By Rick Cook - Jul 26, 2010

Centralized identity management makes life easier, and reduces support and licensing costs.

Identity management is usually thought of in terms of security. By properly assigning passwords, permissions, and such, you can help to protect your company’s computers from data loss and other bad stuff. But a well-managed identity management program can also help cut IT costs.

Unlike some management initiatives, especially in the area of security, the cost savings from a good identity management process are easy to quantify. They show up every place from support costs to licensing to reductions in audit costs. This makes identity management “low hanging fruit” for IT executives looking for fast, straightforward cost savings with a minimum of disruption.

Basically, identity management consists of making sure employees have the right permissions to let them do their jobs and don’t have access where they don’t need it. This is something you do even if you didn’t have a label for it before, although like any other IT process it generally works better once you’ve given thought to doing it right. With or without automated tools, identity management is fundamental to running an IT operation.

Identity management starts with assigning passwords to new users and includes adding permission to access the applications and data the employee needs to do the job. It ends when an employee or associate severs relations with the company, at which point an IT staff member makes sure that person no longer has access to the company IT system.

This is undoubtedly the most common part of identity management. It also has a lot in common with being nibbled to death by ducks. The problem isn’t that provisioning, change, and deprovisioning are hard, or even that each instance takes a lot of time. It’s that there’s so much of it. By some estimates, as much as 40% of all help desk calls involve identity management issues.

The result is something that adds up to a significant cost over the course of the year. It robs both support people and end users of valuable time.

A good identity management system largely automates this process. The department supervisor or human resources person authorizes the changes and they’re made automatically. In the case of changes in permissions, the employees can often do most of it themselves.

However, that isn’t necessarily where a well-managed identity management program saves you the most money. Potentially larger savings come from adequately controlling identities and the associated licensing costs.

The most obvious part of this is phantom users: “users” whose identities are still on the system long after they no longer need them. Typically these phantoms were employees who left the company or moved to different jobs, or contractors who are no longer working with the enterprise. Because of slip-ups in record keeping or lack of attention to detail, these phantoms can hang around for weeks or months after they should have been killed, using up resources.

A more subtle but much more expensive cost associated with poor identity management involves unneeded software licenses. Since most large companies license their software on a per-user basis, each unnecessary software license costs the company money. When you consider that many systems have software with hundreds of dollars in licensing costs associated with the average employee, this mounts up fast.

There are really two parts to this problem. The easy one is the effect of phantom users. By killing those phantoms, or by more quickly deprovisioning users, you save licensing costs.

The other part is more complex but potentially saves a lot more money. That is: managing permissions more strictly so people who don’t need a software package don’t have access to it.

In a perfect world, identities are assigned on a case-by-case basis. Every person gets exactly the permissions he or she needs and no others. Except in the smallest enterprises that’s impossibly unwieldy, so permissions are usually assigned en masse. Often, employees are divided into classes with associated bundles of permissions.

The trick in this kind of identity management is setting up the classification scheme. You want permission classes that are broad enough to let everyone do their work but include the minimum of unnecessary permissions. Of course, setting up such a classification takes work; too many user classes become difficult for the IT staff to manage. As a result, there’s a constant tension between ease of use of the identity management process and granting precise permission bundles.

To get the most out of identity management, and to keep licensing costs down without burdening your support staff, you need to think carefully about which permission classes you create and which permissions each category of user needs. This is, in general, a one-time effort that pays off in the end.

One popular way to handle classification is to establish a basic classification which includes software everyone gets, such as e-mail and antivirus, and create additional classes for more specialized needs, such as accounting. You also need to make sure you can easily add permissions for specific applications if needed on a custom basis.
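The phantom-user check and the base-plus-specialized class scheme described above can be combined into one reconciliation pass. The following is an added example, not part of the original article; the class names, accounts, and license costs are constructed sample data, and the HR roster and directory structures are assumptions about how such records might be exported.

```python
# Constructed sample data; all names and prices are hypothetical.
ROLE_BUNDLES = {
    "base": {"email", "antivirus"},   # software everyone gets
    "accounting": {"ledger"},         # specialized classes
    "engineering": {"cad"},
}
LICENSE_COST = {"email": 40, "antivirus": 25, "ledger": 300, "cad": 900}

# HR system of record: who is employed, their classes, approved custom grants.
HR_ROSTER = {
    "alice": {"active": True, "classes": ["accounting"], "custom": set()},
    "bob": {"active": True, "classes": ["engineering"], "custom": {"ledger"}},
    "carol": {"active": False, "classes": ["accounting"], "custom": set()},
}

# Directory export: licenses actually assigned to each account.
DIRECTORY = {
    "alice": {"email", "antivirus", "ledger", "cad"},
    "bob": {"email", "antivirus", "cad", "ledger"},
    "carol": {"email", "antivirus", "ledger"},
    "dave-contractor": {"email", "cad"},   # no HR record at all
}

def entitled(record):
    """Licenses a user should hold: base class + role classes + custom grants."""
    licenses = set(ROLE_BUNDLES["base"]) | set(record["custom"])
    for cls in record["classes"]:
        licenses |= ROLE_BUNDLES[cls]
    return licenses

def audit(directory, roster):
    """Return (phantom accounts, excess licenses per account, reclaimable cost)."""
    phantoms, excess = [], {}
    for account, assigned in sorted(directory.items()):
        record = roster.get(account)
        if record is None or not record["active"]:
            # Phantom: departed user or account with no owner in HR.
            phantoms.append(account)
            excess[account] = set(assigned)
        else:
            extra = assigned - entitled(record)
            if extra:
                excess[account] = extra
    savings = sum(LICENSE_COST[lic] for lics in excess.values() for lic in lics)
    return phantoms, excess, savings

if __name__ == "__main__":
    phantoms, excess, savings = audit(DIRECTORY, HR_ROSTER)
    print("Phantom accounts:", phantoms)
    print("Excess licenses:", excess)
    print("Reclaimable license cost:", savings)
```

Bob's `ledger` license is not flagged because it is recorded as an approved custom grant, which is the per-application exception the classification scheme needs to allow.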
