Last week, I was very pleased to see Burton Group publish a report entitled “Access and Identity Governance: Leading to Transparency and Visibility.” The report, authored by Gerry Gebel, describes how an access and identity governance layer has emerged to address enterprise needs for greater transparency, visibility and business controls. The report is notable in that it openly acknowledges the failure of provisioning solutions to meet the demands of governance and compliance:
User provisioning tools are not properly designed to provide access and identity governance functionality. However, they were marketed as compliance platforms, which led to unreasonable expectations on the part of customers.
Most importantly, the new Burton report signals the transition of identity management solutions from pure IT-oriented technology toward business-enabling software. As Gerry puts it, new governance tools “strive to become business decision support tools rather than IT consoles.” This transition is more complex than it sounds, because it involves designing software that allows business users to play a bigger role in identity management business processes, such as requesting, approving, certifying, or removing access privileges.
Beyond the need for business-friendly UIs (which are very important), I want to emphasize the key role that identity governance solutions play in automating identity business processes and underpinning those processes with common policy and controls. I’ll focus on a key identity business process – access request – to illustrate my point:
In most organizations, the processes and tools used to request or change access are inefficient and inconsistent at best. Processes vary from business unit to business unit and from application to application, with users often requesting and gaining new access privileges without going through proper channels. The ad-hoc nature of the typical access request process leaves managers and users frustrated and enterprises vulnerable to increased security and compliance risks.
To address these problems, SailPoint released IdentityIQ Access Request Manager in September of 2008. With this release, we became the first identity governance vendor to automate the business process management (BPM) side of access request, allowing employees and managers to use a business-friendly, fully automated process to request or change access privileges. Underpinning the Access Request Manager is IdentityIQ’s graphical workflow engine that makes it simple to design and customize business processes – across access request, role management, policy enforcement, and other identity governance functional areas.
In my view, the key tie-in between business process management and good governance is our ability to strengthen key identity business processes with our identity governance model, including both role and policy models, controls and risk management – to ensure compliance and introduce preventive controls at each step along the way.
We’ll be at Catalyst next week, where I look forward to continuing this discussion with any of you that will be there. It’s shaping up to be a great event!