
Is Your Identity Management Program Protecting Your Federal Systems?

With the increase in integrated, cloud and remote technologies, it is more challenging than ever for federal government agencies to fully protect their sensitive networks and comply with the numerous federal compliance regulations. External threats are always top of mind, but internal security breaches pose an equal risk. Due to a large contractor and global workforce, extending proper access privileges without heightening risk is a fine line often difficult to manage. Administration, compliance, governance, cyber security and budgets must all be considered. This whitepaper serves to help government agencies understand the full breadth of Identity and Access Management, and how the proper strategy can help reduce cyber security exposure and costs while providing additional operational, compliance and risk management benefits.

BEST PRACTICES WHITE PAPER


Executive Summary

Cyber security threats are increasing as the world and IT technologies are becoming more integrated. Shared services, cloud-based virtual systems, and remote and mobile device access create an intricate and complex web of connectivity that challenges all organizations to keep their networks secure.

Government agencies are particularly vulnerable, due in part to their large global user base and use of transient contractors. Costly cyber security defense investments not only fail to provide protection from most insider-based threats, but they produce almost no offsetting gains in operational efficiency or cost reductions. They also do little to ease the governance, audit and compliance administrative burden levied on most federal organizations.

While federal organizations have implemented Identity and Access Management to automate the issuance of user IDs and passwords, newer technology and a fresh approach can provide practical mitigation of insider threat, operational efficiency gains and cost reductions, and improved governance and compliance.

This whitepaper serves to help government agencies understand the full breadth of Identity and Access Management (IAM or IdAM) or what Gartner terms Identity Governance and Administration (IGA). True IAM is an opportunity for federal IT and cyber security organizations to centralize on a single technology to reduce cyber security exposure and costs while providing additional operational, compliance and risk management benefits.

False Security

Government agency leaders have a reason to be on heightened alert. Security threats are only getting more numerous, brazen and complex. The risk of external threats by nefarious entities around the world is only eclipsed by the insider threats. While some of these security breaches are unintentional, an increasing number are from patient, persistent insiders who have learned the networks, the security gaps and where to hide their activity. These types of threats can cause severe damage to the network or cause high-profile embarrassments that the media is all too ready to publicize on a global scale. Even worse, they can cause damage to national security, compromising and threatening the safety of American citizens here and abroad.

Many federal agencies are under the false assumption they are protected if they have implemented standard Identity Management (IM) as outlined in federal directives like HSPD-12, FICAM, and DOD 8500. IM is only a credential-issuing program (Smart Cards), however, and does not mitigate the increasingly dangerous insider threats once a person is on the network. Tracking and controlling user access privileges across multiple systems is virtually impossible. When left unchecked, costs escalate, administration becomes unmanageable and the network remains vulnerable, particularly to existing authorized users with approved access.


A Modern IAM Solution for a Modern World

Federal agencies must approach identity management from a different perspective, one that considers much more than credential management. A practical solution is found through an integrated, simplified, and centralized IAM program. Modern IAM encompasses four essential components:

1. Authentication - proving users are who they claim to be. This is the only portion of IAM a credential-issuing or Smart Card program addresses.

2. Authorization - ensuring authenticated users have access only to authorized resources and applications.

3. Audit and Governance - ensuring the entire architecture and its function can be monitored, controlled and proved.

4. Administration - ensuring processes are automated and interoperable with existing enterprise IT applications, assets and other existing cyber security systems.

SailPoint offers a comprehensive solution that addresses all four components of IAM. Its IAM product suite manages the complete user lifecycle to rapidly mitigate security threats and improve governance, risk management and regulation compliance - all while bringing significant operational efficiencies and return on investment.

How Does a Centralized IAM Solution Address Specific Federal Government Challenges?

Federal agencies have unique challenges that require a tailored solution. When government agencies embrace IAM with a centralized, integrated tool, the four essential components are simplified and streamlined. Centralized IAM solves the most prevalent challenges federal agencies face:

Cyber Security – Authentication and Authorization

The large, transient contractor workforce makes cyber security a unique challenge for federal agencies. Authentication and onboarding can be time consuming and contractors’ credentials are often not shared between or within agencies. Their constant joining, moving and leaving generates a large amount of administrative paperwork often resulting in a directory of unmonitored users who are authorized on multiple networks.

IAM improves cyber security, both external and internal, by allowing agencies to set identity policies around authentication, provisioning, authorizations and certifications. Assessing risk across the agency becomes easier when there is a single Role Model, Policy Model, Risk Model, Identity Repository, and Workflow Engine that improves visibility into who is doing what. Automated, continuous monitoring across the IT infrastructure enables supervisors to know what is going on in their environment, proactively prevent potential issues and rapidly respond to current threats.

IAM includes credential management to prevent the wrong people from accessing government buildings or computers, but goes much further by assigning a risk profile for employees and automatically flagging privilege escalation requests to deter inadvertent or intentional access to restricted networks without proper authorization. When any activity is outside of standard operating procedures, an automated alert is generated.


SailPoint’s product suite addresses and streamlines complete IAM, helping federal agencies identify, map, set and modify the rights and roles applicable for each person in the agency. Those rights extend to remote users accessing cloud, web and mobile applications from any device for increased productivity. The products are browser-based to solve modern security and IT issues immediately without lengthy software or product upgrades. SailPoint simplifies the process of granting and modifying user access for improved network security, but greatly enhances regulation compliance and governance as well.

Federal Regulation Compliance – Audit and Governance

As a result of HSPD-12, FISMA, FICAM and other government compliance regulations, government agencies must manage and comply with a host of requirements around the constant governance over identities, access privileges and sensitive IT systems - without additional budget. Even with these controls in place, insider threats remain, especially when combined with old or piecemealed provisioning technology.

These federal regulations, as well as DHS CDM, DOD 8500 Risk Management, NIST Risk Management and many FIPS PUBS and SPs require modern, automated IAM for practical and cost-effective implementation. When data collection, monitoring and reporting are automated, compliance and audits are simplified and systems are better protected. IAM drives transparency, providing visibility into the access and certification of direct reports and on-demand audit reports.

SailPoint allows agencies to operate from a single repository, enabling a significant number of controls and requirements to be consolidated and integrated. The common framework covers multiple functional risk areas and provides full traceability to hundreds of mandates. Managers and supervisors gain automated, real-time insight and reporting into the level and appropriateness of access for each person for complete identity management regulation compliance and significant process efficiencies.

Process Efficiencies – Administration and Governance

Current operational and administrative processes are often still manual, particularly around provisioning systems for issuing user IDs and passwords. The heavy resource requirements delay implementation of security products, onboarding new employees and contractors, provisioning and de-provisioning transient workers, monitoring access privileges, and audit reporting. When resources are strained, systems are overly complex and access privileges cannot be continuously monitored, risks for security breaches rise.

IAM enforces policy governance and automates processes, including audit reporting, on/off boarding and provisioning, separation of duty and access by job function. IAM is also an opportunity for federal agencies to centralize their disparate systems for better understanding of where applications reside and who has access. This enables simpler continuous monitoring and regulation compliance.

SailPoint believes automation is the critical factor federal agencies need in order to reduce many administrative hassles. By automating processes, centralizing management and streamlining the execution of compliance controls, productivity increases while support costs and risk decrease. The simple step of allowing users to manage their own passwords and access applications remotely means employees and contractors get to work faster with appropriate access privileges for the job. Any request for access to previous systems or networks for which they have not been granted continued access is denied and an alert is sent to a supervisor.


Cost Savings

Budgets are always a challenge for federal agencies. A number of security offerings, often based on numerous components purchased from various manufacturers, can cost millions of dollars in multiple product and coding requirements, integration configurations and ongoing maintenance. Implementation of these complex systems can take years to fully deploy. Agencies that have already spent money on cyber security will need to have demonstrable ROI to justify the purchase of any new product.

A comprehensive IAM solution can ease budget constraints and provide rapid ROI in several ways:

• Complete IAM has all of the necessary components included in a single product to reduce acquisition, ongoing maintenance and upgrade costs.

• If the solution is based on single-code architecture, coding and customization costs decrease.

• Automation immediately reduces administrative labor costs.

• Onboarding costs decrease when workers can begin their jobs more quickly.

SailPoint offers a flexible, customizable product with a unitary code base that integrates with any provisioning system and most business operation systems. All of its out-of-the-box connectors are included, eliminating the need for multiple product purchases and configurations while scaling to meet the changing needs of federal agencies. With one interface, SailPoint’s software is relatively uncomplicated to acquire, configure, implement, deploy and use.


SailPoint Is a Leader in Identity Management

SailPoint leads the industry with its IdentityIQ product suite, which includes IdentityIQ Compliance Manager, IdentityIQ Lifecycle Manager and IdentityIQ Governance Platform. SailPoint’s sole focus has been on governance and identity management since 2005, with its founders in the industry since 1992. Gartner places SailPoint as a market leader in its Magic Quadrant for Identity Governance and Administration (IGA) and mentions some vendors base their products on OEM technology from SailPoint, further highlighting SailPoint’s influence on the market.

SailPoint IdentityIQ – Complete Identity Management

SailPoint addresses the challenges federal agencies face with a full identity management suite of products that seamlessly integrate with other systems and applications. All are based on a unified governance framework that can be fully functional within months or even faster with its cloud-based SaaS IdentityNow option. IdentityIQ consists of:

• IdentityIQ Compliance Manager automates access certifications, policy management, access request and provisioning, password management, identity intelligence and audit reporting, particularly around FICAM, FISMA and NIST.

• IdentityIQ Lifecycle Manager manages changes to access through self-service request and password management interfaces and automated lifecycle events. Its scalability is ideal for the dynamic nature of federal agencies and their workforce.

• IdentityIQ Governance Platform ensures the right policies are established with workflows, reporting and role modeling. It stores identity and log information in a centralized repository which can be aggregated and scaled without additional costs.

SailPoint’s proprietary IAM product suite gives federal agencies the right level of protection against today’s biggest security threats while solving many of the most pressing challenges unique to the government. Through strict governance over the authentication, authorization, auditing and administration processes, federal agencies can better mitigate cyber security risk, obtain transparency to ease regulatory compliance, and improve operational efficiencies to achieve rapid ROI.


© 2014 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies. 0914-4356

Corporate Headquarters

11305 Four Points Drive, Building 2, Suite 100, Austin, Texas 78726

512.346.2000, USA toll-free 888.472.4578

www.sailpoint.com

Global Offices

UK: +44 (0) 845 273 3826

Netherlands: +31 (0) 20 3120423

Germany: +49 (0) 69 50956 5434

Switzerland: +41 (0) 79 74 91 282

Australia: +61 2 82498392

Singapore: +65 6248 4820

Africa: +27 21 403 6475


About SailPoint

As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of the world’s largest organizations securely and effectively deliver and manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. The company’s innovative product portfolio offers customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). For more information, visit www.sailpoint.com.