1 Introduction

Access Governance has emerged as one of the fastest growing market segments in the broader IAM/IAG market with a focus on Access Request Management, Role Management, Access Recertification, and SoD (Segregation of Duties) management and enforcement. Over the past few years this area has evolved significantly with the incorporation of Access Intelligence, which provides advanced analytical capabilities for identifying access risks and analyzing the current status of entitlements.

Access Governance covers the mechanisms, processes relations and management of access controls in IT systems and thus is about mitigating access-related risks. These risks include the theft of information, fraud through changes to information, and the subversion of IT systems - for example in banking - to facilitate illegal actions, to name just a few. The large number of prominent incidents within the last few years proves the need to address these issues – in all industries. The loss of privacy-related customer data or industrial espionage is a problem in virtually every industry, besides industry-specific issues such as the illegal actions of stock dealers.

Therefore, Access Governance is one of the core areas to cover for any organization due to the potentially massive impact of incidents. Access risks might have severe operational impact and might even relate to strategic risks. The loss of blueprints to competitors, fraud in ERP systems including illegal financial transactions, reputation problems due to the loss of privacy-related data, secret documents being unveiled to the press, and many more are examples for business risk due to access risks.

From the KuppingerCole perspective, a complete Access Governance approach has to go beyond the “standard users” and to cover privileged access as well, e.g. administrative access, technical users, system-level accounts, and other types of privileged (and frequently shared) accounts. However, we don’t see many vendors in the market right now which have a well thought-out, deep integration of Privilege Management with the standard Access Governance features. There are some few players in the market already delivering on that, but most lack this integration. While privileged users are pretty much the same as “standard” users from an Access Governance perspective, Privilege Management tools add features such as restricting elevation of rights at run-time and managing shared account passwords. Complete solutions would require tight integration between both groups of capabilities, to not only identify the risk in Access Governance but mitigate it by using specific Privilege Management capabilities.

SailPoint is one of the pioneers in the emerging market for Access Governance. The company was founded in 2005 by a group of executives with long experience in IAM (Identity and Access Management) as well as in the general IT market. Their product “IdentityIQ V7.0” is one of the leading products in the emerging market for Identity and Access Governance.