Viewpoints

Quotes, research findings and recommendations from leading industry analysts and gurus on topics such as information security, identity management and compliance.

"Enterprise role management is key in efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (like access to and functionality within a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don't violate segregation of duties. For instance, a financial clerk role can't contain fine-grained access rights that allow someone in the role to access the accounts receivable and accounts payable parts of the financial application."
Andras Cser, Forrester Research"Best Practices: How to Implement and Maintain Enterprise User Roles" SearchSecurity.com |  May 12, 2009

"When considering an identity management suite, don't make the same mistake that many of your colleagues have made by failing to thoroughly evaluate all identity management products under consideration before a purchase. Most organizations begin their evaluations by looking for a single product to meet a pressing need. At purchase time, the vendor then offers the customer a steep discount to compel the purchase of multiple identity management products. The deployment of the primary product goes well, but then the organization finds out that the other purchased products don't meet its needs, or require significant customization to work."
Mark Diodati, Burton Group"Changing Times for Identity Management" Information Security |  May 2009

"In the face of today's challenging economic environment, businesses are moving to reduce IT costs while delivering critical business systems, including regulatory compliance. SailPoint is addressing these challenges by providing faster, less costly, and less risky delivery methods to deliver near term business value. We're seeing great results from our partnership to provide software delivery models to make it easier for companies to buy, deploy and maintain their software."
Terry Jost, CEO, Mycroft, Inc. |  March 23, 2009

"SailPoint Technologies forcefully enters the market during 2008. SailPoint Technologies approached the role management market from the access recertification and role mining side, and added role management and workflow capabilities in late 2007. The IdentityIQ product represents business terms in its user interface and can monitor not only normal user but also privileged user and system administrator activity. Application and organization onboarding, role prioritization, and cleanup of excessive entitlements are aided by the product's advanced risk model. It also provides outstanding support for avoiding role erosion and cleaning up stale roles during access recertification. Of all the vendors, SailPoint Technologies reported the capability to manage the largest number of rules for role definition."
Forrester, "Market Overview: Enterprise Role Management" by Andras Cser  |  February 6, 2009

"Access certification provides relief from regulations, internal controls, and audit pressure and is a powerful means to reduce enterprise risk. Although most enterprises use internally developed processes and not commercial off-the-shelf (COTS) products, numerous vendors are offering products that are sophisticated and well thought out. Enterprises looking to reduce access-related risk while hoping to eventually tackle role management and user provisioning should promote access certification in their thinking, giving it the more prominent role in the overall identity management program that it deserves."
Burton Group, "Access Certification: An Intersection of Compliance and Risk Management" by Ian Glazer  |  January 20, 2009

"IT provides tools that enable governance activities. However, IT departments are increasingly being asked to enact business polices and automate business processes of which they neither have knowledge of, nor control over. To close this divide, policy decisions and compliance monitoring must be pushed to the business owners. Identity management vendors have begun to address this issue through improved workflow, delegated-administration, self-service, and access attestation functionality."
Kevin Kampman, senior analyst, Burton Group  |  October 21, 2008

"GRC costs continue to rise as national and global mandates proliferate. In order to gain sufficient efficiency, enterprises must automate as many GRC-related activities as possible to ensure a repeatable, sustainable, and cost-effective risk and compliance regimen."
John Hagerty, AMR Research  |  October 9, 2008

"SailPoint Technologies has created an innovative identity management and compliance solution that integrates identity governance techniques with a risk-based approach. This solution addresses the challenges in maintaining and managing a large number of users and their entitlements."
Zachariah Thomas, Frost & Sullivan  |  September 2008

"Companies are looking at controls from a risk perspective instead of trying to control everything. It is about people managing risk and not about technology trying to make risk disappear."
Jamie Lewis, CEO, Burton Group  |  Keynote address at 2008 Catalyst Conference  |  June 25, 2008

"I recently published my "2008 GRC Drivers, Trends, & Market Directions" research illustrating the dynamic and growing nature of GRC adoption within organizations and the direction and size of the overall GRC market for products and services. Below are the summary highlights from this piece of research. The Governance, Risk, and Compliance (GRC) market is in significant momentum as organizations embrace collaboration across silos of GRC and generally recognize that something needs to be done."
Michael Rasmussen, Corporate Integrity  |  read blog  |  April 7, 2008

"SailPoint's approach to identity risk management links risk analytics and controls automation with identity audit and identity monitoring to augment the user-provisioning component of IAM. This approach reflects SailPoint's belief that managing risk does not need to be simply a passive or strategic planning phase at the executive level, but should be executed operationally. No other role management vendor tries to bring together such unique stakeholders (executives in business and IT operations) in the IAM buying experience."
Gartner, Inc., "Cool Vendors in Identity and Access Management, 2008" by Earl Perkins et al  |  April 4, 2008

"The requirement to demonstrate compliance has caused audit teams to cast a wider net into other areas of policy and privilege management. For example, identity audit solutions, such as SailPoint Technologies, are being evaluated in conjunction with provisioning solutions in order to satisfy these requirements. Because of the increasing influence of audit and accountability, it is very important to understand the requirements for compliance and how these affect the selection and implementation of appropriate solutions."
Lori Rowland and Kevin Kampman, Burton Group  |  February 13, 2008

"SailPoint is...in the process of establishing the new market segment of "Identity Risk Management." That is a discipline within GRC which deals specifically with risks which are in some way or another identity-related – which are most of the risks, by the way. It's about answering questions like "who is allowed to do what," but in detail and not only high-level. And with a high degree of automation...they understand a lot about Identity Management and...also understand what the customers need beyond provisioning. ...the entire new discipline of Identity Risk Management is a must."
Martin Kuppinger, Kuppinger Cole  |  read blog  |  December 19, 2007

"When a typical large enterprise has tens of thousands of users and thousands of applications, basic identity audit and compliance tasks like certifying which users have access to critical applications and data are monumental. Organizations that master these tactical matters are poised to tackle the next big challenge and opportunity for most enterprises – collaborating with business managers to determine acceptable levels of risk for users and IT resources."
Lori Rowland, Analyst, Burton Group  |  December 5, 2007

"We see many organizations stymied by bad identity data in their enterprise identity management initiatives. Cleaning up bad data, filling in missing data and eliminating orphan accounts are critical prerequisites to successfully undertaking complex identity management projects. Moving past those tasks allows organizations to focus their efforts on matters that yield true business value like automating compliance and reducing risk."
Roberta J. Witty, research vice president, Gartner Inc.  |  November 7, 2007

"Today's enterprise faces a daunting range of IT risks – from security, business malfeasance and insider threats to business-critical IT service availability, performance and integrity issues. Regulatory requirements intended to curb these risks have also driven the pursuit of more effective IT governance. IT risk management has become the lynchpin of all these demands. Putting a strategic IT risk management program into place can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline."
Scott Crawford, Research Director, Enterprise Management Associates  |  August 30, 2007

"In order to meet regulatory and corporate governance requirements, enterprises must implement a variety of controls over identity-related information – often requiring products from more than one vendor. Vendors that deliver integrated solutions provide value to customers by lowering costs and making software easier to deploy and easier to use."
Lori Rowland, Analyst, Burton Group  |  June 27, 2007

"A new market that Gartner refers to as identity auditing has been created largely to fill the gap between what the IdM market currently provides and what the customer wants (identity and resource views for users, roles, fine-grained entitlements and the approval process)."
Gartner, Inc., "Hype Cycle for Identity and Access Management Technologies, 2007" by Gregg Kreizman et al, June 21, 2007.

For more insights, visit the Viewpoints Archive »