Workshop: How an IAM RFP Can Help You Choose the Best Solution for Your Business

(1)

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner di sclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without n otice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information

Earl Perkins

Workshop: How an IAM RFP

(2)

Disaster Awaits Your RFP Efforts —

Unless You Plan Ahead

Co mpl ex ity , T ime t o De liver Processes

Principles Practices Policies People _Products Production

Proper planning direction

Planning direction frequently used

Consequences (in complexity

and time to deliver when you plan

(3)

Identity and Access Management Defined

Identity and

Access

Management

IAM provides

a practical,

structured,

and coherent

approach to the

management

of users'

identities and

their access

to systems and

data in line with

business needs.

IAM ensures

that right

people get

access to the

right resources

at the right

times for the

right reasons,

enabling the

right business

(4)

Cost-justifying IAM

Enablement

Effectiveness

(5)

Target Systems

Identity Data and Log Model

The IAM Technology Model

Intelligence

Audit and Report

Analytics

Brokerage

— via Target System Integration (Connectors)

Governance and

Administration

Identities

Entitlements

Entitlements Data

Identity Data Activity Data

Access

Authentication

Authorization

Policy Governance

(6)

Taxonomy of IAM Technologies

Administration

Intelligence

Authentication

Authorization

Identity administration Identity governance & administration ERP SOD controls SIEM Web fraud detection Microsoft resource access administration CM tools AD/Unix bridge tools Authentication methods Authentication infrastructures Identity proofing services ESSO Federated authentication Electronic signatures and transaction verification WAM Externalized authorization management Content- aware DLP Identity- aware networking

(7)

IAM Project Type and Complexity

Tactical Strategic

Simple Complex

IAM Project Complexity

(8)

(9)

Strategic Planning Assumption

By 2016, alternative methods of IAM delivery will shift

50% of new enterprise IAM proposal requests from

a product contract focus to a service one.

Supporting the SPA:

• The pricing model for IAM as a

service is growing more

compelling as features improve.

• Maturing internal IT services tend

to shift to external delivery as

more complex challenges beckon for limited internal IT resources.

• More customers with limited

internal IT capabilities are seeking IAM solutions.

• Hybrid IAM in-house and

cloud-delivered solutions will abound.

Alternate position to the SPA:

• Certain customers will never

outsource IAM or address all IAM needs with IAM as a service.

• Cloud computing as a viable IAM

service delivery method will continue to struggle.

• Privacy and security management

concerns for cloud-delivered services will delay adoption.

• An installed base of in-house IAM

(10)

IAM Pricing Models

Perpetual

Subscription

IDaaS (Public Cloud

)

Enterprise

Market

Growth

Market

Growth

Tiered,

Named, User Based

(11)

An IAM RFP

• Do you seek to acquire IAM

products, services, or both?

• Are you establishing an IAM

program (with technology needs)

or addressing a specific IAM

requirement?

• Does this RFP address the

planning, building, and/or operational

portion of your requirement?

• Are you addressing requirements

for your internal employees, external

customers and partners, or both?

(12)

Assessment Preparation Submission Response Selection

The IAM Product RFP Process

1

2

3

4

5 1 Gather requirements, manage scope, and assess gaps.

2 Prepare/Review RFP, weight criteria, validate the process.

Submit RFPs to participants and Q&A period.

3

(13)

What an IAM Product RFP Should Include

Introduce

• RFP (and IAM program) goals and executive summary

• Contents of the document

• What document specifies (and does not)

• Selection criteria

Instruct

• RFP process and schedule

• Who to contact

• Format of response and time frame allowed

• Legal conditions and contractual concerns

• Service levels and KPIs (program and post-implementation)

Inform

• Company description, mission, IT mission and geography

• Current technical environment description

• Definitions and acronyms

• Priorities

• Functional specifications

(14)

What an IAM Product RFP Should

Include (Contd.)

Inquire

(1)

• Respondent company's general information

• IAM market position, viability, qualifications, client references

• IAM product portfolio descriptions

• Third-party partners for delivery, if any

• Certifications (e.g., ISO 9000), diversity

Inquire

(2)

• Functional requirements specification responses

• Technical requirements specification responses

• System integration delivery, migration capabilities

• Implementation plan, schedule

• Training and education

• Test and acceptance

Inquire

(3)

• Pricing of product, maintenance and support

• Program pricing and expenses

• Payment schedule, milestones and penalties

• Description of services provided

(15)

Criteria for Vendor Product Selection

in IAM RFPs

1. Price (life cycle)

2. Functionality and technical fit

3. Adaptability

4. Support

5. Compatible with your strategy

6. Viability

7. Availability of alternate means of delivery

8. Support for a hybrid coexistence

9. Migration support

(16)

Workshop Steps

• Selection of discussion "leaders"

• Break into teams

• Develop individual

checklists for:

1. Key requirements

2. Participants in RFP (using RACI matrix)

3. Communications plan

4. Top three selection criteria (for your enterprise)

5. First steps

(17)

Recommendations



Develop an RFP process for yourself and the

vendor — as part of an overall IAM program.



Use a "4-I" approach to RFP structure:

Introduce, instruct, inform, and inquire.



Select a use-case approach to the RFP

that reflects your business approach to IAM.

(18)

Action Plan for IAM Leaders

Monday Morning:

- Choose what kind of RFP for IAM is really needed.

Next 90 Days:

- Assess the current state of IAM in the enterprise from an

organization, process, and technology perspective to have a

starting point.

- Use the assessment to develop an RFP process as part of an

IAM program where practical.

Next 12 Months:

- Develop an RFP based on the principles outlined here.

- Deliver to selected respondents.

(19)