Looking Back at 10 Years of Identity Governance

SailPoint recently celebrated our 10th anniversary as a company. During that time, I’ve seen a lot of viewpoints and approaches come and go in the IAM market. Our space has evolved and matured over the past 10 years. We as an industry – vendors, partners, and customers – have gained a lot of experience and learned from our mistakes.

How far have we come? Let’s take a look back at the last 10 years, to understand some myths and the reality that came to be:

  • Myth: Provisioning will solve my governance problems. (I could write a book on this one.) While many of the provisioning solutions from 10 years ago did a decent job of adding and deleting users to key systems, they certainly weren’t designed for identity governance. They lacked the broad application coverage required to meet compliance requirements; they struggled to report “who has access to what”; and they were too technical for business users. Reality: SailPoint pioneered a new category of IAM solution – identity governance – specifically to address these deficiencies.
  • Myth: Role management will solve everything. Ten years ago, many in the industry believed that role management was the cure for what ailed IAM. Roles were viewed as the panacea that would bring business context to IAM and simplify provisioning and compliance. What we realize now is that roles are a means to an end, not a standalone solution. Reality: We see roles being employed by many of our customers as components of identity governance solutions, when and where they are useful.
  • Myth: Identity governance is a necessary evil caused by SOX. It’s true that Sarbanes-Oxley fueled the demand for compliance solutions 10 years ago, but it turns out the auditors were right (yes, I just said that). Organizations did need to strengthen controls over access to sensitive data and applications. And as we’re now hyper-aware, the risk to organizations is broader and deeper than just the financial systems that SOX was focused on. Today’s organizations must put in place preventive and detective controls to protect all kinds of data – embedded in applications, stored on file shares and in the cloud, and even on mobile devices. Reality: The real driver for identity governance is risk management.
  • Myth: Identity Governance is IT’s problem. Years ago, it was common for organizations to give responsibility for identity governance to the IT department. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which workers needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. What we now know is that the business side of the house must assume some, if not all, ownership for identity governance. Reality: Business managers are best qualified to define and enforce policies and controls that minimize access risks. IT staff can support and assist these efforts, but they cannot own the process.

There’s nothing like the school of hard knocks to make us all smarter. Over the past 10 years, SailPoint has worked with over 500 customers and dozens of implementation partners around the world to solve IAM challenges, and along the way we’ve learned dozens of lessons about what works, how to be more effective for security and risk management initiatives, and how to better predict what future business challenges identity governance will need to address.