Identity Management systems primarily manage the digital identities used by enterprise employees, business partners and customers, including "technical identities" such as ID codes that computer programs use to access resources. The higher the number of identities, the greater the need for efficient management. For companies with more than 5000 users it's well worth considering implementing such a solution. But Identity Management also improves security, by enabling, among other things, the implementation of enterprise-wide guidelines. These are often derived from legal requirements, such as those included in HIPAA or Sarbanes-Oxley in the USA, or in Basel II in Europe. Infringements of these guidelines can lead to heavy penalties, as well as damaging a company's image.
The decision to invest in an Identity Management solution should not however be solely based on a perception of "need-to-have", but be oriented more towards its measurable potential value: increased security levels and efficient identity management.
Minimizing manual administration
Password Management and authorization requests are among the most important tasks in managing digital identities. Others include (distributed) administration concepts, the enforcing of security and data protection guidelines, and the synchronisation of identities and their attributes in various databases and directories. Identity Management is an infrastructure task that is indispensable for an organisation's functioning.
Using appropriate administration tools can simplify, or even completely automate, a range of tasks, including routine tasks affecting the life cycle of a digital identity such as setting up a user account for a new employee or allocating resources. Changing resource allocations and deleting user accounts are other examples of administrative tasks that can be extensively automated. New employees are usually entered into personnel data systems such as SAP or PeopleSoft. Entries and changes, such as a change of workplace, can be registered by personnel data systems and automatically transformed into user accounts and access rights on different systems by provisioning systems within the framework of an Identity Management solution. Experience has shown that up to 90 percent or more of routine tasks can be automated. This effect can be directly measured. The administration time required for every administration task on every system (five minutes per task, for example) is determined and the savings are then calculated using the average cost of an administrator. Introducing an electronic requests procedure for identities and resources is just as efficient. By mapping the approvals process in the form of a workflow, administrative tasks that cannot be completely automated can be performed easily and transparently. One example of this is the provision of resources for the members of a temporary project group. Without an electronic requests procedure the requested resources have to be manually allocated to end users, one by one, on every relevant IT system after approval. These "individual authorizations" are usually very time-consuming. The requests procedure integrated into the Identity Management system, however, allocates them electronically and automatically based on access rules, or allocates bundles of authorizations grouped according to department synchronously on all connected systems after approval.
The benefits of this can be calculated from the average number of individual authorizations saved.
Save costs on all fronts
For other administrative tasks that can be neither completely automated nor performed manually using an electronic requests procedure, administration can be reduced by using roles-based administration. Roles such as cashier or clerk are allocated to users as a bundle of authorizations instead of as complicated and costly individual authorizations. A roles hierarchy, with rights inheritance mechanisms, further increases efficiency.
Costs can also be significantly reduced when features such as Password Reset Self Service, Password Synchronisation or Single Sign-On are used to free the Help Desk from some of its routine tasks. Savings can be made here from the decrease in the number of Help Desk calls. The calculation is simple. The number of calls saved is multiplied by the length and cost of an average Help Desk call.
Identity Management also provides easier auditing. Here regular cross-platform reports must be distinguished from ad-hoc reports. To calculate the savings for both types of report, the time required for creating reports in each system and the costs of consolidation, which has to be done manually, are determined. According to experience, using a cross-platform reporting tool reduces costs by 50 to 80 percent. Last but not least, working with an integrated administration tool significantly simplifies administration beyond system boundaries, so fewer specialists are needed for the individual technical systems. Administrators then only need to be trained to use the central system. The training costs saved can be calculated based on the number of administrators and the costs of their training.
More efficiency for end users
Short-term provision of resources for internal and external staff can be critical for success when a partner needs access to resources, such as when making a joint tendering proposal. The non-productivity of external staff can be particularly costly here. Faster unblocking of blocked accounts (where a user has typed in the wrong password several times, for example) shortens waiting periods and thus improves productivity. This increase in efficiency is usually hard to measure, since the situations in which staff are actually unproductive because certain digital resources are not available to them must first be defined. Higher and much more easily calculable costs are incurred if a new subcontractor cannot work for several days due to the lack of an account or authorization, and is unproductive because he or she has been engaged for one specific task.
As well as maintaining accounts, there is also the issue of 'orphaned' and superfluous accounts. A central Identity Management system provides reporting functionalities for finding and deleting unused user accounts. This enables outsourcing costs to be saved in the context of IT services where accounts with the outsourcer are settled based on the number of user accounts. The savings can be calculated from the price per account and the reduction in unused accounts.
ROI calculations in practice
Concrete model calculations for an Identity Management solution can be made using an MS Excel-based "Return on Investment" calculator, developed by Beta Systems for this purpose. An enterprise with a total of 42,000 IT users is used as an example, and the calculation covers a period of 3 years from the beginning of the implementation of the solution. Users are classified separately as employees (30,000), freelancers (7,000) and external users such as partners or customers (5,000). At the beginning of the project 80 IT staff, who spend 70 percent of their working time doing setups and other administrative tasks, are employed.
First the potential savings from automation are estimated. Assuming a figure of about 650,000 system-specific requests, about 379,700 requests could be automated in the third year. Instead of the 57 full-time jobs in the IT department required for manual processing, implementing Identity Management solutions at this point requires only 24 full-time staff. The savings in the third year would be about three million Euros.
The second step deals with the consideration of how many of the remaining requests (which cannot be automated) can be handled using a workflow system and roles-based administration. By the second year 50 percent of these requests can be processed much faster via workflow functionalities, and in the third year this figure increases to about 70 percent. Processing times are reduced by about half. This results in a saving of 13 full-time jobs and a reduction in costs of about 1.1 million Euros by the second year.
Calculating the costs of waiting periods is more complicated. Even leaving aside the controversial estimate for internal staff and assuming completely unproductive waiting periods of about 50 percent for freelancers, there is still an increase in productivity of about 3.2 million Euros in the third year. Underlying this assessment is the estimate that setting up new accounts or making changes to the authorization structure takes five days manually, one day using automation and two days using a workflow system. It is also assumed here that, in contrast to permanent employees, freelancers cannot usually perform other tasks during the waiting period. An investment of 1.2 million Euros in software licenses and maintenance, operating costs of about one million Euros in the second and third years, and external and internal implementation costs are compared with savings of 6.3 million Euros in the second year and 7.7 million Euros in the third year. Added to these savings are also significant reductions in costs achieved by using automatic Password Reset and Password Synchronisation, which need to be calculated separately.
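The savings formulas described in the preceding sections (administration time per request times administrator cost, Help Desk calls avoided times call cost, against licence and operating costs) can be put into a small cumulative model with a break-even search. This is an added illustration, not Beta Systems' Excel calculator, and every input value below is a constructed assumption rather than a figure from a real project.

```python
"""Added example: a minimal Identity Management ROI model with break-even search.
All inputs are constructed assumptions; only the formulas follow the article."""
import math
from dataclasses import dataclass


@dataclass
class Assumptions:
    requests_per_year: int          # system-specific administration requests
    minutes_per_request: float      # manual administration time per request
    admin_cost_per_hour: float      # fully loaded cost of an administrator
    helpdesk_calls_per_year: int    # password and unblocking calls
    minutes_per_call: float
    helpdesk_cost_per_hour: float
    licence_cost: float             # one-off, paid at project start
    operating_cost_per_year: float  # production operation, maintenance, roles upkeep


def automation_savings(a: Assumptions, automated_share: float) -> float:
    """Requests no longer handled manually, valued at administrator cost."""
    hours = a.requests_per_year * automated_share * a.minutes_per_request / 60
    return hours * a.admin_cost_per_hour


def helpdesk_savings(a: Assumptions, calls_avoided_share: float) -> float:
    """Help Desk calls avoided (self-service reset, synchronisation) times call cost."""
    hours = a.helpdesk_calls_per_year * calls_avoided_share * a.minutes_per_call / 60
    return hours * a.helpdesk_cost_per_hour


def yearly_net(a: Assumptions, automated: float, calls_avoided: float) -> float:
    return automation_savings(a, automated) + helpdesk_savings(a, calls_avoided) - a.operating_cost_per_year


def cumulative_net_benefit(a: Assumptions, automation_by_year, helpdesk_by_year) -> list:
    """Cumulative net benefit at the end of each year, starting from the licence outlay."""
    total, out = -a.licence_cost, []
    for auto, hd in zip(automation_by_year, helpdesk_by_year):
        total += yearly_net(a, auto, hd)
        out.append(total)
    return out


def break_even_month(a: Assumptions, automation_by_year, helpdesk_by_year):
    """First month (1-based) in which the cumulative benefit is non-negative,
    assuming a year's savings accrue evenly over its twelve months; None if never."""
    total = -a.licence_cost
    for year, (auto, hd) in enumerate(zip(automation_by_year, helpdesk_by_year)):
        net = yearly_net(a, auto, hd)
        if net > 0 and total + net >= 0:
            return year * 12 + math.ceil(-total / (net / 12))
        total += net
    return None


# Constructed scenario: automation share rises over three years, as in the model above
SCENARIO = Assumptions(650_000, 5, 60, 100_000, 10, 40, 1_200_000, 1_000_000)
AUTOMATION = [0.30, 0.50, 0.58]
HELPDESK = [0.20, 0.40, 0.50]
```

Running cumulative_net_benefit(SCENARIO, AUTOMATION, HELPDESK) shows the project still negative after year two and positive in year three, with break_even_month landing early in the third year.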
Security – a valuable commodity
Improved security levels are harder to measure. Identity Management guarantees the confidentiality of data on the one hand, and prevents it from being misused on the other. The prerequisites for confidentiality include secure authentication, correct assignment of rights, consistent rights administration and regular auditing. Without the "Single Point of Control" provided by an Identity Management System, an overview of a user's current resource allocations would be very difficult. Undesirable correlations of authorizations, leading to a violation of the principle of the separation of functions for example, are often not recognized.
Risk Management methods, which have been under increasing development recently due to new legal regulations and risk minimization standards, can be applied to a quantitative evaluation of increased security levels. The Basel II accord for the European banking industry requires, among other things, an evaluation of operative risks. Unfortunately in many enterprises there are no statistics available on the costs of the damage caused by data misuse, making a monetary assessment difficult.
Qualitative parameters for an improvement in security levels can easily be identified. Without Identity Management solutions effects such as the accumulation of user rights often occur. When employees change their workplaces, they receive new resource allocations. Old authorizations that are no longer needed are however often not deleted. The same applies when employees leave the company. A targeted assignment of these rights, which can also react flexibly to changes, is therefore vital. An increase in security levels can be qualitatively assessed as follows: the percentage of all authorizations accumulated in violation of policy is determined in a preliminary investigation, which could be based on random spot checks. With a figure of 80 percent for potential automation of rights allocations this figure can be reduced by about the same percentage. The number of unused user accounts can be similarly determined and reduced using automated deletion. Systems such as Single Sign-On also reduce the number of passwords, providing users with a single password and satisfying higher security requirements. Compliance with legal guidelines is also made easier, with enterprise-wide guidelines being implemented within an Identity Management framework.
Considered in the long term, Identity Management solutions have many strategic benefits. They standardize user administration and make a significant contribution to improving the data quality of user and authorization data through automation and data synchronisation. Cross-platform reporting supplies information that would otherwise not be available or could only be accessed with great difficulty. An important example affecting security that should be mentioned here is the discovery of unacceptable correlations of one person's rights in different systems.
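The cross-platform review just described (orphaned accounts of users who have left or have no personnel record, rights that accumulated after a workplace change, and conflicting rights held by one person across different systems) can be expressed as a check over exported account lists. This is an added example, not code from the article or from Beta Systems' product; the HR feed, account exports, department policy and conflict list are all constructed.

```python
"""Added example: cross-platform access review over constructed account exports.
Finds orphaned accounts, accumulated rights and separation-of-duties conflicts."""
from collections import defaultdict

# Constructed HR feed: user id -> (department, employment status)
HR = {
    "u100": ("accounting", "active"),
    "u101": ("sales", "active"),       # moved from accounting to sales
    "u102": ("sales", "left"),
}
# Constructed per-system exports: (system, user id, entitlement)
ACCOUNTS = [
    ("windows", "u100", "acct-share"),
    ("sap", "u100", "create_vendor"),
    ("mainframe", "u100", "release_payment"),  # conflicts with create_vendor in SAP
    ("sap", "u101", "sales_orders"),
    ("unix", "u101", "acct-ledger-ro"),        # left over from the previous workplace
    ("mainframe", "u102", "tso"),              # owner has left the company
    ("unix", "u999", "shell"),                 # no personnel record at all
]
# Entitlements each department may hold (constructed policy)
ALLOWED = {
    "accounting": {"acct-share", "create_vendor", "release_payment", "acct-ledger-ro"},
    "sales": {"sales_orders"},
}
# Combinations one person must not hold together, regardless of system (constructed)
SOD_CONFLICTS = [{"create_vendor", "release_payment"}]


def review(hr, accounts, allowed, sod_conflicts):
    """Return findings by category: orphaned and accumulated as (system, user, entitlement),
    sod as (user, conflicting entitlements)."""
    held = defaultdict(set)
    findings = {"orphaned": [], "accumulated": [], "sod": []}
    for system, user, ent in accounts:
        record = hr.get(user)
        if record is None or record[1] != "active":
            findings["orphaned"].append((system, user, ent))
            continue
        if ent not in allowed.get(record[0], set()):
            findings["accumulated"].append((system, user, ent))
        held[user].add(ent)
    for user, ents in held.items():
        for conflict in sod_conflicts:
            if conflict <= ents:  # all members of the toxic combination are held
                findings["sod"].append((user, tuple(sorted(conflict))))
    return findings


def violation_rate(findings, accounts):
    """Share of all entitlements held in violation of policy (the preliminary spot-check figure)."""
    return (len(findings["orphaned"]) + len(findings["accumulated"])) / len(accounts)
```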
Earliest possible break even
In the case of ongoing operations, the costs of running the system in production and of change management, including the servicing and upgrade of the necessary hardware and software and the maintenance of roles and their adjustment to organisational changes, should all be taken into account. External costs are also incurred for the installation, setup, training and perhaps also for the customisation of the product by a team from the manufacturer or a specialized system integrator. Experience has shown that implementation costs are difficult to correlate with software costs; for well-defined medium-sized projects, the experiential value is a corridor of 20 to 40 percent of the total costs.
The total costs of an average project – including license fees and internal and external implementation costs – for a company with 20,000 users and 4 types of systems supported by Identity Management systems (e.g. Windows, Unix, Mainframe and SAP) would usually be over 1 million Euros. The Return on Investment is revealed by comparing the costs and benefits for a specific period, which in the case of Identity Management projects might be about three years. With an appropriate strategy the Break Even can be reached even faster. To achieve this we recommend you initially implement and roll out the Identity Management solution for three or four core systems. The benefits described above will be quickly reached for these systems. The rollout could be completed within four months and further target systems and administration modules could then be successively integrated into the solution. It has been our experience that the Break Even will then be reached within 12-15 months.
Dr. Martin Kuhlmann is SAM Product Line Manager at Beta Systems Software