Business Drivers and Considerations
Note to the Reader: This
draft paper is being authored by Karl Heins in the University of
California Office of the President. Please send comments and suggestions
to authnframework-comments@internet2.edu.
Business drivers
include both quantitative (measurable in dollars) and non-quantitative
factors. In addition, new technology projects can complement or
detract from technology strategy and efforts. These drivers, external
and internal to the organization, are considered at the strategic
policy level (typically by an IT or project governance group) and
drive the expression of the project, requirements, technology, and
short- and long-term policy considerations.
Good institutions will approach
the investment in information technology rationally, in a way that meets
the long-term needs of the organization. Some of these needs can
be quantified; however, the impact of the new system may not be
quantifiable. For the factors that are not quantifiable, a scale
of one to five could be used to show the relative merits of this
project when compared to others.
The factors to be considered for the business
are:
• Return on Investment
• Match or fit to the Business Strategy
• Impact on Competitive Advantage
• Improvement in Management Information
• Better Response to Change
• Improvement to Organizational Risk
Additional factors that should be considered include
the impact of the new system on the Information Technology organization:
• Match or fit to the Information Technology Architecture and Strategy
• The Extent to Which the Project Represents Definitional Uncertainty
• The Extent to Which the Technology Relies Upon Technical Uncertainty
• The Required Change in the Infrastructure
• Resources
Return on Investment
Often the most important factor for evaluating any project is the
return on investment (ROI). Many organizations have various ways of
computing the savings of projects, such as net present value, payback
period, and internal rate of return. In the past, universities
have often not evaluated ROI for IT projects; however, with notable cost
overruns of IT projects and budget pressures, legislators have become
interested in the management and oversight of IT projects.
Reduction of systems development cost –
Consolidated systems and business processes for authentication services
can reduce the cost and time to deploy new applications. Since these
services do not need to be created for each new application, the
cost and time of doing so, and the recurring cost of independently
maintaining those services are avoided. Reduction of cost for projected
new applications should be offset by the cost to implement the enterprise
authentication system.
Reduced overhead of service management –
In typical application delivery models, each service maintains its
own user identity store and related authentication (and authorization)
services. Simplifying the authentication model by having the applications
use the same infrastructure not only reduces the staff and resulting
overhead required to manage the authentication service associated
with each application, but also achieves substantial economies of
scale for the service providers and results in time and system cost
savings. However, the savings may or may not be recoverable, since
it involves the reallocation of efforts from the departments’
technical staff to a central group.
Legal and regulation requirements – Increasingly,
institutions pay for lapses in security. Failures include access
to personal data including health, financial, research and academic
records. And while the Family Educational Rights and Privacy Act
(FERPA) requires us to keep student information private, both the
Health Insurance Portability and Accountability Act (HIPAA) and
the Gramm-Leach-Bliley Act (GLB) include requirements that we have
plans in place for maintaining security of the covered information.
Increasingly the costs of these lapses
Match or fit to the Business Strategy
Enterprise authentication should be evaluated for the extent to which it
supports the enterprise’s business strategy. For example,
if the organization’s strategy is to improve security to differentiate
itself from others, enterprise authentication could significantly
support this strategic goal. Consolidating the authentication service
for separate applications means that password management and related
policies can be supported in one protected place by the same group
of staff. Because the same user credential is presented to all integrated
services, all system and application log files reference the same
identifier. This greatly enhances after-the-fact auditing of online
activity, allowing for more complete investigations of alleged cases
of abuse and increasing institutional due diligence, thereby reducing
our liability. In reduced sign-on instances, users need to remember
fewer credentials and therefore employ less creative password memory-jogging
mechanisms and are more likely to remember them.
Impact on Competitive Advantage
Often non-profits do not consider themselves in competition; however,
one always wants the best students, the best professors, and the research
grants of one’s choice. Many of these resources do choose among competing
alternatives. The extent to which the competitive position can be enhanced by
enterprise authentication should be reflected in the evaluation.
The alternative, the lack of central authentication, may be perceived
as a negative by the resources in which one has an interest.
Improvement in Management of Information
Consolidating the authentication service for separate applications
means that password management and related policies can be supported
in one protected place by the same group of staff. Because the same
user credential is presented to all integrated services, all system
and application log files reference the same identifier. This greatly
enhances after-the-fact auditing of online activity, allowing for
more complete investigations of alleged cases of abuse and increasing
institutional due diligence. This approach gives the organization
the ability to manage the identities of all users and all systems.
This is in contrast to environments where each system manages its own
users; there, multiple user identifications exist and the information
is not, and cannot be, organized in a timely way for managing identities.
Better Response to Change
All organizations are required to respond
to changes in the environment in which they operate. Organizations
are faced with continued changes in technology, budget reductions,
new federal and state laws and new regulations. New identity management
systems with central administration and control can enhance an
organization’s ability to adapt quickly while maintaining
proper security during and after the change.
Legal and regulation requirements – The legal and regulatory changes require a higher standard
for security management. Failures are increasingly visible because
of (California state) law requiring reporting of security lapses
(SB1386 California) for certain information. And while the Family
Educational Rights and Privacy Act (FERPA) requires us to keep student
information private, both the Health Insurance Portability and Accountability
Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB) include requirements
that we have effective controls to maintain security of the covered
information.
Budget pressures -- Budgetary pressures
may require organizations to dramatically change their processes
and procedures. An identity management system
Improvement to Organizational Risk
Contractual requirements – Campuses must
be able to prove that those with permission are the only ones using
the resources. This could be due to a license agreement for a specific
library or course resource or because of funding agency requirements
and access to restricted research findings.
Business and ethical stewardship – Institutions
must also consider the requirements of doing business including
safeguarding confidential information and intellectual property,
and other strategic information. This includes ensuring appropriate
access to tenure committee communications, salary and review information,
institutional planning and archive information, to name a few. The
institution also has an ethical obligation to protect information
that can be, for example, used for identity theft. A very concrete
example of this is restricting access to and use of social security
numbers in states where no legislation exists to protect them.
For those campuses with a distributed model that
provide password feeds to departments to simulate a reduced sign-on
environment, having the applications instead access a consolidated
authentication service reduces the likelihood of password theft
and the chance the department password data is corrupted. Authentication
verifies not only the identity of a person when requesting to view
a restricted resource, but also verifies the identity of a service
or machine requesting to access or communicate with another. This
machine or service-level authentication restricts security breaches,
such as man-in-the-middle attacks or message compromise, and maintains
system and network integrity.
Match or Fit to the Information Technology Architecture and Strategy
Just as the value of central management of identity may support
organizational goals, consideration should be given to the match
with information technology strategy and plans. While centralization
of support appears to be common in most IT organizations, it is
not universal. Part of the business drivers includes how well enterprise
identity systems will fit with the existing architecture and
IT strategy.
Simplified network and online service access –
Consolidated authentication can enable unified identity verification
for many online services, so our constituents need only to provide
a reduced set of credentials, userid/password pairs being the most
common. Because of the integration with web-based applications,
solutions to common service issues like self-service password resetting
and management are enabled using a common infrastructure.
The Extent to Which the Project Represents Definitional Uncertainty
Are the requirements needed to successfully implement an
enterprise identity system clearly understood? Many projects fail
from insufficient attention devoted to the definition and translation
of the concepts to technical specifications. Within the technical
organization, are the skills and talents available to define, develop,
plan and implement an enterprise identity management system? These
steps are critical for the success of any technical project; because
of the interrelationship of an identity management
system with all other systems, the ability to understand the challenges
of implementing the system is key to the project’s success.
The Extent to Which the Technology Relies Upon Technical Uncertainty
Evaluate the new system’s technology to determine whether the IT department’s
staff has skills and experience with the technology. The more experience
the IT staff has with a technology, the less risk of problems with
an implementation. In addition, because of the nature of this system,
the ability to develop the proper interfaces should also be considered
(can the systems be modified to accept information in real time).
Also, understanding the maturity and robustness (or lack thereof)
of the tools should be considered when planning the project.
The Required Change in the Infrastructure
A new system may require changes to the existing infrastructure.
Consider the existing infrastructure and the ability of the existing
IT organization to make the change. This assessment could
include the resources, skills, tools and the extent existing and
future systems. The resources needed for ongoing management should
also be considered.
Resources
The business model presented by
Marilyn M. Parker and Robert J. Benson in their book “Information
Economics -- Linking Business Performance to Information Technology”
seems to provide a good balance for understanding the rational business
approach to new technology and concepts such as the centralization
of authentication. While their work is primarily intended
for profit-making organizations, many of the factors that drive
decisions of good non-profit and for-profit organizations seem to be the same.
Revision 1.0, December 10, 2004