In today’s complex world of heritage and bleeding edge systems, identity and access management is pretty much mandatory for medium sized organizations and above. In this post I’ll show you the value of access management in a measurable way instead of the usual “handwavium”. To do this I’ll cover the direct cost avoidance from access management for staff for an organization that has 1000 staff and 10 key applications.
Please note the following:
- I’ll defer some parts that are part of governance for a later post.
- I’ll provide my estimates of cost (okay, some handwavium), so please consult Kuppinger-Cole, Gartner, Forrester and friends for industry standard numbers and customize them to your specific situation. It’s the approach that’s key, not the numbers in the example.
Access Management deals with four key functions:
- Manage “Authentication Friction”
- Provide an authentication bus
- Deliver authentication governance
- Enforce access control
Authenticating separately to multiple systems is a familiar pain, and removing it for your employees is satisfying. Whilst reduced frustration is hard to measure in a staff environment (a captive audience), the cost avoided by eliminating repeated password entry through Single Sign On (SSO) is easy to estimate.
This value calculation is based on the following assumptions:
- The average username / password entry consumes 10 seconds
- There are 220 effective working days in a year
- The average hourly rate for an employee is $40
- An average of 6 sign-in events per day are avoided via SSO.
Thus we have 6 x 10 = 60 seconds avoided per day, which over 220 days is 13,200 seconds or 220 minutes per year. Per employee that is 220/60 x $40 = $146.67 per annum. Multiply that by 1,000 employees and we have a saving of 1000 x $146.67 = $146,670 each year. Note that this counts only the time spent entering credentials, not the time waiting for each application’s login page to respond.
For customer-facing access management, authentication friction matters even more. A/B testing is the only way to measure it accurately, but two widely cited findings give us guidance as to its importance:
- Amazon found every 100ms of latency cost them 1% in sales
- Google found 500ms of latency cost them a 20% drop in traffic.
For those wishing a trip down memory lane, rapid response was often discussed as far back as the 1980s – see the following examples.
Adding SSO is much less of a problem for today’s applications, which support modern authentication protocols such as SAML, Kerberos, etc., but it still matters because three questions remain:
- How are different SSO protocols connected together into a seamless user experience?
- How are heritage applications SSO enabled without significant rework and the attendant maintenance?
- How do you add authentication to your APIs in a way that is both scalable and maintainable?
We can see the following value points:
- SSO enabling a heritage application – valued in the previous section.
- Reduced time to market for new or changed services – too “fuzzy” to quantify.
- Reduced development and maintenance costs.
- Reduced need for VPN or back-end encryption protocol updates.
Normally I’d use the industry recognised savings identified for an enterprise service bus (ESB), but the availability of many standards-based authentication protocols and of methods for backwards compatibility – identity injection, form fill, screen scraping, etc. – magnifies the savings considerably.
The value calculation is based on the following assumptions:
- Average time to implement and test an app-specific authentication solution is:
  - Simple: 100 hours
  - Average: 200 hours
  - Complex: 600 hours
- Average wage across development and test is $60/hour
- 10 applications – five simple, three average, two complex: 5 x 100 + 3 x 200 + 2 x 600 = 2,300 hours, an average of 230 hours per application
- The use of a modern access management tool will save 95% of the development cost. This is the assumption that drives the result, so check it against your own integration history.
- Annual maintenance costs are 30% of the build cost for point solutions and 20% for the bus solution.
Thus the one-off development saving is 10 x 230 x 95% x $60 = $131,100, and the annual maintenance comparison gives a $40,020 saving:
- Custom: 10 x 230 x $60 x 30% = $41,400
- Access Bus: 10 x 230 x (1 – 95%) x $60 x 20% = $1,380
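The SSO calculation and the authentication bus calculation above, expressed as one small parameterised model so the assumptions can be swapped for your own numbers. This is an added example, not code from the original post; the defaults are the post’s assumptions and the function and field names are mine. The post rounds the per-employee SSO figure to $146.67 before multiplying by 1,000 (hence $146,670); the model keeps full precision, which gives $146,666.67.

```python
"""Parameterised version of the two cost-avoidance calculations in the post.

Defaults are the post's own assumptions (an assumed 1,000-staff organisation with
10 applications); replace them with your organisation's figures.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class SsoAssumptions:
    """Inputs for the 'authentication friction' (SSO) calculation."""
    seconds_per_login: float = 10.0      # time to type a username/password
    logins_avoided_per_day: float = 6.0  # sign-in events SSO removes per employee per day
    working_days_per_year: int = 220
    hourly_rate: float = 40.0            # average employee hourly rate
    staff: int = 1000


def sso_hours_per_employee(a: SsoAssumptions) -> float:
    """Hours of password entry avoided per employee per year."""
    return a.seconds_per_login * a.logins_avoided_per_day * a.working_days_per_year / 3600


def sso_saving_per_employee(a: SsoAssumptions) -> float:
    return sso_hours_per_employee(a) * a.hourly_rate


def sso_saving_total(a: SsoAssumptions) -> float:
    return sso_saving_per_employee(a) * a.staff


# Hours to build and test a per-application (point) authentication solution,
# by complexity tier. Tiers and hours are the post's assumptions.
DEFAULT_APP_HOURS: Dict[str, float] = {"simple": 100, "average": 200, "complex": 600}


@dataclass
class BusAssumptions:
    """Inputs for the 'authentication bus' calculation."""
    app_mix: Dict[str, int] = field(
        default_factory=lambda: {"simple": 5, "average": 3, "complex": 2})
    app_hours: Dict[str, float] = field(default_factory=lambda: dict(DEFAULT_APP_HOURS))
    dev_hourly_rate: float = 60.0
    bus_dev_saving: float = 0.95      # share of point-solution build effort the bus removes
    point_maintenance: float = 0.30   # annual maintenance as a share of build cost
    bus_maintenance: float = 0.20

    def __post_init__(self) -> None:
        # Fail early on a complexity tier with no effort estimate, rather than
        # silently dropping it from the total.
        unknown = set(self.app_mix) - set(self.app_hours)
        if unknown:
            raise ValueError(f"no effort estimate for complexity tier(s): {sorted(unknown)}")
        if not 0 <= self.bus_dev_saving <= 1:
            raise ValueError("bus_dev_saving must be a fraction between 0 and 1")


def point_solution_hours(b: BusAssumptions) -> float:
    """Total hours to build point solutions for every application in the mix."""
    return sum(b.app_hours[tier] * count for tier, count in b.app_mix.items())


def point_solution_build_cost(b: BusAssumptions) -> float:
    return point_solution_hours(b) * b.dev_hourly_rate


def bus_build_cost(b: BusAssumptions) -> float:
    """Residual per-application work left after the bus removes most of it."""
    return point_solution_build_cost(b) * (1 - b.bus_dev_saving)


def one_off_development_saving(b: BusAssumptions) -> float:
    return point_solution_build_cost(b) - bus_build_cost(b)


def point_solution_annual_maintenance(b: BusAssumptions) -> float:
    return point_solution_build_cost(b) * b.point_maintenance


def bus_annual_maintenance(b: BusAssumptions) -> float:
    return bus_build_cost(b) * b.bus_maintenance


def annual_maintenance_saving(b: BusAssumptions) -> float:
    return point_solution_annual_maintenance(b) - bus_annual_maintenance(b)


def annual_cost_avoidance(a: SsoAssumptions, b: BusAssumptions) -> float:
    """Recurring saving per year: SSO time avoided plus lower maintenance."""
    return sso_saving_total(a) + annual_maintenance_saving(b)


if __name__ == "__main__":
    sso, bus = SsoAssumptions(), BusAssumptions()
    print(f"SSO saving per employee:     ${sso_saving_per_employee(sso):,.2f}")
    print(f"SSO saving for all staff:    ${sso_saving_total(sso):,.2f}")
    print(f"One-off development saving:  ${one_off_development_saving(bus):,.2f}")
    print(f"Annual maintenance saving:   ${annual_maintenance_saving(bus):,.2f}")
    print(f"Total annual cost avoidance: ${annual_cost_avoidance(sso, bus):,.2f}")
```

To test sensitivity, construct `SsoAssumptions(logins_avoided_per_day=3)` or `BusAssumptions(bus_dev_saving=0.7)` and rerun; the one-off saving scales linearly with the 95% assumption, so that is the number to challenge first.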
These savings apply both to heritage applications and to integrating all of the different authentication protocols (and versions!) into a seamless and secure whole. This matters when a protocol needs a security update: the fix is applied once, quickly, at the access management layer, and the protected resources can be updated at a more considered pace.
Authentication Governance is about ensuring the appropriate authentication methods are used based on user or application risk rating. The value of this is calculated by the difference in annual breach likelihood against the application or user impact. This will be detailed in a later post on governance.
Access control is a subset of authentication governance in that it either permits or denies an authenticated user access to an application. As a result it uses the same calculation method.
From the above, access management would deliver about $187,000 of measurable cost avoidance to this imaginary business per year ($146,670 from SSO plus $40,020 in reduced maintenance), together with a one-off development saving of $131,100. This does not include indirect benefits such as improved security posture, happier staff and faster time to market.
In my next blog we’ll look at how to measure the value of identity management – so watch this space! If there’s anything you’d like to discuss please don’t hesitate to contact us, and feel free to browse through a heap of Access Manager resources here. Or find me directly on LinkedIn if you like.