In times of economic downturn, the pressure is on to save costs and increase efficiency. Everybody working in the IT sector will be familiar with projects being put on hold, spending being frozen, and colleagues being laid off. Unsurprisingly, most of those left working in IT departments see their workload and working hours increase, as they are asked to deliver more with fewer resources. These are the typical signs of a dire economy that may or may not be starting to turn around slowly, but those particular problems are not going away any time soon.
With the current squeeze on cost and corporate spending, many IT departments find themselves in a true quagmire. On one hand, the IT industry is focusing on efficiency like never before, elaborating new approaches and processes to do more with less. Governance and risk management are a big issue, and their lack has greatly contributed to the current crisis. IT is under scrutiny to be more of a business enabler and less of a cost center. All of this requires change, new technology, and strategic vision. But as IT spending is reduced or even capped, this creates a Catch-22 situation. Under pressure, some IT departments try more tactical approaches that can eventually be expanded into a broader strategy. Quick wins are needed to get there.
So what are the quick wins that can be made in identity and access management? In order to get projects approved, many IT directors have to demonstrate a return on investment that must be almost immediate. I have heard of projects not getting approval unless ROI can be demonstrated in six months or in some cases even less. The good news is that there are some pockets of "low-hanging fruit" in identity management that have a very immediate ROI. But keep in mind the old wisdom of "think big – start small – grow big". Ideally your "quick wins" should be stepping stones in a broader, transformative strategy to deliver more value.
A good start is always consolidation. This can save money in staff time, server resources, license and support costs. For ROI calculations, the license and support costs will usually not translate into savings until a later date, but savings in staff time and server resources are usually immediate. Consolidation projects are also a vital step to get your house in order for a broader strategy to improve efficiency. Besides, consolidation is simply good practice and is usually easy to get approved when the ROI case can be made. The key here is to get the maximum benefit while spending the minimum of time and money.
In identity management, this is a good time to review the number of identity data silos in your enterprise and think about eliminating some through consolidation. A good way to do this is with virtual directories. Often applications are installed with their own directory server. Identity data is then duplicated through provisioning systems or synchronization mechanisms. Virtual directories can help eliminate some of those extra directory servers by allowing multiple applications to have multiple “views” of the data whilst connecting to the same physical data source.
The Evergreen: Login and Password simplification
It is a well-known fact that most users have a problem with passwords. Not only do they tend to forget them and then need help from the service desk to reset them; it becomes exponentially worse when users have multiple different passwords that need to be remembered and changed at different intervals. It should therefore come as no surprise that projects that simplify the "password mess" are highly visible. The ROI is also well documented. However, comprehensive single sign-on is complex, lengthy and expensive to implement.
When password simplification is done in smaller steps, however, the value can be immediate. Because this has high visibility from the standpoint of the users, the perceived value is usually significant. Focus on eliminating either additional passwords or additional sign-ons. For example, if two systems are using different passwords, you can think about password synchronization between the two. If you already have a single sign-on system in place, there might be the possibility to add additional applications to it.
Roles and groups are used to give access to resources and allow users to do things. As more applications are deployed, the number of roles increases. Often, roles are created for one purpose and then subsequently re-used for another purpose by another department or application, which can create unwanted entitlements. Sometimes roles are forgotten and never reaped. After some time, it becomes difficult to tell who actually has access to what, and who authorized the access. This can be, and usually is, a big problem. For those organizations that are regulated – for example by the Sarbanes-Oxley Act or Basel 2 – lengthy reports must be provided to auditors that contain information about access to high-risk and high-impact applications.
Role management projects can address these shortcomings and enforce proper controls, set up workflows for entitlements and attestation of access. For these projects, ROI can be quick to materialize and implementation time can be fairly short when – and this is important – priorities are set to focus on the most critical applications first. Once the initial quick wins are demonstrated, additional systems and applications can be added subsequently to the role management system.
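As an added illustration (not part of the original article), here is a minimal first-pass role review covering the problems described above: roles nobody holds, roles re-used across applications, access with no recorded approver, and entitlements that have gone unused, reported with the most critical applications first. All role, user and application names, the criticality scale and the 180-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): application criticality,
# which applications consume each role, and who holds each role.
CRITICALITY = {"payments": 3, "hr": 2, "wiki": 1}   # 3 = high-risk / high-impact
ROLE_APPS = {
    "fin-approver": ["payments"],
    "staff-all": ["wiki", "hr", "payments"],   # created for the wiki, later re-used
    "hr-admin": ["hr"],
    "legacy-batch": ["payments"],              # nobody holds it any more
}
# (user, role, approver or None, date the entitlement was last exercised)
ASSIGNMENTS = [
    ("alice", "fin-approver", "cfo", date(2024, 5, 2)),
    ("bob", "staff-all", None, date(2024, 5, 20)),
    ("carol", "hr-admin", "hr-head", date(2023, 1, 10)),
    ("dave", "staff-all", "it-lead", date(2024, 4, 30)),
]

def review_roles(role_apps, assignments, criticality, today, stale_days=180):
    """Return (role, top criticality, findings) tuples, most critical first."""
    report = []
    for role, apps in role_apps.items():
        held = [a for a in assignments if a[1] == role]
        findings = []
        if not held:
            findings.append("unassigned: candidate for removal")
        if len(apps) > 1:
            findings.append("re-used by " + ", ".join(sorted(apps)))
        for user, _, approver, last_used in held:
            if approver is None:
                findings.append(f"{user}: no recorded approver")
            if (today - last_used).days > stale_days:
                findings.append(f"{user}: unused for over {stale_days} days")
        if findings:
            report.append((role, max(criticality[a] for a in apps), findings))
    # Highest-criticality application first, then role name for stable output.
    return sorted(report, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for role, level, findings in review_roles(ROLE_APPS, ASSIGNMENTS, CRITICALITY, date(2024, 6, 1)):
        print(f"[criticality {level}] {role}: " + "; ".join(findings))
```

In practice the inputs would come from directory and application exports, and the findings would feed the attestation workflow rather than trigger automatic removal.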
As usual, those who take a good long-term view are rewarded most in the long run. But when strategic initiatives are out, and the thinking is tactical, the above-mentioned areas have shown the potential for quick wins. These quick wins have additional benefits because they can be everybody, but that cannot be an excuse to do nothing – those who are smart and creative will be able to push ahead in front of others. Hopefully these ideas will help you deliver value in these tough times.