Ubisecure. White Paper Series 2. Business Justification for IAM

Ubisecure White Paper Series 2 Business Justification for IAM

2 Business Justification for IAM Behind each investment decision is a return expectancy and careful consideration of business benefits. When you develop your online solutions further, you need to justify the cost of development with (preferably) quantifiable benefits. Extranets, cloud services and other online services are tools to improve your customer satisfaction, cut cost and gain new customers. Here we ll try to outline some of the tangible business benefits related to access and identity management. The first part of the paper concentrates on these issues. After listing several business benefits of having a robust and comprehensive IAM solution in place for your online services we take a look at some return on investment calculations. Each investment you make should have a reasonable short return, so that the money you ve just invested will start benefitting your bottom line. Not just return on investment, people are looking for Total Cost of Ownership models (TCO), where the money put into the solutions piles up during the years it is used. TCO is usually something you compare to another choice you can make. A typical TCO comparison point is between buy or make, where you compare the total monetary value you put into the solution comparing either a solution that you can buy from someone else, or develop it by your own. We will give you some practical examples on how these two choices can affect your bottom line. money is the decision on how to actually acquire a solution such as the identity management to your service portfolio. Here we are talking about two basic things. Investment up-front, called CAPEX (CAPital EXpense, or EXpenditure) and then the running cost of maintaining, updating, upgrading the solution further in the future. This is called OPEX (OPertational EXpense or EXpenditure). Sometimes you have a choice of having only the OPEX, and sometimes if you want to run things by yourself due to security or policy reasons you have to consider both CAPEX and OPEX. OPEX-only is typically related to cloud services, where someone else is running the infrastructure, operating systems and software on your behalf. In this short paper we ll try to highlight how IAM behaves around these concepts and write about business benefits in general. Then the third thing to consider in terms of

3 Business Justification for IAM Contents Business benefits of running an IAM solution... 4 New customer onboarding... 4 Knowing Your Customer... 4 Automation... 5 New Web Based Services... 5 Self Service vs Customer Service Desk... 5 Proper and Yet Convenient Authentication... 6 Value of personalization... 6 Business ecosystem networks through federation... 7 Making the smart choice... 9 Return On Investment (ROI)... 9 Total Cost of Ownership (TCO)... 10 CAPital EXpenses and OPerational EXpenses (CAPEX and OPEX)... 11 Time-to-Market... 11

4 Business Justification for IAM Business benefits of running an IAM solution New customer onboarding Every business lives and dies with its customers. Growth requires new customers, and the cost of new customer acquisition can affect the bottom line considerably. A fully automated web campaign can have as high cost as 100$/new customer, whereas field sales intensive successes can hike up the cost to tens of thousands of $. So, every and all actions you can implement that can cut cost in new customer acquisition can yield big benefits. The first phase in customer acquisition is naturally getting your message out to the prospective customers. This is where marketing plays a role and thanks to the Internet we have dozens of practically free channels where we can flaunt your message. The traditional company web pages are the first step, but then you have social media feeds, blogs, online videos etc. at your disposal. Once you have an interested person at your sights, you need to be able to get them onboard as easy as possible and as cost efficiently that you can manage. Again, Internet based tools can offer a great way to reduce cost by offering self service functions for the customer. These functions should cover the whole life-cycle management of the user identity, and be available to the user as this would minimize the cost of identity management for the service provider. The cost of new customer acquisition depends heavily on how automated it can be. But according to some experts in the field 1 it can easily vary from a 100$ to ~1800$ (with headcount costs). Any and all human interventions / touch will raise this figure rapidly. If we estimate that one customer call will raise the cost by 50$ it would make a huge cost savings if we could minimize the number of required calls. One feature in Ubisecure Customer ID is e.g. that the sales person can send immediately an invite to the extranet to the customers e-mail, after which everything is done by the customer. These invites can be sent also automatically as part of a campaign, which would further minimize the cost. Speculatively we could argue that using Ubisecure Customer ID even in lower cost customer acquisition process would generate cost savings in the amount of tens of dollars / new customer. Therefore, in a high volume site, where user identities need to be verified properly and where the sites relies on both authentication and authorization, annual cost savings can easily reach hundreds of thousands of $. Knowing Your Customer Know your customer principle can be seen from two different perspectives. The first relates to regulation, and is especially important in the banking sector 2. The KYC is a set of methods and actions put in place to minimize certain risks in financial transactions. KYC is used to thwart fraud, identity theft, terrorist financing and other bad things. Identity and Access management ensures that as a business entity serving other businesses, you can make sure you are dealing with a correct party. A good IAM solution will help you meet the demands of KYC. But knowing your customer is also very important in the sales process of your business. By having instant access to the information on who is capable of buying new products and services from your organizations, you can make the upsell process that much easier. Role 1 http://www.forentrepreneurs.com/startup-killer/ 2 http://en.wikipedia.org/wiki/know_your_customer

5 Business Justification for IAM based IAM typically has the pertinent information to help you make the correct decisions on whom to approach in your customer organization. Automation If you can automate something, it normally translates to direct cost savings. Identity and Access management solutions can be used to automate, or provide information to other automation processes within the company. Registration of the customer identity is a prime example of automation. With IAM and solutions like Ubisecure Customer ID you can first outsource the whole registration process to your stakeholders minimizing the need for human touch during the registration and secondly you can integrate a lot of other systems to this process so that during the registration external data sources can be queried for information about the stakeholder etc. The goal of the registration process automation is to make sure that the customer doesn t turn away from your services due to inconvenience. So the registration itself can increase the influx of new customers if done correctly. Not just registration, IAM can provide a bag full of features to improve your processes, where customer information is handled. RESTful APIs can be used to integrate the IAM solutions to your other back-end systems, delivery of up-to-date customer information can be made to work for your other services etc. New Web Based Services It might happen that you can t consider putting out some of your service concepts online as you might be worried about security. This is especially something that we see in the egovernment sector, and in some extranet cases where the native platform doesn t offer good enough authentication out-of-the-box. Though the UK government has said that they could consider accepting social identities in their online services. But, the fact is that sometimes a lack of a proper security solution, especially in authentication can prevent companies deploying online services, or there s a regulatory requirement that needs to be addressed and until that s covered, the services cannot go online. Here, the loss of revenue or cost savings are harder to calculate as each service tends to be unique and affect the bottom line of the company differently. But with an IdP that can integrate to all available strong IDs combined with social identities, companies need not to worry that the security would insufficient. Self Service vs Customer Service Desk Password reset problem is a well known fact for the companies internally. But it affects also extranet and online customer sites that rely on passwords. It is estimated that a password reset costs around 30-50$ 3. In an extranet site that is not used regularly the frequency of the reset requests might climb higher than in a typical corporate intranet environment. This is where self service functions play an important role. Although many Internet facing sites do allow you to reset or recover your password, it is not always the case. If even 1% of users of an extranet site of 10 000 users will need password recovery per month, it will result in 48 000$ yearly expenses without self service functions. Another major benefit of having a robust and feature rich IAM is that users are authorized properly by the user organizations themselves. There s no need to call a sales rep or account managers to have them add a new user to the list of authorized person accessing the extranet site as it can be done by the end user organization. Again, we can take the estimate of 30-50$ cost / new user or change when calling the customer service desk. A typical organization will have employees leaving and new ones coming in at the rate of 5% / year. People also change jobs within the company, so it is not unrealistic to assume that 3 http://www.net-security.org/secworld.php?id=10954

6 Business Justification for IAM out of the 10 000 users, 1000 need to be changed each year. This represents again a cost of 40 000$ / year, which can be avoided completely by using an IAM product such as Ubisecure Customer ID. It s been calculated that in the telecom industry self service functions can generate cost savings up to 70% 4, or 70% of customer service desk calls could be resolved through self service functions through the web. Another benefit of having an extensive self service portal that does answer the customers needs is the reduced churn, or increased loyalty. Proper and Yet Convenient Authentication Strong authentication is not required all the times. For egovernment sites, it s almost always mandatory as it is in online banking. But for business purposes using strong authentication 100% of the time might be an overkill. And the means to verify the identities using strong methods might incur some costs. Tokens such as smart cards, USB tokens, OTP dongles are not free. Strong authentication based on software approach might have a lower TCO, so the cost varies in strong authentication. Government issued tokens might be considered free for the business users, but they do cost for the government itself. Bank authentication tokens could also be used for business purposes. Lot of the banks would like to see more services linked to the IDs they issue to strengthen their brand and loyalty. But the bottom line is that strong is not always mandatory. Combining strong authentication with weaker methods such as Facebook or Google identities can help companies build websites and extranets, where the registration phase enables customers to link their social identities to a e.g. government issued identity. After the registration the customers can use the social identity for the logins, but as the identity is already linked to a stronger identity the assurance level can be considered to be higher compared to a mere social identity. After all, anyone can create a Facebook profile for the user SuperMan, but it is doubtful that there s a government issued ID for the man of steel. Taking the Finnish bank authentication as an example, we can calculate some tangible monetary benefits for this approach. The Finnish banks offer their identities to be used in commercial services as a strong authentication method. They charge, on average, 0,3 per authentication event 5. If you have a high volume extranet site with thousands of users, the authentication transaction costs can be quite high if you rely only on the bank authentication. An online service in Finland called Netvisor is a typical service. It s a cloud based service for the companies (SME), where invoices can be created, approved etc. Typically the Netvisor user accesses the service at least once a week. That means roughly 50 authentication events / user / year. If they have 10 000 customer organizations with 3 active users the cost of external authentication is (50 x 10 000 x 3) x 0,3, which totals to a 450 000 yearly cost. Theoretically this could be reduced to a fraction by using combined IDs and offer the end users an extremely convenient way to login into the service using e.g. their Facebook identities. But as the service does handle monetary transactions, maybe this is not the whole picture. Nevertheless there can be huge cost savings by providing highly convenient authentication for the end users, which has been strengthened during the registration phase with a stronger identity. Value of personalization In a highly competitive market, knowing your customer is imperative. It s a fact that it s far more easy to sell to an existing customer than to acquire a new one. So, upsell to your 4 http://www.magentaadvisory.com/2013/01/10/development-of-telecom-industry-four-key-digitaltrends-12/ 5 http://www.solinor.fi/blog/tunnistautuminen

7 Business Justification for IAM customer is very important. The best way to introduce new services and products is to market them to people and organizations that actually have a use for them. And here the know your customer plays a key role. By having a database of your customer names is not enough, you need to know their industry to better target your offering, but if you have access to information that tells you who in your customer organization can buy new products and services, the cost of sales reduces dramatically as human intervention is reduced. It should be noted however that personalization is not about knowing personal facts per se. It s about knowing your business partners as best you can. In B2C personal data becomes perhaps more important, but then you have to be careful on how, what, where and when you store data about a user. Personalized products, services, pricelists, communications, etc. have been around for a while now, and they ve proven to be highly efficient in keeping the customers happy, or actually cut manufacturing costs. According to a study 6 Nissan (a car maker) was able to offer customized cars to their customers and at the same time cut cost of manufacturing by 3600$ / car, and for the whole car making industry the resulting capital savings up to 80bn$. Naturally this has a whole lot to do with being able to cut costs in manufacturing through better forecasting, outsourcing etc. Another example given in the study was Dell Computers who had already by 2003 developed a Premier content web pages that were customized for each of their 65 000 biggest customers. Business ecosystem networks through federation As company borders blur and mix in together, partner relations deepen, outsourcing creates wide networks of participating companies business ecosystems are born. The most convenient medium of conducting business is through the Internet as it s always available. When a large number of companies support each other s businesses it makes perfect sense to allow them to access your systems through a convenient method. One of these methods is called federation, whereby an identity existing in one domain can traverse to another domain, and therefore provide single sign-on across company borders to all participating organizations. A very traditional example of federation involves an airplane ticket, car hire and a hotel reservation. This holds true in the B2C segment, but does not give too much for the B2B sector, unless you travel a lot. What does provide tangible benefits and true convenience is allowing your customers, partners and stakeholders to login into your services from their own corporate network without any extra fuss. This is possible quite easily by installing a simple component such as Ubisecure Windows AP to the customer network, and allowing them to login into your services with single sign-on. What s notable about this solution is the fact that as everything happens through the browser, there s no need to open up network ports or otherwise complicate things for the IT department. The other option is to use e.g. Windows Azure AD (AAD) or Google Apps, i.e. corporate cloud service IDs to enable single sign-on to the services. With Ubisecure solutions you can provision cloud IDs easily to any of your services either in a batch mode or just-in-time provisioning. In this way, even a whole company can be integrated to an online service within a few hours. After the provisioning of the users, they can login into the services from their company network with single sign-on. 6 The Power of One: Gaining Business Value from Personalization Technologies By Nirmal Pal, Arvind Rangaswamy

8 Business Justification for IAM The most tangible benefit from B2B federation is convenience that can boost customer loyalty to a completely new level. A lot of the outsourcing companies that provide HR, accounting, health, travel reimbursement and other online services look for new ways of delivering a smoother customer experience. With single sign-on from the customers own network, what could be more convenient. Also the easiness of identity provisioning and federation increases chances of getting new customers, and naturally it cuts cost in the operating level as you don t have to worry about the thousands of customer identities yourself, but rely on the fact that the companies you offer your services to themselves are handling that. After all, they should have the proper and up-to-date information.

9 Business Justification for IAM Making the smart choice Putting business benefits aside, if you have decided to go for the IAM solution, there are business justification arguments that need to made. Business benefits do play a vital role, but on top of the business benefits you need to find hard numbers to support your decision. Identity and Access management is not always a simple thing to quantify, but there are plenty of information available that can help you evaluate the monetary effects and different choices you can make when acquiring an IAM solution. In the next few chapters we ll outline how the choices you make affect the bottom line. Return On Investment (ROI) The concept if ROI is well established in all industries, and you should always have a number showing how long it takes for your investment to positively affect the bottom line of your company financials. Here the evaluation of business benefits play a big role. Each business benefit that you can put a number to can make your ROI calculations more accurate. And if you find out that you don t have enough business benefits to quantify, you can t show a reasonable ROI, and if this is the case, you should consider if you can solve the challenges you face through some other means. ROI considers profits in relation to capital invested and it is used to evaluate the efficiency of an investment in certain time period measuring relative (%) investment profitability ROI % = (Net profit / Investment) 100 Cashflow is the movement of money into or out of a business or project in certain time period. measuring absolute ( ) investment profitability A simple example which should be easy to calculate is based on customer service cost savings. Here we can estimate that a company could generate 20% cost savings through Internet based services, through self service functions. A large company with an extensive customer base can generate e.g. 200 000 customer service desk calls per year with the average cost of 20 / call. The investment in IAM is valued at 370 00 including software licenses, maintenance for a 5 year period and integration to the online services. By simple mathematics we arrive to the following numbers:

10 Business Justification for IAM Payback time for the investment 1,2 years ROI by 2018 549% Cumulative Cash Flow by 2018 2 030 000 Discounted cumulative cash flow 1 400 000 by 2018 (Weight average cost of capital = 10%) Total Cost of Ownership (TCO) As with ROI, the concept of TCO is well established. Here you evaluate different choices you can make to achieve your goals and put them, usually, on a 3 or 5 year span and try to evaluate how much money the different choices will cost you. This evaluation is a tool to help you make the right choice. Even though both choices might have the same end results in terms of business benefits, the money put into these different choices can vary greatly. As IAM is mostly about software we ll be investigating or trying to show the difference between almost all companies that deal with software have to make. Buy or develop on your own from scratch or using open source. Sometimes the boundaries between developing your own solution and using open source to build it are hard to separate. TCO analysis includes all CAPEX and OPEX during the time period TCO is a practical analysis especially when comparing different investment options total cost over certain time period CAPEX: CAPital EXpenditures Investments creating future benefits OPEX: OPerational EXpenditures Cost for running solution An example calculation between inhouse developed and product based IAM. Please note however that the content & features might not be comparable as it takes much longer to develop a fully fledged IAM solution than estimated here for the inhouse development. It is good to realize that you do not need all the features of a product based IAM at once, but as your business develops, so does your need to utilize your investment better, or you find new use cases for your solutions. In the beginning inhouse & open source options might look better in terms of investment, but on the long run product based solutions tend to win in terms of TCO.

11 Business Justification for IAM CAPital EXpenses and OPerational EXpenses (CAPEX and OPEX) ROI and TCO are sometimes just evaluating monetary impacts on the bottom line, but CAPEX and OPEX have also a strategic aspect in them. CAPEX is related buying the services or solutions for onsite installations, whereas the OPEX is either the cost after the CAPEX (running the solution within your own organization), or buying the service from the cloud. And this is the bit that relates to strategy, as some companies do not want to run anything outside their own domain. But this is quickly changing with the cloud services in almost every imaginable area of software and IT. Just considering the amount of companies using Google Apps for Business (5 million as of summer 2013) and Microsoft Office365 (4 million as of summer 2013) the trend is clear. Business cloud services are here to stay. And especially for a cloud service provider the choice should be easy to make buy IAM as a service from the cloud. You can see the differences between CAPEX and OPEX in the previous example. Moving away from on-premise installations to cloud based services can practically nullify the CAPEX numbers and diminish the workload costs. In cloud based services there are also a lot less ambiguous costs, or hidden costs. You pay as you go, and normally the cost is always known well beforehand. Time-to-Market When you realize you need something, it s usually so that you needed it yesterday. Time-to- Market means that you have a timeframe that will have a monetary value to it. The shorter the timeframe or window, the less it will cost you, and can give you a competitive advantage. Time-to-Market is closely related to concepts introduced above, but is being handled here separately to emphasize the effect it can have. IAM ties to a few important aspects in service development that can shorten the time-to-market window, and we ll list some of them here. 1. Relevant authentication methods for connected services available immediately 2. Identity information delivered to the application in a correct format and taking into account privacy issues 3. Identities are not managed by the application itself, no need to build any extra functionality

12 Business Justification for IAM 4. Registration process, self service functions, password resets etc can be handled by the IAM solution If you have to develop all these functionalities to your services you might prolong the timeto-market of your solution by several months. Yes, some of the functions are easy to develop, such as having a table of usernames + passwords in you service. But this simple implementation will take you only so far.

13 Business Justification for IAM Conclusions Identity and access management can clearly deliver benefits for your organizations. You might already be running an IAM solution, but are you taking all the benefits of your solution? You can look where you stand in the Extranet Maturity model by reading Ubisecure White Paper Series 1: Extranet Maturity Model document. If you are considering ways to improve your online services, one way you can do this is by enabling better customer service experiences, single sign-on across your services, or single sign-on directly from your customer network. You can also find ways to improve your bottom line by cutting cost using IAM. But IAM can yield so much more. It can turn the identities that you have into real assets for your organization. IAM can give you the competitive edge against others, it can enable you to put innovative services out there, and with IAM solutions such as Ubisecure delivers you don t have to worry about the sensitive nature of your services. If you wonder how these things can become a reality in your organization, please take a look at the upcoming third installment of Ubisecure White Paper Series 3: Integration in IAM.

14 Business Justification for IAM Ubisecure Solutions, Inc. +358 9 251 77 250 Tekniikantie 14 FIN-02150 Espoo Finland WTC, Klarabergsviadukten 70 Box 70396 SE-10724 Stockholm Sweden www.ubisecure.com www.twitter.com/ubisecure www.facebook.com/ubisecure www.smootherinternet.com