Identity Management Success

Smart business decision or analysis paralysis? How long a selection process is appropriate? Tough questions, that every organization must examine when considering the implementation of an Identity Management (IdM / IAM) solution. As part of Links Business Group’s ongoing series of articles, this post examines the evaluation process, and provides suggestions for optimizing the vendor selection cycle.

Though the decision processes involved with selecting Identity Management products can be myriad and complex, it really boils down to two broad categories:

1. People, Culture, Process
2. Technology and Infrastructure

In most organizations, #1 above is the predominant consideration. It is in this crucial area, that most vendor evaluation efforts fail, because Identity Management — by its very nature — introduces, encourages, and enforces process change. As a review, full a Identity Management implementation encompasses the three main dimensions:

• Identity Management (identity creation, deletion, management, and profiling)
• Access Management (verify access rights, application entitlements, determination of “who, what, where”)
• Auditing and Reporting (Validation of existing access controls, access monitoring, entitlement reporting, capacity planning)

So what is the most important consideration in vendor selection? It comes down to supportability over the long haul. In most large organizations, full Identity Management implementations are multi-year endeavors. The big question organizations have to ask themselves is “will this vendor support us, our processes, our culture, and be there — in depth — where and when we need them?” It is this question, more than any other, which separates out the great vendors from the mediocre or unusable ones.

Links Business Group and its client companies have successfully the following software vendor selection approach:

1. Develop a high-level Identity Management requirements list
2. Develop a set of 5 - 10 test cases which will exercise a few of the core product features that are the most important to the organization
3. Design a vendor engagement strategy (facilities, equipment, resource availability)
4. Determine an acceptable timeline (generally, a 5-day business week is a reasonable duration for an initial vendor evaluation)
5. Delegate dedicated lab, target (systems to which access controls and identity lifecycle testing will be applied) systems to the project. This step is crucial. Without dedicated infrastructure and personnel resources, the evaluation will fail.
6. Determine a structured timeline, typically over a 3 month cycle, for scheduling 1-week onsite vendor evaluations
7. Put it all together in a document, create an RFI / RFP around it, and prepare for vendor distribution
8. Leveraging your internally appointed Identity Management Program Team, use the high-level requirements to select a short list of vendors (typically, 3 - 5 vendors maximum.)
9. Send the RFI / RFP to the selected vendors, requesting full responses and whether or not they will commit to an extended 1 week onsite or mixed onsite/offsite demonstration and test case execution
10. Collect and collate the responses. NOTE: Most vendors will want to come on site and give a lot of presentations, and some may shy away from performing a no-charge 1-week engagement. This is a crucial part of your selection cycle - determining up front a vendor’s willingness to work with your organization, its processes, timelines, and program requirements.
11. Using your internal program criteria, read the responses very carefully. Responses should contain a balance of both technical and support/process information. It is the latter that the program team will be most concerned with: how well does this vendor support us in the long haul?
12. Request a strategic roadmap from the vendor. Where is the vendor going in relation to the Identity Management market? More importantly, where is the vendor going in relation to your market? Ask pointed questions. Always bear in mind that any vendor can develop a slick presentation and nice-looking roadmap. Every bit as important as the direction a vendor is going, is where the vendor has been. Has the vendor been in the Identity Management space for a number of years? Is the vendor a recent entrant with a compelling product line, or specialized value proposition? Perhaps it is a company that has recently decided to acquire a number of companies for the purpose of building an Identity Practice?
13. Using the collated results, make a list of the top 3 contenders, and schedule each for a 1-week evaluation.
14. During the evaluation, closely monitor all communications and interaction with the vendor, from the sales organization and delivery teams. Is the experience consistent? If the vendor is leveraging partners to help with the evaluation, is the partner fully integrated with the vendor’s process?
15. Conduct all tests in a pass/fail manner. (Identity test case development and examples will be covered in an upcoming post.)
16. Conduct a full “lessons learned” with the vendor following the evaluation. Were issues encountered? How did the vendor address and mitigate the issues? What was the vendor’s responsiveness and timeliness in dealing with the issues?
17. If the vendor performed satisfactorily in testing, and presented a high level of comfort and integration with your organizational structure and process, then put the vendor on the select short list. After the vendor demonstrates its ability to meet your requirements through completion of live testing, invite the vendor back to deliver a product/company presentation to the your Identity Management Program Team and key sponsors.
18. Repeat the previous steps up to 4 or 5 times. Generally, after running through 3 or 4 evaluation cycles, the best vendor for your organization will emerge. All vendors that successfully complete the evaluation cycle should be assigned a point total based on a predetermined ranking scale. The top 2 or 3 will go on to a secondary round of testing; the others will remain on the list in case one of your top vendors fails.

Conclusion: Following these processes systematically will ensure that the right vendors emerge. Remember that vendors have their own styles, processes, and organizations. Some work well with one type of organization, but may not work as well with others. Finding the right blend of vendor process and technology will ensure that your Identity Management program has a high and ongoing success rate. One final note: Always keep the evaluation process moving. Once one vendor is complete and the results have been thoroughly disseminated, move quickly on to the next. After all, the goal of the vendor selection process is to find the best fit for your organization, in the shortest reasonable amount of time, so that the Identity Program can commence, and deliver value to the organization.

Have additional questions? Need assistance in creating an Identity Management Program and selecting vendors and implementation partners? Links Business Group can help! Contact us anytime to schedule a complimentary 1/2 hour project analysis.