Recently, BMC announced an alliance with SailPoint, a maker of access governance software. Since that time, engineers from both sides have been working around the clock to combine the best of BMC’s related IDM suite and SailPoint’s IdentityIQ software. The results of this effort have produced an interesting combination of strengths that give both existing BMC IDM customers or SailPoint customers compelling opportunities to expand the value of their current respective programs.
Our perspective is somewhat unique and we wanted to further explain some of the differences between the two products and how they can complement each other.
BMC IDM Suite
To start, the identity management products from the past decade have become better and better at enabling automated creation and maintenance of user accounts across many systems within an enterprise. Many vendors such as BMC, Sun Microsystems, IBM, Novell, Oracle and others created solutions using a variety of techniques. Most of the large vendors didn’t create the products, rather they purchased them from smaller startups such as Waveset, Thor, Control-SA, and others.
BMC’s IDM suite was primarily the Control-SA product but was later incorporated into their Open Services layer, to enable better and easier integration between other BMC software platforms. Control-SA was optimized for high-volume transactions and is still in production use today in hundreds of large institutions around the world. Control-SA is great at provisioning accounts, but hasn’t evolved much in the way of functionality as the definition of Identity Management has continued to mature.
The IdentityIQ (IIQ) suite of tools has historically looked beyond the act of pushing data to many target systems and focused more on raising the visibility of the intelligence that is inherent to the data from a policy, controls, and compliance standpoint.
IIQ supports functionality that is designed to enable business decisions on accuracy of data, track those decisions over time, automate policy enforcement and provide as evidence all of the decisions and activities that are relevant to the access portion of an IT audit. It uses many concepts as a means to that end such as classification of entitlements into roles, complex access review workflows, separation of duties policy monitoring, and very robust reporting and analytics tools to capture just about any slice of the data that one can imagine.
In later revisions, IIQ began to support the provisioning side of things in an effort to fully encapsulate the business processes around access requests/approvals, remediation of inaccurate access data, and general management of accounts from a centralized view. SailPoint, however, didn’t attempt to rewrite the kinds of connectors available in a traditional provisioning system. Rather, they built the architecture to support a pluggable layer for automated (or manual) fulfillment, giving owners of the software flexibility in creating, updating, and deleting accounts and entitlements.
Access Governance Platform
As a combination of platforms, a great deal of flexibility exists. Consider that both systems are very mature and support interoperability through API’s. The strengths of each of the platforms are complementary and make them well suited to provide a fairly complete technology component of an access governance solution.
Functionally, organizations will be able to combine the two systems to achieve the following:
- Create a single view to all enterprise systems that store a large percentage of users, sensitive financially significant data, personally identifiable information (PII), or intellectual property
- Categorize data so that it is simplified in business terms and easy to work with
- Automate management of data as people join the organization, leave the organization, or move around with different responsibilities
- Ensure that access is authorized before being granted
- Track the access that people are granted and periodically have authorized personnel review that access for accuracy
- Fix or remediate inaccurate data as soon as it is found, maintaining a history of the violation and the steps taken to remediate
- Enforce policies and controls to implement security best practices and comply with external legal and regulatory demands
- Provide evidence of activities, decisions, and ongoing accuracy of data for internal and external auditing purposes
This is great news for organizations because having this unified platform enables them to fully realize the goals of balancing scattered data, workforce movement, security of assets, and legal/regulatory obligations.
The SailPoint and Control-SA combination isn’t the only option on the market and customers would be wise to understand their options. For example, SailPoint IdentityIQ has the ability to leverage other provisioning platforms as well because of the open architecture in the provisioning connection layer. Similarly, there are other systems that can leverage Control-SA (the BMC IDM Suite) to complete provisioning tasks along with the capabilities that they offer.
With that said, the two companies have worked together for quite some time on this integration. Based on that, it appears that organizations that choose this option will be less concerned with the integration between the two components and be more focused on the process engineering that must take place either way.