Friday Jan 11, 2013

Bang for the Buck

Author: Kevin Moulton

You’ve just spent a good chunk of change on an Identity Management suite, and you want to find your way to positive ROI. That’s easy: you decide to do everything! You’ll automate 20 enterprise-wide applications, implement password changes every 30 days, and deploy web access management across all web-based apps, with single sign-on, risk-based behavioral analysis, separation of duties, and re-certification every six months. You’ll build all of that in the lab, and go live over a long weekend once you get everything working.

When will that be?

Probably never!

These are all excellent goals, but do you really need to accomplish them all at once? Rome wasn’t built in a day.

You may think you’ll get the job done more quickly if you try to boil the ocean, but in my experience this method leads to scope creep and continual project changes, while version changes in your production environment make your lab work obsolete before you get out of user acceptance testing.

While this is going on, the management team that wrote the check for the Identity Management suite will grow impatient. They want to see results. Finger-pointing is inevitable.

In my experience, a phased approach is the only way to go if you hope to be successful. Determine what you can implement that will affect the greatest percentage of your user population and can be implemented quickly and easily. For example, suppose that HR enters all of your in-house employees and contractors into PeopleSoft, and then IT gives them an account in Active Directory and Exchange. This affects everyone in your environment, so automate these steps in Phase 1. This is easy and quick to implement in Oracle Identity Manager. With the completion of Phase 1, a new employee entry in PeopleSoft triggers a new user creation in Oracle Identity Manager, and simple provisioning rules generate the Active Directory and Exchange accounts. Create additional rules to automate membership in Active Directory groups and Exchange distribution lists based on the user attributes that flowed from PeopleSoft, so that a department or location change in HR is reflected in the directory without a ticket.
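The attribute-driven rules described above, as an added example that is not Oracle Identity Manager code or the author's own: a constructed stand-in for a PeopleSoft record is turned into a desired set of accounts and memberships, and a diff against what the directory currently holds yields the provisioning actions. The diff is what makes the rules handle transfers (add the new department group, remove the old one) and leavers (disable the account and strip every membership) with the same code path that creates a new hire. Group and distribution-list names, the attribute set and the `example.com` domain are hypothetical.

```python
"""Attribute-based provisioning rules with a current-vs-desired diff.

Added example (hypothetical names and attributes); not Oracle Identity
Manager's rule engine, just the logic such rules express.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class HrRecord:
    """Constructed stand-in for one row of the HR (PeopleSoft) feed."""
    employee_id: str
    email: str
    department: str
    location: str
    worker_type: str   # "employee" or "contractor"
    status: str        # "active" or "terminated"


@dataclass
class DirectoryState:
    """What Active Directory / Exchange currently hold for one person."""
    has_ad_account: bool = False
    enabled: bool = False
    has_mailbox: bool = False
    groups: Set[str] = field(default_factory=set)
    dls: Set[str] = field(default_factory=set)


def desired_state(rec: HrRecord) -> DirectoryState:
    """Provisioning rules: HR attributes alone decide what a user should have."""
    if rec.status != "active":
        # Leaver: desired state is "no access". The account is disabled rather
        # than deleted (see plan_actions) so it can still be examined later;
        # the empty group/DL sets make the diff remove every membership.
        return DirectoryState()
    groups = {"All-Staff", f"Dept-{rec.department}", f"Site-{rec.location}"}
    dls = {f"{rec.department.lower()}-announce@example.com"}
    if rec.worker_type == "contractor":
        groups.add("Contractors")          # lets downstream policy treat them differently
    else:
        dls.add("all-employees@example.com")
    return DirectoryState(True, True, True, groups, dls)


def plan_actions(current: DirectoryState, desired: DirectoryState) -> List[str]:
    """Diff current vs desired into an ordered list of idempotent actions."""
    actions: List[str] = []
    if desired.has_ad_account and not current.has_ad_account:
        actions.append("create_ad_account")          # created enabled
    elif desired.enabled and not current.enabled:
        actions.append("enable_ad_account")          # rehire / reactivation
    elif current.enabled and not desired.enabled:
        actions.append("disable_ad_account")         # leaver: disable, never delete
    if desired.has_mailbox and not current.has_mailbox:
        actions.append("create_mailbox")
    # A mailbox is kept on departure (retention), so there is no delete action.
    actions += [f"add_group:{g}" for g in sorted(desired.groups - current.groups)]
    actions += [f"remove_group:{g}" for g in sorted(current.groups - desired.groups)]
    actions += [f"add_dl:{d}" for d in sorted(desired.dls - current.dls)]
    actions += [f"remove_dl:{d}" for d in sorted(current.dls - desired.dls)]
    return actions


def reconcile(rec: HrRecord, current: DirectoryState) -> List[str]:
    """What to do for this HR record given what the directory has today."""
    return plan_actions(current, desired_state(rec))


if __name__ == "__main__":
    hire = HrRecord("1001", "jdoe@example.com", "Finance", "NYC", "employee", "active")
    for step in reconcile(hire, DirectoryState()):
        print(step)
```

Running the plan a second time against the state it produced yields no actions, which is the property you want from a scheduled reconciliation: the feed can be replayed safely, and only real HR changes generate directory changes.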

Now that you’ve automated the Active Directory accounts and group memberships, in Phase 2 you can implement Oracle Access Manager to protect your web-based resources, using the Active Directory accounts for authentication and the group memberships for authorization. Again, don’t try to tackle every web-based resource. For this phase, just pick the ones that receive the highest amount of traffic.

With this approach, your management will quickly see the value of their investment, and your end-user community will be excited about the new automation you put in place. They’ll stop you in the coffee room, ask what this new thing is, and ask when you can manage accounts in their database environment, the CRM system, or their home-grown application. Your compliance folks will be happy with the added benefit that you can quickly de-provision these accounts when someone leaves: the same HR feed that created the account tells you when to disable it and strip its group memberships.

In other words, find the biggest bang for the buck, and get it done. This will generate the momentum and excitement that will drive the entire project to success. This approach has the added benefit of not asking your end-user community to accept too much change all at once, which will make them more comfortable with your project.

But what about all of those other target systems that you had hoped to implement in your “boil the ocean” project plan?

If you are managing these targets manually today, then set up a manual workflow for these systems. Create a workflow that allows end-users to request access to these systems, routes the request through an approver, and then assigns the fulfilment task to the person or group who currently does the work; they go into the workflow and mark the task as completed when they are done. In this way, you have a comprehensive record of who has access to what, who requested that access, who approved it, who granted it, and when it was granted. This record gives you compliance reporting and recertification for systems you have not connected yet.
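The manual-fulfilment workflow and its audit record, as an added example that is not Oracle Identity Manager's workflow engine or the author's own code: an in-memory model that enforces the request, approve, complete sequence, refuses self-approval (the separation-of-duties goal from the opening paragraph), lets only the assigned person or group mark a task done, and then answers the two questions compliance asks, who has what and what is due for recertification. Target names, people, groups and the six-month recertification window are hypothetical; the injectable clock exists so the example runs deterministically.

```python
"""Manual-task access workflow with an audit trail and recertification query.

Added example with hypothetical targets, users and groups; it models the
record the text describes, not any product's workflow engine.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    beneficiary: str          # whose access is being requested
    target: str               # e.g. "CRM" (hypothetical target system)
    entitlement: str          # e.g. a role or group on that target
    assignee: str             # person or group that does the work today
    state: str = "requested"  # requested -> approved -> fulfilled, or rejected
    approver: Optional[str] = None
    fulfiller: Optional[str] = None
    granted_at: Optional[datetime] = None
    history: List[Tuple[datetime, str, str]] = field(default_factory=list)


class ManualWorkflow:
    """In-memory stand-in for a manual fulfilment workflow."""

    def __init__(self, groups: Optional[Dict[str, Set[str]]] = None, clock=None):
        self._requests: Dict[int, AccessRequest] = {}
        self._groups = groups or {}     # group name -> members who may fulfil for it
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, req: AccessRequest, actor: str, action: str) -> None:
        req.history.append((self._clock(), actor, action))

    def request(self, requester, beneficiary, target, entitlement, assignee) -> int:
        rid = len(self._requests) + 1
        req = AccessRequest(rid, requester, beneficiary, target, entitlement, assignee)
        self._requests[rid] = req
        self._log(req, requester, "requested")
        return rid

    def approve(self, rid: int, approver: str) -> None:
        req = self._requests[rid]
        if req.state != "requested":
            raise ValueError(f"request {rid} is {req.state}, not awaiting approval")
        if approver in (req.requester, req.beneficiary):
            raise PermissionError("separation of duties: cannot approve your own request")
        req.state, req.approver = "approved", approver
        self._log(req, approver, "approved")

    def reject(self, rid: int, approver: str, reason: str) -> None:
        req = self._requests[rid]
        if req.state != "requested":
            raise ValueError(f"request {rid} is {req.state}, not awaiting approval")
        req.state, req.approver = "rejected", approver
        self._log(req, approver, f"rejected: {reason}")

    def _may_fulfil(self, actor: str, assignee: str) -> bool:
        return actor == assignee or actor in self._groups.get(assignee, set())

    def complete(self, rid: int, fulfiller: str) -> None:
        """The person who did the manual work marks the task done."""
        req = self._requests[rid]
        if req.state != "approved":
            raise ValueError(f"request {rid} is {req.state}; only approved requests can be fulfilled")
        if not self._may_fulfil(fulfiller, req.assignee):
            raise PermissionError(f"{fulfiller} is not the assignee {req.assignee}")
        req.state, req.fulfiller, req.granted_at = "fulfilled", fulfiller, self._clock()
        self._log(req, fulfiller, "fulfilled")

    def entitlement_report(self) -> List[dict]:
        """Who has what, who asked for it, who approved it, who granted it, when."""
        return [
            {"user": r.beneficiary, "target": r.target, "entitlement": r.entitlement,
             "requested_by": r.requester, "approved_by": r.approver,
             "granted_by": r.fulfiller, "granted_at": r.granted_at}
            for r in self._requests.values() if r.state == "fulfilled"
        ]

    def recertification_due(self, as_of: datetime,
                            max_age: timedelta = timedelta(days=182)) -> List[int]:
        """Fulfilled requests whose grant is older than the recertification window."""
        return [r.request_id for r in self._requests.values()
                if r.state == "fulfilled" and as_of - r.granted_at >= max_age]
```

Because every transition is a method that checks state and actor, the history list is a faithful audit trail rather than a free-text field; when a connector later replaces the manual step, only `complete` changes and the report and recertification query stay the same.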

In later phases, you can replace these manual tasks with automation, one target at a time, without changing the request and approval record you already have. The import/export capabilities of Oracle Identity Management let you promote each new capability from development to test to production.

I know that this sounds very simple, and the approach is; the technology itself can be very complex. By biting off a little bit at a time, you can turn your Identity Management project into a series of successes, each of which generates excitement in your end-user community, the approval of your management, and an ever-increasing ROI.

About the Author:

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

Previous Posts from the Author:

Grow your Business with Security

The Unintended Consequences of Sound Security Policy
