Identity and Access Management Buyer’s Guide
What’s Inside
Glossary 56
Resources 67
Get Started 71
Don’t worry, be ready with SailPoint.
Kevin Cunningham
President and Founder, SailPoint
Gone are the days when IAM success was defined by automating internal user provisioning to a few birthright
applications and leaving everything else to the helpdesk, or providing single sign-on to web applications inside the
firewall. The answer to yesterday’s business needs is not the answer to today’s complex business challenges. In
today’s world, IAM solutions need to deliver access services efficiently and cost-effectively to internal and external
users. They must manage resources in the datacenter and in the cloud, while delivering identity services to almost any
device — desktops, tablets and smartphones, all while meeting compliance requirements around security and privacy.
Faced with these multi-faceted challenges, the right approach should be formulated with sustainability in mind.
Identity and access management must address the immediate, tactical needs facing the organization, but at the
same time it must be part of a strategy for long-term business improvement. Here are some key issues to consider
as you formulate your IAM strategy:
• Rapid adoption of cloud apps by the business is a reality. You can no longer assume that all critical applications and data will reside inside the corporate network. A growing number of new applications will be deployed “as a service” from the cloud, and you will need to provide access controls and governance over them in the same manner as on-premises applications.
• Mobile access and “bring your own device” (BYOD) are trends that can’t be ignored. In many cases, your organization will no longer own the endpoint device (e.g., personal phone or tablet). Access to corporate assets in the cloud can now occur from a variety of devices, without ever touching the corporate IT infrastructure, yet access must still be controlled and managed.
• As the complexity of the IT environment grows, you don’t have time to waste integrating disparate
tools. You need to manage IAM as a set of integrated business functions — not functions that operate in
silos. Deploying “cloud-only” solutions or buying governance, provisioning, or access management solutions as
separate products limits your visibility and control — and it increases the cost and complexity of IAM projects.
• Governance should be considered a fundamental component across all identity and access
management processes — not something auditors work on after the fact. By embedding policy and controls
throughout all identity processes, organizations can achieve ongoing, sustainable compliance and reduce the
need for after-the-fact remediation and expensive manual processes.
• IT can’t do it all. You need to involve the business units and business users in IAM processes where appropriate. To empower the business and speed the delivery of services, you need simple, intuitive self-service capabilities for signing on to applications, requesting access, and resetting passwords. You also need the support of the business to identify sensitive resources, define access policy, and better manage risk.
To keep pace with today’s modern IT environments, organizations must embrace a new approach to identity and
access management — balancing the needs of business enablement, security and cost containment. Traditional IAM
approaches treat governance, provisioning and access management as separate activities, making it costly, complex
and burdensome to enforce access controls, meet compliance requirements and carry on the day-to-day work of
meeting increasingly demanding service level requirements. A more innovative and effective approach is required
to streamline all of these efforts — one that allows compliance, provisioning and access management processes to
leverage a common governance framework for roles, policy and risk management — across all resources from the
datacenter to the cloud. This evolution involves four critical shifts, including:
• Bridging cloud and on-premises IT: Silos make sense for a wheat farm, but not for your server farm. To
effectively manage risk and gain insights to make your workforce more productive and secure, it is imperative
that you gain visibility and control of users’ access rights and activity that spans on-premises IT and cloud
services. What is required is true cross-domain IAM — that manages and controls access across datacenter and
cloud applications.
• Extending IAM to personal mobile devices: Today’s business users expect convenient access to cloud and
web applications from any device — at work, home or on-the-go. The right IAM solution can help you more
effectively apply security policy, detect violations and ensure regulatory compliance no matter how and where
applications are accessed. Look for IAM solutions that integrate out-of-the-box with mobile device management
(MDM) tools to extend enterprise management and control to corporate applications and data on mobile devices.
• Seamless integration of access and identity: Providing access management and single sign-on capabilities
from a unified identity and policy data store not only provides greater flexibility to respond to business changes,
but can greatly reduce the total cost of ownership. Your IT team can focus more on protecting the business and
providing innovative services, with no more redundant servers and middleware to maintain, nor duplicate data
and policy stores to synchronize.
• Delivering IAM for the business: The right IAM solutions facilitate collaboration between IT and business
teams through easy-to-use graphical user interfaces and intuitive dashboards. Today’s IAM tools need to be
simple enough for non-technical users to participate in business processes such as single sign-on, access
request, access certification, policy definition, and password management.
• There are growing populations of external users, such as partners, agents, and customers, that need access;
• New users come on board daily, requiring immediate access to enterprise resources;
• Users’ responsibilities change, or their relationships with the enterprise end, and access must quickly be modified
or revoked;
• Users want fast, convenient access to resources anytime, anywhere using smartphones and tablets; and
• Some applications and users represent a higher level of risk to the organization than others and require
more focus.
For IT staff, the challenge becomes how to meet service-level demands while identifying and managing high-risk
activities, enforcing policy and security, maintaining stringent controls and addressing compliance requirements.
Because there are many different business drivers for identity and access management, you may wonder how and
when to put the different components of a solution in place. The answer depends on your business priorities and the
immediate challenges facing your organization.
To get started, step back and assess your most urgent issues. Do you understand what you want your solution to
help you achieve? Here are some common business goals that can help you determine your own unique priorities:
So let’s look in more detail at the business drivers for identity management — the goals organizations most
frequently hope to achieve with their implementation.
“I can’t keep up with the incoming requests for managing user access across the organization. There’s got to be a better way!”
Given the fast-paced and dynamic environment of business today, IT organizations are challenged to keep up with the demand for identity and access management services, and to do so in a compliant manner. Business users cannot wait days or weeks for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated.
Changes to user access must be performed in near-real time, while remaining a controlled and auditable process that is visible to the business. The current state of IAM in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:
What organizations need is an easier, more cost-effective way to deliver access to the business. With the right
self-service tools, business users can manage their own access, from requesting new accounts or roles to recovering
forgotten passwords, using intuitive, business-friendly interfaces. In addition, today’s user provisioning solutions offer easy-to-configure options for automating the entire access lifecycle of a user based on event triggers from authoritative sources — to minimize the need for manual changes.
By providing an integrated approach that leverages business-friendly self-service access request tools and
automated lifecycle event triggers, identity and access management can streamline the delivery of user access
across your organization while continuously enforcing governance rules and compliance policies. It also empowers business users to become active participants in the identity and access management process, enabling them to manage their own access and passwords while providing them with full visibility into active requests, thereby reducing the workload on help desk and IT operations teams.
“Our business users have to remember so many passwords, they’re writing them on yellow sticky notes in plain view.”
Whether you’re using identity management for internal users (employees and contractors) or external users (partners, agents, customers), you want to implement technologies that reduce the burden of accessing business services. Having the right identity and access management strategy can reduce internal costs and improve productivity, but it can also contribute to revenue growth and profitability, as more and more “users” are business partners, agents or customers.
As IT becomes more “consumerized,” all types of users expect quick, convenient access. And that access is no longer limited to logging in from a corporate laptop or PC — today’s workers want access anytime, anywhere, via any device. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute — and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear.
Here are some questions you should consider as you plan your strategy to ensure your IAM solution delivers
convenience and improves user adoption and productivity:
• Do you make it as simple as possible for new users to register and begin using your business services — even if
they have no prior relationship with your organization?
• Can users request new access from a self-service tool without having to call the help desk?
• Do you provide simple password reset capabilities for users who have forgotten their username and passwords?
• Do you offer users a streamlined and personalized single sign-on experience for all the applications, regardless of
where they are hosted or how employees access them — via a desktop, laptop or mobile device?
• Do you use risk-based authentication to ensure that low-risk transactions are as easy as possible, but high-risk
transactions require more assurance?
“We’ve lost visibility and control over applications in the cloud. We’re not even sure about what’s out there.”
As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity of this environment, business units are gaining more autonomy to buy and deploy applications — which can often house sensitive, corporate data — without consulting or involving the IT organization.
Signs that your organization is struggling to manage new cloud applications include:
• IT is not fully aware of the mission-critical cloud applications in production across various departments and
business units;
• Business units are performing their own user administration via spreadsheets and manual updates;
• Business units are requesting that IT integrate cloud applications with directories for periodic synchronization;
• Business units are purchasing their own identity and access management solutions — without consulting IT or
considering what IAM infrastructure is already in place; and
• IT audit processes, such as access certifications, have not been extended to cover cloud applications.
A proper identity and access management solution should help enterprises embrace the cloud while at the same
time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full
regulatory compliance. Successful IAM solutions will allow you to automate compliance and provisioning processes
for cloud applications in the same manner as on-premises applications. At the same time, it should provide end
users with convenient access to cloud applications and empower them with single sign-on from any device — at
work, home or on the go with mobile devices.
“Requesting new access or even changing a user’s existing access is a daunting task in our company. To add access to a single system can take an extraordinary effort to accomplish.”
Managing the complex relationships between thousands of users and millions of access privileges continues to be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations, the processes and tools used to request or change user access are highly manual, the result is an inefficient and costly execution of access requests and changes.
Does your organization wrestle with the following problems when fulfilling access changes across enterprise IT systems?
• Multiple front-end processes are used by the business to request new or change existing access privileges;
• Heavy reliance on help desk or IT admins to assess and implement access changes;
• Manual processes are required to facilitate changes to user access; and
• Different provisioning/deprovisioning processes are used for different applications.
If these situations sound familiar, it’s time to take a different approach. You need to centralize the delivery of access
across disparate IT resources spanning both the datacenter and the cloud and reduce the costs associated with
managing the initiation and fulfillment of access requests and changes. The right identity management solution
automates identity lifecycle events, such as onboarding new hires and managing job transfers, by directly assigning
or changing roles and entitlements to match a user’s current job function. It can also automate removal of access
privileges upon termination.
By automating these events, organizations can reduce the number of self-service requests initiated by business
users, the number of approvals required to grant access, and the number of calls to the help desk. In addition, a
centralized solution can orchestrate the automation of changes to access rights for all applications regardless of
how “last mile” provisioning changes are performed — via the help desk, a manual process, or an automated
provisioning solution.
“We failed an audit. I need a tool that can help us get back into compliance — quickly!”
Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses.
Here are some of the most common identity risks auditors are looking for:
• Orphan accounts: Access that remains active for employees or contractors after termination due to failure to
remove privileges;
• Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles
resulting in employees with access beyond their job requirements;
• Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions
or the ability to perform conflicting duties;
• Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users
are managed using manual processes and are very difficult to audit; and
• Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make
business decisions about what access is required to perform a specific job function.
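As an added illustration of how the first three of these risks are actually detected (this is example code written for the reader of this guide, not SailPoint product code or any vendor API), the Python below runs detective checks over a constructed HR feed, a constructed set of aggregated application accounts, a hypothetical role model and one hypothetical SoD policy. The SoD check uses the multi-sided form that the policy management checklist asks about (“A, B, or C conflicts with any of D, E, or F”) and evaluates it across applications rather than per system, because the conflicting entitlements usually live in different systems. Every identity, application and entitlement name is made up.

```python
"""Detective identity controls over constructed sample data (added example,
not from the guide or from any IAM product).

Flags orphan accounts, entitlement creep and separation-of-duty (SoD)
violations. All inputs below are constructed for illustration.
"""
from collections import defaultdict

# Constructed authoritative source (HR feed): identity -> status and job function.
HR_FEED = {
    "alice": {"status": "active", "job": "ap_clerk"},
    "bob":   {"status": "active", "job": "ap_clerk"},
    "carol": {"status": "terminated", "job": "ap_manager"},
}

# Constructed account data aggregated from target systems:
# (application, account name, owning identity or None if unmatched, entitlements).
ACCOUNTS = [
    ("erp", "alice", "alice", {"ap_create_vendor", "ap_enter_invoice"}),
    ("erp", "bob", "bob", {"ap_enter_invoice", "ap_approve_payment", "gl_post"}),
    ("erp", "carol", "carol", {"ap_approve_payment"}),
    ("erp", "svc_batch01", None, {"gl_post"}),   # service account, no matched owner
]

# Hypothetical role model: the entitlements a job function is expected to carry.
ROLE_MODEL = {
    "ap_clerk": {"ap_enter_invoice", "ap_create_vendor"},
    "ap_manager": {"ap_approve_payment"},
}

# Hypothetical multi-sided SoD policy: holding ANY entitlement on the left side
# together with ANY on the right side is a conflict.
SOD_POLICIES = [
    {"name": "AP payment fraud",
     "left": {"ap_create_vendor", "ap_enter_invoice"},
     "right": {"ap_approve_payment"}},
]


def entitlements_by_identity(accounts):
    """Aggregate entitlements across all applications per matched identity."""
    ents = defaultdict(set)
    for _app, _name, owner, ent in accounts:
        if owner is not None:
            ents[owner] |= ent
    return ents


def find_orphan_accounts(accounts, hr):
    """Accounts with no matched owner, or whose owner is no longer active in HR."""
    orphans = []
    for app, name, owner, _ent in accounts:
        if owner is None or hr.get(owner, {}).get("status") != "active":
            orphans.append((app, name, owner))
    return orphans


def find_entitlement_creep(accounts, hr, role_model):
    """Entitlements an active identity holds beyond its job-function baseline."""
    ents = entitlements_by_identity(accounts)
    creep = {}
    for ident, held in ents.items():
        rec = hr.get(ident)
        if rec is None or rec["status"] != "active":
            continue  # terminated/unknown owners are reported as orphans instead
        extra = held - role_model.get(rec["job"], set())
        if extra:
            creep[ident] = extra
    return creep


def find_sod_violations(accounts, policies):
    """Identities holding entitlements on both sides of a multi-sided SoD policy.

    Evaluated on the cross-application aggregate, so a conflict split across
    two systems is still caught.
    """
    ents = entitlements_by_identity(accounts)
    violations = []
    for ident, held in ents.items():
        for pol in policies:
            left_hit, right_hit = held & pol["left"], held & pol["right"]
            if left_hit and right_hit:
                violations.append(
                    (ident, pol["name"], frozenset(left_hit), frozenset(right_hit)))
    return violations


if __name__ == "__main__":
    print("orphans:", find_orphan_accounts(ACCOUNTS, HR_FEED))
    print("creep:", find_entitlement_creep(ACCOUNTS, HR_FEED, ROLE_MODEL))
    print("sod:", find_sod_violations(ACCOUNTS, SOD_POLICIES))
```

On this constructed data the checks flag carol’s account (owner terminated) and svc_batch01 (no owner) as orphans, bob for creep (approval and GL posting rights outside the clerk baseline) and bob for the SoD conflict; alice holds only left-side entitlements and carol only right-side ones, so neither trips the policy.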
If you’ve failed an audit due to weakness around any of these identity risks, we have good news. The right identity
and access management solution will improve your visibility into risky or noncompliant areas and automate your
processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively
analyze risk, make more informed decisions and implement the appropriate controls in an automated and more
sustainable fashion.
Further, aligning user access with job functions through an enterprise role model can strengthen user access
controls by providing valuable business context around how specific sets of access map to the underlying business
function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit, and more chances of seeing audit performance improve over time.
“Compliance is time-consuming and expensive. I need to get my costs under control.”
Compliance can be complex and difficult — and as a result, costly. Meeting industry and regulatory mandates requires organizations to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges.
Signs that show you need to cut compliance costs include:
• Building or leveraging multiple, homegrown solutions to handle audit and compliance needs;
• Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD
policy enforcement;
• Using inefficient tools like spreadsheets and email to drive manual compliance processes; and
• Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too
much time and effort is spent on low-risk users.
To gain better control of your identity and access data, including centrally defining policy and risk and automating
your access certification process, you need to replace expensive paper-based and manual processes with automated
tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable
practices for a more consistent, auditable, reliable and easier-to-manage access certification effort.
If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, a governance-based identity and access management solution is the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.
“Help! The provisioning solution we’ve deployed is not meeting our expectations with regard to compliance and is not sustainable for our future needs.”
Many organizations have a legacy user provisioning solution that no longer meets their needs, doesn’t do what the vendor promised it would, or more importantly, in the case of several products, including Sun Identity Manager and BMC Identity Manager, will no longer be supported in the future.
Do you find yourself facing any of the following issues with your existing provisioning solution?
• Your project is behind schedule and over budget;
• You lack the necessary coverage for applications;
• Your provisioning product is being “retired” and must be replaced; or
• You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, SoD violations,
and more.
Now is the time to address those issues and migrate away from your legacy provisioning platform. Invest in
a technology that will address your current provisioning challenges, improve your overall identity and access
management strategy, and integrate with what you have in place today. Look for a solution that will provide your
organization a smooth transition and allow you to take a non-disruptive, stepwise approach while making the most of
your existing investment as you transition to a next-generation solution.
The new solution must also be able to balance core user provisioning requirements — add, change, delete user
accounts and password management — with user-friendly interfaces and processes that empower business users
to request and manage access on their terms.
Finally, and most importantly, it must offer an integrated approach to IAM. Governance and compliance should be
handled as an integrated activity within your identity infrastructure, not as a separate process.
Taking Stock
Once you’ve evaluated your business drivers for identity and access management, you’ll be in a better position to
prioritize your investments. If you’re like most organizations, you have more than one motivating factor, so the key is
identifying your one or two most important business imperatives. Moving ahead without prioritizing may cause you to
spend precious resources in the wrong places, inhibiting your ability to meet your most critical needs in a timely manner.
The good news is that investing in the right solution will enable you to realize some “quick wins,” while at the same
time strengthening your organization for the long-term. Depending on your business priorities, these immediate results
could save you money and reduce the compliance burden on IT; improve your audit performance; improve the efficiency
of identity business processes like access request and delivery; address shortcomings with your existing provisioning
system; streamline secure access management to cloud and Web applications; and extend IAM to your cloud applications.
Whatever path you choose to embark on first, you should avoid taking on every business problem on day one.
Best results are achieved by taking a stepwise approach where your project is focused on the business units,
departments, or applications that align with your business goals — whether they are corporate agility, operational
efficiency, service-level improvement, or regulatory compliance.
For some organizations, the driving force behind an identity and access management project may be based upon any
number of challenges such as compliance, security, operational efficiency and business enablement. For example,
there might be an urgent demand to close audit gaps after a failed audit or a non-compliance penalty. For others,
there may be a requirement to eliminate the inordinate costs and inefficiencies found in current provisioning and
access management processes. Maybe the help desk is overwhelmed with trouble tickets and, as a result, service
levels are not where they should be. Or, perhaps the end user community is demanding more autonomy and wanting
IT to make their lives easier.
Once you’ve agreed upon your top priorities and goals, you will have a better understanding of what you must
achieve first. By focusing on a few “quick win” opportunities, you can help accelerate and build momentum for future
phases of your projects.
An incremental approach to project implementation helps you focus, ensuring you tackle high priority applications
and user populations that are most affected by your stated objectives. By demonstrating small, quick wins up front,
you will build confidence in the solution, help ensure ongoing adoption, and make it easier to secure funding for
additional projects.
If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want
to focus on compliance automation as a first step. Here’s how to get started:
If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or
making changes to existing access privileges for employees, contractors, and partners, then it may make sense to
focus on user provisioning as your starting point:
user accounts are created, updated or deleted on a regular basis. Once you’ve selected the applications, you can
determine the best option to complete the full integration cycle — deploying a new provisioning connector, or
leveraging an existing provisioning solution that is already in place.
If an ever-growing number of cloud, Web, and mobile applications is putting your organization at risk — based on the
proliferation of passwords across personal and business applications or lack of governance over cloud applications —
you may want to focus on cloud and web access management up front.
Now that you’ve identified your goals and considered the steps you need to take to achieve them, you will want to
find the right combination of identity and access management capabilities to help you get there. The diagram below
illustrates the key components of today’s IAM solutions. And, the section that follows provides all of the key requirements to evaluate these capabilities from vendors once you begin your selection process.
The new, modern identity and access management solution can serve multiple business demands and priorities using
a more integrated, effective approach.
[Diagram: key components of a modern IAM solution, built on a shared Governance Platform]
Compliance: Policy Management; Access Certifications; Audit Reporting & Analytics
Provisioning: Access Request; Lifecycle Events; Password Management
Access Management: Single Sign-On; Strong Authentication; Usage Monitoring
Providing a compelling business case for acquiring and deploying an identity and access management solution is a
critical step in any project. Ask the following questions to understand how the solution under consideration can help
you to solve your current business problems related to governance and delivery of user access within the enterprise.
Be sure to ask for example case studies and conduct reference calls for confirmation. See pages 43-44 for a list of
reference call questions.
BUSINESS CASE REQUIREMENTS | SAILPOINT | OTHERS
Can the vendor provide real-world examples of cost savings from automating end-user access request and provisioning processes? | Yes |
Can the vendor provide real-world customer case study examples demonstrating how the solution has reduced the cost of compliance? | Yes |
Does the solution address common preventive and detective identity controls required by regulatory mandates such as Sarbanes-Oxley, HIPAA and Basel II? | Yes |
Does the solution help to proactively enforce pre-established business policies for how access should be granted within the enterprise throughout access request and provisioning processes? | Yes |
Does the solution reduce the complexity of creating an enterprise governance model across roles, policies and risk? | Yes |
Can the vendor provide specifics on how customers using the solution have leveraged identity risk metrics to improve the effectiveness of preventive and detective identity controls within their organization? | Yes |
Does the product provide a consistent user experience across IAM processes? | Yes |
Does the product provide a consistent user experience across both PC and mobile devices? | Yes |
Can the solution be used to manage internal and external user populations (e.g., business partners, consumers or citizens)? | Yes |
Is the solution architected in a way that allows you to start quickly and expand based on future needs without requiring major rework or purchase of additional solutions? | Yes |
Is the solution architected as a single, unified application that does not require the customer or system integrator to custom code integration between products during deployment? | Yes |
How quickly can the solution be deployed and does it offer a smooth upgrade process between versions? | Yes |
The key to a successful identity and access management solution is one that is business-friendly, reduces the costs
and time involved in managing identity compliance, and that strengthens controls and improves audit performance —
all at the same time. The key components of an identity and access management solution include automated access
certifications, policy enforcement, role management and risk modeling and analytics.
Access Certification
Automated access reviews are an effective detective identity control for regularly validating user access within the
enterprise. These questions are designed to ensure that the solution you select is best suited to improve the efficiency
and accuracy of your certification process — and to help you meet goals for corporate accountability and compliance.
ACCESS CERTIFICATION REQUIREMENTS | SAILPOINT | OTHERS
Does the access certification feature support both technical and business user needs within the tool? | Yes |
Does the solution support managing different certification use cases by different user types out-of-the-box — e.g., manager certifications, application owner certifications, data owners? | Yes |
When certifiers review a user’s access privileges, can they approve, revoke or allow exceptions? | Yes |
Can the solution create certifications for individual entitlements, such as group memberships, and assign them to the appropriate data owners? | Yes |
When access is revoked, can the solution automatically de-provision access? Can the user’s SSO access automatically be removed at the same time? | Yes |
Does the solution automatically route access review reports to the appropriate certifiers? | Yes |
Does the reviewer have the ability to bulk certify/approve a particular entitlement for all users in a certification? | Yes |
Does the solution provide visibility to certification activities (e.g., completion status) on a user’s dashboard? | Yes |
Does the solution provide an interface for defining and managing certification events? | Yes |
Does the solution support a certification “sandbox” where certification settings can be tested before rolling out a certification campaign to the organization? | Yes |
Does the application highlight privileged user accounts and other high-risk accounts (e.g., service accounts) during the certification process? | Yes |
Does the solution support review and resolution of policy violations directly within a certification? | Yes |
Can automatic notifications be generated and sent out to certifiers when a new certification is created? | Yes |
Can the solution escalate an overdue certification to a user’s manager or other delegate? | Yes |
Does the access certification process support a challenge period to allow end users to contest a pending remediation decision before it is implemented in the environment? | Yes |
Can risk be used to define a population of end users for certification (e.g., only certify high risk users)? | Yes |
Does the solution support delegation of users to another certifier? Can individual line items be delegated to another certifier for completion? | Yes |
Does the solution track the full history of each certification item, including delegation, forwarding, challenge, and review decisions for all entitlements and roles? | Yes |
Does the solution provide an option to support bulk remediation for all former employees’ access privileges prior to beginning an access certification, thereby reducing the workload of reviewers? | Yes |
Does the solution support the definition and assessment of remediation periods, allowing the tracking of the remediation activity within the target system? | Yes |
Can the solution support electronic signatures for certification sign-off? | Yes |
Does the solution provide administrative dashboards and reports to track aggregated certification metrics across the enterprise and certification campaigns? | Yes |
Does the solution provide the ability to manage certifications from mobile devices? | Yes |
Policy Management
With constant changes in user access across multiple, heterogeneous enterprise and cloud applications, businesses often struggle to validate access against established access policies, including segregation-of-duty (SoD) policies, and so remain exposed to the risk that unchecked violations create. The following questions can help you identify a solution that simplifies policy definition and automates policy scanning, detection and remediation activities.
Can SoD policy support multiple-sided exclusions? For example, “A, B, or C conflicts with any of D, E, or F”. Yes
Does the solution support policies around activity-based data (e.g., DLP events or after-hours access)? Yes
Does the application support the definition of account or identity attribute access policies? Yes
Does the system provide a business-friendly user interface for defining and editing access policies without the need for coding? Yes
Does the solution provide a single policy repository that is leveraged by all identity processes, including both detective and preventive access controls? Yes
Can the application support the ability to define policy violations within and across applications/resources, including both datacenter and cloud applications? Yes
Does the application automatically scan and detect policy violations? Yes
When policy violations are detected, does the application automatically notify responsible parties? Yes
Are the policy violations escalated if not addressed in a defined period of time? Yes
Does the application support execution of a business process or workflow when policy violations are detected, allowing varying responses based on criteria such as the calculated risk of the violation? Yes
Does the solution provide a business-friendly user interface for managing policy violations by both business managers and compliance administrators? Yes
Are policy violations clearly highlighted during access reviews to allow for rapid remediation? Yes
Can revocation recommendations be stored in conjunction with each policy rule and exposed to the user when viewing policy violations? Yes
Can policy owners specify a unique risk score for each policy rule in the system? Yes
Can the risk score of a policy be used to control notifications and corrective actions when a violation is detected? Yes
Does the solution provide out-of-the-box reports to track policy violation activities? Yes
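The multi-sided SoD exclusion (“A, B, or C conflicts with any of D, E, or F”), the per-rule risk score and revocation recommendation, and the risk-driven notification asked about above, worked through as an added Python example that is not part of this guide or of any SailPoint product; the policy names, entitlement names, identities, scores and routing rules are constructed for illustration.

```python
"""Added example (not SailPoint code): a minimal detective SoD scan with
multi-sided exclusions, per-rule risk scores and risk-driven routing.
All policies, entitlements, identities and scores are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class SodPolicy:
    """Multi-sided exclusion: holding any entitlement in `left` together with
    any entitlement in `right` is a violation. `risk_score` (0-1000) is the
    rule owner's own rating; `recommendation` is the revocation advice stored
    with the rule and shown alongside every violation it produces."""
    name: str
    left: FrozenSet[str]
    right: FrozenSet[str]
    risk_score: int
    recommendation: str


@dataclass(frozen=True)
class Violation:
    identity: str
    policy: str
    left_held: Tuple[str, ...]
    right_held: Tuple[str, ...]
    risk_score: int
    recommendation: str


def evaluate(identity: str, entitlements: Iterable[str],
             policies: Iterable[SodPolicy]) -> List[Violation]:
    """Check one entitlement set against every policy.
    Entitlements are written '<application>:<right>', so a conflict that spans
    two applications is found exactly like one inside a single application.
    The same function gives a preventive check when it is passed the set a
    pending request or a role definition *would* produce rather than what is
    currently held."""
    held = frozenset(entitlements)
    found = []
    for p in policies:
        left_hit, right_hit = held & p.left, held & p.right
        if left_hit and right_hit:
            found.append(Violation(identity, p.name,
                                   tuple(sorted(left_hit)), tuple(sorted(right_hit)),
                                   p.risk_score, p.recommendation))
    return found


def route(violation: Violation, escalate_at: int = 700) -> List[str]:
    """Risk-driven response (constructed routing, not a product feature):
    every violation notifies the user's manager; rules rated at or above the
    threshold also notify the compliance officer and open a remediation task."""
    responders = ["manager"]
    if violation.risk_score >= escalate_at:
        responders += ["compliance_officer", "remediation_task"]
    return responders


def scan(identities: Dict[str, Iterable[str]], policies: Iterable[SodPolicy],
         escalate_at: int = 700) -> Dict[str, List[Tuple[Violation, List[str]]]]:
    """Detective scan over all identities; returns each violation with its routing."""
    policies = list(policies)
    results: Dict[str, List[Tuple[Violation, List[str]]]] = {}
    for ident, ents in identities.items():
        hits = evaluate(ident, ents, policies)
        if hits:
            results[ident] = [(v, route(v, escalate_at)) for v in hits]
    return results


# Constructed sample policies: the first is a classic accounts-payable rule
# spanning the ERP and the banking application, the second a lower-risk rule.
POLICIES = [
    SodPolicy("vendor-maintenance-vs-payment",
              frozenset({"erp:create_vendor", "erp:edit_vendor", "erp:enter_invoice"}),
              frozenset({"erp:approve_payment", "erp:run_payment_batch", "bank:release_wire"}),
              900, "Revoke the payment-side entitlement; keep vendor maintenance."),
    SodPolicy("code-merge-vs-prod-deploy",
              frozenset({"git:merge_main"}), frozenset({"cicd:deploy_prod"}),
              400, "Move production deploys to the release role."),
]

# Constructed sample identities with their currently held entitlements.
IDENTITIES = {
    "alice": {"erp:create_vendor", "erp:approve_payment", "crm:read"},
    "bob": {"erp:enter_invoice", "crm:read"},
    "carol": {"erp:edit_vendor", "bank:release_wire", "erp:run_payment_batch"},
    "dave": {"git:merge_main", "cicd:deploy_prod"},
}

if __name__ == "__main__":
    for ident, hits in scan(IDENTITIES, POLICIES).items():
        for v, responders in hits:
            print(f"{ident}: {v.policy} risk={v.risk_score} "
                  f"{v.left_held} x {v.right_held} -> {responders}")
            print(f"  recommendation: {v.recommendation}")
```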
Traditional approaches to user provisioning have failed to evolve with today’s enterprise identity management
needs. While originally designed to automate IT operational processes, provisioning tools are now being called on to
interface directly with business users and orchestrate complex business processes. This section focuses on finding
a solution which can work for both the business and IT — one that empowers the business to self-manage while
automating common back-end identity management processes.
Can the solution facilitate requesting of different types of access, including roles, entitlements and accounts? Yes
Does the self-service access request solution allow for additions, changes, and removals of access? Yes
Can users search for access using configurable metadata attributes such as name, description, owner or other keywords? Yes
Can the solution suggest access rights based on an analysis of similar identities? Yes
If the solution suggests access rights, is the user informed of high-risk users included in the comparative analysis? Yes
Does the solution allow the user to specify a priority for access requests? Yes
Can users request a start date (“sunrise”) associated with new access requests? Yes
Can users select an end date (“sunset”) when removing access through the self-service request interface? Yes
Does the solution support requesting optional IT roles for currently assigned business roles? Yes
Can the system be configured to restrict end users to only requesting optional IT roles? Yes
Does the solution support preventive policy-checking of self-service and delegated access requests prior to being submitted for fulfillment? Yes
Does the solution give end users a business-friendly dashboard to view status of pending and completed requests? Yes
Does the solution enable the user to track access requests made by them and for them? Yes
Does the solution allow users to track the full details of an access request, including the status of approvals and fulfillment tasks? Yes
Does the solution allow anyone in the organization to request access for anyone else? Yes
Does the solution offer self-service registration for external or “non-employee” users (e.g., contractors, partners, consumers, etc.)? Yes
Does the solution support creating new identities from scratch within the user interface (e.g., act as the authoritative source for creating identities)? Yes
Can the solution limit the data which is editable from the user interface? Yes
Does the solution allow you to edit identity attributes of existing users? Yes
A fundamental capability of all identity and access management solutions is the automation of basic account
creation, update and delete functions. Unfortunately, traditional approaches to identity management perform this
through custom-coded workflows and complex policy rules. The following questions will help determine if an identity
management platform can keep pace with the dynamic nature of change in your organization.
AUTOMATED LIFECYCLE MANAGEMENT REQUIREMENTS SAILPOINT OTHERS
Does the solution support the definition of automated lifecycle events — e.g., new hire, promotion, termination — that trigger access changes in enterprise and SaaS applications? Yes
Can lifecycle events trigger specific workflows to manage the change process from initiation through provisioning? Yes
Does the solution provide visibility to access changes initiated through automated change events — e.g., new hire, promotion, termination? Yes
Can the solution orchestrate changes to user access based on self-service access requests and lifecycle events across disparate provisioning processes? Yes
Does the solution provide flexible approval routing for changes initiated through self-service request or automated lifecycle events — e.g., manager, data owners, role owners, and security administrators? Yes
Does the solution provide a graphical user interface for configuring/editing business processes and workflows associated with manually-initiated access requests (including self-service and delegated requests)? Yes
Does the solution support delegation of approval requests to other users within the system, and is this information tracked and audited? Yes
Does the solution support dynamic rerouting of approval requests based on the outcome of other workflow steps — e.g., change approval routing if a policy violation is identified or if the user’s risk score crosses a defined threshold? Yes
Can the solution automatically determine the chronological order and need to create new accounts associated with adding entitlements and roles? Yes
Can the solution request additional information from users involved in the access request process — e.g., requester, approver, application/data owners? Yes
Can the solution dynamically generate forms to capture additional information from the user based on pre-configured provisioning policies for applications and roles? Yes
Does the solution enable a user to self-register for access and have it create a new account either immediately or after approvals? Yes
Can the solution automatically add and remove SSO access to applications as part of the provisioning process? Yes
Does the access request and lifecycle management solution track aggregated request metrics and workflow statistics? Yes
Does the solution support tracking and reporting on service-level metrics? Yes
Are metrics available at the business process as well as the individual workflow step levels? Yes
Does the solution support the ability to force an electronic signature when a user is approving a request? Yes
Password Management
Implementing a self-service interface for assisting business users in changing and resetting their passwords is
one of the fastest paths to cost savings for any identity and access management project. These questions help
you determine if the solution will be sufficient to address your password management needs across enterprise and
cloud-based systems, including defining and enforcing password policies, self-service changes and resets and
password synchronization across systems.
PASSWORD MANAGEMENT REQUIREMENTS SAILPOINT OTHERS
Does the solution allow end users to manage their own passwords — i.e., reset forgotten passwords, change existing passwords? Yes
Does the solution provide an option to help users reset forgotten passwords from the Windows desktop (i.e., GINA or Credential Provider plugin)? Yes
Does the solution support multiple password policies per application? If yes, can different policies be applied to users based on identity attributes (e.g., employee and contractor policies)? Yes
Does the solution automatically calculate the minimum password policy when resetting or changing passwords across multiple systems? Yes
Does the solution support challenge questions for password recovery? Yes
Can the number of challenge questions presented to the user be configured based on the organization’s security policies? Yes
Can the solution force the user to answer their authentication questions before using other capabilities? Yes
Can the solution provide administrators with a report detailing users who have not completed answers to challenge questions? Yes
Can users manage passwords from a mobile device such as a tablet or smartphone? Yes
Are the end-user password management user interfaces integrated with the solution’s access request user interfaces for a seamless user experience? Yes
Single Sign-on
The rapid proliferation of enterprise cloud and SaaS applications has a big downside — users are wasting time
trying to remember all their usernames and passwords and more importantly creating security issues by writing them
down in plain sight or overburdening the help desk when they inevitably forget them. Asking the following questions
will help you evaluate if an identity and access management solution can provide a fully integrated cloud, web, and
mobile SSO experience for users and support continued SaaS adoption in your organization.
The best way to simplify and secure access to applications while enabling convenience for the end users is with
single sign-on solutions that also offer strong authentication. The following questions will help you determine if your
solution is designed to seamlessly work within your environment.
Are new SSO profiles for 3rd party vendors’ products provided free of charge? Yes
Can you customize application profiles (name, URLs, quick links, icon) and have changes visible to all users? Yes
Can users select a particular task or function of an application and SSO directly into that activity from the launchpad or portal? Yes
Are profiles supported for password, federation, and proxy-based SSO for both corporate applications and BYOA? Yes
Does the solution provide a launchpad or portal where users can see all web and cloud applications they are entitled to and SSO into them with a single click? Yes
Can an unlimited number of SSO users share the same computing device, such as a kiosk or tablet? Yes
Does the solution allow you to automatically populate the launchpad with corporate applications based on assignments of roles or entitlements? Yes
Does the solution allow you to populate credentials (username/password) into the launchpad based on provisioning workflows? Yes
Can the system prevent the shared use of passwords between personal and corporate applications? Yes
Are application user IDs and passwords protected and encrypted in such a way that no one other than the end user has access to the private encryption key to use them? Yes
Does the solution provide self-service IAM functions from a mobile app, such as password reset? Yes
Does the solution provide SSO from a wide variety of Web browsers, regardless of how users launch the apps (e.g., via launchpad portal, bookmark, URL email link, etc.)? Yes
Does the solution provide SSO into Web and cloud applications from tablets and smartphones? Yes
Can administrators restrict, by policy or role, which applications, including third party apps, are available for SSO? Yes
Does the solution support the presentation and audit logging of a global system-wide “terms of use” acceptance for use of the SSO product by end users (e.g., misuse of this product is a violation of business conduct guidelines)? Yes
Can the system use activity data to automatically deprovision application access after a period of non-use? Yes
Does the solution provide an on-premises reverse proxy and allow agentless password-free SSO without application changes? Yes
Does the on-premises proxy automatically update, self-monitor, and recover? Yes
Does the on-premises proxy support virtual hosts as well as customized URL extensions per app? Yes
STRONG AUTHENTICATION REQUIREMENTS SAILPOINT OTHERS
Does the solution include strong authentication options such as one-time passwords (OTP) or knowledge-based authentication (KBA)? Yes
Can the solution integrate with third party multi-factor authentication products? Yes
Role Management
An enterprise role model can be an important tool in streamlining and simplifying identity and access management
processes for the business. The following questions can help you determine whether the solution under evaluation
can help you create an enterprise role model and manage the entire role lifecycle to accommodate changes in
business and IT systems, while keeping the quality and reliability of the role model in place.
Does the solution provide a single role model/repository leveraged by all identity processes, including compliance, provisioning and access management activities? Yes
Does the solution support a hierarchical role model with n-levels? Yes
Can the business role model support both required and optional IT role associations to reduce the number of roles required in the system to effectively enforce the principle of least privilege? Yes
Can the solution automate the creation of roles using data mining techniques to discover potential roles using various pattern search algorithms? Yes
Does the solution support automated mining of both business roles (top-down) and IT roles (bottom-up)? Yes
Does the role mining support a directed search, whereby the user is able to narrow the focus of the mining by selecting a set of applications to mine against and by providing user-specifics such as location, job title, manager, cost center (e.g., “Only mine against applications 1 & 3 and users of those applications that are in cost center 1204 and work in the Chicago office.”)? Yes
Does the role definition process include the ability to identify or suggest candidate roles during the access certification process? Yes
Can new role types be configured directly within the user interface? Yes
Can the solution import an existing role model using manual or automated interfaces? Yes
Can role owners provide a business-friendly description to help users understand the meaning of a role during certification and access request activities? Yes
Does the solution support delegation with respect to role ownership? Yes
Does the solution provide approval workflow options when the definition or contents of a role are changed (i.e., add, modify, disable)? Yes
Does the solution provide the ability to perform a “what if” impact analysis on role model changes? Yes
Does the solution support certification of both role composition (role privilege/entitlement mapping) and role membership? Yes
Does the solution provide analysis of roles indicating role quality based on factors such as membership, risk, and usage? Yes
Can role engineers define additional metadata attributes on a role, and can those attributes be used to control IAM processes without having to customize the application? Yes
Can the solution detect and alert on policy violations that exist within a role definition before assigning roles to users? Yes
Does the solution provide the ability to assign and de-assign roles to users from the user interface? Yes
Can assignment be done both manually and through automated assignment and de-assignment rules associated with a role? Yes
Can a role definition be used to trigger strong authentication within the context of an SSO event? Yes
Does the solution provide logging and reporting capabilities for all role changes (e.g., “when was the role created, who created it, who approved it?”)? Yes
Does the solution maintain all previous versions of role definitions? Yes
Can users easily view and roll back to previous versions of role definitions? Yes
Most organizations struggle to understand the underlying risk posed by what users have access to and how they are
using their access. In order to effectively deploy and manage enterprise identity and access management solutions,
you need insight into where the risk hot spots are in your organization. The following questions address a solution’s
ability to take a risk-based approach and provide the functionality necessary for you to assess, manage and control
threats to security posed by people, roles and applications.
RISK MODELING AND ANALYTICS REQUIREMENTS SAILPOINT OTHERS
Does the solution provide a comprehensive approach to measuring identity and access risk within the enterprise at both the user and application/resource levels? Yes
Does the solution track and monitor the risk of each user based on that user’s access to sensitive applications and data (identity risk scoring)? Yes
Does the solution support the creation of an application risk model to determine the relative risk of each managed application based on pre-defined risk factors? Yes
Does the solution support the assignment of unique risk values to each application, entitlement and role within the system? Yes
Does the solution enable risk mitigation actions (e.g., certifications, de-provisioning or activity monitoring) to be targeted at high-risk users? Yes
Can risk scores on access be used to calculate the overall risk score of an identity within the organization? Yes
Can certification status or time since last certification be used as a risk factor in the model? Yes
Does the solution dynamically calculate a user’s risk score based on changes to access within the environment? Yes
Does the solution support using risk scores to trigger strong authentication policies for SSO events? Yes
Does the solution support configurable risk factors and weightings for calculating identity or risk scores? Yes
Does the solution support the assignment of risk scores to policy rules — e.g., SoD policies? Yes
Can the solution profile aggregate risk scores, e.g., by manager, department, location, or company-wide? Yes
Can aggregate risk scores be displayed graphically for easy identification of risk “hot spots”? Yes
Does the solution track risk scores over time for trending analysis? Yes
Can the solution alert or notify managers, application owners or compliance officers based on changes to an identity or resource risk score? Yes
Can high-risk users be easily identified via reporting and analytics? Yes
Organizations strive for better visibility into identity and access information across their business. The following
questions can help you identify whether the solution under consideration can give you the information you need via
dashboards and alerts while also enabling you to run ad hoc queries and produce detailed reports on a variety of
identity and access management processes.
Can users drill down from the dashboard into specific tasks and/or supporting data? Yes
Can pre-defined reports be personalized by end users to fit their specific business needs? Yes
Can end users change the columns which are included in reports? Sort order of data? Group data? Yes
Can users save reporting personalizations for easy recall and reuse? Yes
Does the solution provide an interactive preview option for reviewing report layouts? Yes
Does the solution provide charting/graphing options for internal reports? Yes
Does the solution support saving reporting results in downloadable file formats (e.g.,
Yes
PDF, Excel or CSV)?
Can the solution require users to “sign-off” that they have reviewed a report? Yes
Can the solution report on historical “point-in-time” access as well as current state? Yes
Does the solution provide an ad hoc analytics interface for creating dynamic searches? Yes
Does the solution provide a way to search on activity information according to various search parameters related to the system/activity and the target user base? For example, show all login activity on an application for users in a specific cost center with risk scores over a certain threshold. Yes
The success of an organization’s identity and access management solution is highly dependent upon its ability to
connect to target resources and to integrate with its IT infrastructure. The following questions will help you gauge
whether the solution under consideration has the connectivity footprint to govern and fulfill access along with the
ability to establish an integrated identity eco-system.
CONNECTIVITY AND INTEGRATIONS REQUIREMENTS SAILPOINT OTHERS
Can the application derive the employee/manager relationship from an authoritative identity source, such as the central HR application? Yes
Can the application support multiple authoritative sources for identity data? Yes
Does the solution allow transformation of data and execution of validation rules as part of the data load processing? Yes
Can the solution support collecting data from enterprise applications based in public or private clouds? Yes
Does the software create a single view of each user within the enterprise and their associated access privileges? Yes
Are all user entitlements, roles, policy information and activity data viewable within the context of an individual identity? Yes
Does the solution enable automated correlation of user account information using a “wizard-like” interface that can be operated by non-technical users? Yes
Does the application provide a user interface for performing manual correlation of user account privileges? Yes
Does the solution include a centralized catalog of all entitlements in the system? Yes
Does the solution support associating contextual metadata with each entitlement — e.g., business-friendly description, data owner, and account type? Yes
Are both automated and manual updates to entitlement metadata supported? Yes
Does the solution provide out-of-the-box connectors for the following categories of enterprise systems? Yes
• directories
• databases
• platforms
• business applications
• messaging applications
• mainframes
• SaaS applications
Does the solution provide a toolkit for creating connectors for custom or homegrown applications? Yes
Does the vendor provide access to all connectors free of charge? Are connectors developed in future releases included in this policy? Yes
Can the solution manage the complete user account lifecycle (add, edit and delete, enable, disable) for connected resources? Yes
Does the solution provide native support for delta aggregation of account and entitlement data from connected applications? Yes
Can the solution validate that changes requested are correctly implemented in the target resource? Yes
Does the solution provide a web-based interface for administration and configuration of application connectors? Yes
Does the application provide a solution for managing enterprise IT systems deployed in public or private clouds? Yes
Does the solution provide out-of-box integration with any third party automated provisioning systems? Yes
Can the system support the retrieval of entitlement information through another provisioning system’s connectors without the need to directly connect to the target system? Yes
Can the system support sending account creation and change requests to third-party provisioning systems for execution in a target resource? Yes
Does the solution expose web services for integrating with a third-party provisioning solution to bulk re-provision users based on role model changes? Yes
Can the solution monitor third-party provisioning system audit logs and correlate this activity data to identities under management? Yes
Does integration with third-party provisioning systems use industry standards such as the Service Provisioning Markup Language (SPML) or the System for Cross-domain Identity Management (SCIM) standard when supported by integrated systems? Yes
Does the solution support the automatic generation of “tickets” through service/help desk integrations? Yes
Can the solution receive updates on ticket status and display the information to users when tracking requests? Yes
Are the following file import options supported: CSV, XML and flat files? Yes
Does the solution support modeling fine-grained permissions such as operational rights on database tables and file shares? Yes
Can updates to user and access data be scheduled within the application to support regular refresh of information? Yes
Does the software support the definition of custom schemas for each connected application? Yes
Does the solution support importing and evaluating activity data (e.g., SIEM feeds and application log files) from target systems? Yes
Can activity data be mapped back to a known identity based on unique correlation rules? Yes
Does the solution support integration with service request management systems? Yes
Does the solution support the collection of DLP events for use in compliance and provisioning processes? Yes
Does the solution provide integration with mobile device management systems? Yes
Does the solution support integration with privileged user management systems? Yes
Most organizations have a standardized set of processes and technologies that act as a foundation for their IT
infrastructure. The IAM solution you are evaluating should fit into that standardized environment rather than require exceptions to it.
Does the solution have configurable components that tie to an integrated data store? Yes
Does the solution support definition of user roles and assignment of internal access rights based on roles? Yes
Does the solution provide out-of-the-box authorization profiles for common user types (Manager, Compliance Officer, Auditor)? Yes
Can the internal authorization model be configured based on customer needs? Yes
Does the application support end-user personalization of tables and charts? Yes
Are user preferences and personalization options stored in between sessions? Yes
Does the solution support the ability to scale tasks such as aggregations, identity refresh and certification generation across multiple hosts and threads? Yes
Does the vendor support and participate in standards efforts around identity and access management interoperability (e.g., XACML, SPML, SCIM, SAML)? Yes
Checking vendor references is one of the most important steps in finding the right solution for your organization.
When you have the chance to speak with someone else in the industry who has been down a similar path, ask
questions and follow-up to get specific answers. These sample questions can help you focus on the information you
need from references. Not all of these questions apply to every project, but they provide a good starting point for your
own questionnaire.
1. Can you describe the identity management project that you worked on with this vendor? What was the main business driver for the project? When did the project begin?
3. What stage are you in with the product now (design, deployment, production, etc.)?
4. What is the scope of the project in terms of managed users, applications/resources under management?
5. What 2-3 key factors led you to choose this vendor for the project?
12. What type of production environment (hardware, software) do you run the product in? How well did the product fit into your production environment?
13. Did you discover things during the implementation that you would have liked to know before you started?
14. Did the vendor provide professional services or did you work with a third-party systems integrator? How large was the implementation team?
15. If third party, how well did the vendor and systems integrator work together?
16. How would you rate the quality of vendor personnel that you worked with?
17. Did the vendor’s solution “work as advertised” — in other words, did it meet your expectations?
19. How would you rate the quality of support you get from the vendor?
20. How well does the vendor handle patches and upgrades?
21. Does the vendor facilitate discussions with peer groups, such as regional user group meetings and online communities?
22. What do you like least about this vendor? What do you like most about this vendor?
23. If you had to make the decision all over again, would it be the same? If not, why?
24. If you had to assign a letter grade (A-F) to this vendor, what would it be?
25. Is there anything else I should know about this product and company before we make a decision?
SailPoint Identity and Access Management: A Smarter Way to Manage Identity
Finding a solution that can automate key compliance, provisioning and access management processes and
deliver risk-aware identity intelligence makes perfect sense. SailPoint offers market-leading identity and access
management solutions that alleviate the cost and complexity of managing user lifecycles, meeting compliance
requirements, and delivering convenient access to cloud and Web applications. With a centralized, holistic approach
to managing user access across the entire IT environment, SailPoint provides superior visibility into and control
over user access to sensitive applications and data both on-premises and in the cloud — helping you identify and
mitigate risk.
From the ground up, SailPoint solutions are distinctively different from previous generations of identity and access
management solutions. They address the needs of today’s complex enterprise business and IT environment from the
perspective of the business — with readily-available self-service capabilities, intuitive user interfaces, powerful business
process automation, and industry-leading capabilities for discovering and prioritizing identity-related business risks.
IdentityIQ delivers integrated compliance, provisioning, and access management capabilities, all built on a common
governance model. IdentityIQ delivers all IAM services through a consistent user experience, which empowers
business users to participate effectively in a wide variety of IAM processes, including automated access certifications,
policy enforcement, access request and provisioning, password management, single sign-on and identity analytics.
With SailPoint solutions you can provide fast, convenient application access that keeps business users
productive, while improving the efficiency of your infrastructure, reducing operational costs, and improving
security and risk management.
SailPoint IdentityIQ
• Compliance Manager - Streamlines the execution of compliance controls and improves audit performance
through automated access certifications and policy management.
• Lifecycle Manager - Combines self-service access request and password management with automated lifecycle
event management to simplify creating, changing, and revoking user access privileges.
• Access Manager - Offers governance-based single sign-on (SSO) across cloud, on-premises web, and mobile
applications through easy-to-use desktop and mobile interfaces.
• Governance Platform - Centralizes identity data and provides a single place to model roles, policies, and risk to
support compliance, provisioning, and access management processes across the organization.
• Connectivity Foundation - Provides flexible options for connecting to enterprise and cloud resources to
aggregate identity data and orchestrate changes resulting from compliance and provisioning processes.
[Architecture diagram: Governance Platform; Connectivity Foundation, comprising Resource Connectors, Provisioning Integration, Service Desk Integration, MDM Integration and Cloud Gateway]
Policy Management
• Enforce multiple types of access policy across cloud and on-premises applications
• Proactively detect and prevent inappropriate access and violations in real-time
• Prioritize violation response with risk-based approach
• Track and report on violations
CAPABILITY / DESCRIPTION
Self-Service Access Request
• Empower users to request and manage access using an e-commerce shopping experience
• Help business users find the right access with keyword and affinity search features
• Facilitate delegated administration by managers and help desk/admins
• Provide visibility to request status and process execution
Password Management
• Allow business users to change and reset passwords
• Automatically detect and synchronize passwords
• Enable delegated password management by managers and help desk/admins
• Enforce strong password policies
Lifecycle Event Management
• Automate access changes based on HR lifecycle events (i.e., hires, transfers, terminations)
• Prevent policy violations and consistently enforce the desired state
• Orchestrate changes across automated and manual provisioning processes
• Gain complete visibility to process execution
CAPABILITY / DESCRIPTION
Single Sign-on (SSO)
• Eliminate the need for users to remember and enter multiple user names and passwords for SaaS apps, internal web apps, and mobile apps
• Provide convenient SSO from mobile devices using the same security and credentials as from the desktop
Strong Authentication and Policy-based Controls
• Enforce strong authentication to apps based on identity risk, such as role membership, privileged account ownership, or risk score
• Provide strong authentication via a one-time password (OTP) sent to a user’s phone or knowledge-based authentication (KBA) consisting of challenge/response questions
• Integrate with third-party authentication tools, such as smartcards or OTP tokens
• Educate users on appropriate terms of use policy for SaaS apps
Synchronized SSO and Provisioning
• Provide convenient App Store to add new applications to SSO Launchpad
• Provision access to applications using the same policies and approval processes as for other IT services
• Identify unused or unauthorized accounts and report them back to the appropriate business sponsor for removal and potential cost savings
CAPABILITY / DESCRIPTION
Reporting and Analytics
• Access predefined reports for compliance, provisioning and access management
• Leverage report designer for custom reporting requirements
• Gain needed information on-demand with powerful advanced search capabilities
Personalized Dashboards
• Notify users of required actions with “visual alerts”
• Provide one-click entry into access request, password management and compliance activities
• Deliver at-a-glance charts, graphs and reports with drill-down capabilities
• Highlight scheduled compliance events and the status of in-process tasks
With the Governance Platform, you can:
• Centralize data into a common Identity Warehouse shared by all IAM processes
• Mine, model and manage roles that are leveraged across all IAM processes
• Dynamically assign risk scores for users and resources to better focus and prioritize controls
• Define and leverage access policies for detective and preventive control across all IAM processes
Centralize identity data and leverage one model for policy, risk, and roles across all IAM processes.
Traditional approaches to identity management treat governance, provisioning and access management as separate
activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and
carry on the day-to-day work of meeting increasingly demanding service level requirements.
A more innovative and effective approach is required to streamline all these efforts — one that allows access
management, governance and provisioning processes to leverage a common framework for roles, policy and risk
management.
The SailPoint IdentityIQ Governance Platform lays the foundation for effective identity and access management
within the enterprise by establishing a framework that centralizes identity data, captures business policy, models
roles and takes a risk-based approach to managing users and resources. The Governance Platform allows
organizations to build consistent preventive and detective controls that span all critical IAM business processes -
access certifications, access request, single sign-on, password management, and automated provisioning. Likewise,
reporting and analytics are consistent across all identity and access management data.
CAPABILITY / DESCRIPTION
Identity Warehouse
• Leverage single system of record for identity data across all IAM functions and activities
• Import data using out-of-the-box connectors or via flat files
Policy Model
• Define and implement detective and preventive controls across compliance, access management and provisioning processes
• Proactively identify and route violations for review or immediate revocation
Role Model
• Define flexible role types that enforce “least privilege” access
• Discover business and IT roles based on identity attributes and entitlements
• Provide automated role approvals, role certifications, role quality metrics and role analytics
• Use “what-if” analysis to see impact of changes before they are implemented
Risk Model
• Locate and identify areas of risk across users and applications
• Calculate and assign unique identity risk score
• Continuously update risk scores based on changes to user access
Workflow Engine
• Orchestrate the logical sequence of business process steps that support compliance and provisioning processes
• Offer a visual business process modeler to support the design of complex, multi-step workflow processes
• Leverage a unique data-driven model to orchestrate business processes and generation of end user forms
CAPABILITY / DESCRIPTION
Cloud and On-premises Resource Connectors
• Speed provisioning of access changes to managed resources on-premises and in the cloud with over 80 out of the box connectors
• Support rapid deployment to custom applications
Third-Party Provisioning Integration
• Leverage third party provisioning solutions to import data or provision changes to target systems
Service Desk Integration and Work Queues
• Generate help desk tickets or manual work items to fulfill access changes
Cloud Gateway
• Extend identity and access management capabilities to public/private cloud environments or host IdentityIQ in the cloud and connect to datacenter applications
MDM Integration
• Apply corporate IAM policies and controls to personal mobile devices
• Cross-domain IAM — We seamlessly manage access to both cloud and on-premises resources, giving you the big
picture across all your resources, with unified compliance, provisioning, and access management.
• Mobile-enabled IAM — We provide single sign-on to applications from any device, anywhere, anytime, and we
integrate with Mobile Device Management (MDM) solution providers to extend governance and provisioning to
mobile applications and data.
• Consumer-simple — We provide self-service capabilities and user-friendly interfaces to empower internal and
external users to successfully manage their access needs independent of IT, but within the confines of IT security
and policy.
• Built-in Governance — We provide a single framework that centralizes identity data and defines a common
policy, role, and risk model to manage users and resources. This framework allows you to build a single preventive
and detective control model to support all identity and access management business processes.
• Identity Intelligence & Analytics — We centralize visibility to access risks across the entire enterprise and
provide meaningful insights to help you make effective business decisions. You get one central view across
compliance, provisioning, and access management.
• Unified architecture — SailPoint is the only IAM provider to deliver a fully integrated, unified IAM solution that
spans governance, provisioning, and access management. SailPoint’s solutions are built on a common platform,
giving our customers a solution that’s easier to deploy, easier to maintain and easier to use.
• Enterprise scalability and performance — Our solutions deliver scalable, streamlined and secure IAM
systems that scale to accommodate growth in user populations, application coverage, and new business units
brought on board. We manage some of the largest IAM implementations in the world spanning thousands of
applications, hundreds of thousands of users, and millions of entitlements.
Access Privileges: The access rights that a user has to a system resource, such as the right to access, view, modify, create, or delete.
Access Request: Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.
Account Management: A set of processes to manage authentication in connected systems. This primarily involves the creation and deletion of user accounts in the connected system.
Active Directory: A Microsoft application that provides authentication and authorization resources to Microsoft Windows and other Windows applications.
Activity Monitoring: A means to monitor user actions (e.g., access to systems, modifications to data) using log data collected from systems or applications.
Attribute: A single piece of information associated with a digital identity. Examples of attributes are name, phone number, and institution affiliation. Each piece of identifying information about a user can be thought of as an attribute of that user. Users have identity attributes, each of which may be stored on one or more target systems.
Audit: The independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit Deficiency: Auditor’s finding that an IT control is not effective. The term is commonly used in SOX audits to flag a control deficiency that could adversely affect the company’s ability to report external financial data reliably.
Audit Log: A log that captures a record of events that have occurred within a system or application. For example, an audit log may contain all logins made to the system, the name of the persons making the logins, the time the logins occurred, etc.
Authentication: The process of establishing confidence in the validity of a claimant’s presented identifier, usually as a prerequisite for granting access to resources in an information system.
Authoritative Source: The system that contains the definitive online value for a particular identity attribute. In some cases, a system is authoritative because it creates the value (for example, employee ID number). In other cases, a system is authoritative because it is the place where a user must go to enter the information (for example, cell phone number).
Authorization: The process of granting or denying access to an information resource based on defined policy.
Breach: The successful defeat of security controls, which could result in an unauthorized penetration of a system or application; a violation of controls of a particular system such that information assets or system components are unduly exposed.
BYOA: Bring Your Own Application refers to the policy of permitting employees to access personal application accounts (e.g., Facebook, LinkedIn, TripIt) while in the workplace.
BYOD: Bring Your Own Device refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications.
Certification: See Access Certifications.
Continuous Compliance: Using processes and tools to meet compliance requirements in an automated, consistent, and predictable manner, rather than treating compliance as a one-time event.
Correlation: The process of combining identity data from disparate data sources into a common schema that represents an identity. Identities can be linked automatically to application accounts and access rights using correlation rules or manually using a tool to establish the correct links.
Datacenter: A facility used to house computer systems and associated components, such as servers (e.g., web servers, application servers, database servers), switches, routers, data storage devices, load balancers, wire cages or closets, vaults, racks, and related equipment.
Delegation: A process where a reviewer or approver can pass his decision authority to another user, either temporarily or permanently.
Deprovisioning: A process to delete a user account in a system.
Detective Control: A procedure, possibly aided by automation, that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.
Directory: A shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.
Entitlement Management: A mechanism for centrally defining the applications and services to which a user may be given authorization. It is the process of granting, resolving, enforcing, revoking and administering fine-grained access entitlements (also referred to as “authorizations,” “privileges,” “access rights,” “permissions” and/or “rules”).
Escalation: A process to alert, notify, or delegate an action when a reviewer or approver fails to respond to a request after a defined period of time.
Governance: The system of rules, practices and processes by which an organization is directed, measured and controlled.
Gramm-Leach-Bliley Act (GLBA): Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain information sharing practices.
Group: A collection of users to simplify access control to computer systems. Traditionally, groups are static: one defines a group by individually selecting its members. In dynamic groups, however, all users that match specified search criteria will be considered a member of this dynamic group.
Hybrid IT: Hybrid IT is an approach to enterprise computing in which an organization provides and manages some information technology (IT) resources on-premises (in the datacenter) but uses cloud-based services for others.
Identity Cube: A multi-dimensional view of each identity and their associated access and attributes.
Identity Governance: Identity management software that automates the rules, practices and processes to manage and control user access to critical applications and data. Identity governance allows organizations to improve accountability and transparency, meet compliance mandates and better manage risk.
Identity Provider (IdP): A system that creates, maintains, and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network.
Least Privilege: A concept that seeks to restrict a user’s access (e.g., to data or applications) or type of access (e.g. read, write, execute, delete) to the minimum necessary to perform his or her duties.
Password Reset: A process or technology that allows users who have either forgotten their password or triggered a lockout to authenticate with an alternate factor and then define a new password.
Password Synchronization: A solution that takes a password from a user and changes the passwords on other resources to be the same as that password.
Preventive Control: An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on its business.
Payment Card Industry (PCI) Data Security Standard (DSS): A standard developed by the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
Policy: An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates.
[continuation of an entry whose beginning is not in the extracted text] … systems, or to run services on systems, or by one application to connect programmatically to another.
Policy Evaluation: Rules that automatically enforce policy by checking an operation for policy violations before granting it.
Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity. Automated user provisioning is intended to speed and simplify the administration of users and their access privileges. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.
Public Cloud: A cloud computing environment that is open to the general public and delivered via the Internet, outside of any enterprise firewall. Public cloud computing uses cloud computing technologies to support customers that are external to the provider’s organization. Using public cloud services generates the types of economies of scale and sharing of resources that can reduce costs and increase choices of technologies.
Remediation: The act or process of remedying a compliance problem or issue, such as a policy violation.
Reverse Proxy: Software that provides a single point of authentication to web servers on an internal network. The reverse proxy architecture has the advantage of not requiring software to be installed on each web application.
Revocation: The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification.
Risk: The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.
Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.
Risk Management: The total process of identifying, controlling, and mitigating risks.
Risk Mitigation: A process to reduce either the probability or the consequences of a threat. Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts.
Risk-based Authentication: A method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive.
Role: A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.
Role Assignment: The process of granting roles to users. A role may be implicitly assigned to a user, i.e., some database will include a rule of the form “users matching requirements X should be automatically assigned role Y.”
Role-Based Access Control (RBAC): A model that limits user access based on the user’s role within an organization.
Role Creation: The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.
Role Certification: The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.
Role Lifecycle Management: The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics.
Role Management: Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed — the entitlements associated with a role must be reviewed and updated and the users assigned the role, implicitly or explicitly, must be reviewed and changed. Role Management includes the business processes used to effect these reviews and changes.
Role Model: A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/role membership and role set activation. A role model is a set of role definitions and a set of implicit or explicit role assignments.
Rules: A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates.
SAML: Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
Sarbanes-Oxley Act (SOX): Also known as the “Public Company Accounting Reform and Investor Protection Act,” a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S.
Security Information and Event Management (SIEM) Technology: Security information management (SIM) provides log management—the collection, reporting and analysis of log data—to support regulatory compliance reporting, internal threat management and resource access monitoring. Security event management (SEM) processes event data from security devices, network devices, systems and applications in real time to provide security monitoring, event correlation and incident response. The technology can be used to discover activity associated with a targeted attack or a security breach, and is also used to satisfy a wide variety of regulatory requirements.
Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.
Separation of Duty (SoD): An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. It refers to mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a system. As a security principle, it has as its primary objective the prevention of fraud and errors. This principle is demonstrated in the occasional requirement for two signatures on a bank check, or by preventing a person from authorizing their own workflow requests. Also sometimes called Segregation of Duties.
Service Account: A type of shared account that is used for application-to-application communications when secured access must be granted by one system to another system.
Shared Account: A login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared by administrators: for example, root, sa or Administrator.
System for Cross-Domain Identity Management (SCIM): An open standard used to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary create, read, update, and delete (CRUD) operations.
Single Sign-On (SSO): An authentication process where the user can enter one username and password and have access to a number of resources within an enterprise, eliminating the need to separately authenticate and sign on to individual applications and systems.
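The glossary entries for Separation of Duty, Preventive Control, Detective Control, Role Assignment and the identity risk score describe one mechanism from several angles. The following is an added example, not SailPoint's code; the role names, assignment rules, SoD policies, severities and identities are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodPolicy:
    """Two mutually exclusive role sets; holding a role from each side is a violation."""
    name: str
    left: frozenset
    right: frozenset
    severity: int  # constructed weight used to prioritize violation response


@dataclass
class Identity:
    name: str
    attributes: dict
    roles: set = field(default_factory=set)


# Constructed rules of the form "users matching attributes X are assigned role Y".
ASSIGNMENT_RULES = [
    ({"department": "Finance"}, "AP_Clerk"),
    ({"title": "Controller"}, "Payment_Approver"),
    ({"department": "Engineering"}, "Developer"),
]

# Constructed SoD policies: invoice entry vs. payment approval, development vs. production deployment.
POLICIES = [
    SodPolicy("invoice-vs-payment", frozenset({"AP_Clerk"}), frozenset({"Payment_Approver"}), 800),
    SodPolicy("dev-vs-prod-deploy", frozenset({"Developer"}), frozenset({"Prod_Deployer"}), 500),
]


def assign_roles(identity):
    """Implicit role assignment: add every role whose rule matches the identity's attributes."""
    for match, role in ASSIGNMENT_RULES:
        if all(identity.attributes.get(k) == v for k, v in match.items()):
            identity.roles.add(role)
    return set(identity.roles)


def violated_policies(roles, policies=POLICIES):
    """Names of the SoD policies a role set violates (a role on each side of the conflict)."""
    return [p.name for p in policies if roles & p.left and roles & p.right]


def evaluate_request(identity, requested_role, policies=POLICIES):
    """Preventive control: check the operation before granting it.

    Returns (allowed, violations); the request is refused when granting the role
    would put the identity on both sides of any policy.
    """
    prospective = identity.roles | {requested_role}
    violations = violated_policies(prospective, policies)
    return (not violations, violations)


def risk_score(identity, policies=POLICIES):
    """Identity risk score: sum of the severities of the policies it currently violates."""
    severity = {p.name: p.severity for p in policies}
    return sum(severity[n] for n in violated_policies(identity.roles, policies))


def detect_violations(identities, policies=POLICIES):
    """Detective control: scan access already provisioned and report violations,
    highest-risk identity first so remediation can be prioritized."""
    findings = []
    for identity in identities:
        violations = violated_policies(identity.roles, policies)
        if violations:
            findings.append((identity.name, risk_score(identity, policies), violations))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def build_sample_identities():
    """Constructed population; roles come from the assignment rules plus one explicit grant."""
    alice = Identity("alice", {"department": "Finance", "title": "Analyst"})
    bob = Identity("bob", {"department": "Finance", "title": "Controller"})
    carol = Identity("carol", {"department": "Engineering", "title": "Engineer"}, {"Prod_Deployer"})
    for identity in (alice, bob, carol):
        assign_roles(identity)
    return [alice, bob, carol]


if __name__ == "__main__":
    people = build_sample_identities()
    alice = people[0]
    print("alice requests Payment_Approver:", evaluate_request(alice, "Payment_Approver"))
    print("alice requests Developer:", evaluate_request(alice, "Developer"))
    for name, score, names in detect_violations(people):
        print(f"{name}: risk {score}, violates {names}")
```

Bob's conflict arises from two implicit assignments that are each reasonable on their own, which is why the detective scan is needed alongside the preventive check on new requests.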
Network World
Provides information, intelligence and insight for network and IT executives, with an editorial focus on delivering
news, opinion and analytical tools for key decision makers who architect, deploy and manage business solutions.
www.networkworld.com
SC Magazine
Aims to provide IT security professionals with in-depth and
unbiased information. Each monthly issue contains news,
analysis, features, contributions from thought leaders and
product reviews. Established in 1989, it is the longest
established IT security title in the United States.
www.scmagazine.com
SearchCloudComputing
Created to help information technology (IT) professionals, application developers and chief information officers
(CIOs) stay well-informed on the rapidly advancing topic of Cloud Computing. Offers content to serve the unique
needs of all members involved in cloud computing decisions at an enterprise level.
www.searchcloudcomputing.techtarget.com
SailPoint, the industry leader in identity and access management, empowers the world’s largest organizations to
accelerate business performance, mitigate risk, reduce IT costs and ensure compliance. The company’s innovative
on-premises and SaaS IAM solutions provide superior visibility into and control over user access to sensitive
applications and data, regardless of where they reside. SailPoint’s product suite provides customers a unified solution
for compliance, user provisioning, access management, and identity intelligence — all based on an integrated
governance model. Founded in 2005, the company is headquartered in Austin, Texas, and has offices in Australia,
France, Germany, Great Britain, India, Netherlands, Singapore, South Africa, and Switzerland.