In most organizations, there is a naturally high correlation between reducing risk and addressing compliance. However, risk management typically takes into account both the likelihood and potential cost associated with of a security breach, and puts in place controls accordingly. Compliance (as measured by auditors) typically takes a much more broad-brush approach and doesn’t do much to discern true risk from potential risk. Unfortunately, this can result in a lot of excess time, energy, and cost being expended without providing a lot of value. This is the “check-box” approach that we all have to be careful to avoid.

While no one in IT can argue against the need to address compliance requirements, it’s important to remember that compliance should not be an end goal in itself, but rather a means to effectively manage IT risk. This is especially a concern as organizations must now face growing and complex IT environments due to the proliferation of cloud technologies and mobile devices, which are significantly increasing their IT risk exposure.

Fortunately, more and more organizations are taking a risk-based approach to compliance. To do that, user populations and IT resources need to be categorized according to the potential damage a security breach could represent, if it occurred. Once categorized, controls can be designed to appropriately address the highest areas of risk with the highest degree of oversight – and the lowest degree of oversight over the areas that represent the lowest areas of risk. Compliance officers can then work hand-in-hand with their security counterparts to demonstrate to auditors that the appropriate controls are in place to address both risk and compliance. Remember, most legislation driving compliance is not prescriptive – it is the interpretation of the auditor that determines what compliance really means.

Due to the complexity of user population access privileges in most organizations and the plethora of systems, applications, databases, etc. in large IT environments, doing this categorization manually is, unfortunately, just not possible. And even if it were, it would quickly fall out of date due to the ongoing churn represented by people joining, leaving, or moving to new positions within the company. The good news is that next-generation IAM solutions (like SailPoint IdentityIQ) enable a risk-based approach to IAM, thereby providing a direct path to aligning compliance and security while addressing enterprise risk.

What is your stance on this debate? Do you think addressing risk management also means that you have taken the proper steps to address compliance?

A recent report from Gartner, “Bring Your Own Device: The Facts and the Future,” suggests that by 2017, half of the world’s employers may impose a mandatory BYOD policy — requiring employees to bring their own laptop, tablet or smartphone to work.

Some interesting findings from the research:

• 1.6 billion BYODs will be used in the workplace just next year;
• 38 percent of companies expect to stop providing workplace devices to staff by 2016; and
• 70% of mobile professionals will conduct their work on personal smart devices by 2018.

Clearly, BYOD is not only on the rise, it’s here to stay!

The popularity of smartphones, tablets and increased employee satisfaction has helped drive the BYOD movement. However, this also is part of the larger shift toward IT consumerization, in which consumer software and hardware are being brought into the enterprise. As more and more businesses jump on the BYOD trend, IT departments are battling to stay ahead of the game to ensure they are supporting business users while at the same time managing the IT risks associated with these evolving technologies. To quote Gartner Analyst David Willis, “More employees and more devices mean more security and management tool costs, more application licenses, more potential problems for an overtaxed help desk to deal with and more confusion.”

Managing risk, meeting the goals of the business and keeping employees happy is a tall order. Here are two things to keep in mind when building your BYOD strategy:

• In order to better manage the risks associated with BYOD, you will need better visibility to and control over the access privileges granted to workers. The use of mobile devices to access both on-premises and cloud applications makes these controls more difficult than ever. Companies must ensure that only authorized users can access sensitive applications and data, and they must be ready and able to remove all access privileges promptly upon worker termination. It’s no longer a simple matter of removing network access privileges.

• It’s important, however, to selectively apply controls and governance based on application risk and data criticality. For mission-critical applications, such as finance, human resources, or applications with confidential data, a high degree of control and governance is required. When these applications are being accessed by mobile devices, you’ll need to implement the right preventive and detective controls, such as approval workflow, access certifications and policy checking, to ensure that compliance and security guidelines are being followed. Not all applications require this level of governance, so you need to strike a balance between giving workers the agility and convenience they want, while giving IT the visibility and control that is essential to managing IT risk.

The bottom line: BYOD is an unstoppable force, with more employees bringing their personal mobile devices into the workforce and demanding fast, easy access to new technologies and applications. Businesses cannot afford to trade the benefits of mobility for unintentional costly consequences such as fraud, misuse of data, privacy breaches, and of course negative audit findings. The good news is that with the right governance-based IAM solution in place, companies can put preventative and detective controls in place that control user access across the enterprise, regardless of where or how an application or system is accessed.

Have you run into BYOD in your organization? What else do you think IT should do to provide employees the tools they need without compromising enterprise security or personal usage?

See highlights from the show:

Navigate ’13 Highlights from SailPoint on Vimeo.

Our promise was to deliver several days of content-rich, pragmatic talks and workshops to help customers maximize their investments in SailPoint technology. The impressive line-up of amazing speakers included a keynote from Gartner Research Vice President Earl Perkins and more than a dozen customers who shared case studies.

During the event, we also were fortunate to partner with leading technology commentator, blogger and long-time tech editor, David Strom. He was our “feet on the street” during Navigate and provided some great insights into the show, including:

• How Providence Health Built Its Next Generation IAM
• How Equifax Has Reduced Their Identity Management Risk
• Selecting the Right SSO Product
• How to Sell IAM to Your Executives and End Users at the Same Time
• The Future of IAM According to Gartner’s Earl Perkins
• How Do You Future-proof Your Business?

We’ve heard positive feedback from across the board about the event, and are happy to report that the attendees left Austin with a better understanding of how our next-generation IAM approach fits into their environment today – and well into the future. Thanks so much to SailPoint’s great team, our customer speakers and partner sponsors who collectively put a lot of hard working into the planning and execution to make this inaugural event one to remember – you guys definitely set a high bar!

To see some pictures of the event, visit our Facebook album and be sure to check back here soon for dates for Navigate ‘14. We hope to see you there next year!

Now imagine running your IAM program using many different systems and manual spreadsheets. These spreadsheets are used to track the access granted, in some cases, to extended workforce that is not directly employed by Providence. And spreadsheets are used when having employee’s managers perform recurring access certifications. Gulp. “In the words of the guys in the movie ‘Armageddon’, I have the worst identity governance environment you might imagine,” he said. “It isn’t easy dealing with this, and on top of this, we are adopting electronic medical records and a new IAM system too,” he said.

When Providence was first looking at IAM, they started with a technology centric view, but it wasn’t very satisfactory. “We needed to fix that from a policy perspective to make sure we could manage our user base that spreads from Alaska to California,” he said. And to make matters even worse, they had to deal with lots of temporary workers that were input into their system as “ER Nurse #1″ rather than specify the person’s real name. He explained that this is common practice in a hospital environment with many contract and/or temporary workers, but that doesn’t make it any easier to deal with.

Cowperthwaite shared some advice on how he improved his identity and access governance platforms. “Before you ever talk to SailPoint or your SI provider, know your objectives and requirements, and make sure both of them understand these goals.” Here were some of his: “We needed to protect the patient privacy and integrity of their personal information, and provide business visibility into our security with appropriate dashboards. And, oh by the way, comply with a bunch of new federal health regulations.”

Next, Providence needed to align policy and process across the enterprise and prioritize attention on higher-risk users, applications and access such as accounting, IT and compliance folks. And finally, they wanted to consolidate their ID repositories into a single authoritative source. In addition to the aforementioned spreadsheets, they had two different ID stores (Active Directory and their ERP system), and the two had differing pieces of identity information depending on whether the person was a full-time employee or a contractor. Providence ended up with IdentityIQ and has been building the next generation of IAM systems across their enterprise.

[SailPoint editor's note: To learn more about how Providence uses of IdentityIQ to achieve compliance and manage risk, you can access its on-demand healthcare IAM case study here.]

David Strom is guest blogging on behalf of SailPoint for its inaugural customer conference, Navigate 2013, in Austin, Texas.

When you are in the IAM space, though, you can’t be so cavalier, and risk quantification is the name of the game. We heard at the SailPoint Navigate conference from Graeme Payne, who runs the access management team for Equifax. He spoke about deliberately trying to reduce his risk portfolio when he had the opportunity to move from Sun’s Identity Manager to SailPoint’s IdentityIQ, a process that is still going on for the next several months. Sun’s IdM was acquired by Oracle and like many other Sun products, is set to expire next year. Equifax is just one of numerous other users of the software that is looking to replace it.

Payne wanted not just to replace the Sun software, but replace it intelligently and use the changeover to re-examine all of his identity governance policies and procedures too. He had several points in his plan that he outlined with the conference attendees:

1. Look at his certifications process. With Sun, he had 28 IT staffer as custodians for his entire employee certification program. Given that Equifax has 10,000 people that work for them, that was quite a burden for these custodians. Instead, he wanted to move that responsibility down to 900 managers, because “these managers have much better insight into what their employees have access to anyway.”
2. Ranking their apps. Equifax ranked their apps according to risk, and picked the high risk ones running on their mainframes, along with Oracle Financials. They got engaged with their system integrator partner to help build the right connectors to these apps, and delayed their cutover from Sun until later this year to stage their implementations.
3. Role development. Equifax wanted to understand where their most critical data access points were and their biggest gains if changed. They set up a role framework to structure things going forward, and they are planning to start deploying roles in areas of high gain, such as in their call centers.
4. Event driven triggers. But roles can’t handle everything, such as when someone moves from one department to another or gets a promotion and changes their role. Equifax wrote special rules to handle these events, and these rules require a manager to re-certify a staffer’s access every six months if their role changes. One of the things that made this easier is that they have a single HR system that can easily keep track of this sort of stuff, and even includes contractors (who also get re-certified every six months too).

All of this had a big benefit. As I said, the rollout of SailPoint is still happening, but they have seen some big improvements and major risk reductions as a result.  Take a look at the flow chart below which illustrates the process by which both Sun and SailPoint go through to certify access. You can see numerous boxes: each box is a step, and the steps that have been omitted by SailPoint’s IdentityIQ are crossed out. Those extra steps represent a big savings in time and money for Equifax.

 [SailPoint editor's note: To find out more information on SailPoint's Sun Migration program, please visit: www.sailpoint.com/sunmigration/]

David Strom is guest blogging on behalf of SailPoint for its inaugural customer conference, Navigate 2013, in Austin, Texas.

I got to see the AccessIQ single sign-on (SSO) product this week at SailPoint’s Navigate conference. When I did my review for Network World last fall, it wasn’t available yet. Too bad, because it would have scored highly given the criteria that I used for the review.

The notion of SSO is a good one: As the number of Web-based applications and SaaS services proliferates, keeping track of your collection of logins and passwords is painful and one of the biggest problems for enterprise security. Many users cope by re-using their passwords, which tends to expose all sorts of security loopholes. The answer is to use a SSO product that automates the sign-on, and allows the enterprise to ensure that users are practicing good password account hygiene.

The SSO market is a crowded one with more than a dozen vendors, including products from most of the major enterprise software companies. Let’s look at the features and issues when you are shopping around for one of these products.

First is the user experience and how it plays out across the various desktop, mobile and tablet versions. With some of the other SSO products, there are different user interfaces that when they use the native app on the mobile, it doesn’t look anything like the desktop app. SailPoint’s AccessIQ looks exactly the same no matter where it runs.

Next is their two-factor support. Some SSO products aren’t very flexible when it comes to using things such as software tokens or one-time passwords that are transmitted to your cell phone via text or voice messages. A better way is to have the ability to add a second factor to particular apps that either need the extra protection or because corporate policies dictate that. SailPoint has this kind of flexibility, what they call “step-up authentication,” that can be deployed for specific apps. And, importantly, this capability is part of the governance model for added security.

Next is how the SSO product sets up relationships with various cloud-based apps. Many products make use of the open standard Security Assertion Markup Language (SAML), which allows for automated sign-ons via exchanging XML information between websites. There are other methods for establishing the automated magic behind the scenes of an SSO tool, such as using scripted Web forms, but having the SAML connection is the best way to deploy a large number of authenticated users into a cloud-based app. Plus, if you want to automate the provisioning of an entire collection of users so they don’t even need to know their passwords for their corporate Google accounts, SAML is the way to go. Not every SSO vendor supports automated provisioning, but SailPoint does.

Finally, you want to be able to make use of roles and policies to make your governance life easier as you deploy your SSO product across your user collection. One of the more unique things that I saw with AccessIQ is that it can present a user with a customized usage agreement prior to the first sign-on for particular services. Why is this important? Say you are using Salesforce or some financial system that you want to remind your users that sensitive data is used on these systems. SailPoint can present users of these apps with a specific dialog box to remind them of this fact, and to make sure that they store the right kind of data in these cloud-based apps.

If you haven’t had an opportunity to take a look at AccessIQ, you might want to do so. I think you will be as impressed with it as I was.

David Strom is guest blogging on behalf of SailPoint during its inaugural customer conference, Navigate 2013, in Austin, Texas.

SailPoint is doing something right: look who is using their software. They are installed in the world’s largest bank, the world’s largest insurance company, the world’s largest packaged goods company, the world’s largest oil company, and the world’s largest food services company. Do you detect a trend here?

I spoke to several banking customers who are using SailPoint to connect hundreds, if not thousands, of their internal apps and make sure they are in compliance with various financial regulations. One bank operates in more than 30 different markets, and as you can imagine, has a regulatory and compliance footprint that is crushing – not to mention costly. They set about to change the culture of identity management by getting buy-in with their board of directors. “We needed a board mandate if we were going to regain control. Given the increases in cybercrime and targeted attacks, we had to do a better job,” said one conference attendee. “We had to demonstrate to our auditors that we have effective controls and governance, particularly for our higher-risk apps.”

One mechanism that the identity team used was relatively simple: they created a dashboard with different views for different audiences. The chief risk officers got one view, divisional people have another one. “All of the data comes straight out of IdentityIQ, and we cut and dice it to make it easier to understand for our executives.”

But as they were selling their board, they also had to straighten out their app portfolio too. So they also created another dashboard for the app owners “so we could give them an understanding of how we are managing privileged IDs for example.” This working both ends of the spectrum was key towards the bank getting their identity act together.

Some of their human resources-related apps were quite frankly a mess. “We have so many legacy apps and it is a real challenge. Some of our regional units have standalone systems that are not well maintained. It was a real shock.” But as they spent time in the trenches clearing up these problem apps and standardizing on their data models, they found the tide was turning. “Now the business units are coming to us to get their apps running on top of IdentityIQ.” This seems to be common. As another banking customer told me, “Since we installed SailPoint, we don’t have to ferret the apps out, now the stakeholders come to us because they see the value of having them integrated into SailPoint.”

Cleaning up an HR database was a starting point for another SailPoint customer that I spoke to. One customer had a separate database for contractors and full-time employees with different schemas, with a couple of flat files for other personnel data mixed in for good measure. That was the beginning of integrating more than 100 different apps and more than 4,500 employees into SailPoint’s IdentityIQ.

So keep track of both the boardroom and the people running the business-level apps concurrently, and make sure that you can get everyone’s requirements satisfied when you are selling IAM.

David Strom is guest blogging on behalf of SailPoint during its inaugural customer conference, Navigate 2013, in Austin, Texas.

Despite these obstacles, IAM is evolving into becoming more of a business decision, where a few years ago it was mired in the tech area exclusively.  “We have moved beyond handling simple compliance justifications into a new realm, where we are more concerned about the aspects of risk management. People are ready for that now, and its time has come,” he said during his presentation.

What does this mean? Take the use case of BYOD, and the issues around what devices IT should bless and manage for the enterprise. This comes down to evaluating relative risk of various IT actions. “BYOD is really a risk issue: how much risk as an enterprise are you willing to accept for the number of devices you are willing to support?” Perkins says it really doesn’t matter what the eventual decision is, because ultimately the enterprise is going to pay for the consequences one way or another. Instead of hiding one’s head in the sand, IT should “embrace mobiles because the business has spoken.” Instead of anointing particular devices, he says enterprises should be “willing to divide up their support into different trust and service levels. This is all part of having the right corporate culture which needs to be able to have conversations about relative risk.”

Perkins had some good advice for IT: “make it a business decision and remove the passionate and emotional arguments. Then it just becomes a math problem.”

Perkins picked several emerging trends:

• Cloud options are beginning to mature, grow in scale, and become more numerous and varied in their support options too.
• Greater support for new mobile identity options is making increased demand for integrated asset management.
• IAM is moving into more analytics and integrating with Big Data approaches. “We still suck at what data we need to collect as we move through the IAM process,” Perkins said during his presentation.
• Socialization of data is expanding the various options available to enterprises. He mentioned today’s SEC ruling that allows public companies for the first time to mention news using social media channels.
• As IAM matures, processes and organizations are finding new uses and it is becoming more mainstream. He did say that part of this maturation is that eventually the customization demands for IAM will decrease.

You can also read some of the things Perkins has written about the future of IAM on Gartner’s blog here.

David Strom is guest blogging on behalf of SailPoint during its inaugural customer conference, Navigate 2013, in Austin, Texas.

McClain says “it should seem holistic to the user, because everything is in the mix now and it doesn’t matter where they actually live.” SailPoint’s latest product, an SSO tool that is entirely SaaS-based, is an example of how they are moving in this direction.

Finally, everything should be mobile enabled. “No one is sitting at their desk all day anymore, and anything we do should integrate with the common mobile device management tools too.” Given how many of us are computing on laptops, tablets and smartphones, this is a no-brainer.

This is great advice, and I would agree with all of his assertions, not just for developing software but for how your structure your business in toto. I realize that for some of you, this isn’t news: good for you. But if you run a business, think about things that you are doing that are keeping you living in the past.

David Strom is guest blogging on behalf of SailPoint during its inaugural customer conference, Navigate 2013, in Austin, Texas.

SailPoint’s recent Market Pulse Survey showed the same trend – that while emerging technologies present “new” IAM challenges, at the end of the day organizations must still grapple with the basics of controlling “who has access to what.” We at SailPoint believe that the answer lies in a governance-based IAM strategy that allows IT and business to collaborate over compliance processes, user lifecycle management, and access management for applications residing in the datacenter and in the cloud. I’m proud to say that hundreds of customers are implementing that strategy and seeing very real results.

Many of those customers are joining SailPoint this week as we host our inaugural customer conference, Navigate ’13, in our great hometown of Austin, Texas! Navigate ‘13 provides an opportunity for our customers to share best practices with their peers and learn about IAM strategies and best practices. We have an impressive line-up of amazing speakers. It will be an educational few days highlighted by a keynote session by Gartner Research Vice President, Earl Perkins. We’ll also feature a series of product demonstrations, hands-on training, and technical sessions.

To ensure that we capture the great insights and highlights from Navigate ‘13, we are very excited to partner with leading technology commentator, blogger and long-time tech editor, David Strom. David will be our “feet on the street” during Navigate, providing his thoughts and observations on the SailPoint blog. Be sure to check in here throughout the week and follow our real-time #Navigate13 highlights on Twitter from SailPoint (@SailPoint) and David (@dstrom).

I look forward to seeing many of our customers and partners in Austin this week to collaborate, learn and celebrate with some Austin-style music and food!