A Smarter Way to Manage Identity
Today, identity management solutions need to do two things equally well: deliver access to the business, and support compliance requirements around security and privacy. No matter how much regulatory demands grow and change, or how many new employees, contractors and other users come on board or change roles, organizations must be able to count on their identity solution to cost-effectively enable strong and consistent controls over access to applications and data, allow for convenient access requests and deliver timely provisioning of access rights. Today’s agile, compliant organization must effectively enforce identity and access controls to minimize business risk and prevent privacy breaches or misuse of data while improving audit performance and streamlining compliance to reduce IT costs. To handle these challenges, organizations require a solution that can scale up and keep up with access demands and compliance requirements, while keeping access-related risks, cost and audit deficiencies down. SailPoint IdentityIQ™ is designed to meet these challenges head on.
Effective Identity Controls for Compliance, Security and Productivity
SailPoint IdentityIQ is an innovative identity management solution that reduces the cost and complexity of both complying with regulations and delivering access to users. Traditional identity management approaches treat these areas separately, often using multiple, disjointed products. IdentityIQ, however, provides a unified approach that leverages a common identity governance framework.
This makes it possible to consistently apply business and security policy, and role and risk models, across all access-related activities. By providing on-demand visibility into “who has access to what,” IdentityIQ enables organizations to address compliance mandates and regulatory requirements, and to deliver, modify and terminate access as needed across even the most complex IT environments. Its centralized intelligence and risk-based approach to managing access provide transparency and strengthen preventive and detective controls. IdentityIQ provides the following key components to automate access certifications, policy enforcement, and the end-to-end access request and provisioning processes:
• Governance Platform centralizes identity data, roles, business policy and risk modeling to support compliance initiatives and user lifecycle management.
• Compliance Manager streamlines compliance controls and improves audit performance through automated access certifications and policy enforcement.
• Lifecycle Manager provides self-service access request and lifecycle event management to simplify and automate the creation, modification and revocation of user access privileges.
• User Provisioning provides flexible options for implementing changes requested by the business during compliance and lifecycle management processes.
• Identity Intelligence transforms technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information, including dashboards, reports and advanced analytics.
Support Enterprise-wide Identity Management with a Centralized Framework
The IdentityIQ Governance Platform lays the foundation for effective identity management within the enterprise by establishing a framework that centralizes identity data and captures business policy, models roles, and proactively manages user and resource risk factors. The Governance Platform allows organizations to build preventive and detective controls that support all critical identity business processes.
The Identity Warehouse is at the core of the Governance Platform, serving as the central repository for identity and access data across all enterprise IT applications in the data center and the cloud. The warehouse is populated by importing user data from an authoritative source (e.g., an HRMS) and user account and entitlement data from business applications, databases, platforms, and other systems. It is designed to scale, rapidly importing access data from large numbers of applications and users through out-of-the-box connectors or flat files. During the import process, IdentityIQ uses a correlation engine to link individual accounts and entitlements to the person who owns them, creating that user’s Identity Cube – a multi-dimensional view of each individual and their associated access.
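The correlation step is where the security value of the warehouse is decided: an account that cannot be linked to any identity has no owner to certify it, so it should surface as an orphan rather than disappear. The following is an added example of that step, not SailPoint's correlation engine or its data model; the record layouts, the two match rules (employee ID, then case-insensitive e-mail) and the sample HR and application feeds are assumptions constructed for the illustration.

```python
"""Account correlation into identity cubes, written here as an added
illustration of the import step described above. This is not SailPoint's
correlation engine; the record layouts, match rules and sample feeds are
assumptions constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One identity cube: the person plus every account and entitlement linked to them."""
    employee_id: str
    name: str
    email: str
    department: str
    accounts: dict = field(default_factory=dict)       # application -> account name
    entitlements: set = field(default_factory=set)     # {(application, entitlement)}


# Constructed authoritative-source records (an HR export).
HR_FEED = [
    {"employee_id": "E1001", "name": "Ana Lopez", "email": "ana.lopez@example.com", "department": "Finance"},
    {"employee_id": "E1002", "name": "Ben Okafor", "email": "ben.okafor@example.com", "department": "IT"},
]

# Constructed account exports from two applications. Not every system stores an
# employee ID, so the ERP records can only be matched on e-mail.
ACCOUNT_FEEDS = {
    "ActiveDirectory": [
        {"account": "alopez", "employee_id": "E1001", "mail": "ana.lopez@example.com",
         "groups": ["Domain Users", "Finance-Approvers"]},
        {"account": "bokafor", "employee_id": "E1002", "mail": "ben.okafor@example.com",
         "groups": ["Domain Users", "Domain Admins"]},
        {"account": "svc_backup", "employee_id": "", "mail": "", "groups": ["Backup Operators"]},
    ],
    "ERP": [
        {"account": "ALOPEZ", "employee_id": "", "mail": "Ana.Lopez@example.com",
         "groups": ["AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"]},
        {"account": "JDOE", "employee_id": "", "mail": "jdoe@example.com", "groups": ["GL_POST"]},
    ],
}


def correlate(hr_feed, account_feeds):
    """Link accounts to identities: exact employee_id match first, then a
    case-insensitive e-mail match. Accounts that match no identity are returned
    as orphans; nobody can certify an unowned account, so they need review."""
    by_emp, by_mail = {}, {}
    for rec in hr_feed:
        ident = Identity(rec["employee_id"], rec["name"], rec["email"], rec["department"])
        by_emp[ident.employee_id] = ident
        by_mail[ident.email.lower()] = ident
    orphans = []
    for app, records in account_feeds.items():
        for acct in records:
            ident = None
            if acct["employee_id"]:
                ident = by_emp.get(acct["employee_id"])
            if ident is None and acct["mail"]:
                ident = by_mail.get(acct["mail"].lower())
            if ident is None:
                orphans.append((app, acct["account"]))
                continue
            ident.accounts[app] = acct["account"]
            ident.entitlements.update((app, g) for g in acct["groups"])
    return list(by_emp.values()), orphans


def who_has(identities, application, entitlement):
    """The 'who has access to what' question, answered from the cubes."""
    return sorted(i.name for i in identities if (application, entitlement) in i.entitlements)


if __name__ == "__main__":
    cubes, orphans = correlate(HR_FEED, ACCOUNT_FEEDS)
    for cube in cubes:
        print(cube.name, cube.accounts, sorted(cube.entitlements))
    print("orphan accounts needing an owner or removal:", orphans)
    print("Domain Admins:", who_has(cubes, "ActiveDirectory", "Domain Admins"))
```

Two details matter in practice: empty attributes are never used as match keys (otherwise every account with a blank employee ID would correlate to whichever identity happened to have a blank one), and the service account and the unknown ERP user come back as orphans instead of being dropped, so they can be assigned an owner or removed.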
The Policy Catalog captures enterprise governance, access request, and provisioning policies within the Governance Platform. It provides a highly extensible framework for defining and implementing both detective and preventive audit controls, such as separation-of-duties (SoD) policies. In addition, the Policy Catalog lets enterprise access policies be defined once and reused across business applications and organizational business processes.
IdentityIQ automates the creation, enforcement and verification of role-based access across enterprise applications. Organizations can quickly define roles that fit the unique requirements of their environment using IdentityIQ’s adaptive role model. More importantly, IdentityIQ enables organizations to create roles that enforce “least-privilege” access while controlling role proliferation. To combine top-down, business-oriented role modeling with bottom-up IT role mining, IdentityIQ enables cross-functional participation in the role-modeling process and makes it easy for both business and technical users to create roles that accurately reflect the organization’s business and IT needs. In dynamic business and IT environments, keeping the role model relevant can be a challenge. IdentityIQ provides end-to-end role lifecycle management capabilities, including automated role approvals, role certifications (of both role membership and role contents), role quality metrics and role analytics, to help organizations manage roles over their entire lifecycle – from creation to retirement.
The Risk Analyzer locates and identifies areas of risk created by users with inappropriate or excessive access privileges. It provides a dynamic risk model that uses patent-pending risk algorithms to calculate and assign a unique identity risk score for each user, application and system resource. The base IdentityIQ risk model is created by assigning risk values to each application, entitlement, role, and policy. The risk score is updated continuously based on changes to the user’s access privileges, as well as “compensating factors,” such as how recently the user has been certified and whether a policy violation has been allowed as an exception. Using risk scores, managers or application owners can target the highest-risk users or systems first, improving the effectiveness of controls in their departments and, ultimately, the security and compliance of the business.
Get Compliant, Stay Compliant
IdentityIQ Compliance Manager enables the business to streamline complex compliance processes for greater effectiveness while lowering costs. By integrating access certification and policy enforcement, Compliance Manager automates the auditing, reporting and management activities associated with a strong identity governance program. Its integrated risk model leads the industry by providing a framework that prioritizes compliance activities and focuses controls on the users, resources and access privileges representing the greatest potential risk to the business.
One of the most common controls required by IT auditors is regular certification of user access by business and IT managers. Unfortunately, many organizations struggle to implement an effective access review process to ensure that a user’s access privileges match the requirements of his or her job function. IdentityIQ provides a fully automated, repeatable certification process and tracks and reports on the status of certifications by individual, application, and organizational groups. IdentityIQ automates all access certification tasks including formatting of user role and entitlement data into easy-to-read, business-oriented reports; routing of reports to the appropriate reviewers; tracking reviewer progress and actions; and archiving all certification reports.
To make the reviews more effective, IdentityIQ uses descriptive business language in reports and provides helpful information highlighting changes and flagging anomalies so that reviewers are better equipped to mitigate areas of potential risk and make better decisions. To enhance transparency of certification activity across the organization, compliance administrators have access to real-time information about the status of individual certifications from dashboards, reports, and analytics.
Defining and enforcing comprehensive access policy controls across enterprise applications, including separation-of-duties (SoD) policies, is critical to implementing strong compliance controls. Unfortunately, for many organizations, enforcing access policy remains a complicated, manual chore. IdentityIQ makes it easy for business and IT managers to define access policy across roles and entitlements using point-and-click interfaces. IdentityIQ supports a wide variety of policy types, including account-level policy, activity policy and risk-based policy. Compliance Manager uses the IdentityIQ Policy Catalog to validate users’ existing access against the pre-established policy model. It automatically scans Identity Cubes for policy violations and can be configured to alert business and IT managers or to immediately revoke conflicting access. In addition, policy violations can be resolved directly – through a user-friendly interface designed for reviewing and mitigating policy violations – or as part of an access certification, where violations are highlighted for review and resolution by the certifier. IdentityIQ tracks the status of policy violations and incorporates this information into identity risk scores, reports and compliance dashboards. Managers can lower risk scores by revoking the access that causes a policy violation or by explicitly allowing an exception for a predetermined period of time.
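The detective scan described here, the preventive check applied to a request before it is provisioned, and the risk model from the Risk Analyzer section (base weights plus compensating factors such as a recent certification or a time-bounded exception) fit together in a small piece of logic. The following is an added example of that logic, not SailPoint's policy engine or its risk algorithm; the policy format, the weights, the 90-day and 20% compensating-factor rules and the sample identities are assumptions chosen for the illustration.

```python
"""SoD policy scanning and a simple identity risk score, added as an
illustration of the detective and preventive controls described above. This is
not SailPoint's policy engine or its risk algorithm; the policy format, risk
weights, compensating-factor rules and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TODAY = date(2024, 6, 1)   # fixed so the example is deterministic


@dataclass
class SodPolicy:
    name: str
    left: set    # entitlements (application, name); holding one from each side is a conflict
    right: set
    risk: int    # weight added to the identity's risk score while the violation stands


@dataclass
class Identity:
    name: str
    entitlements: set
    last_certified: Optional[date] = None
    exceptions: dict = field(default_factory=dict)   # policy name -> date the exception expires


# Constructed policies: the classic invoice-entry/payment-approval conflict,
# and domain admin combined with control over the audit log.
POLICIES = [
    SodPolicy("AP invoice entry vs payment approval",
              {("ERP", "AP_INVOICE_ENTRY")}, {("ERP", "AP_PAYMENT_APPROVE")}, risk=400),
    SodPolicy("Domain admin vs log administration",
              {("ActiveDirectory", "Domain Admins")}, {("SIEM", "LogAdmin")}, risk=600),
]

# Assumed per-entitlement risk weights; anything unlisted counts as low risk (10).
ENTITLEMENT_RISK = {
    ("ActiveDirectory", "Domain Admins"): 500,
    ("ERP", "AP_PAYMENT_APPROVE"): 200,
    ("SIEM", "LogAdmin"): 300,
}

# Constructed identity cubes.
ANA = Identity("Ana Lopez", {("ERP", "AP_INVOICE_ENTRY"), ("ERP", "AP_PAYMENT_APPROVE")})
BEN = Identity("Ben Okafor", {("ActiveDirectory", "Domain Admins"), ("ActiveDirectory", "Domain Users")},
               last_certified=date(2024, 5, 10))


def violations(identity, policies):
    """Detective control: the identity holds something from both sides of a policy."""
    return [p for p in policies
            if identity.entitlements & p.left and identity.entitlements & p.right]


def risk_score(identity, policies, today):
    """Base score is the sum of entitlement weights. Each violation adds its policy
    weight; an unexpired, explicitly allowed exception halves that addition (the
    violation stays visible and still counts). A certification within the last
    90 days discounts the total by 20%. An expired exception earns no credit."""
    score = sum(ENTITLEMENT_RISK.get(e, 10) for e in identity.entitlements)
    for p in violations(identity, policies):
        expiry = identity.exceptions.get(p.name)
        score += p.risk // 2 if expiry is not None and expiry >= today else p.risk
    if identity.last_certified and (today - identity.last_certified).days <= 90:
        score = int(score * 0.8)
    return score


def preventive_check(identity, requested, policies):
    """Preventive control: before provisioning, simulate the access the request
    would create and return the names of policies it would newly violate."""
    already = {p.name for p in violations(identity, policies)}
    simulated = Identity(identity.name, identity.entitlements | {requested})
    return [p.name for p in violations(simulated, policies) if p.name not in already]


if __name__ == "__main__":
    for who in (ANA, BEN):
        print(who.name, [p.name for p in violations(who, POLICIES)], risk_score(who, POLICIES, TODAY))
    print("Ben requesting SIEM LogAdmin would violate:",
          preventive_check(BEN, ("SIEM", "LogAdmin"), POLICIES))
```

The preventive check evaluates the request against the identity's existing access plus the requested item, which is what lets the conflict be caught before the account is ever created; the detective scan alone would only find it afterwards. Note also that an expired exception is treated exactly like no exception, so a violation allowed "for a predetermined period of time" automatically returns to full weight when that period ends.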
Empower the Business to Manage User Access
Managing change to user access is a significant business issue as organizations become more complex. More users with more access to enterprise systems leave IT unable to keep pace with rapidly evolving access demands. Therefore, the business must take an active role in working with IT to manage the day-to-day activities that ensure the right users have access to the right systems within the enterprise. This shift requires organizations to rethink how they deliver tools and processes that empower business users to manage changes to user access while still enforcing enterprise identity controls. In addition, organizations are finding that legacy approaches to provisioning are outdated and ineffective in a world where compliance and governance requirements are driving organizations to implement strong preventive controls that the business can understand and use.
IdentityIQ Lifecycle Manager delivers a business-oriented solution for managing changes to user access, including both self-service access requests and automatic event-driven access changes. By combining business-friendly user interfaces for requesting and managing access with dynamic process generation, which automatically adjusts workflow execution to the unique attributes of a request, IdentityIQ provides a flexible and scalable solution for addressing an organization’s access needs in an efficient and compliant manner.
Self-Service Access Request
Lifecycle Manager simplifies the access request process for business users through an intuitive “shopping cart” interface – a business-friendly, web-based interface where users can conveniently select roles and entitlements needed to perform their job duties, view current access privileges, and check the status of previous requests. Access policy is automatically enforced during the self-service request process as IdentityIQ evaluates the validity of a request by checking it against the Policy Catalog before initiating the appropriate approval workflows for user provisioning. Business users can also onboard new employees or contractors directly into IdentityIQ to support day-one productivity of new users. The self-service interface increases business user productivity and satisfaction by allowing users to manage their own access – removing a significant administration burden from the IT organization.
Lifecycle Manager provides complete self-service and delegated password management capabilities. Password changes are performed in a secure, compliant fashion thanks to IdentityIQ’s Policy Catalog which stores and enforces application-specific password policies. Users can quickly change existing passwords across multiple systems or recover forgotten passwords by correctly answering configurable challenge/response questions. Password changes are automatically synchronized with target systems through the IdentityIQ Provisioning Engine or other third-party provisioning solutions. Lifecycle Manager also enables managers and administrators to quickly reset users’ passwords from the same user-friendly interface. By allowing users to manage password changes from a business-friendly interface, Lifecycle Manager greatly reduces calls to the help desk related to password management.
Lifecycle Event Management
The process of managing workforce churn and the resulting impact to identities and access privileges is greatly simplified in IdentityIQ with automated lifecycle events. Lifecycle Manager supports a wide range of events such as new hires, transfers, moves or terminations through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event is detected, IdentityIQ automatically triggers access changes by initiating the appropriate business process, including policy scans and approvals. Changes are then passed to the Provisioning Broker for closed-loop access fulfillment via automated provisioning systems or manual change management. By automating access changes triggered from identity lifecycle events, IdentityIQ greatly reduces the costs associated with managing those changes while enhancing the organization’s security and compliance posture.
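The event detection described above reduces, at its core, to diffing successive snapshots of the authoritative source and translating each difference into a provisioning request. The following is an added example of that joiner/mover/leaver logic, not IdentityIQ's event mechanism or its request format; the feed layout, the department-to-birthright-role mapping, the current role holdings and the operation names are assumptions constructed for the illustration. It also handles the failure mode that causes the most trouble in practice: a transferred user silently keeping the privileged access of the old job.

```python
"""Lifecycle-event detection from an authoritative HR feed, added as an
illustration of the joiner/mover/leaver handling described above. This is not
IdentityIQ's event mechanism; the feed layout, birthright-role mapping, current
role holdings and request format are assumptions constructed for the example."""

# Constructed HR snapshots: the previous aggregation and the current one.
PREVIOUS_FEED = {
    "E1001": {"name": "Ana Lopez", "department": "Finance", "status": "active"},
    "E1002": {"name": "Ben Okafor", "department": "IT", "status": "active"},
    "E1003": {"name": "Chen Wei", "department": "Sales", "status": "active"},
}
CURRENT_FEED = {
    "E1001": {"name": "Ana Lopez", "department": "Finance", "status": "active"},
    "E1002": {"name": "Ben Okafor", "department": "Finance", "status": "active"},   # transfer
    "E1003": {"name": "Chen Wei", "department": "Sales", "status": "terminated"},   # leaver
    "E1004": {"name": "Dee Patel", "department": "IT", "status": "active"},         # joiner
}

# Assumed birthright role granted by department membership.
BIRTHRIGHT = {"Finance": "Finance Staff", "IT": "IT Staff", "Sales": "Sales Staff"}

# Assumed current role assignments held in the identity warehouse.
HOLDINGS = {
    "E1001": {"Finance Staff"},
    "E1002": {"IT Staff", "Domain Admin"},
    "E1003": {"Sales Staff"},
}


def detect_events(previous, current):
    """Classify each identity whose authoritative record changed."""
    events = []
    for emp, rec in current.items():
        old = previous.get(emp)
        if old is None:
            events.append(("joiner", emp))
        elif old["status"] == "active" and rec["status"] != "active":
            events.append(("leaver", emp))
        elif old["department"] != rec["department"]:
            events.append(("mover", emp))
    for emp in previous.keys() - current.keys():
        events.append(("leaver", emp))   # vanished from the feed: treat as terminated, never as 'no change'
    return sorted(events)


def plan_for(event, emp, previous, current, holdings):
    """Turn one event into ordered (action, role) operations for the fulfillment
    layer. Leavers are disabled and lose every role. Movers swap birthright
    roles; any other role they hold (here, Domain Admin) is not carried over
    silently but flagged for the new manager to review, which is where privilege
    creep otherwise accumulates. Joiners get their department's birthright role."""
    held = sorted(holdings.get(emp, set()))
    if event == "leaver":
        return [("disable", None)] + [("remove", r) for r in held]
    if event == "joiner":
        return [("create", None), ("add", BIRTHRIGHT[current[emp]["department"]])]
    old_role = BIRTHRIGHT[previous[emp]["department"]]
    new_role = BIRTHRIGHT[current[emp]["department"]]
    ops = [("remove", old_role)] if old_role in held else []
    ops.append(("add", new_role))
    ops += [("review", r) for r in held if r not in (old_role, new_role)]
    return ops


def build_plan(previous, current, holdings):
    """Provisioning requests for every detected event, keyed by employee ID."""
    return {emp: plan_for(ev, emp, previous, current, holdings)
            for ev, emp in detect_events(previous, current)}


if __name__ == "__main__":
    for emp, ops in build_plan(PREVIOUS_FEED, CURRENT_FEED, HOLDINGS).items():
        print(emp, ops)
```

A record that disappears from the feed entirely is classified as a leaver rather than ignored; treating a missing record as "no change" is how terminated users keep live accounts. The resulting per-identity operation lists are what would be handed to the Provisioning Broker stage described next, whether it fulfils them through connectors or through a help desk ticket.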
Lifecycle Process Automation
One of the most challenging aspects of deploying a traditional identity management product is building and orchestrating the underlying business processes that control who can request access, what types of access can be requested, who must approve changes to access and how changes to access are implemented. And, in today’s dynamic business environment, building static workflows and policies is an approach that is very brittle and leaves the organization at risk of users having inappropriate access. Lifecycle Manager offers an innovative solution to address this challenge with the Process Assembler. The Process Assembler dynamically constructs individual workflow instances based on predefined business processes each time a change to user access is initiated by the business. This enables Lifecycle Manager to provide a customized workflow experience reflecting the unique requirements of each access request.
The Process Assembler controls all aspects of a self-service access request or automated lifecycle event workflow. This includes generating dynamic forms to capture information from the requester or other participants in the request, determining and orchestrating the flow of approvals for the request, and initiating and tracking change fulfillment processes. All elements of the dynamic business process are controlled through the Policy Catalog allowing access request and provisioning policies to be defined in the centralized repository and reused as needed. SailPoint’s unique approach to defining and executing lifecycle management business processes using the Process Assembler streamlines and speeds deployment activities while promoting a strong governance stance by enforcing enterprise access policies through the request and fulfillment process.
Take a Flexible Approach to Change Management
In today’s complex IT environment, managing changes to user access can seem like a daunting task for business and IT users alike. Business users want a simple, consistent process for requesting changes, and IT operations teams want the flexibility to implement changes in the most cost-effective way. In the past, this meant using different request processes for each back-end provisioning process, a confusing and inefficient solution for the business. SailPoint IdentityIQ solves this problem by allowing end-user request and compliance processes to function independently from the underlying IT processes which implement changes to user access. This allows IT organizations to choose the best method for fulfilling changes requested by the business without negatively impacting the end users.
The IdentityIQ Provisioning Broker separates identity governance processes and controls in a layer above provisioning fulfillment by acting as the bridge between the business processes driving change to access and the technical processes that actually implement the changes. Provisioning Broker can send change requests to automated provisioning systems, including IdentityIQ Provisioning Engine or third-party provisioning systems; or leverage manual change management processes by creating help desk tickets or manual work items to track progress of changes requested by the business. This seamless orchestration of changes across provisioning mechanisms unifies policy enforcement, process monitoring and auditing, and gives organizations the flexibility to provision changes to user access in whatever way they choose. As a best practice, IdentityIQ provides closed-loop remediation to ensure that all changes requested by the business are fulfilled in a timely and accurate manner.
Automating the provisioning process minimizes the time IT spends on repetitive processes and lowers the cost of IT operations related to managing access change. IdentityIQ’s Provisioning Engine automates access changes pushed to target systems based on requests initiated by the business through IdentityIQ Compliance Manager and Lifecycle Manager. Provisioning Engine leverages a scalable framework of connectors to create, update and delete user accounts and set user passwords across platforms, databases, directories and business applications. Provisioning Engine also includes a connector toolkit for rapidly building and deploying connectors to custom applications.
Provisioning Integration Modules
SailPoint recognizes that many organizations have significant investments in legacy provisioning systems. To maximize existing investments in these systems, IdentityIQ can leverage existing connectivity through alternative provisioning systems to connect to enterprise resources and pull user account data into its Identity Warehouse to support compliance and identity lifecycle management activities. IdentityIQ can also be configured to push changes resulting from day-to-day identity business processes down to the provisioning solution to implement account changes in target IT systems. SailPoint offers Provisioning Integration Modules (PIMs) for numerous legacy user provisioning solutions, including BMC Identity Manager, IBM Tivoli Identity Manager, Novell Identity Manager, Oracle Identity Manager, and Sun Identity Manager (Oracle Waveset).
Service Desk and Manual Provisioning Support
Since automating provisioning processes isn’t always the most effective or efficient option, IdentityIQ supports several options for manually making changes to user access through help desks and work queues.
• Service Desk Integration Modules (SIMs) automatically generate help desk tickets when access needs to change on a target resource. SIMs are available for common service desk applications including BMC Remedy.
• Internal work queue management supports the creation and tracking of internal work items associated with changes requested by the business which need to be fulfilled through manual provisioning processes.
Transform Technical Data into Business-Relevant Information
Organizations strive for better visibility into potential risk factors across their business. With Identity Intelligence from IdentityIQ, organizations can transform technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information. The visibility and insights offered by IdentityIQ through dashboards, risk metrics and reporting provide a clear understanding of identity and access information and help to proactively manage and focus identity management efforts strategically across even the most complex enterprise environments.
Reporting and Analytics
IdentityIQ provides out-of-the-box reports and analytics tools that make it easy to track and monitor critical compliance metrics and lifecycle management processes across the organization. Business-friendly reports provide compliance and audit users with the ability to monitor and analyze the organization’s performance around key compliance controls including the status of access certifications, policy violations, remediation activity and risk metrics. IdentityIQ reports also provide up-to-date information to business and IT teams on lifecycle management and provisioning activities across enterprise resources. Users can save customized views of reports for future use or download reports as a CSV or PDF for additional analysis.
IdentityIQ also provides advanced analytics capabilities so that users can quickly create ad-hoc reports to support the unique needs of the business. This search engine allows users to build customized queries using a point-and-click interface, and each query can be saved as a report for easy recall.
Business and IT users benefit from customizable views in the dashboard with at-a-glance charts, graphs, detailed reports and task status. The dashboard is interactive, allowing users to drill down into the source data. Each user’s dashboard is tailored to his or her role and can be customized by the user with easy drag-and-drop formatting and content selection.
Extend Identity Management from the Data Center to the Cloud
IdentityIQ helps organizations to quickly and easily integrate cloud-based applications into their existing identity management program without impacting business users or processes. This provides a consistent user experience for common identity business processes, such as requesting access, provisioning accounts, managing passwords and certifying user access – across all IT resources, regardless of where an application is hosted. IdentityIQ provides two components that work together to quickly extend compliance and provisioning activities beyond the datacenter to cloud-based applications.
• SaaS Connectors seamlessly integrate user access data from SaaS applications such as Google Apps and Salesforce CRM into IdentityIQ to manage access certification, policy enforcement, access request and provisioning processes.
• Cloud Identity Bridge extends identity governance and provisioning into public and private cloud environments, providing a secure and reliable link between IdentityIQ and cloud-based resources.
SailPoint IdentityIQ – Key Capabilities
SailPoint’s 360-degree visibility into identity data, its ability to transform data into business information, and its risk-based focus that helps prioritize controls all combine to give you the power to make intelligent decisions during access request, review, and approval processes. With SailPoint, you can streamline compliance and provisioning processes – even while you reduce compliance costs and resource burdens.
Why SailPoint? Innovations in Identity Management
Only SailPoint brings a unique combination of strengths to bear on every aspect of the new challenges of identity management. With innovative, industry-proven technology, a strong heritage in identity and access management, and a laser-like focus on identity governance, SailPoint is best equipped to help any organization run a successful identity management program with the following industry innovations:
• Risk-based approach. Only SailPoint offers 360° visibility into identity and access data and applies a risk model that makes it easy to promptly identify specific business risks before they pose a threat to security or compliance.
• Unified architecture. SailPoint is the only identity management vendor that has built an identity governance and provisioning solution from the ground up to deliver all the capabilities that organizations require to address today’s risk, compliance and lifecycle management needs.
• Flexible last-mile provisioning approach. IdentityIQ integrates easily with whatever identity technologies, tools and process are established or preferred. With SailPoint, the customer decides how changes are fulfilled to the resources across the organization.
• High performance and scalability. SailPoint meets the performance and scalability requirements of some of the world’s largest customers. IdentityIQ is designed to scale horizontally, vertically and functionally, making it possible for SailPoint to manage hundreds of thousands of users, thousands of applications and millions of entitlements.
• Centralized governance across datacenter and cloud environments. IdentityIQ is designed to handle access to all data, applications and other resources throughout the organization, from the datacenter to the cloud.
Managing the Business of Identity
SailPoint helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance. The company’s award-winning software, SailPoint IdentityIQ, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process. IdentityIQ is the industry’s leading governance-based identity management suite that quickly delivers tangible results with risk-aware compliance management, closed-loop user lifecycle management, flexible provisioning, an integrated governance model and identity intelligence.