Now is the project of our discontent – King Richard III; Act I, Scene I
Maybe Shakespeare wasn’t talking about identity management projects, but its not much of a stretch. It seems that most identity products are expensive, and their implementations even more so. The cost of services to implement identity management seems to be a never ending black hole of cost. But why? What makes identity management so different then developing an application or building a web service? Once we can identify what is driving up costs, maybe we can address it.
Over our years of implementing identity management solutions we found that there are three primary drivers of cost on these projects:
- Data Ownership
- Cost of Integration
- Cost of Infrastructure
The first two areas are really what sets identity management apart from most IT services. When someone decides to build an application, they generally have a well defined business goal or mission. There’s a set of data to manipulate, maybe with outside data feeds, but as the application owner you own the application and most (if not all) the data being consumed and produced. This isn’t true for identity management. Identity management projects tend to be undertaken for one of two reasons. The first being a specific business goal or mission and the second being compliance.
If identity management is being used to align with a specific business goal then the implementation generally is done in accordance with that goal and is thought to be just part of the application. This means that the person who owns the identity implementation doesn’t really control their own destiny. Since the application product owner is setting the direction, this means that the identity team is not the final owner of the resulting identity data.
However if an identity project begins for a compliance reason, then application owners will do the minimum they need to to get you to go away. Identity management is seen as overhead, not value.
Finally, regardless of the reason for starting the project, the source data is generally owned by the Windows infrastructure group if Active Directory is the main source or the HR group if the HR system is the main source. Either way, both the input data and output data are owned by someone else.
This ownership problem extends from the data to the functionality of the system which drives up the cost of integration. An identity management system that doesn’t integrate with applications is not much more then a directory browser or phone book application. Wether a target application is commercial off the shelf (COTS), government off the shelf (GOTS) or home grown invariably every one has its own ideas about identity management (usually revolving around a username and password). Not only does the identity management team not own the source or destination data, but it has no say in how identity data gets into applications.
These two factors are aggravated by the third issue, the cost of infrastructure. Most identity systems are large and monolithic or small and specialized. The specialized solutions do well for a point solution but do not create an identity service that can be used by the enterprise. The large systems however have exceptionally high costs before any ROI exists (databases, application servers, queues, clustering, reporting engines) and even then its usually a closed system. Want to generate a report? You need the identity tool’s report system. This high cost leads most application developers to believe that they can do something pretty easily and cheaply (especially when you factor in the costs of less expensive off-shore labor), which feeds issue #2 and creates a vicious cycle.
Hidden in these costs is the cost of consulting and professional services. These three factors require consultants that can span both business and technology and are also highly specialized. Sure, the concepts of once brand’s identity system are close enough to another’s that you could take an expert in the first brand and let them figure out the other but thats an additional cost in both schedule and resources. Since its difficult to find these resources, the projects are under-staffed and often delayed. This impacts whatever the original reason for starting the project was and continues to sour stakeholders to the idea of identity management.
Is it possible to end this vicious cycle? Yes. At Tremolo Security we take an application centric approach to identity management. We realize that applications can generally only use some of the functions that large monolithic systems provide and that point solutions must be able to grow to provide value to an organization. We invite you to explore how our approach to identity management helps do this. In the coming weeks and months we will be publishing blog posts that don’t only center around our products, but also around how identity problems can be approached in general. We hope you find this discussion useful, even if you decide not to buy our products. We promise not to do this as a white paper that you need to register for, but rather as blog posts that are freely available. We hope you enjoy them and welcome any and all feedback.