Title

Measuring the Cost of IAM - Methodology

Version

1.1

Status

Draft

Summary

This research note discusses how IAM costs may be measured in such a way as to yield meaningful, comparable and reproducible results, form the basis for the development of performance indicators and enable benchmarking between organizations.

Out-of-scope

The key question of the value created by IAM is not discussed in this article and will be discussed in separate research notes.

The Business Case for IAM Cost Measurement

Surprisingly, a 2009 survey in Europe found that 49% of its respondents neither knew nor measured their IAM service delivery costs (KPMG and Everett, 2009, p. 30).

...

Finally, top management should have a strong interest in benchmarking IAM costs. In effect, without any point of comparison, top management is blind and does not know whether it allocates a low, average or high level of resources to IAM relative to its competitors. Without comparable cost measures, top management is left with FUD and gut feeling.

Barriers and Negative Effects

There are barriers to cost measurement and to the implementation of TCO in particular. These include the difficulty of gathering the data and cultural issues such as resistance to change. Top management support is understood as a key element in overcoming these barriers (Hurkens et al., 2006).

...

Even a sound cost analysis that is free of mistakes may be subject to misinterpretation or misused to support political agendas (Foussier, 2006, chapter 2, Cost Measurement).

Benchmarking and Measurement Scales

The absolute TCO of IAM (IAM TCO (Indicator - IAM)) is not a comparable indicator. For instance, if organization A manages 150’000 core IAM active identities while organization B manages 3’000, absolute costs are incomparable and thus meaningless. But absolute costs may be used as a base metric to compute a comparable indicator, Identity Average TCO (Indicator - IAM), expressed as the average cost per active identity managed by the organization.

An Iterative Approach to Standardize the Measurement of IAM TCO

To obtain valid figures that are adequate for performance measurement and benchmarking purposes, it is necessary to develop guidelines and standardize the method. At the same time, it is obviously out of the scope of IAM cost measurement to align the detailed accounting practices of organizations throughout the world. Thus a balance needs to be found, and we should ask ourselves what an appropriate method of measurement is, as a function of its intended usage and the level of reliability that is needed (Foussier, 2006, chapter 2, Cost Measurement).

...

Figure: an iterative approach to develop the guidelines and standard methodology for IAM TCO measurement

Distinguishing IAM TCO from IAM Program Cost

When considering IAM costs from the perspective of the overall organizational efficiency, we take an enterprise-wide perspective, use the TCO approach and do not consider who is responsible for what.

Let’s make the following thought experiment and consider the Failed Acme company. This organization does not run an IAM program, has not appointed an IAM manager and has no documented IAM processes. Still, this organization is doing IAM in the sense that it still provisions (and hopefully deprovisions) identities, and some people somewhere do grant access to systems. The organization does not incur the costs associated with a traditional IAM organization and infrastructure but does incur the costs associated with dysfunctional processes, slow staff onboarding, failed audits and security incidents. For this organization, measuring the IAM TCO indicator makes perfect sense.

In contrast, let’s consider Winning Acme company. This organization runs an IAM program, has a competent IAM manager in place and runs efficient IAM processes. This organization incurs the cost of its IAM organization and infrastructure but does not (hopefully) incur costs of dysfunctional processes, slow staff onboarding, failed audits and security incidents. For this organization, measuring the IAM TCO indicator makes perfect sense.

Hence, the IAM TCO should capture the overall cost of IAM independently of the organizational structure that supports it or the maturity of its processes.

Definition: IAM TCO is the total cost of the organization’s IAM services, independently of the organizational structures supporting them.

This gives us the equation:

where:

  • is the IAM Total Cost

  • is the function that returns the cost of an activity

  • is one activity

  • is the set of all IAM activities

From this definition, we immediately see how important it is to define what the “set of all IAM activities” is. This concept will be analysed in greater detail in the § Listing IAM Activities section below.

Large and mature organizations have IAM programs in place, run by IAM managers with clearly defined IAM processes. IAM managers do have a genuine need to measure the costs of the program that is under their responsibility. But the scope of IAM programs differs from organization to organization and may change over time. For instance, some organizations consider PAM as a sub-component of IAM. Others consider CIAM as a sub-component of IAM. And it is legitimate for organizations to define their IAM programs in the way that makes sense in view of their unique constraints.

Definition: IAM Program Cost is the total cost of a program designated as IAM that has a defined scope. That scope may be distinct from the organization’s overall IAM scope, that is, some activities traditionally linked to IAM may be out-scoped and other activities traditionally not linked to IAM may be in-scoped.

This gives us the equation:

where:

  • is the IAM Program Cost

  • is the set of activities assigned to the IAM program by its organization

...

Accounting Periods

For the sake of simplicity, we skip the complexities linked to accounting periods.

Direct versus Indirect Cost

For cost measurement purposes, the distinction between direct costs and indirect costs is important because the measurement methods are distinct (Foussier, 2006, chapter 2, Cost Measurement).

Definition: IAM Total Direct Cost (or similarly IAM Program Direct Cost) is defined as the expenditures that are fully dedicated to IAM (e.g. IAM dedicated personnel, IAM software licenses, etc.).

Measuring direct costs is straightforward: it is the sum of all the individual costs.

Definition: IAM Total Indirect Cost (or similarly IAM Program Indirect Cost) is defined as expenditures that are not fully dedicated to IAM (e.g. general administration, general IT infrastructure costs required to support IAM systems, etc.).

From these definitions, we may derive the equation of IAM Total Cost (or similarly IAM Program Cost):

Where:

...

is the IAM Total Cost

...

...

Indirect

...

It should be noted that what is a direct cost for one organization may be an indirect cost for another. For example, one organization may have a dedicated IAM support team (direct cost), another may rely solely on a central IT Service Desk (indirect cost), while a third may combine both.

Measuring the IAM Total Direct Cost

The direct cost of an activity is straightforward to measure: it is the sum of all the corresponding expenditures. This gives us the following trivial equation:

Where:

  • is the IAM Total Direct Cost

  • is the function that returns the direct cost of an activity

  • is the set of expenditures linked to activity

  • is an expenditure

For the sake of simplicity, we skip the complexities linked to accounting periods and foreign exchange.

Measuring the IAM Total Indirect Cost

Indirect costs are more complex to measure and methods may vary between organizations. For instance, some organizations will rely on roughly estimated allocation keys while others will use fine-grained accounting schemes. It is presumably outside the scope of IAM cost measurement to redefine the accounting methods used by organizations, hence we should accept a level of inconsistency when comparing these costs between organizations and keep this in mind when interpreting measurements. To enable proper interpretation of results, organizations engaging in benchmarking activities should transparently disclose their high-level accounting methods.

It should be noted that the measurement of indirect costs may also vary between activities. For instance, some activities may have varying costs and may thus be charged (e.g.: the consumption of a workload in an IT infrastructure or cloud) while others may have fixed costs (e.g.: general administration).

This gives us the following equation:

Where:

...

is the IAM Total Indirect Cost

...

is the function that returns the indirect cost of an activity

...

)

...

A similar equation may be used to measure the IAM Program Indirect Cost.

IAM Investments and Depreciation

The implementation of Enterprise IAM is known as a complex, demanding and expensive undertaking (e.g.: Royer, 2013, p. 4). Hence, measuring the cost of IAM must not only factor in operating costs but also capital expenses such as IAM projects (deployment of IAM processes and/or systems).

...

In conclusion, for the sake of simplicity and to make IAM cost measures comparable between organizations, we recommend that, when possible and for performance measurement purposes (as distinct from tax issues), IAM investments be factored into IAM cost measurement using depreciation over a period of 5 years with the straight-line approach. This looks like an acceptable average.

When this is not feasible, we recommend that organizations engaged in IAM benchmarking disclose their high-level depreciation methods to facilitate the interpretation of their measures by peer organizations.
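The definitions above (cost summed over activities, direct plus indirect cost, program scope as a subset of activities, 5-year straight-line depreciation, average cost per active identity) can be combined into one calculation. The following is an added example, not part of the research note: the allocation-key model for indirect costs, the treatment of the yearly depreciation charge as its own term, and all activity names and amounts are assumptions constructed for illustration; only the identity counts come from the text.

```python
from dataclasses import dataclass, field

DEPRECIATION_YEARS = 5  # straight-line period recommended in the text

@dataclass
class Activity:
    name: str
    direct: list = field(default_factory=list)       # expenditures fully dedicated to IAM
    # (shared cost, allocation key 0..1); the key model is an assumption of this example
    indirect: list = field(default_factory=list)
    # (investment amount, first year of depreciation)
    investments: list = field(default_factory=list)

def depreciation_charge(amount, first_year, year):
    """Straight-line charge for `year`; zero outside the 5-year window."""
    in_window = first_year <= year < first_year + DEPRECIATION_YEARS
    return amount / DEPRECIATION_YEARS if in_window else 0.0

def activity_cost(a, year):
    direct = sum(a.direct)
    indirect = sum(cost * key for cost, key in a.indirect)
    # Assumption: the depreciation charge is added as a separate term.
    capital = sum(depreciation_charge(amt, y0, year) for amt, y0 in a.investments)
    return direct + indirect + capital

def iam_cost(activities, year, scope=None):
    """IAM TCO when scope is None; IAM Program Cost when scope names the
    activities the organization assigned to its IAM program."""
    return sum(activity_cost(a, year) for a in activities
               if scope is None or a.name in scope)

def identity_average_tco(activities, year, active_identities):
    if active_identities <= 0:
        raise ValueError("active identity count must be positive")
    return iam_cost(activities, year) / active_identities

# Constructed sample figures, not data from the research note.
ACTIVITIES = [
    Activity("provisioning", direct=[100_000, 30_000],
             indirect=[(200_000, 0.10)], investments=[(500_000, 2022)]),
    Activity("access review", direct=[20_000], indirect=[(50_000, 0.20)]),
    Activity("privileged access", direct=[20_000]),  # conditional activity (PAM)
]
PROGRAM_SCOPE = {"provisioning", "access review"}  # this program out-scopes PAM

if __name__ == "__main__":
    print("IAM TCO 2024:", iam_cost(ACTIVITIES, 2024))
    print("IAM Program Cost 2024:", iam_cost(ACTIVITIES, 2024, PROGRAM_SCOPE))
    for identities in (150_000, 3_000):  # identity counts from the text's example
        print(identities, identity_average_tco(ACTIVITIES, 2024, identities))
```

With identical absolute costs, the per-identity indicator differs by a factor of 50 between the two identity counts, and the program cost diverges from the TCO as soon as a conditional activity is out-scoped.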

Listing IAM Cost Components

Inventorying IAM cost components is key to making TCO measurement “complete” and comparable between organizations. For instance, if PAM is considered an element of IAM by organization A but not by organization B, the cost of IAM will be higher for organization A because their scopes are distinct.

Considering that 1) there is no definitive definition of what IAM is, 2) process modeling is more an art than a science (Reijers et al., 2010, p. 171), and 3) we may list IAM activities at varying levels of granularity, the following approach is being considered:

...

Once established, this list may be documented with cost estimation methods and used as a checklist by IAM practitioners to measure their IAM TCO.

Ellram, 1993 provides guidelines on how to determine which cost components are significant enough to warrant tracking: that is use Pareto’s law coupled with common sense.

To help us with this, we have already established an initial list of known IAM activities

...

Augment this list using cross-checking with the activities expected from the entries in the IAM Process Map.

...

Mark as conditional activities those activities for which there is no obvious consensus in the profession as to whether they should be considered as within or outside the scope of IAM. When engaging in benchmarking, organizations will need to expressly clarify whether these activities were within or outside their IAM scope.

...

Survey IAM professionals asking them to review, comment and enrich this list.

...

Initiate a first round of benchmarking measurement between voluntary IAM professionals

...

Adapt the approach as needed.

The list of IAM activities. Cf. IAM Process Map and Mapping the IAM Processes. Cost components will be naturally linked to processes.

At this early stage of development, we should start surveying IAM practitioners for cost components and populate our list. The list of IAM cost components will be maintained on the following wiki page:

Measuring the Cost of IAM - Activities & Cost Categories

Bibliography

...