SailPoint Identity Security Cloud Reviews

User Access Review, User Access Request and SOD Policy detection. Another important feature is IdentityIQ’s provisioning broker which allows us to either use its built-in provisioning engine or easily integrate with third-party provisioning and help desk/ticketing systems (such as IBM TIM/SIM, Oracle IdM, BMC IDM, BMC Service Desk, Novell IdM, Microsoft Forefront IdM, ServiceNow etc.) The backend provisioning of IdentityIQ is lightweight and fast to implement. Generally account provisioning can be setup in days versus weeks as is the case with some of the competing products.

SailPoint’s roots began with governance and compliance in 2006. Over time the IdentityIQ compliance and governance stack (user access reviews, SOD and access request) has evolved to provide deeper and more flexible functionality than we’ve found with competitors.

We’ve used IdentityIQ to help customers update their ‘paper and spreadsheet’ based user access review processes. This has helped customers increase the efficiency of access reviews, reduce workload, increase oversight of access remediation as well as start to fulfill regulatory and audit compliance requirements that where previously unattainable.

We’ve seen organisations go from detecting and reviewing high-severity SOD Policy violations once or twice a year to being able to detect and remediate SOD violations in the same day. IdentityIQ provides the detection, enforcement and traceability to take the manual, paper-based policies into real automated rules.

Many of our customers have also used IdentityIQ to replace homegrown and out dated access request solutions (some even manual and paper based), as well as migrate away from expensive and difficult-to-implement provisioning systems. Implementing IdentityIQ has allowed customers to reduce the cost of on-boarding applications into enterprise access review and access request processes as well as tightly integrate access request and remediation with approval workflows and back-end provisioning.

Unlike other competing products IdentityIQ is designed with end-users in mind rather than just targeting the IAM system administrators, we would like to have a bit more flexibility in how the screens are laid-out and the content. Some of our clients prefer feature-rich UI/screens whilst other would like to have simpler interaction and presentation.

Dashboards – whilst better and more feature rich than a number of competing products, they are still nowhere near the functionality one gets from dedicated portal and analytics tools (eg. drill-downs, comparative views, etc.).

Report writing is much better in the latest versions, but it is still not comparable to what one can get out of dedicated reporting tools.

I started working with IdentityIQ in 2007. Until now, I’ve been actively involved in design and configuration of a large number of IdentityIQ deployments across Australia, Asia, America and the Middle East. We (First Point Global) have been a SailPoint partner since 2007.

In terms of the product itself - no. Deployment of the product is very straightforward; there are a lot of resources available to assist you in finding the answer to any deployment question you might come up with. There is a large community of people working on IdentityIQ. If you come across a problem there’s always someone around that’s done that before and has suggestions.

The main challenge has been that each client’s environment is different; from the way in which they configure their ‘managed’ systems, to constraints imposed by the client’s SOE (standard operating environment), to the client’s infrastructure topology, to change control and migration processes and tools the client wants to/has to use.

One of the main challenges is for clients to understand and accept that IdentityIQ implementations are not a systems development/coding exercise; rather IdentityIQ deployment is more about configuration than coding.

No, IdentityIQ is stable. It has easy, built-in redundancy to handle any unforeseen events. Also, server management is simple and easy to understand.

IdentityIQ scales well both vertically (‘bigger’ servers) and horizontally. When load increases additional servers can be added to the UI or task server groups with minimal configuration effort. IdentityIQ supports the notion of having dedicated UI servers handling user interaction and task servers, which handle background activities (eg. data loading and refresh, generating reports, re-evaluating SOD policies, etc.). IdentityIQ manages its own batch server load balancing in the background. SailPoint also provide whitepapers and supporting materials on tuning your IdentityIQ deployment to meet your needs and your environment.

However, we have encountered issues using IdentityIQ on virtualized platforms. These were caused by the virtualization hosts being overloaded (i.e. several virtual machines on one overloaded host). If you are going to virtualise IdentityIQ application servers, I would recommend allocating vCPU and memory to each virtual machine. If resources are not allocated, IdentityIQ can be starved by other virtual machines running on the same hosts.

Great, SailPoint offers several points of contact. You can use either the SailPoint communities, customer portal (Salesforce-based) for management of support cases and queries, or directly contact your professional services manger or engagement manager. SailPoint has staff located in most geographies and it’s easy to get hold of someone technical when you need a hand.

Excellent, SailPoint provides both customer and partner community forums; SailPoint technical staff, partners and customers actively contribute to these forums. Often you can find the answer to a question in a forum without the need to raise a support ticket. The communities are an invaluable repository of technical knowhow as well as a source for documentation, tutorials and videos. SailPoint also holds regular webinars. These and all whitepapers are stored and made available to the community. By using the community, it’s possible to find out who has done it before, see what solutions they came up with, as well as even contact that person to ask questions. It’s a great way to get to the bottom of something quickly.

SailPoint support engineers are located in most geographies so your questions get answered quickly. The SEs are also approachable and easy to work with.

As a company we implement identity solutions for customers. We’ve implemented a variety of product replacements and migrations, including:

Oracle Identity Analytics (OIA) replacement (formally Sun Role Manager and Vaau RBAC), OIA lacked the flexibility and functionality to meet the customers’ SOD (Segregation of Duty) Policy requirements as well as entitlement and role modeling requirements. Lack of industry resources with implementation product knowledge was also a factor in retiring OIA solutions; lack of supported application connectors (and/or complexity, eg. requiring fully functional implementation of Oracle IdM for OIA to function) was another factor.

BMC IDM / Control-SA, we’ve implemented both Control SA replacement, and more recently we worked on Control SA end-of-life migration projects. SailPoint offers a clear migration strategy to replace existing Control SA/ESS deployments. SailPoint acquired the BMCs IDM/Control-SA Connector stack people/technology to make migration much simpler exercise; replacing Control SA/ESS can be as simple as configuring the application connectors in IdentityIQ and pointing them to the existing Control SA Agents or Service Manager. Since acquiring the BMC ESS Connector stack, SailPoint has started rewriting the connectors into agentless Java connectors which are simpler to use. Some legacy connections still require agents i.e. RACF, ACF2, NIS.

Prior to compliance and governance solutions coming to the forefront of identity management, we found our customers were starting to think about and “roll their own” solutions to complement the gaps in their IdM stacks; this often involved attempting to ‘bolt on’ access reviews and SOD functionality into existing provisioning systems.We’ve worked with customers to replace several in-house developed solutions, including customer-developed Access Request, User Access Review and even a custom developed Provisioning system! In each case the customer chose to migrate off their home-rolled solution to take advantage of the savings offered from an out-of-the-box solution as well as take advance of the deep compliance and provisioning functionality that IdentityIQ offers.

Installation requires knowledge of application servers and relational databases; a high availability environment can be setup in a matter of hours-days once infrastructure is in place. IdentityIQ requires a relational database and supports all the main flavors, Oracle, IBM, Microsoft, MySQL; IdentityIQ runs on a Java application server, again the common platforms are supported, Oracle, IBM, Apache Tomcat and Red Hat JBoss.

We (First Point Global) are a solutions integrator specialising in identity management; a typical project implementation team involves First Point Global consultants with years of experience in deploying IdentityIQ into large organisations. We work with and train the customer team to up-skill employees to assist in transfer of the IdentityIQ solution from implementation to BAU.

Of course you will always rate yourself as high, but we are the largest team of IdentityIQ implementers in APAC. Also, we won the SailPoint Amarda Award in both 2013 and 2014 for SailPoint’s top partner in the Asia Pacific region.

Through our implementations we’ve seen the existing manual access review processes shrink from a team of people used to gather, send and review certification results down to one or two administrators. Gathering of account data, sending of access review notifications, escalation of incomplete access reviews and detection of remediation is all automated. Administrators can focus on reviewing the results not doing the heavy lifting, results can be easily summarised for the people that need it.

IdentityIQ is still a relatively new comer to identity management, but its implementation is modern and it has built on the lessons learnt from the older, harder to use and often cryptically complex provisioning systems. Workflows and connections to applications do not need to be complex and take far less time to implement than heavy provisioning systems.

IdentityIQ is quicker to implement than its pure provisioning counterparts, implementing IdentityIQ for compliance and governance means you can later reuse the existing on-boarded application connections to implement provisioning.

The cost associated with setup depends on the scope of work, and largely the extent of integration with the applications to be on boarded as well as the functionality applied to those applications (i.e. access review, access request, provisioning, roles, SOD, etc.).

IdentityIQ is a very flexible product. We’ve found the key to using it well and getting the best value for money is to determine how to model your access review, access request or provisioning processes in IdentityIQ, then apply that to a majority of applications. If applications require unique processes for each department, there can be additional configuration overhead, aim for economies of scale where possible.

Some examples of projects:

-30 day IdentityIQ ‘quickstart’ project, on-boarding of 7 high-risk enterprise applications + HR feeds. User access reviews configured and kicked-off in production.

-90 day Control SA migration project, migration of hundreds of provisioned applications into IdentityIQ. And replacement of Control SA Password Management and Access Request functionality with IdentityIQ

-100-200 days IdentityIQ governance project, on-boarding of all enterprise applications into IdentityIQ to perform regular access reviews and detect SOD violations as they occur.

For day to day running of IdentityIQ post implementation we generally advise a small administration team of 2-3 people; some of our clients are supporting IdentityIQ deployment with a 0.5 FTE. Administrators are responsible for performing general house keeping as well as fielding queries on access reviews and scheduling access reviews, new application on-boarding and patching.

We’ve reviewed Oracle Identity Analytics (OIA) and RSA as well as the Dell offerings. Of the three we found RSA Aveska the closest competitor to SailPoint; the Oracle and Dell offerings do not have the same depth of functionality. When doing feature-by-feature comparison as is in a typical RFP/RFQ the majority of IdM products look the same. There are two areas where IdentityIQ often proved to be better than competing products were ‘time to market’ (i.e. how long it takes and how much effort is required to start addressing real issues and delivering value to the business) and complex user access review scenarios.

Listen to the vendor and other clients who have successfully implemented the product; lots of, problems with hardware and implementation process can be avoided by taking the advice of those who have been there before.

Ensure the project has strong leadership. You’ll need this to ensure cooperation of system administrators that are often protective of access to their applications. You need to configure provisioning, but administrators will only give you a read-only account until it is proven it works and will not cause problems. Or enterprise architects may insist that all integration has to be done through corporate middleware, requiring lots of custom development, rather than using OTB connectors.

Make sure your hardware meets the SailPoint requirements (see the ‘IdentityIQ Performance Optimization Checklist’ on SailPoint’s forum - this details the required hardware and network requirements at a glance). IdentityIQ supports virtualisation nicely, but you do need to make sure your virtualisation hosts have enough resources to meet IdentityIQ processing requirements. We suggest allocating CPUs and memory to IdentityIQ application hosts to ensure dedicated usage of required resources.

Make sure your database and application servers have a low latency round trip. We recommend putting the two in the same data centre. IdentityIQ is a big user of data - lower the time it takes to retrieve the data and the UI and batch tasks perform snappier.

Install your development environment to get started with IdentityIQ, then read the ‘IdentityIQ Performance Management Guide’ to ensure that all non-development environments are installed and tuned correctly for your infrastructure. A tuned environment is a fast environment; and fast environment means happy end-user. Also, make sure your administrators do regular health checks.

Deploying IdentityIQ is an integration task, use agile development to on-board applications quickly, have a simple to document application template to capture integration details, but remember you are not designing a system from the ground up. This is not a Java/VB/C++/you-name-it coding exercise.

Using OOTB means fast implementation times and lower cost to you. IdentityIQ is flexible but customizing everything will add to your costs now and your maintenance later. Keep it simple and keep the process standardised.

How often do you need to refresh the data? The hardware required to run IdentityIQ is largely dependent on how often you configure IdentityIQ to reload the data. How often the data is really required to be reloaded is largely dependent on the features you are using,. For example, SOD policy violation detect might require daily updates, but reviewing user access quarterly does not require daily data refreshing!

If you do want to keep all data up to date, then be smart and take advantage of IdentityIQ’s delta aggregation and partitioning functionality. Build application on-boarding tuning into your application on-boarding process and have database administrators review queries for performance.

Always utilise the direct connectors. Although IdentityIQ supports a variety of file feed connectors using the direct connectors now means you can take advantage of provisioning later without reconfiguring. Remember file feeds are unlikely to match the data the direct connector will pull back, reuse the investment SailPoint have made in the OOTB connectors and save time and money!

Standardise the compliance processes applied to applications. IdentityIQ is flexible but a unique access review process for each application will require more configuration and maintenance. Keep it simple and easy to maintain.

IdentityIQ has been the market leader according to the Gartner IGA Magic Quadrant for the past two years. We deploy and support several identity and access management products, and have reviewed numerous other vendors’ offerings.On balance we find IdentityIQ to have the best mix of functionality and ease of use, as well as being the easiest and most flexible to deploy.Quite a few of our engineers prefer to use and deploy IdentityIQ over other compliance, governance and provisioning solutions.

Certification of user's access, enabling the organization to have a strict governance of what its employees are for entitled to currently.

By using this product the organization has moved from manual access governance done previously to automated governance which has a full audit trail, and this is very beneficial.

Some of the features like multi-aggregation and self healing feature in case of corrupted certificates would be pretty useful which would enable easy debugging in case of issues.

More than two years.

No, the deployment is pretty straightforward.

No, the product is pretty stable given it has sufficient clustering and HA catered for seamless 24x7 high volume access.

Yes, with a growing number of certificates there was slowness in the overall certificate generation time which I believe is corrected in the upcoming release of the solution.

7/10.

8/10.

Yes, we used Aveksa's access governance which seemed to have a lot of issues with regards to aggregation and certificate generation which prompted the switch to Sailpoint.

It was pretty straightforward, just need to follow installation documentation properly.

It was done by the in-house team.

Aveksa was compared with Sailpoint identityIQ and Sailpoint IdentityIQ fared better in terms of performance and features.

If you are looking for a product that would suit your access governance needs then perhaps Sailpoint identity IQ is a good option, but if you require automatic remediation capabilities as well then you might need to integrate it with an identity management product like OIM.

Building/expanding a directory tree for my customers was the most valuable tool. Another was the ability to remove someone from the network with just a few clicks.  It was fairly easy to learn and the layout of the controls had an intuitive feel.

The organization is moving to replace several tools with this one tool.

Broke down several times during my 4 months but overall the delays were mostly minor.

I used it for four months.

I was an Identity Access Management operator for a company contracted as an outsource for a major global company. My involvement was brief. I was part time help while looking for full time employment in an unrelated field.

SailPoint started as a product for certification and governance. This is their most mature module and the first portion of the tool my clients want to implement.

But other valuable features are the strong user interface, quick ability to stand up solution, and many out of box connector.

This product, when implemented correctly, can streamline access control operations, reduce risk by provisioning and de-provisioning access quickly and hold approvers accountable for decisions on access.

There seems to be a rush to add new features in SailPoint. I would prefer cutting the amount of features in half to increase the stability, reduce the resource utilization and reduce bugs..

I have been using IdentityIQ and other Identity and Access Management solutions for over 3 years

We encountered major issues with the Active Directory connector caching configurations and concurrent major release upgrades. If you are running SailPoint 5.3, you need to update to 5.5, 6.0, 6.1, and 6.2 before upgrading to 6.3, it was a mess.

Although it seems to be getting better, for each deployment it seems a new set of bugs appear. There has never been a deployment where we have not encountered a product bug. If you are looking to do a deployment it may be better to deploy on the previous version with the latest patch than with a new version (e.g. 6.2.5 instead of 6.3).

Being based on Java, this tool is very heavy in memory and in processing. Word of advice, for large implementations be sure to use Intel processors. SailPoint supports Unix deployments, but it really is only better for smaller environments

SailPoint has a strong account management and support team, each company has an account manager and they are available to escalate issues quickly. Do not hesitate to escalate issues if they are time sensitive, sometimes it is tough to get their attention if something needs to be resolved quickly.

Similar to customer service, the technical support is strong. It might take a few times back and forth to get them out of the “try this and send us your logs” cycle, but getting them on a WebEx or LiveMeeting is a great way to watch them shine.

The initial setup is very straight forward and it takes around 30 minutes end to end. It is a Java app on a web server; you can do it locally very quickly.

The initial setup is very straight forward and it takes around 30 minutes end to end. It is a Java app on a web server so you can do it locally and very quickly.

We have had deployments with combinations of consultants, vendor hours(~200), and in house teams. The vendor help has always been very good, albeit sometimes you may get a fresh college graduate as an expert.

We achieve two returns in the investment in a SailPoint implementation. We were able to streamline access control related business processes and reduce identity management and access control risks, including potential audit/regulatory findings.

The other major players in the Identity Management space are Oracle OIM/OIA, Aveska and CA Technologies Identity Management. We had evaluated all via a vendor scorecard.

It is very difficult to go at this alone. If you are interested in implementing send your engineers to the SailPoint provisioning training and get a few experienced consultants to help you.

We can use different types of DBs and Application Servers from different different brands for the business. Many are supported by II.

Customization of workflows as per business needs is easy & most effective part is certification for easy compliance and access monitoring & revokes extra access if any.

Complex configuration if you want to have AD forest architecture in place.

Three years.

No issues encountered.

No issues encountered.

Only if we have a combination with an AD forest.

Very good. Support is provided even on weekends.

1. Very user friendly unified UI (for users and administrators)
2. An excellent out-of-the-box features (hierarchical RBAC, flexible provisioning policies, role-mining, certifications, life-cycle events, etc)
3. Modest hardware requirements
4. A large list of out-of-the-box connectors (with no additional charge)
5. Using only standard java technologies (java, beanshell, HTML, jsp, JavaScript, XML, some Apache projects)
6. Possibility to deploy the solution on different DBMS and application servers of your choice
7. Very fast implementation of the solution with custom modifications

1. The price is very high
2. The partnership program is very inflexible
3. Provisioning. This functionality sometimes require too much coding to implement some customers' requirements
4. "Ease of use." IdentityIQ has a function that can be described as duplication (this can depend on the point of view) for example, groups, population, and work-groups
5. Implement the support of organizational structure

About one year.

Yes, of course. Every time, when you implement a project for a customer you will encounter some issues.  The primary question - how quickly the vendor will help you with issues, or how strong are the programmers and engineers in your team to find a solution in-house.

No, I didn't.

No, I didn't.

Of course. In addition to SailPoint IdentityIQ I have experience in implementing MS FIM 2010, OIM 11gR2, and Oracle Waveset (Sun IDM) 8.

In my opinion this is the best product and I agree with Gartner which described it as the best product in the "Identity Governance and Administration Magic Quadrant" in 2013-2014.

I would say it's simple (compared with OIM 11gR2, but more difficult when compared with MS FIM 2010 R2).
IdentityIQ has very good documentation and you shouldn't face problems with the installation.

With an internal team. All team members have very strong experience in the IDM sphere, including working experience with other IDM vendors (Sun, Oracle, IBM).

SailPoint IdentityIQ is a very good product (in my opinion - it is the best product and it took the leading place in Gartner's Magic Quadrant two years in a row) and I can recommend it to all who are looking for a very strong IDM solution (if the price suits you).

The solution includes all aspects of user lifecycle management, like joiners, movers and leavers, regulatory compliance, reporting and auditing. And the compliance part of the solution includes certification from time to time basis. All these are usual IEM cases. The aforementioned instances are all IAM cases.

The first valuable feature of the solution is its interface. The second feature of the solution is the level of flexibility it provides. So, it can be easily configured by a person using just a few rules and coding standards, after which that person can make anything out of the solution. SailPoint is quite an old solution in the market. So they know what new things are coming into the market along with artificial intelligence, and they have ensured that they have integrated into their solution the developments over time. Basically, SailPoint is up to date with the market standards.

Regarding the scope for improvement in the solution, reporting is an area that can be a bit more UI-oriented. Apart from that, it's a very good product, and I do not have any complaints about it.

Our company works as a distributor in the Middle East region for SailPoint. So, we are not just selling the product but also selling other products. I have been working with SailPoint IdentityIQ for eight years. Presently, I am working with SailPoint IdentityIQ Version 8.3.

It's a totally stable and very robust product. I've never seen it going down in the last eight years. I rate the solution's stability a ten out of ten.

Since it is a very scalable product, I rate the solution's scalability a ten out of ten. Our clients include small, medium, and enterprise businesses.

Since SailPoint is a big company, it usually takes time. The company has to schedule an appointment with the people and organizations to address their issues. So, I rate the solution's technical support a seven out of ten.

Neutral

Given a person has a background in implementing solutions, site architecture, and infrastructure, I rate the difficulty level of the current solution as an eight out of ten, with one being very difficult and ten being very easy.

The solution is deployed on the cloud, hybrid cloud and on-premises.

The basic deployment of SailPoint over user lifecycle management can depend on a client's use cases. However, for the basic setup of the system, it may take a week or so to get the solution ready with everything configured. One architecture is enough to carry out the deployment process. Also, the number of people required for maintenance depends upon the total number of use cases we have configured, so we can't categorize or quantify it.

I rate the solution a seven on a scale where one is cheap and ten is too expensive. In short, the solution falls under the higher side of pricing. For the solution, our company has secured a perpetual license.

I would tell those planning to use this solution that it is a very good and robust product in the market which supports almost all use cases. Also, SailPoint plans to expand to consumer identity. If one plans to proceed with this product, it will be a good decision. Additionally, it is not feasible for very small businesses, but it could be an amazing product and a good investment for the medium to large organizations. Overall, I rate the solution an eight out of ten.

We use this solution for identity governance and to understand who has access to what and whether that access should be granted or not. We also use it for access to recertification automation which provides a complete report of who has what access in the organization at the press of a button. We are able to automate the entire process of joiners, movers, levers and the provisioning and deprovisioning of identities. 

When someone joins any organization, all their roles and access is provided at the click of a button. When they move from one department to the other, the accesses which are not required are revoked, and the ones which are necessary are provisioned. Sailpoint offers complete automation of the lifecycle of any user.

We are able to offer on-prem on cloud based deployments, depending on our customer's requirements. 

This solution has made our team more effective. We need less manual approvals when someone new joins our company. There is less paperwork and fewer support tickets raised for access. 

The number of integrations that they have is amazing. The flexibility of the tool is great and you can really customize a lot. The dashboards that can be created are very useful. The proactive revoking of accesses in the case of an attack is amazing.

The cost of this solution is high. The technical assistance center could be improved. They're very good, but considering the intricacies of the solution, they can further improve.

We have been using this solution for six and a half years.

This is a stable solution. 

This is a very scalable solution. A couple of million users can be scaled overnight.

I would rate this solution's technical support a three and a half out of five. 

Neutral

The initial setup is complex due to the handling of identity and access management. If you have the expertise and if you are trained well, then it is not difficult. Deployment takes between three and twelve months.

This is an expensive solution. I would rate it a two and a half out of five for pricing. 

I would recommend Sailpoint to others. 

I would rate this solution a ten out of ten.