Developing a business case for identity management is often a challenge because there are not always immediate tangible benefits. Furthermore, the legal or security need to maintain separation between customer and workforce will create overlap between architectures that may necessitate separate business cases. It is therefore important to explicitly align the business case with the enterprise architecture for identity management.
There are three main drivers of an identity management business case:
1. Risk and/or regulatory requirement business case
2. Operational improvement and/or cost savings business case
3. Business enablement business case (e.g. cloud or deperimeterisation)
Different categories of identity management system:
1. Customer identity management
2. Workforce identity management
A risk and/or regulatory requirement business case can include international regulatory requirements (e.g. International Safe Harbour Privacy Principles), industry-specific regulations (e.g. healthcare HIPAA/HITECH) or specific risks determined by a security audit. These drivers affect both customer and workforce identity management implementations.
Operational improvement and/or cost savings business case drivers include aggregation and simplification of existing identity management solutions, including identity systems inherited through merger & acquisition. It is very hard to quantify the immediate FTE saving from simplification of identity management systems, but a business case can easily be made from the aggregation of multiple workforce identity management systems.
In an organisation with multiple customer identity management systems (often from M&A), a business case can be made from both a cost savings perspective and a business enablement perspective (e.g. cross-sell opportunities).
A business enablement business case can also include a workforce identity management solution where the employee is granted access to external systems through trust-based deperimeterisation. For example, securing data on business devices may come under a business enablement business case, while supporting secure and encrypted BYOD may come under all three business cases.