Home » Identity & Access » Identity Management

How To

How to Make a Business Case for Identity Management

Sure, a good identity management program is great for security and oftentimes necessary for regulatory compliance--but there are productivity and efficiency benefits as well. Kate Walsh IDs five tips for finding and articulating the business case for IDM.

By Katherine Walsh

April 03, 2008 —

Over the past couple years, identity management technologies, including provisioning, web access management and directory services, have been joined by an emerging set of technologies that involve role management, identity audit and governance, and entitlement management. These technologies can play a key role in meeting both business requirements related to auditing and reporting, and security requirements regarding user access to sensitive applications and information.

But there are other business benefits as well, including improved performance and productivity for employees, more efficient provisioning for system administrators, decreased help desk costs and improved compliance. If you're just getting started on an identity management project, or even if you're well on your way, here are some tips on how to make a business case for identity management.

1. Decide What IDM Means to You

IDM's complexity lies in the fact that it means different things to different people, says Bryan Palma, vice president of global information security at EDS and former CISO of PepsiCo. One of the first things you should do is decide what it means to your organization. "In some circles [like the government], IDM means credentials, hard physical access and authentication," Palma says. In that case, "IDM is more about HSPD-12 than a back-office approach of how to manage users." (Learn more from our in-depth article about HSPD-12, the federal government's smart-card project.)

Vendors are integrating many of these technologies. Palma says that as a general rule, a companies offer an integrated system with the three core components (directory, provisioning and web access, which will be used to manage user provisioning, on-boarding and off-boarding), and also, possibly, for a physical component, such as credentialing. "The challenge there is the people who are more interested in the credentialing authentication piece aren't pursuing the back-office identity, and vice versa," Palma says.

Ultimately the choice comes down to where people want to invest their money. "The government is more concerned with access, so they tend to be less focused on how they can run something efficiently on the backend," Palma says. "But the directory, provisioning, web access piece is a business and productivity issue."

2. Articulate the Business Performance and Productivity Benefits of IDM

To hear Palma tell it, IDM is the rare case where where security is not at all something that gets in people's way. "There are few places where security can actually make a case around productivity and performance," Palma says, "and impact to the end user and identity is one of them"." That's why 'Palma tells his clients to focus on this area--because business productivity is something people can "get their hands around easily." (To learn more about the benefits of embarking on an identity management project with business partners, see our in-depth coverage of federated identity management.)