By Kevin Cunningham, president and founder, SailPoint
Over the space of 10 years, viewpoints and approaches on the identity and access management (IAM) market have come and gone. This space has evolved and matured, with the industry – vendors, partners, and customers – gaining much experience and making (and learning from) many mistakes.
By looking back at some of the myths over the last 10 years, we can better understand what today’s reality for identity is and how far we have come:
- Myth: “Provisioning will solve my governance problems”. While many of the provisioning solutions from 10 years ago did a decent job of adding and deleting users to key systems, they certainly weren’t designed for identity governance. They lacked the broad application coverage required to meet compliance requirements; they struggled to report “who has access to what”; and they were too technical for business users.
- Reality: a new category of IAM solution was born – identity governance – pioneered by SailPoint and designed specifically to address these deficiencies
- Myth: Identity governance is a necessary evil caused by SOX. It’s true that Sarbanes-Oxley fueled the demand for compliance solutions 10 years ago, but it turns out the auditors were right. Organisations did need to strengthen controls over access to sensitive data and applications. And as we’re now hyper-aware, the risk to organizations is broader and deeper than just the financial systems that SOX was focused on. Today’s organisations must put in place preventive and detective controls to protect all kinds of data – embedded in applications, stored on file shares and in the cloud, and even on mobile devices.
- Reality: The real driver for identity governance is risk management.
- Myth: Identity Governance is ITs problem. Years ago, it was common for organisations to give responsibility for identity governance to the IT department. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which workers needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. What we now know is that the business side of the house must assume some, if not all, ownership for identity governance.
- Reality: Business managers are best qualified to define and enforce policies and controls that minimise access risks. IT staff can support and assist these efforts, but they cannot own the process.
There’s nothing like the school of hard knocks to make us all smarter. Over the past 10 years, SailPoint has worked with over 500 customers and dozens of implementation partners around the world to solve IAM challenges, and along the way we’ve learned many lessons about what works, how to be more effective for security and risk management initiatives, and how to better predict what future business challenges identity governance will need to address.