Over the past couple years, identity management technologies, including provisioning, web access management and directory services, have been joined by an emerging set of technologies that involve role management, identity audit and governance, and entitlement management. These technologies can play a key role in meeting both business requirements related to auditing and reporting, and security requirements regarding user access to sensitive applications and information.
But there are other business benefits as well, including improved performance and productivity for employees, more efficient provisioning for system administrators, decreased help desk costs and improved compliance. If you're just getting started on an identity management project, or even if you're well on your way, here are some tips on how to make a business case for identity management.
1. Decide What IDM Means to You
IDM's complexity lies in the fact that it means different things to different people, says Bryan Palma, vice president of global information security at EDS and former CISO of PepsiCo. One of the first things you should do is decide what it means to your organization. "In some circles [like the government], IDM means credentials, hard physical access and authentication," Palma says. In that case, "IDM is more about HSPD-12 than a back-office approach of how to manage users." (Learn more from our in-depth article about HSPD-12, the federal government's smart-card project.)
Vendors are integrating many of these technologies. Palma says that as a general rule, a companies offer an integrated system with the three core components (directory, provisioning and web access, which will be used to manage user provisioning, on-boarding and off-boarding), and also, possibly, for a physical component, such as credentialing. "The challenge there is the people who are more interested in the credentialing authentication piece aren't pursuing the back-office identity, and vice versa," Palma says.
Ultimately the choice comes down to where people want to invest their money. "The government is more concerned with access, so they tend to be less focused on how they can run something efficiently on the backend," Palma says. "But the directory, provisioning, web access piece is a business and productivity issue."
2. Articulate the Business Performance and Productivity Benefits of IDM
To hear Palma tell it, IDM is the rare case where where security is not at all something that gets in people's way. "There are few places where security can actually make a case around productivity and performance," Palma says, "and impact to the end user and identity is one of them"." That's why 'Palma tells his clients to focus on this area--because business productivity is something people can "get their hands around easily." (To learn more about the benefits of embarking on an identity management project with business partners, see our in-depth coverage of federated identity management.)
"It all comes down to putting things in black and white and explaining how IDM can help reduce the costs related to a certain action or set of business processes, says Martin Gee, CTO at ICSynergy, a identity management consultancy. Many times, an IDM case can be made as it relates to help-desk costs. You could explain how much time per month the company is spending doing password resets, and how much money an IDM system that puts password resets into the users' hands could save the company, he says.
For example, Palma says, if 40 people are doing manual administration, giving people access to the applications through self delegation could cut that number down to ten eventually. "That's an attractive way to position it," he says.
Chris Gervais, SOA program architect and technology relationship manager at Partners HealthCare in Boston, says, "ultimately you want to position your IDM program at a strategic level so it can be used as a lens through which the business can make decisions." You can also use compliance to your advantage, as Gervais has done at Partners. His team rolled out an enterprise-wide password management solution a little more than a year ago. Although the goals behind it were multifaceted, one of them was in response to HIPAA regulations. "We needed to make sure we had a strong enterprise password policy and that the business was complying with it," Gervais says. He positioned HIPAA compliance as a business imperative, and IDM as one way to achieve it.
Another compliance-related incentive for IDM is automation. "The margin for error is high with the manual approach to compliance, so automation of that process [through IDM] is one way to make the case," says Gee.
3. Create a Tangible, Phased Implementation Plan
Without having an idea of how you are going to accomplish what you say you will, an IDM implementation can become a never-ending spiral, says Palma. "Organizations that try to do too much end up not moving the ball down he field at all. You have to get tangible around your operational plan--what you can get done within a reasonable time frame--and then incrementally push up the bar as you move forward."
This key concept of "under-promise and over-deliver" can be accomplished by taking a phased approach to IDM that produces results at various intervals. "Use a short-term vision (within a year we want to make sure we can synchronize user passwords across all enterprise-facing systems) instead of a long term one (our goal is to have a completely pervasive distributed federated IDM system that allows us to interoperate and connect with customers and reduce the cost of M&As) right off the bat," says Gervais.
In order to increase your chances of delivering on what you say you will, Gervais says transparency with the business and users is key. "Have a lot of cross-discipline meetings, and be open about your milestones and deliverables. That gives the business a way to gauge what you're true progress is."
A detailed end-user communication plan also aids in a successful IDM implementation, says Palma. Just as the business wants to know how IDM will drive cost out of the organization, users (who will be impacted by IDM on a daily basis) want to know "what's coming, why you're doing it, and how it's going to make their end user experience better." For those reasons, Palma says you need to have a strong awareness plan in place and get user buy-in before rollout.
Finally, companies should not underestimate the effort and cost associated with IDM. An implementation can reach four to five times the cost of the software, says Mark McClain, CEO at SailPoint, an identity management vendor. The more customization you need to align that software with your businesses processes, the higher the deployment costs and the longer the implementation. "I've seen provisioning deployments stall out after being integrated with just 10 percent of an organization's applications because of the time and money required to extend the rollout further."
Making a solid business case and having a plan in place will help you avoid these pitfalls. "It takes active participation of business and IT groups, integration with existing technology infrastructure and some degree of customization to accommodate the unique needs of your business processes," says McClain.
4. Don't Forget to Have a 'Mr. or Ms. IDM'--Is This You?
The IT department may own the budget and the implementation, but it is dependant on the buy-in and participation of business groups at every step in the process. That's why Gervais and Palma agree that every company should have a "Mr. or Ms. IDM." That means that one person be responsible for explaining where the organization is manually, what the vision for automation is and how the plan will be executed. "Structurally," Palma says, "a lot of organizations find that hard to do."
Gervais says the person in charge should be focused on building relationships with the departments most impacted by an IDM solution. "That includes infosec departments, customer facing departments, the help desk (which bears the burden of a lot of the operational issues with IDM) and perhaps the director of application development," he says.
Human resources should also be involved, since it owns key identity processes and holds important information on employees, says McClain. Similarly, it's important to involve lines of business that own the data and applications that an IDM solution would protect, as well as audit and compliance personnel.
5. Avoid Scare Tactics or Pigeonholing
That's not to say you can't take these methods too far. There are wrong ways to approach the business as well. One of them is the use of fear mongering and scare tactics to prod the business into getting something done, says Gervais. "That's almost like crying wolf. You run out of credibility quickly because you haven't built a business case. You've built an emergency," he says. That isn't to say you shouldn't articulate and communicate risk, but when you fall back on it consistently, you've created a grudging way for the business to accept your solution.
Says Palma, "[IDM] is a big investment, and driving it internally as a compliance initiative might be a tough sell in many organizations as a result of compliance fatigue."
The other no-no is focusing on IDM as a solution to only one problem. If you do that, Gervais says, you artificially limit its business value and pigeonhole the plan. "Because budgets are limited, you have to make a business case for something that is highly leverageable. You need to be agile enough to take business input, iterate over it and continually evolve your program to meet those needs," he says. That means constantly tying the benefits of IDM back to operational efficiency, reduction of redundant infrastructure, consolidation of policies, improved authentication infrastructure, and other benefits of IDM.