Anyone who’s been in the IDAM game for a while knows that IDAM solutions are hard to sell. We can be seen as pushing something customers “already have” – even though what they already have is a combination of manual process, scripts, inconsistent data and a tangled web of access “control” that no one really has a handle on. So it’s tempting to try and sell an IDAM solution on how much money it will save you.
Someone’s got to say it – at least for the first couple of years an IDAM solution will probably cost you more, and here’s some of the reasons why.
Depending on what software you select this can range from “free” to millions of dollars in licensing fees. Software cost will of course be the easy one to calculate up-front, but that is only the beginning. Also, as far as I can tell, the expense of the software itself does not have any correlation with the…
Consultancy/Solution Build Cost
Not even the most expensive software will install, configure and run itself. Building IDAM solutions is a detail-oriented art form and the really experienced practitioners are deservedly expensive. Technical compentency in the solution platform is only a fraction of the skill-set – there’s also understanding what makes a good (and bad) automation use case; being able to analyse existing processes and data and explain why and how they must change; being able to design a solution that incorporates a multitude of sub-components and integrations, and thousands of internal decision points, while at the same time being something you can hand over to a BAU resource to administer and extend…
Or you can “Go cheap, build twice” – but it will probably be thrice and upwards, and almost definitely cost as much, if not more, in the long run.
Automation doesn’t reduce IT support head count, if anything all it does is change the nature of some of their tasks. One of my customers had a full-time service desk person assigned to account creation; now he has a full time job chasing down HR data issues which are preventing automatic account creation.
In addition you’ll need someone to administer the solution, and depending on its size and complexity, this can be a full-time job for at least one person, with a second trained as their backup. You build a complex machine, you need someone who understands it and can keep it humming.
Finally, should you have gone down some kind of RBAC path, you may have actually created a whole new job keeping roles/rules up to date with changing source data.
Extending the Solution
It is impossible to get everything you may possibly need in one phase of an IDAM project and, quite frankly, you shouldn’t even try to. The more functionality you attempt to cram into a single delivery phase, the more you increase your risks and dependencies across a range of areas, and not just technical ones.
However if you have delivered a sensibly scoped solution and let it bed in for a bit while everyone gets used to it, the right thing to do is start looking at what can be changed, improved and extended. A truly functional IDAM solution should never be “finished” but should develop along with changing business needs. And that is probably going to mean more consultancy.
End User Licensing Costs
Something I’ve seen on a few occassions now is an IDAM solution leading to an increase in end user licensing costs for desktop OS and applications.
Firstly this can occur because you’re finally getting accurate user numbers, particularly in complex multi-domain environments where there might have been a bit of guesstimation going on before.
Secondly, the IDAM solution may be provisioning accounts that don’t get used, and previously wouldn’t have been created unless someone specifically asked. This can happen in environments where there are workers that don’t need IT access as part of their job, but are still registered in the HR system. Another one to look out for is organisations that hire seasonal or short-term workers, and then have a number of “no shows” – if these are not properly dealt with the accounts can just hang around, inflating user numbers.
However if you look longer term…
Building a solid IDAM Solution based on sensible, achievable requirements, and with a strong committment to ongoing data cleanliness, should be seen as an investment that pays off over time, often only when people have got used to the level of identity automation going on and now take it for granted.
Audit and reporting on user number and IT access becomes straight forward, rather than an onerous task taking days and lots of spreadsheets it once might have been. Migrating users to a new directory or application is straight-forward. And of course, those things your IDAM sales person probaby promised you at the outset – new staff don’t sit around idle waiting for IT access, existing users can get access to the things they need with minimal human intervention, Service Desk spend less time on repeatable tasks, and your IT security is massively imporved by actaully knowing who your users are and what they have access to!