Monday, July 07, 2008

Can Identity Management really be outsourced?

I wrote about this a year ago (almost to the day). At the time, I said outsourcing Identity Management (IDM) and its related activities was "a hard sell". Although I was pretty negative on the idea, I didn't say it would never work or that it wasn't a good idea. I just felt like the market wasn't ready for it yet. That said, I still don't think the market is ready for it in an absolute sense, but we're making some baby steps forward.

To summarise that post for those that don't want to read the whole thing:
  • Outsourcing IDM is like giving away the front door key to your house and letting someone else decide who to let in and what they can do. Something I didn't say at the time was that this implies you are relying on them to tell you what happened while you were out and they can also give out your back door keys without you knowing.
  • IDM is not about technology. It's about people and business processes. Outsourcing works best when trying to solve technology pains. Not only that, IDM lies at the core of your organisation. Because of this, your organisation NEEDS to own it.
  • The day when you can comfortably outsource ALL of your IDM-related functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity , access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service while being automated and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.
Matt Pollicove, Matt Flynn, Ash Motiwala and Mark MacAuley have been talking about this lately (timeline of posts - Matt P, Matt F, Ash, Matt P, Mark). Ash even quotes my post from last year, specifically where I used a "bake a cake and eat your dog food" analogy (it'll make sense when you read it...I hope).

I'm also reminded about earlier this year when Mark MacAuley, Ian Glazer and Matt Flynn talked about compliance as a service and Dave Rowe added his thoughts on the issue (timeline of posts - Mark, Matt F, Ian G, Ian G, Dave).

I tried to summarise everyone's thoughts but it just got very confusing, so you'll have to read them at your own leisure. Everyone was talking about very similar things but with slight variances on their interpretations of terms and concepts. I think people (myself included) would agree with each other about certain aspects if they could just set a baseline and have a glossary of terms and definitions...and write their posts based on this glossary. That takes time though...and we are writing blogs after all, not whitepapers :-)

There are a bunch of different things in play when we talk about IDM as a discipline and Outsourcing/Managed Services. I won't over-complicate things but at the risk of over-simplifying, I will point out the following:
  • There is the business, people, process and compliance side of things in IDM.
  • There is also the IT/technology side of things in IDM.
  • Managed Services can be on-site or off-site.
  • Software as a Service (SaaS) is becoming a real option.
I don't think there's going to be much argument when I say that the technology to outsource IDM is there today, whether you want to have an on/off-site model or SaaS (although the SaaS model is not as mature).

If an organisation decides today that they want to do it, there are service providers that have the experience and will give you all the assurances in the world that your data will be protected, all security measures have been taken care of and that they can meet the Service Level Agreements (SLAs) you set for them. Large organisations like IBM, EDS (acquired by HP), Wipro and Infosys (there are others, but I won't bother listing them all) can do it. Smaller ones like Ash's company Identropy can do it. If it's SaaS that you want, the choices are more limited, but Fischer and Symplified come to mind.

The key here is IF an organisation wants to do it. Ash said it himself:
"In my opinion, the reason is more emotional that rational. The market just isn't ready, emotionally, to completely outsource the management of their IdM systems. The whole thing seems so tied to their environment, to their business processes, that handing the management over to a third party just feels wrong."

The first hurdle is always emotional. Once you get beyond that, ask if it's the right thing to do. I still don't think an organisation should outsource it all. An organisation should ALWAYS own the business aspects of their IDM initiatives. Now let's take a look at the technology side of things.

Matt Flynn points out that:
"most companies are already outsourcing IdM – they just do it on a project basis"

He is of course absolutely correct. So from an emotional standpoint, you already have people looking at sensitive data that are not part of the organisation. What's the difference if you formally outsource it to a managed service provider? The difference is mostly psychological. People just don't look at bringing external people or companies in as "outsourcing" so they don't realise that external people already have visible access to their sensitive data (of course, this brings up the issue of data leakage, but let's not complicate the issue any further for now). I should also note that just because it's done today does not make it right. My main objection was to "giving away the keys". If you don't own the solution within the organisation, then that's exactly what you've done.

"Giving the keys away" aside, if the decision's been made to outsource IDM somewhat, the next question is going to be the location. Do you feel comfortable not owning the infrastructure and more importantly, are you comfortable knowing that all your sensitive information is sitting in an environment owned and controlled by another company? Many organisations would not be. That's why it's a hard sell.

Don't think it's a problem having your organisation's data outside of your infrastructure and not on your premises? Then perhaps you can also take the SaaS approach and outsource all of the other painful IT management aspects around trying to manage software deployments and infrastructure. If you're willing to accept the risks associated and "give away the keys", then why not get the SaaS benefits as part of the deal? There are pros and cons in going with SaaS over an off-site Managed Service, but I won't go into them as that's besides the point.

Ash may be onto something when he says:
"I think that the only solution is a pragmatic one, where there is shared management. The customer can still feel "in control", but hand over day to day ops to a third party."

If you read my blog regularly, you'll hopefully get that I'm all for the pragmatic approach to anything. I would modify that statement somewhat. They not only need to feel in control. They really need to be in control and the onus is on the service provider as the subject matter expert to make sure that happens.

He follows up by adding:
"(Customers) get to gradually let go, and initially lean on the service provider as a very knowledgeable augmentation to their staff. Once the comfort level sets in, customers can lean a bit harder, grant "persistent approvals" for break/fix scenarios, and reduce management staff for identity."

The decision to outsource your IDM (whether it's on-site, off-site, SaaS) should not be a big bang approach. It needs to be gradual, and what Ash suggests makes sense if the decision is made.

Ultimately, it boils down to the following:
  • You must still own it. Never take your hands completely off because then you won't know what's going on if it all falls into a heap or when the auditors come knocking. Matt P's statement sums this up nicely:
    "If I were the person in charge of Compliance and Risk management, I'd want to be able to look at the auditors, police/FBI, Upper Management and lawyers after an incident and be able to say exactly what I did to protect my data and not say, "well the hosting company told me they were secure...""

  • There's a difference between outsourcing the business aspects and the technological aspects. Keep the business aspects (people, process, compliance) internal. If you must outsource, only outsource the technical bits you don't want to have to deal with on a day-to-day basis that will not make any difference to the business no matter how it's done.
  • The on-site/off-site debate is all about comfort level. How much do you trust your outsourcer with your data? What happens if something happens to the data? Who is accountable? Is this written anywhere in the contract? If you can't answer this question, don't do it.
  • It's all about the risk you are willing to accept for the amount you have to spend. Perhaps an anonymous commenter to my original post said it best:
    "The level of security one intends to achieve would depend on the amount of money one is willing to spend. Some would rest on this judgment alone to give an IdM provider the keys to their gates. I am sitting in chair just like that right now. Security is business driven."

If you read my original post carefully, you'll realise I haven't really changed my stance too much. If anything, I'm perhaps a little less harsh today about why it's a "difficult sell" and have tried to address it from different points of view. I still don't think organisations in general are ready to outsource IDM completely, and they shouldn't. At least not until standards, processes and solutions mature to the point where most of the moving parts are commoditised and better understood. However, I do think the market is better placed to at least start to take a look at outsourced IDM and make informed decisions. The most dangerous thing to do with outsourcing IDM is to jump in the deep end. Take little baby steps, people.


Unknown said...

I understand the sensitivity around the identity information but aren't organizations today being trusted with such data (ie. Convergys). These folks host HR systems for fortune 100 companies, including benefit.

I think the challenge is the security infrastructure around the Identity date....and ensuring that access to this is controlable via administrative roles.

Ian said...

Alex, that's what I meant when I said it was mostly psychological. People think Managed Service or SaaS and immediately think "oh crap, my data is going off-site". It doesn't dawn on most to think about the systems they already have either being hosted somewhere else or managed by a service provider as containing sensitive data that they don't want to "lose control of".

As for the challenge being the security infrastructure being around the Identity data, it's a start. There's a lot of selling to be done and perceptions to be influenced.

I should also note that your reference to administrative access being controlled by roles is only partially correct. It's not ONLY about roles. In fact, it doesn't even need to involve roles. It's about overall access control and accountability. Roles are just one of many tactical approaches that can be taken to achieve the overall goal. More often than not, they are used in combination with other approaches including (but not limited to) attribute based access controls.

Anonymous said...

Hello Ian:

Thank you for such a well-reasoned, and thought-provoking post. You make some strong points here, and I wanted to take the opportunity and share some additional perspective. In particular, my response addresses the “toughness of sell” factor, market readiness, and emotional drivers around IAM-related outsourcing. Here goes:

First, IAM outsourcing is not all about risk and comfort level, except within select verticals. Primary drivers for many businesses -- both for and not for profit -- are:

--The desire to have the services that IAM platforms provide
--Limited resource availability
--Limited or no IAM core competencies of existing staff
--IAM infrastructure and systems management not core to client business
--Limited staffing / head count budget

I’m sure I may ruffle a few feathers by saying this to some, but business -- by and large -- does not care about security. (Except for providers of security-related products and services...) Or rather, business only cares to the extent that market forces, customers, and regulatory agencies demands it. Security in and of itself is and remains largely intangible for most, and other than the “hey, you can stay out of the front page of the Wall Street Journal, or reduce your fine/audit exposure, or reduce insurance costs” there is very little reason for most business to make anything beyond cursory investments in pure security and compliance technologies. Not to put too fine a point on it, but businesses invest in security because they have to, not because they want to. (True - this is a blanket statement and many exceptions exist, but the statement covers the broadest swathe of international business models and verticals.)

Another thing many do not (really) care about? Best practices. Like “social media,” (enjoyed your post on branding by the way!) is a hip trendy term that people like to use. “Best practices” are the practices all organizations think they should be practicing, but in actuality do not. It’s a term that helps sell frameworks, tools, and conference passes, but that has very little tangible impact in many organizations. I have blogged about this in the past, and covered it to a lesser extent in “IAM Success Tips: Volume 1.”

What businesses *do* care about, is processes, methods, and tools that can facilitate making money, improving bottom and top-lines, improving customer satisfaction, improving end-user experience, reducing time to marketing, reducing help desk costs and calls, streamlining processes, etc. Provide real-world solutions for these needs, and organizations will and do gladly engage in outsourced IAM (at all levels,) and after-market support. Regarding the “sale” difficulty, part of that has traditionally been that IAM-related vendors come from, and focus too heavily on the pure security aspects of their products and offerings, rather than on the more fiscal and user-satisfaction elements.

For the smb, educational markets, e-tailers, retailers, and a slew of other market verticals and business types, the conversations read more like this:

“We really want IAM services, because of the business process management efficiencies and user/client experience improvements they provide”

“But, we don’t have the resources”

”While we want the services that IAM provides, we don’t have the core competencies in house to make the vision a reality“

”While we want the services that IAM provides, the business of standing up instances of IAM software and managing users is not, nor will it be part of our core business service (a case for outsourcing). We sell widgets, not IAM management...“

“Our budget is already heavily over-allocated to other infrastructure initiatives, not to mention market and client acquisition and support costs” which limits how much we want to spend for internal IAM staff. By the time we send them to all the conferences, and vendor training at several thousand dollars per class, and then engage the consulting firm for several additional weeks for knowledge transfer, we have already eaten up several years of outside management costs."

”Let’s bring in some outside expertise, tell them what we want, and have them own the process.“

For many, the premise of outsourced management of IAM is very attractive. Because, many organizations realize that they:

1)Do not have the core competencies
2)Will never have the core competencies
3)Will never be in the business themselves of providing IAM-related services
4)Do not have their processes modeled
5)Do not have enough information or expertise, or time to define their current, much less future-state business processes
6)Are not qualified to determine accurately what risks really exist, levels of data protection needed, data classification levels, etc.

For organizations comprising the aforementioned models, it makes strong fiscal and sound business sense to outsource all or part of IAM functions. An increasing number of organizations want a ”set it and forget it“ model of IAM. When the right support packages provided effectively and with the right assurances, there is indeed strong interest and subsequent execution.

One other discussion point to add. The classic ”command control and audit“ type of organization is gradually giving way to distributed management and shared ownership models. The up and coming generation of network service consumers, and newer-ecomony countries such as India, demand different models and have a different thinking around concepts of business, security, privacy/identity. The market is, and will continue to move (in baby, then teenage, then adult steps) toward the distributed outsourcing model of all IAM services.

Sun, IBM, Oracle et al. are giant centralized entities themselves, and it is extraordinarily difficult for them to provide actual aftermarket services that non-heavily centralized organizations find useful as the global business world evolves. You were spot on in saying that overall, the current market is not fully ready for fully outsourced identity services—yet. Only now, are organizations starting to move portions of their business (including IAM and HR as others have noted,) to managed providers. Having worked with one of the ”dotbomb“ first generation providers, it is clear (now in hindsight...) how un-ready the market was--then. Now, it is becoming readier. Companies *are* doing it, and becoming quite happy with the results.

Best regards,

Corbin Links, President
Links Business Group LLC

Anonymous said...

Interesting topic and I agree with pretty much everyone here but I thought I would add my two cents =). If we think about IdM in context of it's evolution then we might be able to better put outsourcing of IdM into perspective. Think of this evolution as a series of nested Russian dolls, each business driver encompases the former....

First generation IdM was originally developed to automate back office operations such as user [not identity*] provisioning and data synchronisation for example.

It wasn't until the 'user' information took on an 'identity' context, which had more profound security implications. Under this new context, the second generation of IdM was still about automating back office functions, however the projects expanded starting to address more of the 'security' concerns in IT* [who has access to what and should they have that access].

Finally the third generation , and where I believe we are at today, IdM has further grown to take on more of a business context expanding into the governance and compliance arena where it is aimed to address SoX, Basel etc.

So, assuming we agree on my timeline: the question remains, why do people invest in IdM and where does outsourcing fit in?

I would argue that today companies buy IdM solutions b/c their is a business problem that IdM technology can help solve, ie: compliance requirements. Further, I would also argue that outsourcing doesn't even enter into that decision making whether that decisionis to start the project or make a technology choice. For examply you can't decide, humm I need IdM so lets hire Wipro, IBM, Infosys et al. to come and do it for us!

Therefore, outsourcing has no real impact from a customer perspective in terms IdM ... it is a decision one makes when they are ready to divest resources for the project and hand it over to a 3rd party for the likes of technical support and application integration.

IdM remains and will always be a business problem, central to the heart of both IT and the business. Identity and Accsess is a business transformation project that should address how a company can effectively manage business information in a secure manner.

niall said...

I can see outsourcing idm being a valid business decision at the initiation of the project. With new idm projects, any data and business processes that are perceived as sensitive have to be shared with the consultants providing the initial deployment and configuration expertise anyway, so sharing those same processes and data with an outsourced idm service provider really shouldn't 'feel' any different.

Migrating an existing internal idm solution to an outsourcing service provider is a whole other kettle of fish, and is less about psychological issues and more about transfer of knowledge. Identity management is a complicated business, and it would be quite an undertaking to handover business and technical procedures, code and expertise to an FNG.

It would depend on your business drivers. If your current solution is poor and the outsourced options offer cost reductions and a better solution, the it could be a goer. If cost reduction is the sole driver, then the extensive handover process would have to be taken into account.

Just my tuppence.