"We did a survey of 1,000 organizations, and 69% of them allowed personal mobile devices to access their network," Fowler says. "They don't have security over the devices used to access data in the cloud, and they are typically using dozens of cloud-based applications."
Today's IAM tools help IT departments manage the conflicting pressures of trying to secure data that is stored by someone else - a hosted service provider - and accessed by a device that's not owned or controlled by the company. IAM tools also help manage the constant churn of employees being hired and fired by an organization and its business partners.
"When you put an application in the cloud, you don't have mechanisms for provisioning users in the cloud automatically," Fowler says. "When you terminate an employee or the employee changes jobs, somebody has to manually go into these cloud-based applications and take them out. We're building connectors to applications that allow you to automate on-boarding and off-boarding individuals."
The latest development is the availability of IAM as a hosted service from such companies as Courion and Lighthouse Security Group. Only a handful of pioneering organization such as Cintas Corp. and Molsen Coors Brewing Co., have chosen a hosted IAM service. For example, Cintas is going into production mode with the hosted CourionLive service for 30,000 users in March.
Sallie Mae, however, isn't ready to put its identity management system into the cloud.
"We're not at the point where we're putting Active Directory into the cloud. We're maintaining our own Active Directory for employees and customer identity," Archer says. "If you move everything into the cloud, with all identities maintained in the cloud, you've put your crown jewels in the cloud now and you really need to begin worrying about a whole different set of problems in terms of protecting your crown jewels. If hackers get to that, they have everything."
Instead, Sallie Mae is sticking with its network-based version of SailPoint, which it has used for two years. Before that, the company used Excel spreadsheets and a manually intensive process to conduct quarterly reviews of employees' access to information systems.
"We would on a quarterly basis pull all the access logs from the systems and distribute them to the managers to approve," Archer says. "With SailPoint, we've implemented role-based access control...No longer do managers have to look at spreadsheets and individual access."
Archer says Sallie Mae has reduced the amount of resources related to compliance by 40% in the last two years, thanks to tools like SailPoint.
"All of this work was very manual with spreadsheets," he says. "We've fundamentally changed everything."
Sign up for Computerworld eNewsletters.