Monday, June 16

Value Adding Security to the ROI of Identity Management

Two months ago, I posted about the prospect of extending the ROI on provisioning. The post was inspired by conversations with many smart people and led to additional conversations (like this one) that helped formulate the ideas presented in an article that was published today at eBizQ titled Value Adding Security to the ROI of Identity Management.

The initial draft had a number of quotes, but according to the editor they didn't read well; he was concerned that a quote from anyone less well known than Gartner could appear biased. I see his point, but apologies to those whom I had asked for permission to quote and who might have been expecting to be part of the article.

I hope the article clarifies what I meant by extending the ROI of provisioning. I led a round table discussion at a CSO conference recently on the topic and I'm not sure that the idea resonated immediately. The bottom line is that provisioning solutions can be augmented to become a true (secure) funnel for account management rather than just the preferred avenue.


joe said...

Maybe some CSOs are reluctant to justify identity management and provisioning using security ROI because they don't have to - a typical ROI based on self-service provisioning and workflows is usually very compelling on its own. Although the 'soft' ROI benefit of better security has often been used to justify identity management, mixing in a hard security ROI number can complicate the project by bringing in a whole new set of security requirements and personnel, never mind the possibility that CSOs will have to use their scarce compliance and security dollars to finance an operational necessity like provisioning.

On a technical level, some CSOs may see provisioning as a spoke instead of the hub of security management. As an example, you can see this in SAP's roadmap for how they plan to integrate their GRC compliance solution with the Maxware IDM provisioning solution they acquired in 2007. The IDM solution will use an open API call to the GRC solution to 'pre-approve' provisioning actions as needed. Conversely, the GRC solution can initiate provisioning actions and workflows using open APIs in the IDM solution.

In this worldview, identity management and provisioning remain an indispensable part of a CSO's security model by interacting with comprehensive security and compliance solutions instead of replacing them. Provisioning and identity services become a service in a Service Oriented Architecture that includes separate services for compliance, database monitoring, network security, etc.

Matt Flynn said...

Thanks for the comment Joe! Good insight. I don't really disagree with any of that. Though, I wasn't really thinking pre-purchase ROI worksheet but rather along the lines of: Do more with what you've got.