendors did you evaluate?

7. What went well during your implementation?

8. What went poorly during your implementation?

9. Were you able to meet schedules and deadlines?

10. Did you encounter any hidden costs?

11. Were there any integration issues?

12. What type of production environment (hardware, software) do you run the product in? How well did the
product fit into your production environment?

13. Did you discover things during the implementation that you would have liked to know before you started?

14. Did the vendor provide professional services or did you work with a third-party systems integrator?
How large was the implementation team?


15. If third party, how well did the vendor and systems integrator work together?

16. How would you rate the quality of vendor personnel that you worked with?

17. Did the vendor’s solution “work as advertised” — in other words, did it meet your expectations?

18. Was the vendor’s solution flexible and easy to customize?

19. How would you rate the quality of support you get from the vendor?

20. How well does the vendor handle patches and upgrades?

21. Does the vendor facilitate discussions with peer groups, such as regional user group meetings and
online communities?

22. What do you like least about this vendor? What do you like most about this vendor?

23. If you had to make the decision all over again, would it be the same? If not, why?

24. If you had to assign a letter grade (A-F) to this vendor, what would it be?

25. Is there anything else I should know about this product and company before we make a decision?


SailPoint Identity and Access Management

A Smarter Way to Manage Identity
Finding a solution that can automate key compliance, provisioning and access management processes and
deliver risk-aware identity intelligence makes perfect sense. SailPoint offers market-leading identity and access
management solutions that alleviate the cost and complexity of managing user lifecycles, meeting compliance
requirements, and delivering convenient access to cloud and Web applications. With a centralized, holistic approach
to managing user access across the entire IT environment, SailPoint provides superior visibility into and control
over user access to sensitive applications and data both on-premises and in the cloud — helping you identify and
mitigate risk.
From the ground up, SailPoint solutions are distinctively different from previous generations of identity and access
management solutions. They address the needs of today’s complex enterprise business and IT environment from the
perspective of the business — with readily-available self-service capabilities, intuitive user interfaces, powerful business
process automation, and industry-leading capabilities for discovering and prioritizing identity-related business risks.
IdentityIQ delivers integrated compliance, provisioning, and access management capabilities, all built on a common
governance model. IdentityIQ delivers all IAM services through a consistent user experience, which empowers
business users to participate effectively in a wide variety of IAM processes, including automated access certifications,
policy enforcement, access request and provisioning, password management, single sign-on and identity analytics.
With SailPoint solutions you can provide fast, convenient application access that keeps business users
productive, while improving the efficiency of your infrastructure, reducing operational costs, and improving
security and risk management.

SailPoint IdentityIQ

One Solution for Everything Identity in the Enterprise.


SailPoint IdentityIQ is a complete governance-based identity management solution that provides fast, convenient
access to keep business users productive, and access controls to keep the business safe. IdentityIQ integrates
provisioning, compliance and access management into a unified solution that leverages a common identity
governance framework. Because of this approach, IdentityIQ consistently applies business and security policy
and role and risk models across all IAM activities — from access requests to access certifications and policy
enforcement, to account provisioning, user lifecycle management, password management, single sign-on and
identity analytics.
With on-demand visibility into “who has access to what” and a business-friendly interface, IdentityIQ enables non-
technical users to effectively participate and collaborate with IT in IAM activities. Easy-to-use self-service features
empower end users to request access, sign-on to cloud and Web applications, reset passwords and perform access
reviews without involving IT operations or help desk teams.


The integrated components of IdentityIQ include:

• Compliance Manager - Streamlines the execution of compliance controls and improves audit performance
through automated access certifications and policy management.
• Lifecycle Manager - Combines self-service access request and password management with automated lifecycle
event management to simplify creating, changing, and revoking user access privileges.
• Access Manager - Offers governance-based single sign-on (SSO) across cloud, on-premises web, and mobile
applications through easy-to-use desktop and mobile interfaces.
• Governance Platform - Centralizes identity data and provides a single place to model roles, policies, and risk to
support compliance, provisioning, and access management processes across the organization.
• Connectivity Foundation - Provides flexible options for connecting to enterprise and cloud resources to
aggregate identity data and orchestrate changes resulting from compliance and provisioning processes.

Industry-leading Enterprise IAM for Today’s Hybrid IT Environments


SailPoint IdentityIQ provides a unified approach across core IAM activities leveraging a common identity governance
platform to provide the industry’s richest set of controls spanning the datacenter to the cloud.

IAM Services and Solution Modules

[Figure: IdentityIQ architecture. IAM Services: Single Sign-On, Password Management, Access Certification,
Access Request & Provisioning, Advanced Policy & Analytics. Solution Modules: Compliance Manager, Lifecycle
Manager, Access Manager. Governance Platform: Policy Model, Role Model, Identity Warehouse, Risk Model,
Workflow Engine. Connectivity Foundation: Resource Connectors, Provisioning Integration, Service Desk Integration,
MDM Integration, Cloud Gateway.]

SailPoint IdentityIQ Compliance Manager

With Compliance Manager you can:
• Reduce the cost of compliance by automating labor-intensive compliance processes
• Strengthen controls to address audit deficiencies or weaknesses
• Provide proof of compliance to internal and external auditors
• Proactively detect and prevent inappropriate access and violations of corporate policy
• Enable stronger collaboration across business, IT and audit/compliance teams

Ensure compliance while reducing cost, risk and worry.

For many organizations, compliance is top of mind. So are the complex issues and the difficult and expensive
processes that come with it. That’s why so many organizations are looking to streamline processes and lower the
costs of compliance — while still ensuring the effectiveness and accuracy that auditors demand.
SailPoint IdentityIQ Compliance Manager automates the common auditing, reporting and management activities
associated with a strong compliance program, and integrates identity processes such as access certification and
policy enforcement to deliver the strong detective controls that auditors demand. By taking a risk-aware approach
to compliance, IdentityIQ Compliance Manager helps to prioritize the most critical compliance activities and focus
controls on the users, resources and access privileges that represent the greatest potential risk to the business — and
the greatest possibility of a failed audit.

COMPLIANCE MANAGER AT-A-GLANCE


CAPABILITY / DESCRIPTION

Access Certifications
• Automate access review cycles with flexible scheduling options
• Present data in business-friendly language
• Focus reviewers on exceptions and high-risk items
• Track reviewer progress and actions
• Enforce a closed-loop provisioning process

Policy Management
• Enforce multiple types of access policy across cloud and on-premises applications
• Proactively detect and prevent inappropriate access and violations in real-time
• Prioritize violation response with risk-based approach
• Track and report on violations

Audit Reporting
• Highlight effectiveness of compliance controls
• Track compliance performance through a simple enterprise-wide dashboard
• Archive certification and policy violation history


SailPoint IdentityIQ Lifecycle Manager

With Lifecycle Manager, you can:
• Empower internal and external users to independently register, request new access and change and reset
passwords
• Quickly administer access using automated identity lifecycle events (i.e., hires, transfers, and terminations)
• Gain complete visibility to process execution and service-level monitoring
• Streamline IT operations and offload IT and help desk

Handles access needs at the speed of business.

In today’s world of rapid, constant change, organizations need a consistent, secure and compliant approach to
manage access changes and meet the needs of internal users, as well as external users such as partners and
customers.
That’s why SailPoint IdentityIQ Lifecycle Manager provides convenient, easy-to-use self-service capabilities that
allow users to register, request access and reset their passwords without involving IT or the help desk. By applying
policy to all user lifecycle processes, Lifecycle Manager ensures users acquire only the most appropriate levels of
access, delivering convenience without impacting the organization’s security and risk posture.
To simplify the ongoing process of managing workforce churn, IdentityIQ Lifecycle Manager automates change
to user access resulting from a range of identity lifecycle events (i.e., new hires, transfers, moves or terminations)
through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event
is detected, Lifecycle Manager triggers the required changes by initiating the appropriate business process, including
policy checking and approvals.
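The lifecycle flow described above, as an added toy model in Python (not SailPoint code): an HR event is mapped through a hierarchical role model to a desired entitlement set, the delta against current access is computed, and a preventive policy check runs before fulfillment. The role names, job codes, entitlement strings and the separation-of-duties rule are all hypothetical.

```python
"""Toy model of governance-driven lifecycle provisioning (added example, not SailPoint code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical hierarchical role model: a role carries its own entitlements and
# inherits every entitlement of its parent roles.
ROLE_MODEL: Dict[str, dict] = {
    "employee":     {"parents": [],           "entitlements": {"email:user", "intranet:read"}},
    "accountant":   {"parents": ["employee"], "entitlements": {"erp:ap-invoice-entry"}},
    "ap-approver":  {"parents": ["employee"], "entitlements": {"erp:ap-invoice-approve"}},
    "dept-manager": {"parents": ["employee"], "entitlements": {"hr:team-view", "erp:ap-invoice-approve"}},
}

# Hypothetical preventive policy: separation-of-duties pairs no single identity may hold together.
SOD_POLICIES: List[Tuple[str, str]] = [("erp:ap-invoice-entry", "erp:ap-invoice-approve")]

# Hypothetical mapping from the authoritative HR source (job code) to business roles.
JOBCODE_TO_ROLES: Dict[str, List[str]] = {
    "ACCT1": ["accountant"],
    "MGR1": ["dept-manager"],
    "ACCT-LEAD": ["accountant", "ap-approver"],   # a combination the SoD policy forbids
}

# Entitlements that must go through an approval step instead of being auto-provisioned.
HIGH_RISK: Set[str] = {"erp:ap-invoice-approve"}


def effective_entitlements(roles: List[str]) -> Set[str]:
    """Resolve the role hierarchy: each role's own entitlements plus everything inherited."""
    result: Set[str] = set()
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:              # guard against cycles and shared parents
            continue
        seen.add(role)
        result |= ROLE_MODEL[role]["entitlements"]
        stack.extend(ROLE_MODEL[role]["parents"])
    return result


@dataclass
class Identity:
    name: str
    entitlements: Set[str] = field(default_factory=set)   # what the target systems hold today


@dataclass
class ProvisioningPlan:
    grants: Set[str]
    revokes: Set[str]          # includes accumulated access the new job no longer needs
    needs_approval: Set[str]
    violations: List[Tuple[str, str]]


def plan_for_event(identity: Identity, event: str, job_code: Optional[str] = None) -> ProvisioningPlan:
    """Turn a lifecycle event (hire, transfer, terminate) into a policy-checked provisioning plan."""
    if event == "terminate":
        desired_roles: List[str] = []
    elif event in ("hire", "transfer"):
        if job_code is None:
            raise ValueError("hire/transfer events need a job code")
        desired_roles = JOBCODE_TO_ROLES[job_code]
    else:
        raise ValueError(f"unknown lifecycle event {event!r}")

    desired = effective_entitlements(desired_roles)
    # Preventive control: evaluate policy on the desired state before anything is provisioned.
    violations = [pair for pair in SOD_POLICIES if set(pair) <= desired]
    grants = desired - identity.entitlements
    revokes = identity.entitlements - desired
    return ProvisioningPlan(grants, revokes, grants & HIGH_RISK, violations)


def apply_plan(identity: Identity, plan: ProvisioningPlan, approved: bool = False) -> bool:
    """Fulfil the plan. A policy violation blocks it; unapproved high-risk grants are held back."""
    if plan.violations:
        return False
    held = set() if approved else plan.needs_approval
    identity.entitlements = (identity.entitlements - plan.revokes) | (plan.grants - held)
    return True


if __name__ == "__main__":
    alice = Identity("alice")
    apply_plan(alice, plan_for_event(alice, "hire", "ACCT1"))
    transfer = plan_for_event(alice, "transfer", "MGR1")
    print("transfer revokes:", sorted(transfer.revokes))        # the old AP entry right goes away
    print("needs approval:", sorted(transfer.needs_approval))
    lead = plan_for_event(Identity("bob"), "hire", "ACCT-LEAD")
    print("blocked by policy:", lead.violations)
```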

LIFECYCLE MANAGER AT-A-GLANCE

CAPABILITY / DESCRIPTION

Self-Service Access Request
• Empower users to request and manage access using an e-commerce shopping experience
• Help business users find the right access with keyword and affinity search features
• Facilitate delegated administration by managers and help desk/admins
• Provide visibility to request status and process execution

Password Management
• Allow business users to change and reset passwords
• Automatically detect and synchronize passwords
• Enable delegated password management by managers and help desk/admins
• Enforce strong password policies

Lifecycle Event Management
• Automate access changes based on HR lifecycle events (i.e., hires, transfers, terminations)
• Prevent policy violations and consistently enforce the desired state
• Orchestrate changes across automated and manual provisioning processes
• Gain complete visibility to process execution


SailPoint IdentityIQ Access Manager

With Access Manager, you can:
• Give business users consistent, convenient sign-on to all their cloud and web applications
• Support sign-on from mobile devices using the same security and credentials as from desktops
• Enforce risk-based governance controls, such as strong authentication, when and where needed
• Enable users to easily find and request access to cloud applications based on their job function and roles
• Gain complete visibility into application usage to identify and reduce unused subscription charges

Deliver convenience without sacrificing security or control.

Today’s empowered workforce expects to use whatever technology will make them most productive, whether provided
by the central IT team or not. And, with the consumerization of IT, users expect convenient, on-demand access that is as
easy as downloading mobile applications to a smartphone. IT, however, still needs to maintain control over access while
meeting these more demanding service levels.
IdentityIQ Access Manager empowers users with single sign-on (SSO) to cloud and web applications from any device,
eliminating the need to remember and enter multiple user names and passwords. It delivers a consistent and
convenient SSO experience for the applications that users need every day, including internal web apps such as
portals, Intranets, HR and ERP systems, and commercial SaaS applications.
Because Access Manager is part of the IdentityIQ suite, it leverages enterprise-wide policy and control information
to make access management decisions smarter. Critical information such as high-risk users or highly sensitive
access permissions can be used by Access Manager to enforce strong authentication where needed. Access
Manager also includes application usage agreements to educate users about appropriate use policies and to capture
auditable acknowledgement that users will follow policy.
When new access is requested, it can be automatically provisioned based on the user’s job function or role
within the organization, via seamless integration with IdentityIQ Lifecycle Manager. Access Manager can monitor for
accounts that are not regularly being used and issue alerts to managers to deactivate or automatically de-provision
those accounts.

ACCESS MANAGER AT-A-GLANCE

CAPABILITY / DESCRIPTION

Single Sign-on (SSO)
• Eliminate the need for users to remember and enter multiple user names and passwords for SaaS apps, internal
web apps, and mobile apps
• Provide convenient SSO from mobile devices using the same security and credentials as from the desktop

Strong Authentication and Policy-based Controls
• Enforce strong authentication to apps based on identity risk, such as role membership, privileged account
ownership, or risk score
• Provide strong authentication via a one-time password (OTP) sent to a user’s phone or knowledge-based
authentication (KBA) consisting of challenge/response questions
• Integrate with third-party authentication tools, such as smartcards or OTP tokens
• Educate users on appropriate terms of use policy for SaaS apps

Synchronized SSO and Provisioning
• Provide convenient App Store to add new applications to SSO Launchpad
• Provision access to applications using the same policies and approval processes as for other IT services
• Identify unused or unauthorized accounts and report them back to the appropriate business sponsor for removal
and potential cost savings


SailPoint IdentityIQ Identity Intelligence

With Identity Intelligence, you can:
• Deliver technical information in business-relevant dashboards and reports for stronger collaboration and
communication between business, IT and audit staff
• Analyze and evaluate identity data to improve the effectiveness of detective and preventive controls
• Enhance overall security, compliance and audit performance
• Empower users with better visibility into potential risk factors
• Greatly reduce the cost and burden of compliance-related activities

Analyze access data to spot risks and gain insights.

Organizations strive for better visibility into potential risk factors across their business. With Identity Intelligence
from IdentityIQ, organizations can transform technical identity data scattered across multiple enterprise systems into
centralized, easily understood and business-relevant information. The visibility and insights offered by IdentityIQ
through dashboards, risk metrics and reporting provide a clear understanding of identity and access information and
help to proactively manage and focus identity management efforts strategically across even the most complex
enterprise environments.
IdentityIQ provides out-of-the-box reports and analytics tools that make it easy to track and monitor critical
compliance metrics, lifecycle management processes and access data details across the organization. Advanced
analytics capabilities help users to quickly create ad-hoc reports to support the unique needs of the business as well.
Business-friendly reports provide compliance and audit users with the ability to monitor and analyze the
organization’s performance around key compliance controls including the status of access certifications, policy
violations, remediation activity and risk metrics.
Business and IT users can configure the data available in the IdentityIQ dashboard with at-a-glance charts,
graphs, detailed reports and task status. The dashboard is interactive, allowing users to drill down into the source
data. Each user’s dashboard is tailored to his or her role and can be customized by the user with easy drag-and-drop
formatting and content selection.

IDENTITY INTELLIGENCE AT-A-GLANCE

CAPABILITY / DESCRIPTION

Reporting and Analytics
• Access predefined reports for compliance, provisioning and access management
• Leverage report designer for custom reporting requirements
• Gain needed information on-demand with powerful advanced search capabilities

Personalized Dashboards
• Notify users of required actions with “visual alerts”
• Provide one-click entry into access request, password management and compliance activities
• Deliver at-a-glance charts, graphs and reports with drill-down capabilities
• Highlight scheduled compliance events and the status of in-process tasks


SailPoint IdentityIQ Governance Platform

With the Governance Platform, you can:
• Centralize data into a common Identity Warehouse shared by all IAM processes
• Mine, model and manage roles that are leveraged across all IAM processes
• Dynamically assign risk scores for users and resources to better focus and prioritize controls
• Define and leverage access policies for detective and preventive control across all IAM processes

Centralize identity data and leverage one model for policy, risk, and roles across all IAM processes.

Traditional approaches to identity management treat governance, provisioning and access management as
separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance
initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more
innovative and effective approach is required to streamline all these efforts — one that allows access management,
governance and provisioning processes to leverage a common framework for roles, policy and risk management.
The SailPoint IdentityIQ Governance Platform lays the foundation for effective identity and access management
within the enterprise by establishing a framework that centralizes identity data, captures business policy, models
roles and takes a risk-based approach to managing users and resources. The Governance Platform allows
organizations to build consistent preventive and detective controls that span all critical IAM business processes:
access certifications, access request, single sign-on, password management, and automated provisioning. Likewise,
reporting and analytics are consistent across all identity and access management data.

GOVERNANCE PLATFORM AT-A-GLANCE

CAPABILITY / DESCRIPTION

Identity Warehouse
• Leverage single system of record for identity data across all IAM functions and activities
• Import data using out-of-the-box connectors or via flat files

Policy Model
• Define and implement detective and preventive controls across compliance, access management and
provisioning processes
• Proactively identify and route violations for review or immediate revocation

Role Model
• Define flexible role types that enforce “least privilege” access
• Discover business and IT roles based on identity attributes and entitlements
• Provide automated role approvals, role certifications, role quality metrics and role analytics
• Use “what-if” analysis to see impact of changes before they are implemented

Risk Model
• Locate and identify areas of risk across users and applications
• Calculate and assign unique identity risk score
• Continuously update risk scores based on changes to user access

Workflow Engine
• Orchestrate the logical sequence of business process steps that support compliance and provisioning processes
• Offer a visual business process modeler to support the design of complex, multi-step workflow processes
• Leverage a unique data-driven model to orchestrate business processes and generation of end user forms

SailPoint IdentityIQ Connectivity Foundation

With Connectivity Foundation, you can:
• Speed the provisioning of access changes to your managed resources
• Seamlessly manage access changes across on-premises and cloud resources
• Lower costs associated with managing access changes through automation
• Orchestrate changes to user access using your choice of fulfillment processes
• Track and document all provisioning changes for auditors

Establish a connectivity footprint to administer and govern user access.

In today’s complex IT environment, managing changes to user access can seem like a daunting task for business
and IT users alike. Business users want a simple, consistent process for requesting changes. IT operations teams want
the flexibility to implement changes in the most cost-effective way, and they need to be able to handle hybrid IT
environments with a mix of on-premises and cloud resources.
The IdentityIQ Connectivity Foundation provides flexible integration options, including direct connectors to over
eighty cloud and on-premises resources, along with integration options for other provisioning vehicles, such as
third-party provisioning tools, service desk systems, mobile device management systems, and even manual
provisioning processes. IdentityIQ seamlessly orchestrates how changes get fulfilled across multiple fulfillment
mechanisms, giving organizations maximum flexibility to provision changes in whatever way they choose while
providing superior visibility.
To extend connectivity to resources in public and private clouds, IdentityIQ provides the Cloud Gateway, which
synchronizes access changes over a secure, encrypted connection between IdentityIQ and enterprise systems
in different networks. The Cloud Gateway also allows customers or partners to host IdentityIQ in the cloud and
seamlessly connect to on-premises resources.
SailPoint recognizes that many organizations have significant investments in legacy provisioning systems. To
maximize existing investments in these systems, SailPoint offers Provisioning Integration Modules (PIMs) for a variety
of third-party provisioning solutions. IdentityIQ also provides Service Desk Integration Modules (SIMs) that
automatically generate help desk tickets, and it can create manual work items to assign and track the progress of
change requests within IdentityIQ.

CONNECTIVITY FOUNDATION AT-A-GLANCE

CAPABILITY / DESCRIPTION

Cloud and On-premises Resource Connectors
• Speed provisioning of access changes to managed resources on-premises and in the cloud with over 80 out of
the box connectors
• Support rapid deployment to custom applications

Third-Party Provisioning Integration
• Leverage third party provisioning solutions to import data or provision changes to target systems

Service Desk Integration and Work Queues
• Generate help desk tickets or manual work items to fulfill access changes

Cloud Gateway
• Extend identity and access management capabilities to public/private cloud environments or host IdentityIQ in
the cloud and connect to datacenter applications

MDM Integration
• Apply corporate IAM policies and controls to personal mobile devices

The SailPoint Advantage

Future-proof Your IAM Strategy with SailPoint
Only SailPoint brings a unique combination of strengths to bear on every aspect of the new challenges of identity
and access management. With innovative, industry-proven technology, a strong heritage in IAM, and the only truly
integrated IAM suite in the market, SailPoint is equipped to help any organization run a successful identity and
access management program. Here’s why SailPoint is the best choice for enterprise-class identity and access
management worldwide:

• Cross-domain IAM — We seamlessly manage access to both cloud and on-premises resources, giving you the big
picture across all your resources, with unified compliance, provisioning, and access management.
• Mobile-enabled IAM — We provide single sign-on to applications from any device, anywhere, anytime, and we
integrate with Mobile Device Management (MDM) solution providers to extend governance and provisioning to
mobile applications and data.
• Consumer-simple — We provide self-service capabilities and user-friendly interfaces to empower internal and
external users to successfully manage their access needs independent of IT, but within the confines of IT security
and policy.
• Built-in Governance — We provide a single framework that centralizes identity data and defines a common
policy, role, and risk model to manage users and resources. This framework allows you to build a single preventive
and detective control model to support all identity and access management business processes.
• Identity Intelligence & Analytics — We centralize visibility to access risks across the entire enterprise and
provide meaningful insights to help you make effective business decisions. You get one central view across
compliance, provisioning, and access management.
• Unified architecture — SailPoint is the only IAM provider to deliver a fully integrated, unified IAM solution that
spans governance, provisioning, and access management. SailPoint’s solutions are built on a common platform,
giving our customers a solution that is easier to deploy, easier to maintain and easier to use.
• Enterprise scalability and performance — Our solutions deliver streamlined and secure IAM systems that scale
to accommodate growth in user populations, application coverage, and new business units brought on board.
We manage some of the largest IAM implementations in the world spanning thousands of applications, hundreds
of thousands of users, and millions of entitlements.

“SailPoint is one of the faster-growing organizations within the IAM sector. [SailPoint’s] growth figure was more than
double that of its nearest competitor and has been a strong measure of the company’s success for the last three years.”
Ovum IAM Decision Matrix, 2013

Glossary

A

Access Certifications: The periodic review of user access privileges in order to validate that access privileges align
with a user’s job function and conform to policy guidelines. Access certifications are commonly used as an internal
control to ensure compliance with Sarbanes-Oxley and other regulations.

Access Control: The system controls and surrounding processes that grant or deny parties the capability and
opportunity to access systems (i.e., gain knowledge of or to alter information or material on systems).

Access Management: Systems or processes used to control authentication and authorization to resources within an
organization, such as files, applications, systems, devices, etc. Access management is often based on a role and rule
evaluation system to grant or deny access to an object in the organization.

Access Privileges: The access rights that a user has to a system resource, such as the right to access, view, modify,
create, or delete.

Access Request: Systems or processes used to request new access, make changes to existing access, or remove
access to resources within an organization.

Account Management: A set of processes to manage authentication in connected systems. This primarily involves
the creation and deletion of user accounts in the connected system.

Active Directory: A Microsoft application that provides authentication and authorization resources to Microsoft
Windows and other Windows applications.

Activity Monitoring: A means to monitor user actions (e.g., access to systems, modifications to data) using log data
collected from systems or applications.

Aggregation: The collection and correlation of identity data from enterprise applications into a centralized identity
data repository.

Application Store or App Store: A service that allows users to browse and download applications.

Approval Workflow: A business process that automates gathering approvals from authorized users for requested
changes to identity artifacts such as user access rights or role definition.

Assertion: A claim, such as to be a particular identity or a member of a group. Usually requires proof via a
credential, i.e., a user ID and password pair.

Attestation: Alternate term for access certification, the periodic review of user access privileges in order to validate
that access privileges align with a user’s job function and conform to policy guidelines.

Attribute: A single piece of information associated with a digital identity. Examples of attributes are name, phone
number, and institution affiliation. Each piece of identifying information about a user can be thought of as an
attribute of that user. Users have identity attributes, each of which may be stored on one or more target systems.

Audit: The independent review and examination of records and activities to assess the adequacy of system controls,
to ensure compliance with established policies and operational procedures, and to recommend necessary changes
in controls, policies, or procedures.

Audit Deficiency: Auditor’s finding that an IT control is not effective. The term is commonly used in SOX audits to
flag a control deficiency that could adversely affect the company’s ability to report external financial data reliably.

Audit Log: A log that captures a record of events that have occurred within a system or application. For example, an
audit log may contain all logins made to the system, the name of the persons making the logins, the time the logins
occurred, etc.

Authentication: The process of establishing confidence in the validity of a claimant’s presented identifier, usually as
a prerequisite for granting access to resources in an information system.

Authoritative Source: The system that contains the definitive online value for a particular identity attribute. In some
cases, a system is authoritative because it creates the value (for example, employee ID number). In other cases, a
system is authoritative because it is the place where a user must go to enter the information (for example, cell
phone number).

Authorization: The process of granting or denying access to an information resource based on defined policy.

B

Basel II: A set of banking regulations put forth by the Basel Committee on Bank Supervision, which regulates finance
and banking internationally. Basel II attempts to integrate Basel capital standards with national regulations, by
setting the minimum capital requirements of financial institutions with the goal of mitigating financial and
operational risks.

Biometric: A physical trait or behavioral characteristic that can be used for the purposes of identification or
verification. A good biometric should be unique to an individual, stable over time, quick and easy to present and
verify, and not be easily duplicated by artificial means.

Breach: The successful defeat of security controls, which could result in an unauthorized penetration of a system or
application; a violation of controls of a particular system such that information assets or system components are
unduly exposed.

BYOA: Bring Your Own Application refers to the policy of permitting employees to access personal application
accounts (e.g., Facebook, LinkedIn, TripIt) while in the workplace.

BYOD: Bring Your Own Device refers to the policy of permitting employees to bring personally owned mobile
devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company
information and applications.

C

Certification: See Access Certifications

Cloud Computing: Computing service that is delivered over the Internet with three distinct characteristics: the
service is sold on demand; the service is elastic — a user can have as much or as little of a service as they want at
any given time; and the service is fully managed by the service provider (the consumer needs nothing but a web
browser).

Credential: A means to authenticate a claimed identity, usually meaning the private part of a paired identity
assertion (user ID is usually the public part). Credentials can change over time and may be revoked.

Compliance: Conforming to a specification or policy, standard or law that has been clearly defined. Policies can be
derived from internal directives, procedures and requirements, or from external laws, regulations, standards and
agreements. These laws can have criminal or civil penalties or can be regulations.

Continuous Compliance: Using processes and tools to meet compliance requirements in an automated, consistent,
and predictable manner, rather than treating compliance as a one-time event.

Correlation: The process of combining identity data from disparate data sources into a common schema that
represents an identity. Identities can be linked automatically to application accounts and access rights using
correlation rules or manually using a tool to establish the correct links.

CSV: A comma separated values file is a data file used for the digital storage of data structured in a table of lists
form, where each associated item (member) in a group is in association with others also separated by the commas
of its set.

D

Dashboard: A reporting mechanism that aggregates and displays metrics and key performance indicators (KPIs),
enabling them to be examined at a glance by all manner of users before further exploration via additional business
intelligence (BI), performance management (PM) and analytics tools.

Datacenter: A facility used to house computer systems and associated components, such as servers (e.g., web
servers, application servers, database servers), switches, routers, data storage devices, load balancers, wire cages or
closets, vaults, racks, and related equipment.

Delegation: A process where a reviewer or approver can pass his decision authority to another user, either
temporarily or permanently.

Deprovisioning: A process to delete a user account in a system.

Detective Control: A procedure, possibly aided by automation, that is used to identify events (undesirable or
desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.

Directory: A shared information infrastructure for locating, managing, administering, and organizing common items
and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers
and other objects.

E

Entitlement: A specific value for an account attribute, most commonly a group membership or a permission. A
security entitlement is a right granted to a user’s account on a given system to access some data or function.

Entitlement Creep: An access control vulnerability that results from workers accruing access privileges over time
through transfers, promotions, or simply through the normal course of business. When workers accrue entitlements
beyond what they actually need to do their job, organizations become exposed to unnecessary business risks.

Entitlement Management: A mechanism for centrally defining the applications and services to which a user may
be given authorization. It is the process of granting, resolving, enforcing, revoking and administering fine-grained
access entitlements (also referred to as “authorizations,” “privileges,” “access rights,” “permissions” and/or “rules”).

Escalation: A process to alert, notify, or delegate an action when a reviewer or approver fails to respond to a request
after a defined period of time.

59 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION


A BU Y E R’S G UI D E

Extensible Access Control Markup Language (XACML): An open standard XML-based language designed to express security policies and access rights to information for Web services, digital rights management (DRM), and enterprise security applications.

F

Federation: A set of agreements which allow an organization to trust the authentication provided by a separate organization and provide authorization based on that authentication result. The goal of federation is to allow users to access resources in multiple organizations in a seamless manner.

G

Governance: The system of rules, practices and processes by which an organization is directed, measured and controlled.

Gramm-Leach-Bliley Act (GLBA): Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain information sharing practices.

Group: A collection of users to simplify access control to computer systems. Traditionally, groups are static: one defines a group by individually selecting its members. In dynamic groups, however, all users which match specified search criteria will be considered a member of this dynamic group.

H

Hierarchical Role Model: In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the “employee” role. Above this may be roles “department manager” and “accountant,” which inherit all permissions of the “employee” role.

HIPAA (Health Insurance Portability and Accountability Act): Federal legislation enacted in the United States to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. HIPAA mandates security mechanisms to ensure confidentiality and data integrity of any information that personally identifies an individual.

Hybrid IT: Hybrid IT is an approach to enterprise computing in which an organization provides and manages some information technology (IT) resources on-premises (in the datacenter) but uses cloud-based services for others.

I

Identity Cube: A multi-dimensional view of each identity and their associated access and attributes.

Identity Governance: Identity management software that automates the rules, practices and processes to manage and control user access to critical applications and data. Identity governance allows organizations to improve accountability and transparency, meet compliance mandates and better manage risk.

Identity Key: A single value used (and usually generated) by an identity store to uniquely identify each identity.

Identity and Access Management (IAM): Software that automates the business processes required to manage electronic identities and their related access permissions. This ensures that access privileges are granted according to one interpretation of policy and all individuals and services are properly authenticated, authorized and audited.

IAM-as-a-Service (IDaaS): IAM software that is hosted in the cloud, delivered as a cloud service, and managed by a third-party service provider.

Identity Provider (IdP): A system that creates, maintains, and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network.

Identity Store: A system which maintains identity information. An identity store is often an authoritative source for some of the information it contains.

Insider Threat: The potential risks of fraud, theft, sabotage, or privacy breaches that originate from workers inside an organization with access to sensitive applications and data.

Interface: Technology that allows a user to communicate with and use computer software; it can include the display screen, keyboard, mouse, the appearance of the desktop, characters, colors, help messages, etc.

Internal Controls: Processes designed to help organizations prevent and detect fraud and protect sensitive assets. Internal controls are usually a means by which an organization’s processes and IT resources are reviewed, monitored, and measured.

L

Last-Mile Provisioning: The process for implementing changes on target resources based on user lifecycle changes.

LDAP (Lightweight Directory Access Protocol): Set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information.

Least Privilege: A concept that seeks to restrict a user’s access (e.g., to data or applications) or type of access (e.g., read, write, execute, delete) to the minimum necessary to perform his or her duties.

M

Material Weakness: Auditor’s finding that an IT control is severely deficient. The term is commonly used in SOX audits to indicate that a material misstatement of financials cannot be prevented or detected.

Model Audit Rule (MAR): A mandate effective January 1, 2010 that requires non-public insurers in the United States to prove that they have effective controls over the integrity of financial systems and data. Similar to Sarbanes-Oxley, MAR requires more transparency, tighter adherence to internal controls and better corporate governance.

Multi-Factor Authentication: An authentication process that requires multiple elements. The elements are usually grouped into three categories: something you know (a password, pass phrase, or PIN); something you have (a token or smart card); or something you “are” (a fingerprint, voice print, or retina scan).

N

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): A framework developed to protect the ongoing reliability of the North American bulk power system that was approved in early 2008. The CIP standards require utilities to identify and secure their critical cyber assets.

O

OAuth: An open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end user). It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

Offboarding: A process for removing access when users, such as employees, contractors, partners, or customers, leave an organization.

Onboarding: A process for granting access when users, such as new employees, contractors, partners, or customers, join an organization.

On-premises or “on-prem”: Software that is installed and run on computers in the facility (building) of the person or organization using the software, rather than at a remote facility, such as a cloud service provider.

One-Time Password (OTP): A password that is valid for only one login session or transaction, generated by an algorithm when a user needs to authenticate. The OTP is commonly sent to the user’s mobile device or security token.

OpenID: An open standard that describes how users can be authenticated using a third-party service (known as Relying Parties or RP), obviating the need for organizations to provide their own authentication systems and allowing users to consolidate their digital identities.

OpenID Connect: An open standard that performs many of the same tasks as OpenID, but does so in a way that is API-friendly and usable by native and mobile applications. The standard is a simple identity layer on top of the OAuth 2.0 protocol and allows clients to verify the identity of the end user based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the end user in an interoperable and REST-like manner.

Orphan Account: An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failure to remove access privileges when workers terminate or transfer jobs and are a frequent focus for IT auditors looking for security risks.

P

Password: A form of secret authentication data that is used to control access to system services. It enables the holder of an electronic identifier to confirm that he or she is the person to whom the identifier was issued. A credential: something only the user knows and that the authenticator can confirm.

Password Management: Automation of the process for controlling, setting, resetting and synchronizing passwords across systems.

Password Policy: A set of requirements regarding password creation, storage, and usage. These requirements often constrain several characteristics of passwords.

Password Reset: A process or technology that allows users who have either forgotten their password or triggered a lockout to authenticate with an alternate factor and then define a new password.

Password Synchronization: A solution that takes a password from a user and changes the passwords on other resources to be the same as that password.

Preventive Control: An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on its business.

Payment Card Industry (PCI) Data Security Standard (DSS): A standard developed by the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

Policy: An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates.

Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization.

Private Cloud: A form of cloud computing that is used by only one organization or ensures that an organization’s cloud is completely isolated from others. When a service provider uses public cloud resources to create a private cloud, the result is called a virtual private cloud.

Privileged Account: A privileged account is a login ID on a system or application which grants more powerful access rights than a normal user. Privileged accounts are typically used by system administrators to manage systems, or to run services on systems, or by one application to connect programmatically to another.

Policy Evaluation: Rules that automatically enforce policy by checking an operation for policy violations before granting it.

Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity. Automated user provisioning is intended to speed and simplify the administration of users and their access privileges. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.

Public Cloud: A cloud computing environment that is open to the general public and delivered via the Internet, outside of any enterprise firewall. Public cloud computing uses cloud computing technologies to support customers that are external to the provider’s organization. Using public cloud services generates the types of economies of scale and sharing of resources that can reduce costs and increase choices of technologies.

R

Resource: A system, application, database, or other object under management by an identity management system.

Reassign: An action that transfers responsibility for performing an operation to a different person.

Reconciliation: A process that periodically compares identity data in an Identity Management solution with the data actually present on managed resources. Reconciliation correlates account data, highlights differences, and can invoke workflow to alert or make changes to the data.

Remediation: The act or process of remedying a compliance problem or issue, such as a policy violation.

Reverse Proxy: Software that provides a single point of authentication to web servers on an internal network. The reverse proxy architecture has the advantage of not requiring software to be installed on each web application.

Revocation: The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification.

Risk: The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact if this should occur.

Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.

Risk Management: The total process of identifying, controlling, and mitigating risks.

Risk Mitigation: A process to reduce either the probability or the consequences of a threat. Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts.

Risk-based Authentication: A method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive.

Role: A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.

Role Assignment: The process of granting roles to users. A role may be implicitly assigned to a user, i.e., some database will include a rule of the form “users matching requirements X should be automatically assigned role Y.”

Role-Based Access Control (RBAC): A model that limits user access based on the user’s role within an organization.

Role Creation: The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.

Role Certification: The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.

Role Lifecycle Management: The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics.

Role Management: Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed: the entitlements associated with a role must be reviewed and updated, and the users assigned the role, implicitly or explicitly, must be reviewed and changed. Role Management includes the business processes used to effect these reviews and changes.

Role Model: A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/role membership and role set activation. A role model is a set of role definitions and a set of implicit or explicit role assignments.

Rules: A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates.

S

SAML: Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).

Sarbanes-Oxley Act (SOX): Also known as the “Public Company Accounting Reform and Investor Protection Act,” a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S.

Security Information and Event Management (SIEM) Technology: Security information management (SIM) provides log management (the collection, reporting and analysis of log data) to support regulatory compliance reporting, internal threat management and resource access monitoring. Security event management (SEM) processes event data from security devices, network devices, systems and applications in real time to provide security monitoring, event correlation and incident response. The technology can be used to discover activity associated with a targeted attack or a security breach, and is also used to satisfy a wide variety of regulatory requirements.

Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.

Separation of Duty (SoD): An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. It refers to mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a system. As a security principle, it has as its primary objective the prevention of fraud and errors. This principle is demonstrated in the occasional requirement for two signatures on a bank check, or by preventing a person from authorizing their own workflow requests. Also sometimes called Segregation of Duties.

Service Account: A type of shared account that is used for application-to-application communications when secured access must be granted by one system to another system.

Shared Account: A login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared by administrators: for example, root, sa or Administrator.

System for Cross-Domain Identity Management (SCIM): An open standard used to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary create, read, update, and delete (CRUD) operations.

Single Sign-On (SSO): An authentication process where the user can enter one username and password and have access to a number of resources within an enterprise, eliminating the need to separately authenticate and sign on to individual applications and systems.

Software-as-a-Service (SaaS): A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over the Internet, usually on a pay-as-you-go basis. SaaS software is owned, delivered and managed remotely by one or more service providers.

Solvency II: A risk-based regulatory framework, in effect since 2012, that applies to all insurers in EU member states. Solvency II seeks to instill risk awareness into the governance, operations, and decision-making of the European insurance business.

Step-up Authentication: Method for determining a required level of authentication based on a defined policy set on a resource. Based on policy evaluation, the user can be required to step up the level of authentication to access any given resource (e.g., use multi-factor authentication).

Token: Either software or hardware used as an authentication factor to access an information system. Hardware tokens are small devices, typically either the size of a credit card or key fob, which compute a one-time password. A software token performs the same function as a hardware token except that it is installed as a piece of software on a device that the user already has, such as a cell phone or tablet.

Transparency: The availability of full information required for accountability, risk management, and collective decision making.

U

User: Any person who interacts directly with a computer system. Users are people whose access to systems and identity information must be managed.

User Lifecycle Management: The process for automating and managing user onboarding, promotions and transfers, and offboarding.

Resources

For further information on the topic of identity management, try these links to experts, websites and publications.

Websites

www.sailpoint.com
blog.sailpoint.com

Analysts

Forrester
Identifies and analyzes emerging trends in technology and their impact on business.
www.forrester.com

Gartner
Provides research and analysis of the computer hardware, software, communications, and related information technology industries.
www.gartner.com

IDC
Provides data, analysis and advisory services on information technology (IT) markets, trends, products, vendors, and geographies.
www.idc.com

KuppingerCole
Provides research and analysis focused on information security, both in classical and in cloud environments.
www.kuppingercole.com

Ovum
Provides analysis and guidance focused on converging technologies and markets, including telecommunications, software and IT services.
www.ovum.com

Membership Organizations

Cloud Security Alliance
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
www.cloudsecurityalliance.org

Internet Engineering Task Force (IETF)
IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The organization has adopted a working group dedicated to the development of SCIM.
www.ietf.org

(ISC)²
The global leader in educating and certifying information security professionals throughout their careers. A network of certified information security professionals. Members have access to current industry information, networking opportunities, discounts on industry conferences and valuable career tools.
www.isc2.org

National Institute of Standards and Technology (NIST)
NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
www.nist.gov

OASIS
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization, along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.
www.oasis-open.org

Magazines

Australian IT
Weekly supplement to The Australian covering the latest trends in the Australian technology market as well as features and reviews about new products and technology.
www.australianit.com.au

CIO Magazine
Resource for Chief Information Officers. Technology executives can find articles, research, events, and CIO communities.
www.cio.com

ComputerWeekly.com
Focused on the UK market, the news site offers business and technical information alongside independent analysis and views on technology, strategy and careers.
www.computerweekly.com

CSO Magazine
Provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
www.csoonline.com

Dark Reading
Designed as a news source for enterprise IT and network security professionals, the site provides up-to-date information about products, management strategies, architectures and security policy.
www.darkreading.com

The Data Breach Blog
Focused on providing the latest updates on security breaches, the blog discusses data and web security.
www.scmagazineus.com/the-data-breach-blog/section/1263

eWEEK
Features breaking technology news and in-depth analysis and reviews targeted toward IT decision-makers on building their enterprise infrastructure.
www.eweek.com

Information Age
Focuses on the strategies and technologies involved in maximizing business performance through effective information and technology management. Aimed at UK-based executives involved in the application of technology for strategic, competitive advantage and improved efficiency.
www.information-age.com

Network World
Provides information, intelligence and insight for network and IT executives, with an editorial focus on delivering news, opinion and analytical tools for key decision makers who architect, deploy and manage business solutions.
www.networkworld.com

SC Magazine
Aims to provide IT security professionals with in-depth and unbiased information. Each monthly issue contains news, analysis, features, contributions from thought leaders and product reviews. Established in 1989, it is the longest established IT security title in the United States.
www.scmagazine.com

SearchCloudComputing
Created to help information technology (IT) professionals, application developers and chief information officers (CIOs) stay well-informed on the rapidly advancing topic of Cloud Computing. Offers content to serve the unique needs of all members involved in cloud computing decisions at an enterprise level.
www.searchcloudcomputing.techtarget.com

Get Started

Don’t Worry, Be Ready.

With SailPoint identity and access management, you’ll be ready no matter what the future brings. SailPoint helps you tackle tomorrow’s challenges today. Whether you’re replacing legacy provisioning solutions with a next-generation approach, delivering secure and convenient access to cloud apps, managing mobile access, or thinking about migrating IAM systems to the cloud, SailPoint’s got you covered. Don’t let your IAM investment fall behind. Be ready for whatever comes your way – with SailPoint.

Managing the Business of Identity

SailPoint, the industry leader in identity and access management, empowers the world’s largest organizations to accelerate business performance, mitigate risk, reduce IT costs and ensure compliance. The company’s innovative on-premises and SaaS IAM solutions provide superior visibility into and control over user access to sensitive applications and data, regardless of where they reside. SailPoint’s product suite provides customers a unified solution for compliance, user provisioning, access management, and identity intelligence — all based on an integrated governance model. Founded in 2005, the company is headquartered in Austin, Texas, and has offices in Australia, France, Germany, Great Britain, India, Netherlands, Singapore, South Africa, and Switzerland.

Corporate Headquarters
11305 Four Points Drive
Building 2, Suite 100
Austin, Texas 78726
512.346.2000
USA toll-free 888.472.4578
www.sailpoint.com

Global Offices
UK +44 (0) 845 273 3826
Netherlands +31 (0) 20 3120423
Germany +49 (0) 69 50956 5434
Switzerland +41 (0) 79 74 91 282
Australia +61 2 82498392
Singapore +65 6248 4820
Africa +27 21 403 6475

About SailPoint
As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of the world’s largest organizations securely and effectively deliver and manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. The company’s innovative product portfolio offers customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). For more information, visit www.sailpoint.com.

© 2013 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies. 1113-4006