Viewpoints

Quotes, research findings and recommendations from leading industry analysts and gurus on topics such as information security, identity management and compliance.

"Having a foundational identity and access governance platform in place and then expanding it into provisioning makes a lot of sense for companies. Building a complete view of entitlements and access privileges is step one. The next step is to leverage role management and create a centralized policy that dictates who should have access to those resources. Companies then have the benefit of leveraging that model, built for compliance, across its provisioning processes."
Ian Glazer, Senior Analyst, Burton Group (acquired by Gartner)  |  March 22, 2010

"SailPoint IdentityIQ is a mature IAG product that has been available since early 2007. SailPoint supports all of the surveyed IAG capabilities and provides a single, integrated user-interface for them. It has excellent holistic integration of identity threat and SoD that enhances its core role management and access certification capabilities. The product can retrieve entitlements directly from some target platforms and can leverage an external provisioning system for others."
Mark Diodati and Ian Glazer, Burton Group:
"Market Profile: Identity and Access Governance, 2010"  |  January 28, 2010

"Identity and access governance's rise will continue to the point that it is seen as a dominant component of the IdM universe. With its business-centric focus and easy-to-use user interfaces, identity and access governance (IAG) reflects identity management's true nature: managing people and their responsibilities to achieve business goals while minimizing enterprise risk. By being policy driven and relying on business-readable entitlement information, IAG products facilitate conversations between line-of-business, IT, security, audit, and human resource teams; it is those conversations that are the future of identity management."
Mark Diodati and Ian Glazer, Burton Group:
"Market Profile: Identity and Access Governance, 2010"  |  January 28, 2010

"Identity and access management is finally beginning to grow up and bridge some of the gaps between what the enterprise needs and what IT can do for them. In governance, risk and compliance management, for example, strong access controls coupled with access request, approval and review processes are needed by the business to enable them to fully realize value from their policies, guidelines and practices. This is particularly the case for managing risk. Those IAM solutions that provide the business bridge between IAM and GRC management staff will play a significant role in enterprise access needs of the future."
Earl Perkins, Research Vice President, Gartner, Inc.  |  November 9, 2009

"The constant drumbeat of compliance requirements of the past few years has definitely impacted the IdM marketplace. For too long, user provisioning tools were positioned as the cornerstone of compliance activities-primarily role management, access certification, and reporting-but could never live up to expectations. Even mature provisioning deployments do not have the breadth (number of managed applications and systems) or depth (detail of entitlements per user) of access data to perform compliance functions. In response, vendors have dedicated resources to enhancing (and acquiring) role management, access certification, and other tools to improve reporting and dashboard capabilities. Burton Group categorizes this collection of functionality as access and identity governance."
Lori Rowland and Gerry Gebel, Burton Group, "Identity Management Market 2009: Doing More with Less"  |  July 20, 2009

"Many organizations, unfortunately, still do not possess an accurate or complete view of access or identity controls across their environments. One of the biggest benefits of access and identity governance tools is the ability to reach across the application portfolio in an organization and to dig up the application entitlements within these silos. A broad and deep perspective becomes available for a variety of analysis, reporting, or business decision support functions."
Gerry Gebel, Burton Group, "Access and Identity Governance: Leading to Transparency and Visibility?"  |  July 13, 2009

"One of the more interesting aspects of these products is the use of business intelligence (BI) tools and terminology ... SailPoint uses advanced data mining and identity intelligence to provide a risk scoring system to help visualize the risk posture of an organization's infrastructure."
Gerry Gebel, Burton Group, "Access and Identity Governance: Leading to Transparency and Visibility?"  |  July 13, 2009

"[IdentityIQ's] application and organization onboarding, role prioritization, and cleanup of excessive entitlements are aided by the product's advanced risk model. It also provides outstanding support for avoiding role erosion and cleaning up stale roles during access recertification."
Andras Cser, Forrester Research "Market Overview: Enterprise Role Management."  |  May 12, 2009

"One of the more interesting aspects of these products is the use of business intelligence (BI) tools and terminology ... SailPoint uses advanced data mining and identity intelligence to provide a risk scoring system to help visualize the risk posture of an organization's infrastructure."
Gerry Gebel, Burton Group, "Access and Identity Governance: Leading to Transparency and Visibility?"  |  May 12, 2009

"Enterprise role management is key in efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (like access to and functionality within a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don't violate segregation of duties. For instance, a financial clerk role can't contain fine-grained access rights that allow someone in the role to access the accounts receivable and accounts payable parts of the financial application."
Andras Cser, Forrester Research"Best Practices: How to Implement and Maintain Enterprise User Roles" SearchSecurity.com |  May 12, 2009

"When considering an identity management suite, don't make the same mistake that many of your colleagues have made by failing to thoroughly evaluate all identity management products under consideration before a purchase. Most organizations begin their evaluations by looking for a single product to meet a pressing need. At purchase time, the vendor then offers the customer a steep discount to compel the purchase of multiple identity management products. The deployment of the primary product goes well, but then the organization finds out that the other purchased products don't meet its needs, or require significant customization to work."
Mark Diodati, Burton Group"Changing Times for Identity Management" Information Security |  May 2009

"In the face of today's challenging economic environment, businesses are moving to reduce IT costs while delivering critical business systems, including regulatory compliance. SailPoint is addressing these challenges by providing faster, less costly, and less risky delivery methods to deliver near term business value. We're seeing great results from our partnership to provide software delivery models to make it easier for companies to buy, deploy and maintain their software."
Terry Jost, CEO, Mycroft, Inc. |  March 23, 2009

"SailPoint Technologies forcefully enters the market during 2008. SailPoint Technologies approached the role management market from the access recertification and role mining side, and added role management and workflow capabilities in late 2007. The IdentityIQ product represents business terms in its user interface and can monitor not only normal user but also privileged user and system administrator activity. Application and organization onboarding, role prioritization, and cleanup of excessive entitlements are aided by the product's advanced risk model. It also provides outstanding support for avoiding role erosion and cleaning up stale roles during access recertification. Of all the vendors, SailPoint Technologies reported the capability to manage the largest number of rules for role definition."
Forrester, "Market Overview: Enterprise Role Management" by Andras Cser  |  February 6, 2009

"Access certification provides relief from regulations, internal controls, and audit pressure and is a powerful means to reduce enterprise risk. Although most enterprises use internally developed processes and not commercial off-the-shelf (COTS) products, numerous vendors are offering products that are sophisticated and well thought out. Enterprises looking to reduce access-related risk while hoping to eventually tackle role management and user provisioning should promote access certification in their thinking, giving it the more prominent role in the overall identity management program that it deserves."
Burton Group, "Access Certification: An Intersection of Compliance and Risk Management" by Ian Glazer  |  January 20, 2009

"IT provides tools that enable governance activities. However, IT departments are increasingly being asked to enact business polices and automate business processes of which they neither have knowledge of, nor control over. To close this divide, policy decisions and compliance monitoring must be pushed to the business owners. Identity management vendors have begun to address this issue through improved workflow, delegated-administration, self-service, and access attestation functionality."
Kevin Kampman, senior analyst, Burton Group  |  October 21, 2008

"GRC costs continue to rise as national and global mandates proliferate. In order to gain sufficient efficiency, enterprises must automate as many GRC-related activities as possible to ensure a repeatable, sustainable, and cost-effective risk and compliance regimen."
John Hagerty, AMR Research  |  October 9, 2008

"SailPoint Technologies has created an innovative identity management and compliance solution that integrates identity governance techniques with a risk-based approach. This solution addresses the challenges in maintaining and managing a large number of users and their entitlements."
Zachariah Thomas, Frost & Sullivan  |  September 2008

"Companies are looking at controls from a risk perspective instead of trying to control everything. It is about people managing risk and not about technology trying to make risk disappear."
Jamie Lewis, CEO, Burton Group  |  Keynote address at 2008 Catalyst Conference  |  June 25, 2008

"I recently published my "2008 GRC Drivers, Trends, & Market Directions" research illustrating the dynamic and growing nature of GRC adoption within organizations and the direction and size of the overall GRC market for products and services. Below are the summary highlights from this piece of research. The Governance, Risk, and Compliance (GRC) market is in significant momentum as organizations embrace collaboration across silos of GRC and generally recognize that something needs to be done."
Michael Rasmussen, Corporate Integrity  |  read blog  |  April 7, 2008

"SailPoint's approach to identity risk management links risk analytics and controls automation with identity audit and identity monitoring to augment the user-provisioning component of IAM. This approach reflects SailPoint's belief that managing risk does not need to be simply a passive or strategic planning phase at the executive level, but should be executed operationally. No other role management vendor tries to bring together such unique stakeholders (executives in business and IT operations) in the IAM buying experience."
Gartner, Inc., "Cool Vendors in Identity and Access Management, 2008" by Earl Perkins et al  |  April 4, 2008

"The requirement to demonstrate compliance has caused audit teams to cast a wider net into other areas of policy and privilege management. For example, identity audit solutions, such as SailPoint Technologies, are being evaluated in conjunction with provisioning solutions in order to satisfy these requirements. Because of the increasing influence of audit and accountability, it is very important to understand the requirements for compliance and how these affect the selection and implementation of appropriate solutions."
Lori Rowland and Kevin Kampman, Burton Group  |  February 13, 2008

"SailPoint is...in the process of establishing the new market segment of "Identity Risk Management." That is a discipline within GRC which deals specifically with risks which are in some way or another identity-related – which are most of the risks, by the way. It's about answering questions like "who is allowed to do what," but in detail and not only high-level. And with a high degree of automation...they understand a lot about Identity Management and...also understand what the customers need beyond provisioning. ...the entire new discipline of Identity Risk Management is a must."
Martin Kuppinger, Kuppinger Cole  |  read blog  |  December 19, 2007

"When a typical large enterprise has tens of thousands of users and thousands of applications, basic identity audit and compliance tasks like certifying which users have access to critical applications and data are monumental. Organizations that master these tactical matters are poised to tackle the next big challenge and opportunity for most enterprises – collaborating with business managers to determine acceptable levels of risk for users and IT resources."
Lori Rowland, Analyst, Burton Group  |  December 5, 2007

"We see many organizations stymied by bad identity data in their enterprise identity management initiatives. Cleaning up bad data, filling in missing data and eliminating orphan accounts are critical prerequisites to successfully undertaking complex identity management projects. Moving past those tasks allows organizations to focus their efforts on matters that yield true business value like automating compliance and reducing risk."
Roberta J. Witty, research vice president, Gartner Inc.  |  November 7, 2007

"Today's enterprise faces a daunting range of IT risks – from security, business malfeasance and insider threats to business-critical IT service availability, performance and integrity issues. Regulatory requirements intended to curb these risks have also driven the pursuit of more effective IT governance. IT risk management has become the lynchpin of all these demands. Putting a strategic IT risk management program into place can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline."
Scott Crawford, Research Director, Enterprise Management Associates  |  August 30, 2007

"In order to meet regulatory and corporate governance requirements, enterprises must implement a variety of controls over identity-related information – often requiring products from more than one vendor. Vendors that deliver integrated solutions provide value to customers by lowering costs and making software easier to deploy and easier to use."
Lori Rowland, Analyst, Burton Group  |  June 27, 2007

"A new market that Gartner refers to as identity auditing has been created largely to fill the gap between what the IdM market currently provides and what the customer wants (identity and resource views for users, roles, fine-grained entitlements and the approval process)."
Gartner, Inc., "Hype Cycle for Identity and Access Management Technologies, 2007" by Gregg Kreizman et al, June 21, 2007.

For more insights, visit the Viewpoints Archive »