What's in the playbook

In part 1 of this 3-part article, we described the scenarios and motivation for a new approach to IAM, one that today's environment requires. Here we will start explaining what makes up that new playbook.

So, What is New in this New Playbook?

Here are some things that, in my view, should be the guidelines for a new playbook in IAM:

1. If possible, skip the RFP

There it is. I said it. RFPs consume a lot of time and money from the issuer and the responders, and more often than not do not yield the best result (i.e. you may still end up picking the wrong choice). Why?

  • Vendors are evaluated to see if they are “checkbox compliant”. This dilutes the effectiveness of the RFP as a selection tool altogether – how many times have you seen vendors respond “No” or “Requires heavy customization” to a checkbox-type RFP question?
  • Two vendors are selected to do a POC – they each take a week to put together a plain-vanilla demo. How is this meaningful to you?
  • One vendor is selected for reference calls – surprise, they all say the vendor is great, because the vendor is not going to give you their bad references.
  • That vendor is handed over to procurement, but how can you get the best deal when they already know they are your top pick?

Rather than an RFP, invest in getting educated in the market, and I don’t mean buying a whole bunch of expensive industry analyst reports. Get someone to educate you and your team on IAM, ensure that your business requirements are properly translated into vendor requirements (yes, they are not exactly the same), help you define a two-year roadmap so you know what kinds of products you will need, define the best purchasing strategy, and narrow down vendor choices.

Rather than doing a 3-month RFP with 10 vendors, spend 3 weeks with a competent, vendor-agnostic consulting firm. Develop your roadmap and implementation plan, map business requirements to outcomes, and narrow down the list of vendors to only 2 players. Then define a bake-off between them. That is exactly what our Kickstart Program is all about.

2. Whatever you do, consider TCO, not just upfront costs

Many customers buy a solution based on the upfront price tag - a tactic that many vendors use to their advantage. Even a $0 license price tag may not be the best choice. In fact, you should be suspicious of substantially reduced license price tags. If it sounds too good to be true, it probably is. Consider the ongoing maintenance, for instance: are you paying that at full list price? If so, then you may be mortgaging your future. But more importantly, consider how many people you’ll need to support the product on an ongoing basis, and how many customizations you will need to pay for in order to implement it. A good idea here is to talk to integrators that are familiar with the product you are considering, as well as with customers that have deployed it, or tried to. Some of our experiences show that the total spend in the first phase to deploy some IAM products is seven times the cost of license, while other IAM products require three times – but what happens when the vendor gives you the software license for free? (Hint: the implementation cost does not go to zero). Here is a reference to a good article focused on TCO for IAM.

3. It is more than just the Cloud

It is clear that the adoption of Cloud apps (i.e. SaaS) is bound to grow and proliferate within your organization – it is inevitable. Hence you need to ensure that your IAM solution is capable of handling Cloud applications. We are way past the point in which support for Cloud applications is a roadmap item. This needs to be a hard requirement, addressed now.

That being said, any IAM solution today should be able to handle both Cloud and on-premise targets. This is the reality of today’s Enterprise: a mix of on-premise systems and applications and a fast-growing set of SaaS applications. The idea of having different solutions for each group does not work. You need a single on-boarding workflow process engine, a single access recertification engine, and a single termination process engine, all of which should apply consistently and seamlessly to Enterprise and Cloud applications. Otherwise, you’ll just end up trying to bridge the gaps yourself, and every gap is a place where access is granted or left behind without anyone governing it.

4. IAM nowadays should include Governance

Many traditional IAM product vendors started with user provisioning as their value proposition. Later, they acquired smaller companies to add identity governance (approval-based access request, recertification, roles management), and today, many of them offer these capabilities as an add-on to their core IAM offering. But for the most part, it is like installing 2 or 3 separate products, with very loose integration and synergy. This is no longer viable.

Organizations that are pursuing IAM today also need to satisfy compliance and governance objectives. Any solution that does not provide a fully integrated IAM provisioning/de-provisioning engine with an access request application, business process coordination (i.e. workflow), roles management and access recertification is no longer a viable option. Ensure that whatever solution you are considering meets this criterion.
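To make the requirement in items 3 and 4 concrete, here is an added Python sketch (not a product, and not code from this article's author) of what "a single engine for both Enterprise and Cloud targets, integrated with approval-based requests and recertification" means in practice. The target names, roles, users and the out-of-band changes are constructed sample data; the point it shows is that when one joiner/leaver process and one recertification pass cover every target, grants made outside the process and accounts left behind after termination surface as findings instead of silently persisting.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class Target:
    """One system the engine provisions into. Whether it is on-premise or SaaS only
    changes the backend the adapter would talk to; the engine treats both the same."""

    def __init__(self, name: str, kind: str):
        self.name = name
        self.kind = kind                                # "on-prem" or "saas", reporting only
        self.accounts: dict[str, set[str]] = {}         # user -> entitlements held

    def grant(self, user: str, entitlement: str) -> None:
        self.accounts.setdefault(user, set()).add(entitlement)

    def revoke_all(self, user: str) -> bool:
        """Remove the user's account entirely; True if there was one to remove."""
        return self.accounts.pop(user, None) is not None


@dataclass
class LifecycleEngine:
    targets: dict[str, Target]                          # every system, cloud and on-prem
    roles: dict[str, set[tuple[str, str]]]              # role -> {(target, entitlement)}
    employees: dict[str, str] = field(default_factory=dict)   # user -> role; HR is authoritative
    approvals: list[tuple] = field(default_factory=list)      # audit trail of access requests

    def onboard(self, user: str, role: str) -> None:
        """Joiner: one workflow grants the role's birthright access on every target it names."""
        self.employees[user] = role
        for target_name, ent in self.roles[role]:
            self.targets[target_name].grant(user, ent)

    def request_access(self, user: str, target_name: str, entitlement: str,
                       approver: str, approved: bool) -> bool:
        """Approval-based access request. The decision is recorded either way so
        recertification can later tell an approved grant from an unexplained one."""
        self.approvals.append((user, target_name, entitlement, approver, approved))
        if approved and user in self.employees:
            self.targets[target_name].grant(user, entitlement)
            return True
        return False

    def terminate(self, user: str) -> dict[str, bool]:
        """Leaver: one termination process revokes on every target, SaaS and on-prem alike."""
        self.employees.pop(user, None)
        return {name: t.revoke_all(user) for name, t in self.targets.items()}

    def recertify(self) -> list[tuple]:
        """Single recertification pass over all targets. Flags accounts with no active
        employee behind them, and entitlements explained by neither the user's role
        nor an approved request."""
        approved = {(u, t, e) for u, t, e, _, ok in self.approvals if ok}
        findings = []
        for t in self.targets.values():
            for user, ents in t.accounts.items():
                role = self.employees.get(user)
                if role is None:
                    findings.append(("orphan", t.name, user, ""))
                    continue
                for e in sorted(ents):
                    if (t.name, e) not in self.roles[role] and (user, t.name, e) not in approved:
                        findings.append(("unexplained", t.name, user, e))
        return sorted(findings)


def demo() -> list[tuple]:
    """Constructed scenario: one on-prem directory and one SaaS app under a single engine."""
    ad = Target("ad", "on-prem")
    crm = Target("crm_saas", "saas")
    engine = LifecycleEngine(
        targets={"ad": ad, "crm_saas": crm},
        roles={
            "engineer": {("ad", "vpn"), ("ad", "dev-group")},
            "analyst": {("ad", "vpn"), ("crm_saas", "reports")},
        },
    )
    engine.onboard("alice", "engineer")
    engine.onboard("bob", "analyst")
    # Governed request: bob needs export rights in the SaaS CRM and carol approves it.
    engine.request_access("bob", "crm_saas", "export", approver="carol", approved=True)
    # Out-of-band change: a CRM admin gives alice admin rights directly in the SaaS
    # console, bypassing the engine. No role and no approval explains this grant.
    crm.grant("alice", "admin")
    # Leaver: bob's termination hits both targets in a single step.
    engine.terminate("bob")
    # Out-of-band again: bob is re-enabled directly in the CRM after leaving,
    # while HR still says he is gone. Recertification should catch the orphan.
    crm.grant("bob", "reports")
    return engine.recertify()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The two findings `demo()` returns are exactly the gaps the article warns about: an entitlement in the SaaS app that neither a role nor an approved request accounts for, and an account for someone HR no longer employs. With separate tools for Cloud and on-premise, neither check runs across both worlds and the bridging becomes your problem.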

We’ll continue the list of items in the new playbook in part 3.


Frank Villavicencio