MIM 2016 and ADFS: Build an IDAM system and get a Return On Investment (ROI) in 2 yrs

I want to discuss how implementing an Identity and Access management system (from scratch) can produce a higher IT maturity level and give the business a reasonable Return on Investment (ROI) for their IDAM in 2 years.

This paper is based on my experience as an IDAM Architect who has defined IDAM strategies for Corporations, developed IDAM systems (using Microsoft products) from scratch, developed supporting IDAM staff and advised IT management on the econometrics of an IDAM investment.

The Current Environment

Here is a typical case I have seen in a number of corporations. It may sound like a worst-case scenario, but it is surprisingly more common than you would imagine. The maturity level is 1, there are a lot of manual processes, and I call it a “market place”.

Characteristics

  1. There is a Service Desk (SD) that services all requests, including IDAM.
  2. There is no dedicated IDAM team at Level 1/2/3 support.
  3. There is no formal self-service request system.
  4. Requests to the SD are made by phone call or email.
  5. There is no IDAM system in place.
  6. Active Directory access is managed by everyone and anyone who wants to.
  7. Active Directory elevated access is given to anyone in IT who asks.
  8. There is no approval of identity change requests such as office address, name change or title.
  9. There is no entitlement review process or attestation for accounts and groups.
  10. Identities are not deleted at end of life. There is no formal end-of-life disposal. [That will be interesting now with GDPR requirements]
  11. Password changes are done via Outlook or the SD.
  12. There is no connection between HR and IT systems.
  13. HR feeds IT with daily spreadsheets.
  14. Group membership is manually managed.

What is the cost of all this?

Let’s look at the number of IDAM tickets or requests that get to the SD and to IT Level 2 or 3. IDAM currently occupies 75% of all ticket requests.

IDAM requests by type:

  • Password Issues – 55%
  • User Provisioning – 35%
  • User Identity Management – 15%
  • User Deprovision – 5%

In estimating the hourly cost below, I do not count the indirect cost (benefits etc.), which is more of a collective cost; I am looking at the direct cost for the individual or skill level. The individuals below have limited IDAM skills, as IDAM is only one of their many assigned tasks.

Time spent on each request type, by support tier, and the resulting cost:

Request Type         Service Desk   Level 2   Level 3   Weighted Average   For 1000 IT requests
                     $25/hr         $45/hr    $65/hr    cost/hr
Password Issue       70%            15%       15%       $35                $14,375
User Provisioning    25%            50%       25%       $45                $11,812
User Management      35%            40%       25%       $43                $4,837
User Deprovision     25%            50%       25%       $45                $1,687
Total Cost                                                                 $32,711

So for 1000 IT tickets, 750 are for IDAM issues:

  • Password issues – 55%; let’s use one hour to fix each, $14,375
  • User Provisioning – 35% = $11,812
  • User Management – 15% = $4,837
  • User Deprovision – 5% = $1,687

The Future Environment

We are going to deploy MIM 2016 SP1 and Active Directory Federation Services (ADFS).

The organizational goal is maturity level 3.

Business Requirements

  1. Connect HR to AD through MIM.
  2. Give users one common ID via MIM.
  3. Deploy self-service password reset.
  4. Automate provisioning of all types of AD accounts (service, regular, admin, etc.).
  5. Automate access assignment and new-employee onboarding.
  6. Provide Single Sign-On (SSO) for key applications.
  7. Provide self-service user requests for identity changes to attributes not owned by the HR system.
  8. Provide account and group attestation.
  9. Provide centralized group management.
  10. Provide IDAM knowledge transfer.

Deployment Cost

Hardware – 5 VMs

License –

  • SQL – 1
  • W2016 – 5
  • MIM Portal – 1
  • Visual Studio 2017
  • SharePoint Foundation (free); otherwise the license cost for SharePoint Server.

Human Resources

  1. Consultant 1 – 1700 hrs @ $175/hr
  2. Consultant 2 – 700 hrs @ $175/hr
  3. Internal IDAM FTEs – 1000 hrs @ $75/hr [Hire during project]
  4. Architect – 600 hrs @ $275/hr
  5. PM – 250 hrs @ $135/hr

Infra Maintenance cost

Servers [backup, monitoring, patching, rack space cost] – $5k/month

License renewal

  • SQL – 1
  • W2016 – 5
  • MIM Portal – 1
  • Visual Studio 2017
  • SharePoint Foundation (free); otherwise the license cost for SharePoint Server.

New IDAM Team

These staff members specialize in handling IDAM issues. Again, I do not count the indirect cost (benefits etc.), which is more of a collective cost; I am looking at the direct cost for the individual or skill level.

  1. Level 1 (SD staff focused only on IDAM issues) – 3 dedicated IDAM FTEs for every 35k users (minimum 2) @ $45/hr
  2. Level 2 (handles IDAM servers, deployment, upgrades, issues) – 2 dedicated IDAM FTEs for every 55k users @ $75/hr
  3. Level 3 (senior consultant or architect; reviews current and future business plans and advises on how IDAM can fit into those plans) – 1 dedicated IDAM FTE for every 100k users @ $115/hr

IT Ticket Operation

IDAM share of all IT ticket requests:

  • Post-deployment YR1 – 65%
  • Post-deployment YR2 – 35%

IDAM requests by type, as a share of all IDAM tickets:

Request Type         Post-deployment YR1   Post-deployment YR2
Password issues      60%                   55%
User Provisioning    20%                   20%
User Management      15%                   18%
User Deprovision     5%                    2%

Cost

We assumed earlier that support would spend 1 hr on a ticket. Because specialization has been introduced, we expect less time to be spent per ticket; I will put it at 0.6 of an hour per ticket, compared to 1 hr when the organization had non-specialists.

Time spent on each request type, by support tier, and the resulting cost in each post-deployment year:

Request Type         Service Desk   Level 2   Level 3   Weighted Average   For 1000 IT requests   For 1000 IT requests
                     $45/hr         $75/hr    $115/hr   cost/hr            YR1                    YR2
Password Issue       90%            10%       0%        $48                $11,232                $5,544
User Provisioning    75%            20%       10%       $60                $4,680                 $2,520
User Management      80%            15%       5%        $53                $3,100                 $2,003
User Deprovision     80%            15%       5%        $53                $1,033                 $222
Total Cost                                                                 $20,045                $10,289
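To make the arithmetic behind both cost tables explicit, here is an added Python model (not from the original article) that takes the tier rates, ticket mix and time splits from the page's tables and reproduces the per-row costs for the current state and for years 1 and 2 after deployment. It assumes the weighted rate is rounded to whole dollars before multiplying, as the tables show, and it uses the provisioning split exactly as printed (75/20/10); with these inputs the current-state password row comes out at $14,025 rather than the $14,375 printed above, while every other row matches.

```python
from fractions import Fraction as F

# Hourly cost per support tier, in the order (Service Desk, Level 2, Level 3), from the page.
CURRENT_RATES = (25, 45, 65)
FUTURE_RATES = (45, 75, 115)

# Request mix: name -> (percent of IDAM tickets, percent of ticket time at each tier).
CURRENT_MIX = {
    "password": (55, (70, 15, 15)),
    "provisioning": (35, (25, 50, 25)),
    "management": (15, (35, 40, 25)),
    "deprovision": (5, (25, 50, 25)),
}
# After deployment the tier split is the same in both years; only the ticket mix changes.
# The page prints the provisioning split as 75/20/10 (105%); it is used here as printed.
FUTURE_SPLIT = {"password": (90, 10, 0), "provisioning": (75, 20, 10),
                "management": (80, 15, 5), "deprovision": (80, 15, 5)}
FUTURE_MIX = {1: {"password": 60, "provisioning": 20, "management": 15, "deprovision": 5},
              2: {"password": 55, "provisioning": 20, "management": 18, "deprovision": 2}}
FUTURE_IDAM_PCT = {1: 65, 2: 35}  # share of all IT tickets that are IDAM, by year

def weighted_rate(split_pct, rates):
    """Blended $/hr for one request type, rounded to whole dollars as the page's tables do."""
    return round(sum(F(p, 100) * r for p, r in zip(split_pct, rates)))

def scenario_cost(total_tickets, idam_pct, hours_per_ticket, rates, mix):
    """Cost by request type for `total_tickets` IT tickets, `idam_pct` percent of them IDAM.
    mix: name -> (percent of IDAM tickets, tier split). Exact arithmetic via Fraction."""
    idam_tickets = F(total_tickets * idam_pct, 100)
    costs = {}
    for name, (cat_pct, split) in mix.items():
        tickets = idam_tickets * F(cat_pct, 100)
        costs[name] = tickets * hours_per_ticket * weighted_rate(split, rates)
    costs["total"] = sum(costs.values())
    return costs

def current_state(total_tickets=1000):
    """Market-place state: non-specialists, 1 hr per ticket, 75% of tickets are IDAM."""
    return scenario_cost(total_tickets, 75, F(1), CURRENT_RATES, CURRENT_MIX)

def post_deployment(year, total_tickets=1000):
    """Specialist team at 0.6 hr per ticket, for year 1 or 2 after MIM/ADFS go-live."""
    mix = {name: (pct, FUTURE_SPLIT[name]) for name, pct in FUTURE_MIX[year].items()}
    return scenario_cost(total_tickets, FUTURE_IDAM_PCT[year], F(6, 10), FUTURE_RATES, mix)

def annual_saving(year, total_tickets=1000):
    """Ticket-handling cost avoided per `total_tickets` tickets versus the current state."""
    return current_state(total_tickets)["total"] - post_deployment(year, total_tickets)["total"]
```

Change the ticket volume, the IDAM share or the hours per ticket to see how sensitive the savings are to those assumptions, which is what the summary below warns about.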

Summary

So the cost per IDAM request will go down because specialization is introduced, but the net result is more holistic than cost alone.

  1. A more stable directory
  2. A more efficient IT operation
  3. Increased automation, reducing the impact of staff changes
  4. Faster processing of user requests
  5. A more secure environment
  6. Lower operating cost
  7. The ROI, being a factor of the savings, depends on the current number of tickets

There are several assumptions made here. It’s not easy to manage this organizational change. I have done change from the top down and change from the bottom up. Neither is easier than the other; without a strong visionary leader and knowledgeable IDAM support staff, it is easy to slip back to the market place, and then we can throw all these numbers out.