Sailpoint

SailPoint IdentityNow - Cloud Identity Governance Service

Cloud based Identity Governance solution from leading identity vendor, SailPoint. IdentityNow enables business friendly identity governance via access request, certification and effective provisioning and deprovisioning of joiners, movers and leavers, along with improved productivity and usability via Password Management capabilities. Patented Zero Knowledge Encryption security model.

Features

  • Access Review covering cloud and on premise applications
  • Automated provisioning and user life cycle management as a service
  • Over 100 pre built read and write connectors
  • Password Management for on and off network password resets
  • Access Request delivered as a service
  • Identity warehouse representing the entire truth about the user identity
  • Governance of roles and role policy management
  • Securely deliver IGA with patented Zero Knowledge Encryption algorithm
  • Visibility, reporting and querying for identities, entitlement, accounts and policies

Benefits

  • Enables resource owners and business managers to manage access
  • Automate joiner/mover/leaver scenarios, create custom HR states driving user access
  • Connector library supporting leading enterprise systems and custom connectors
  • Reduced helpdesk calls for password management, improving security and efficiency
  • Secure self-service password management reduces IT load, enhancing user productivity
  • Contains ShadowIT growth while improving security and user productivity
  • Single source of truth for all questions concerning user access
  • Govern business and IT roles for automation and security
  • Communicates with existing infrastructure securely without forcing any changes
  • Instantly answers "who has what level access to what resource"

Pricing

£50000 per unit per year

  • Education pricing available

G-Cloud 9

280525701319776

Sailpoint

Stephen Allcock

+44 (0)7837 340241

stephen.allcock@sailpoint.com

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints IdentityNow is deployed in Amazon Web Services (AWS). Hosted data resides in one of several AWS regions, the location of which is determined by the customer. Customers may elect to have their data hosted in the EU in Frankfurt, Germany or in the US in Oregon or Virginia.
System requirements
  • Web Browsers: Firefox, Internet Explorer, Chrome or Safari
  • Hypervisor for Virtual Appliances housing our 80+ OOTB direct connectors
  • SaaS solution. Other components are managed in AWS by SailPoint

User support

Email or online ticketing support Email or online ticketing
Support response times Severity 1 - Response time one hour; Severity 2 - Response time two hours; Severity 3 - Response time eight hours; Severity 4 - Response time 12 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels SailPoint offers Premium support for our IdentityNow SaaS solution. Premium support provides 24x7 support for severity 1 issues.

Support and maintenance includes: Telephone or electronic support in order to help Customer locate and correct problems with the SaaS Services; Bug fixes and code corrections to correct malfunctions in order to bring such SaaS Services into substantial conformity with the operating specifications contained in the Documentation; All extensions, enhancements and other changes that SailPoint, at its sole discretion, makes or adds to the SaaS Services and which SailPoint furnishes, without charge, to all other subscribers of the SaaS Services; Up to five (5) dedicated contacts designated by Customer in writing that will have access to support services; Access to Compass, SailPoint’s customer and partner portal, which includes discussion forums, technical information, latest company and product information, webinars, and product downloads. It also provides collaborative forums, which allow interaction between customers and SailPoint subject matter experts; Appointment of a Customer Success Manager to serve as your primary point of contact and advocate within SailPoint.

SailPoint also offers professional services that can be provided onsite or remotely. Professional services are not included, but are available at an additional cost.
Support available to third parties Yes

Onboarding and offboarding

Getting started Comprehensive documentation is provided by SailPoint to cover all aspects of IdentityNow functionality. All IdentityNow documentation is provided online via the Compass web portal and includes technical white papers, implementation guidance, IdentityNow wiki, and other documentation. Compass also includes a User Forum where clients can ask specific questions and get answers from our technical support staff and other clients.

SailPoint offers instructor-led Administrator and Implementation training sessions that are tailored to each customer’s deployment and cover topics such as: Introduction to IdentityNow; Setup; Data Aggregation and Correlation; Implementation Guidelines; Access Certification; SSO; Password Management; Troubleshooting.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction When the SaaS subscription term (contract) ends the users may request an export of all data stored in the system by submitting a request to the IdentityNow support team. The data will be delivered to the users in a CSV file format.
End-of-contract process Upon termination of the SaaS Agreement or expiration of the Subscription Term, SailPoint shall immediately cease providing the SaaS Services and all usage rights granted under this SaaS Agreement shall terminate.

The contract (SaaS subscription) includes access to the service and customer support for the service. All professional services are additional costs and this would include any transitional professional services required at the end of the contract.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The service is a cloud based service, which is accessed via a browser interface. IdentityNow supports all modern browsers and is agnostic when it comes to the device accessing the service. When accessing the interface, the page is automatically scaled for whichever device is being used.

In addition, SailPoint offers a mobile application for iOS and Android, which supports Identity Federation and credential replay Single Sign-On.
Accessibility standards None or don’t know
Description of accessibility The service is accessible via all modern browsers.
Accessibility testing N/A. SailPoint has not conducted interface testing with users of assistive technology.
API Yes
What users can and can't do using the API SailPoint offers a fully functioning, versioned API.

The IdentityNow Platform APIs allow you to build your own applications, web sites, and tools that take advantage of IdentityNow's data, features, and flows. The APIs follow a familiar RESTful standard, using query and path parameters, request/response headers, and JSON request/response bodies.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation IdentityNow has a host of customisation options. For example, customers can change the User Interface (colours and logos), create custom connectors to applications, and custom workflow elements.

Scaling

Independence of resources IdentityNow is a highly scalable SaaS solution. It automatically scales to handle load, and there is no practical limit of transactions.

IdentityNow is routinely tested for performance in an environment with approximately 500,000 identities with targeted end-user performance metrics, such as performing 25,000 logins over 1.5 hours with an error rate less than 1%, 400 password resets in 20 minutes with 0% failure rate, and over 15,000 logins per hour with no degradation. The performance test strategy and benchmarks are continually evaluated in order to improve performance and increase the testing coverage.

Analytics

Service usage metrics Yes
Metrics types Metrics include:
  • Availability of IdentityNow
  • Number of active and inactive users
  • Number of SSO accesses per application and per user
  • Number of successful and unsuccessful changes on a per application basis
  • Audit log metrics for all provisioning, access request and access certification actions within the service
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach IdentityNow is hosted in Amazon Web Services and is built as a secure, fault-tolerant and scalable SaaS offering. SailPoint utilises its patented zero knowledge encryption to provide multiple layers of encryption on all critical data stored in the IdentityNow cloud database.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach IdentityNow has APIs and reports which the users can use to export their data as needed. If the user wants all data exported they can submit a request to the IdentityNow support team and the team will deliver that data in a CSV file format.
Data export formats
  • CSV
  • Other
Other data export formats Report and audit data exportable in CSV or PDF format
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks All sensitive data transmitted through the IdentityNow infrastructure is encrypted using SailPoint's patented "Zero Knowledge" encryption. The encryption methods used include TLS for all HTTPS layer encryption, and AES 256 for all credentials in transit. Also note that the private key supporting the Zero Knowledge encryption is a key chosen by the customer, stored behind the customer firewall and can be changed at any time by the customer.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network IdentityNow utilizes Amazon Web Services (AWS) for hosting. AWS data centers are state of the art, utilizing innovative architectural and engineering approaches.

AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. Network scanning is performed and any unnecessary ports or protocols in use are corrected.

IdentityNow provides encryption of sensitive customer data using keys that are only ever controlled by the customer or end user's device. No key is persisted or made available to SailPoint.

Availability and resilience

Guaranteed availability The SaaS Services will achieve System Availability of at least 99.9% during each calendar month of the Subscription Term. “System Availability” means the number of minutes in a month that the key components of the SaaS Services in a Customer production environment are operational as a percentage of the total number of minutes in such month, excluding downtime resulting from (a) scheduled maintenance, (b) events of Force Majeure, (c) malicious attacks on the system, (d) issues associated with the Customer’s computing devices, local area networks or internet service provider connections, or (e) inability to deliver services because of acts or omissions of Customer or any Identity Cube user.

If SailPoint fails to meet System Availability in an individual month, upon written request by Customer within 30 days after the end of the month, SailPoint will issue a credit in Customer’s next invoice in an amount equal to ten percent (10%) of the monthly fee for the affected SaaS Services for each 1% loss of System Availability below stated SLA per SaaS Service, up to a maximum of fifty percent (50%) of the Customer’s monthly fee for the affected SaaS Services.
Approach to resilience SailPoint’s IdentityNow solution is provided utilising Amazon Web Services with each primary hosting location providing full redundancy of hardware, software, and network infrastructure. SailPoint provides fully automated failover and advanced backup and recovery measures to ensure that IAM services are available for operation and use. Additionally, controls are in place to provide quick restoration capabilities from backup, in the event that a site or overall service experiences a critical failure.
Outage reporting IdentityNow is a pure SaaS solution and IdentityNow service components are monitored by SailPoint DevOps personnel. There is a public status dashboard online.

For issues broadly impacting all customers, notice and updates would be posted to the Compass portal. You can elect to receive email notification when such notices are posted to Compass. For serious issues, your customer success manager will reach out to you via email and/or phone. SailPoint assigns a Customer Success Manager to every client. The Customer Success Manager serves as your primary point of contact and your advocate within SailPoint.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels SailPoint applies the principle of least privileged access. Employees are granted access based on pre-approved roles and job descriptions, which are reviewed and re-certified at least annually.

In IdentityNow, administrative access is restricted to DevOps. We utilise a support account, which is separate from customer access accounts. Access to the production environment by SailPoint DevOps personnel requires remote access into the EC2 environment (operated by AWS) which is restricted through the use of a Secure Shell (SSH) connection from the SailPoint corporate IP address and two-factor authentication.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations SailPoint has completed an SSAE16 SOC 1 Type II audit

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach SailPoint maintains policies and procedures consistent with industry best practice. SailPoint's information security standards include elements from ISO, COBIT, CSA CCM and NIST.

SailPoint has begun the process for ISO 27001 certification and expects to be complete in 2017. We have completed an SSAE 16 SOC 1 Type II audit. We have begun the process for a SOC 2 audit and expect to be complete in 2017. We have also begun the process for FedRAMP
Information security policies and processes The Company maintains IT Security policies which define IT security protocols in order to help minimise security risks. The policies (including incident response, change management, data handling, DR/Backup) are available on the Company’s intranet and are reviewed annually.

All SailPoint employees complete online computer-based security awareness training annually. The Wombat Security Training includes computer-based training on traditional security awareness topics, including physical, email and mobile device security. The training also includes anti-phishing simulated attacks throughout the year and training designed to improve employees' recognition of baits and traps commonly found in phishing emails and spear phishing attacks. Employees learn to identify and avoid manipulative content, malicious and disguised links, dangerous attachments, inappropriate data requests, and other threats.

Additional training is provided at the departmental level as appropriate for each role. All members of the engineering team are provided education about developing and testing secure applications including the Open Web Application Security Project (OWASP) Guide to Building Secure Web Applications and Web Services, the most current documents from the OWASP Top Ten Project, Essential Skills for Secure Programmers Using Java/JavaEE from the Secure Programming Council, and SANS’ Top 25 Programming Errors.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Changes to the IdentityNow production environment are performed by SailPoint DevOps personnel. Once testing has been successfully completed and a release is approved by the Director of Engineering, DevOps personnel create new virtual server images (using the Build server). These builds are created in Jenkins using the final, tested version of the change from the staging environment. These machine images are then deployed/implemented by DevOps personnel into the production environment, and old machine images are disabled.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach SailPoint completes both internal automated vulnerability scans, which are executed during regular verification cycles as part of each weekly release, and external penetration tests conducted by a third-party firm.

AWS performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools.

SailPoint subscribes to vendor notification services with notifications of newly released patches and updates. Patches reviewed by SailPoint and deemed to be “Critical” are applied within 30 days of release. SailPoint generally upgrades IdentityNow on a weekly basis but can apply a patch within 24 hours if warranted.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach SailPoint leverages Amazon Web Services (AWS) to host IdentityNow. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks.

SailPoint uses a variety of tools to monitor the availability of the IdentityNow production environments for its clients, including alerts from AWS. These tools send alerts to the SailPoint DevOps team that trigger follow-up procedures.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Customers should report any issues with the IdentityNow service to SailPoint support via the Compass portal, email or telephone.

SailPoint maintains a Security Incident Management Policy and an Incident Response Policy, which specify the steps and roles and responsibilities should such an incident occur. These policies address remediation and follow-through to ensure the issue is understood and fully addressed.

As it relates to a security issue with a SailPoint product or service broadly impacting all customers, notice and updates would be posted to the Compass portal. For serious issues, your customer success manager will reach out via email and/or phone.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £50000 per unit per year
Discount for educational organisations Yes
Free trial available No
