Today’s cloud platforms and SaaS solutions have obliterated the ability to rely on firewalls and VPNs. A recent cloud security report indicates 82% of respondents said their traditional security solutions either don’t work at all, or only provide limited functions in cloud environments. HelpNet points out that close to 80% of the companies surveyed experienced a cloud data breach, and 43% reported ten or more. Despite the numbers, it can still be a struggle to convince senior leaders and executives how much value a cloud identity platform provides.
Yet, some organizations are cashing in with their identity platforms. The Forrester Total Economic Impact™ study on Saviynt Enterprise Identity Cloud reports that customers see $34.4M in benefits and achieve a 240% ROI over three years. Calculating ROI isn’t a simple matter. It hinges on your business goals and the strategies you implement to drive those goals. In a recent webinar, Sean Ryan, a Senior Analyst at Forrester, shared five best practices for maximizing the ROI of your identity platform.
1. Assign Ownership and Accountability
Many identity management projects fail to fully reach their potential due to a lack of alignment, overly broad goals, and ill-defined metrics. Sean suggests that organizations can improve chances of success by creating more accountability. He recommends getting consensus and buy-in from the beginning.
It’s crucial to work with the different application owners and business unit managers to get a strong understanding of their business needs. How? You can start by getting them involved in setting core metrics and business goals. Working together is the best approach for establishing consistent controls and access rights as an organization.
Keep the project’s scope focused and take a phased approach for new initiatives. If not, you risk failing — or face an implementation that may take years to complete. Ensure you structure the identity source for centralized oversight while engendering a sense of local ownership. You want to make sure that entitlement owners follow the approval process as well. An intuitive, structured process that provides enough contextual identity information to make intelligent decisions quickly prevents rubber-stamping.
2. Rightsize User Roles
If done well, role-based access control (RBAC) saves time and creates an efficient way to manage your user base. But you have to start by cleaning up your application access, which means working with Human Resources and other internal business units. Get as close to a clean slate as possible, and be careful not to overengineer your policies. Otherwise, you risk becoming mired in layers of nested access roles — making it impossible to determine who has access to any given resource.
Sean suggests that organizations test their roles on a high-churn, task-oriented department, such as a call center, to generate actionable information on how effective they are.
3. Curate Metrics to Drive Efficiency
Sean recommends measuring what matters and not trying to boil the ocean. It’s critical to have the right metrics in place to measure success, so make sure they align with your strategic goals. This brings us back to the importance of best practice number one: defining your metrics for success comes down to working with business teams. There’s a lot of value in their knowledge. They know how their part of the business needs to operate and what success looks like. Working with different application owners and business unit managers to define consistent, reasonable, and quantifiable metrics builds their investment in success.
Limit your scope to benchmarks that provide actionable insight. These insights should lead to changes that propel your organization toward your strategic initiatives. Consider using a balanced metric scorecard that groups metrics into broad categories. Understanding the metrics you want to track — and mapping them to your strategic goals — will ultimately lead to process improvement.
4. Make Better Decisions With Risk-Based Context
Sean reminds us that organizations can use risk-based context to inform decisions. He believes that “better” means having a full portrait of the user requesting access and the risks those permissions might create.
Automated processes available from modern identity platforms can evaluate contextual identity information such as roles, positions, and groups and review the potential access risk. If the risk is within tolerable limits, access is granted for a set period and then auto-decommissioned. This can not only drive smarter, safer decisions, but it also frees up resources so they can focus on higher-value projects and initiatives.
When the risk level is too high, platforms escalate the access review to a human. This prevents toxic combinations that might result in a segregation of duties (SoD) violation or an over-privileged user. Risk-based decision-making leverages automation to accelerate the approval process without sacrificing security.
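The decision flow described in this section, sketched as an added example (not code from Saviynt, Forrester, or any identity product): low-risk requests get a time-limited grant that is later auto-decommissioned, while SoD conflicts and high-risk requests are escalated to a human. The entitlement names, risk scores, tolerance, and time-to-live below are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy data (assumptions for illustration only).
ENTITLEMENT_RISK = {"crm_read": 10, "vendor_create": 40, "payment_approve": 50}
SOD_CONFLICTS = [frozenset({"vendor_create", "payment_approve"})]  # toxic pairs
RISK_TOLERANCE = 60              # scores at or below this are auto-approved
GRANT_TTL = timedelta(hours=8)   # "set period" before auto-decommissioning

@dataclass
class Grant:
    user: str
    entitlement: str
    expires_at: datetime

def sod_violations(held, requested):
    """Conflict sets that would be completed by adding `requested` to `held`."""
    after = set(held) | {requested}
    return [c for c in SOD_CONFLICTS if requested in c and c <= after]

def risk_score(user, requested):
    """Base entitlement risk, raised for third parties and out-of-role requests."""
    score = ENTITLEMENT_RISK.get(requested, 100)  # unknown entitlement: fail closed
    if user["third_party"]:
        score += 20
    if requested not in user["role_entitlements"]:
        score += 15
    return score

def decide(user, held, requested, now):
    """Return ('grant', Grant) or ('escalate', reason) for one access request."""
    conflicts = sod_violations(held, requested)
    if conflicts:
        return "escalate", f"SoD conflict: {sorted(conflicts[0])}"
    score = risk_score(user, requested)
    if score > RISK_TOLERANCE:
        return "escalate", f"risk {score} exceeds tolerance {RISK_TOLERANCE}"
    return "grant", Grant(user["name"], requested, now + GRANT_TTL)

def decommission_expired(grants, now):
    """Auto-decommission: keep only grants that have not reached their expiry."""
    return [g for g in grants if g.expires_at > now]
```

Checking SoD before scoring means a toxic combination is never auto-approved, even when each entitlement on its own is low risk.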
5. Stick to the Principle of Least Privilege
Finally, Sean brings up that the principle of least privilege remains a cornerstone of identity governance — and is vital for addressing the ever-present challenge of third-party access. Users should only have access to the precise resources needed to complete a job. Sticking to the principle of least privilege minimizes risk by limiting the damage if a user becomes compromised or malicious.
Identity governance can be challenging when users are dynamic and move from one role — or team — to another over time. This is where time-limited access comes in. Time-limited access through automated tools prevents permissions from lingering, and access management becomes less cumbersome.
Learn more about measuring the financial impact of a modern identity platform. Watch Measuring the ROI of an Identity Platform with Saviynt and Forrester Consulting.