workshop: how an iam rfp can help you choose the...
TRANSCRIPT
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Earl Perkins
Workshop: How an IAM RFP Can Help You Choose the Best Solution for Your Business
Disaster Awaits Your RFP Efforts — Unless You Plan Ahead
[Figure: axis "Complexity, Time to Deliver" plotted against Processes, Principles, Policies, Practices, People, Products, Production. Labels: "Proper planning direction"; "Planning direction frequently used"; "Consequences (in complexity and time to deliver when you plan exclusively 'backward')".]
Identity and Access Management Defined
Identity and Access Management
IAM provides a practical, structured, and coherent approach to the management of users' identities and their access to systems and data in line with business needs.
IAM ensures that the right people get access to the right resources at the right times for the right reasons, enabling the right business outcomes.
Cost-justifying IAM Enablement
Effectiveness
Efficiency
The IAM Technology Model
[Figure: diagram with the labels Intelligence; Audit and Report; Analytics; Governance and Administration; Identities; Entitlements; Access; Authentication; Authorization; Policy Governance; Workflow Engine (Processes); Identity Data and Log Model; Entitlements Data; Identity Data; Activity Data; Brokerage — via Target System Integration (Connectors); Target Systems.]
Taxonomy of IAM Technologies
Administration Intelligence Authentication Authorization
Identity administration
Identity governance & administration
ERP SOD controls
SIEM
Web fraud detection
Microsoft resource access administration
CM tools
AD/Unix bridge tools
Authentication methods
Authentication infrastructures
Identity proofing services
ESSO
Federated authentication
Electronic signatures and transaction verification
WAM
Externalized authorization management
Content-aware DLP
Identity-aware networking
Privileged account management
PKI
Password management
EDRM
Encryption
SSL VPN
IAM Project Type and Complexity
[Figure: chart with axis "IAM Project Type" (Tactical, Strategic) and axis "IAM Project Complexity" (Simple, Complex). Plotted items: Password Mgmt.; Limited Scope Single Sign-on; ESSO; User Authentication; Web Access Mgmt.; Federation; PAM; Directory Services; User Administration/Provisioning; Identity Governance and Administration; Identity Analytics; Externalized Authorization Mgmt. Other labels: cost markers ($, $ $, $ $ $); IT; Business.]
Factors That Impact the Cost of IAM
Strategic Planning Assumption
By 2016, alternative methods of IAM delivery will shift 50% of new enterprise IAM proposal requests from a product contract focus to a service one.
Supporting the SPA:
• The pricing model for IAM as a service is growing more compelling as features improve.
• Maturing internal IT services tend to shift to external delivery as more complex challenges beckon for limited internal IT resources.
• More customers with limited internal IT capabilities are seeking IAM solutions.
• Hybrid IAM in-house and cloud-delivered solutions will abound.
Alternate position to the SPA:
• Certain customers will never outsource IAM or address all IAM needs with IAM as a service.
• Cloud computing as a viable IAM service delivery method will continue to struggle.
• Privacy and security management concerns for cloud-delivered services will delay adoption.
• An installed base of in-house IAM solutions won't be soon replaced.
IAM Pricing Models
Perpetual Subscription
IDaaS (Public Cloud)
Enterprise
Market Growth
Market Growth
Tiered, Named, User Based
Per Active User, per Month
An IAM RFP
• Do you seek to acquire IAM products, services, or both?
• Are you establishing an IAM program (with technology needs) or addressing a specific IAM requirement?
• Does this RFP address the planning, building, and/or operational portion of your requirement?
• Are you addressing requirements for your internal employees, external customers and partners, or both?
• Do you have an executive business sponsor, or is this an IT initiative?
The IAM Product RFP Process
1. Assessment: Gather requirements, manage scope, and assess gaps.
2. Preparation: Prepare/Review RFP, weight criteria, validate the process.
3. Submission: Submit RFPs to participants and Q&A period.
4. Response: Collect RFP responses, review, oral presentation, finalists.
5. Selection: Conduct POC, analyze finalists, select vendors.
What an IAM Product RFP Should Include
Introduce
• RFP (and IAM program) goals and executive summary
• Contents of the document
• What document specifies (and does not)
• Selection criteria
Instruct
• RFP process and schedule
• Who to contact
• Format of response and time frame allowed
• Legal conditions and contractual concerns
• Service levels and KPIs (program and post-implementation)
Inform
• Company description, mission, IT mission and geography
• Current technical environment description
• Definitions and acronyms
• Priorities
• Functional specifications
• Technical specifications
What an IAM Product RFP Should Include (Contd.)
Inquire (1)
• Respondent company's general information
• IAM market position, viability, qualifications, client references
• IAM product portfolio descriptions
• Third-party partners for delivery, if any
• Certifications (e.g., ISO 9000), diversity
Inquire (2)
• Functional requirements specification responses
• Technical requirements specification responses
• System integration delivery, migration capabilities
• Implementation plan, schedule
• Training and education
• Test and acceptance
Inquire (3)
• Pricing of product, maintenance and support
• Program pricing and expenses
• Payment schedule, milestones and penalties
• Description of services provided
• SLA and product guarantees
Criteria for Vendor Product Selection in IAM RFPs
1. Price (life cycle)
2. Functionality and technical fit
3. Adaptability
4. Support
5. Compatible with your strategy
6. Viability
7. Availability of alternate means of delivery
8. Support for a hybrid coexistence
9. Migration support
10. Transferable skills
Workshop Steps
• Selection of discussion "leaders"
• Break into teams
• Develop individual checklists for:
1. Key requirements
2. Participants in RFP (using RACI matrix)
3. Communications plan
4. Top three selection criteria (for your enterprise)
5. First steps
6. "Do's and don'ts"
Recommendations
Develop an RFP process for yourself and the vendor — as part of an overall IAM program.
Use a "4-I" approach to RFP structure: Introduce, instruct, inform, and inquire.
Select a use-case approach to the RFP that reflects your business approach to IAM.
Apply criteria to selecting a vendor based on real differentiators beyond the technical features.
Action Plan for IAM Leaders
Monday Morning:
- Choose what kind of RFP for IAM is really needed.
Next 90 Days:
- Assess the current state of IAM in the enterprise from an organization, process, and technology perspective to have a starting point.
- Use the assessment to develop an RFP process as part of an IAM program where practical.
Next 12 Months:
- Develop an RFP based on the principles outlined here.
- Deliver to selected respondents.
- Review responses, and choose a vendor.