The costs of Identity and Access Management

After looking at the most important benefits of Identity and Access Management and the increased security levels you can achieve with Identity and Access Management and its strategic benefits to the enterprise I will now look in part (3) of my little blog series on “Measurable IAM benefits – an infrastructure task” at the costs of identity and access management in more detail e.g. software licenses, maintenance, implementation and operating costs. How do you do an IAM cost calculation?

Cost Driver of Identity and Access Management

So what are the main costs of Identity and Access Management?

The costing of Identity Management solutions includes the following elements:

• software licenses and manufacturers’ maintenance costs,
• external and internal implementation costs,
• implementation of a roles concept, where necessary,
• operating costs.

Software licenses & manufacturer’s maintenance costs

The core of an Identity and Access Management solution is usually the software providing the required functions (automated resource allocation or provisioning for all connected systems from the host up to web applications, workflow, password management, Single Sign-On, synchronization of directories etc.).

The pricing models of most manufacturers are based on the number of human users administered by the software throughout the enterprise on the one hand, and on the number of modules used (administration components and connectors for the connected systems) on the other hand. Maintenance fees usually include upgrades of the connectors to integrate 3^rd party software e.g. SAP and the likes.

External and internal implementation costs

The costs of implementation depend on a project’s execution and the implementation methods chosen. The implementation costs consist of internal and external costs.

The internal costs are determined by the following main factors:

• Preparation costs: These include on the one hand the costs of the product evaluation and of at least one Proof of Concept for the product chosen or for the last two or more candidates. On the other hand costs for concept preparation are also incurred: considerations about a federated administration concept, selecting systems to be connected and analyzing data quality in those systems, determining which parts of the organization will be involved and setting up the project team.
• Costs of the implementation phase: Technical employees (systems maintenance, architecture, maintenance and sup-port for databases/directories, production) and employees from various areas of the organization (corporate organization, data security, auditing) are all involved in implementation. Project controlling, including coordinating the sections involved, must also be taken into consideration.
• Ongoing operational costs: Here the costs of the system’s productive operations and of change management need to be accounted for. The latter also includes the maintenance and upgrade of the necessary hardware and software, the maintenance of roles and their adjustment to organizational changes (see also [KKSM02]).

External costs are incurred for installation, setup, training and any customization of the product by a team from the software vendor or by a systems integration specialist.

Experience has shown that implementation costs can only be correlated with software costs with some difficulty. A corridor of 20-40% percent of the total costs is usual for clearly defined medium-sized projects. Using the complexity of an implementation as an indicator of implementation costs is also difficult because of the many effects which, in the case of Identity and Access Management, are included in this indicator, such as Directory Implementation for example, But I do not want to go into more detail on this issue here.

IAM cost calculation: Total costs

I want to give you an example of an IAM cost calculation: The total costs (license fees and internal and external implementation costs) of an average project for a company with 20.000 users, and 4 system types supported by an Identity and Access Management System (e.g. Windows, Unix, Mainframe and SAP) usually exceed 1 million Euros.

Coming back to the first two parts of my little blogs series I want to give the Return on Investment some thoughts: The Return on Investment becomes evident when the costs and benefits for a specific period are compared. In the case of Identity and Access Management projects, this period should be about three years. In order to reach the break-even point as quickly as possible, a company should pursue the strategy of implementing and rolling out the IAM solution initially for 3 or 4 core systems connections. The benefits will then be quickly achieved for these systems. This rollout could be completed within 3-4 months. After this, further target systems and administration modules can be successively integrated into the solution. Experience has shown that the break-even point will be reached in about 12-15 months.

Conclusion

Identity and Access Management solutions provide countless approaches for concretely and reliably calculating benefits and Return on Investment. The focus is on the abolition or simplification of user administration. Increased end user productivity can also be an important benefit. This can be reliably measured if the effects of the non-availability of resources on the productivity of end users in a company can be assessed.

Another important area is increased security levels. These can be evaluated in money terms using risk management methods. One-off effects and long-term strategic benefits can also be demonstrated.

Legal regulations, the growing influence of security aspects on the corporate business model and the economic necessity to make business processes more efficient will all increase the importance of quantifying the benefits of Identity Management and the IAM cost calculation.

For any further information please contact Beta Systems Software at iam@betasystems.com