IT professionals often have trouble convincing the budget managers that the often costly projects in Identity and Access Management (IAM) are really necessary. That should come as no surprise, since most of them belong to the category “IT infrastructure”, and it’s always hard to show a true ROI on something as fundamental as that. However, in lean times like these the boss man is more inclined than ever to demand a return any type of expenditure.

So what is the poor IT guy to do? One way is to use "soft" sales arguments, and that's why compliance has become so popular recently. It helps, of course, that regulatory compliance actually is a big issue nowadays. However, most compliance demands tend to be rather fuzzy, and besides, IT people aren't lawyers so they tend to lack hard answers when asked by business managers to provide particulars about certain items of compliance legislation. And even if they do, the other side usually fires back something like "SOX doesn't concern us anyway!"; conveniently overlooking the fact that there is much more to compliance than SOX - or to put it another way, compliance starts way before SOX.

There are such things as data protection laws, for instance. And the public has a nagging habit of asking who actually has access to which sets of data and how in tarnation did they just get leaked again! Auditors are also prone to ask unpleasant questions about compliance issues concerning both external and internal regulations. The word "compliance", after all, means following the rules.

Data protection is actually a good example since it shows what IAM is really all about. Identity and Access Management, after all, isn't just an end in itself. Neither is it some purely theoretical problem. Instead, it's the result of a relatively simple demand that has been around since the early days of IT, namely: „Make sure our information is safe!"

Part of IAM's job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about "access" rather than about "identity". The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what - and who isn't. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.

Good IAM is the fundament on which to build information security - nor else not. Individual measures such as banning or monitoring things like USB sticks can help, but only if they are part of an overall system. Companies today need an "access strategy" which determines who is allowed to do what in my system. That cannot be done by a trying to apply and enforce a bundle of unconnected ad-hoc measures.

So selling IAM is actually quite easy, if you think about it. All you have to do is put it in the context of information security and risk management. The danger of losing intellectual property, of being caught ignoring the law or of corporate systems being compromised should be strong enough arguments for even the most hard-headed boss. At least they are stronger than trying to sell IAM as a technology and as yet another part of the company's IT plumbing. Yes, IAM is an essential infrastructure component, but it is also much more than that - namely the basis for a comprehensive security concept and a good investment in more IT security.