Over the past couple years, identity management technologies, including provisioning, web access management and directory services, have been joined by an emerging set of technologies that involve role management, identity audit and governance, and entitlement management.
These technologies can play a key role in meeting both business requirements related to auditing and reporting, and security requirements regarding user access to sensitive applications and information.
But there are other business benefits as well, including improved performance and productivity for employees, more efficient provisioning for system administrators, decreased help desk costs and improved compliance. If you're just getting started on an identity management project, or even if you're well on your way, here are some tips on how to make a business case.
1. Decide what IDM means to you
IDM's complexity lies in the fact that it means different things to different people, says Bryan Palma, vice president of global information security at EDS and former CSO of PepsiCo. One of the first things you should do is decide what it means to your organisation.
"In some circles [like the government], IDM means credentials, hard physical access and authentication," Palma says. In that case, "IDM is more about HSPD-12 than a back-office approach of how to manage users."
Vendors are integrating many of these technologies. Palma says that as a general rule, companies offer an integrated system with the three core components (directory, provisioning and web access, which will be used to manage user provisioning, on-boarding and off-boarding), and also, possibly, a physical component, such as credentialing.
"The challenge there is the people who are more interested in the credentialing authentication piece aren't pursuing the back-office identity, and vice versa," Palma says.
2. Articulate the business performance and productivity benefits of IDM
To hear Palma tell it, IDM is the rare case where security is not at all something that gets in people's way.
"There are few places where security can actually make a case around productivity and performance and impact to the end user, and identity is one of them," Palma says.
That's why Palma tells his clients to focus on this area — because business productivity is something people can "get their hands around easily".
"It all comes down to putting things in black and white and explaining how IDM can help reduce the costs related to a certain action or set of business processes," says Martin Gee, CTO at ICSynergy, an identity management consultancy. Often, an IDM case can be made as it relates to help-desk costs. You could explain how much time per month the company is spending doing password resets, and how much money an IDM system that puts password resets into the users' hands could save the company, he says.
"Ultimately you want to position your IDM programme at a strategic level so it can be used as a lens through which the business can make decisions," Chris Gervais, SOA programme architect and technology relationship manager at Partners HealthCare, in Boston, says.
You can also use compliance to your advantage, as Gervais has done at Partners. His team rolled out an enterprise-wide password management solution a little more than a year ago. Although the goals behind it were multifaceted, one of them was in response to HIPAA regulations.
"We needed to make sure we had a strong enterprise password policy and that the business was complying with it," Gervais says. He positioned HIPAA compliance as a business imperative, and IDM as one way to achieve it.
3. Create a tangible, phased implementation plan
Without having an idea of how you are going to accomplish what you say you will, an IDM implementation can become a never-ending spiral, says Palma.
"Organisations that try to do too much end up not moving the ball down the field at all. You have to get tangible around your operational plan — what you can get done within a reasonable time frame — and then incrementally push up the bar as you move forward."
This key concept of "under-promise and over-deliver" can be accomplished by taking a phased approach to IDM that produces results at various intervals.
Use a short-term vision (aiming to make sure you can synchronise user passwords across all enterprise-facing systems within a year, for instance) instead of a long-term one (to have a completely pervasive distributed federated IDM system that allows us to interoperate and connect with customers and reduce the cost of M&As) right off the bat, says Gervais.
In order to increase your chances of delivering on what you say you will, Gervais says transparency with the business and users is key. "Have a lot of cross-discipline meetings, and be open about your milestones and deliverables. That gives the business a way to gauge what your true progress is."
A detailed end-user communication plan also aids in a successful IDM implementation, says Palma. Just as the business wants to know how IDM will drive cost out of the organisation, users (who will be impacted by IDM on a daily basis) want to know "what's coming, why you're doing it, and how it's going to make their end user experience better". For those reasons, Palma says you need to have a strong awareness plan in place and get user buy-in before rollout.
Finally, companies should not underestimate the effort and cost associated with IDM. An implementation can reach four to five times the cost of the software, says Mark McClain, CEO at SailPoint, an identity management vendor.
The more customisation you need to align that software with your businesses processes, the higher the deployment costs and the longer the implementation. "I've seen provisioning deployments stall out after being integrated with just 10% of an organisation's applications because of the time and money required to extend the rollout further."
4. Don't forget to have a 'Mr or Ms IDM'
The IT department may own the budget and the implementation, but it is dependent on the buy-in and participation of business groups at every step in the process. That's why Gervais and Palma agree that every company should have a "Mr or Ms IDM". That means one person is responsible for explaining where the organisation is manually, what the vision for automation is and how the plan will be executed. "Structurally," Palma says, "a lot of organisations find that hard to do."
Gervais says the person in charge should be focused on building relationships with the departments most impacted by an IDM solution. "That includes infosec departments, customer-facing departments, the help desk (which bears the burden of a lot of the operational issues with IDM) and perhaps the director of application development," he says.
Human resources should also be involved, since it owns key identity processes and holds important information on employees, says McClain. Similarly, it's important to involve lines of business that own the data and applications that an IDM solution would protect, as well as audit and compliance personnel.
5. Avoid scare tactics or pigeonholing
There are wrong ways to approach the business as well. One of them is the use of fear mongering and scare tactics to prod the business into getting something done, says Gervais.
"That's almost like crying wolf. You run out of credibility quickly because you haven't built a business case. You've built an emergency," he says. That isn't to say you shouldn't articulate and communicate risk, but when you fall back on it consistently, you've created a grudging way for the business to accept your solution.
The other no-no is focusing on IDM as a solution to only one problem. If you do that, Gervais says, you artificially limit its business value and pigeonhole the plan. "Because budgets are limited, you have to make a business case for something that is highly leverageable. You need to be agile enough to take business input, iterate over it and continually evolve your programme to meet those needs," he says.