Identity management is a hard problem. It's hard technically, it's hard to get executives and business partners to care about it, and it's hard when complexities (like cloud and mobile) are introduced to the environment. In fact, if you look at identity from an economic point of view - and you systematically analyze the costs of identity in your environment (including provisioning, access management, access review, etc.) chances are good that you're spending more on those things - organization-wide - than just about anything else IT related.
If that doesn't resonate with you, it could be because the costs are hidden - or at least don't show up as a line-item in the IT budget. Consider, for example, the costs of provisioning across the enterprise as a whole. The IT side of the issue is probably pretty obvious: You see the impact to staff time; you see the impact to helpdesk overhead, etc. But there are other aspects of this problem that don't hit IT and may be less visible.
Consider provisioning of access to specialized business apps or one-off apps that aren't maintained or supported by the IT department. For example, if the individuals who actually create users accounts are specialists on the business side - their time represents a cost (in many cases a large one) to the organization, but because IT doesn't directly feel the costs involved, they can potentially go unnoticed. If noticed, they may not be top of the priority list to address.
The same is true for access review. If, like many, access review consists of a periodic report to managers along with a request for them to evaluate the appropriateness of accounts and user roles, their time costs money - not your money, but someone's. The time those managers spend in that task don't hit the IT budget, but yet cost the organization significant dollars on a per-year basis.
Lack of ROI Means Money Out of Your Pocket
The point is that it's not cheap. Because of that - and because the economic impact may not be directly visible to management, that means it's often hard to build support for improvements (e.g., automated provisioning, access management, monitoring and other identity-related systems and tools). It's a dilemma: From a security point of view, it's in our best interests to see those tools get deployed and improvements made - but fighting the myopia is hard.
It's hard to have a conversation like, "We spend X on identity now, but we want to spend X-Y on operational costs by purchasing a tool with an initial capital outlay of Z. Although the tool will set us back by Z this year, we anticipate it'll pay for itself in N years and subsequent cost savings of Q over the lifetime of the product, which we estimate to be L."
It's hard to argue with reasoning like that (assuming your numbers aren't bogus). But you can't do it for identity when the relevant variables are spread around the organization.
For security pros it's frustrating because in almost every case, it's cheaper to replace legacy manual processes with an automated system, because it's more effective from a security standpoint (reducing human error and ensuring coverage), and because it helps in a cloud context. Cloud vendors can (or at least should be able to) leverage the output of these tools directly - for example through support of technologies like SAML, SPML and XACML (to mention a few). But proving it's better without numbers is like trying to catch the wind.
Can You Get Visibility? Maybe Now's a Good Time
So for the pragmatists out there - what can you do?
Say you want to be able to build support for an automated identity approach but you're finding building a business case to be challenging because of the invisibility of costs described above? Some will tell you to make stuff up - i.e., "estimate based on numbers of accounts created, average review time, etc." As a last resort, this can be a "better-than-nothing" Hail Mary - but it also has the potential to blow up in your face. Like maybe if the person you're presenting your calculations to spends five minutes reviewing his/her access list and the average you estimated is two hours; it's hard to pull back from that if they lose confidence in your numbers from the get-go.
One strategy you can try first before resorting to guessing involves leveraging existing IT metrics initiatives to attempt to collect data organization-wide (i.e., outside of IT). For example, looking to current hot initiatives to piggyback on: If you're in the federal government, you could include these metrics in your required continuous monitoring strategy (it's a requirement, it's top of everyone's mind, so now is a time you might be able to get farther than otherwise). ... In the private sector, you could attempt to leverage your cloud initiatives themselves to help gather data by making it part of questionnaires or data-gathering being done to support a cloud move. In fact, anything that involves data-gathering from the business (a BIA, vendor review, auditing, etc.) can be a good place to try to find data sources to help drive a realistic cost model.
The point is - getting good data here is a fundamental part of building a useful cost model that accounts for both visible and "hidden" costs. And if you really want to get traction with investments to your identity management program, chances are good you'll need this kind of hard evidence to make progress.
Ed Moyle is senior security strategist at Savvis, a CenturyLink company.