Without Governance, History Repeats Itself With IDaaS

We’re all familiar with the old adage “those who fail to study history are destined to repeat it.” But for some reason, this practical advice doesn’t always stick. Building upon my reflections on SailPoint’s history in the identity governance market, I’ve been thinking about the cloud-based identity management, or identity-as-a-service (IDaaS), market. Not surprisingly, I see a lot of indicators that history is repeating itself, again.

A quick survey of vendors, analyst reports, and customer inquiries reveals a collective focus on access management as-a-service (single sign-on to be exact). It’s like the year 2000 all over again. At that time, the nascent IAM market was dominated by web access management (WAM) vendors like Netegrity, who provided SSO for companies under pressure to help end-users get easy access to the explosion of web applications in their environments. Even the first Gartner Magic Quadrant published for IAM focused on WAM.

It was after the web app gold rush settled down that organizations realized they had created a new population of access points that required the IAM disciplines needed to address security and risk. That’s what companies like Waveset (my first company) provided to the market with their identity administrative capabilities. But those companies only provided the “A” for what is now called identity governance and administration (IGA).

Fast forward to today: Companies are again feeling the pressure to make it easier for end-users to get access to a rapidly growing number of applications – in this case SaaS applications. Emerging cloud-based access management companies are once again all the rage. Even the first Gartner Magic Quadrant on IDaaS focused almost exclusively on access management.

So what’s wrong with the current picture?

History tells us that while SSO may be the initial pain point for a new application delivery technology, it is certainly not the only IAM discipline that needs to be put in place. In the rush to adopt new application computing paradigms (first client-server, then web application, and now SaaS), the tendency has always been to speed headlong into adoption without a lot of consideration for the potential security and risk implications.

This is primarily due to the reality that the adoption of new technologies usually occurs outside of the control, and even visibility, of the people tasked with managing risk and ensuring security for the enterprise. The end-users within lines of business tend to do most of the initial new technology acquisition when it comes to SaaS apps. And what’s the first thing those end users start clamoring for? An easy way to log in to all those new shiny applications. So, in line with repeating history, SSO was once again the first IAM discipline to appear for the SaaS world.

But we’ve entered a period of maturity now where organizations understand that both the “G” and the “A” (governance and administration) of SaaS apps are as important for these applications as they were for web applications before them, and client-server applications before that. At the same time, these organizations have realized that managing the SaaS environment in conjunction with a unified solution across their hybrid IT environments is the right strategy to undertake.

So what does a mature IDaaS solution look like? It has the functionality required to manage the entire IT environment, with equal attention paid to both sides of the coin: identity governance and administration. A cloud-based IGA solution has three defining capabilities:

  • See everything. You need visibility into all the information about an identity, across all the applications an enterprise uses, all the data they have, and across all users – no matter where they are located or what devices they may use.
  • Govern everything. You need to know who does have access, who should have access, and what users are doing with that access on all your applications for all your users and for all your data.
  • Empower everyone. You need to enable your users to work how they like to work, wherever they are and on whatever device they want to use.

We’re proud of our early innovations that helped create the IGA market. And as SailPoint began thinking about providing a cloud-based identity governance solution, we knew it would only help our current and future customers if we stayed true to our market vision: identity governance must be the foundation upon which all Identity Management capabilities are built. Because without governance, history is destined to repeat itself yet again.