Building A Business Case For Identity And Access Management (IAM)

Today's Identity and Access Management offers more than just peace of mind that the right individuals have access to the right resources. IAM tools include policy management and automation, as well as a level of self-service.

A common theme in the enterprise IT space over the past several months has been an emphasis on IT security. IT decision makers are now more clear-eyed about how they spend in this domain. So even though implementing identity and access management (IAM) software is pretty much table stakes, don't think for a moment that you won't need to justify it in dollars and cents.

IAM Decision Drivers

Start thinking about business justification for IAM software by recalling how you explained the costs and benefits of technology with similar functionality (network access control (NAC) comes to mind).

Hitachi, which sells an IAM software suite into a crowded market, offers a stepwise business case methodology that is consistent with the approach we've used in past business case studies and upon which we now rely to backstop our own thinking.

The quantifiable benefits of identity and access management include:

  • More efficient onboarding and move-add-change (including termination);
  • Fewer security holes;
  • Improved regulatory compliance;
  • Reduced number of access-related contact center calls, as well as less time spent per such call.

Further, it's worth noting that an effective IAM suite will also reduce the number of login prompts and passwords that all end users must remember, and will also streamline the request/approval process, thus reducing a bothersome, hands-on management task.

Another potential benefit is the ability to get a new hire up to speed in hours instead of days. In the NAC case, we treated that as a hard, quantifiable benefit. Here we don't, going on the assumption that either the benefit has already been attained by a similar project, or that the CFO considers it a "soft" benefit and has disallowed it for analytical purposes. But we don't really need it.

Making The Case For IAM

We will follow the practice established in the NAC case of using a drop in the discount rate for pending projects as a metric for reduced risk.

Here's what the current state looks like:

Figure 1: Current costs to be impacted by identity and access management software adoption

The current state is predicated on these assumptions:

  • $45/hour fully burdened rate for contact center staff, $180/hour for regulatory counsel.
  • 160,000 help desk calls/year, 40 percent of which are access-related, of which 14,400 are for onboarding, termination or other MACs.
  • Despite the efforts of 1.5 full-time regulatory lawyers, the company expects to pay $2.4 million in fines and related costs.
  • Average access-related call lasts 10 minutes.
  • Growth and inflation are held to 0 percent to simplify the analysis.

You'll also notice a line for new ongoing costs, which is, of course, blank in the current state. In the target state below, we expect that the enterprise will retain its current 5,000 logon IDs and pay a SaaS provider $5/month for IAM services.

You have any number of possible IAM software solutions. In addition to the aforementioned crowded field of off-the-shelf solutions, there are open source options available to enterprises with sophisticated development capabilities. But then again, why even go with an in-house solution at all when there's software as a service? SaaS offers much lower up-front costs, and you pay monthly on a straightforward per-user basis.

The above "why even" statement isn't rhetorical. There are plenty of reasons, but those are for IT architects and strategists to decide upon. You might have a regulatory requirement to keep security on your own raised floor, or you might prefer a two-factor authentication approach that differs from those now offered via the cloud. If the decision is left to a humble financial analyst, though, we'll pick SaaS every time—including this time.

With all that in mind, we forecast this target state:

Figure 2: Target costs impacted by IAM software implementation

Turning to risk, the enterprise expects $8 million/year in added value resulting from projects, but these projects tend to be dicey and are assigned a 12 percent discount rate:

Figure 3: Projects' value-add before IAM

If, however, IAM is on the ground plugging security holes, the certainty that value will not be diluted by risk improves markedly:

Figure 4: Projects' value-add after IAM

Attaining the target state should be inexpensive, but that's not to say uncomplicated. Considering we've chosen a cloud solution in this case, capital costs are negligible. However, there will always be some design-and-plan work and, although implementation should be fairly straightforward, expect an iterative testing schedule.

The big spend would probably be on Human Resources; some people will need training, others will need retention bonuses and two or three might need to be provided with a severance package. Aside from those direct costs, you might need to fund preliminary projects related to building directories and ensuring that the contact center has the tools, processes and procedures in place to use the IAM solution to full effect.

One-time costs, then, would add up this way:

Figure 5: IAM one-time costs

Ultimately, it all comes down to cost-benefit analysis which, at a preliminary glance, is favorable but not overwhelmingly so:

Figure 6: Investment analysis: Cost reduction only

Once you factor in the reduced risk, though, it brightens considerably:

Figure 7: Investment analysis: Cost reduction plus risk reduction

Before presenting your IAM business case to the bosses, though, you should consider a couple of points. First, the risk reduction element might be considered a soft benefit by those making the decision and be tossed out, leaving you to rely solely on the cost-only analysis. Second, you need to understand the sensitivities involved in that analysis. Play around with the inputs for the annual allowance for fines and hourly contact center costs and you might be surprised.

Business Case Resources:

To help you get your business case for identity and access management (IAM) software off the ground, download this Excel calculator and PowerPoint template, which you can customize to your needs.

The Excel calculator will help you determine your current state, project costs, and target state. It includes all of the inputs you'll need so you can present the final analysis. The PowerPoint template will walk you through adding the analysis from the Excel calculator so you can present the information to your stakeholders in a logical way.

  >> Download Excel Calculator
  >> Download PowerPoint Template

To get a better understanding of the key metrics and math used in these resources, take a look at How to Build a Successful Business Case for an IT Project.
