Workshop: How an IAM RFP Can Help You Choose the Best Solution for Your Business

Earl Perkins

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."


Disaster Awaits Your RFP Efforts — Unless You Plan Ahead

[Figure: vertical axis "Complexity, Time to Deliver"; horizontal axis: Processes, Principles, Policies, Practices, People, Products, Production. Labels: "Proper planning direction"; "Planning direction frequently used"; "Consequences (in complexity and time to deliver when you plan exclusively 'backward')".]


Identity and Access Management Defined

Identity and Access Management

IAM provides a practical, structured, and coherent approach to the management of users' identities and their access to systems and data in line with business needs.

IAM ensures that the right people get access to the right resources at the right times for the right reasons, enabling the right business outcomes.


Cost-justifying IAM Enablement

Effectiveness

Efficiency


The IAM Technology Model

[Figure: the IAM technology model. Components shown:

Intelligence: Audit and Report, Analytics

Governance and Administration: Identities, Entitlements

Access: Authentication, Authorization

Policy Governance

Workflow Engine (Processes)

Identity Data and Log Model: Entitlements Data, Identity Data, Activity Data

Brokerage — via Target System Integration (Connectors)

Target Systems]


Taxonomy of IAM Technologies

Administration Intelligence Authentication Authorization

Identity administration

Identity governance & administration

ERP SOD controls

SIEM

Web fraud detection

Microsoft resource access administration

CM tools

AD/Unix bridge tools

Authentication methods

Authentication infrastructures

Identity proofing services

ESSO

Federated authentication

Electronic signatures and transaction verification

WAM

Externalized authorization management

Content-aware DLP

Identity-aware networking

Privileged account management

PKI

Password management

EDRM

Encryption

SSL VPN


IAM Project Type and Complexity

[Figure: chart with vertical axis "IAM Project Type" (Tactical to Strategic) and horizontal axis "IAM Project Complexity" (Simple to Complex). Items plotted: Password Mgmt.; Limited Scope Single Sign-on; ESSO; User Authentication; Web Access Mgmt.; Federation; PAM; Identity Governance and Administration; User Administration/Provisioning; Identity Analytics; Directory Services; Externalized Authorization Mgmt. Other labels: $, IT, Business.]


Factors That Impact the Cost of IAM


Strategic Planning Assumption

By 2016, alternative methods of IAM delivery will shift 50% of new enterprise IAM proposal requests from a product contract focus to a service one.

Supporting the SPA:

• The pricing model for IAM as a service is growing more compelling as features improve.

• Maturing internal IT services tend to shift to external delivery as more complex challenges beckon for limited internal IT resources.

• More customers with limited internal IT capabilities are seeking IAM solutions.

• Hybrid IAM in-house and cloud-delivered solutions will abound.

Alternate position to the SPA:

• Certain customers will never outsource IAM or address all IAM needs with IAM as a service.

• Cloud computing as a viable IAM service delivery method will continue to struggle.

• Privacy and security management concerns for cloud-delivered services will delay adoption.

• An installed base of in-house IAM solutions won't be soon replaced.


IAM Pricing Models

[Figure labels: Perpetual; Subscription; Enterprise; IDaaS (Public Cloud); Market Growth; Tiered, Named, User Based; Per Active User, per Month.]


An IAM RFP

• Do you seek to acquire IAM products, services, or both?

• Are you establishing an IAM program (with technology needs) or addressing a specific IAM requirement?

• Does this RFP address the planning, building, and/or operational portion of your requirement?

• Are you addressing requirements for your internal employees, external customers and partners, or both?

• Do you have an executive business sponsor, or is this an IT initiative?


The IAM Product RFP Process

1. Assessment: Gather requirements, manage scope, and assess gaps.

2. Preparation: Prepare/Review RFP, weight criteria, validate the process.

3. Submission: Submit RFPs to participants and Q&A period.

4. Response: Collect RFP responses, review, oral presentation, finalists.

5. Selection: Conduct POC, analyze finalists, select vendors.


What an IAM Product RFP Should Include

Introduce

• RFP (and IAM program) goals and executive summary

• Contents of the document

• What document specifies (and does not)

• Selection criteria

Instruct

• RFP process and schedule

• Who to contact

• Format of response and time frame allowed

• Legal conditions and contractual concerns

• Service levels and KPIs (program and post-implementation)

Inform

• Company description, mission, IT mission and geography

• Current technical environment description

• Definitions and acronyms

• Priorities

• Functional specifications

• Technical specifications


What an IAM Product RFP Should Include (Contd.)

Inquire (1)

• Respondent company's general information

• IAM market position, viability, qualifications, client references

• IAM product portfolio descriptions

• Third-party partners for delivery, if any

• Certifications (e.g., ISO 9000), diversity

Inquire (2)

• Functional requirements specification responses

• Technical requirements specification responses

• System integration delivery, migration capabilities

• Implementation plan, schedule

• Training and education

• Test and acceptance

Inquire (3)

• Pricing of product, maintenance and support

• Program pricing and expenses

• Payment schedule, milestones and penalties

• Description of services provided

• SLA and product guarantees


Criteria for Vendor Product Selection in IAM RFPs

1. Price (life cycle)

2. Functionality and technical fit

3. Adaptability

4. Support

5. Compatible with your strategy

6. Viability

7. Availability of alternate means of delivery

8. Support for a hybrid coexistence

9. Migration support

10. Transferable skills


Workshop Steps

• Selection of discussion "leaders"

• Break into teams

• Develop individual checklists for:

1. Key requirements

2. Participants in RFP (using RACI matrix)

3. Communications plan

4. Top three selection criteria (for your enterprise)

5. First steps

6. "Do's and don'ts"


Recommendations

Develop an RFP process for yourself and the vendor — as part of an overall IAM program.

Use a "4-I" approach to RFP structure: Introduce, instruct, inform, and inquire.

Select a use-case approach to the RFP that reflects your business approach to IAM.

Apply criteria to selecting a vendor based on real differentiators beyond the technical features.


Action Plan for IAM Leaders

Monday Morning:

- Choose what kind of RFP for IAM is really needed.

Next 90 Days:

- Assess the current state of IAM in the enterprise from an organization, process, and technology perspective to have a starting point.

- Use the assessment to develop an RFP process as part of an IAM program where practical.

Next 12 Months:

- Develop an RFP based on the principles outlined here.

- Deliver to selected respondents.

- Review responses, and choose a vendor.
