by Roberta Witty

ROI Drives Identity and Access Management Implementation

Feb 06, 2003 | 5 mins
CSO and CISO | Data and Information Security

Enterprises are seeking cost-effective ways to manage user account and access rights. Identity and access management solutions, with substantial three-year return on investment, are the answer.

What You Need to Know

Gartner recommends that enterprises implementing identity and access management (IAM) solutions:

  • Obtain cross-organizational buy-in and form a cross-organizational project team. IAM implementations can result in enterprisewide changes in business processes, which may, in turn, raise political issues that can derail the implementation. Ensuring cross-organizational buy-in early in the project can mitigate this risk.
  • Obtain executive sponsorship. Enterprisewide IAM solutions can be expensive, but they also can result in significant savings to the enterprise. Return on investment will be increased by the inclusion of as many business units as possible.
  • Not expect to find one authoritative source for user data. A more desirable and achievable goal is to have one authoritative repository for user access information that can be used in managing a secure access control infrastructure.
  • Implement the IAM solution via a phased project approach. A sound understanding of the enterprise’s strategy for Web-based applications, directory services and portal use will help IT decision makers prioritize the implementation of the various solution components, such as user provisioning, extranet access management, password management and single sign-on, according to their importance to the enterprise. The time and resources required to integrate custom applications should also be analyzed because they can dramatically increase the professional service fees associated with the implementation.


A broad range of factors – including the demands of enterprise resource planning implementation, regulatory compliance issues and the pressure to contain costs – are intensifying the focus on how enterprises manage the processes associated with granting users access to business information. Identity and access management (IAM) solutions, which can offer three-year return on investment (ROI) in the triple-digit-percent range, are becoming essential tools for effective management of user account and access rights information across heterogeneous IT environments, for Web and non-Web applications. These savings are achieved mainly through reductions in application development, security administration and help desk staffing.

Prediction: Customer buying patterns will shift from best-of-breed solutions to product suites as enterprises recognize the complexity of IAM implementations.

As the number of internal and external users that need access to enterprise assets grows, driven by the increasing use of Web applications, managing the locations where user credential and authorization information is stored becomes a management nightmare. Enterprises no longer can manage users in multiple locations (such as external and internal directories, databases and operating systems) using multiple products (such as platform-specific security administration, portals, extranet access management [EAM] tools, user provisioning and password synchronization/reset tools) for multiple access purposes (such as business roles, password management rules and business-hour access rules).

By 2005, identity management solutions will perform user account and privilege management functions for internal and external users of Web and non-Web applications; user provisioning solutions will be the work engines for account creation and access rights mapping; and EAM solutions will perform real-time enforcement of user and transaction privileges for Web-based applications (0.8 probability).

By 2005, the complexity of IAM solutions will cause 60 percent of customers to choose product suites instead of best-of-breed solutions (0.7 probability).

Impact on 2003: Enterprises face increasing demand to reduce the cost of security administration (for example, the expense of software licenses and maintenance, training and help desk/security staff) and provide a secure access control infrastructure – that is, ensuring that users have access to the IT resources they need, at the time they need them, and that the enterprises can prove their adherence to sound practices in these areas. To satisfy these demands, enterprises require a set of integrated products that manage all information in all locations. In this environment in 2003, enterprises can expect:

  • Continued frustration and wasted money on the part of enterprises that have not defined user access and management strategies as part of their application development life cycles.
  • Continued downward pressure on per-user pricing for user provisioning and EAM products.
  • Further consolidation of user provisioning and EAM vendors through acquisition and in-depth partnerships.
  • Increased focus on self-service functionality (such as password reset/password synchronization and end-user registration) that targets additional cost savings.
  • Increased focus on workflow functionality to realize cost savings by reducing the time required to complete a user’s access request.
  • Increased focus on how custom applications, or those not supported “out of the box” by vendors, can be integrated inexpensively into an overall solution to reduce the professional services fees for custom code development.

Reacting in 2003: Enterprises that want to realize IAM’s benefits should:

  • Look for IAM vendors that have integrated user provisioning and EAM functionality at the product level through delivery from one vendor or repeated production implementations of vendors’ products.
  • Select a primary vendor, if using multiple vendors for the overall solution implementation.
  • Demand “proof of concept” – that is, a specific scenario to be implemented within a limited time frame – from shortlisted vendors to determine the solution that best meets enterprise requirements.
  • Select a solution that supports roles and rules to ensure a structured and dynamic access request fulfillment process.
  • Document all user access request fulfillment processes and procedures.
  • Use a systems integrator if the implementation will result in a large volume of business process change.
  • Align the selected IAM solution with the enterprise’s application development architecture to identify the part of the IAM solution to be implemented first (for example, user provisioning, EAM or password management).
  • Begin synchronizing user profile information across multiple repositories.
  • Ensure that contracts address merger or acquisition issues as protection against vendors going out of business.

Key Issue

How will enterprises manage the complexity of authentication and access control in a highly distributed world?
