Building Your Business Case for an Identity and Access Management Solution – Part 2

Posted on 5 October 2017

In the second of our 4 posts on building a business case for an identity and access management solution, we look at identifying the baseline. To recap, building a business case for an Identity and access management solution should be a 4 stage process:

  1. Performing a needs assessment
  2. Identifying the baseline
  3. Defining your goals
  4. Creating a financial model

Establishing a baseline

Establishing a baseline requires you to analyse what’s working and what’s not in your current environment. Creating a map that thoroughly documents the process – identifying which parts are done manually, which are automated, how long they take and so on – will ultimately make it possible to understand how the work gets done and the associated costs.

A clear understanding of the current situation (current capabilities, processes, participants and costs) will make it possible to set goals for an IAM project going forward. The baseline almost works like the “current location” function of a GPS; to map out a path to your goal, you must have a starting point.

Too often, organisations underestimate the scope of an IAM process, whether in terms of the number of employees affected, the number of systems included, or the complexity of detail hidden within application security models. This often will lead to a failure to understand how a project will impact the overall business, which is a recipe for disaster when it comes to implementation. It may also water down the business justification for the project at the start.

To ensure that a good baseline understanding for a project is gained, it’s important to identify all key participants – from the IT operations team, to help desk staff, to the security team, to business users – and how they are impacted by your current processes.

Key questions

  1. How many users do you support, including employees, contractors, partners, consultants, etc.?
  2. What is the user churn rate and how long does it take to provision a new user?
  3. What is the average time taken to approve an access change?
  4. How many password resets are performed per month?
  5. How many access certifications are performed by the organisation and how often?
  6. How effective is this?
  7. How much time does your organisation spend on policy (such as separation-of-duty) enforcement?
  8. Is single sign-on a concern for your cloud and on-premises apps?

If you would like help putting together your business case for an IAM solution, please contact us.

Taken from the SailPoint White paper, which can be downloaded here.

A few people we've already done it for