While the needs and benefits of IdM are real, many companies feel challenged to build a business case and show the potential ROI for this type of project. But don’t let number-crunching intimidate you! In a world of financial uncertainty where there are many competing technology investments, it’s more important than ever to show financial justification for your IdM strategy and direction.

To help you get started, we’ve developed four steps to consider when building your business case for a governance-based IdM strategy, focused on explaining the technology’s potential for delivering demonstrable ROI to the organization:

1. Internal needs assessment: Begin the evaluation process by first determining what the most pressing IdM issues or opportunities your organization is facing.
2. Baseline costs: Quantify how many and what types of resources are currently being spent on IdM processes (including manual labor costs).
3. Set project goals: Formally define your goals of the project and the expected benefits to the organization.
4. Build the financial model: Estimate how much your project will cost (technology, services, personnel) and then project how the project will save the organization time and money.

One of the keys to building your business case is to provide real-world examples of the tangible and repeatable benefits and cost savings that can result from your IdM project. SailPoint often partners with our customers to provide insight and help throughout this process. Below are some ROI stats that our customers have reported when demonstrating the ROI on their projects:

• Saved 50 full-time employees annually in controls testing and documentation on a project that spanned 600 applications across 28 countries.
• Reduced IT Operations costs by $800k annually by automating the de-provisioning of terminated employees.
• Slashed time spent on compliance by 66% by completing user access reviews in just 4 weeks instead of 3 months.
• Achieved 30% reduction in excess entitlements after the first user access review cycle.

We recently hosted a webinar that delves further into this topic. If you are interested in more details, you can access the free on-demand webinar here. The topics and real world use cases covered in the webinar are designed to help you define clear goals for your project and map out a compelling business case. Check it out!

SailPoint IdentityIQ was the obvious choice because it delivered identity governance and provisioning capabilities in a single solution. It was also immediately evident that it would be easy for our business managers to use, and provided us insight into the risk associated with user access.

We always enjoy sharing customer success stories, but I find this one particularly exciting, because it highlights three dramatic shifts that we’ve seen in the provisioning market over the past half-decade:

1. Customers are looking for solutions that tightly integrate the functions of identity compliance (capabilities including user access certifications, policy enforcement, and risk analysis) with provisioning activities;
2. Customers need a solution that is business friendly – that is, allows non-technical users to participate in IdM processes; and
3. Customers demand fast time-to-value from their provisioning projects (a historical weak point for first generation provisioning solutions).

A core tenet of SailPoint’s next-generation approach to identity management is that identity compliance and provisioning need to operate hand-in-glove to provide coordinated preventive and detective controls. To do this both effectively and efficiently, they must leverage a single identity warehouse, a single role model, and a single policy catalog. To do so otherwise requires a burdensome amount of coordination and synchronization of different internal repositories, rules, roles, and models between product components – which is a time-consuming and expensive deployment exercise, as well as an operations headache. As a case in point, because IdentityIQ’s compliance and provisioning components are architected on a single governance platform and identity warehouse, CUNA Mutual was able to streamline their deployment and leverage a single role model and SoD policy model across both access certification and provisioning activities.

Slowly but surely, we’re hearing the growing recognition that the basic requirements for user provisioning have shifted dramatically with respect to ease of use. At the Gartner IAM Summit in London in March, one of the Gartner analysts echoed this trend by pointing out that:

Today’s IAM buyers expect ease of use, well-designed interfaces, wizard-driven setup, mobile-ready interfaces, and quick and predictable deployments. You are not likely to get this from traditional provisioning vendors … Vendors like SailPoint who are not even on the [2010 User Provisioning] Magic Quadrant can be a perfect fit for your needs.

These are exactly the requirements that customers have been communicating to us for years, and it’s what SailPoint is delivering to the market. We have invested heavily in developing business-friendly user interfaces (designed for non-technical users) that provide meaningful context to identity data – something no legacy provisioning solution can claim. IdentityIQ’s user interfaces are intuitive and make it easy for line of business managers to work hand-in-hand with IT and compliance personnel in minimizing risk and providing higher levels of service. This was an important consideration to CUNA Mutual, who knew that enabling non-technical users from their business entities and external partners with minimal training was key to the successful rollout of the solution.

Lastly, I think it is interesting to note that CUNA Mutual was up in production with SailPoint’s compliance and provisioning solution less than six months after we announced the availability of our provisioning capabilities. This demonstrates just how much we have learned since first-generation provisioning products about architecting solutions that provide fast time to value to customers. Reducing workflow complexity, providing a flexible role model, and taking an agnostic approach to last-mile resource connectivity are just a few of the innovations that SailPoint has built into our products that allow for these significant gains in time-to-value.

We realize that our perspectives and approaches to provisioning are new to some in the market. And while most everyone agrees that legacy provisioning solutions are not designed to meet today’s new IdM requirements, change always takes time. We knew our governance-based approach would help simplify implementation and deliver results much more quickly. And as we were able to report with CUNA Mutual, we were right!

The goal of our Users Group meetings are to foster a community among our customers to share best practices and provide new perspectives on challenges. By far the most interesting part of the day was hearing project updates from each customer and listening to the interactive dialog between companies addressing the same set of identity governance challenges. Our customers face a lot of common issues and challenges – spanning technology, project scope, staffing, organizational change management, executive support, etc. Many creative ideas were shared about how to speed deployment, accelerate adoption, get stronger buy-in from business users, and deal with constant organizational change.

Two “hot topics” of discussion during the day were role management and provisioning. We devoted a significant amount of the discussion on role management best practices, which proved to be a very popular topic. Some of the customers attending have very advanced role management projects and were able to share a lot of insights to their peers. We’ll plan to address some of the more common questions around roles in future blog posts. Another interesting discussion was focused governance-based provisioning, driven by a demo of SailPoint’s Lifecycle Manager (released in April 2010). Although provisioning deployments weren’t a focus of the User Group, it was definitely on the minds of the attendees – many of whom are in the early stages of rethinking their current provisioning implementations.

Regardless of whether a customer is just beginning to deploy identity governance or is two years into their implementation, our users tell us the knowledge and networking from these events is incredibly helpful. SailPoint also appreciated the opportunity to preview future IdentityIQ updates and solicit valuable feedback on our product roadmap. I’d like to send a big thanks to our customers that attended this Users Group!

For our customers who read this blog, I’d like to invite you to attend future meetings. Our quarterly Virtual Users Group is this Thursday, November 4^th. We’ll also be hosting two Users Groups in early-2011- one in the northeast and our first international one. Stay tuned for more details on both of those.

During a phase of dramatic company growth in the 2003-2005 timeframe, Humana set out to improve its user onboarding processes, which were particularly painful in high-growth and high-churn areas of the business. Andy described how Humana’s early IAM projects progressed through a “Peak of Inflated Expectations” phase, then descended into the “Trough of Disillusionment,” as initial enthusiasm and commitment for the IAM program waned. During this period, there were many stops and starts, including a period where Humana considered throwing out its provisioning solution and starting over. But ultimately, the project found stability and success.

In the 2007-2008 timeframe, Humana’s priorities turned to regulatory compliance. SailPoint entered the Humana IAM program in 2008, when Humana selected IdentityIQ to automate access certification and policy enforcement. Andy described how SailPoint IdentityIQ helped Humana gain enterprise visibility to “who has access to what” and automated necessary oversight by IT and business managers. He concluded his presentation with the message that Humana had, after five years, climbed the “Slope of Enlightenment” and was reaping the productivity benefits of a mature IAM program.

Later that morning, Robert Mazzocchi, VP of Identity and Access Management at AIG, took the stage. Robert’s case study described how AIG addressed its compliance and risk management needs during an exceptionally volatile period of the company’s history – events that were exacerbated by AIG’s highly decentralized business units and lack of a centralized HR system. He described how AIG scoped its Global Access Certification project, with the goal of aggregating, correlating and certifying user and access data for high-risk applications that spanned geographies and operating environments.

Robert described how IdentityIQ helped AIG to create certification reports and send them for periodic processing to department and application managers, providing all necessary capabilities such as reminder notices, escalation, delegation, and status tracking and audit reporting. As he described how AIG was conducting global recertifications, Robert emphasized that AIG’s main driver for performing recertifications was to reduce corporate risk. He stressed the need to be able to identify high-risk users in the environment, such as privileged users. And to scope controls accordingly, so that the greatest oversight is applied where it’s needed the most.

For me, the customer presentations were the most compelling ones of the show because they connected the advice presented by the analysts previously at the show to real-world IAM projects. As a result, the attendees got invaluable exposure to first-hand accounts of successful IAM and identity governance projects, which will undoubtedly help them with their own projects.

It’s important to take a step back from your identity governance initiatives to make sure you’re addressing security and compliance challenges in tandem. It not only makes your approach more efficient, which is critical for teams with constrained resources, it ensures maximum effectiveness and value for your efforts and investment.

Take the case of a major insurance company that wanted to implement an identity governance solution to demonstrate proof of SOX compliance while reducing security vulnerabilities. The company is visionary when it comes to proactive risk management because its IT leaders were adamant that they improve security in addition to complying with the “letter of the law.”

With SailPoint IdentityIQ the company was able to quickly and easily aggregate, correlate and cleanse data for high-risk applications, and fully automate review and certification by line managers for 45,000 users. Out-of-box reports now provide visibility and proof necessary for internal and external audits without the need for time-consuming data gathering and compilation. And equally important, the project has lowered risk and improved security through the elimination of orphan accounts, excess privileges and SoD policy violations.

Kevin also discusses the value of identifying “quick wins” to achieve incremental process and garner on-going executive support for your project. You can read all of Kevin’s advice in the September issue of NAVIGATE, available here.

Charlie’s presentation began with the intriguing comment “Roles are like communism. They sound pretty good on paper, but the real challenge is trying to implement them in the real world.” From this introduction, Charlie went on to describe how the bank embarked on the process of aggregating and correlating entitlements across 24 compliance-relevant applications and building roles to improve oversight during quarterly access certifications.

He shared several of the challenges that the bank had to overcome to better address its compliance and security requirements. Prior to implementing SailPoint IdentityIQ, the institution performed access certifications using “Excel over Outlook.” There was a lot of frustration in the various departments because managers were being hit constantly by differing organizations asking them to review and approve access privileges. Charlie also talked about the difficulty of certifying user access because reviewers could not understand cryptic entitlement descriptions. Two of the bigger takeaways from his presentation were the need (and challenge) of getting businesspeople to participate in role definition and maintenance and the importance of cleansing data before mining for roles.

Charlie summed up the results of the bank’s role management project as “making compliance simpler, reducing corporate risk from proliferation of access privileges, and improving control of the entire account lifecycle.” After completing his presentation, he took quite a few questions from the audience and shared some valuable insights. Here are a few of the questions – along with Charlie’s answers.

Question: Did you use role mining to create roles?

Answer: We created our initial set of roles using an interactive process between IT and business groups, in parallel with doing entitlement aggregation and cleanup. SailPoint IdentityIQ supports role mining, but in my opinion mining is not effective until after you’ve gone through and cleaned up your identity data. Dirty data yields dirty results, so it’s important to go through a certification and cleanup cycle before you do role mining.

Question: How many roles did you create?

Answer: I’m not sure of the total number. It really depends on what parts of the organization you’re talking about. For example, in our branches, we need only a limited number of roles, like 5. It’s completely different in our back-office environment, where we have many more systems and functional groups and the number and complexity of roles is a lot greater.

Question: How do you get business users to maintain roles over time?

Answer: We are using the access certification process to ensure regular oversight of roles. SailPoint IdentityIQ automates the certification of both role contents (entitlements that make up a role) and role membership.

Question: How long did this project take?

Answer: It took us about 6 months from the initial design through the final user acceptance testing.

As you can see, Charlie presented a pragmatic example of implementing role management in the financial services world. And as Charlie pointed out, success comes by defining a working process between business and IT and deploying the right tools for people to accomplish defined objectives.

I’ll end with another quote about communism (this time from Will Rogers): “Communism to me is one-third practice and two-thirds explanation.” Continuing with the analogy to roles, I say let’s cut down on the explaining and focus on the practice!

What do you think?

We participated in a round table discussion where a vice president of enterprise security at a national bank presented a case study on how the bank is using SailPoint to solve its identity governance challenges (I don’t have permission to name the customer, so I’ll refer to him as “Charlie Iso”). This was a great opportunity for other CISOs to hear firsthand from one of their peers who is successfully managing IT access controls for security and compliance, while proactively mitigating IT risks associated with access privileges.

Based on his experience, Charlie shared the following pieces of advice:

• Establish an accurate baseline of identity data before initiating governance processes like access certification and role management. For the bank, this involved aggregating and correlating data from 20 different applications in phase 1, with a planned expansion to over 100 applications.
• Recognize the need to provide business friendly data and tools to managers performing certifications. In order to share accountability between IT and business managers for access certifications, Charlie and the IT organization had to ensure those managers understood what they were approving from a business perspective.
• Don’t let previous technology investments limit the scope of your governance program. To provide transparency and oversight over all the bank’s systems at risk (over 100 applications), it was necessary for the bank to look beyond its provisioning solution to a specialized identity governance solution.

The session was very interactive, with the room asking for additional details about application priorities, project staffing, timing, and data integration challenges. I think the audience appreciated the peer-to-peer discussion, and many left with actionable advice. For those of you who didn’t attend, the SailPoint Buyer’s Guide captures best practices from our customers on many of the topics Charlie addressed.

This year, the companies I’m meeting are facing hard deadlines to get their houses in order because many organizations that originally dodged the compliance bullet are now likely to face tough identity-related questions from their executive management. There is now widespread recognition of the need for increased focus on corporate controls around access management – an area that IT auditors are scrutinizing more than ever (In fact, Deloitte’s 6th Annual Global Security Survey points to 10 problems revealed by IT auditors – and the majority are identity-related issues. CIO Insight also posted a slideshow on the survey).

It’s refreshing to see companies moving quickly to proactively get ahead of the curve and begin to implement a identity governance strategy. Of course, my favorite examples are those where SailPoint is helping to make organizations successful with that strategy. One of our customers perhaps said it best recently:

By implementing SailPoint IdentityIQ, [we have] benefited from enterprise-wide visibility into and control over our identity data. We’ve been able to proactively mitigate business risk associated with weak user access controls, map employee access to the risk ranking of our applications based on Sarbanes-Oxley and other regulations, and work closely with business managers to ensure user privileges follow our corporate policies.

If you’d like to learn more, we have a series of webinars available that detail various identity governance best practices. Be sure to check back, as we add new topics each month.