Making a business case for identity management

Over the past couple years, identity management technologies, including provisioning, web access management and directory services, have been joined by an emerging set of technologies that involve role management, identity audit and governance, and entitlement management. These technologies can play a key role in meeting both business requirements related to auditing and reporting, and security requirements regarding user access to sensitive applications and information.

But there are other business benefits as well, including improved performance and productivity for employees, more efficient provisioning for system administrators, decreased help desk costs and improved compliance. If you're just getting started on an identity management project, or even if you're well on your way, here are some tips on how to make a business case for identity management.

1. Decide What IDM Means to You

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Over the past couple years, identity management technologies, including provisioning, web access management and directory services, have been joined by an emerging set of technologies that involve role management, identity audit and governance, and entitlement management. These technologies can play a key role in meeting both business requirements related to auditing and reporting, and security requirements regarding user access to sensitive applications and information.

But there are other business benefits as well, including improved performance and productivity for employees, more efficient provisioning for system administrators, decreased help desk costs and improved compliance. If you're just getting started on an identity management project, or even if you're well on your way, here are some tips on how to make a business case for identity management.

1. Decide What IDM Means to You

IDM's complexity lies in the fact that it means different things to different people, says Bryan Palma, vice president of global information security at EDS and former CISO of PepsiCo. One of the first things you should do is decide what it means to your organization. "In some circles [like the government], IDM means credentials, hard physical access and authentication," Palma says. In that case, "IDM is more about HSPD-12 than a back-office approach of how to manage users." (Learn more from our in-depth article about HSPD-12, the federal government's smart-card project.)

Vendors are integrating many of these technologies. Palma says that as a general rule, a companies offer an integrated system with the three core components (directory, provisioning and web access, which will be used to manage user provisioning, on-boarding and off-boarding), and also, possibly, for a physical component, such as credentialing. "The challenge there is the people who are more interested in the credentialing authentication piece aren't pursuing the back-office identity, and vice versa," Palma says.

Ultimately the choice comes down to where people want to invest their money. "The government is more concerned with access, so they tend to be less focused on how they can run something efficiently on the backend," Palma says. "But the directory, provisioning, web access piece is a business and productivity issue."

2. Articulate the Business Performance and Productivity Benefits of IDM

To hear Palma tell it, IDM is the rare case where where security is not at all something that gets in people's way. "There are few places where security can actually make a case around productivity and performance," Palma says, "and impact to the end user and identity is one of them"." That's why 'Palma tells his clients to focus on this area--because business productivity is something people can "get their hands around easily." (To learn more about the benefits of embarking on an identity management project with business partners, see our in-depth coverage of federated identity management.)

"It all comes down to putting things in black and white and explaining how IDM can help reduce the costs related to a certain action or set of business processes, says Martin Gee, CTO at ICSynergy, a identity management consultancy. Many times, an IDM case can be made as it relates to help-desk costs. You could explain how much time per month the company is spending doing password resets, and how much money an IDM system that puts password resets into the users' hands could save the company, he says.