The following question was posed recently by a sales consultant:
A global customer is implementing a “single forest, single domain” directory (MS AD), supporting among other things SAP and Windows – about 30,000 users. They have asked us to summarise the business case for additional IdM solutions given the single directory approach.
Dr. K says:
With all the material available today on identity management, it continues to amaze me how many people still ask their variations on the question “I have AD deployed, why do I need IdM?”
The case for IdM is that of a business solution, not a technology solution. It is the business and security benefits it brings to the table – workflow, audit, attestation, separation of duties, provisioning policies – that drive its deployment in the enterprise. These are above and beyond any technical benefits that you get by introducing automated provisioning and password synchronization.
It should not matter if the enterprise environment is relatively simple from a technology deployment perspective. The business, security and regulatory challenges overlaid on that simple environment may still be complex enough to justify an IdM investment. As the cost of deploying IdM drops over the next few years, we will see wider adoption of IdM in the SMB market. In fact, at OpenWorld recently, we had some customers talk about their experience successfully deploying Oracle Identity Manager within their environments in the span of 4-5 months (from buy decision to production). Granted, these deployments do not compare to our much-touted deployments at Lehman Brothers and other large enterprises. Yet the business benefits they are deriving from their investment are just as important to them (if not more).
Being able to rationalize your environment enough to standardize on a single identity store is extremely important in making sure that your identity challenges are manageable. But that is a one-time challenge that, though painful to go through, only gets you started on the path to identity health. IdM brings in the ongoing lifecycle management that is needed to make sure that the environment stays manageable, compliant, and able to remain in a single identity store.