One advantage for Sallie Mae is that the firm already had invested in an identity management system based on Microsoft's Active Directory that provides a single identity and single sign-on for every employee. What SailPoint added was role-based access to systems that helps Sallie Mae comply with industry regulations that require regular audits.
Sallie Mae says it saw a return on its SailPoint investment the first year after installation.
"Last year, I was audited 28 times on access management control, so having a system like SailPoint that provides that has solved a really big problem," Archer said. "I can attest to the auditors that nobody has access that's inappropriate to their role."
Next, Sallie Mae plans to automate the provisioning and de-provisioning of cloud and network-based applications. Archer hopes to have this functionality in place by year's end.
"Now we have a staff of 22 people doing provisioning and access," Archer said. "Our next step is automated provisioning. We will simply get out of the game of doing this, and it will more or less be a self-service function...When the automated provisioning step is done, we will have increased our savings to 70%."
Archer's advice to other CIOs is to tackle compliance first, and then worry about automated provisioning and de-provisioning of cloud-based and premises applications.
"Define what consists of successful and appropriate levels of access," Archer says. "The next step is to define roles. If you can get to roles, then provisioning on the front end becomes much easier...The hardest part is provisioning and de-provisioning."
Most enterprises like Sallie Mae are keeping their IAM solutions in-house today rather than adopting a hosted service, admits Vick Viren Vaishnavi, President and CEO of Aveksa, which has both types of offerings. He says companies are too worried about maintaining control over the actions people can take on data and applications in the cloud to outsource the governance piece of identity management.
"Governance is what I call a command and control structure that drives adherence to compliance policies and regulations," Vaishnavi says. "You want to control that within the enterprise because it's like your keys to the kingdom. Most enterprises are not prepared to put it into the cloud yet."
Vaishnavi predicts that more enterprises will be comfortable with hosted services that handle authentication and governance within the next three to five years, particularly as these services demonstrate cost savings.
"The two drivers with identity and authentication in the cloud are risk posturing and cost," Vaishnavi says. "Companies need compliance control, operational control, access control and avoiding audit fines or penalties. They need to protect their brands and mitigate risks. But the other issue is cost. Access is constantly changing. Employees are coming and going. Contractors are coming and going. How do you keep your access entitlements in lockstep with roles performed in the organization? That's expensive."