What does Identity and Access Management (I&AM) really mean to a business? The answer varies depending on who you talk to. For example, consider the viewpoints of the three board-level people most directly involved in decisions on any I&AM investment: the CEO, CFO, and CIO/CTO.
To the CEO, I&AM probably means very little. What he wants to know is how something that sounds like an IT project will enable the business to increase revenue, beat the competition and/or reduce costs. I&AM can help an organisation do all these things, but the problem is getting enough CEO airtime to explain why.
To the CFO, the main significance of I&AM will probably lie in its contribution to compliance with regulations such as Sarbanes-Oxley. This means a conversation about I&AM is likely to develop into a request for extra funding, not usually the best way to engage a CFO's attention.
Meanwhile, to the CIO/CTO, raising the issue of I&AM signals the prospect of another attempt to get the various business units to communicate with each other across the enterprise. And he knows that the business case for any central project will always be difficult to justify.
Despite these barriers to the initial conversation, the fact is that an I&AM roadmap actually takes the business a long way towards fulfilling the core agenda of each of these three directors. The key is not to start a discussion about I&AM, but to talk the language of each of these stakeholders, and to prove the business case by demonstrating how their own priorities for the business can be delivered by investment in I&AM.
With a CEO, this means setting out how the company will be better able to bring new products to market, beat the competition and be far more agile going forward, if it has a reliable handle on who is accessing its services and why. The clincher for the CEO is that increasing the level of trust in the company's systems and processes directly drives a higher propensity to use those systems. So the business not only gains new vistas of product opportunity, but is able to roll out those products faster and target them more effectively. Plus the higher the level of trust I&AM generates among the company itself, its suppliers and its customers, the greater the willingness of all participants to exploit the benefits on offer in terms of larger transaction sizes, speed and/or volume.
For the CFO, the key is to show how implementing a common I&AM infrastructure across all business units can both strengthen the company's ability to demonstrate compliance with Sarbanes-Oxley, and simultaneously reduce costs. I&AM creates a basis not just for user identification and authentication, but for enterprise rights management technology that gives users 'fine grain' control over how data is used (read access, print capability, time to live and so on). These protections can be embedded in the data irrespective of how it is stored and distributed, be it by email, on a USB data stick or via a website. These capabilities both enhance the business's controls and open the way to greater efficiency and responsiveness.
The CIO/CTO message is different again. Here, the need is to demonstrate the benefits of implementing a common I&AM architecture across formerly discrete business or operational units, each of which has up to now probably been running its own IT architecture and projects. A unified approach to user administration and control will enable resources to be leveraged cost-effectively across the enterprise, and give suppliers and partners faster and more flexible access to systems. There are also obvious benefits around reducing risk and increasing the ability to demonstrate operational compliance through role-based access control. Where battles often need to be fought is at the divisional level, but in functions such as HR the argument can be turned around by demonstrating the advantages of having HR-originated information rippling automatically through systems across the enterprise.
Having made the case for an I&AM roadmap from various angles at C-level, the fact remains that I&AM projects are not simple. They involve complex technologies: metadirectories, integration into multiple systems with their own access control, provisioning of identity and multifactor authentication, which is always a good idea following a consolidation of identities. Then there are processes and procedures such as role definitions, operational process changes and ongoing audit and management. And while a single system brings significant benefits on its own, these are probably not enough to justify the retrofitting of an I&AM project. So multiple business units have to come together and recognise the opportunity to justify the change programme.
All this means that implementing I&AM is as much a management and organisational challenge as a technical one. To make an I&AM project successful, an enterprise needs to bring together a strong multi-skilled team drawn both internally and from external suppliers, and consisting not just of technologists, but of operational and business specialists. This team will guide the enterprise's I&AM roadmap to the right destination.
The author is an associate partner at Accenture.