Home » Data Protection » Network Security

Industry View

Recession Makes IAM Crucial

Identity and Access Management technology is the key to defending organizations from threats stemming from the economic downturn, a Forrester analyst argues

By Andras Cser, Principal Analyst, Forrester Research

Page 2

Integration with SaaS applications leads the way to IAM outsourcing. SaaS applications can be integrated seamlessly into the corporate IAM ecosystem, and provisioned and deprovisioned with user accounts. Doing so forces firms to rethink their identity management infrastructure. This refactoring of identity services is fairly common, and it creates a reusable, lower-cost identity fabric if done properly. This identity fabric then yields itself to the partial -- or even full -- outsourcing of identity management to managed security services providers (MSSPs) like Covisint, FuGen, Simeio Solutions, Symplified, VeriSign, Wipro.

It is also important to note in these economic times that the IT organizations that have deployed IAM solutions are helping to reduce costs on IT administration by automating the process of adding, modifying, and deleting users, minimizing audit remediation costs by controlling access to critical enterprise resources like ERP, Web, and thick client applications, and avoiding or reducing the cost of a data breach.

Despite the cut in costs that IAM may provide, security budgets have traditionally been difficult to defend in organizations. Executive management views security and IAM investment as something of a checklist item that will help the company get through an audit, or as a hasty follow-up measure after a security incident (system or data breach, etc.). IT managers should still be prepared to provide hard and fast numbers and statistics when discussing these items with your budget approvers.

Measure the impact of an IAM rollout using easy metrics that translate into dollars. Nothing conveys the value of the IAM project better than its contribution to reduced call center costs due to fewer helpdesk calls, fewer audit findings -- and thus lower cost of mitigation of audit findings around user access recertification. An additional benefit is improved productivity of adequately provisioned users (having all access to applications when they start versus having to wait two to three weeks for all access to be granted).

Treat IAM as mission-critical infrastructure, not an application, regardless of the economy. If your Web access management infrastructure stops working, it usually means business also stops. The people and organizations responsible for maintaining this infrastructure and the policy definitions for it are indispensable in making sure it continues to directly support business.

Use IAM to support facts-based reorganization and savings. Information in IAM systems (access logs to applications in enterprise SSO and Web SSO systems, your role-based access-control policies, usage statistics of who's using what application based on their role, etc.) can be used as direct evidence of which functions of the company need to be outsourced and why.