FIFTH EDITION. Identity and Access Management Buyer's Guide
- Madeleine Gilbert
What's Inside

The Identity Revolution Is Here: Are you ready?
IAM for Tomorrow. Today: Craft a long-term, sustainable identity strategy.
Start with the End in Mind: Identify priorities and establish clear goals.
Gain Confidence with Quick Wins: Choose a path with the strongest returns.
Ask the Right Questions: Evaluate core requirements.
SailPoint Identity and Access Management: A smarter way to manage identity.
The SailPoint Advantage: Future-proof your IAM program with SailPoint.
Glossary
Resources
Get Started: Don't worry, be ready with SailPoint.

SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
The Identity Revolution Is Here.
Are You Ready?

Today's business world is changing rapidly, and so are your IAM requirements. Maybe you're moving more applications into the cloud. Or you're rethinking security and access control in light of "Bring Your Own" trends. Or you're simply trying to scale your programs to match the speed of business change. A successful identity and access management strategy can position your organization to better handle whatever the future brings. It can move you toward stronger security and more sustainable compliance, reduced risk, improved service levels and lower operational costs.

This guide is designed to help ensure a smooth, speedy journey along the way. It covers everything from building a solid understanding of today's business goals, to reviewing the available choices, to planning for and selecting a solution. Designed as a workbook, with checklists and targeted, detailed information, it's a practical tool that you can use to build a request for proposal (RFP), evaluate vendors, and conduct a side-by-side product analysis.

In the pages that follow, we show how identity and access management can be a powerful force for risk management and business improvement on several levels. We present typical concerns and issues that identity and access management can address. We share pathways to help you achieve quick wins when implementing solutions. And we help you assess your functional priorities with checklists that can help make sure you don't overlook anything. As we wrap up, we provide a quick introduction to SailPoint's complete identity and access management solution. We also provide a glossary of terms and a list of resources where you can find additional information.

We hope you find reading this guide a useful step on your journey to next-generation identity and access management. Give us a call when you're ready to move ahead!

Kevin Cunningham
President and Founder, SailPoint
IAM for Tomorrow. Today.
Craft a Long-term, Sustainable Identity Strategy

Rapid technological change is becoming a way of life for today's identity and access management (IAM) professionals. As cloud, mobile and other IT consumerization trends gain traction and velocity within the enterprise, organizations must look beyond traditional IAM and put in place solutions designed for the future. What is required is an IAM strategy that underpins and enables evolving business needs while at the same time meeting security, privacy and compliance requirements.

The changes impacting IAM are all around us. What was once a locked-down corporate network is now a globally connected enterprise that extends well beyond the boundaries of the datacenter. There are more people connecting to critical data and applications, both inside and outside the enterprise. The proliferation of mobile devices enables anytime/anywhere access. More and more employees work remotely, and business partners and customers expect on-demand access to corporate applications and data. In the face of overwhelming chaos and complexity, IT is still on the hook to manage and control access.

In order to secure and protect the new extended enterprise, you will need an IAM solution that centralizes policies and controls and provides visibility into who has access to what across all resources, both in the cloud and on-premises. As a result, leaders must work together to implement the right IAM solution to be able to answer the following key questions:

Am I adequately safeguarding information assets and sensitive data?
Can I prevent and detect fraud, misuse, or unauthorized access?
Can I confidently attest to the adequacy of internal controls?
Can I cost-effectively meet and prove compliance with regulatory requirements?
Are users provided the right access for their role in an efficient manner?

IAM must be viewed as a business issue, as much as it is a technology issue.
IT and business users need to work together to define policy and controls, monitor the effectiveness of controls, and better manage organizational risk. To this end, key identity business processes, including compliance, provisioning and SSO, must be seamlessly integrated.
Jackie Gilbert, CMO & co-founder, SailPoint
Gone are the days when IAM success was defined by automating internal user provisioning to a few birthright applications and leaving everything else to the helpdesk, or providing single sign-on to web applications inside the firewall. The answer to yesterday's business needs is not the answer to today's complex business challenges. In today's world, IAM solutions need to deliver access services efficiently and cost-effectively to internal and external users. They must manage resources in the datacenter and in the cloud, while delivering identity services to almost any device (desktops, tablets and smartphones), all while meeting compliance requirements around security and privacy.

Faced with these multi-faceted challenges, the right approach should be formulated with sustainability in mind. Identity and access management must address the immediate, tactical needs facing the organization, but at the same time it must be part of a strategy for long-term business improvement. Here are some key issues to consider as you formulate your IAM strategy:

Rapid adoption of cloud apps by the business is a reality. You can no longer assume that all critical applications and data will reside inside the corporate network. A growing number of new applications will be deployed as a service from the cloud, and you will need to provide access controls and governance over them in the same manner as on-premises applications.

Mobile access and bring your own device (BYOD) are trends that can't be ignored. In many cases, your organization will no longer own the endpoint device (e.g., a personal phone or tablet). Access to corporate assets in the cloud can now occur from a variety of devices, without ever touching the corporate IT infrastructure, yet access must still be controlled and managed.

As the complexity of the IT environment grows, you don't have time to waste integrating disparate tools.
You need to manage IAM as a set of integrated business functions, not functions that operate in silos. Deploying cloud-only solutions, or buying governance, provisioning, or access management solutions as separate products, limits your visibility and control and increases the cost and complexity of IAM projects.

Governance should be considered a fundamental component across all identity and access management processes, not something auditors work on after the fact. By embedding policy and controls throughout all identity processes, organizations can achieve ongoing, sustainable compliance and reduce the need for after-the-fact remediation and expensive manual processes.

IT can't do it all. You need to involve the business units and business users in IAM processes where appropriate. To empower the business and speed the delivery of services, you need simple, intuitive self-service capabilities for signing on to applications, requesting access, and resetting passwords. You also need the support of the business to identify sensitive resources, define access policy, and better manage risk.
A Smarter Way to Manage Identity

To keep pace with today's modern IT environments, organizations must embrace a new approach to identity and access management, balancing the needs of business enablement, security and cost containment. Traditional IAM approaches treat governance, provisioning and access management as separate activities, making it costly, complex and burdensome to enforce access controls, meet compliance requirements and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all of these efforts: one that allows compliance, provisioning and access management processes to leverage a common governance framework for roles, policy and risk management across all resources, from the datacenter to the cloud. This evolution involves four critical shifts:

Bridging cloud and on-premises IT: Silos make sense for a wheat farm, but not for your server farm. To effectively manage risk and gain insights to make your workforce more productive and secure, it is imperative that you gain visibility and control of users' access rights and activity spanning on-premises IT and cloud services. What is required is true cross-domain IAM that manages and controls access across datacenter and cloud applications.

Extending IAM to personal mobile devices: Today's business users expect convenient access to cloud and web applications from any device, at work, at home or on the go. The right IAM solution can help you more effectively apply security policy, detect violations and ensure regulatory compliance no matter how and where applications are accessed. Look for IAM solutions that integrate out of the box with mobile device management (MDM) tools to extend enterprise management and control to corporate applications and data on mobile devices.
Seamless integration of access and identity: Providing access management and single sign-on capabilities from a unified identity and policy data store not only provides greater flexibility to respond to business changes, but can greatly reduce the total cost of ownership. Your IT team can focus more on protecting the business and providing innovative services, with no more redundant servers and middleware to maintain, nor duplicate data and policy stores to synchronize.

Delivering IAM for the business: The right IAM solutions facilitate collaboration between IT and business teams through easy-to-use graphical user interfaces and intuitive dashboards. Today's IAM tools need to be simple enough for non-technical users to participate in business processes such as single sign-on, access request, access certification, policy definition, and password management.
Start with the End in Mind.
Identify priorities and establish clear goals.

Identity and access management is a strategic imperative for organizations of all sizes. Companies ranging from large, multi-national enterprises to smaller, fast-growing businesses must address requirements to protect and govern access to critical applications, systems and databases, whether in the cloud or on-premises. Identity and access management plays a critical role in enabling organizations to inventory, analyze and understand the access privileges granted to their employees, and to be ready to answer the critical question: Who has access to what?

At the same time, today's enterprise demands faster and higher levels of service delivery across an increasingly diverse and dynamic environment:

There are growing populations of external users, such as partners, agents, and customers, that need access;
New users come on board daily, requiring immediate access to enterprise resources;
Users' responsibilities change, or their relationships with the enterprise end, and access must quickly be modified or revoked;
Users want fast, convenient access to resources anytime, anywhere, using smartphones and tablets; and
Some applications and users represent a higher level of risk to the organization than others and require more focus.

For IT staff, the challenge becomes how to meet service-level demands while identifying and managing high-risk activities, enforcing policy and security, maintaining stringent controls and addressing compliance requirements. Because there are many different business drivers for identity and access management, you may wonder how and when to put the different components of a solution in place. The answer depends on your business priorities and the immediate challenges facing your organization. To get started, step back and assess your most urgent issues. Do you understand what you want your solution to help you achieve?
Here are some common business goals that can help you determine your own unique priorities:

Speed delivery of access to business users;
Increase business user productivity;
Manage access across on-premises and cloud applications;
Reduce the cost of managing access change;
Eliminate audit deficiencies and improve audit performance;
Lower the cost of compliance; and
Salvage or replace an existing provisioning system.

So let's look in more detail at the business drivers for identity management: the goals organizations most frequently hope to achieve with their implementation.
Speed Delivery of Access to Business Users

"I can't keep up with the incoming requests for managing user access across the organization. There's got to be a better way!"

Given the fast-paced and dynamic environment of business today, IT organizations are challenged to keep up with the demand for identity and access management services, and to do so in a compliant manner. Business users cannot wait days or weeks for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated. Changes to user access must be performed in near-real time, while remaining a controlled and auditable process that is visible to the business.

The current state of IAM in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:

Heavy use of disparate manual access request and change processes;
Lack of end-user participation and visibility into identity management processes;
Ad hoc methods for dealing with external identities and their access rights;
Growing number of cloud-based applications that are managed outside of IT; and
Help desk staff that are over-burdened with access requests and password resets.

What organizations need is an easier, more cost-effective way to deliver access to the business. With the right self-service tools, business users can manage their own access, from requesting new accounts or roles to recovering forgotten passwords, using intuitive, business-friendly interfaces. In addition, today's user provisioning solutions offer easy-to-configure options for automating the entire access lifecycle of a user based on event triggers from authoritative sources, to minimize the need for manual changes.
By providing an integrated approach that leverages business-friendly self-service access request tools and automated lifecycle event triggers, identity and access management can streamline the delivery of user access across your organization while continuously enforcing governance rules and compliance policies. It also empowers business users to become active participants in the identity and access management process, enabling them to manage their own access and passwords while providing them with full visibility into active requests, thereby reducing the workload on help desk and IT operations teams.

Increase Business User Productivity

"Our business users have to remember so many passwords, they're writing them on yellow sticky notes in plain view."

Whether you're using identity management for internal users (employees and contractors) or external users (partners, agents, customers), you want to implement technologies that reduce the burden of accessing business services. Having the right identity and access management strategy can reduce internal costs and improve productivity, but it can also contribute to revenue growth and profitability, as more and more users are business partners, agents or customers. As IT becomes more consumerized, all types of users expect quick, convenient access. And that access is no longer limited to logging in from a corporate laptop or PC: today's workers want access anytime, anywhere, via any device. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute, and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear.
Here are some questions you should consider as you plan your strategy to ensure your IAM solution delivers convenience and improves user adoption and productivity:

Do you make it as simple as possible for new users to register and begin using your business services, even if they have no prior relationship with your organization?
Can users request new access from a self-service tool without having to call the help desk?
Do you provide simple password reset capabilities for users who have forgotten their username or password?
Do you offer users a streamlined and personalized single sign-on experience for all their applications, regardless of where they are hosted or how employees access them, via a desktop, laptop or mobile device?
Do you use risk-based authentication to ensure that low-risk transactions are as easy as possible, but high-risk transactions require more assurance?

Manage Access across On-premises and Cloud Applications

"We've lost visibility and control over applications in the cloud. We're not even sure about what's out there."

As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity of this environment, business units are gaining more autonomy to buy and deploy applications, which can often house sensitive corporate data, without consulting or involving the IT organization.
Signs that your organization is struggling to manage new cloud applications include:

IT is not fully aware of the mission-critical cloud applications in production across various departments and business units;
Business units are performing their own user administration via spreadsheets and manual updates;
Business units are requesting that IT integrate cloud applications with directories for periodic synchronization;
Business units are purchasing their own identity and access management solutions without consulting IT or considering what IAM infrastructure is already in place; and
IT audit processes, such as access certifications, have not been extended to cover cloud applications.

A proper identity and access management solution should help enterprises embrace the cloud while at the same time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full regulatory compliance. Successful IAM solutions will allow you to automate compliance and provisioning processes for cloud applications in the same manner as on-premises applications. At the same time, they should provide end users with convenient access to cloud applications and empower them with single sign-on from any device, at work, at home or on the go with mobile devices.
Reduce the Cost of Managing Access Change

"Requesting new access, or even changing a user's existing access, is a daunting task in our company. To add access to a single system can take an extraordinary effort to accomplish."

Managing the complex relationships between thousands of users and millions of access privileges continues to be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations the processes and tools used to request or change user access are highly manual, the result is inefficient and costly execution of access requests and changes. Does your organization wrestle with the following problems when fulfilling access changes across enterprise IT systems?

Multiple front-end processes are used by the business to request new or change existing access privileges;
Heavy reliance on help desk or IT admins to assess and implement access changes;
Manual processes are required to facilitate changes to user access; and
Different provisioning/deprovisioning processes are used for different applications.

If these situations sound familiar, it's time to take a different approach. You need to centralize the delivery of access across disparate IT resources, spanning both the datacenter and the cloud, and reduce the costs associated with managing the initiation and fulfillment of access requests and changes. The right identity management solution automates identity lifecycle events, such as onboarding new hires and managing job transfers, by directly assigning or changing roles and entitlements to match a user's current job function. It can also automate removal of access privileges upon termination. By automating these events, organizations can reduce the number of self-service requests initiated by business users, the number of approvals required to grant access, and the number of calls to the help desk.
In addition, a centralized solution can orchestrate the automation of changes to access rights for all applications regardless of how last-mile provisioning changes are performed: via the help desk, a manual process, or an automated provisioning solution.

Eliminate Audit Deficiencies and Improve Audit Performance

"We failed an audit. I need a tool that can help us get back into compliance quickly!"

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls receive negative audit findings in the form of control deficiencies or material weaknesses. Here are some of the most common identity risks auditors are looking for:

Orphan accounts: Access that remains active for employees or contractors after termination, due to failure to remove privileges;
Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles, resulting in employees with access beyond their job requirements;
Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties;
Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit; and
Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you've failed an audit due to weakness around any of these identity risks, we have good news. The right identity and access management solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit. More chances of seeing audit performance improve over time.

Lower the Cost of Compliance

"Compliance is time-consuming and expensive. I need to get my costs under control."

Compliance can be complex and difficult and, as a result, costly. Meeting industry and regulatory mandates requires organizations to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges.
Signs that show you need to cut compliance costs include:

Building or leveraging multiple homegrown solutions to handle audit and compliance needs;
Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement;
Using inefficient tools like spreadsheets to drive manual compliance processes; and
Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too much time and effort is spent on low-risk users.

To gain better control of your identity and access data, including centrally defining policy and risk and automating your access certification process, you need to replace expensive paper-based and manual processes with automated tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier-to-manage access certification effort. If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, a governance-based identity and access management solution is the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.
Salvage or Replace an Existing Provisioning System

"Help! The provisioning solution we've deployed is not meeting our expectations with regard to compliance and is not sustainable for our future needs."

Many organizations have a legacy user provisioning solution that no longer meets their needs, doesn't do what the vendor promised it would, or, more importantly, in the case of several products, including Sun Identity Manager and BMC Identity Manager, will no longer be supported in the future. Do you find yourself facing any of the following issues with your existing provisioning solution?

Your project is behind schedule and over budget;
You lack the necessary coverage for applications;
Your provisioning product is being retired and must be replaced; or
You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, SoD violations, and more.

Now is the time to address those issues and migrate away from your legacy provisioning platform. Invest in a technology that will address your current provisioning challenges, improve your overall identity and access management strategy, and integrate with what you have in place today. Look for a solution that will provide your organization a smooth transition and allow you to take a non-disruptive, stepwise approach while making the most of your existing investment as you transition to a next-generation solution. The new solution must also be able to balance core user provisioning requirements (add, change and delete user accounts, plus password management) with user-friendly interfaces and processes that empower business users to request and manage access on their terms. Finally, and most importantly, it must offer an integrated approach to IAM. Governance and compliance should be handled as an integrated activity within your identity infrastructure, not as a separate process.
Taking Stock

Once you've evaluated your business drivers for identity and access management, you'll be in a better position to prioritize your investments. If you're like most organizations, you have more than one motivating factor, so the key is identifying your one or two most important business imperatives. Moving ahead without prioritizing may cause you to spend precious resources in the wrong places, inhibiting your ability to meet your most critical needs in a timely manner.

The good news is that investing in the right solution will enable you to realize some quick wins, while at the same time strengthening your organization for the long term. Depending on your business priorities, these immediate results could save you money and reduce the compliance burden on IT; improve your audit performance; improve the efficiency of identity business processes like access request and delivery; address shortcomings with your existing provisioning system; streamline secure access management to cloud and Web applications; and extend IAM to your cloud applications.

Whatever path you choose to embark on first, you should avoid taking on every business problem on day one. Best results are achieved by taking a stepwise approach where your project is focused on the business units, departments, or applications that align with your business goals, whether they are corporate agility, operational efficiency, service-level improvement, or regulatory compliance.
Gain Confidence with Quick Wins.
Choose a Path with the Strongest Returns

Now that you've identified your goals, you'll want to consider the steps you need to take to achieve them. You have several pathways to choose from, and you can prioritize them based on the unique business requirements and goals of your organization. In this section, we outline how to maximize your success in the shortest amount of time to achieve quick wins, while laying a strong foundation for a sustainable identity and access management program.

Find Your Starting Point

For some organizations, the driving force behind an identity and access management project may be based upon any number of challenges, such as compliance, security, operational efficiency and business enablement. For example, there might be an urgent demand to close audit gaps after a failed audit or a non-compliance penalty. For others, there may be a requirement to eliminate the inordinate costs and inefficiencies found in current provisioning and access management processes. Maybe the help desk is overwhelmed with trouble tickets and, as a result, service levels are not where they should be. Or perhaps the end user community is demanding more autonomy and wanting IT to make their lives easier.

Once you've agreed upon your top priorities and goals, you will have a better understanding of what you must achieve first. By focusing on a few quick win opportunities, you can help accelerate and build momentum for future phases of your projects. An incremental approach to project implementation helps you focus, ensuring you tackle the high priority applications and user populations that are most affected by your stated objectives. By demonstrating small, quick wins up front, you will build confidence in the solution, help ensure ongoing adoption, and make it easier to secure funding for additional projects.
Starting Point: Compliance

If audit deficiencies and the high cost of compliance are top-of-mind issues in your organization, then you may want to focus on compliance automation as a first step. Here's how to get started:

Step 1: Gain centralized visibility

The starting point for any compliance project should be to understand the current state of user access within the organization by centralizing your identity data across your high-risk datacenter and cloud applications. This stage involves creating a single repository for user and access information by aggregating data from your authoritative source (or sources) and target resources. Adding user account data to the identity warehouse can be performed by leveraging several different options for connecting to resources: flat file data load, direct connectors, or integration with an existing provisioning solution. Once you have selected the right method to aggregate your data and the data is centralized, you can move on to step two, the correlation process, which will help you resolve the inconsistencies between the various sources of identity data.
19 Step 2: Identify and close all orphan accounts Finding and eliminating orphan accounts is one of the most effective risk mitigation steps you can take in your compliance project. As part of building an identity warehouse, you can quickly correlate each application account against your authoritative identity source to identify accounts that do not correlate to users in authoritative sources (e.g., orphan accounts and system/service accounts). Once you ve identified these high-risk accounts, you can launch remediation actions for all unowned accounts remove, mark as service, or, where possible, correlate to known identities. Step 3: Automate access certifications Another quick win on the compliance front is to automate the access review process for your critical applications and systems. Once you ve aggregated and correlated your identity data, you can quickly generate a data cleanup certification on the centralized identity data by launching a manager or application owner certification for your high-risk applications. Certification reports will clearly highlight detected roles, policy violations, user risk scores and any changes from the previous certification (new users, new roles, or new entitlements). This information enables your reviewers to quickly focus on areas of potential risk and make better decisions. Your data/application owners and people managers should review the access privileges for all users. These initial certifications should be used to establish a reliable baseline of data. It s not unusual for organizations performing a baseline certification to find up to 40% of user access privileges are inaccurate or inappropriate and should be revoked. After revocations are performed, this cleansed data will be utilized by other identity management functions, including ongoing access certifications, policy enforcement, role management, user provisioning, access management, and risk analytics. 
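As an added illustration of steps 1 and 2 (example code written for this edition's editing pass, not SailPoint software or any vendor's connector), the following Python script aggregates a constructed HR extract and two constructed application account lists, correlates each account to an identity using per-application rules, and classifies whatever is left over as an orphan or a service account. The attribute names, the svc_ naming convention for service accounts, the 40%-style baseline figure it computes and all of the sample data are assumptions made for the example.

```python
"""Added example: correlate aggregated application accounts against an
authoritative identity source and flag orphan and service accounts.
All data, attribute names and rules are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed authoritative source (an HR extract). status "T" = terminated.
HR_FEED = [
    {"employeeNumber": "1001", "email": "Ada.Lovelace@example.com", "status": "A"},
    {"employeeNumber": "1002", "email": "grace.hopper@example.com", "status": "A"},
    {"employeeNumber": "1003", "email": "alan.turing@example.com", "status": "T"},
]

# Constructed account data aggregated from two target applications. Each
# application exposes different attributes, so correlation rules are per app.
APP_ACCOUNTS = {
    "crm": [
        {"name": "alovelace", "empId": "1001"},
        {"name": "ghopper", "empId": "1002"},
        {"name": "aturing", "empId": "1003"},   # owner has been terminated
        {"name": "jdoe", "empId": "9999"},      # no identity carries this number
    ],
    "finance": [
        {"name": "ada.lovelace@example.com"},   # login is the e-mail address
        {"name": "svc_backup"},                 # service account, no human owner
        {"name": "temp_admin"},                 # nobody claims this one
    ],
}

# Ordered (account attribute, identity attribute) pairs tried per application.
CORRELATION_RULES = {
    "crm": [("empId", "employeeNumber")],
    "finance": [("name", "email")],
}
# Assumed naming convention for service accounts.
SERVICE_ACCOUNT_PATTERN = re.compile(r"^svc_", re.IGNORECASE)


@dataclass
class CorrelationResult:
    correlated: list = field(default_factory=list)  # (app, account, employeeNumber)
    orphans: list = field(default_factory=list)     # (app, account, recommended action)
    service: list = field(default_factory=list)     # (app, account)


def _norm(value):
    """Case- and whitespace-insensitive comparison key; None stays None."""
    return None if value is None else str(value).strip().lower()


def build_identity_index(hr_feed):
    """Index identities by every attribute value so lookups are O(1).
    If an attribute is not unique, the last identity wins; pick rule attributes
    that are unique in your source."""
    index = {}
    for identity in hr_feed:
        for attr, value in identity.items():
            index.setdefault(attr, {})[_norm(value)] = identity
    return index


def correlate(hr_feed, app_accounts, rules, service_pattern=SERVICE_ACCOUNT_PATTERN):
    index = build_identity_index(hr_feed)
    result = CorrelationResult()
    for app, accounts in app_accounts.items():
        for acct in accounts:
            identity = None
            for acct_attr, id_attr in rules.get(app, []):
                identity = index.get(id_attr, {}).get(_norm(acct.get(acct_attr)))
                if identity:
                    break
            if identity is None:
                if service_pattern.search(acct["name"]):
                    result.service.append((app, acct["name"]))
                else:
                    result.orphans.append((app, acct["name"], "remove or assign an owner"))
            elif identity["status"] == "T":
                # Correlates, but to someone who has left: the most urgent case.
                result.orphans.append((app, acct["name"], "remove (identity terminated)"))
            else:
                result.correlated.append((app, acct["name"], identity["employeeNumber"]))
    return result


def baseline_summary(result):
    """Figures a baseline certification would report before any revocations."""
    total = len(result.correlated) + len(result.orphans) + len(result.service)
    return {
        "accounts": total,
        "correlated": len(result.correlated),
        "orphans": len(result.orphans),
        "service": len(result.service),
        "pct_needing_action": round(100.0 * len(result.orphans) / total, 1),
    }


if __name__ == "__main__":
    res = correlate(HR_FEED, APP_ACCOUNTS, CORRELATION_RULES)
    for row in res.orphans:
        print("ORPHAN ", row)
    for row in res.service:
        print("SERVICE", row)
    print(baseline_summary(res))
```

Two practical points the script makes visible: a name-based service account rule only catches accounts that follow the convention, so anything it labels an orphan should still get an owner lookup before removal, and "remove" is safer as a disable with a quarantine window than as a delete, so an account that turns out to feed a batch job fails loudly and can be restored.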
Starting Point: Provisioning

If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or making changes to existing access privileges for employees, contractors, and partners, then it may make sense to focus on user provisioning as your starting point:

Step 1: Enable self-service access request

One of the best ways to get started with provisioning is to focus on the business users first. Empowering business users to find and request access without assistance from the help desk or IT admins can save headaches and money at the same time. A centralized access request management process allows managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of your pre-defined identity governance models (including policy and roles). As part of deploying a self-service access request process, you can select manual or automated access fulfillment processes to implement the resulting changes in connected resources. Often the fastest way to get started is to leverage manual work items and help desk tickets, but this step can be combined with the step below for maximum results.

Step 2: Automate access fulfillment

Another quick win for a provisioning deployment is to automate the fulfillment of access requests down to the target resources. You can maximize the cost savings by selecting a few high-churn applications where user accounts are created, updated or deleted on a regular basis. Once you've selected the applications, you can determine the best option to complete the full integration cycle: deploying a new provisioning connector, or leveraging an existing provisioning solution that is already in place.

Step 3: Streamline password management

Password management provides a quick path to success for your IAM project by allowing end users to reset forgotten passwords without going through the help desk. Using the same business-friendly user interface, with configurable challenge/response questions, users and/or their approved delegates can change or reset passwords across target systems. Allowing end users to manage password changes themselves can significantly reduce help desk calls. Most importantly, centralized password management will enable you to consistently enforce strong password policies, customized for each application.

Starting Point: Access Management

If an ever-growing number of cloud, Web, and mobile applications is putting your organization at risk, whether through the proliferation of passwords across personal and business applications or a lack of governance over cloud applications, you may want to focus on cloud and web access management up front.

Step 1: Enable single sign-on for SaaS apps

If your organization is increasing its usage of SaaS applications, users are probably struggling to remember all of their usernames and passwords across applications. By putting in place an SSO solution for SaaS applications, you can achieve a very quick win. And by choosing a solution that includes pre-built application SSO profiles, you can speed the initial deployment and allow business users to gain immediate productivity benefits.
The right access management solution will enable your end users to sign on to all of their SaaS applications with one click, with no passwords to remember, and will work across all the devices that today's workers use to access applications, from PCs and laptops to tablets and smartphones. From an ROI perspective, you should see measurable cost savings from fewer help desk calls and less employee productivity lost to locked accounts or forgotten passwords.

Step 2: Expand SSO to internal Web applications

If you're like most organizations, your users access a combination of SaaS and internal Web applications to do their daily jobs. If so, then it makes sense to choose an SSO solution that supports both cloud and on-premises Web applications, giving your users one convenient access point for applications. This means choosing a solution with pre-built application profiles for federated SSO to major SaaS applications (e.g., using the SAML 2.0 standard); secure password replay to other third-party cloud apps; and a reverse proxy for your internal web applications. Prefer federation wherever the application supports it: password replay still leaves a reusable credential stored in the vault, whereas a federated assertion carries no password at all. (The reverse-proxy approach is recommended because it avoids the need to install and maintain agents on each and every application server.) You should also plan to implement the reverse proxy as a virtual appliance that is firewall friendly, self-monitoring, and self-updating, so that you can quickly integrate it in your environment without burdening your networking or IT operations teams. Expanding your SSO deployment to include internal Web applications can further lower help desk costs and make SSO an even more valuable contributor to worker productivity.

Step 3: Implement risk-based controls

As you implement your SSO solution across SaaS and internal Web applications, it's important to balance the need for convenience with the right levels of security and access control. The right approach is to selectively apply controls based on criticality and risk. Risk can be determined from the systems being accessed, the user's attributes, the device being used to access the systems, and more. By deploying a solution that gives your organization insight into the factors that determine risk, you can apply more stringent controls as needed. These controls can include usage monitoring, auditable per-application terms of use agreements, and strong authentication methods with policy-based triggers to step up to higher levels of identity assurance. You'll want to be highly selective in how you apply policies and controls. For applications and transactions that are not mission-critical, you should make access as seamless and easy as possible, as less stringent controls are needed.

"SailPoint supplied an automated, centralized solution that reduced the complexity of conducting manual access certifications across critical enterprise applications and a flexible role management approach that aligned access privileges with business function for improved security."
Graeme Payne, VP of IT Risk & Compliance at Equifax
Modern Identity and Access Management Components

Now that you've identified your goals and considered the steps you need to take to achieve them, you will want to find the right combination of identity and access management capabilities to help you get there. The diagram below illustrates the key components of today's IAM solutions, and the section that follows provides the key requirements for evaluating these capabilities from vendors once you begin your selection process. The new, modern identity and access management solution can serve multiple business demands and priorities using a more integrated, effective approach.

[Diagram: a Governance Platform at the center, surrounded by three capability groups. Compliance: Access Certifications, Policy Management, Audit Reporting & Analytics. Provisioning: Access Request, Lifecycle Events, Password Management. Access Management: Single Sign-On, Strong Authentication, Usage Monitoring. Beneath them, the managed resources: SaaS Applications, Mainframes, Databases, Web Applications, HR Apps, Directories, File Shares, ERP Applications, Cloud Applications.]
Ask the Right Questions
Evaluating Core Requirements

Once you have a good handle on your identity and access management needs, it's time to move ahead to evaluating solutions. You'll want to look at the individual capabilities of various identity and access management solutions in order to determine whether they can provide the functionality you need to accomplish your goals and whether they can deliver the business and technical benefits of true governance that your organization requires.

The following pages provide a framework for evaluating products. Each section includes a set of qualifying questions which can be used to evaluate products across a set of criteria required for completing a successful project. Each checklist has two answer columns, SailPoint and Others, for recording how each vendor under consideration measures up. Because identity and access management solutions should be flexible enough to allow you to start at the stage that is appropriate for your organization, based on your business and IT goals and your existing identity infrastructure, not all sections may be relevant to your needs. Apply the questions that are most appropriate to your organization at this time.

Finally, remember that checking vendor references is one of the most important steps in finding the right solution for your organization. When you have the chance to speak with someone else in the industry who has been down a similar path, be prepared with a list of questions. At the end of this section, on pages 43-44, you'll find a list of 25 questions intended for use during these reference calls.

"With SailPoint, we're able to deliver sustainable business benefits, which are good for the business, not just the IT. That savings in time and therefore money brought about by adopting IdentityIQ was one of the key attractions that moved us towards SailPoint."
Ralf Kappler, UBS Head of BBS service delivery
Building the Business Case for IAM

Providing a compelling business case for acquiring and deploying an identity and access management solution is a critical step in any project. Ask the following questions to understand how the solution under consideration can help you solve your current business problems related to governance and delivery of user access within the enterprise. Be sure to ask for example case studies and conduct reference calls for confirmation. See the list of reference call questions at the end of this section.

BUSINESS CASE REQUIREMENTS (SailPoint / Others)
- Can the solution quickly deliver a return on investment across compliance, provisioning and access management?
- Can the vendor provide real-world examples of cost savings from automating end-user access request and provisioning processes?
- Can the vendor provide real-world customer case study examples demonstrating how the solution has reduced the cost of compliance?
- Does the solution address common preventive and detective identity controls required by regulatory mandates such as Sarbanes-Oxley, HIPAA and Basel II?
- Does the solution help to proactively enforce pre-established business policies for how access should be granted within the enterprise throughout access request and provisioning processes?
- Does the solution reduce the complexity of creating an enterprise governance model across roles, policies and risk?
- Can the vendor provide specifics on how customers using the solution have leveraged identity risk metrics to improve the effectiveness of preventive and detective identity controls within their organization?
- Does the product provide a consistent user experience across IAM processes?
- Does the product provide a consistent user experience across both PC and mobile devices?
- Can the solution be used to manage internal and external user populations (e.g., business partners, consumers or citizens)?
- Is the solution architected in a way that allows you to start quickly and expand based on future needs without requiring major rework or purchase of additional solutions?
- Is the solution architected as a single, unified application that does not require the customer or system integrator to custom code integration between products during deployment?
- How quickly can the solution be deployed, and does it offer a smooth upgrade process between versions?
- Can the solution scale to support thousands of concurrent users without performance degradation?
Strengthening Compliance and Governance Controls

A successful identity and access management solution is business-friendly, reduces the cost and time involved in managing identity compliance, and strengthens controls and improves audit performance, all at the same time. The key compliance components of an identity and access management solution include automated access certifications, policy enforcement, role management, and risk modeling and analytics.

Access Certification

Automated access reviews are an effective detective identity control for regularly validating user access within the enterprise. These questions are designed to ensure that the solution you select is best suited to improve the efficiency and accuracy of your certification process and to help you meet goals for corporate accountability and compliance. Keep in mind that features which make reviews cheap (bulk approval, auto-generated campaigns) also make rubber-stamping easy; the questions below on decision history, usage data and change highlighting are what give a reviewer something to base a decision on.

ACCESS CERTIFICATION REQUIREMENTS (SailPoint / Others)
- Does the access certification feature support both technical and business user needs within the tool?
- Does the solution support managing different certification use cases by different user types out of the box, e.g., manager certifications, application owner certifications, data owner certifications?
- When certifiers review a user's access privileges, can they approve, revoke or allow exceptions?
- Can the solution create certifications for individual entitlements, such as group memberships, and assign them to the appropriate data owners?
- When access is revoked, can the solution automatically de-provision access? Can the user's SSO access automatically be removed at the same time?
- Can the software display user-friendly entitlement descriptions during a certification to provide users with a business-oriented translation of complex IT information?
- Does the solution automatically route access review reports to the appropriate certifiers?
- Does the reviewer have the ability to bulk certify/approve a particular entitlement for all users in a certification?
- Does the solution provide visibility to certification activities (e.g., completion status) on a user's dashboard?
- Can user access certifications be set up to auto-generate on a periodic cycle?
- Can the solution automatically trigger a certification based on detected changes to a user's access (e.g., user changes departments or job roles)?
- Does the solution provide an interface for defining and managing certification events?
- Does the solution support a certification sandbox where certification settings can be tested before rolling out a certification campaign to the organization?
- Can certification settings be edited in flight (e.g., modify due dates or notification schedules)?
- Does the application enable a continuous certification environment where users and their associated access privileges are regularly monitored for changes and any change precipitates a review in real time?
- Does the application highlight privileged user accounts and other high-risk accounts (e.g., service accounts) during the certification process?
- Does the solution support review and resolution of policy violations directly within a certification?
- Can the solution support certification of multi-tiered applications by allowing business users to sign off only at the high-level business application account level?
- Is certification decision history provided in active certifications to help the reviewer determine the appropriateness of access?
- Do the user certification screens highlight/identify changes in user entitlements and/or business roles since the last certification, or new users not previously certified?
- Does the solution provide user activity data on specific applications/transactions during certifications, enabling reviewers to evaluate access based on usage?
- Can automatic notifications be generated and sent to certifiers when a new certification is created?
- Can the solution escalate an overdue certification to a user's manager or other delegate?
- Does the access certification process support a challenge period to allow end users to contest a pending remediation decision before it is implemented in the environment?
- Can risk be used to define a population of end users for certification (e.g., only certify high-risk users)?
- Does the solution support delegation of users to another certifier? Can individual line items be delegated to another certifier for completion?
- Does the solution track the full history of each certification item, including delegation, forwarding, challenge, and review decisions for all entitlements and roles?
- Does the solution provide an option to support bulk remediation of all former employees' access privileges prior to beginning an access certification, thereby reducing the workload of reviewers?
- Does the solution support the definition and assessment of remediation periods, allowing the tracking of remediation activity within the target system?
- Can the solution support electronic signatures for certification sign-off?
- Does the solution provide administrative dashboards and reports to track aggregated certification metrics across the enterprise and certification campaigns?
- Does the solution provide the ability to manage certifications from mobile devices?
Policy Management

With constant changes in user access across multiple, heterogeneous enterprise and cloud applications, businesses often struggle to validate access against established access policies, including segregation-of-duty (SoD) policies, and the resulting gaps expose the organization to risk. The following questions can help you identify a solution that can simplify policy definition and automate policy scanning, detection and remediation activities.

POLICY MANAGEMENT REQUIREMENTS (SailPoint / Others)
- Does the solution support the ability to define and enforce access policy, including SoD policies between individual roles, between individual entitlements, and between roles and entitlements?
- Can SoD policy support multi-sided exclusions? For example: any of A, B, or C conflicts with any of D, E, or F.
- Does the solution support policies around activity-based data (e.g., DLP events or after-hours access)?
- Can risk-based policies be created in the application to support notification/alerting when user risk profiles change?
- Does the application support the definition of account or identity attribute access policies?
- Does the system provide a business-friendly user interface for defining and editing access policies without the need for coding?
- Does the solution provide a single policy repository that is leveraged by all identity processes, including both detective and preventive access controls?
- Can the application define policy violations within and across applications/resources, including both datacenter and cloud applications?
- Does the application automatically scan for and detect policy violations?
- When policy violations are detected, does the application automatically notify responsible parties? Are the policy violations escalated if not addressed in a defined period of time?
- Does the application support execution of a business process or workflow when policy violations are detected, allowing varying responses based on criteria such as the calculated risk of the violation?
- Does the solution provide a business-friendly user interface for managing policy violations by both business managers and compliance administrators?
- Are policy violations clearly highlighted during access reviews to allow for rapid remediation?
- When addressing policy violations, is flexibility provided to allow different actions, based on the type and circumstances of the violation?
- Can revocation recommendations be stored in conjunction with each policy rule and exposed to the user when viewing policy violations?
- Can policy owners specify a unique risk score for each policy rule in the system?
- Can the risk score of a policy be used to control notifications and corrective actions when a violation is detected?
- Does the solution provide out-of-the-box reports to track policy violation activities?
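As an added example of what several of the questions above are asking for, the multi-sided exclusion, the per-rule risk score driving the response, the stored revocation recommendation, and the preventive check of a request before it is submitted (example code written for this edit, not SailPoint's policy engine; the entitlement names, the three policies and the escalation threshold are constructed), this Python snippet models each SoD policy as a set of sides. A user holding items from two or more sides violates the policy, which is exactly the "any of A, B, or C conflicts with any of D, E, or F" shape, and it extends naturally to three sides.

```python
"""Added example: multi-sided segregation-of-duty (SoD) policies evaluated
detectively over current access and preventively over a pending request.
Entitlement and role names, policies and thresholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    name: str
    sides: tuple         # tuple of frozensets of "app:entitlement" / "role:name"
    risk: int            # 0..1000, set by the policy owner
    recommendation: str  # revocation guidance surfaced with the violation


# Constructed policy set. Holding at least one item from two or more sides
# of a policy is a violation.
POLICIES = [
    SodPolicy(
        "Create and approve payments",
        (frozenset({"erp:vendor_create", "erp:invoice_create", "erp:invoice_edit"}),
         frozenset({"erp:payment_approve", "erp:payment_release"})),
        900,
        "Revoke the approval side unless a documented compensating control exists",
    ),
    SodPolicy(
        "Developer with production deploy",
        (frozenset({"role:developer"}), frozenset({"prod:deploy"})),
        600,
        "Move deployments to the release pipeline identity",
    ),
    SodPolicy(  # three sides: any two of them together is a violation
        "Payroll edit / approve / transfer",
        (frozenset({"hr:payroll_edit"}), frozenset({"hr:payroll_approve"}),
         frozenset({"bank:transfer_submit"})),
        1000,
        "Keep at most one payroll duty per person",
    ),
]

# Constructed current access, keyed by user.
ACCESS = {
    "alice": {"erp:vendor_create", "erp:payment_approve", "role:sales"},
    "bob":   {"role:developer", "erp:invoice_create"},
    "carol": {"hr:payroll_edit", "bank:transfer_submit"},
}


def violations(access, policies=POLICIES):
    """Return [(policy, [matched items per violated side])] for one user's access."""
    found = []
    for policy in policies:
        matched = [side & access for side in policy.sides if side & access]
        if len(matched) >= 2:
            found.append((policy, matched))
    return found


def check_request(current, requested, policies=POLICIES):
    """Preventive check: only the violations the request would introduce.
    Existing violations are reported by the detective scan, not blamed on the request."""
    already = {p.name for p, _ in violations(current, policies)}
    return [(p, m) for p, m in violations(current | requested, policies)
            if p.name not in already]


def route(policy, escalate_at=800):
    """Risk-driven response: who has to act on the violation."""
    return "compliance review" if policy.risk >= escalate_at else "manager decision"


def scan(access=ACCESS, policies=POLICIES):
    """Detective scan of everyone; returns {user: [violated policy names]}."""
    return {user: [p.name for p, _ in violations(items, policies)]
            for user, items in access.items()}


if __name__ == "__main__":
    for user, names in scan().items():
        print(user, names)
    for policy, matched in check_request(ACCESS["bob"], {"prod:deploy"}):
        print("request blocked by", policy.name, "->", route(policy), "|", policy.recommendation)
```

Because the policy sides are plain sets, the same evaluation works whether a side names roles, entitlements, or a mix of the two, which is the role/entitlement combination the first question in the list asks about.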
Streamlining User Provisioning

Traditional approaches to user provisioning have failed to evolve with today's enterprise identity management needs. While originally designed to automate IT operational processes, provisioning tools are now being called on to interface directly with business users and orchestrate complex business processes. This section focuses on finding a solution which can work for both the business and IT, one that empowers the business to self-manage while automating common back-end identity management processes.

Self-Service Access Request

An identity management solution should offer a convenient and easy way for users to request new access or make changes to existing access privileges within the constraints of the pre-defined identity policy and role model. And it should allow you to gain greater transparency not only into who has access to what, but also into how they acquired access privileges. The following questions can help you review these capabilities.

SELF-SERVICE ACCESS REQUEST REQUIREMENTS (SailPoint / Others)
- Does the solution provide a business-friendly interface for requesting changes to user access?
- Can the solution facilitate requesting different types of access, including roles, entitlements and accounts?
- Does the self-service access request solution allow for additions, changes, and removals of access?
- Can users search for access using configurable metadata attributes such as name, description, owner or other keywords?
- Can the solution suggest access rights based on an analysis of similar identities? If the solution suggests access rights, is the user informed of high-risk users included in the comparative analysis?
- Does the solution allow the user to specify a priority for access requests?
- Can users request a start date ("sunrise") associated with new access requests?
- Can users select an end date ("sunset") when removing access through the self-service request interface?
- Does the solution support requesting optional IT roles for currently assigned business roles? Can the system be configured to restrict end users to requesting only optional IT roles?
- Does the solution support preventive policy-checking of self-service and delegated access requests prior to their being submitted for fulfillment?
- Does the solution give end users a business-friendly dashboard to view the status of pending and completed requests?
- Does the solution enable users to track access requests made by them and for them?
- Does the solution allow users to track the full details of an access request, including the status of approvals and fulfillment tasks?
- Does the solution allow anyone in the organization to request access for anyone else? Does the solution scope who can request access for others? Can attributes be used to define the requestor relationship?
- Does the solution offer self-service registration for external or non-employee users (e.g., contractors, partners, consumers, etc.)?
- Does the solution support creating new identities from scratch within the user interface (e.g., act as the authoritative source for creating identities)?
- Can the solution limit the data which is editable from the user interface?
- Does the solution allow you to edit identity attributes of existing users?
- Does the solution support configurable workflows to manage self-service access request/change processes such as approvals and provisioning?
- Can the solution automatically add newly requested applications to a user's SSO launchpad?
Automated Lifecycle Management

A fundamental capability of all identity and access management solutions is the automation of basic account creation, update and delete functions. Unfortunately, traditional approaches to identity management perform this through custom-coded workflows and complex policy rules. The following questions will help determine whether an identity management platform can keep pace with the dynamic nature of change in your organization.

AUTOMATED LIFECYCLE MANAGEMENT REQUIREMENTS (SailPoint / Others)
- Does the solution support the definition of automated lifecycle events, e.g., new hire, promotion, termination, that trigger access changes in enterprise and SaaS applications?
- Can lifecycle events trigger specific workflows to manage the change process from initiation through provisioning?
- Does the solution provide visibility into access changes initiated through automated change events, e.g., new hire, promotion, termination?
- Can the solution orchestrate changes to user access based on self-service access requests and lifecycle events across disparate provisioning processes?
- Does the solution provide flexible approval routing for changes initiated through self-service request or automated lifecycle events, e.g., manager, data owners, role owners, and security administrators?
- Can lifecycle events be configured from the user interface?
- Does the solution provide a graphical user interface for configuring/editing business processes and workflows associated with manually initiated access requests (including self-service and delegated requests)?
- Does the solution support delegation of approval requests to other users within the system, and is this information tracked and audited?
- Does the solution support dynamic rerouting of approval requests based on the outcome of other workflow steps, e.g., change approval routing if a policy violation is identified or if the user's risk score crosses a defined threshold?
- Can the solution automatically determine the chronological order of, and the need for, creating new accounts when adding entitlements and roles?
- Can the solution request additional information from users involved in the access request process, e.g., requester, approver, application/data owners?
- Can the solution be configured to take action based on account activity or lack of activity?
- Can the solution dynamically generate forms to capture additional information from the user based on pre-configured provisioning policies for applications and roles?
- Does the solution enable a user to self-register for access and have it create a new account either immediately or after approvals?
- Can the solution automatically add and remove SSO access to applications as part of the provisioning process?
- Does the access request and lifecycle management solution track aggregated request metrics and workflow statistics?
- Does the solution support tracking and reporting on service-level metrics?
- Are metrics available at the business process level as well as the individual workflow step level?
- Does the solution support the ability to force an electronic signature when a user is approving a request?

Password Management

Implementing a self-service interface for assisting business users in changing and resetting their passwords is one of the fastest paths to cost savings for any identity and access management project. These questions help you determine whether the solution will be sufficient to address your password management needs across enterprise and cloud-based systems, including defining and enforcing password policies, self-service changes and resets, and password synchronization across systems. Note that synchronizing one password across systems also means one compromised credential unlocks all of them, so pair synchronization with strong authentication in front of the highest-risk systems.

PASSWORD MANAGEMENT REQUIREMENTS (SailPoint / Others)
- Does the solution allow end users to manage their own passwords, i.e., reset forgotten passwords and change existing passwords?
- Does the solution provide an option to help users reset forgotten passwords from the Windows logon screen (i.e., via a GINA or Credential Provider plugin)?
- Does the solution support the following constraints: minimum/maximum length, password history constraints, exclusion dictionary?
- Does the solution support multiple password policies per application? If yes, can different policies be applied to users based on identity attributes (e.g., employee and contractor policies)?
- Does the solution automatically calculate the combined (strictest) password policy that satisfies every affected system when resetting or changing passwords across multiple systems?
- Does the solution allow delegated password administration?
- Does the solution support challenge questions for password recovery? Can the number of challenge questions presented to the user be configured based on the organization's security policies?
- Can the solution force the user to answer their authentication questions before using other capabilities?
- Can the solution provide administrators with a report detailing users who have not completed answers to challenge questions?
- Can manual password changes be synchronized across multiple systems at the same time?
- Can users manage passwords from a mobile device such as a tablet or smartphone?
- Are the end-user password management user interfaces integrated with the solution's access request user interfaces for a seamless user experience?
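As an added example of the combined-policy question above (example code written for this edit, not SailPoint's password manager; the three per-application policies and the constraint names are constructed), this Python snippet merges the policies of every system a synchronized reset will touch into the strictest policy that satisfies all of them, refuses outright when they cannot be satisfied together (a legacy eight-character maximum against another system's twelve-character minimum), and validates a candidate password against the result. The refusal matters: the failure mode to avoid is a synchronization that quietly falls back to the weakest system's rules.

```python
"""Added example: combine the password policies of all systems touched by a
synchronized reset into the strictest policy that satisfies every one of them.
Policies below are constructed; real systems' settings will differ."""
import re
from dataclasses import dataclass

CLASS_PATTERNS = {
    "upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    required_classes: frozenset = frozenset()  # subset of CLASS_PATTERNS keys
    history: int = 0                           # previous passwords that may not be reused
    excluded_words: frozenset = frozenset()    # case-insensitive substrings


class IncompatiblePolicies(ValueError):
    """Raised when no single password can satisfy all systems."""


def merge_policies(policies):
    """Strictest common policy: longest minimum, shortest maximum, union of
    required classes and excluded words, longest history."""
    merged = PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        required_classes=frozenset().union(*(p.required_classes for p in policies)),
        history=max(p.history for p in policies),
        excluded_words=frozenset(w.lower() for p in policies for w in p.excluded_words),
    )
    if merged.min_length > merged.max_length:
        raise IncompatiblePolicies(
            f"minimum length {merged.min_length} exceeds maximum {merged.max_length}; "
            "do not fall back to the weaker policy")
    if len(merged.required_classes) > merged.max_length:
        raise IncompatiblePolicies("more character classes required than characters allowed")
    return merged


def validate(password, policy, previous=()):
    """Return the list of rule failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    for cls in sorted(policy.required_classes):
        if not re.search(CLASS_PATTERNS[cls], password):
            problems.append(f"missing {cls}")
    lowered = password.lower()
    for word in sorted(policy.excluded_words):
        if word in lowered:
            problems.append(f"contains excluded word {word!r}")
    # A deployment compares against stored hashes; plaintext keeps the example short.
    if policy.history and password in list(previous)[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passwords")
    return problems


# Constructed per-application policies.
AD = PasswordPolicy("ad", min_length=12, max_length=127,
                    required_classes=frozenset({"upper", "lower", "digit"}),
                    history=24, excluded_words=frozenset({"password", "corp"}))
SAAS_CRM = PasswordPolicy("crm", 10, 64, frozenset({"symbol"}), history=5)
MAINFRAME = PasswordPolicy("racf", 8, 8, frozenset({"upper", "digit"}), history=12)

if __name__ == "__main__":
    combined = merge_policies([AD, SAAS_CRM])
    print(combined)
    print(validate("Correct-Horse-9", combined))
    print(validate("password123", combined))
    try:
        merge_policies([AD, MAINFRAME])
    except IncompatiblePolicies as exc:
        print("cannot synchronize:", exc)
```

When a system like the constructed mainframe policy cannot be brought into the merged set, the practical answer is to leave it out of synchronization and manage its password separately rather than lower the bar for every other system.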
Simplifying Access Management for Cloud, Web and Mobile

The rapid proliferation of enterprise cloud and SaaS applications has a big downside: users are wasting time trying to remember all their usernames and passwords and, more importantly, creating security issues by writing them down in plain sight or overburdening the help desk when they inevitably forget them. Asking the following questions will help you evaluate whether an identity and access management solution can provide a fully integrated cloud, web, and mobile SSO experience for users and support continued SaaS adoption in your organization.

Single Sign-on

The best way to simplify and secure access to applications while enabling convenience for the end users is with single sign-on solutions that also offer strong authentication. The following questions will help you determine if your solution is designed to seamlessly work within your environment.

SSO REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution provide a wide range of pre-built and configured SSO profiles to speed deployment?
- Are new SSO profiles for third-party vendors' products provided free of charge?
- Can you customize application profiles (name, URLs, quick links, icon) and have changes visible to all users?
- Does the solution provide an out-of-the-box portal for application access (i.e., a launchpad)?
- Can users select a particular task or function of an application and SSO directly into that activity from the launchpad or portal?
- Are profiles supported for password, federation, and proxy-based SSO for both corporate applications and BYOA?
- Does the solution provide a launchpad or portal where users can see all web and cloud applications they are entitled to and SSO into them with a single click?
- Can an unlimited number of SSO users share the same computing device, such as a kiosk or tablet?
- Does the solution allow you to automatically populate the launchpad with corporate applications based on assignments of roles or entitlements?
- Does the solution allow you to populate credentials (username/password) into the launchpad based on provisioning workflows?
- Can the system prevent the shared use of passwords between personal and corporate applications?
- Are application user IDs and passwords protected and encrypted in such a way that no one other than the end user has access to the private encryption key needed to use them?
- Does the solution provide self-service IAM functions, such as password reset, from a mobile app?
- Does the solution provide SSO from a wide variety of web browsers, regardless of how users launch the apps (e.g., via launchpad portal, bookmark, URL link, etc.)?
- Does the solution provide SSO into web and cloud applications from tablets and smartphones?
- Does the solution support optional logging of user activity?
- Does the solution automatically associate self-provisioned or BYOA application use with the corresponding known identity records for reporting and governance?
- Can administrators restrict, by policy or role, which applications, including third-party apps, are available for SSO?
- Does the solution support the presentation and audit logging of a global, system-wide terms-of-use acceptance for use of the SSO product by end users (e.g., "misuse of this product is a violation of business conduct guidelines")?
- Can the system use activity data to automatically deprovision application access after a period of non-use?
- Does the solution provide an on-premises reverse proxy and allow agentless, password-free SSO without application changes?
- Does the on-premises proxy automatically update, self-monitor, and recover?
- Does the on-premises proxy scale horizontally?
- Does the on-premises proxy support virtual hosts as well as customized URL extensions per app?
- Does the on-premises proxy provide central session control?

STRONG AUTHENTICATION REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution include strong authentication options such as one-time passwords (OTP) or knowledge-based authentication (KBA)?
- Can the solution integrate with third-party multi-factor authentication products?
- Does the solution enforce step-up authentication policies requiring strong authentication for accessing applications based on identity risk:
  All users for a specific application
  Users with highly privileged entitlements
  By business role
  Based on a user's risk score
  Based on the access environment (country, time, IP, etc.)
- Is access to the SSO solution optionally protected by strong authentication?
- Is access to the administrative functions protected by strong authentication?
Role Management

An enterprise role model can be an important tool in streamlining and simplifying identity and access management processes for the business. The following questions can help you determine whether the solution under evaluation can help you create an enterprise role model and manage the entire role lifecycle to accommodate changes in business and IT systems, while keeping the quality and reliability of the role model in place.

ROLE MANAGEMENT REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution support the creation and maintenance of an enterprise role model?
- Does the solution provide a single role model/repository leveraged by all identity processes, including compliance, provisioning and access management activities?
- Does the solution support a hierarchical role model with n levels?
- Can the business role model support both required and optional IT role associations to reduce the number of roles required in the system to effectively enforce the principle of least privilege?
- Can the solution automate the creation of roles using data mining techniques to discover potential roles using various pattern search algorithms?
- Does the solution support automated mining of both business roles (top-down) and IT roles (bottom-up)?
- Does the role mining support a directed search, whereby the user is able to narrow the focus of the mining by selecting a set of applications to mine against and by providing user specifics such as location, job title, manager or cost center (e.g., "Only mine against applications 1 and 3, and users of those applications that are in cost center 1204 and work in the Chicago office")?
- Does the role definition process include the ability to identify or suggest candidate roles during the access certification process?
- Can new role types be configured directly within the user interface?
- Does the solution support custom types of roles?
- Can the solution import an existing role model using manual or automated interfaces?
- Does the solution support the ability to read or import organizational hierarchy information?
- Can role owners provide a business-friendly description to help users understand the meaning of a role during certification and access request activities?
- Does the solution support delegation with respect to role ownership?
- Does the solution provide approval workflow options when the definition or contents of a role are changed (i.e., add, modify, disable)?
- Does the solution provide the ability to perform a what-if impact analysis on role model changes?
- Does the solution support certification of both role composition (role privilege/entitlement mapping) and role membership?
- Does the solution provide analysis of roles indicating role quality based on factors such as membership, risk, and usage?
- Can the solution detect and proactively report on the following types of issues with the role model: inactive roles, users with no roles, roles with no users?
- Can role engineers define additional metadata attributes on a role, and can those attributes be used to control IAM processes without having to customize the application?
- Can the solution detect and alert on policy violations that exist within a role definition before assigning roles to users?
- Does the solution provide the ability to assign and de-assign roles to users from the user interface?
- Can assignment be done both manually and through automated assignment and de-assignment rules associated with a role?
- Can a role assignment automatically provide SSO access to an application by adding one or more SSO profiles to a user's launchpad?
- Can a role definition be used to trigger strong authentication within the context of an SSO event?
- Does the solution provide logging and reporting capabilities for all role changes (e.g., when was the role created, who created it, who approved it)?
- Does the solution maintain all previous versions of role definitions?
- Can users easily view and roll back to previous versions of role definitions?
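The directed, bottom-up role mining and the pre-assignment policy check asked about above are easier to evaluate once you have seen a minimal version of each. The following Python script is an added example written for this checklist; it is not SailPoint IdentityIQ code, and the identity records, applications, entitlement names, cost center and the separation-of-duties policy in it are constructed assumptions. It narrows the population to a chosen set of applications and user attributes, counts the entitlement combinations shared by at least a minimum number of users, keeps only the maximal ("closed") combinations as candidate roles, and blocks any candidate whose composition would already violate an SoD policy before it can be assigned to anyone.

```python
"""Directed bottom-up role mining with a pre-assignment SoD check.

Added example for this checklist, not SailPoint IdentityIQ code. The
identities, applications, entitlements and the SoD policy are constructed.
"""
from collections import Counter
from itertools import combinations

# Constructed identity records: attributes from an authoritative source plus
# the (application, entitlement) pairs each user currently holds.
IDENTITIES = [
    {"id": "u1", "cost_center": "1204", "location": "Chicago",
     "entitlements": {("ERP", "AP_Clerk"), ("ERP", "View_Invoices"), ("CRM", "Sales_Read")}},
    {"id": "u2", "cost_center": "1204", "location": "Chicago",
     "entitlements": {("ERP", "AP_Clerk"), ("ERP", "View_Invoices"), ("HR", "Payroll_Read")}},
    {"id": "u3", "cost_center": "1204", "location": "Chicago",
     "entitlements": {("ERP", "AP_Clerk"), ("ERP", "View_Invoices"),
                      ("ERP", "Create_Vendor"), ("ERP", "Approve_Payment")}},
    {"id": "u4", "cost_center": "1204", "location": "Chicago",
     "entitlements": {("ERP", "Create_Vendor"), ("ERP", "Approve_Payment")}},
    {"id": "u5", "cost_center": "2000", "location": "Chicago",
     "entitlements": {("ERP", "AP_Clerk"), ("ERP", "View_Invoices")}},
]

# Constructed separation-of-duties policy: a role must not bundle both sides.
SOD_POLICIES = [
    {"name": "AP-SoD", "conflict": {("ERP", "Create_Vendor"), ("ERP", "Approve_Payment")}},
]


def directed_scope(identities, applications, **attrs):
    """Narrow the mining population: only the chosen applications, and only
    users whose attributes match every keyword filter (the 'directed search')."""
    scoped = []
    for ident in identities:
        if all(ident.get(k) == v for k, v in attrs.items()):
            held = frozenset(e for e in ident["entitlements"] if e[0] in applications)
            if held:
                scoped.append((ident["id"], held))
    return scoped


def mine_candidate_roles(scoped, min_members=2, max_size=3):
    """Bottom-up pattern search: count every entitlement combination (up to
    max_size) and keep those shared by at least min_members users."""
    support = Counter()
    for _, held in scoped:
        for size in range(1, min(max_size, len(held)) + 1):
            for combo in combinations(sorted(held), size):
                support[frozenset(combo)] += 1
    return [(ents, n) for ents, n in support.items() if n >= min_members]


def closed_candidates(candidates):
    """Drop a combination when a strict superset has the same support: the
    larger set describes the same users, so it is the better role candidate."""
    return [(ents, n) for ents, n in candidates
            if not any(ents < other and m == n for other, m in candidates)]


def sod_violations(role_entitlements, policies):
    """Names of policies whose conflicting pair is fully contained in the role."""
    return [p["name"] for p in policies if p["conflict"] <= role_entitlements]


def propose_roles(identities, applications, policies, min_members=2, **attrs):
    """Run the directed mining and return candidate roles with their members
    and SoD status; violating candidates are blocked before any assignment."""
    scoped = directed_scope(identities, applications, **attrs)
    proposals = []
    for ents, _ in closed_candidates(mine_candidate_roles(scoped, min_members)):
        members = sorted(uid for uid, held in scoped if ents <= held)
        violations = sod_violations(ents, policies)
        proposals.append({
            "entitlements": sorted(ents),
            "members": members,
            "sod_violations": violations,
            "status": "blocked" if violations else "candidate",
        })
    return sorted(proposals, key=lambda p: p["entitlements"])


if __name__ == "__main__":
    # Mine only ERP and CRM, only cost center 1204 in the Chicago office.
    for role in propose_roles(IDENTITIES, {"ERP", "CRM"}, SOD_POLICIES,
                              cost_center="1204", location="Chicago"):
        print(role["status"], role["entitlements"], role["members"], role["sod_violations"])
```

With the constructed data, the mining proposes two roles: an AP clerk role shared by three users, and a vendor-creation plus payment-approval combination shared by two users that is blocked because it contains both halves of the SoD policy. Real role mining tools use more elaborate algorithms and much larger populations, but the three questions to ask a vendor are the same ones this script makes concrete: can the population be scoped, is a candidate judged by who shares it, and is policy checked before assignment rather than after.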
Risk Modeling and Analytics

Most organizations struggle to understand the underlying risk posed by what users have access to and how they are using their access. In order to effectively deploy and manage enterprise identity and access management solutions, you need insight into where the risk hot spots are in your organization. The following questions address a solution's ability to take a risk-based approach and provide the functionality necessary for you to assess, manage and control threats to security posed by people, roles and applications.

RISK MODELING AND ANALYTICS REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution provide a comprehensive approach to measuring identity and access risk within the enterprise at both the user and application/resource levels?
- Does the solution track and monitor the risk of each user based on that user's access to sensitive applications and data (identity risk scoring)?
- Does the solution support the creation of an application risk model to determine the relative risk of each managed application based on pre-defined risk factors?
- Does the solution support the assignment of unique risk values to each application, entitlement and role within the system?
- Does the solution enable risk mitigation actions (e.g., certifications, de-provisioning or activity monitoring) to be targeted at high-risk users?
- Can risk scores on access be used to calculate the overall risk score of an identity within the organization?
- Can certification status or time since last certification be used as a risk factor in the model?
- Does the solution dynamically calculate a user's risk score based on changes to access within the environment?
- Does the solution support using risk scores to trigger strong authentication policies for SSO events?
- Does the solution support configurable risk factors and weightings for calculating identity or resource risk scores?
- Can attributes from authoritative sources, such as location or employee status, be used to influence an identity or resource risk score?
- Does the solution support the assignment of risk scores to policy rules (e.g., SoD policies)?
- Can the solution profile aggregate risk scores, e.g., by manager, department, location, or company-wide?
- Can aggregate risk scores be displayed graphically for easy identification of risk hot spots?
- Does the solution track risk scores over time for trending analysis?
- Can the solution alert or notify managers, application owners or compliance officers based on changes to an identity or resource risk score?
- Can high-risk users be easily identified via reporting and analytics?
- Can bulk corrective or mitigating actions (such as an ad hoc certification) be taken against high-risk user populations discovered via reporting or analytics?
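Several of the questions above (an application risk model built from pre-defined factors, per-entitlement risk values, certification age and authoritative-source attributes as factors, configurable weights, dynamic recalculation on access change, aggregation by department, and risk scores that trigger step-up authentication) describe one composite model. The Python below is an added example written for this guide, not SailPoint's scoring model; the factor names, weights, thresholds, applications and sample identities are all constructed assumptions. It shows how such a model hangs together so you can compare a vendor's answers against something concrete.

```python
"""Configurable identity and application risk scoring with aggregation and a
step-up authentication threshold.

Added example for this guide, not SailPoint's risk model. Factor names,
weights, thresholds and the sample identities are constructed assumptions.
"""
from datetime import date
from statistics import mean

# Application risk model: each pre-defined factor is rated 0-10 by the
# application owner and weighted (weights sum to 1, so results stay 0-10).
APP_FACTOR_WEIGHTS = {"data_sensitivity": 0.5, "internet_exposed": 0.3, "privileged_ops": 0.2}
APPLICATIONS = {
    "Payroll": {"data_sensitivity": 9, "internet_exposed": 2, "privileged_ops": 6},
    "Wiki":    {"data_sensitivity": 2, "internet_exposed": 8, "privileged_ops": 1},
    "ProdDB":  {"data_sensitivity": 8, "internet_exposed": 1, "privileged_ops": 10},
}
# Entitlement-level risk values (0-10); an unrated entitlement inherits the
# score of its application.
ENTITLEMENT_RISK = {("ProdDB", "dba"): 10, ("Payroll", "approve_run"): 9,
                    ("Payroll", "view_own"): 1, ("Wiki", "edit"): 2}
# Attribute factors from authoritative sources (HR status, location), 0-100.
ATTRIBUTE_RISK = {"employment": {"employee": 0, "contractor": 60},
                  "location": {"HQ": 0, "Remote": 40}}
# Composite identity weights; every component is normalised to 0-100 first.
IDENTITY_WEIGHTS = {"access": 0.5, "stale_cert": 0.2, "attributes": 0.2, "violations": 0.1}
STEP_UP_THRESHOLD = 70


def application_risk(app):
    """Weighted factor score for an application on a 0-10 scale."""
    return sum(APPLICATIONS[app][f] * w for f, w in APP_FACTOR_WEIGHTS.items())


def entitlement_risk(ent):
    """Explicit entitlement value, falling back to the application's score."""
    return ENTITLEMENT_RISK.get(ent, application_risk(ent[0]))


def identity_risk(identity, today, weights=IDENTITY_WEIGHTS):
    """Composite 0-100 score plus the components it was built from."""
    ents = identity["entitlements"]
    # Access: the riskiest entitlement dominates; each extra entitlement adds 2.
    access = 0.0 if not ents else min(100.0, 10 * max(map(entitlement_risk, ents)) + 2 * (len(ents) - 1))
    # Staleness: 10 points per month since the last certification; never certified = 100.
    last = identity.get("last_certified")
    stale = 100.0 if last is None else min(100.0, (today - last).days // 30 * 10.0)
    attributes = min(100.0, sum(ATTRIBUTE_RISK[k][identity[k]] for k in ATTRIBUTE_RISK))
    violations = min(100.0, 50.0 * identity.get("open_violations", 0))
    components = {"access": access, "stale_cert": stale, "attributes": attributes, "violations": violations}
    score = sum(components[k] * w for k, w in weights.items())
    return {"score": round(score, 1), "components": components}


def step_up_required(identity, today, threshold=STEP_UP_THRESHOLD):
    """Risk-based SSO policy: require strong authentication above the threshold."""
    return identity_risk(identity, today)["score"] >= threshold


def aggregate_risk(identities, today, key="department"):
    """Mean score per group (department, manager, location...) to find hot spots."""
    groups = {}
    for ident in identities:
        groups.setdefault(ident[key], []).append(identity_risk(ident, today)["score"])
    return {g: round(mean(scores), 1) for g, scores in groups.items()}


def high_risk(identities, today, threshold=STEP_UP_THRESHOLD):
    """Population a targeted certification or review would be aimed at."""
    return sorted(i["id"] for i in identities if identity_risk(i, today)["score"] >= threshold)


# Constructed sample identities.
IDENTITIES = [
    {"id": "alice", "department": "Finance", "employment": "employee", "location": "HQ",
     "entitlements": {("Payroll", "view_own"), ("Wiki", "edit")},
     "last_certified": date(2024, 1, 15), "open_violations": 0},
    {"id": "bob", "department": "Engineering", "employment": "contractor", "location": "Remote",
     "entitlements": {("ProdDB", "dba"), ("Wiki", "edit")},
     "last_certified": None, "open_violations": 1},
    {"id": "carol", "department": "Finance", "employment": "employee", "location": "HQ",
     "entitlements": {("Payroll", "approve_run"), ("Payroll", "view_own")},
     "last_certified": date(2024, 6, 1), "open_violations": 0},
]
TODAY = date(2024, 7, 1)

if __name__ == "__main__":
    for ident in IDENTITIES:
        print(ident["id"], identity_risk(ident, TODAY), "step-up:", step_up_required(ident, TODAY))
    print(aggregate_risk(IDENTITIES, TODAY))
    # Dynamic recalculation: revoking bob's DBA entitlement drops him below the threshold.
    print(identity_risk(dict(IDENTITIES[1], entitlements={("Wiki", "edit")}), TODAY))
```

Two things worth noticing when you evaluate a product against this: the weights are data, not code, so a compliance officer can retune them without a customization project; and the score is a pure function of current access and attributes, so it is recomputed the moment an entitlement is revoked rather than on the next scheduled refresh.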
Identity and Access Intelligence

Organizations strive for better visibility into identity and access information across their business. The following questions can help you identify whether the solution under consideration can give you the information you need via dashboards and alerts while also enabling you to run ad hoc queries and produce detailed reports on a variety of identity and access management processes.

IDENTITY AND ACCESS INTELLIGENCE REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution provide end users and managers with an easy-to-use dashboard experience where they can see actionable information or new identity-related activities?
- Does the solution include personalized administrative dashboards which highlight compliance and provisioning activities/status within the enterprise?
- Can users personalize the content and presentation of information on their dashboard?
- Are personalization settings persisted between sessions?
- Does the solution provide an extensible framework for adding customer-defined business processes to the dashboard?
- Can users drill down from the dashboard into specific tasks and/or supporting data?
- Does the solution include numerous pre-defined reports out of the box across compliance and provisioning BI needs?
- Can pre-defined reports be personalized by end users to fit their specific business needs?
- Can end users change the columns which are included in reports? The sort order of data? The grouping of data?
- Can users save reporting personalizations for easy recall and reuse?
- Does the solution provide an interactive preview option for reviewing report layouts?
- Does the solution provide charting/graphing options for internal reports?
- Is a report scheduler provided that allows user-specified reports to be run on a regularly scheduled basis? Can results be automatically sent via e-mail?
- Does the solution support saving reporting results in downloadable file formats (e.g., PDF, Excel or CSV)?
- Can the solution require users to sign off that they have reviewed a report?
- Can the solution report on historical point-in-time access as well as current state?
- Does the solution provide an ad hoc analytics interface for creating dynamic searches?
- Can ad hoc searches be saved as reports for easy recall?
- Does the solution provide a way to search on activity information according to various search parameters related to the system/activity and the target user base? For example, show all login activity on an application for users in a specific cost center with risk scores over a certain threshold.
Connectivity and Integrations

The success of an organization's identity and access management solution is highly dependent upon its ability to connect to target resources and to integrate with its IT infrastructure. The following questions will help you gauge whether the solution under consideration has the connectivity footprint to govern and fulfill access along with the ability to establish an integrated identity ecosystem.

CONNECTIVITY AND INTEGRATIONS REQUIREMENTS   SAILPOINT   OTHERS
- Can the application derive the employee/manager relationship from an authoritative identity source, such as the central HR application?
- Can the application support multiple authoritative sources for identity data?
- Does the solution allow transformation of data and execution of validation rules as part of the data load processing?
- Can the solution support collecting data from enterprise applications based in public or private clouds?
- Does the software create a single view of each user within the enterprise and their associated access privileges?
- Are all user entitlements, roles, policy information and activity data viewable within the context of an individual identity?
- Does the solution enable automated correlation of user account information using a wizard-like interface that can be operated by non-technical users?
- Does the application provide a user interface for performing manual correlation of user account privileges?
- Can an approval be associated with manual correlation of accounts?
- Does the application provide a way to designate accounts as privileged or system accounts?
- Does the solution include a centralized catalog of all entitlements in the system?
- Does the solution support associating contextual metadata with each entitlement, e.g., business-friendly description, data owner, and account type?
- Can business-friendly descriptions and other metadata be imported and associated with entitlements? Is this information presented during certification and access request processes?
- Are both automated and manual updates to entitlement metadata supported?
- Does the solution provide out-of-the-box connectors for the following categories of enterprise systems?
  directories
  databases
  platforms
  business applications
  messaging applications
  mainframes
  SaaS applications
- Does the solution provide a toolkit for creating connectors for custom or homegrown applications?
- Does the vendor provide access to all connectors free of charge? Are connectors developed in future releases included in this policy?
- Can the solution manage the complete user account lifecycle (add, edit, delete, enable, disable) for connected resources?
- Does the solution provide native support for delta aggregation of account and entitlement data from connected applications?
- Can the solution validate that changes requested are correctly implemented in the target resource?
- Can the solution manage password changes in target resources?
- Does the solution provide a web-based interface for administration and configuration of application connectors?
- Are provisioning activities recorded for audit purposes?
- Can the system orchestrate changes to user access across multiple provisioning processes?
- Does the application provide a solution for managing enterprise IT systems deployed in public or private clouds?
- Does the solution provide out-of-the-box integration with any third-party automated provisioning systems?
- Can the system support the retrieval of entitlement information through another provisioning system's connectors without the need to directly connect to the target system?
- Can the system support sending account creation and change requests to third-party provisioning systems for execution in a target resource?
- Does the solution expose web services for integrating with a third-party provisioning solution to bulk re-provision users based on role model changes?
- Does the solution support closed-loop validation of change requests through integration with a third-party provisioning solution?
- Can the solution monitor third-party provisioning system audit logs and correlate this activity data to identities under management?
- Does integration with third-party provisioning systems use industry standards such as the Service Provisioning Markup Language (SPML) or the System for Cross-domain Identity Management (SCIM) standard when supported by integrated systems?
- Does the solution integrate with help desk/service desk systems?
- Does the solution support the automatic generation of tickets through service/help desk integrations?
- Can the solution receive updates on ticket status and display the information to users when tracking requests?
- Are the following file import options supported: CSV, XML and flat files?
- Does the solution support automatic discovery of flat-file or database schemas to speed deployment?
- Does the solution support modeling fine-grained permissions such as operational rights on database tables and file shares?
- Can updates to user and access data be scheduled within the application to support regular refresh of information?
- Does the software support the definition of custom schemas for each connected application?
- Does the solution support importing and evaluating activity data (e.g., SIEM feeds and application log files) from target systems?
- Can activity data be mapped back to a known identity based on unique correlation rules?
- Does the solution support integration with service request management systems?
- Does the solution support the collection of DLP events for use in compliance and provisioning processes?
- Does the solution provide integration with mobile device management systems?
- Does the solution support integration with privileged user management systems?
- Can the solution integrate with data governance solutions?

Platform, Deployment & Configuration Options

Most organizations have a standardized set of processes and technologies that act as a foundation to their IT infrastructure. The IAM solution you are evaluating should assimilate to that standardized environment.

PLATFORM, DEPLOYMENT & CONFIGURATION REQUIREMENTS   SAILPOINT   OTHERS
- Does the solution run on a wide variety of enterprise platforms, application servers and database combinations?
- Does the solution have configurable components that tie to an integrated data store?
- Does the solution support running in a virtualized application environment such as VMware?
- Can applications run in a clustered environment for load balancing and/or fail-over purposes?
- Is the solution available as a pre-configured hardware or software appliance?
- Does the solution provide pass-through authentication, leveraging existing authentication mechanisms to authenticate users?
- Does the solution support definition of user roles and assignment of internal access rights based on roles?
- Does the solution provide out-of-the-box authorization profiles for common user types (Manager, Compliance Officer, Auditor)?
- Can the internal authorization model be configured based on customer needs?
- Can customers modify the user interface and reporting templates (color, fonts, headers, footers, logos, etc.) to meet corporate branding requirements?
- Does the application support end-user personalization of tables and charts?
- Are user preferences and personalization options stored between sessions?
- Does the solution provide standard/reference workflows?
- Does the solution enable the customization of workflows?
- Does the solution support re-usable workflow sub-processes?
- Do utilities or capabilities exist for tracking requests, workflow execution and fulfillment operations?
- Can deployment configurations be rolled forward in an upgrade?
- Can deployment configurations be easily migrated between environments (i.e., development, test, staging, and production)?
- Does the solution integrate with enterprise mail servers?
- Does the solution provide a batch scheduling utility?
- Can actions performed by users of the solution be audited? Does the solution timestamp all actions?
- Does the solution support the ability to scale tasks such as aggregations, identity refresh and certification generation across multiple hosts and threads?
- Does the vendor support and participate in standards efforts around identity and access management interoperability (e.g., XACML, SPML, SCIM, SAML)?
- Is an integrated Identity Provider (IdP) capability, providing password-free federated SSO via SAML, included with the solution so that SSO can be provided from any network?
Critical Questions to Ask During a Reference Call

Checking vendor references is one of the most important steps in finding the right solution for your organization. When you have the chance to speak with someone else in the industry who has been down a similar path, ask questions and follow up to get specific answers. These sample questions can help you focus on the information you need from references. Not all of these questions apply to every project, but they provide a good starting point for your own questionnaire.

1. Can you describe the identity management project that you worked on with this vendor? What was the main business driver for the project? When did the project begin?
2. Which specific products/modules of the vendor are you deploying?
3. What stage are you in with the product now (design, deployment, production, etc.)?
4. What is the scope of the project in terms of managed users and applications/resources under management?
5. What 2-3 key factors led you to choose this vendor for the project?
6. What other vendors did you evaluate?
7. What went well during your implementation?
8. What went poorly during your implementation?
9. Were you able to meet schedules and deadlines?
10. Did you encounter any hidden costs?
11. Were there any integration issues?
12. What type of production environment (hardware, software) do you run the product in? How well did the product fit into your production environment?
13. Did you discover things during the implementation that you would have liked to know before you started?
14. Did the vendor provide professional services or did you work with a third-party systems integrator? How large was the implementation team?
15. If third party, how well did the vendor and systems integrator work together?
16. How would you rate the quality of vendor personnel that you worked with?
17. Did the vendor's solution work as advertised? In other words, did it meet your expectations?
18. Was the vendor's solution flexible and easy to customize?
19. How would you rate the quality of support you get from the vendor?
20. How well does the vendor handle patches and upgrades?
21. Does the vendor facilitate discussions with peer groups, such as regional user group meetings and online communities?
22. What do you like least about this vendor? What do you like most about this vendor?
23. If you had to make the decision all over again, would it be the same? If not, why?
24. If you had to assign a letter grade (A-F) to this vendor, what would it be?
25. Is there anything else I should know about this product and company before we make a decision?
SailPoint Identity and Access Management
A Smarter Way to Manage Identity

Finding a solution that can automate key compliance, provisioning and access management processes and deliver risk-aware identity intelligence makes perfect sense. SailPoint offers market-leading identity and access management solutions that alleviate the cost and complexity of managing user lifecycles, meeting compliance requirements, and delivering convenient access to cloud and web applications. With a centralized, holistic approach to managing user access across the entire IT environment, SailPoint provides superior visibility into and control over user access to sensitive applications and data, both on-premises and in the cloud, helping you identify and mitigate risk.

From the ground up, SailPoint solutions are distinctively different from previous generations of identity and access management solutions. They address the needs of today's complex enterprise business and IT environment from the perspective of the business, with readily available self-service capabilities, intuitive user interfaces, powerful business process automation, and industry-leading capabilities for discovering and prioritizing identity-related business risks. IdentityIQ delivers integrated compliance, provisioning, and access management capabilities, all built on a common governance model. IdentityIQ delivers all IAM services through a consistent user experience, which empowers business users to effectively participate in a wide variety of IAM processes, including automated access certifications, policy enforcement, access request and provisioning, password management, single sign-on and identity analytics.

With SailPoint solutions you can provide fast, convenient application access that keeps business users productive, while improving the efficiency of your infrastructure, reducing operational costs, and improving security and risk management.

SailPoint IdentityIQ: One Solution for Everything Identity in the Enterprise

SailPoint IdentityIQ is a complete governance-based identity management solution that provides fast, convenient access to keep business users productive, and access controls to keep the business safe. IdentityIQ integrates provisioning, compliance and access management into a unified solution that leverages a common identity governance framework. Because of this approach, IdentityIQ consistently applies business and security policy and role and risk models across all IAM activities, from access requests to access certifications and policy enforcement, to account provisioning, user lifecycle management, password management, single sign-on and identity analytics.

With on-demand visibility into who has access to what and a business-friendly interface, IdentityIQ enables nontechnical users to effectively participate and collaborate with IT in IAM activities. Easy-to-use self-service features empower end users to request access, sign on to cloud and web applications, reset passwords and perform access reviews without involving IT operations or help desk teams.
The integrated components of IdentityIQ include:

- Compliance Manager - Streamlines the execution of compliance controls and improves audit performance through automated access certifications and policy management.
- Lifecycle Manager - Combines self-service access request and password management with automated lifecycle event management to simplify creating, changing, and revoking user access privileges.
- Access Manager - Offers governance-based single sign-on (SSO) across cloud, on-premises web, and mobile applications through easy-to-use desktop and mobile interfaces.
- Governance Platform - Centralizes identity data and provides a single place to model roles, policies, and risk to support compliance, provisioning, and access management processes across the organization.
- Connectivity Foundation - Provides flexible options for connecting to enterprise and cloud resources to aggregate identity data and orchestrate changes resulting from compliance and provisioning processes.

Industry-leading Enterprise IAM for Today's Hybrid IT Environments

SailPoint IdentityIQ provides a unified approach across core IAM activities, leveraging a common identity governance platform to provide the industry's richest set of controls spanning the datacenter to the cloud.

[Figure: IAM Services and Solution Modules. IAM services: Single Sign-On, Password Management, Access Certification, Access Request & Provisioning, Advanced Policy & Analytics. Solution modules: Compliance Manager, Lifecycle Manager, Access Manager. Governance Platform: Policy Model, Role Model, Identity Warehouse, Risk Model, Workflow Engine. Connectivity Foundation: Resource Connectors, Provisioning Integration, Service Desk Integration, MDM Integration, Cloud Gateway.]
SailPoint IdentityIQ Compliance Manager

With Compliance Manager you can:
- Reduce the cost of compliance by automating labor-intensive compliance processes
- Strengthen controls to address audit deficiencies or weaknesses
- Provide proof of compliance to internal and external auditors
- Proactively detect and prevent inappropriate access and violations of corporate policy
- Enable stronger collaboration across business, IT and audit/compliance teams

Ensure compliance while reducing cost, risk and worry.

For many organizations, compliance is top of mind. So are the complex issues and the difficult and expensive processes that come with it. That's why so many organizations are looking to streamline processes and lower the costs of compliance while still ensuring the effectiveness and accuracy that auditors demand.

SailPoint IdentityIQ Compliance Manager automates the common auditing, reporting and management activities associated with a strong compliance program, and integrates identity processes such as access certification and policy enforcement to deliver the strong detective controls that auditors demand. By taking a risk-aware approach to compliance, IdentityIQ Compliance Manager helps to prioritize the most critical compliance activities and focus controls on the users, resources and access privileges that represent the greatest potential risk to the business and the greatest possibility of a failed audit.

COMPLIANCE MANAGER AT-A-GLANCE

Access Certifications:
- Automate access review cycles with flexible scheduling options
- Present data in business-friendly language
- Focus reviewers on exceptions and high-risk items
- Track reviewer progress and actions
- Enforce a closed-loop provisioning process

Policy Management:
- Enforce multiple types of access policy across cloud and on-premises applications
- Proactively detect and prevent inappropriate access and violations in real time
- Prioritize violation response with a risk-based approach
- Track and report on violations

Audit Reporting:
- Highlight effectiveness of compliance controls
- Track compliance performance through a simple enterprise-wide dashboard
- Archive certification and policy violation history
49 SailPoint IdentityIQ Lifecycle Manager With Lifecycle Manager, you can: Empower internal and external users to independently register, request new access and change and reset passwords Quickly administer access using automated identity lifecycle events (i.e., hires, transfers, and terminations) Gain complete visibility to process execution and service-level monitoring Streamline IT operations and offload IT and help desk Handles access needs at the speed of business. In today s world of rapid, constant change, organizations need a consistent, secure and compliant approach to manage access changes and meet the needs of internal users, as well as external users such as partners and customers. That s why SailPoint IdentityIQ Lifecycle Manager provides convenient, easy-to-use self-service capabilities that allow users to register, request access and reset their passwords without involving IT or the help desk. By applying policy to all user lifecycle processes, Lifecycle Manager ensures users acquire only the most appropriate levels of access, delivering convenience without impacting the organization s security and risk posture. To simplify the ongoing process of managing workforce churn, IdentityIQ Lifecycle Manager automates change to user access resulting from a range of identity lifecycle events (i.e., new hires, transfers, moves or terminations) through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event is detected, Lifecycle Manager triggers the required changes by initiating the appropriate business process, including policy checking and approvals. 
LIFECYCLE MANAGER AT-A-GLANCE

Self-Service Access Request
- Empower users to request and manage access using an e-commerce shopping experience
- Help business users find the right access with keyword and affinity search features
- Facilitate delegated administration by managers and help desk/admins
- Provide visibility into request status and process execution

Password Management
- Allow business users to change and reset passwords
- Automatically detect and synchronize passwords
- Enable delegated password management by managers and help desk/admins
- Enforce strong password policies

Lifecycle Event Management
- Automate access changes based on HR lifecycle events (e.g., hires, transfers, terminations)
- Prevent policy violations and consistently enforce the desired state
- Orchestrate changes across automated and manual provisioning processes
- Gain complete visibility into process execution
SailPoint IdentityIQ Access Manager

With Access Manager, you can:
- Give business users consistent, convenient sign-on to all their cloud and web applications
- Support sign-on from mobile devices using the same security and credentials as from desktops
- Enforce risk-based governance controls, such as strong authentication, when and where needed
- Enable users to easily find and request access to cloud applications based on their job function and roles
- Gain complete visibility into application usage to identify and reduce unused subscription charges

Deliver convenience without sacrificing security or control.

Today's empowered workforce expects to use whatever technology will make them most productive, whether provided by the central IT team or not. And, with the consumerization of IT, users expect convenient, on-demand access that is as easy as downloading mobile applications to a smartphone. IT, however, still needs to maintain control over access while meeting these more demanding service levels.

IdentityIQ Access Manager empowers users with single sign-on (SSO) to cloud and web applications from any device, eliminating the need to remember and enter multiple user names and passwords. It delivers a consistent and convenient SSO experience for the applications that users need every day, including internal web apps such as portals, intranets, HR and ERP systems, and commercial SaaS applications.

Because Access Manager is part of the IdentityIQ suite, it leverages enterprise-wide policy and control information to make access management decisions smarter. Critical information, such as high-risk users or highly sensitive access permissions, can be used by Access Manager to enforce strong authentication where needed. Access Manager also includes application usage agreements to educate users about appropriate use policies and to capture an auditable acknowledgement that users will follow policy.
When new access is requested, it can be automatically provisioned based on the user's job function or role within the organization, via seamless integration with IdentityIQ Lifecycle Manager. Access Manager can monitor for accounts that are not regularly being used and issue alerts to managers to deactivate, or automatically de-provision, those accounts.

ACCESS MANAGER AT-A-GLANCE

Single Sign-on (SSO)
- Eliminate the need for users to remember and enter multiple user names and passwords for SaaS apps, internal web apps, and mobile apps
- Provide convenient SSO from mobile devices using the same security and credentials as from the desktop

Strong Authentication and Policy-based Controls
- Enforce strong authentication to apps based on identity risk, such as role membership, privileged account ownership, or risk score
- Provide strong authentication via a one-time password (OTP) sent to a user's phone or knowledge-based authentication (KBA) consisting of challenge/response questions
- Integrate with third-party authentication tools, such as smartcards or OTP tokens
- Educate users on the appropriate terms-of-use policy for SaaS apps

Synchronized SSO and Provisioning
- Provide a convenient App Store to add new applications to the SSO Launchpad
- Provision access to applications using the same policies and approval processes as for other IT services
- Identify unused or unauthorized accounts and report them back to the appropriate business sponsor for removal and potential cost savings
SailPoint IdentityIQ Identity Intelligence

With Identity Intelligence, you can:
- Deliver technical information in business-relevant dashboards and reports for stronger collaboration and communication between business, IT and audit staff
- Analyze and evaluate identity data to improve the effectiveness of detective and preventive controls
- Enhance overall security, compliance and audit performance
- Empower users with better visibility into potential risk factors
- Greatly reduce the cost and burden of compliance-related activities

Analyze access data to spot risks and gain insights.

Organizations strive for better visibility into potential risk factors across their business. With Identity Intelligence from IdentityIQ, organizations can transform technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information. The visibility and insights offered by IdentityIQ through dashboards, risk metrics and reporting provide a clear understanding of identity and access information and help to proactively manage and focus identity management efforts strategically across even the most complex enterprise environments.

IdentityIQ provides out-of-the-box reports and analytics tools that make it easy to track and monitor critical compliance metrics, lifecycle management processes and access data details across the organization. Advanced analytics capabilities help users to quickly create ad-hoc reports to support the unique needs of the business as well. Business-friendly reports provide compliance and audit users with the ability to monitor and analyze the organization's performance around key compliance controls, including the status of access certifications, policy violations, remediation activity and risk metrics. Business and IT users can configure the data available in the IdentityIQ dashboard with at-a-glance charts, graphs, detailed reports and task status.
The dashboard is interactive, allowing users to drill down into the source data. Each user's dashboard is tailored to his or her role and can be customized by the user with easy drag-and-drop formatting and content selection.

IDENTITY INTELLIGENCE AT-A-GLANCE

Reporting and Analytics
- Access predefined reports for compliance, provisioning and access management
- Leverage the report designer for custom reporting requirements
- Gain needed information on demand with powerful advanced search capabilities

Personalized Dashboards
- Notify users of required actions with visual alerts
- Provide one-click entry into access request, password management and compliance activities
- Deliver at-a-glance charts, graphs and reports with drill-down capabilities
- Highlight scheduled compliance events and the status of in-process tasks
SailPoint IdentityIQ Governance Platform

With the Governance Platform, you can:
- Centralize data into a common Identity Warehouse shared by all IAM processes
- Mine, model and manage roles that are leveraged across all IAM processes
- Dynamically assign risk scores for users and resources to better focus and prioritize controls
- Define and leverage access policies for detective and preventive control across all IAM processes

Centralize identity data and leverage one model for policy, risk, and roles across all IAM processes.

Traditional approaches to identity management treat governance, provisioning and access management as separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all these efforts: one that allows access management, governance and provisioning processes to leverage a common framework for roles, policy and risk management.

The SailPoint IdentityIQ Governance Platform lays the foundation for effective identity and access management within the enterprise by establishing a framework that centralizes identity data, captures business policy, models roles and takes a risk-based approach to managing users and resources. The Governance Platform allows organizations to build consistent preventive and detective controls that span all critical IAM business processes: access certifications, access request, single sign-on, password management, and automated provisioning. Likewise, reporting and analytics are consistent across all identity and access management data.
GOVERNANCE PLATFORM AT-A-GLANCE

Identity Warehouse
- Leverage a single system of record for identity data across all IAM functions and activities
- Import data using out-of-the-box connectors or via flat files

Policy Model
- Define and implement detective and preventive controls across compliance, access management and provisioning processes
- Proactively identify and route violations for review or immediate revocation

Role Model
- Define flexible role types that enforce least-privilege access
- Discover business and IT roles based on identity attributes and entitlements
- Provide automated role approvals, role certifications, role quality metrics and role analytics
- Use what-if analysis to see the impact of changes before they are implemented

Risk Model
- Locate and identify areas of risk across users and applications
- Calculate and assign a unique identity risk score
- Continuously update risk scores based on changes to user access

Workflow Engine
- Orchestrate the logical sequence of business process steps that support compliance and provisioning processes
- Offer a visual business process modeler to support the design of complex, multi-step workflow processes
- Leverage a unique data-driven model to orchestrate business processes and the generation of end-user forms
[Figure: SailPoint IdentityIQ architecture. Compliance Manager, Lifecycle Manager and Access Manager sit on the Governance Platform (Identity Warehouse, Policy Model, Role Model, Risk Model, Workflow Engine), which in turn sits on the Connectivity Foundation (Resource Connectors, Provisioning Integration, Service Desk Integration, MDM Integration, Cloud Gateway).]

SailPoint IdentityIQ Connectivity Foundation

With Connectivity Foundation, you can:
- Speed the provisioning of access changes to your managed resources
- Seamlessly manage access changes across on-premises and cloud resources
- Lower the costs associated with managing access changes through automation
- Orchestrate changes to user access using your choice of fulfillment processes
- Track and document all provisioning changes for auditors

Establish a connectivity footprint to administer and govern user access.

In today's complex IT environment, managing changes to user access can seem like a daunting task for business and IT users alike. Business users want a simple, consistent process for requesting changes. IT operations teams want the flexibility to implement changes in the most cost-effective way, and they need to be able to handle hybrid IT environments with a mix of on-premises and cloud resources.

The IdentityIQ Connectivity Foundation provides flexible integration options, including direct connectors to over eighty cloud and on-premises resources, along with integration options for other provisioning vehicles, such as third-party provisioning tools, service desk systems, mobile device management systems, and even manual provisioning processes. IdentityIQ seamlessly orchestrates how changes get fulfilled across multiple fulfillment mechanisms, giving organizations maximum flexibility to provision changes in whatever way they choose while providing superior visibility.
To extend connectivity to resources in public and private clouds, IdentityIQ provides the Cloud Gateway, which synchronizes access changes over a secure, encrypted connection between IdentityIQ and enterprise systems in different networks. The Cloud Gateway also allows customers or partners to host IdentityIQ in the cloud and seamlessly connect to on-premises resources.

SailPoint recognizes that many organizations have significant investments in legacy provisioning systems. To maximize existing investments in these systems, SailPoint offers Provisioning Integration Modules (PIMs) for a variety of third-party provisioning solutions. IdentityIQ also provides Service Desk Integration Modules (SIMs) that automatically generate help desk tickets, and it can create manual work items to assign and track the progress of change requests within IdentityIQ.

CONNECTIVITY FOUNDATION AT-A-GLANCE

Cloud and On-premises Resource Connectors
- Speed provisioning of access changes to managed resources on-premises and in the cloud with over 80 out-of-the-box connectors
- Support rapid deployment to custom applications

Third-Party Provisioning Integration
- Leverage third-party provisioning solutions to import data or provision changes to target systems

Service Desk Integration and Work Queues
- Generate help desk tickets or manual work items to fulfill access changes

Cloud Gateway
- Extend identity and access management capabilities to public/private cloud environments, or host IdentityIQ in the cloud and connect to datacenter applications

MDM Integration
- Apply corporate IAM policies and controls to personal mobile devices
The SailPoint Advantage
Future-proof Your IAM Strategy with SailPoint

Only SailPoint brings a unique combination of strengths to bear on every aspect of the new challenges of identity and access management. With innovative, industry-proven technology, a strong heritage in IAM, and the only truly integrated IAM suite in the market, SailPoint is equipped to help any organization run a successful identity and access management program. Here's why SailPoint is the best choice for enterprise-class identity and access management worldwide:

Cross-domain IAM
We seamlessly manage access to both cloud and on-premises resources, giving you the big picture across all your resources, with unified compliance, provisioning, and access management.

Mobile-enabled IAM
We provide single sign-on to applications from any device, anywhere, anytime, and we integrate with Mobile Device Management (MDM) solution providers to extend governance and provisioning to mobile applications and data.

Consumer-simple
We provide self-service capabilities and user-friendly interfaces to empower internal and external users to successfully manage their access needs independent of IT, but within the confines of IT security and policy.

Built-in Governance
We provide a single framework that centralizes identity data and defines a common policy, role, and risk model to manage users and resources. This framework allows you to build a single preventive and detective control model to support all identity and access management business processes.

Identity Intelligence & Analytics
We centralize visibility into access risks across the entire enterprise and provide meaningful insights to help you make effective business decisions. You get one central view across compliance, provisioning, and access management.

Unified architecture
SailPoint is the only IAM provider to deliver a fully integrated, unified IAM solution that spans governance, provisioning, and access management. SailPoint's solutions are built on a common platform, giving our customers a solution that is easier to deploy, easier to maintain and easier to use.

Enterprise scalability and performance
Our solutions deliver scalable, streamlined and secure IAM systems that scale to accommodate growth in user populations, application coverage, and new business units brought on board. We manage some of the largest IAM implementations in the world, spanning thousands of applications, hundreds of thousands of users, and millions of entitlements.

"SailPoint is one of the faster-growing organizations within the IAM sector. [SailPoint's] growth figure was more than double that of its nearest competitor and has been a strong measure of the company's success for the last three years."
Ovum IAM Decision Matrix
Glossary
A

Access Certifications: The periodic review of user access privileges in order to validate that access privileges align with a user's job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with Sarbanes-Oxley and other regulations.

Access Control: The system controls and surrounding processes that grant or deny parties the capability and opportunity to access systems (i.e., to gain knowledge of or to alter information or material on systems).

Access Management: Systems or processes used to control authentication and authorization to resources within an organization, such as files, applications, systems, devices, etc. Access management is often based on a role and rule evaluation system to grant or deny access to an object in the organization.

Access Privileges: The access rights that a user has to a system resource, such as the right to access, view, modify, create, or delete.

Access Request: Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.

Account Management: A set of processes to manage authentication in connected systems. This primarily involves the creation and deletion of user accounts in the connected system.

Active Directory: A Microsoft application that provides authentication and authorization resources to Microsoft Windows and other Windows applications.

Activity Monitoring: A means to monitor user actions (e.g., access to systems, modifications to data) using log data collected from systems or applications.

Aggregation: The collection and correlation of identity data from enterprise applications into a centralized identity data repository.

Application Store or App Store: A service that allows users to browse and download applications.
Approval Workflow: A business process that automates gathering approvals from authorized users for requested changes to identity artifacts such as user access rights or role definitions.

Assertion: A claim, such as to be a particular identity or a member of a group. Usually requires proof via a credential, e.g., a user ID and password pair.

Attestation: Alternate term for access certification, the periodic review of user access privileges in order to validate that access privileges align with a user's job function and conform to policy guidelines.

Attribute: A single piece of information associated with a digital identity. Examples of attributes are name, phone number, and institution affiliation. Each piece of identifying information about a user can be thought of as an attribute of that user. Users have identity attributes, each of which may be stored on one or more target systems.

Audit: The independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Deficiency: An auditor's finding that an IT control is not effective. The term is commonly used in SOX audits to flag a control deficiency that could adversely affect the company's ability to report external financial data reliably.
Audit Log: A log that captures a record of events that have occurred within a system or application. For example, an audit log may contain all logins made to the system, the names of the persons making the logins, the times the logins occurred, etc.

Authentication: The process of establishing confidence in the validity of a claimant's presented identifier, usually as a prerequisite for granting access to resources in an information system.

Authoritative Source: The system that contains the definitive online value for a particular identity attribute. In some cases, a system is authoritative because it creates the value (for example, employee ID number). In other cases, a system is authoritative because it is the place where a user must go to enter the information (for example, cell phone number).

Authorization: The process of granting or denying access to an information resource based on defined policy.

B

Basel II: A set of banking regulations put forth by the Basel Committee on Bank Supervision, which regulates finance and banking internationally. Basel II attempts to integrate Basel capital standards with national regulations by setting the minimum capital requirements of financial institutions, with the goal of mitigating financial and operational risks.

Biometric: A physical trait or behavioral characteristic that can be used for the purposes of identification or verification. A good biometric should be unique to an individual, stable over time, quick and easy to present and verify, and not easily duplicated by artificial means.

Breach: The successful defeat of security controls, which could result in an unauthorized penetration of a system or application; a violation of the controls of a particular system such that information assets or system components are unduly exposed.

BYOA: Bring Your Own Application refers to the policy of permitting employees to access personal application accounts (e.g., Facebook, LinkedIn, TripIt) while in the workplace.

BYOD: Bring Your Own Device refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.

C

Certification: See Access Certifications.

Cloud Computing: A computing service that is delivered over the Internet with three distinct characteristics: the service is sold on demand; the service is elastic (a user can have as much or as little of a service as they want at any given time); and the service is fully managed by the service provider (the consumer needs nothing but a web browser).

Compliance: Conforming to a specification or policy, standard or law that has been clearly defined. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements. These laws can carry criminal or civil penalties or can be regulations.

Credential: A means to authenticate a claimed identity, usually meaning the private part of a paired identity assertion (the user ID is usually the public part). Credentials can change over time and may be revoked.
Continuous Compliance: Using processes and tools to meet compliance requirements in an automated, consistent, and predictable manner, rather than treating compliance as a one-time event.

Correlation: The process of combining identity data from disparate data sources into a common schema that represents an identity. Identities can be linked automatically to application accounts and access rights using correlation rules, or manually using a tool to establish the correct links.

CSV: A comma-separated values file is a data file used for the digital storage of data structured as a table: each line holds one record, and the fields within a record are separated by commas.

D

Dashboard: A reporting mechanism that aggregates and displays metrics and key performance indicators (KPIs), enabling them to be examined at a glance by all manner of users before further exploration via additional business intelligence (BI), performance management (PM) and analytics tools.

Datacenter: A facility used to house computer systems and associated components, such as servers (e.g., web servers, application servers, database servers), switches, routers, data storage devices, load balancers, wire cages or closets, vaults, racks, and related equipment.

Delegation: A process whereby a reviewer or approver can pass his or her decision authority to another user, either temporarily or permanently.

Deprovisioning: A process to delete a user account in a system.

Detective Control: A procedure, possibly aided by automation, that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.

Directory: A shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

E

Entitlement: A specific value for an account attribute, most commonly a group membership or a permission. A security entitlement is a right granted to a user's account on a given system to access some data or function.

Entitlement Creep: An access control vulnerability that results from workers accruing access privileges over time through transfers, promotions, or simply through the normal course of business. When workers accrue entitlements beyond what they actually need to do their job, organizations become exposed to unnecessary business risks.

Entitlement Management: A mechanism for centrally defining the applications and services to which a user may be given authorization. It is the process of granting, resolving, enforcing, revoking and administering fine-grained access entitlements (also referred to as authorizations, privileges, access rights, permissions and/or rules).

Escalation: A process to alert, notify, or delegate an action when a reviewer or approver fails to respond to a request after a defined period of time.
Extensible Access Control Markup Language (XACML): An open-standard, XML-based language designed to express security policies and access rights to information for Web services, digital rights management (DRM), and enterprise security applications.

F

Federation: A set of agreements which allow an organization to trust the authentication provided by a separate organization and provide authorization based on that authentication result. The goal of federation is to allow users to access resources in multiple organizations in a seamless manner.

G

Governance: The system of rules, practices and processes by which an organization is directed, measured and controlled.

Gramm-Leach-Bliley Act (GLBA): Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain their information sharing practices.

Group: A collection of users used to simplify access control to computer systems. Traditionally, groups are static: one defines a group by individually selecting its members. In dynamic groups, however, all users which match specified search criteria are considered members of the dynamic group.

H

Hierarchical Role Model: In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the employee role. Above this may be the roles department manager and accountant, which inherit all permissions of the employee role.

HIPAA (Health Insurance Portability and Accountability Act): Federal legislation enacted in the United States to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. HIPAA mandates security mechanisms to ensure the confidentiality and data integrity of any information that personally identifies an individual.
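The Hierarchical Role Model and Entitlement Creep entries describe two sides of one control: roles inherit permissions from the roles above them, and an account whose entitlements exceed what its roles justify has accrued privilege it should not hold. The following is an added illustration, not SailPoint's code or any IdentityIQ API; the role hierarchy, permission names and identity records are constructed for the example. It resolves a role's effective permissions through the hierarchy (the bank example from the entry, extended with a finance_manager role that inherits from two parents) and then compares each account's actual entitlements against what its roles grant, which is the check a least-privilege review or access certification would make.

```python
from collections import deque

# Constructed role hierarchy (child role -> parent roles it inherits from).
# Mirrors the glossary's bank example: accountant and department_manager
# inherit from employee; finance_manager inherits from both of them.
ROLE_PARENTS = {
    "employee": [],
    "accountant": ["employee"],
    "department_manager": ["employee"],
    "finance_manager": ["department_manager", "accountant"],
}

# Constructed direct permissions granted by each role (inherited ones are
# not listed here; they are resolved through the hierarchy).
ROLE_PERMISSIONS = {
    "employee": {"intranet:read", "hr_portal:self_service"},
    "accountant": {"gl:read", "gl:post_journal"},
    "department_manager": {"hr_portal:approve_timesheets", "expense:approve"},
    "finance_manager": {"gl:close_period"},
}


def effective_permissions(role, parents=ROLE_PARENTS, perms=ROLE_PERMISSIONS):
    """Return every permission a role holds, including all inherited ones.

    Walks the hierarchy breadth-first and tracks visited roles, so a
    mis-modelled cycle (A inherits B inherits A) terminates instead of
    looping. Unknown roles raise rather than silently granting nothing.
    """
    if role not in parents:
        raise KeyError(f"unknown role: {role}")
    seen, queue, result = set(), deque([role]), set()
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        result |= perms.get(current, set())
        queue.extend(parents.get(current, []))
    return result


def entitlement_review(roles_held, actual_entitlements):
    """Compare an account's real entitlements with what its roles justify.

    'excess' is entitlement creep: access the roles do not explain and a
    certifier should revoke. 'missing' is access the roles grant but the
    account lacks, i.e. a provisioning gap. Both empty means the account
    matches its roles exactly (least privilege holds).
    """
    expected = set()
    for role in roles_held:
        expected |= effective_permissions(role)
    return {
        "excess": frozenset(actual_entitlements - expected),
        "missing": frozenset(expected - actual_entitlements),
    }


def review_population(identities):
    """Run entitlement_review over a population; return only the findings.

    identities: iterable of (identity_name, roles_held, actual_entitlements).
    Returns {identity_name: review} for identities with excess or missing
    entitlements, so a clean population yields an empty dict.
    """
    findings = {}
    for name, roles, actual in identities:
        review = entitlement_review(roles, set(actual))
        if review["excess"] or review["missing"]:
            findings[name] = review
    return findings


# Constructed sample population. "pat" transferred from accountant to
# department manager but kept a journal-posting entitlement: classic creep.
SAMPLE_IDENTITIES = [
    ("alex", ["accountant"],
     {"intranet:read", "hr_portal:self_service", "gl:read", "gl:post_journal"}),
    ("pat", ["department_manager"],
     {"intranet:read", "hr_portal:self_service", "hr_portal:approve_timesheets",
      "expense:approve", "gl:post_journal"}),
]

if __name__ == "__main__":
    for name, review in review_population(SAMPLE_IDENTITIES).items():
        print(name, "excess:", sorted(review["excess"]),
              "missing:", sorted(review["missing"]))
```

Running the sample population reports only pat, with gl:post_journal as excess; alex's entitlements match the accountant role exactly and produce no finding. In a real deployment the role and permission tables would come from the identity warehouse and connector aggregations rather than being hard-coded, but the comparison itself is the same.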
Hybrid IT: An approach to enterprise computing in which an organization provides and manages some information technology (IT) resources on-premises (in the datacenter) but uses cloud-based services for others.

I

Identity Cube: A multi-dimensional view of each identity and its associated access and attributes.

Identity Governance: Identity management software that automates the rules, practices and processes to manage and control user access to critical applications and data. Identity governance allows organizations to improve accountability and transparency, meet compliance mandates and better manage risk.

Identity Key: A single value used (and usually generated) by an identity store to uniquely identify each identity.
Identity and Access Management (IAM): Software that automates the business processes required to manage electronic identities and their related access permissions. This ensures that access privileges are granted according to one interpretation of policy and that all individuals and services are properly authenticated, authorized and audited.

IAM-as-a-Service (IDaaS): IAM software that is hosted in the cloud, delivered as a cloud service, and managed by a third-party service provider.

Identity Provider (IdP): A system that creates, maintains, and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network.

Identity Store: A system which maintains identity information. An identity store is often an authoritative source for some of the information it contains.

Insider Threat: The potential risks of fraud, theft, sabotage, or privacy breaches that originate from workers inside an organization with access to sensitive applications and data.

Interface: Technology that allows a user to communicate with and use computer software; it can include the display screen, keyboard, mouse, the appearance of the desktop, characters, colors, help messages, etc.

Internal Controls: Processes designed to help organizations prevent and detect fraud and protect sensitive assets. Internal controls are usually a means by which an organization's processes and IT resources are reviewed, monitored, and measured.

L

Last-Mile Provisioning: The process for implementing changes on target resources based on user lifecycle changes.

LDAP (Lightweight Directory Access Protocol): A set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information.

Least Privilege: A concept that seeks to restrict a user's access (e.g., to data or applications) or type of access (e.g., read, write, execute, delete) to the minimum necessary to perform his or her duties.

M

Material Weakness: An auditor's finding that an IT control is severely deficient. The term is commonly used in SOX audits to indicate that a material misstatement of financials cannot be prevented or detected.

Model Audit Rule (MAR): A mandate effective January 1, 2010 that requires non-public insurers in the United States to prove that they have effective controls over the integrity of financial systems and data. Similar to Sarbanes-Oxley, MAR requires more transparency, tighter adherence to internal controls and better corporate governance.

Multi-Factor Authentication: An authentication process that requires multiple elements. The elements are usually grouped into three categories: something you know (a password, pass phrase, or PIN); something you have (a token or smart card); or something you are (a fingerprint, voice print, or retina scan).
62 N North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): A framework developed to protect the ongoing reliability of the North American bulk power system that was approved in early The CIP standards require utilities to identify and secure their critical cyber assets. O OAuth: An open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end user). It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. Offboarding: A process for removing access when users, such as employees, contractors, partners, or customers, leave an organization. Onboarding: A process for granting access when users, such as new employees, contractors, partners, or customers, join an organization. On-premises or on-prem : Software that is installed and run on computers in the facility (building) of the person or organization using the software, rather than at a remote facility, such as a cloud service provider. One-Time Password (OTP): a password that is valid for only one login session or transaction, generated by an algorithm when a user needs to authenticate. The OTP is commonly sent to the user s mobile device or security token. OpenID: An open standard that describes how users can be authenticated using a third-party service (known as Relying Parties or RP), obviating the need for organizations to provide their own authentication systems and allowing users to consolidate their digital identities. OpenID Connect: An open standard that performs many of the same tasks as OpenID, but does so in a way that is API-friendly and usable by native and mobile applications. 
The standard is a simple identity layer on top of the OAuth 2.0 protocol and allows clients to verify the identity of the end user based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the end user in an interoperable and REST-like manner. Orphan Account: An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failure to remove access privileges when workers terminate or transfer jobs and are a frequent focus for IT auditors looking for security risks. P Password: A form of secret authentication data that is used to control access to system services. It enables the holder of an electronic identifier to confirm that he or she is the person to whom the identifier was issued. A credential, something only the user knows and that the authenticator can confirm. Password Management: Automation of the process for controlling, setting, resetting and synchronizing passwords across systems. Password Policy: A set of requirements regarding password creation, storage, and usage. These requirements often constrain several characteristics of passwords. 62 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
63 Password Reset: A process or technology that allows users who have either forgotten their password or triggered a lockout to authenticate with an alternate factor and then define a new password. Password Synchronization: A solution that takes a password from a user and changes the passwords on other resources to be the same as that password. Preventive Control: An internal control that is used to prevent undesirable events, errors and other occurrences than an organization has determined could have a negative material effect on its business. Payment Card Industry (PCI) Data Security Standard (DSS): A standard developed by the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures. Policy: An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates. Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization. Private Cloud: A form of cloud computing that is used by only one organization or ensures that an organization s cloud is completely isolated from others. When a service provider uses public cloud resources to create a private cloud, the result is called a virtual private cloud. Privileged Account: A privileged account is a login ID on a system or application which grants more powerful access rights than a normal user. Privileged accounts are typically used by system administrators to manage systems, or to run services on systems, or by one application to connect programmatically to another. Policy Evaluation: Rules that automatically enforce policy by checking an operation for policy violations before granting it. 
Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity. Automated user provisioning is intended to speed and simplify the administration of users and their access privileges. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems. Public Cloud: A cloud computing environment that is open to the general public and delivered via the Internet, outside of any enterprise firewall. Public cloud computing uses cloud computing technologies to support customers that are external to the provider s organization. Using public cloud services generates the types of economies of scale and sharing of resources that can reduce costs and increase choices of technologies. R Resource: A system, application, database, or other object under management by an identity management system. Reassign: An action that transfers responsibility for a performing an operation to a different person. Reconciliation: a process that periodically compares identity data in an Identity Management solution with the data actually present on managed resources. Reconciliation correlates account data and highlights differences and can invoke workflow to alert or make changes to the data. 63 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
64 Remediation: The act or process of remedying a compliance problem or issue, such as a policy violation. Reverse Proxy: software that provides a single point of authentication to web servers on an internal network. The reverse proxy architecture has the advantage of not requiring software to be installed on each web application. Revocation: The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification. Risk: The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur. to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users. Role Assignment: The process of granting roles to users. A role may be implicitly assigned to a user, i.e., some database will include a rule of the form users matching requirements X should be automatically assigned role Y. Role-Based Access Control (RBAC): A model that limits user access based on the user s role within an organization. Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Role Creation: The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function. Risk Management: The total process of identifying, controlling, and mitigating risks. Risk Mitigation: A process to reduce either the probability or the consequences of a threat. 
Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts. Risk-based Authentication: A method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive. Role: A role is a collection of entitlements or other roles that enables an identity to access resources and Role Certification: The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation. Role Lifecycle Management: The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics. Role Management: Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed the entitlements associated with a role must be reviewed and updated and the users assigned the role, implicitly or explicitly, must be reviewed and changed. Role Management includes the business processes used to affect these reviews and changes. 64 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
65 Role Model: A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/ role membership and role set activation. A role model is a set of role definitions and a set of implicit or explicit role assignments. Rules: A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates. S SAML: Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). Sarbanes-Oxley Act (SOX): Also known as the Public Company Accounting Reform and Investor Protection Act is a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S. Security Information and Event Management (SIEM) Technology: Security information management (SIM) provides log management the collection, reporting and analysis of log data to support regulatory compliance reporting, internal threat management and resource access monitoring. Security event management (SEM) processes event data from security devices, network devices, systems and applications in real time to provide security monitoring, event correlation and incident response. The technology can be used to discover activity associated with a targeted attack or a security breach, and is also used to satisfy a wide variety of regulatory requirements. Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval. 
Separation of Duty (SoD): An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. It refers to mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a system. As a security principle, it has as its primary objective the prevention of fraud and errors. This principle is demonstrated in the occasional requirement for two signatures on a bank check, or by preventing a person from authorizing their own workflow requests. Also sometimes called Segregation of Duties. Service Account: A typed of shared account that is used for application-to-application communications when secured access must be granted by one system to another system. Shared Account: A login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared by administrators: for example, root, sa or Administrator. System for Cross-Domain Identity Management (SCIM): An open standard used to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary create, read, update, and delete (CRUD) operations. Single Sign-On (SSO): An authentication process where the user can enter one username and password and have access to a number of resources within an enterprise, eliminating the need to separately authenticate and sign on to individual applications and systems. 65 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
66 Software-as-a-Service (SaaS): A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over the Internet, usually on a pay-as-you-go basis. SaaS software is owned, delivered and managed remotely by one or more service providers. Solvency II: A risk-based regulatory framework that applies to all insurers in EU member states that took effect in Solvency II seeks to instill risk awareness into the governance, operations, and decision-making of the European insurance business. U User: Any person who interacts directly with a computer system. Users are people whose access to systems and identity information must be managed. User Lifecycle Management: The process for automating and managing user onboarding, promotions and transfers, and offboarding. Step-up Authentication: Method for determining a required level of authentication based on a defined policy set on a resource. Based on policy evaluation, the user can be required to step-up the level of authentication to access any given resource (e.g., use multi-factor authentication). T Token: Either software or hardware used as an authentication factor to access an information system. Hardware tokens are small devices, typically either the size of a credit card or key fob, which compute a one-time password. A software token performs the same function as a hardware token except that it is installed as a piece of software on a device that the user already has such as a cell phone or tablet. Transparency: The availability of full information required for accountability, risk management, and collective decision making. 66 SELECTING THE RIGHT IDENTITY AND ACCESS MANAGEMENT SOLUTION
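The glossary entries for Role, Role-Based Access Control, Separation of Duty, Policy Evaluation, Least Privilege, Orphan Account and Revocation describe the same small machine from different angles: roles bundle entitlements, a preventive control evaluates a request against SoD rules before granting it, and a detective review (certification) finds violations that already exist. The following is an added example, written for this guide's glossary and not code from SailPoint or any product; the roles, entitlements, SoD rules and identities are constructed sample data, and the function names are the author's own.

```python
"""Added example (not from the SailPoint guide or its products): a minimal
role model with preventive and detective SoD policy evaluation.  All roles,
entitlements, rules and identities below are constructed sample data."""
from dataclasses import dataclass, field

# Simple roles: each is a collection of entitlements on one system ("erp").
ROLES = {
    "ap_clerk":    {"erp:vendor.create", "erp:invoice.enter"},
    "ap_approver": {"erp:invoice.approve"},
    "ap_payer":    {"erp:payment.release"},
    "reporting":   {"erp:report.read"},
}

# SoD policy: pairs of entitlements no single identity may hold together.
# Holding both sides of a pair would let one person complete a fraudulent
# transaction alone (create a vendor and pay it; enter and approve an invoice).
SOD_RULES = [
    ("erp:vendor.create", "erp:payment.release"),
    ("erp:invoice.enter", "erp:invoice.approve"),
]


@dataclass
class Identity:
    name: str
    active: bool                      # False once the user has left (offboarded)
    roles: set = field(default_factory=set)

    def entitlements(self) -> set:
        """Flatten assigned roles into the effective entitlement set."""
        return set().union(*(ROLES[r] for r in self.roles))


def sod_violations(entitlements: set) -> list:
    """Return every SoD rule whose two entitlements are both present."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


def evaluate_request(identity: Identity, requested_role: str) -> tuple:
    """Preventive control: check the request against policy BEFORE granting it.
    Returns ("approve" | "deny", reason)."""
    if requested_role not in ROLES:
        return ("deny", f"unknown role {requested_role}")
    if not identity.active:
        return ("deny", "identity is inactive; grant would create an orphan account")
    projected = identity.entitlements() | ROLES[requested_role]
    violations = sod_violations(projected)
    if violations:
        detail = "; ".join(f"{a} + {b}" for a, b in violations)
        return ("deny", "SoD violation: " + detail)
    return ("approve", "no policy violation")


def detective_review(identities: list) -> list:
    """Detective control (certification): find violations that already exist,
    i.e. orphan accounts and toxic entitlement combinations to be revoked."""
    findings = []
    for ident in identities:
        if not ident.active and ident.roles:
            findings.append((ident.name, "orphan account: inactive identity still holds roles"))
        for a, b in sod_violations(ident.entitlements()):
            findings.append((ident.name, f"SoD violation: {a} + {b}"))
    return findings


def least_privilege_excess(identity: Identity, used: list) -> set:
    """Least privilege: entitlements granted but not exercised during the
    review period are candidates for revocation."""
    return identity.entitlements() - set(used)


if __name__ == "__main__":
    alice = Identity("alice", True, {"ap_clerk"})
    print(evaluate_request(alice, "ap_payer"))    # denied: vendor.create + payment.release
    print(evaluate_request(alice, "reporting"))   # approved
    carol = Identity("carol", True, {"ap_clerk", "ap_approver"})
    bob = Identity("bob", False, {"ap_approver"})
    for finding in detective_review([alice, bob, carol]):
        print(finding)
    print(least_privilege_excess(alice, ["erp:invoice.enter"]))
```

The preventive check evaluates the projected entitlement set (current plus requested), not just the requested role, because an SoD conflict is a property of the combination an identity ends up holding. The detective review is what a certification campaign automates: it surfaces both the toxic combinations and the orphan accounts that auditors look for.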
Resources

For further information on the topic of identity management, try these links to experts, websites and publications.

Websites
blog.sailpoint.com

Analysts
Forrester: Identifies and analyzes emerging trends in technology and their impact on business.
Gartner: Provides research and analysis of the computer hardware, software, communications, and related information technology industries.
IDC: Provides data, analysis and advisory services on information technology (IT) markets, trends, products, vendors, and geographies.
KuppingerCole: Provides research and analysis focused on information security, both in classical and in cloud environments.
Ovum: Provides analysis and guidance focused on converging technologies and markets, including telecommunications, software and IT services.

Membership Organizations
Cloud Security Alliance: The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
Internet Engineering Task Force (IETF): The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The organization has now adopted a working group dedicated to the development of SCIM.
(ISC)²: The global leader in educating and certifying information security professionals throughout their careers. A network of certified information security professionals. Members have access to current industry information, networking opportunities, discounts on industry conferences and valuable career tools.
National Institute of Standards and Technology (NIST): NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
OASIS: OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization, along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.

Magazines
Australian IT: Weekly supplement to The Australian covering the latest trends in the Australian technology market as well as features and reviews about new products and technology.
CIO Magazine: Resource for Chief Information Officers. Technology executives can find articles, research, events, and CIO communities.
ComputerWeekly.com: Focused on the UK market, the news site offers business and technical information alongside independent analysis and views on technology, strategy and careers.
CSO Magazine: Provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
Dark Reading: Designed as a news source for enterprise IT and network security professionals, the site provides up-to-date information about products, management strategies, architectures and security policy.
The Data Breach Blog: Focused on providing the latest updates on security breaches, the blog discusses data and web security. section/1263
eWeek: Features breaking technology news and in-depth analysis and reviews targeted toward IT decision-makers on building their enterprise infrastructure.
Information Age: Focuses on the strategies and technologies involved in maximizing business performance through effective information and technology management. Aimed at UK-based executives involved in the application of technology for strategic, competitive advantage and improved efficiency.
Network World: Provides information, intelligence and insight for network and IT executives. Its editorial focus is on delivering news, opinion and analytical tools for key decision makers who architect, deploy and manage business solutions.
SC Magazine: Aims to provide IT security professionals with in-depth and unbiased information. Each monthly issue contains news, analysis, features, contributions from thought leaders and product reviews. Established in 1989, it is the longest established IT security title in the United States.
SearchCloudComputing: Created to help information technology (IT) professionals, application developers and chief information officers (CIOs) stay well-informed on the rapidly advancing topic of Cloud Computing. Offers content to serve the unique needs of all members involved in cloud computing decisions at an enterprise level.
Get Started

Don't Worry, Be Ready. With SailPoint identity and access management, you'll be ready no matter what the future brings. SailPoint helps you tackle tomorrow's challenges today. Whether you're replacing legacy provisioning solutions with a next-generation approach, delivering secure and convenient access to cloud apps, managing mobile access, or thinking about migrating IAM systems to the cloud, SailPoint's got you covered. Don't let your IAM investment fall behind. Be ready for whatever comes your way with SailPoint.

Managing the Business of Identity

SailPoint, the industry leader in identity and access management, empowers the world's largest organizations to accelerate business performance, mitigate risk, reduce IT costs and ensure compliance. The company's innovative on-premises and SaaS IAM solutions provide superior visibility into and control over user access to sensitive applications and data, regardless of where they reside. SailPoint's product suite provides customers a unified solution for compliance, user provisioning, access management, and identity intelligence, all based on an integrated governance model. Founded in 2005, the company is headquartered in Austin, Texas, and has offices in Australia, France, Germany, Great Britain, India, Netherlands, Singapore, South Africa, and Switzerland.
Corporate Headquarters
Four Points Drive, Building 2, Suite 100
Austin, Texas, USA

Global Offices
UK, Netherlands, Germany, Switzerland, Australia, Singapore, Africa

About SailPoint
As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of the world's largest organizations securely and effectively deliver and manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. The company's innovative product portfolio offers customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). For more information, visit

SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies.
Moving to the Cloud: What Every CIO Should Know
Moving to the Cloud: What Every CIO Should Know CONTACT SALES US: 1.877.734.6983 UK: +44 (0)845.528.0588 www.egnyte.com WHITEPAPER Overview Enterprise data storage needs are growing exponentially, doubling
CA Enterprise Mobility Management MSO
SERVICES DESCRIPTION CA Enterprise Mobility Management MSO At a Glance Today, your customers are more reliant on mobile technologies than ever. They re also more exposed by mobile technologies than ever.
The Convergence of IT Operations
SOLUTION WHITE PAPER The Convergence of IT Operations A Case for IT Service and Asset Process Integration and Automation TABLE OF CONTENTS TODAY S REALITY: THE FUTURE IS NOW. 1 AUTOMATION & INTEGRATION:
SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management. improving SAP security with CA Identity and Access Management
SOLUTION BRIEF Improving SAP Security With CA Identity and Access Management improving SAP security with CA Identity and Access Management The CA Identity and Access Management (IAM) suite can help you
The CMDB: The Brain Behind IT Business Value
Thought Leadership white paper The CMDB: The Brain Behind IT Business Value By Gerry Roy, Director of Solutions Management for BMC Atrium and BMC Service Support, BMC Software TABLE OF CONTENTS Executive
Select the right solution for identity and access governance
IBM Security Buyer s Guide June 2015 Select the right solution for identity and access governance Protecting critical assets from unauthorized access 2 Select the right solution for identity and access
Unicenter Desktop Management for Enterprise Infrastructure Management
Unicenter Desktop for Enterprise Infrastructure Optimize Enterprise IT Resources Computer Associates International, Inc. s (CA) Unicenter Desktop solution provides IT departments with the foundation to
The Importance of Data Quality for Intelligent Data Analytics:
The Importance of Data Quality for Intelligent Data Analytics: Optimizing the Financial and Operational Performance of IT White Paper IT decisions are only as good as the data they re based on. And that
The Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
Oracle Role Manager. An Oracle White Paper Updated June 2009
Oracle Role Manager An Oracle White Paper Updated June 2009 Oracle Role Manager Introduction... 3 Key Benefits... 3 Features... 5 Enterprise Role Lifecycle Management... 5 Organization and Relationship
How To Make A Cloud Service Federation A Successful Business Model
A Channel Company White Paper Identity as a Service (IDaaS) Promising New Opportunity for MSPs Brought to You By: Abstract Managed service providers are increasingly finding themselves in the role of service
The SMB IT Decision Maker s Guide: Choosing a SaaS Service Management Solution
BEST PRACTICES WHITE PAPER The SMB IT Decision Maker s Guide: Choosing a SaaS Service Management Solution Nine Things to Look For in Your Next SaaS Service Desk Table of Contents Introduction...................................................
How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?
SOLUTION BRIEF Content Aware Identity and Access Management May 2010 How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward? we can CA Content
THE MOBlLE APP. REVOLUTlON. 8 STEPS TO BUlLDING MOBlLE APPS FAST ln THE CLOUD
THE MOBlLE APP REVOLUTlON 8 STEPS TO BUlLDING MOBlLE APPS FAST ln THE CLOUD People use hand-held devices for everything from communicating and playing games to shopping and surfing the Internet. In fact,
Avoid the Hidden Costs of AD FS with Okta
Okta White paper Avoid the Hidden Costs of AD FS with Okta Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 [email protected] 1-888-722-7871 wp-adfs-031413 Table of Contents 1 Challenges of
I D C T E C H N O L O G Y S P O T L I G H T
I D C T E C H N O L O G Y S P O T L I G H T AP M S a a S and An a l yt i c s S t e p U p t o Meet the N e e d s o f M odern Ap p l i c a t i o n s, M o b i le Users, a n d H yb r i d C l o ud Ar c h i
CA Technologies Healthcare security solutions:
CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA
Certified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
Three Ways to Integrate Active Directory with Your SaaS Applications OKTA WHITE PAPER. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107
OKTA WHITE PAPER Three Ways to Integrate Active Directory with Your SaaS Applications Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 [email protected] 1-888-722-7871 wp-3waysad-113012 Table
RSA Identity and Access Management 2014
RSA Identity and Access Management 2014 1 Agenda Today s Enterprises and IAM Customer Challenges IAM Requirements RSA IAM Our Competitive Advantage Leading The Pack RSA Views on Identity Management and
Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff
Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff The Challenge IT Executives are challenged with issues around data, compliancy, regulation and making confident decisions on their business
Establishing a Mature Identity and Access Management Program for a Financial Services Provider
Customer Success Stories TEKsystems Global Services Establishing a Mature Identity and Access Management Program for a Financial Services Provider FINANCIAL SERVICES NETWORK INFRASTRUCTURE SERVICES INFORMATION
Foundation ACTIVE DIRECTORY AND MICROSOFT EXCHANGE PROVISIONING FOR HEALTHCARE PROVIDERS HEALTHCARE: A UNIQUELY COMPLEX ENVIRONMENT
Foundation ACTIVE DIRECTORY AND MICROSOFT EXCHANGE PROVISIONING FOR HEALTHCARE PROVIDERS The promise of reduced administrative costs and improved caregiver satisfaction associated with user provisioning
Is it Time to Modernize Your Service Desk?
THOUGHT LEADERSHIP WHITE PAPER Is it Time to Modernize Your Service Desk? By Michele McFadden, Senior Director of Product Management, BMC Software When you pick a program to record on your DVR, purchase
Identity and Access Management Point of View
Identity and Access Management Point of View Agenda What is Identity and Access Management (IAM)? Business Drivers and Challenges Compliance and Business Benefits IAM Solution Framework IAM Implementation
SEVEN WAYS THAT BUSINESS PROCESS MANAGEMENT CAN IMPROVE YOUR ERP IMPLEMENTATION SPECIAL REPORT SERIES ERP IN 2014 AND BEYOND
SEVEN WAYS THAT BUSINESS PROCESS MANAGEMENT CAN IMPROVE YOUR ERP IMPLEMENTATION SPECIAL REPORT SERIES ERP IN 2014 AND BEYOND CONTENTS INTRODUCTION 3 EFFECTIVELY MANAGE THE SCOPE OF YOUR IMPLEMENTATION
NCSU SSO. Case Study
NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must
10 things you should look for. Choosing HR software
10 things you should look for Choosing HR software Introduction Selecting a new piece of HR software can be a daunting task. There s a lot to think about. At the end of the day, the chosen software won
Regulatory Compliance Using Identity Management
Regulatory Compliance Using Identity Management 2015 Hitachi ID Systems, Inc. All rights reserved. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive
The New Rules to Improve Productivity and Control Costs
Authored by TOP 5 TECHNOLOGY GAME CHANGERS FOR WORKFORCE MANAGEMENT The New Rules to Improve Productivity and Control Costs Sponsored by Top 5 Technology Game Changers for Workforce Management Business
Boosting enterprise security with integrated log management
IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise
Speeding Office 365 Implementation Using Identity-as-a-Service
August 2015 www.sarrelgroup.com [email protected] Speeding Office 365 Implementation Using Identity-as-a-Service White paper August 2015 This white paper is sponsored by Centrify. August 2015 www.sarrelgroup.com
Streamlining Service Request Processes: A Key to Business Success
Streamlining Service Request Processes: A Key to Business Success best practices WHITE PAPER Table of Contents Executive Summary...1 The Pent-up Need for Service Request Management...2 > Difficult for
Published April 2010. Executive Summary
Effective Incident, Problem, and Change Management Integrating People, Process, and Technology in the Datacenter Published April 2010 Executive Summary Information technology (IT) organizations today must
AD Management Survey: Reveals Security as Key Challenge
Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active
WHITE PAPER. Understanding Transporter Concepts
WHITE PAPER Understanding Transporter Concepts Contents Introduction... 3 Definition of Terms... 4 Organization... 4 Administrator... 4 Organization User... 4 Guest User... 4 Folder Hierarchies... 5 Traditional
The Jamcracker Enterprise CSB AppStore Unifying Cloud Services Delivery and Management for Enterprise IT
The Jamcracker Enterprise CSB AppStore Unifying Cloud Services Delivery and Management for Enterprise IT Jamcracker, Inc. 4677 Old Ironsides Drive Santa Clara, CA, USA 95054 www.jamcracker.com Table of
Whitepaper: 7 Steps to Developing a Cloud Security Plan
Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for
A CIO s Guide To Mobility Management
The Complimentary Reprint Of This Syndicated Research Report Has Been Sponsored By: A CIO s Guide To Mobility Management Written By: Maribel Lopez March 2013 Lopez Research LLC 2269 Chestnut Street #202
YOUR COMPLETE CRM HANDBOOK
HIGHER EDUCATION: YOUR COMPLETE CRM HANDBOOK EVERYTHING YOU NEED TO KNOW TO GET STARTED WITH CRM Introduction WHAT IS CRM? CRM is much more than a buzzy acronym that s been tossed around the business and
RSA Solution Brief. The RSA Solution for Cloud Security and Compliance
The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for
Seven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
Simply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief
The RSA Solution for Cloud Security and Compliance A GRC foundation for VMware infrastructure security and compliance Solution Brief The RSA Solution for Cloud Security and Compliance enables end-user
How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment
WHITEPAPER How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment www.onelogin.com 150 Spear Street, Suite 1400, San Francisco, CA 94105 855.426.7272 EXECUTIVE SUMMARY
How to Build a Service Management Hub for Digital Service Innovation
solution white paper How to Build a Service Management Hub for Digital Service Innovation Empower IT and business agility by taking ITSM to the cloud Table of Contents 1 EXECUTIVE SUMMARY The Mission:
SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management
Solution in Detail NetWeaver Business-Driven, Compliant Identity Table of Contents 3 Quick Facts 4 Business Challenges Identity for the User Lifecycle 5 The Solution Supporting a Heterogeneous IT Landscape
RSA, The Security Division of EMC. Zamanta Anguiano Sales Manager RSA
RSA, The Security Division of EMC Zamanta Anguiano Sales Manager RSA The Age of the Hyperextended Enterprise BUSINESS ISSUES IMPACT Innovation Collaboration Exploding Information Supply Chain Customer
