SailPoint jibes identity to the cloud

Phil Wainewright, July 22, 2013
Enterprise identity and access management vendor SailPoint has rebuilt its entire product set for the cloud to help manage SaaS and mobile apps. But are large organizations ready to manage identity in the cloud?

Kevin Cunningham, SailPoint

Enterprise access management vendor SailPoint today took a big step into the cloud with the launch of IdentityNow. The cloud-native identity and access management (IAM) offering marks the first time SailPoint has offered its complete set of functions as SaaS (software as a service).

"This is an entirely new product line for the company," founder and president Kevin Cunningham told me in an advance briefing last week. "This has been a multi-year effort."

Unlike better-known competitors such as Okta, OneLogin and Ping Identity that focus primarily on accessing cloud services, the company's background is in governing access to traditional enterprise applications. But compared to traditional vendors in that market, SailPoint has chosen to build a completely new cloud architecture rather than taking a SoSaaS approach of porting its existing on-premise product to the cloud. As Cunningham had told me in an earlier conversation about the company's SaaS strategy:

"A lot of vendors have made that ASP [application service provider] mistake; they've taken an existing on-prem product and just put it on the cloud. We're actually a whole new product from scratch."

The new IdentityNow service is intended to offer exactly the same range of functionality as its existing, traditional licensed software product IdentityIQ. "The goal is to have two products that provide the same fundamental capabilities and allow customers to make their own decision," said Paul Trulove, SailPoint's VP product marketing. The company also provides an 'on-ramp' process to ease migration from one to the other.

Combination of access points

Whereas many of the startups targeting cloud access management, such as OneLogin and Okta, focus on providing single sign-on to an organisation's application portfolio, SailPoint's functionality encompasses governance, policy management and provisioning tools. Founded in 2005 by a team drawn from identity management vendor Waveset Technologies, it started out offering identity governance, then added provisioning in 2010 and access management after acquiring BMC's Control-SA product in 2011 and cloud and mobile access vendor Cloudmasons at the beginning of 2012.

That breadth of functionality is what's needed in the large, Global 2000 organizations that SailPoint aims to target, said Cunningham. As well as connecting to everyday directory services such as LDAP and Microsoft's Active Directory, it also plugs into more esoteric identity services ranging from RACF on IBM mainframes to mobile device management systems. As Cunningham told me in our earlier conversation:

"Often it's a combination of access points ... There's a big opportunity to cater to that hybrid environment and give a 360-degree view.

"Enterprise-grade provisioning and governance are key parts of the offering alongside SSO — there's complex workflow and policy settings around that kind of thing."

Access wherever, whatever

The challenge those enterprises now face is that their users are increasingly accessing cloud applications or want to work with a range of applications from mobile devices both at the office and when they're out on the road. As Trulove put it:

"Business users want to be able to access the apps they need to do their job from wherever, on whatever device. 'I don't really care whether they're cloud or legacy apps, I just want to do my job'."

Therefore, line-of-business divisions or departmental teams are often adopting cloud apps without consulting or informing the IT department. This is a concern for enterprises, as Cunningham explains:

"Security people don't want anything unmanaged, and they don't want to have a separate management paradigm for a certain class of applications ...

"That lack of visibility, or blindspot, is where all the problems creep in from a security perspective ... SailPoint's proposition is to help IT get caught back up with who's signing on and what they're doing."

Mobile interface

Bringing access controls to the mobile environment is front-of-mind in many organizations at present. SailPoint says it has built a 'mobile-first' interface for the IdentityNow product "to simplify how business users manage daily IAM needs, including logging into cloud and web applications, requesting or reviewing access, and resetting passwords," according to the press release.

Administrators can also use the mobile interface for certain functions that are needed on-the-go. "Especially with password management, extending to mobile is really important," said Trulove.

A cloud-based service has special value when managing a mobile device population, Cunningham added.

"The interesting thing about the BYOD phenomena, it's the fact that the end user wants or needs to access the IDM system when they're off the network. A cloud-based service enables their access to all the apps they need to stay productive."

Keys to the kingdom

All the same, SailPoint expects many of its customers will have reservations about trusting a cloud-based service with such a crucial utility as access management.

"We're managing the keys to the kingdom, right? There's some concern about putting this outside of their firewall," he said. "Also the inherent nature of what we do, given we have our tentacles all over the organization, doesn't lend itself easily to a SaaS model."

"There are also concerns — especially in Europe and Asia — around privacy and where that data is hosted."

However, SailPoint expects those sentiments to change over the next year or two, said Cunningham. "We expect that going into 2014 and 2015 the market is really going to shift," he said. "The conversations are happening now, the interest is there. The buying proclivity is more towards hosted [rather than cloud-native], but that will change."

Security silos

Another challenge for SailPoint is to make sure it is speaking to the right level of person in the enterprise. Its offering cuts across several different activities that have traditionally had separate lines of reporting. One person buys the application, another decides on access rights to the data. There's one team in charge of security and another looking after compliance.

The trend towards rapid deployment of easy-to-use applications and services across the enterprise is challenging those old dividing lines, says Cunningham:

"What we're doing is not new, but it's interesting — these used to be siloed activities. If you take all those silos of identity management and just pierce a hole through the side, that's what's happening with consumerization of IT.

"Identity's becoming much more of a business transactional process that merges all of these activities into one transaction."

Whether SailPoint can be the vendor that successfully unites those activities remains to be seen. IdentityNow services including SSO, access certifications, and password management will be available from September, with access request and provisioning, advanced policy and analytics services available in early 2014.

Photo credits: Finger scan © psdesign1; Kevin Cunningham headshot courtesy of SailPoint.