Monday, July 1, 2013

SailPoint Partnership

Cambridge recently partnered with SailPoint. Cambridge has long been a leader in providing Identity and Access Management services and has maintained partnerships with NetIQ, Oracle and Microsoft for years. We give the highest importance to providing quality services to our clients, using the vendor products we’re partnered with. Therefore, the decision to start a partnership with a new vendor is taken very seriously and involves strategic planning and analysis. This ensures that the vendor is able to provide our clients a high standard of quality.
In the case of SailPoint, starting a partnership was an easy decision – they have a leading product in the Access Governance market. Established in 2005, this company has taken a completely fresh approach to Identity Management – through Access Governance. This is why it has managed to set itself apart from the rest so quickly: it has moved the focus of traditional Identity Management from an IT solution to a Business solution.
Oracle, NetIQ and Microsoft all have strong provisioning engines and provide a comprehensive set of functionalities. However, in all three cases, the Access Governance functionality is missing from their Identity Manager products. Oracle provides this by way of Oracle Identity Analytics while NetIQ is a reseller of SailPoint IdentityIQ. In either case, it is necessary to integrate additional products into the existing environment to get similar functionality. SailPoint IdentityIQ, on the other hand, offers one single product that is able to provide Governance and Provisioning from one single interface.
What sets SailPoint further apart from its competitors is the intuitive user interface it offers alongside a rich set of features and functionality. From the very little hard disk space and memory it needs, to the ease of installation and patching, it is able to provide powerful results with minimal effort. Therefore, whether it is a large client with millions of identities (their largest client has over 1.7 million) or a small company with fewer than 1,000 users, the effort and costs associated with the implementation are low.
SailPoint’s recommended strategy when considering any kind of Identity and Access Management project is to start with a business-user-driven Identity Lifecycle Control, built on a model- and policy-based approach. That is, understand the current state and clean the data first, before moving on to any kind of provisioning functionality. To support this approach, it provides a Risk-Based Model. This Risk-Based Model can be used to assign a risk score to all roles and entitlements. Therefore, users with a high risk score can be flagged and their entitlements can be reviewed. If, after review, it is discovered that some of the entitlements are not needed by the users, they can be removed, bringing down the user’s risk score. This functionality helps define a strong foundation for any Identity Management solution – clean data leads to easier management of users, an easier certification process, and easier maintenance and proof of compliance. Traditionally, Identity Management projects have been, to a certain degree, focused on provisioning while not giving appropriate importance to the data cleansing process. In some implementations, this ends up leading to a state of Garbage In, Garbage Out.
Whether you are completely new to this field and looking for a place to start, or already have a centralized provisioning system in place and are looking for a way to integrate Access Governance, SailPoint’s approach helps make this process easier. The technical team responsible for the creation of IBM Tivoli and Sun Identity Manager also created SailPoint IdentityIQ. Therefore, their product has been built by experienced people, keeping in mind the issues and challenges faced in the previous generations of Identity Management products.
In summary, they’ve built a single product that solves most requirements around Identity Management and Access Governance. It has been designed with a business user in mind, provides flexible provisioning services as well as a dynamic risk model that allows companies to get compliant, stay compliant and prove compliance. Given all the above-mentioned features, Cambridge has rightly partnered with SailPoint - our team will be happy to help you assess if SailPoint is right for you!

Tuesday, April 9, 2013

Challenges of an Identity Management Deployment


The concept of Identity Management has always sounded very logical, practical and useful from the start. What’s not to appreciate? Users get one interface for Self-Service. Approvers get one interface to approve or decline all kinds of requests. The support team uses one interface to manage all user accounts, on various systems, whether to unlock accounts or to reset passwords or perhaps even provide additional services. The whole user lifecycle can be managed from one system: roles assigned, permissions revoked. The time, energy and effort saved are huge. The list of good things Identity Management brings is probably endless.

Then why do most companies struggle to implement a viable Identity Management solution? Is it the lack of technology? Are the current vendors unable to provide a framework that addresses consumer needs? Is it difficult to gather the information and find common understanding across all departments and all application owners? Is it that converting business needs into a technical implementation is just too difficult? Or is it all of the above?

Let’s take an example. Company XYZ wants to implement workflows to request access to applications. In theory, it sounds quite simple. Anyone who has tried to create the business rules that support all use cases knows: it’s never that simple. How are users managed? Who approves on the first level? Does Department ABC follow the same rules while granting access as Department PQR? If not, then do we set up different sets of rules for every department? How long will that implementation take? Otherwise, should we come up with the rules to be followed from now on, with this Identity Management implementation? If so, will end users like the change? Let’s face it, although the advent of technology has made us more accepting of change than before, we still try to avoid it as much as possible. Things should stay as they were. Many end users would prefer to call the helpdesk and request rights instead of figuring out where to go, which link to click, which application to select from a list, which specific rights and roles to choose and submit. Isn’t picking up the phone and asking for the same thing easier? On the other hand, will Application Owners be OK with giving up the power so that the Identity Management solution automatically creates accounts for users, if the request is approved? Or would they instead prefer to know who is getting what access and decide when it is granted? Will they feel less essential to the functioning of the company if certain tasks can be automated?

Let’s take another example. If Company XYZ has 50 departments with over 500 different job titles and/or job codes, how many Business Roles should be created to cover at least 80% of the employees’ rights and permissions across the 100 applications used most frequently by the employees? Of course, all vendors now provide features where, at the click of a button, these roles are generated automatically; the data is mined in the most practical way. The tool will even suggest new roles if new rights and permissions are detected. But how do you get the most accurate data from all the applications, and create these roles, when many definitions change regularly, the data is not of good quality and there is no pre-defined set of rules or logic that decides when and why a user should be given a set of permissions?

Of course, there are hundreds of successful IdM implementations, there is no denying that. But can those implementations truly be called successful? More importantly, do those implementations continue to be successful? Is manual intervention still needed at several points during a user lifecycle? Are they able to keep up with the growing company needs?

Since there is a lot of talk about the cloud these days, it’s very likely that many companies will want to use IaaS (Identity as a Service). However, moving to the cloud still does not solve the basic problems faced by any Identity Management implementation. What are your thoughts? Is implementing an Identity Management solution challenging for you?