How IDAM solutions cost you money

Anyone who’s been in the IDAM game for a while knows that IDAM solutions are hard to sell. We can be seen as pushing something customers “already have” – even though what they already have is a combination of manual process, scripts, inconsistent data and a tangled web of access “control” that no one really has a handle on. So it’s tempting to try and sell an IDAM solution on how much money it will save you.

Someone’s got to say it – at least for the first couple of years an IDAM solution will probably cost you more, and here are some of the reasons why.

Software Cost

Depending on what software you select this can range from “free” to millions of dollars in licensing fees. Software cost will of course be the easy one to calculate up-front, but that is only the beginning. Also, as far as I can tell, the expense of the software itself does not have any correlation with the…

Consultancy/Solution Build Cost

Not even the most expensive software will install, configure and run itself. Building IDAM solutions is a detail-oriented art form and the really experienced practitioners are deservedly expensive. Technical competency in the solution platform is only a fraction of the skill-set – there’s also understanding what makes a good (and bad) automation use case; being able to analyse existing processes and data and explain why and how they must change; being able to design a solution that incorporates a multitude of sub-components and integrations, and thousands of internal decision points, while at the same time being something you can hand over to a BAU resource to administer and extend…

Or you can “Go cheap, build twice” – but it will probably be thrice and upwards, and almost definitely cost as much, if not more, in the long run.

Solution Support

Automation doesn’t reduce IT support head count; if anything, all it does is change the nature of some of their tasks. One of my customers had a full-time service desk person assigned to account creation; now he has a full-time job chasing down HR data issues which are preventing automatic account creation.

In addition you’ll need someone to administer the solution, and depending on its size and complexity, this can be a full-time job for at least one person, with a second trained as their backup. You build a complex machine, you need someone who understands it and can keep it humming.

Finally, should you have gone down some kind of RBAC path, you may have actually created a whole new job keeping roles/rules up to date with changing source data.

Extending the Solution

It is impossible to get everything you may possibly need in one phase of an IDAM project and, quite frankly, you shouldn’t even try to. The more functionality you attempt to cram into a single delivery phase, the more you increase your risks and dependencies across a range of areas, and not just technical ones.

However if you have delivered a sensibly scoped solution and let it bed in for a bit while everyone gets used to it, the right thing to do is start looking at what can be changed, improved and extended. A truly functional IDAM solution should never be “finished” but should develop along with changing business needs. And that is probably going to mean more consultancy.

End User Licensing Costs

Something I’ve seen on a few occasions now is an IDAM solution leading to an increase in end user licensing costs for desktop OS and applications.

Firstly this can occur because you’re finally getting accurate user numbers, particularly in complex multi-domain environments where there might have been a bit of guesstimation going on before.

Secondly, the IDAM solution may be provisioning accounts that don’t get used, and previously wouldn’t have been created unless someone specifically asked. This can happen in environments where there are workers that don’t need IT access as part of their job, but are still registered in the HR system. Another one to look out for is organisations that hire seasonal or short-term workers, and then have a number of “no shows” – if these are not properly dealt with the accounts can just hang around, inflating user numbers.


However if you look longer term…

Building a solid IDAM Solution based on sensible, achievable requirements, and with a strong commitment to ongoing data cleanliness, should be seen as an investment that pays off over time, often only when people have got used to the level of identity automation going on and now take it for granted.

Audit and reporting on user numbers and IT access becomes straightforward, rather than the onerous task taking days and lots of spreadsheets it once might have been. Migrating users to a new directory or application is straightforward. And of course, those things your IDAM sales person probably promised you at the outset – new staff don’t sit around idle waiting for IT access, existing users can get access to the things they need with minimal human intervention, Service Desk spend less time on repeatable tasks, and your IT security is massively improved by actually knowing who your users are and what they have access to!

2 Replies to “How IDAM solutions cost you money”

  1. Thanks Carol. I am actually working on a blog post where I plan to show from dollars and cents that a solid IDAM system is a money saver in the long run. In this day and age we live in, short-term benefits are what the business looks for, with the half-life of innovation and creativity maxing out at 2 years.

    What I will show is that we can get an ROI in 2 years from an IDAM investment. If we can’t then bury it in today’s business environment.

    There may be some similar hairs between my post and yours so hope it’s okay to put your article as reference.


  2. Of course Ike! It’s funny how there’s been a few occasions where we seem to have been thinking about something similar 🙂
    And of course I totally believe that properly implemented IDAM (and the data clean-up that should come with it) is a money saver in the longer term – people are just so obsessed with wanting to see immediate cost savings.
