Q&A with Mark McClain: The State of Identity

I’m excited to be at SailPoint’s fourth identity governance conference, Navigate ’16, taking place this week at the JW Marriott in downtown Austin. Navigate is one of the largest gatherings devoted to enterprises using identity governance to mitigate risk and manage an ever more complex set of regulatory compliance mandates.

Throughout the next few days, I’m looking forward to a lot of great discussion, panels, keynotes, advice, and (hopefully) some good debates about the future of identity. Just before the show kicked off, I had a chance to speak with Mark McClain, CEO and founder of SailPoint, to get a sense of the state of the identity market today.

Hulme: What do you see as the largest identity management market drivers now? Is it new identity efforts, or are customers trying to be more efficient when it comes to identity, or are they working on getting rid of a lot of their legacy efforts and rationalizing their identity management efforts?

McClain: It’s two or three things. There’s still a set of organizations that come at the problem the way most organizations did in the early 2000s. Identity was mostly about efficiency and cost savings. Provisioning was partly about doing a better job at security, but a lot of it was just about being more efficient at all the operational identity management things needed to simply add, modify, and delete users all day, every day. There’s a lot of human cost in that.

Then regulatory compliance came along and carried both a regulatory and security oriented value proposition around it, but again a lot of the story was one of efficiency. People were doing it with spreadsheets and emails. It was painful for the user community to go through these audits and compliance checks. Now, in the past three or four years, all of these breaches have drawn lots and lots of attention to not just security in general but also to identity. It’s coming out more and more often that the root cause of a lot of these very public, very well-known breaches was in fact a failure in identity management.

Is this changing customers’ perspective on what they need to do around security?

They’re waking up to the fact that some of the bad things that happen on the inside of their network, from an insider perspective, involve using identity in some way. And the network defense has nothing to do with protecting against it. When you have an insider who is doing something either intentionally (or unintentionally) bad, network defenses simply will not prevent that. So we’ve seen a lot of the market becoming aware of the importance of having a set of processes in place to ensure that the right people, and only the right people, have access to the right stuff.

So today, there is a security aspect of the value proposition, in addition to the regulatory compliance and cost savings and efficiency drivers.

Enterprises have been managing identity a long time. I imagine they are also contending with a lot of older identity management applications.

There’s a legacy technology issue here. We see a lot of 10-15 year-old provisioning technology in place. Many of these provisioning tools didn’t provide the value hoped. They over-promised and under-delivered. Many customers are looking to refresh that.

Another factor here is that most of the major identity providers from the past haven’t maintained their investment in their identity products. They haven’t kept their products current. Now, as customers are moving to cloud and mobile, these legacy applications are not very flexible and adaptable to mobile and cloud. They’re hard to use in that way, and they’re held together with baling wire. When customers try to adapt into these new computing architectures, the identity products just fall over. They literally can’t do it.

It makes sense because once you move one block in the chain, the entire stack starts to shift around. Tell me a little about how SailPoint is positioned to help.

One area that you’ll hear about this week is our focus on provisioning. Provisioning is an area we all know very well. We have built our product to enable us to have an underlying platform that could be leveraged to deliver many services. So, providing access requests and the provisioning workflow was very straightforward because our platform was already designed to do that.

You’ll also hear new things around Identity-as-a-Service (IDaaS). We’re trying to undo a lot of frustration in the market because the focus has been on single sign-on (SSO) as the thing that identity is all about. That’s simply not so. Identity is about a lot of other things, too, such as provisioning, regulatory compliance, security, and efficiency.

With larger companies, and those who have been around a couple decades, they will certainly have a lot of on-premises software and infrastructure to contend with. So cloud isn’t everything to them, I’d imagine.

No, that’s one of the aspects of IDaaS. Allowing you to sign in to cloud apps. It’s a pain point we agree, but it’s certainly not the entire issue. If you’re going to move to an IDaaS model, ultimately you have to do everything we’ve done before, but as a service: provisioning, compliance, certification, access request and multi-factor authentication.

We see ourselves having a very strong position in this emerging part of IDaaS – that’s the compliance, governance, and provisioning aspect of the value proposition beyond SSO. And a lot of companies don’t realize the complexity here.

To stay up-to-date on SailPoint this week during Navigate '16, follow SailPoint on Twitter. The official hashtag for Navigate '16 is #SPNav16.