GDS International - Next - Generation - Security - Summit - US - 1

PRODUCT OVERVIEW

SailPoint IdentityIQManaging the Business of Identity

Today, identity management solutions need to do two things equally well: deliver access to the business, and support compliance requirements around security and privacy. No matter how much regulatory demands grow and change, or how many new employees, contractors and other users come on board or change roles, organizations must be able to count on their identity solution to cost-effectively enable strong and consistent controls over access to applications and data, allow for convenient access requests and deliver timely provisioning of access rights.

Today’s agile, compliant organization must effectively enforce identity and access controls to minimize business risk and prevent privacy breaches or misuse of data while improving audit performance and streamlining compliance to reduce IT costs.

To handle these challenges, organizations require a solution that can scale up and keep up with access demands and compliance requirements, while keeping access-related risks, cost and audit deficiencies down. SailPoint IdentityIQ™ is designed to meet these challenges head on.

Effective Identity Controls for Compliance, Security and ProductivitySailPoint IdentityIQ is an innovative identity governance solution that reduces the cost and complexity of both complying with regulations and delivering access to users. Traditional identity management approaches treat these areas separately, often using multiple, disjointed products. IdentityIQ, however, provides a unified approach that leverages a common identity governance framework. This makes it possible to consistently apply business and security policy, and role and risk models, across all access-related activities.

By providing on-demand visibility into “who has access to what,” IdentityIQ enables organizations to successfully

address compliance mandates and regulatory requirements, as well as efficiently deliver, modify, and terminate access as needed, across even the most complex IT environments. Its centralized intelligence and risk-based approach to managing access provides transparency and strengthens preventive and detective controls. IdentityIQ provides the following key components to automate access certifications, policy enforcement, and the end-to-end access request and fulfillment process:

• Governance Platform centralizes identity data, roles, business policy and risk modeling to support compliance initiatives and user lifecycle management.

• Compliance Manager streamlines compliance controls and improves audit performance through automated access certifications and policy enforcement.

• Lifecycle Manager provides self-service access request and lifecycle event management to simplify and automate the creation, modification and revocation of user access privileges.

• User Provisioning provides flexible options for implementing changes requested by the business during compliance and lifecycle management processes.

• Identity Intelligence transforms technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information including dashboards, reports and advanced analytics.

SailPoint IdentityIQ

A Comprehensive Identity Governance Solution

“SailPoint IdentityIQ was the obvious choice because it delivered identity governance and provisioning capabilities in a single solution. It was also immediately evident that it would be easy for our business managers to use, and provided us insight into the risk associated with user access.”Brad Jobe Director of Information Security, CUNA Mutual

SailPoint IdentityIQ: Product Overview2

The IdentityIQ Governance Platform lays the foundation for effective identity management within the enterprise by establishing a framework that centralizes identity data and captures business policy, models roles, and proactively manages user and resource risk factors. The Governance Platform allows organizations to build preventive and detective controls that support all critical identity business processes.

Identity WarehouseThe Identity Warehouse is at the core of the Governance Platform serving as the central repository for identity and access data across all enterprise IT applications in the data center and the cloud. The warehouse is populated by importing user data from any authoritative source (e.g., HRMS) and user account and entitlement data from business applications, databases, platforms, and other systems. It is designed to scale and rapidly import access data from large numbers of applications and users by leveraging out-of-the-box connectors or via flat files.

During the import process, IdentityIQ leverages a powerful correlation engine to link individual accounts and entitlements to create a user’s Identity Cube – a multi-dimensional view of each individual and their associated access.

Policy CatalogThe Policy Catalog captures enterprise governance, access request, and provisioning policies within the Governance Platform. It provides a highly-extensible framework for defining and implementing both detective and preventive audit controls such as SoD policies. In addition, the Policy Catalog defines and reuses enterprise access policies across business applications and organizational business processes.

Role ModelerIdentityIQ automates the creation, enforcement and verification of role-based access across enterprise applications. Organizations can quickly define roles which fit the unique requirements of their environment using IdentityIQ’s adaptive role model. More importantly, IdentityIQ enables organizations to create roles which enforce “least-privilege” access while controlling role proliferation. To speed the combination of top-down, business-oriented role modeling and bottom-up IT role mining, IdentityIQ enables cross-functional participation in the role-modeling process and makes it easy for both business and technical users to create roles that accurately reflect the organization’s business and IT needs.

In the face of dynamic business and IT environments, keeping the role model relevant can be a challenge. IdentityIQ provides end-to-end role lifecycle management capabilities, including automated role approvals, role certifications (role membership and contents), role quality metrics and role analytics to help organizations manage roles over their entire lifecycle – from creation to retirement.

Risk Analyzer The Risk Analyzer locates and identifies areas of risk created by users with inappropriate or excessive access privileges. It provides a dynamic risk model which leverages patent-pending risk algorithms to calculate and assign a unique identity risk score for each user, application and system resource. The base IdentityIQ risk model is created by assigning unique risk values to each application, entitlement, role, and policy. The risk score is updated continuously based on changes to the user’s access privileges, as well as “compensating factors,” such as how recently the user has been certified and whether a policy violation has been allowed as an exception. Leveraging risk scores, managers or application owners can target highest-risk users or systems first, improving the effectiveness of controls of their departments, and ultimately, the security and compliance of the business.

Governance Platform

Support Enterprise-wide Identity Management with a Centralized Framework

SailPoint’s risk-based approach allows organizations to focus certifications, prioritize remediations, and modify access change processes, including access approvals, based on the potential risk

to the organization posed by a user’s access privileges.


S a i l Po i n t I d e n t i t y I Q Pr o d u c t O v e r v i e w

IdentityIQ Compliance Manager enables the business to streamline complex compliance processes for greater effectiveness while lowering costs. By integrating access certification and policy enforcement, Compliance Manager automates the auditing, reporting and management activities associated with a strong identity governance program. Its integrated risk model leads the industry by providing a framework that prioritizes compliance activities and focuses controls on the users, resources and access privileges representing the greatest potential risk to the business.

Access Certifications One of the most common controls required by IT auditors is regular certification of user access by business and IT managers. Unfortunately, many organizations struggle to implement an effective access review process to ensure that a user’s access privileges match the requirements of his or her job function. IdentityIQ provides a fully automated, repeatable certification process and tracks and reports on the status of certificationsby individual, application, and organizational groups.IdentityIQ automates all access certification tasks including formatting of user role and entitlement data into easy-to-read, business-oriented reports; routing of reports to the appropriate reviewers; tracking reviewer progress and actions; and archiving all certification reports.

To make the reviews more effective, IdentityIQ uses descriptive business language in reports and provides helpful information highlighting changes and flagging anomalies so that reviewers are better equipped to mitigate areas of potential risk and make better decisions. To enhance transparency of certification activity across the organization, compliance administrators have access to real-time information about the status of individual certifications from dashboards, reports, and analytics.

Policy Enforcement Defining and enforcing comprehensive access policy controls across enterprise applications, including separation-of-duty (SoD) policy is critical to implementing strong compliance controls. Unfortunately, for many organizations, enforcing access policy remains a complicated, manual chore. IdentityIQ makes it easy for business and IT managers to define access policy across roles and entitlements using point-and-click interfaces. IdentityIQ supports a wide variety of policy types including account-level policy, activity policy and risk-based policy.

Compliance Manager leverages the IdentityIQ Policy Catalog to validate users’ existing access against the pre-established policy model. It automatically scans Identity Cubes for policy violations and can be configured to alert business and IT managers or immediately revoke conflicting access. In addition, policy violations can be resolved directly – through a user-friendly interface designed for reviewing and mitigating policy – or as part of an access certification where violations are highlighted for review and resolution by the certifier. IdentityIQ tracks the status of policy violations incorporating this information into identity risk scores, reports and compliance dashboards. Managers can lower risk scores by revoking access that results in a policy violation or by explicitly allowing an exception for a predetermined period of time.

Compliance Manager

Get Compliant, Stay Compliant

“As a publicly-traded company and financial services provider, we are subject to a variety of regulations including FISMA, SOX, PCI, and SAS 70. To meet these requirements, we are standardizing and automating our compliance processes for identity management, so that we can centrally control who gets access to sensitive resources and maintain compliance as the organization changes over time. This centralized and automated approach allows us to proactively address risk and more efficiently maintain a compliant, secure environment.”Jerry Archer Chief Security OfficerSallie Mae

Access Certification in Action: Compliance Manager deliversvisibility and control over enterprise access. Annotating reports with

descriptive business language and other helpful information to highlight changes and flag anomalies enables reviewers to focus

on areas of potential risk and make better decisions.


Managing change to user access is a significant business issue as organizations become more complex. More users with more access to enterprise systems leaves IT unable to keep pace with the rapidly evolving access demands. Therefore, business must take an active role in working with IT to manage the day-to-day activities associated with ensuring the rights users have access to the right systems within the enterprise. This shift requires organizations to rethink how they deliver tools and processes which empower business users to manage changes to user access and still enforce enterprise identity controls. In addition, organizations are finding that legacy approaches to provisioning are outdated and ineffective in a world where compliance and governance requirements are driving organizations to implement strong preventive controls that the business can understand and use. IdentityIQ Lifecycle Manager delivers a business-oriented solution for managing changes to user access, including both self-service access requests and automatic event-driven access changes. By leveraging a combination of business-friendly user interfaces for requesting and managing access and dynamic process generation, which automatically adjusts workflow execution to the unique attributes of a request, IdentityIQ provides a flexible and scalable solution for addressing an organizations access needs in efficient and compliant manner.

Self-Service Access RequestLifecycle Manager simplifies the access request process for business users through an intuitive “shopping cart” interface – a business-friendly, web-based interface where users can conveniently select roles and entitlements needed to perform their job duties, view current access privileges, and check the status of previous requests. Access policy is automatically enforced during the self-service request process as IdentityIQ evaluates the validity of a request by checking it against the Policy Catalog before initiating the appropriate approval workflows for user provisioning. Business users can also onboard new employees or contractors directly into IdentityIQ to support day-one productivity of new users. The self-service interface increases business user productivity and satisfaction by allowing users to manage their own access – removing a significant administration burden from the IT organization.

Password ManagementLifecycle Manager provides complete self-service and delegated password management capabilities. Password changes are performed in a secure, compliant fashion thanks to IdentityIQ’s Policy Catalog which stores and enforces application-specific password policies.

Users can quickly change existing passwords across multiple systems or recover forgotten passwords by correctly answering configurable challenge/response questions. Password changes are automatically synchronized with target systems through the IdentityIQ Provisioning Engine or other third-party provisioning solutions. Lifecycle Manager also enables managers and administrators to quickly reset users’ passwords from thesame user-friendly interface. By allowing users to manage password changes from a business-friendly interface, Lifecycle Manager greatly reduces calls to the help desk related to password management.

Lifecycle Manager

Empower the Business to Manage User Access

Lifecycle Manager enables business users to request roles and entitlements their staff need easily and initiate the new

access changes according to policy.



Lifecycle Event ManagementThe process of managing workforce churn and the resulting impact to identities and access privileges is greatly simplified in IdentityIQ with automated lifecycle events. Lifecycle Manager supports a wide range of events such as new hires, transfers, moves or terminations through integration with authoritative sources, such as HR systems and corporate directories.

When a lifecycle event is detected, IdentityIQ automatically triggers access changes by initiating the appropriate business process, including policy scans and approvals. Changes are then passed to the Provisioning Broker for closed-loop access fulfillment via automated provisioning systems or manual change management. By automating access changes triggered from identity lifecycle events, IdentityIQ greatly reduces the costs associated with managing those changes while enhancing the organization’s security and compliance posture.

Lifecycle Process AutomationOne of the most challenging aspects of deploying a traditional identity management product is building and orchestrating the underlying business processes that control who can request access, what types of access can be requested, who must approve changes to access and how changes to access are implemented. And, in today’s dynamic business environment, building static workflows and policies is an approach that is very brittle and leaves the organization at risk of users having inappropriate access.

Lifecycle Manager offers an innovative solution to address this challenge with the Process Assembler. The Process Assembler dynamically constructs individual workflow instances based on predefined business processes each time a change to user access is initiated by the business. This enables Lifecycle Manager to provide a customized workflow experience reflecting the unique requirements of each access request.

The Process Assembler controls all aspects of a self-service access request or automated lifecycle event workflow. This includes generating dynamic forms to capture information from the requester or other participants in the request, determining and orchestrating the flow of approvals for the request, and initiating and tracking change fulfillment processes. All elements of the dynamic business process are controlled through the Policy Catalog allowing access request and provisioning policies to be defined in the centralized repository and reused as needed.

SailPoint’s unique approach to defining and executing lifecycle management business processes using the Process Assembler streamlines and speeds deployment activities while promoting a strong governance stance by enforcing enterprise access policies through the request and fulfillment process.

ApprovalsForms Fulfillment

ProvisioningEngine

3rd PartyProvisioning

Help Desk

AccessRequest

PolicyCatalog

Dynamic Process AssemblyA Better Way to Build Forms and Workflow

Dynamic Process Assembly in Action: On-the-fly business process assembly reduces custom workflow coding while dynamic

form generation eliminates hard-coded end-user request forms.


In today’s complex IT environment, managing changes to user access can seem like a daunting task for business and IT users alike. Business users want a simple, consistent process for requesting changes, and IT operations teams want the flexibility to implement changes in the most cost-effective way. In the past, this meant using different request processes for each back-end provisioning process, a confusing and inefficient solution for the business. SailPoint IdentityIQ solves this problem by allowing end-user request and compliance processes to function independently from the underlying IT processes which implement changes to user access. Thisallows IT organizations to choose the best methodfor fulfilling changes requested by the business without negatively impacting the end users.

Provisioning BrokerThe IdentityIQ Provisioning Broker separates identity governance processes and controls in a layer above provisioning fulfillment by acting as the bridge between the business processes driving change to access and the technical processes that actually implement the changes.

Provisioning Broker can send change requests to automated provisioning systems, including IdentityIQ Provisioning Engine or third-party provisioning systems; or leverage manual change management processes by creating help desk tickets or manual work items to track progress of changes requested by the business. This seamless orchestration of changes across provisioning mechanisms unifies policy enforcement, process monitoring and auditing, and gives organizations the flexibility to provision changes to user access in whatever way they choose.

As a best practice, IdentityIQ provides closed-loop remediation to ensure that all changes requested by the business are fulfilled in a timely and accurate manner.

Provisioning EngineAutomating the provisioning process minimizes the time IT spends on repetitive processes and lowers the cost of IT operations related to managing access change. IdentityIQ’s Provisioning Engine automates access changes pushed to target systems based on requests initiated by the business through IdentityIQ Compliance Manager and Lifecycle Manager.

Provisioning Engine leverages a scalable framework of connectors to create, update and delete user accounts and set user passwords across platforms, databases, directories and business applications. Provisioning Engine also includes a connector toolkit for rapidly building and deploying connectors to custom applications.

Provisioning Integration ModulesSailPoint recognizes that many organizations have significant investments in legacy provisioning systems. To maximize existing investments in these systems, IdentityIQ can leverage existing connectivity through alternative provisioning systems to connect to enterprise resources and pull user account data into its Identity Warehouse to support compliance and identity lifecycle management activities. IdentityIQ can also be configured to push changes resulting from day-to-day identity business processes down to the provisioning solution to implement account changes in target IT systems.

SailPoint offers Provisioning Integration Modules (PIMs) for numerous legacy user provisioning solutions, including BMC Identity Manager, IBM Tivoli Identity Manager, Novell Identity Manager, Oracle Identity Manager, and Sun Identity Manager (Oracle Waveset).

Service Desk and Manual Provisioning SupportSince automating provisioning processes isn’t always the most effective or efficient option, IdentityIQ supports several options for manually making changes to user access through help desks and work queues.

• Service Desk Integration Modules (SIMs) automatically generate help desk tickets when access needs to change on a target resource. SIMs are available for common service desk applications including BMC Remedy.

• Internal work queue management supports the creation and tracking of internal work items associated with changes requested by the business which need to be fulfilled through manual provisioning processes.

User Provisioning

Take a Flexible Approach to Change Management



Organizations strive for better visibility into potential risk factors across their business. With Identity Intelligence from IdentityIQ, organizations can transform technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information. The visibility and insights offered by IdentityIQ through dashboards, risk metrics and reporting provide a clear understanding of identity and access information and help to proactively manage and focus identity management efforts strategically across even the most complex enterprise environments. Reporting and AnalyticsIdentityIQ provides out-of-the-box reports and analytics tools that make it easy to track and monitor critical compliance metrics and lifecycle management processes across the organization. Business-friendly reports provide compliance and audit users with the ability to monitor and analyze the organization’s performance around key compliance controls including the status of access certifications, policy violations, remediation activity and risk metrics. IdentityIQ reports also provide up-to-date information to business and IT teams on lifecycle management and provisioning activities across enterprise resources. Users can save customized views of reports for future use or download reports as a CSV or PDF for additional analysis. IdentityIQ also provides advanced analytics capabilities within IdentityIQ so that users can quickly create ad-hoc reports to support the unique needs of the business. This powerful search engine allows users to create customized queries using a point-and-click interface. Each query can be saved as a report for easy recall.

Customizable DashboardsBusiness and IT users benefit from customizable views in the dashboard with at-a-glance charts, graphs, detailed reports and task status. The dashboard is interactive, allowing users to drill down into the source data. Each user’s dashboard is tailored to his or her role and can be customized by the user with easy drag-and-drop formatting and content selection.

Identity Intelligence

Transform Technical Data into Business-Relevant Information

Cloud Solutions

Extend Identity Governance from the Data Center to the Cloud

Identity Intelligence in Action: Dashboards empower users with better visibility enabling them to conveniently drill down into the

source data for more details or to view the status of pending tasks. Each user can easily tailor the dashboard to his or her level of

sophistication, as well as his or her role and authority.

IdentityIQ helps organizations to quickly and easily integrate cloud-based applications into their existing identity governance program without impacting business users or processes. This provides a consistent user experience for common identity business processes, such as requesting access, managing passwords and certifying user access – across all IT resources, regardless of where an application is hosted.

IdentityIQ provides two components that work together to quickly extend identity governance and provisioning activities

beyond the datacenter to cloud-based applications.

• SaaS Connectors seamlessly integrate user access data from SaaS applications such as Google Apps and Salesforce CRM into IdentityIQ to manage access certification, policy enforcement, access request and provisioning processes.

• Cloud Identity Bridge extends identity governance and provisioning into public and private cloud environments, providing a secure and reliable link between IdentityIQ and cloud-based resources.


SailPoint IdentityIQ – Key Capabilities

SailPoint’s 360-degree visibility into identity data, its ability to transform data into business information, and its risk-based focus that helps prioritize controls all combine to give you the power to make intelligent decisions during access request, review, and approval processes. With SailPoint, you can streamline compliance and provisioning processes – even while you reduce compliance costs and resource burdens.

CAPABILITY DESCRIPTION

Compliance Manager

Access Certifications · Drive automated review cycles · Present data in business-friendly language · Focus reviewers on real business risk · Track reviewer progress and actions · Support flexible certification cycles · Enforce a closed-loop provisioning process · Archive certification history

Policy Enforcement · Enforces multiple types of policy across applications · Proactively identifies violations · Mitigates violations in real-time · Risk-based approach prioritizes violations · Tracks and reports on violations

Lifecycle Manager

Self-Service Access Request · Offloads IT staff with self-service interface · Empowers users to request and manage access · Facilitates delegated administration · Provides visibility to request status

Password Management · Allows business users to reset or change passwords · Enables delegated password management · Enforces password policy

Lifecycle Event Management · Simplifies access request processes · Speeds change with automated event triggers · Prevents policy violations

Lifecycle Process Automation · Promotes reuse of governance, request and provisioning policies · Drives on-the-fly process assembly · Reduces custom workflow coding · Eliminates the need to hard-code end user request forms

User Provisioning

Provisioning Broker · Encapsulates resource-specific provisioning policies · Orchestrates changes to user access across disparate fulfillment processes

Provisioning Engine · Synchronizes account, entitlement and password changes across IT resources · Connects to over 40 enterprise applications, platforms and databases · Supports rapid deployment to custom applications

Provisioning Integration Modules · Leverage third party provisioning solutions to implement changes

Service Desk Integration Modules · Generate help desk tickets automatically

Manual Provisioning Support · Supports the creation and tracking of changes through internal work queues

Identity Intelligence

Customizable Dashboards · Deliver at-a-glance charts, graphs and reports with drill-down capabilities· Highlight scheduled compliance events and the status of in-process tasks

Reporting and Analytics · Highlight issues, status and improvements over time· Enable end users to have fast access to actionable information· Readily demonstrate compliance

© 2011 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies. 1011

Why SailPoint? Innovations in Identity Management

Only SailPoint brings a unique combination of strengths to bear on every aspect of the new challenges of identity management. With innovative, industry-proven technology, a strong heritage in identity and access management, and a laser-like focus on identity governance, SailPoint is best equipped to help any organization run a successful identity management program with the following industry innovations:

• Risk-based approach. Only SailPoint offers an identity governance solution that can identify specific business risks within an organization, so that they can be addressed before they pose a threat to security or compliance.

• Unified architecture. SailPoint is the only identity provider that has built an identity governance solution from the ground up to deliver all the capabilities that organizations require to address today’s risk, compliance and lifecycle management needs.

• Flexible last-mile provisioning approach. IdentityIQ integrates easily with whatever identity technologies, tools and process are established or preferred. With SailPoint, the customer decides how changes are fulfilled to the resources across the organization.

• High performance and scalability. SailPoint meets the performance and scalability requirements of some of the world’s largest customers. IdentityIQ is designed to scale horizontally, vertically and functionally, making it possible for SailPoint to manage hundreds of thousands of users, thousands of applications and millions of entitlements.

• Centralized governance across datacenter and cloud environments. IdentityIQ is designed to handle access to all data, applications and other resources throughout the organization, from the datacenter to the cloud.


USA Phone: 512.346.2000Toll-free: 1.888.4SAILPTUK Phone: +44 845 273 3826www.sailpoint.com

Managing the Business of Identity

SailPoint helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance. The company’s award-winning software, SailPoint IdentityIQ, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process. IdentityIQ is the industry’s first business-oriented identity governance suite that quickly delivers tangible results with risk-aware compliance management, closed-loop user lifecycle management, flexible provisioning, an integrated governance model and identity intelligence.

“SailPoint is competing – and winning – against some very large companies in the identity management market because of our innovative products, and our unmatched commitment to helping companies succeed with their compliance and security efforts. We’re very focused on maintaining our high customer satisfaction levels, and have invested a significant amount of resources internally to make that possible.”Mark McClain CEO and FounderSailPoint

Technology

GDS International - Next - Generation - Security - Summit - US - 1