I want to discuss how implementing an Identity and Access Management (IDAM) system from scratch can raise an organization's IT maturity level and give the business a reasonable Return on Investment (ROI) on its IDAM spend within 2 years.
This paper is based on my experience as an IDAM Architect who has defined IDAM strategies for corporations, built IDAM systems (using Microsoft products) from scratch, developed supporting IDAM staff and advised IT management on the econometrics of an IDAM investment.
The Current Environment
Here is a typical case I have seen in a number of corporations. It may sound like a worst-case scenario, but it is surprisingly more common than you would imagine. The maturity level is 1, there are a lot of manual processes, and I call it a "market place".
Characteristics
- There is a Service Desk (SD) that services all requests, including IDAM
- There is no dedicated IDAM team at Level 1/2/3 support
- There is no formal self-service request system
- Requests to the SD come in by phone call or email.
- There is no IDAM system in place
- Active Directory access is managed by everyone and anyone who wants to.
- Active Directory elevated access is given to anyone in IT who asks.
- There is no approval of identity change requests such as office address, name change or title.
- There is no entitlement review process or attestation for accounts and groups.
- Identities are not deleted at end of life; there is no formal end-of-life disposal. [That will be interesting now with GDPR requirements]
- Password changes are done via Outlook or the SD.
- There is no connection between HR and IT systems.
- HR feeds IT with daily spreadsheets.
- Group membership is manually managed.
What is the cost of all this?
Let's look at the number of IDAM tickets or requests that are sent to the SD and to IT Level 2 or 3. IDAM currently occupies 75% of all ticket requests.
IDAM requests (share of IDAM tickets by type)
Password/login Issues – 55%
User Provisioning – 35%
User Identity Management – 15%
User Deprovision – 5%
In estimating the hourly cost below, I do not count the indirect cost (benefits etc.), which is more of a collective cost; I am looking at the direct cost for the individual or skill level. The individuals below have limited IDAM skills: it is only one of their many assigned tasks.
Percentages are the share of ticket time spent at each support tier.
Request Type | Service Desk ($25/hr) | Level 2 ($45/hr) | Level 3 ($65/hr) | Weighted Average cost/hr | For 1000 IT requests |
Password Issue | 70% | 15% | 15% | $35 | $14,375 |
User Provisioning | 25% | 50% | 25% | $45 | $11,812 |
User Management | 35% | 40% | 25% | $43 | $4,837 |
User Deprovision | 25% | 50% | 25% | $45 | $1,687 |
Total Cost | | | | | $32,711 |
So for 1000 IT tickets, 750 are for IDAM issues:
Password/Login issues – 55%; assuming one hour to fix each ticket, $14,375
User Provisioning – 35% = $11,812
User Management – 15% = $4,837
User Deprovision – 5% = $1,687
The Future Environment
We are going to deploy MIM 2016 SP1 and Active Directory Federation Services (ADFS).
The organizational goal is maturity level 3.
Business Requirements
- Connect HR to AD through MIM
- Give users one common ID via MIM
- Deploy self-service password reset
- Automate provisioning of all types of AD accounts: service, regular, admin etc.
- Automate access assignment and new employee onboarding
- Provide Single Sign-On (SSO) for key applications.
- Provide self-service requests for identity changes to attributes not owned by the HR system
- Provide account and group attestation.
- Provide centralized group management
- Provide IDAM knowledge transfer.
Deployment Cost
Hardware – 5 VMs
License –
- SQL – 1
- W2016 – 5
- MIM Portal – 1
- Visual Studio 2017
- Use SharePoint Foundation for free; otherwise, the license cost for SharePoint Server.
Human Resources
- Consultant 1 – 1700 hrs @ $175/hr
- Consultant 2 – 700 hrs @ $175/hr
- Internal IDAM FTEs – 1000 hrs @ $75/hr [hired during the project]
- Architect – 600 hrs @ $275/hr
- PM – 250 hrs @ $135/hr
Infra Maintenance Cost
Servers [backup, monitoring, patching, rack space cost] – $5k/month
License renewal
- SQL – 1
- W2016 – 5
- MIM Portal – 1
- Visual Studio 2017
- Use SharePoint Foundation for free; otherwise, the license cost for SharePoint Server.
New IDAM Team
These staff members are specialized in handling IDAM issues. Again, I do not count the indirect cost (benefits etc.), which is more of a collective cost; I am looking at the direct cost for the individual or skill level.
- Level 1 (SD staff focused only on IDAM issues) – 3 dedicated IDAM FTEs for every 35k users (minimum 2) @ $45/hr
- Level 2 (handle IDAM servers, deployment, upgrades, issues) – 2 dedicated IDAM FTEs for every 55k users @ $75/hr
- Level 3 (senior consultant or architect; reviews current and future business plans and advises on how IDAM can fit into those plans) – 1 dedicated IDAM FTE for every 100k users @ $115/hr
IT Ticket Operation
| Post Deployment YR1 | Post Deployment YR2 |
IDAM share of all IT ticket requests | 65% | 35% |
IDAM Requests (share of all IDAM tickets)
Request Type | Post Deployment YR1 | Post Deployment YR2 |
Password/Login issues | 60% | 55% |
User Provisioning | 20% | 20% |
User Management | 15% | 18% |
User Deprovision | 5% | 2% |
Cost
We assumed earlier that support would spend 1 hr on a ticket. Because specialization has been introduced, we expect less time to be spent per ticket; I will put it at 0.6 of an hour per ticket, compared to 1 hour when the organization had non-specialists.
Percentages are the share of ticket time spent at each support tier.
Request Type | Service Desk ($45/hr) | Level 2 ($75/hr) | Level 3 ($115/hr) | Weighted Average cost/hr | For 1000 IT Requests YR1 | For 1000 IT Requests YR2 |
Password Issue | 90% | 10% | 0% | $48 | $11,232 | $5,544 |
User Provisioning | 75% | 20% | 10% | $60 | $4,680 | $2,520 |
User Management | 80% | 15% | 5% | $53 | $3,100 | $2,003 |
User Deprovision | 80% | 15% | 5% | $53 | $1,033 | $222 |
Total Cost | | | | | $20,045 | $10,289 |
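Both cost tables (the current "market place" state and the two post-deployment years) follow one formula: IT tickets x IDAM share x request-type share x hours per ticket x weighted hourly rate, where the weighted rate is the tier time split multiplied by each tier's rate. As an added worked example that is not from the article, here is that model in Python with the article's own inputs; exact fractions are used so the rounding is deliberate (weighted rate rounded to whole dollars before multiplying, each row truncated to whole dollars, as the tables do).

```python
from fractions import Fraction as F


def weighted_rate(split_pct, rates):
    """Weighted $/hr from the percent of ticket time spent at (SD, L2, L3)."""
    return sum(F(p, 100) * r for p, r in zip(split_pct, rates))


def scenario_cost(rates, idam_pct, hours_per_ticket, requests, it_tickets=1000):
    """Cost per request type, and the total, for a block of IT tickets.

    requests maps request type -> (percent of IDAM tickets, (SD%, L2%, L3%) time split).
    As in the article's tables, the weighted rate is rounded to whole dollars
    before multiplying and each row is truncated to whole dollars.
    """
    idam_tickets = it_tickets * F(idam_pct, 100)
    cost = {}
    for name, (req_pct, split) in requests.items():
        rate = round(weighted_rate(split, rates))
        cost[name] = int(idam_tickets * F(req_pct, 100) * hours_per_ticket * rate)
    cost["total"] = sum(cost.values())
    return cost


def saving(before, after, it_tickets=1000):
    """Dollars saved per block of IT tickets when moving between two scenarios."""
    return (scenario_cost(**before, it_tickets=it_tickets)["total"]
            - scenario_cost(**after, it_tickets=it_tickets)["total"])


# Article inputs. Current state: 75% of IT tickets are IDAM, 1 hr per ticket.
CURRENT = dict(rates=(25, 45, 65), idam_pct=75, hours_per_ticket=F(1),
               requests={"password": (55, (70, 15, 15)),
                         "provisioning": (35, (25, 50, 25)),
                         "management": (15, (35, 40, 25)),
                         "deprovision": (5, (25, 50, 25))})
# After MIM/ADFS with a specialised team: 0.6 hr per ticket, IDAM share 65% then 35%.
POST_YR1 = dict(rates=(45, 75, 115), idam_pct=65, hours_per_ticket=F(6, 10),
                requests={"password": (60, (90, 10, 0)),
                          "provisioning": (20, (75, 20, 10)),
                          "management": (15, (80, 15, 5)),
                          "deprovision": (5, (80, 15, 5))})
POST_YR2 = dict(POST_YR1, idam_pct=35,
                requests={"password": (55, (90, 10, 0)),
                          "provisioning": (20, (75, 20, 10)),
                          "management": (18, (80, 15, 5)),
                          "deprovision": (2, (80, 15, 5))})

if __name__ == "__main__":
    for label, s in (("current", CURRENT), ("post YR1", POST_YR1), ("post YR2", POST_YR2)):
        print(label, scenario_cost(**s))
    print("YR1 -> YR2 saving per 1000 IT tickets:", saving(POST_YR1, POST_YR2))
```

The post-deployment rows and totals come out exactly as in the table above; in the current-state table the provisioning, management and deprovision rows match, while the password row (and so the total) comes out lower than the article's figure because the exact weighted rate for that row is $34 rather than the $35 shown.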
Summary
So the cost per hour per IDAM request will go down because specialization is introduced, but the net result is more holistic than cost alone:
- A more stable directory
- More efficient IT Operation
- Increase automation reducing impact for staff changes
- Faster processing of user requests
- More secure environment
- Lower operation cost
- The ROI being a factor of savings depends on the current number of tickets
There are several assumptions made here. It is not easy to manage this organizational change. I have done change from the top down and change from the bottom up. Neither is easier than the other; without a strong visionary leader and knowledgeable IDAM support staff, it is easy to slip back to the market place, and then we can throw all these numbers out.