by Paul Desmond

ROI equations

May 26, 2003

As always, cost is a consideration in the buy vs. build argument.

Depending on the size of the implementation, prices vary widely for provisioning tools, which automate the issuing and revocation of user accounts. When Burton Group surveyed the landscape last summer, costs were around $25 per seat. “We think that number has dropped by half in some cases,” says Kevin Kampman, senior consultant with Burton Group.

Gartner puts the price of provisioning tools at $84 per seat, before discounts. “I would take 30% to 40% off that, at least,” says Roberta Witty, research director for information security strategies at the consultancy. “Prices are trending down.” Integration costs, however, run about two to six times the license cost, she says, depending on how much business automation and customization you’re after.

Costs for Web access management tools, which manage user authentication for Web-based resources, are far less, but just as varied. Witty says software prices range from about $10 per user in a 15,000-user implementation to about 25 cents per user for a rollout with millions of users. Integration fees will cost two to four times the software license price.

But more important than what you might pay for Web access management or provisioning tools is the value you can get from them. “You have to figure out what the business costs are and what the revenue opportunities are, then calibrate the amount you’re prepared to spend to get the cost savings or revenue gain,” says Michael Barrett, vice president for Internet technology strategy for American Express in Phoenix. “I don’t think at its most general level it’s any different from that.”

It’s simplest to make an ROI case for provisioning tools, experts say. For starters, such tools routinely come with password-management functions that let users reset their passwords, dramatically reducing calls to the help desk. For example, Syracuse University students can now activate their accounts via the Web, modify and maintain their passwords using a challenge/response system, and manage their e-mail preferences.

The Business Layers implementation further reduces IT administrative costs by automating the account-generation process. Once a new student is fully registered and entered into the school’s PeopleSoft system, Business Layers picks up on the change and triggers a series of steps to set up new accounts for the student. “In the past, we’d generate those accounts by hand, once in the fall and once in January for winter,” says Gary McGinnis, director of client services for Syracuse’s computing and media unit. “Now it’s automated, not done in batch mode like it used to be.”

Mark Ford, principal with Deloitte & Touche Security Services Group, agrees that the return on a provisioning investment is rapid. “You need fewer administrators and you strengthen security because you automate the process of giving out access as well as taking it away, so there are fewer orphaned or latent accounts,” he says. But unless such account automation is one of the core business problems, it might be more beneficial to turn to a less-expensive access management engine, because, Ford adds, “the longer-term ROI comes from Web access management.”

Access management engines can reduce application development costs dramatically because developers can use the central security engine rather than building authorization functions into each application. And Web access management tools also generally have the self-service password management functions built in.

Kirk Kness, vice president with T. Rowe Price’s Investment Technologies group in Baltimore, is reluctant to give out numbers, but says the ROI on its Web-based access management project was “extremely significant.”

“The ramp-up costs were high – this cost us a couple million bucks to get in place,” he says, noting that costs have since come down. “But we figure we saved at least eight weeks’ worth of development work, if not more, on every project we’ve done in the last three years.” With 150 applications now taking advantage of the IBM Tivoli Access Manager engine, those costs add up. At the same time, the number of calls to the help desk has dropped by more than 60%. “That’s significant given our active user base on the Web site is in the 500,000-user range,” he says.

That doesn’t even speak to the other benefits that Web access management tools provide, Kness says. “In my experience, it provides a very clean mapping between authorization, personalization and customization.” He defines authorization as knowing what each visitor is allowed to have; customization as what each visitor wants to have; and personalization as what T. Rowe wants them to have.

“When you can manage users and provide tailored information, that’s where the real return occurs,” says Joe Duffy, global leader of PricewaterhouseCoopers’ Security and Privacy Practice. “That’s when you harness the power of identity.”