First off, I would like to express my sympathy to victims of the terrible earthquake that hit Haiti. I can only wish that the rescue and recovery efforts yield positive results.

Thanks to the recession, we have learned a lot (or so we would like to think) on the importance of sound business decisions, have we not?

This blog post is my attempt to bring some of the lessons learned, along with scar tissue, that I have been able to sum up from the last 24 months, as it relates to identity and access management initiatives. Last year, I spent time reading some Harvard Business Review articles, and recall reading a blog post titled: "6 Lessons Learned in the Downturn" by Anthony Tjan, which were very influential in shaping my thoughts for this post.

At the risk of stating the obvious, I would start by saying that the last 24 months have forever changed the way in which Identity initiatives will be carried forward.

It is clear that identity and access management systems are, more than ever, critical parts of any IT infrastructure. Organizations will always need to grant application and system access to those who need it and eventually remove that access once it is no longer needed. This is a recession-proved observation. The circumstances of today's economy highlight the need to tackle these activities in a more efficient, transparent and scalable way, and in most cases, automation is about the only choice you've got. Manual labor is way too expensive today, even when outsourced. This should be an encouraging statement for any identirati.

5 Lessons Learned

Below are five points that best capture the essence of this change.  These are based on experience working with clients across many industry verticals:

    1. Your dollar needs to go a much longer way than before - If you even have an approved budget, you really need to maximize the value you will get from your initiative, and be ready to show how. Consider getting a second opinion before you buy new IDM technology. Ask yourself some questions:
      • Have you done proper due diligence?
      • Do you or your team have the cycles to invest in carrying out the proper due diligence?
      • Are you relying only on what the vendor says or what you read on an analyst report?
      • Do you have enough insight on how to negotiate with the vendors you have selected, based on what is important for your initiative?

We have seen from experience that even a nominal 2-week investment in an Identity Management Workshop that assesses your current state, identifies business drivers, high-level requirements, and formulates an implementation roadmap can go a long way.

A case in point: One of our clients allocated $750,000 in budget to acquire IDM technology in 2009.  Before moving forward, they invested in a workshop and in the end, identified a set of previously unknown requirements and ultimately saved 40% ($300,000) in their purchase, all within 8 calendar weeks. Considering what they spent on our services, this is an ROI in excess of 450%. Not bad in any type of economy if you ask me.

    1. Minimize capital expenditure if you can - Consider lease vs. buy scenarios. The maturity of IDaaS today provides options for customers to avoid procuring software and hardware products that require capital expenditure, and instead consume them on an on-demand basis as an operating cost. This of course will maximize your cash-at-hand. Evidently, not all of your identity and access management needs can be met with an IDaaS approach, at least not today, but I would argue that 24 months ago this was not even an option to consider. There are several approaches to IDaaS, which can be appropriate to your initiative. It may be worth exploring these and engaging with providers that specialize in these kinds of models. Not all organizations are ready or comfortable with an all-in-the-cloud approach, but there are managed services models that work on-premise that should be explored.
    2. You have to have metrics - For identity and access management initiatives, there is no longer room for soft ROI; hard dollar is king. As you define your Identity initiative, you need to think about how you can measure value and ROI to the organization. For some organizations, which adopt internal chargeback models for managing budgets, this should be relatively easy. The idea is not to stop at simply measuring costs, but ensure that you are measuring returns. In a way, try to make your metrics meaningful to the lines of business that you support (i.e. your internal clients). A metric that is often overlooked is time to value - everything being equal in cost, you should look to shorten the wait until you can show measurable value to the organization. In practice this will help you decide how you undertake your initiative. Maybe shorter phases are better than longer ones. Perhaps rather than a pure waterfall project management approach, you start to introduce agile methodology concepts. We have seen initiatives whose budget is cut in mid-flight. Even though you cannot fully prepare for this, you want to consider what you will show for if it ever happens, and whether or not delivering value early is the key to preventing your funds from being cut in the first place.
    3. Let's demystify identity management - This may get controversial, but after 14 years of experience in IDM, I would like to demystify it. I agree that IDM is complex, requires specialized skill sets, and above all, is unforgiving if you do not have the right experience, but at the same time it is not unattainable, and settling for less is not the right posture. There are many ways to meet compliance requirements, even if you have not automated all of the access granting flows in your environment.

I applaud the advent of identity activity monitoring (the term we like to use to describe this new trend) in 2009, and while the analysts have not yet coined a particular name for it, there is a great report by Gartner's Mark Nicolett and Earl Perkings that focuses on this area, separate from just SIEM or just IDM, more as a separate niche in its own right.

I intend to further discuss identity activity monitoring in a future blog post, but for now, I would describe it as an approach to tracking user activity in various IT systems and applications that is correlated to the definition of a digital identity; thus creating a closed feedback loop that allows you to more confidently determine if your IDM controls are effective, regardless of whether they are automated or manual. In this way, organizations have a way to extract value out of lazy assets (such as application, database or system logs), which otherwise are used only for security event monitoring, and leverage them to increase visibility into what users are doing within the IT infrastructure. This is a very clever and effective way to approach some of the compliance requirements that Identity initiatives often try to address, in a faster and cost effective way. Moreover, it does not conflict with a traditional IDM implementation, but rather complements it.

    1. Understand and embrace identity assurance - this is not limited to scenarios in the extranet in which users from one organization interact with systems in another - scenarios that some would deem esoteric and not as business critical. Even within the same organization, you need to pay attention to identity lifecycle as a whole and not just as discrete steps: provisioning, authentication, single sign-on, etc. Consider the intersection of identity assurance with your data and risk classification, and ask yourself: am I spending too much in authentication technology and too little in the process of ensuring I know who the person is? Is it the reverse? Strong authentication alone is useless from an identity assurance perspective (a good friend assures me that a well-trained Labrador could figure out how to use a smart card - although I have not seen the documentary on TV yet). The point here is to ensure that your effort and investment is balanced in light of your requirements. Otherwise, you may be wasting precious dollars.

To illustrate, here is a real life example: a client has a request/approval process in place to manage the issuance of access cards (with no picture ID) to various facilities in their organization. When an employee first comes on board, to issue an access card, they undergo a process of vetting their identity against information in HR, and that the request that has been approved by two management levels. Now, since the process often takes a few days to complete, some managers tend to hold on to the access card from a departed employee, and literally keep them in a drawer. When a new employee comes onboard, the manager recycles the access card and increases the employee's productivity by orders of magnitude, but all access activity and access authorization is based on the departed employee's information. The organization is now incurring significant costs to ensure that access to its facility is tightly managed, but the process for ensuring that a departed employee event triggers the deactivation of the access card is not well enforced.  So in the end, this imbalance in identity assurance costs the organization money and does not really mitigate the risk it was intended to.

I would love to hear comments and feedback on these points, particularly if you disagree.


Frank Villavicencio

Frank Villavicencio