building your roadmap sucessful identity and access management

Building Your Roadmap:

Successful Identity and Access Management (IAM)

2 April 8, 2023 Building Your Roadmap: Successful Identity and Access Management (IAM) Copyright © 2007 CA

What are the CXO’s telling us?

“It’s too expensive and manual to make

sure we’re addressing all the necessary

regulations. And then we have to do it all over again for the

next time.”

ContinuousCompliance

Escalating Administration Costs

Ghost User Accounts

Auditors’ Requirements

Leverage-able It Infrastructure

Negative Security-Related Publicity

Accumulating& Inappropriate

Privileges

Help Desk Overload



“25% of my help desk calls are related to resetting

forgotten passwords!”



Ghost User Accounts





Privileges

Help Desk Overload



“There is just no budget to hire more IT administrators, but our

user population is growing, particularly

as we bring more customers/partners

online.”



Ghost User Accounts





Privileges

Help Desk Overload



“I still have accounts in my

systems for users that are long gone!”



Ghost User Accounts





Privileges

Help Desk Overload



“As employees and partners change

responsibilities they keep acquiring new

system privileges with us while none are removed. How do I

fix that?”



Ghost User Accounts





Privileges

Help Desk Overload



“Internal and external auditors need to see if

you have sufficient control over your IT

systems and access to private data. Auditors don’t care generally how much it costs.”



Ghost User Accounts





Privileges

Help Desk Overload



“Enterprise architects hate to see

the IT ‘wheel’ continually reinvented.

IAM should be employed and

managed as part of enterprise architecture.”



Ghost User Accounts





Privileges

Help Desk Overload



“I don’t want to see my organization in

the news.”



Ghost User Accounts





Privileges

Help Desk Overload


Doing More with Less is no longer a temporary economic issue –

it is here to stay.

The Essence of Business

LESS BUDGETLESS STAFF

SHORTER SCHEDULEREDUCE COSTS

COSTS TIME

MORE USERS MORE ACCESS

MORE FLEXIBILITYMORE APPS

MORE PARTNERSMUCH FASTER

USERS TRANSACTIONS

COMPETITIVE EDGECONDUCT BUSINESS


Definition of Identity & Access Management (IAM)

> Identity & Access Management is the set of processes and the supporting infrastructure and systems for the creation, management and use of digital identities and enforcement of security-related business policies

Who’s there? What can they do?

What dothey need?

How do you manage them?

> Authentication management

> Access control

> User management

> Delegated administration

> Workflow

> Self-service

> Account, resource provisioning

> Account, resource de-provisioning

Enterprise IT Management

Security Management

IAM

> It enables you to answer the following:


Before…

Average Process 7-10 DaysIssues to Consider: Backlog Errors Requests Delays Impact on Productivity

NEWUSER

1. HR Request for Access

2. Manager Request for

Access

3. Policy Examination And

Approval IT

4. Policy Examination And

Approval Administration

5. Return for Corrections

6. Submit Revised Request

7. Revised Policy Examination And

IT Approval

8. Revised Policy Examination And

Approval Administration

9. Identified Exception

10. Exception Approval Granted

11. Approval Granted

UNSATISFIEDNEWUSER

12. Applications Set Up

13. IT Set Up14. Keeping Audit Trail


…And After

NEWUSER

3. Policy Examination Approval And

Execution

2. Manager Request For

Access

1. HR RequestFor Access

SATISFIEDNEWUSER

Average Process 30 Minutes

Issues to Consider: What would you do with the

spare time?


Employment Life CycleA

CC

ESS &

TR

AN

SA

CTIO

NS M

AN

AG

EM

EN

T

Hire Promotion Relocation Team Project Departure

What is the Cost of Quarterly Reorganization?


IAM Business Drivers – The Complete Picture

IncreasingEfficiency

ComplyingWith Regulation

IncreasingSecurity

EnablingBusiness


Exercise – Identify Your Business Drivers

Business Driver Weighted Average (Totaling 100%)

Comply with security regulations

Increase user satisfaction

Reduce cost of IT resources

Streamline business processes

Enable Web services

Secure company data

Increase IT productivity

Manage user life-cycle more effectively

Increase customer and partner satisfaction

Integrate enterprise security apps

Manage information risks

Improve Enterprise Services, SOA & IAM integration

Move your current provisioning toward “Phase 2”


Business Benefits of IAM Functionality

Information Consolidation

Authentication & Authorization

Registration & Enrollment

Single Sign-On

Enabling a comprehensive picture of the entire organizational data

Facilitating an easy implementation of future applications

Managing resources more effectively

Scaling security

Increasing control

Eliminating redundancy in data management

Securing the company’s reputation

Attracting prospective customers to do business online

Securing important corporate data such as branding info

Complying with regulations such HIPAA, Gramm -Leach-Bliley act, 21 CFR part 11, and the Sarbanes-Oxley act

Scaling organizational security

Reducing account management time

Streamlining business processes

Delivering better web services

Increasing productivity of help desk and IT services

Increasing satisfaction of both internal and external users

Reducing calls to help desk

Enabling easy access with one account and one password


Improving help desk services

Delivering a better client web experience

Increasing user satisfaction


Business Benefits of IAM Functionality

Password Management

Delegated Administration &

Self-ServicesAudit

Provisioning & Federated Identity

Increasing organizational security

Eliminating calls to help desk regarding password reset

Closing security gaps


Increasing user satisfaction


Increasing IT & help desk productivity

Decentralizing organizational control

Complying with regulations

Increasing control and management of information flow

Automating auditing and audit trail analysis as much as possible

Maintaining security through de-provisioning on termination, user clean-up and robust auditing capabilities

Managing access rights through centralized user management and delegated administration

Providing automated workflow

Addressing ebusiness initiatives promptly and efficiently to gain and maintain market share

Leveraging the system across the value chain and strengthening commitment


Business Impact of IAM Functionality

Business Facilitation

Cost Containment

Operational Efficiency

Risk Management

User Satisfaction

ESA Support

Regulatory Compliance

Information Consolidation

Authentication and Authorization

Registration & Enrollment Single Sign-On Password Management

Delegated Administration & Self-Service

Audit Provisioning & Federated Identity


> What is the maximum capacity of your current system?

> What is the average growth in application development?

> What is the average impact of a reorganization?

> How often does a reorganization occur?

Key Questions Every Organization Must Consider

> What is the average turnover?

> What menial tasks you would like to eliminate?

> How long does it take to set up a new user in the current system?

> What is the cost associated with this process?


> How many users (customers, partners) will be given access?

> What is your annual application management cost?

> What is the cost of new user management?

> What is the annual cost of existing user management?

> What is the cost by security feature, per application?

Key Questions Every Organization Must Consider CONTINUED

> What is the financial impact of faster access to applications?

> What is the reduced IT management cost of federated provisioning across the extranet?

> What is the financial impact of IAM on supporting Business Processes & Enterprise Architecture?


> A common perception is that by avoiding IAM strategies, companies save money.

> In reality, avoiding IAM results in significant costs arising from inefficiencies and loss of productivity.

> There is a price for doing nothing:

The Price of Doing Nothing

Adding more help desk & IT personnel in the future.

Wasting more time on integration of future applications.

Incurring cost of trying to prove compliance to regulations through manual and un-integrated processes.

Taking the risk of a security breach, which can be tremendously expensive to the organization.

Incurring potential damage to your reputation.

Lagging behind other companies.


“Many midsized companies won’t consider identity management, because they think it is too difficult to deploy, too expensive to purchase and implement, and too complicated to administer and maintain. The problem is that it’s precisely when companies grow to mid-market ($150 million to $1 billion) that user accounts seem to multiply like rabbits…. Postponing an investment in some form of unified account or identity management often proves to be one of the most common — and costly — mistakes in security today.”

The Price of Doing Nothing

David Piscitello, Network World, 08/28/06


> Each company has its own estimates for these input figures.

> A certain section of Return on Negligence can affect one company more than another – it is customizable.

> It is difficult to capture future benefits of an IAM solution.

> Companies tend not to buy into external calculations.

> It is an overwhelming calculation that is difficult to prove.

Financial Drivers – Challenges

> It is the only way to get CFO endorsement.

> Despite the credibility challenges, financial justifications must be developed and managed.

> A critical failure point can be avoided by managing the promised RON past the initial purchase to ensure capturing all the promised financial rewards.

> During project design, a financial manager should join the team to monitor progress and results.


Annual Potential for Cost Avoidance Related to IAM Solutions

Potential IT Cost Avoidance Related to User Provisioning $290,649Potential Lost Productivity Costs Avoidance Related to User Provisioning $220,027

Total Potential for Cost Avoidance Related to User Provisioning $510,676

Potential Lost Productivity (Due to Multiple Login Sessions) Cost Avoidance Related to SSO $673,828Potential Lost Productivity (Due to Trial & Error) Cost Avoidance Related to SSO $485,156Potential Help Desk Passwords Resets Cost Avoidance Related to SSO $354,883

Total Potential for Cost Avoidance Related to SSO $1,513,867

Potential Application Development Cost Avoidance Related to Web Access Control $135,000Potential Security Audits Cost Avoidance Related to Web Access Control $20,000Potential Extranets Help Desk Cost Avoidance Related to Web Access Control $195,186Potential Downtime Cost Avoidance Related to Web Access Control $30,000

Total Potential for Cost Avoidance Related to Web Access Control $380,186

• Please note that potential Help Desk Cost Avoidance alone amounts to $550,068 Per Year

Total Cost of Negligence per Year $2,404,729

Total Cost of Negligence for 3 Years $7,214,187

Return-On-Negligence (RON) on IAM Avoidance - Overview


RON for Typical Identity Management Tool – Basic Input

Company Details

Number of Internal Users (employees) 3,000

Number of External Users (partners and customers) 10,000

Rate of growth per year (% of users) 10%

Turnover rate per year (% of users) 10%

Rate of Moves, Adds and Changes (MACs) 15%

Annual Fully-Burdened Salary for IT Staff Member (Salary +15%) $90,850

Average Fully-Burdened Employee Salary (Salary + 15%) $90,850

Number of Work Hours Per Year 1920


RON for Identity Management – Industry Standard Assumptions

Assumptions

Number of Hours to Set up a New User 3

Number of Hours to Handle Moves, Changes (MACs) 1

Number of Hours to Delete Obsolete User 0.75

Number of Hours From Request Through Resolution (for New Account) 10

Number of Hours From Request Through Resolution for Moves/Changes (MACs) 14


Company Details

Number of Internal Users (employees) 3,000

Average Number of Accounts per Internal User (Employee) 4

Annual Fully-Burden Salary for IT Staff Member (Salary +15%) $90,850

Average Fully-Burden Employee Salary (Salary + 15%) $69,000


RON for Single Sign-On – Basic Assumptions


Assumptions

Time Spent to Login to a Single Account (Minutes) 0.50

Average % of Total Logins that Are Incorrect Out of Total Logins 10%

Average % of Incorrect Logins to be Solved by Trial and Error 80%

Average Time to Trial and Error Forgotten Password Per User (minutes) 2

Average Length of Help Desk Call (Minutes) 10.0

RON for Single Sign-On – Industry Standard Assumptions


Calculations Results

Lost User Productivity Cost Due to Multiple Login Sessions

Login Sessions Per User Per Year 1,000

Number of Hours Spent on Login Sessions Per Internal User Per Year 8

Hourly Cost of Typical Employee $36

Cost of Lost Productivity (Due to Multiple Login Sessions) $898,438

% Lost User Productivity Cost Savings Provided by Single Sign-On 75%

Potential Lost Productivity Costs Avoidance Related to SSO $673,828

Lost User Productivity Cost Due to Trial & Error of Forgotten Password

Total Number of Incorrect Logins Per User Per Year 100

Total Number of Incorrect Logins Solved by Trial & Error per User 80

Total Number of Incorrect Logins Solved by Help Desk Assistance Per User 20

Time Spent on Trial & Error Per User Per Year (hours) 3

Time Spent on Help Desk Calls Per User Per Year (hours) 3

Total Cost of Lost Productivity (Due to Trial & Error of Forgotten Password) $646,875

% Lost User Productivity Cost Savings Provided by Single Sign-On 75%

Potential Lost Productivity (Due to Trial & Error) Costs Avoidance Related to SSO $485,156

RON for Single Sign-On – Avoidance Impact


RON for Web Access – Basic Input

Company Details

Number of External Users (partners and customers) 10,000

Rate of Growth per Year (% of users) 10%

Turnover Rate Per Year (% of users) 10%

Number of New Extranet Applications Per Year 15

Number of Security Audits Per Year 10

Annual Fully-Burdened Salary for IT Staff Member (Salary +15%) $90,850



Assumptions

Average Access Control Development Cost Per Extranet/intranet Application $12,000

Average Cost of Security Audit $4,000

Average Number of Help Desk Calls Per User per Year 11

Average % Help Desk Activity Related to Passwords 30%

Average Length of Help Desk Call (Minutes) 10.0

Average Application Downtime Cost Per Hour (Due to Security Breach) $30,000

Average Number of Downtime Hours Per Year (Due to Security Breach) 2

RON for Web Access – Industry Standard Assumptions



Cost of Application Development Time Associated with Access Control

Cost of Hard-Coding Access Control $180,000

% Application Development Cost Savings Provided by Web Access Control 75%

Potential Application Development Costs Avoidance Related to Web Access Control $135,000

Cost of Security Audits per Year

Cost of Security Audits per Year $40,000

% Security Audits Cost Savings Provided by Web Access Control 50%

Potential Security Audits Costs Avoidance Related to Web Access Control $20,000

RON for Avoidance Impact – Web Access



Cost of Help-Desk (not using Self-Registration and Self-Service)

Number of Help Desk Calls Per Year 110,000

Number of Help Desk Calls Related to Passwords Per Year 33,000

Total Time Spent by Help Desk staff on Passwords Related Calls Per Year (Hours) 5,500

Cost of IT Labor Per Hour $47

Cost of Help Desk Related to Extranets $260,247

% Extranets Help Desk Cost Savings Provided by Web Access Control 75%

Potential Extranets Help Desk Costs Avoidance Related to Web Access Control $195,186

Cost of Downtime Due to Attacks Caused by Unauthorized Access

Cost of Downtime $60,000

% Downtime Cost Savings Provided by Web Access Control 50%

Potential Downtime Costs Avoidance Related to Web Access Control $30,000

Total Potential for Cost Avoidance Related to Web Access Control $380,186

RON for Avoidance Impact – Web Access CONTINUED


RON for Identity Management – Avoidance Impact

User Account Management Cost

Number of New Users Per Year 1300

Number of MACs per Year 1950

Number of Account Terminations Per Year 1300

Total Time Spent Annually on User Account Management (Hours) 6825

Cost of IT Labor Per Hour $47

Annual Cost of User Account Management by IT $322,943

% IT Cost Savings Provided by User Provisioning 90%

Potential IT Cost Avoidance Related to User Provisioning $290,649


RON for Identity Management – Avoidance Impact CONTINUED

Lost User Productivity (Due to Account Management) Cost

Number of New Internal Users/Employees Per Year 300

Number of MACs per Year for Internal Users (Existing Employees) 450

Hourly Cost of Typical Employee $47

Cost of Lost Productivity For New Employees $141,953

Cost of Lost Productivity For Existing Employees $298,102

Total Lost Productivity Costs Per Year (Due to Account Management) $440,055

% Lost User Productivity Cost Savings Provided by User Provisioning 50%

Potential Lost Productivity Cost Avoidance Related to User Provisioning $220,027

Total Potential for Cost Avoidance Related to Admin $510,676


Rank financial drivers criteria by organizational importance

Industry standard figures

Estimates for your organization

Where do I get the numbers from?

Exercise – Building Your Own Financial Plan


Tip for Consideration

No financial plan or RON analysis will be credible unless it is managed throughout the entire process to ensure capturing the promised results.


Pitfalls to Avoid

> Don’t set unachievable goals.

> Don’t try to “boil the ocean”.

> Don’t reduce cost through reducing business workflow analysis.

> Don’t look at IAM as an IT type project.

> Don’t expect to operate IAM without organizational changes and commitments.

> Don’t expect to operate IAM without reengineering some business process.

> Don’t exclude any organizational stakeholder or those with conflicting agendas.


One Last Word …

Good luck!

The longest journey starts with a single step.

building your roadmap sucessful identity and access management

Technology

infrastructure

revised policy

cost avoidance

multiple login

incorrect

user account

policy examination

incorrect