© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information
Earl Perkins
Workshop: How an IAM RFP
Disaster Awaits Your RFP Efforts — Unless You Plan Ahead
[Figure: Complexity, Time to Deliver plotted across Processes, Principles, Practices, Policies, People, Products, Production]
Proper planning direction
Planning direction frequently used
Consequences (in complexity and time to deliver when you plan
Identity and Access Management Defined
Identity and Access Management
IAM provides a practical, structured, and coherent approach to the management of users' identities and their access to systems and data in line with business needs.
IAM ensures that right people get access to the right resources at the right times for the right reasons, enabling the right business
Cost-justifying IAM
Enablement
Effectiveness
The IAM Technology Model
[Figure labels: Target Systems; Identity Data and Log Model; Intelligence; Audit and Report; Analytics; Brokerage — via Target System Integration (Connectors); Governance and Administration; Identities; Entitlements; Entitlements Data; Identity Data; Activity Data; Access; Authentication; Authorization; Policy Governance]
Taxonomy of IAM Technologies
Administration
Intelligence
Authentication
Authorization
• Identity administration
• Identity governance & administration
• ERP SOD controls
• SIEM
• Web fraud detection
• Microsoft resource access administration
• CM tools
• AD/Unix bridge tools
• Authentication methods
• Authentication infrastructures
• Identity proofing services
• ESSO
• Federated authentication
• Electronic signatures and transaction verification
• WAM
• Externalized authorization management
• Content-aware DLP
• Identity-aware networking
IAM Project Type and Complexity
Tactical Strategic
Simple Complex
IAM Project Complexity
Strategic Planning Assumption
By 2016, alternative methods of IAM delivery will shift
50% of new enterprise IAM proposal requests from
a product contract focus to a service one.
Supporting the SPA:
• The pricing model for IAM as a service is growing more compelling as features improve.
• Maturing internal IT services tend to shift to external delivery as more complex challenges beckon for limited internal IT resources.
• More customers with limited internal IT capabilities are seeking IAM solutions.
• Hybrid IAM in-house and cloud-delivered solutions will abound.
Alternate position to the SPA:
• Certain customers will never outsource IAM or address all IAM needs with IAM as a service.
• Cloud computing as a viable IAM service delivery method will continue to struggle.
• Privacy and security management concerns for cloud-delivered services will delay adoption.
• An installed base of in-house IAM
IAM Pricing Models
Perpetual
Subscription
IDaaS (Public Cloud)
Enterprise
Market
Growth
Market
Growth
Tiered, Named, User Based
An IAM RFP
• Do you seek to acquire IAM products, services, or both?
• Are you establishing an IAM program (with technology needs) or addressing a specific IAM requirement?
• Does this RFP address the planning, building, and/or operational portion of your requirement?
• Are you addressing requirements for your internal employees, external customers and partners, or both?
The IAM Product RFP Process
Stages: Assessment, Preparation, Submission, Response, Selection
1 Gather requirements, manage scope, and assess gaps.
2 Prepare/Review RFP, weight criteria, validate the process.
3 Submit RFPs to participants and Q&A period.
What an IAM Product RFP Should Include
Introduce
• RFP (and IAM program) goals and executive summary
• Contents of the document
• What document specifies (and does not)
• Selection criteria
Instruct
• RFP process and schedule
• Who to contact
• Format of response and time frame allowed
• Legal conditions and contractual concerns
• Service levels and KPIs (program and post-implementation)
Inform
• Company description, mission, IT mission and geography
• Current technical environment description
• Definitions and acronyms
• Priorities
• Functional specifications
What an IAM Product RFP Should Include (Contd.)
Inquire (1)
• Respondent company's general information
• IAM market position, viability, qualifications, client references
• IAM product portfolio descriptions
• Third-party partners for delivery, if any
• Certifications (e.g., ISO 9000), diversity
Inquire (2)
• Functional requirements specification responses
• Technical requirements specification responses
• System integration delivery, migration capabilities
• Implementation plan, schedule
• Training and education
• Test and acceptance
Inquire (3)
• Pricing of product, maintenance and support
• Program pricing and expenses
• Payment schedule, milestones and penalties
• Description of services provided
Criteria for Vendor Product Selection in IAM RFPs
1. Price (life cycle)
2. Functionality and technical fit
3. Adaptability
4. Support
5. Compatible with your strategy
6. Viability
7. Availability of alternate means of delivery
8. Support for a hybrid coexistence
9. Migration support