GDS International - Next - Generation - Security - Summit - US - 1
SailPoint IdentityIQ Product Overview

GDS International - Next - Generation - Security - Summit - US - 1 Document Transcript

  • 1. PRODUCT OVERVIEW
    SailPoint IdentityIQ
    Managing the Business of Identity

    SailPoint IdentityIQ: A Comprehensive Identity Governance Solution

    Today, identity management solutions need to do two things equally well: deliver access to the business, and support compliance requirements around security and privacy. No matter how much regulatory demands grow and change, or how many new employees, contractors and other users come on board or change roles, organizations must be able to count on their identity solution to cost-effectively enable strong and consistent controls over access to applications and data, allow for convenient access requests and deliver timely provisioning of access rights.

    Today’s agile, compliant organization must effectively enforce identity and access controls to minimize business risk and prevent privacy breaches or misuse of data while improving audit performance and streamlining compliance to reduce IT costs.

    To handle these challenges, organizations require a solution that can scale up and keep up with access demands and compliance requirements, while keeping access-related risks, cost and audit deficiencies down. SailPoint IdentityIQ™ is designed to meet these challenges head on.

    Effective Identity Controls for Compliance, Security and Productivity

    SailPoint IdentityIQ is an innovative identity governance solution that reduces the cost and complexity of both complying with regulations and delivering access to users. Traditional identity management approaches treat these areas separately, often using multiple, disjointed products. IdentityIQ, however, provides a unified approach that leverages a common identity governance framework. This makes it possible to consistently apply business and security policy, and role and risk models, across all access-related activities.

    By providing on-demand visibility into “who has access to what,” IdentityIQ enables organizations to successfully address compliance mandates and regulatory requirements, as well as efficiently deliver, modify, and terminate access as needed, across even the most complex IT environments. Its centralized intelligence and risk-based approach to managing access provides transparency and strengthens preventive and detective controls.

    IdentityIQ provides the following key components to automate access certifications, policy enforcement, and the end-to-end access request and fulfillment process:

    • Governance Platform centralizes identity data, roles, business policy and risk modeling to support compliance initiatives and user lifecycle management.
    • Compliance Manager streamlines compliance controls and improves audit performance through automated access certifications and policy enforcement.
    • Lifecycle Manager provides self-service access request and lifecycle event management to simplify and automate the creation, modification and revocation of user access privileges.
    • User Provisioning provides flexible options for implementing changes requested by the business during compliance and lifecycle management processes.
    • Identity Intelligence transforms technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information including dashboards, reports and advanced analytics.

    “SailPoint IdentityIQ was the obvious choice because it delivered identity governance and provisioning capabilities in a single solution. It was also immediately evident that it would be easy for our business managers to use, and provided us insight into the risk associated with user access.”
    Brad Jobe, Director of Information Security, CUNA Mutual
  • 2. Governance Platform
    Support Enterprise-wide Identity Management with a Centralized Framework

    The IdentityIQ Governance Platform lays the foundation for effective identity management within the enterprise by establishing a framework that centralizes identity data and captures business policy, models roles, and proactively manages user and resource risk factors. The Governance Platform allows organizations to build preventive and detective controls that support all critical identity business processes.

    Identity Warehouse

    The Identity Warehouse is at the core of the Governance Platform serving as the central repository for identity and access data across all enterprise IT applications in the data center and the cloud. The warehouse is populated by importing user data from any authoritative source (e.g., HRMS) and user account and entitlement data from business applications, databases, platforms, and other systems. It is designed to scale and rapidly import access data from large numbers of applications and users by leveraging out-of-the-box connectors or via flat files.

    During the import process, IdentityIQ leverages a powerful correlation engine to link individual accounts and entitlements to create a user’s Identity Cube – a multi-dimensional view of each individual and their associated access.

    Policy Catalog

    The Policy Catalog captures enterprise governance, access request, and provisioning policies within the Governance Platform. It provides a highly-extensible framework for defining and implementing both detective and preventive audit controls such as SoD policies. In addition, the Policy Catalog defines and reuses enterprise access policies across business applications and organizational business processes.

    Role Modeler

    IdentityIQ automates the creation, enforcement and verification of role-based access across enterprise applications. Organizations can quickly define roles which fit the unique requirements of their environment using IdentityIQ’s adaptive role model. More importantly, IdentityIQ enables organizations to create roles which enforce “least-privilege” access while controlling role proliferation. To speed the combination of top-down, business-oriented role modeling and bottom-up IT role mining, IdentityIQ enables cross-functional participation in the role-modeling process and makes it easy for both business and technical users to create roles that accurately reflect the organization’s business and IT needs.

    In the face of dynamic business and IT environments, keeping the role model relevant can be a challenge. IdentityIQ provides end-to-end role lifecycle management capabilities, including automated role approvals, role certifications (role membership and contents), role quality metrics and role analytics to help organizations manage roles over their entire lifecycle – from creation to retirement.

    Risk Analyzer

    The Risk Analyzer locates and identifies areas of risk created by users with inappropriate or excessive access privileges. It provides a dynamic risk model which leverages patent-pending risk algorithms to calculate and assign a unique identity risk score for each user, application and system resource. The base IdentityIQ risk model is created by assigning unique risk values to each application, entitlement, role, and policy. The risk score is updated continuously based on changes to the user’s access privileges, as well as “compensating factors,” such as how recently the user has been certified and whether a policy violation has been allowed as an

    Leveraging risk scores, managers or application owners can target highest-risk users or systems first, improving the effectiveness of controls of their departments, and ultimately, the security and compliance of the business.

    [Figure caption] SailPoint’s risk-based approach allows organizations to focus certifications, prioritize remediations, and modify access change processes, including access approvals, based on the potential risk to the organization posed by a user’s access privileges.
  • 3. Compliance Manager
    Get Compliant, Stay Compliant

    IdentityIQ Compliance Manager enables the business to streamline complex compliance processes for greater effectiveness while lowering costs. By integrating access certification and policy enforcement, Compliance Manager automates the auditing, reporting and management activities associated with a strong identity governance program. Its integrated risk model leads the industry by providing a framework that prioritizes compliance activities and focuses controls on the users, resources and access privileges representing the greatest potential risk to the business.

    Access Certifications

    One of the most common controls required by IT auditors is regular certification of user access by business and IT managers. Unfortunately, many organizations struggle to implement an effective access review process to ensure that a user’s access privileges match the requirements of his or her job function. IdentityIQ provides a fully automated, repeatable certification process and tracks and reports on the status of certifications by individual, application, and organizational groups. IdentityIQ automates all access certification tasks including formatting of user role and entitlement data into easy-to-read, business-oriented reports; routing of reports to the appropriate reviewers; tracking reviewer progress and actions; and archiving all certification reports.

    To make the reviews more effective, IdentityIQ uses descriptive business language in reports and provides helpful information highlighting changes and flagging anomalies so that reviewers are better equipped to mitigate areas of potential risk and make better decisions. To enhance transparency of certification activity across the organization, compliance administrators have access to real-time information about the status of individual certifications from dashboards, reports, and analytics.

    Policy Enforcement

    Defining and enforcing comprehensive access policy controls across enterprise applications, including separation-of-duty (SoD) policy is critical to implementing strong compliance controls. Unfortunately, for many organizations, enforcing access policy remains a complicated, manual chore. IdentityIQ makes it easy for business and IT managers to define access policy across roles and entitlements using point-and-click interfaces. IdentityIQ supports a wide variety of policy types including account-level policy, activity policy and risk-based policy.

    Compliance Manager leverages the IdentityIQ Policy Catalog to validate users’ existing access against the pre-established policy model. It automatically scans Identity Cubes for policy violations and can be configured to alert business and IT managers or immediately revoke conflicting access. In addition, policy violations can be resolved directly – through a user-friendly interface designed for reviewing and mitigating policy – or as part of an access certification where violations are highlighted for review and resolution by the certifier. IdentityIQ tracks the status of policy violations incorporating this information into identity risk scores, reports and compliance dashboards. Managers can lower risk scores by revoking access that results in a policy violation or by explicitly allowing an exception for a predetermined period of time.

    [Figure caption] Access Certification in Action: Compliance Manager delivers visibility and control over enterprise access. Annotating reports with descriptive business language and other helpful information to highlight changes and flag anomalies enables reviewers to focus on areas of potential risk and make better decisions.

    “As a publicly-traded company and financial services provider, we are subject to a variety of regulations including FISMA, SOX, PCI, and SAS 70. To meet these requirements, we are standardizing and automating our compliance processes for identity management, so that we can centrally control who gets access to sensitive resources and maintain compliance as the organization changes over time. This centralized and automated approach allows us to proactively address risk and more efficiently maintain a compliant, secure environment.”
    Jerry Archer, Chief Security Officer, Sallie Mae
  • 4. Lifecycle Manager
    Empower the Business to Manage User Access

    Managing change to user access is a significant business issue as organizations become more complex. More users with more access to enterprise systems leaves IT unable to keep pace with the rapidly evolving access demands. Therefore, business must take an active role in working with IT to manage the day-to-day activities associated with ensuring the right users have access to the right systems within the enterprise. This shift requires organizations to rethink how they deliver tools and processes which empower business users to manage changes to user access and still enforce enterprise identity controls. In addition, organizations are finding that legacy approaches to provisioning are outdated and ineffective in a world where compliance and governance requirements are driving organizations to implement strong preventive controls that the business can understand and use.

    IdentityIQ Lifecycle Manager delivers a business-oriented solution for managing changes to user access, including both self-service access requests and automatic event-driven access changes. By leveraging a combination of business-friendly user interfaces for requesting and managing access and dynamic process generation, which automatically adjusts workflow execution to the unique attributes of a request, IdentityIQ provides a flexible and scalable solution for addressing an organization’s access needs in an efficient and compliant manner.

    Self-Service Access Request

    Lifecycle Manager simplifies the access request process for business users through an intuitive “shopping cart” interface – a business-friendly, web-based interface where users can conveniently select roles and entitlements needed to perform their job duties, view current access privileges, and check the status of previous requests. Access policy is automatically enforced during the self-service request process as IdentityIQ evaluates the validity of a request by checking it against the Policy Catalog before initiating the appropriate approval workflows for user provisioning. Business users can also onboard new employees or contractors directly into IdentityIQ to support day-one productivity of new users. The self-service interface increases business user productivity and satisfaction by allowing users to manage their own access – removing a significant administration burden from the IT organization.

    [Figure caption] Lifecycle Manager enables business users to request roles and entitlements their staff need easily and initiate the new access changes according to policy.

    Password Management

    Lifecycle Manager provides complete self-service and delegated password management capabilities. Password changes are performed in a secure, compliant fashion thanks to IdentityIQ’s Policy Catalog which stores and enforces application-specific password policies.

    Users can quickly change existing passwords across multiple systems or recover forgotten passwords by correctly answering configurable challenge/response questions. Password changes are automatically synchronized with target systems through the IdentityIQ Provisioning Engine or other third-party provisioning solutions. Lifecycle Manager also enables managers and administrators to quickly reset users’ passwords from the same user-friendly interface. By allowing users to manage password changes from a business-friendly interface, Lifecycle Manager greatly reduces calls to the help desk related to password
  • 5. Lifecycle Event Management

    The process of managing workforce churn and the resulting impact to identities and access privileges is greatly simplified in IdentityIQ with automated lifecycle events. Lifecycle Manager supports a wide range of events such as new hires, transfers, moves or terminations through integration with authoritative sources, such as HR systems and corporate directories. When a lifecycle event is detected, IdentityIQ automatically triggers access changes by initiating the appropriate business process, including policy scans and approvals. Changes are then passed to the Provisioning Broker for closed-loop access fulfillment via automated provisioning systems or manual change management. By automating access changes triggered from identity lifecycle events, IdentityIQ greatly reduces the costs associated with managing those changes while enhancing the organization’s security and compliance posture.

    Lifecycle Process Automation

    One of the most challenging aspects of deploying a traditional identity management product is building and orchestrating the underlying business processes that control who can request access, what types of access can be requested, who must approve changes to access and how changes to access are implemented. And, in today’s dynamic business environment, building static workflows and policies is an approach that is very brittle and leaves the organization at risk of users having inappropriate access.

    Lifecycle Manager offers an innovative solution to address this challenge with the Process Assembler. The Process Assembler dynamically constructs individual workflow instances based on predefined business processes each time a change to user access is initiated by the business. This enables Lifecycle Manager to provide a customized workflow experience reflecting the unique requirements of each access request.

    [Figure: Dynamic Process Assembly: A Better Way to Build Forms and Workflow. Diagram labels: Access Request, Forms, Approvals, Fulfillment, Provisioning Engine, 3rd Party Provisioning, Help Desk, Policy Catalog.]

    [Figure caption] Dynamic Process Assembly in Action: On-the-fly business process assembly reduces custom workflow coding while dynamic form generation eliminates hard-coded end-user request forms.

    The Process Assembler controls all aspects of a self-service access request or automated lifecycle event workflow. This includes generating dynamic forms to capture information from the requester or other participants in the request, determining and orchestrating the flow of approvals for the request, and initiating and tracking change fulfillment processes. All elements of the dynamic business process are controlled through the Policy Catalog allowing access request and provisioning policies to be defined in the centralized repository and reused as needed.

    SailPoint’s unique approach to defining and executing lifecycle management business processes using the Process Assembler streamlines and speeds deployment activities while promoting a strong governance stance by enforcing enterprise access policies through the request and fulfillment process.
  • 6. User Provisioning
    Take a Flexible Approach to Change Management

    In today’s complex IT environment, managing changes to user access can seem like a daunting task for business and IT users alike. Business users want a simple, consistent process for requesting changes, and IT operations teams want the flexibility to implement changes in the most cost-effective way. In the past, this meant using different request processes for each back-end provisioning process, a confusing and inefficient solution for the business. SailPoint IdentityIQ solves this problem by allowing end-user request and compliance processes to function independently from the underlying IT processes which implement changes to user access. This allows IT organizations to choose the best method for fulfilling changes requested by the business without negatively impacting the end users.

    Provisioning Broker

    The IdentityIQ Provisioning Broker separates identity governance processes and controls in a layer above provisioning fulfillment by acting as the bridge between the business processes driving change to access and the technical processes that actually implement the changes.

    Provisioning Broker can send change requests to automated provisioning systems, including IdentityIQ Provisioning Engine or third-party provisioning systems; or leverage manual change management processes by creating help desk tickets or manual work items to track progress of changes requested by the business. This seamless orchestration of changes across provisioning mechanisms unifies policy enforcement, process monitoring and auditing, and gives organizations the flexibility to provision changes to user access in whatever way they choose. As a best practice, IdentityIQ provides closed-loop remediation to ensure that all changes requested by the business are fulfilled in a timely and accurate manner.

    Provisioning Engine

    Automating the provisioning process minimizes the time IT spends on repetitive processes and lowers the cost of IT operations related to managing access change. IdentityIQ’s Provisioning Engine automates access changes pushed to target systems based on requests initiated by the business through IdentityIQ Compliance Manager and Lifecycle Manager. Provisioning Engine leverages a scalable framework of connectors to create, update and delete user accounts and set user passwords across platforms, databases, directories and business applications. Provisioning Engine also includes a connector toolkit for rapidly building and deploying connectors to custom applications.

    Provisioning Integration Modules

    SailPoint recognizes that many organizations have significant investments in legacy provisioning systems. To maximize existing investments in these systems, IdentityIQ can leverage existing connectivity through alternative provisioning systems to connect to enterprise resources and pull user account data into its Identity Warehouse to support compliance and identity lifecycle management activities. IdentityIQ can also be configured to push changes resulting from day-to-day identity business processes down to the provisioning solution to implement account changes in target IT systems.

    SailPoint offers Provisioning Integration Modules (PIMs) for numerous legacy user provisioning solutions, including BMC Identity Manager, IBM Tivoli Identity Manager, Novell Identity Manager, Oracle Identity Manager, and Sun Identity Manager (Oracle Waveset).

    Service Desk and Manual Provisioning Support

    Since automating provisioning processes isn’t always the most effective or efficient option, IdentityIQ supports several options for manually making changes to user access through help desks and work queues.

    • Service Desk Integration Modules (SIMs) automatically generate help desk tickets when access needs to change on a target resource. SIMs are available for common service desk applications including BMC Remedy.
    • Internal work queue management supports the creation and tracking of internal work items associated with changes requested by the business which need to be fulfilled through manual provisioning processes.
  • 7. Identity Intelligence
    Transform Technical Data into Business-Relevant Information

    Organizations strive for better visibility into potential risk factors across their business. With Identity Intelligence from IdentityIQ, organizations can transform technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information. The visibility and insights offered by IdentityIQ through dashboards, risk metrics and reporting provide a clear understanding of identity and access information and help to proactively manage and focus identity management efforts strategically across even the most complex enterprise environments.

    Reporting and Analytics

    IdentityIQ provides out-of-the-box reports and analytics tools that make it easy to track and monitor critical compliance metrics and lifecycle management processes across the organization. Business-friendly reports provide compliance and audit users with the ability to monitor and analyze the organization’s performance around key compliance controls including the status of access certifications, policy violations, remediation activity and risk metrics. IdentityIQ reports also provide up-to-date information to business and IT teams on lifecycle management and provisioning activities across enterprise resources. Users can save customized views of reports for future use or download reports as a CSV or PDF for additional analysis.

    IdentityIQ also provides advanced analytics capabilities within IdentityIQ so that users can quickly create ad-hoc reports and support the unique needs of the business. This powerful search engine allows users to create customized queries using a point-and-click interface. Each query can be saved as a report for easy recall.

    Customizable Dashboards

    Business and IT users benefit from customizable views in the dashboard with at-a-glance charts, graphs, detailed reports and task status. The dashboard is interactive, allowing users to drill down into the source data. Each user’s dashboard is tailored to his or her role and can be customized by the user with easy drag-and-drop formatting and content selection.

    [Figure caption] Identity Intelligence in Action: Dashboards empower users with better visibility enabling them to conveniently drill down into the source data for more details or to view the status of pending tasks. Each user can easily tailor the dashboard to his or her level of sophistication, as well as his or her role.

    Cloud Solutions
    Extend Identity Governance from the Data Center to the Cloud

    IdentityIQ helps organizations to quickly and easily integrate cloud-based applications into their existing identity governance program without impacting business users or processes. This provides a consistent user experience for common identity business processes, such as requesting access, managing passwords and certifying user access – across all IT resources, regardless of where an application is hosted.

    IdentityIQ provides two components that work together to quickly extend identity governance and provisioning activities beyond the datacenter to

    • SaaS Connectors seamlessly integrate user access data from SaaS applications such as Google Apps and Salesforce CRM into IdentityIQ to manage access certification, policy enforcement, access request and provisioning processes.
    • Cloud Identity Bridge extends identity governance and provisioning into public and private cloud environments, providing a secure and reliable link between IdentityIQ and cloud-based resources.
  • 8. SailPoint IdentityIQ – Key Capabilities

    SailPoint’s 360-degree visibility into identity data, its ability to transform data into business information, and its risk-based focus that helps prioritize controls all combine to give you the power to make intelligent decisions during access request, review, and approval processes. With SailPoint, you can streamline compliance and provisioning processes – even while you reduce compliance costs and resource burdens.

    CAPABILITY / DESCRIPTION

    Compliance Manager

      Access Certifications
        · Drive automated review cycles
        · Present data in business-friendly language
        · Focus reviewers on real business risk
        · Track reviewer progress and actions
        · Support flexible certification cycles
        · Enforce a closed-loop provisioning process
        · Archive certification history

      Policy Enforcement
        · Enforces multiple types of policy across applications
        · Proactively identifies violations
        · Mitigates violations in real-time
        · Risk-based approach prioritizes violations
        · Tracks and reports on violations

    Lifecycle Manager

      Self-Service Access Request
        · Offloads IT staff with self-service interface
        · Empowers users to request and manage access
        · Facilitates delegated administration
        · Provides visibility to request status

      Password Management
        · Allows business users to reset or change passwords
        · Enables delegated password management
        · Enforces password policy

      Lifecycle Event Management
        · Simplifies access request processes
        · Speeds change with automated event triggers
        · Prevents policy violations

      Lifecycle Process Automation
        · Promotes reuse of governance, request and provisioning policies
        · Drives on-the-fly process assembly
        · Reduces custom workflow coding
        · Eliminates the need to hard-code end user request forms

    User Provisioning

      Provisioning Broker
        · Encapsulates resource-specific provisioning policies
        · Orchestrates changes to user access across disparate fulfillment processes

      Provisioning Engine
        · Synchronizes account, entitlement and password changes across IT resources
        · Connects to over 40 enterprise applications, platforms and databases
        · Supports rapid deployment to custom applications

      Provisioning Integration Modules
        · Leverage third party provisioning solutions to implement changes

      Service Desk Integration Modules
        · Generate help desk tickets automatically

      Manual Provisioning Support
        · Supports the creation and tracking of changes through internal work queues

    Identity Intelligence

      Customizable Dashboards
        · Deliver at-a-glance charts, graphs and reports with drill-down capabilities
        · Highlight scheduled compliance events and the status of in-process tasks

      Reporting and Analytics
        · Highlight issues, status and improvements over time
        · Enable end users to have fast access to actionable information
        · Readily demonstrate compliance
  • 9. Why SailPoint? Innovations in Identity Management

    Only SailPoint brings a unique combination of strengths to bear on every aspect of the new challenges of identity management. With innovative, industry-proven technology, a strong heritage in identity and access management, and a laser-like focus on identity governance, SailPoint is best equipped to help any organization run a successful identity management program with the following industry innovations:

    • Risk-based approach. Only SailPoint offers an identity governance solution that can identify specific business risks within an organization, so that they can be addressed before they pose a threat to security or compliance.
    • Unified architecture. SailPoint is the only identity provider that has built an identity governance solution from the ground up to deliver all the capabilities that organizations require to address today’s risk, compliance and lifecycle management needs.
    • Flexible last-mile provisioning approach. IdentityIQ integrates easily with whatever identity technologies, tools and process are established or preferred. With SailPoint, the customer decides how changes are fulfilled to the resources across the organization.
    • High performance and scalability. SailPoint meets the performance and scalability requirements of some of the world’s largest customers. IdentityIQ is designed to scale horizontally, vertically and functionally, making it possible for SailPoint to manage hundreds of thousands of users, thousands of applications and millions of entitlements.
    • Centralized governance across datacenter and cloud environments. IdentityIQ is designed to handle access to all data, applications and other resources throughout the organization, from the datacenter to the cloud.

    “SailPoint is competing – and winning – against some very large companies in the identity management market because of our innovative products, and our unmatched commitment to helping companies succeed with their compliance and security efforts. We’re very focused on maintaining our high customer satisfaction levels, and have invested a significant amount of resources internally to make that possible.”
    Mark McClain, CEO and Founder, SailPoint

    Managing the Business of Identity

    SailPoint helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance. The company’s award-winning software, SailPoint IdentityIQ, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process. IdentityIQ is the industry’s first business-oriented identity governance suite that quickly delivers tangible results with risk-aware compliance management, closed-loop user lifecycle management, flexible provisioning, an integrated governance model and identity intelligence.

    USA Phone: 512.346.2000 Toll-free: 1.888.4SAILPT UK Phone: +44 845 273 3826

    © 2011 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies. 1011