IT managers face a constant challenge to justify spending, demonstrate business value and quantify the impact of security incidents. Organizations too often fail to prioritize security until a crisis arises. Identity and access management (IAM) domains are key because they enable IT teams to address risk and facilitate operational and revenue gains.
Automated provisioning and deprovisioning value calculations are no different. Provisioning and deprovisioning improve the user experience, operational efficiency and security policies and are integral to business operations. It’s important to view provisioning and deprovisioning as a business matter, not an IT issue.
The Value of Provisioning and Deprovisioning
Provisioning and deprovisioning activities include creating and propagating user accounts; requesting, approving and granting access to resources; changing users’ access over time; and decommissioning accounts when no longer needed.
A well-built business case should include the fully loaded costs of software, process changes, organizational changes, hosting, change management and even effects on culture. The costs must be balanced against a full comprehension of the value achieved. Whether or not the value exceeds the costs, there is value in simply demonstrating to your stakeholders that you fulfilled every aspect of diligence. Below are some important value drivers for automated provisioning and deprovisioning.
Value No. 1: Operational Efficiency
User accounts consist of structured data, which is specific to a particular person or system account. Some attributes can be derived through business rules, but application-specific attributes are unique and must be manually entered at some point. This requires a high degree of effort in a purely manual provisioning and deprovisioning system. IT managers can automate these activities by:
- Reducing the number of endpoint locations that receive data;
- Feeding data from an HR system to other systems;
- Correlating accounts and credentials;
- Dynamically creating attributes to reflect business logic;
- Propagating accounts and changes to other systems; and
- Automating approvals and workflows.
Each automation improvement should be measurable in terms of hours saved. For example, let’s say a telecommunications company with 42,000 users has annual turnover of 18,000 internal users. Call centers account for 11,000 users, technicians represent 2,000 and all other corporate employees and contractors represent the remaining 5,000.
It takes 13 business days for a new employee to be given access. The process requires an average of 6.3 hours to create each account and provision access to the 16 common applications. There are eight endpoint repositories for these applications and an HR system that is the enterprise system of record (SOR).
Additionally, each of the organization’s 42,000 internal users receives 5.5 access changes per year, requiring a combined 0.9 hours of administrative effort per user. Deprovisioning requires 1.1 hours per user. Further, the company estimated that 8 percent of the creation requests, 18 percent of the update requests and 4 percent of the deletion requests are completed incorrectly. The company estimated that the cost of provisioning is $84 per hour and the end-user hourly cost is $71 per hour.
Five potential value calculations are involved:
- Account creation operations: The time spent creating and propagating accounts to the end systems, including the 8 percent rework, is 122,472 hours and $10,287,648 per year. With an automated provisioning and deprovisioning solution, the company could reduce the time spent to three hours each and the error rate to 2 percent. That would save 67,392 hours and $5,660,928 annually.
- Account update operations: The time spent updating and propagating changes to the end systems, including the 18 percent rework, is 44,604 hours and $3,746,736 per year. The company could reduce the time spent to 0.7 hours each and the error rate to 4 percent with an automated provisioning and deprovisioning solution. That would save 14,028 hours and $1,178,352 annually.
- Account decommissioning operations: The time spent decommissioning users on the end systems, including the 4 percent rework, is 20,592 hours and $1,729,728 per year. The company could cut that time to 0.3 hours and the error rate to 2 percent, saving 15,084 hours and $1,330,056 annually.
- Lost time due to lack of access: Every hour an end user spends without access represents an explicit cost, totaling 1,872,000 hours and $132,912,000 annually. The time to create accounts could be cut to seven days, but the time to update accounts cannot be significantly reduced; as a result, the company could convert 864,000 hours and $61,344,000 annually into productive employee effort.
- Use of lower-cost resources: While many manual processes can be outsourced to low-cost resources, this is not always possible in situations involving many disparate, complex systems. By using a single provisioning and deprovisioning solution with an improved interface and automation, IT managers can reduce effort. This also enables IT teams to use lower-cost resources for some activities. This could reduce the fully loaded cost of provisioning work to $68 per hour. If we apply this to the reduced hours per the calculations above, it saves $1,458,624 annually.
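To make the Value No. 1 arithmetic reproducible for your own figures, here is an added Python model (not from the article) that encodes the telecom numbers above and recomputes each saving. The 8-hour business day and the "each incorrect item is redone once in full" rework model are assumptions that reproduce the article's totals.

```python
from dataclasses import dataclass

PROVISIONING_RATE = 84.0  # fully loaded cost of provisioning work, $/hour (article)
USER_RATE = 71.0          # end-user cost, $/hour (article)
LOW_COST_RATE = 68.0      # provisioning rate once lower-cost resources can do the work
WORKDAY_HOURS = 8         # assumption: the article does not state hours per business day


@dataclass(frozen=True)
class Operation:
    """One account operation type: yearly volume, hours per item, fraction done wrong."""
    name: str
    volume: int
    hours_each: float
    error_rate: float

    def hours(self) -> float:
        # Assumption: each incorrect item is redone once in full, so rework adds
        # error_rate * base effort. This reproduces the article's hour totals.
        return self.volume * self.hours_each * (1 + self.error_rate)


# Manual process today vs. target state with automation (figures from the article).
MANUAL = [Operation("create", 18_000, 6.3, 0.08),
          Operation("update", 42_000, 0.9, 0.18),
          Operation("delete", 18_000, 1.1, 0.04)]
AUTOMATED = [Operation("create", 18_000, 3.0, 0.02),
             Operation("update", 42_000, 0.7, 0.04),
             Operation("delete", 18_000, 0.3, 0.02)]


def operation_savings(rate: float = PROVISIONING_RATE) -> dict[str, tuple[float, float]]:
    """Hours and dollars saved per year for each operation type."""
    out = {}
    for before, after in zip(MANUAL, AUTOMATED):
        hours = before.hours() - after.hours()
        out[before.name] = (hours, hours * rate)
    return out


def access_wait_savings(new_users: int = 18_000, days_before: int = 13,
                        days_after: int = 7) -> tuple[int, float]:
    """End-user wait hours converted to productive time, and their value at USER_RATE."""
    hours = new_users * (days_before - days_after) * WORKDAY_HOURS
    return hours, hours * USER_RATE


def low_cost_resource_savings() -> float:
    """Value of shifting the remaining (automated) hours to lower-cost resources."""
    remaining = sum(op.hours() for op in AUTOMATED)
    return remaining * (PROVISIONING_RATE - LOW_COST_RATE)
```

Checking the output against the article is worthwhile: every hour figure and all but one dollar figure match, the exception being decommissioning, where 15,084 hours at $84 comes to $1,267,056 rather than the $1,330,056 quoted.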
Value No. 2: Improving the User Experience
Account creation is an integral part of every web-based portal experience and a necessity for every employee or contractor. It is one of the first in-depth experiences a user has when interacting with these systems. While most companies ensure a smooth flow of business transactions, they rarely place value on this essential provisioning capability.
Let’s continue our hypothetical example:
Since the telecom industry is fully penetrated and highly competitive, there is significant customer turnover. This telecom company gains 6,000 new customers and 12,700 returning customers and loses 14,000 customers per month. Because the company prefers to label accounts as “temporarily disabled” when customers terminate service, only 4 percent of these accounts are actually deleted.
With the consolidation of media channels, this company acquires 40,000 new customers annually via bulk acquisitions and business partnerships. Of these, 25 percent are net-new customers and 75 percent are existing or returning customers. The affected account provisioning and deprovisioning use cases amount to:
- 82,000 new account creations;
- 182,400 account reinstatement/correlations;
- 161,280 temporary disablements; and
- 6,720 account deletions.
The current customer account provisioning and deprovisioning process requires approximately nine minutes of customer involvement per account. Through user behavior analytics, the company calculated an abandonment rate of 13 percent during the creation of new accounts and 19 percent for existing account reinstatement. Through surveys, it found that 8 percent of customers who leave cite problems with account creation and management as the primary cause.
Three potential value calculations are at play:
- Loss of potential customers: The company could reduce the new customer account abandonment to 5 percent and account reinstatement/correlation abandonment to 14 percent with an automated provisioning and deprovisioning system. This would increase the number of new customers by 3,280 and returning customers by 9,120.
- Loss of existing customers: When the company loses 8 percent of departing customers to provisioning and account management issues, it loses the revenue those customers would have generated. If it could reduce this number to 3 percent, the company would retain 8,400 customers per year.
- Reputation loss: In a highly competitive market, customer reviews can significantly affect other potential customers. One bad review could dissuade many other potential customers from purchasing. This is a very difficult number to quantify because it pulls from highly dynamic information. While it’s probably not possible to quantify this accurately enough for a business case, it can become an add-on value measurement after implementation. Wouldn’t it be nice to tell the CIO and CEO that an IT solution positively affected net promoter scores by several points?
Value No. 3: Identity Management as a Strategic Differentiator
A strong, agile and automated provisioning and deprovisioning system could be a strategic enabler for our hypothetical telecom company. It could differentiate the business with its customers, simplify acquisitions and divestitures, increase security and attract investors. For some businesses, it can even be a customer-facing service offering.
It takes a lot of creativity and market research to identify these opportunities. IT managers should ask the following questions when looking at alternatives to unlock these advantages:
- How much better could our automated provisioning and deprovisioning solution be than that of our competitors?
- How labor-intensive would it be to manually migrate users following an acquisition?
- How many acquisitions require provisioning and deprovisioning, and how many users are affected each time?
- Are we investing in leading-edge technologies that require convergence of technologies and user accounts?
- Do provisioning and deprovisioning affect a high-volume, low-margin user base?
- How frequently does the company change leadership, shift business focus or restructure?
- Do the company’s stakeholders value security?
Answers to these questions and others may uncover opportunities that could help the company grow and change with market forces.
Value No. 4: Standardized Technology Platforms, Processes and Policies
Because provisioning and deprovisioning are essential and foundational capabilities, they need to be as standardized as possible. Standard integration patterns and policies can greatly simplify the deployment and operation of systems. The standards are difficult to define because of the number, diversity, disparity and inconsistency of the systems involved, and standardizing only pays off once there is a critical mass of servers, applications, roles and users.
There is also a point of diminishing returns regarding system complexity. Some companies with a high level of consistency and a large user population can gain significant value from automated provisioning and deprovisioning solutions because integration will be easier. Companies with few users, many diverse endpoints and diverse technology platforms will gain less value because integration will be more difficult.
Simply put, the more complex your IT organization is, the greater the cost to standardize and the lower the total value.
Value No. 5: Risk Reduction
Let’s assume our example company identified a total of 92,000 customer accounts, replicated among four systems, that have been inactive for years and thus should be deleted. Further, the company found 18,000 instances of excessive privilege. While an automated provisioning and deprovisioning solution cannot independently identify these problems, it can prevent and remedy such access once the accounts and entitlements have been identified.
Below are just two of potentially dozens of risks mitigated by an automated provisioning and deprovisioning solution:
- Excessive unused accounts: The work required to manually remove these customer accounts is colossal. Even if it only requires 10 minutes per account, it could take 30-plus full-time equivalents (FTEs) to remedy. If an automated provisioning and deprovisioning solution is available and integrated with the necessary endpoint systems, this could be planned in a matter of weeks and processed in mere minutes.
- Excessive entitlements: Users with excessive entitlements are a liability. They can impact the company directly or indirectly if their credentials are acquired by malicious actors. With a very mature provisioning and deprovisioning solution, the company could significantly reduce the cost and time to remedy the excessive entitlements.
Realism and Revenue Versus Cost in Value Calculations
The value calculations described above involve both art and science. Because each company values revenue-related factors differently, each must apply its own IAM value measurements. IT professionals can certainly help to define and direct these evaluations.
Brett Valentine is a Principal Security Architect for Delta Air Lines. He was previously an Associate Partner with IBM Security, and worked for other large ...