Dave,

Having served on the same panel at Kuppinger Cole EIC, I thought I’d add a few thoughts to Ron’s. Certainly, roles are a critical component of Identity GRC, but it’s not true to say that you can’t achieve Governance Risk or Compliance without a completed role model being in place. I would argue that the role model is a very important member of a family of controls needed to achieve sustainable identity governance. An effective governance model for identity needs to include role management, access certifications, policy enforcement, activity monitoring and risk analysis.

I agree that it’s important to recognize that Governance, Risk and Compliance for Identity is a journey. Sure, you want to be on the fastest road possible, but sometimes there are required detours to meet business needs, security concerns and compliance directives. That’s why I believe that saying all you need for compliance is roles is like saying the only one way to get from LA to New York is by driving that freeway. The reality is there are many options, even if you do now have to pay an extra $15 for your bag :-). The best way to get there always depends on specific circumstances, needs, timing and resources. Every role project, every enterprise GRC deployment and potentially every client, has very different challenges that need to be addressed through the development of that role model. As a vendor in the roles space, I’m obviously glad to see the industry at large now addressing roles more strategically. I am, however, a little concerned by the notion that roles are being seen as a quick-fix for every failing identity management project. That feels like a flight to New York that’s likely to land in Wichita Falls due to a failed customer expectation on the left wing.

Gee, it must analogy Friday :-)

Darran Rolls (CTO SailPoint)