The adoption of computers for most business processes has made cybersecurity an important program in many organizations. Within cybersecurity, the IAM program is an integral part that straddles the line between the cybersecurity and information technology (IT) services of the organization. All organizations need to limit access to their data and resources, and some form of IAM program is what enables this. While one may see this as the cost of doing business, the IAM program has the potential to bring efficiency to an organization while enhancing security and reducing costs.
To understand how an IAM program can be used to improve efficiency, one first needs to understand where the costs or inefficiencies are occurring. Depending on the maturity of the IAM program and the nature and size of the organization, the costs can be categorized as follows:
- Costs or inefficiencies in delivery of access within the organization
- Costs and inefficiencies in activities around compliance and audit
Delivery of Access Costs
The cost of providing the right access can be calculated in terms of time and effort. Here "time" refers to the time wasted by an individual while waiting for net new access or additional access, and "effort" is the sum of all the time spent by administrators, specialists, and/or engineers in creating or enabling the access. Adding the total cost of the time spent waiting to the cost of effort gives the total cost of delivery of access.
While the exercise of calculating a number for the cost of delivery of access is straightforward, there are subjective elements that must be considered as well. The delivery of access is usually called provisioning or access request in IAM parlance and is manual in many organizations. While manual provisioning works, it does not scale and is hence unsustainable as the organization grows. Another subjective element is the consistency of performance by the team involved in provisioning and/or access requests. That consistency varies between individuals depending on workload and other pressures or distractions, and introduces its own inefficiency.
Based on Simeio internal research, every simple provisioning request costs $80. Depending on the size of the organization, a fixed number of employees may be needed to deliver access. This fixed number of employees comes with fixed costs that usually come out to $80K-120K per full-time employee (FTE) employed for these activities. There has been an explosion of applications offered as software-as-a-service (SaaS) in the last couple of decades, and this has increased the need for fulfilment of provisioning requests or access requests. If the number of FTEs required approaches or exceeds four, then the IAM program can be considered at a tipping point and can create efficiencies by implementing an identity governance and administration (IGA) tool. If an IGA tool exists and the organization still needs to maintain manual provisioning FTEs, then Simeio application onboarding services may be the answer for scalability or efficiency concerns.
Reducing Audit & Compliance Costs with IAM
For many organizations, audit and compliance are mandatory costs due to regulations or, as in the case of healthcare, due to legislation. Even if an organization manages to maintain perfect compliance, there is a cost incurred in simply accumulating the evidence of such compliance. The cost is repetitive, as an audit needs to be performed at a pre-determined frequency. A robust identity management solution can greatly reduce these costs.
A properly implemented IAM program can reduce the effort and risk associated with compliance and audit. An IAM program can be implemented using a well-defined process and complete, centralized audit logs so that compliance is easy to archive, maintain, and prove. Access certifications can be performed in an automated manner, thereby reducing effort. There are examples where certain systems pass audit repeatedly, and this performance makes the case for auditing the system less frequently, a direct reduction of costs.
Notice the use of the term “well managed IAM” or “properly implemented.” There is a tendency to think of IAM as simple, but it’s not easy. Implementation and management of IAM systems are determining factors when it comes to maintaining an efficient IAM program. Simeio has been doing this for over 15 years and has developed its people, process and even technology to help an organization reach not only IAM maturity but also efficiency.
Written by Gautam Patel