A Modular Approach
For midmarket firms with a large number of specialized, non-Microsoft applications, however, a modular approach to IAM may be the only way to go. Setting up automated provisioning and de-provisioning in particular "is a tricky proposition that can fail dramatically, visibly and dangerously career-wise," according to Burton Group's Lewis. A company is more likely to succeed when it starts with 15 applications for which regulatory compliance is a top priority, he adds. "Get those working, demonstrate success and move on to the next phase."
Financial Engines has taken a "staged approach" to IAM, because "we lack the resources to tackle an enterprise-wide project with one comprehensive solution for everything from purchasing to customer management," says Todd. So too at H. Lee Moffitt, Martinez initially looked for a system that provided both user provisioning and SSO but decided to focus on SSO first. It was the higher priority, since end users, particularly doctors, were complaining vociferously about the need to use a different sign-on for each system, he says. "Our doctors now have one password instead of 10. Even if the system cost us a million dollars, it would still pay for itself," Martinez says.
Still, the project could not encompass all the cancer center's applications. With "best-of-breed applications for everything, we have dozens -- hundreds -- of applications," each with its own user database, Martinez says. As a result, he is initially focusing the SSO deployment on the applications that physicians and researchers use every day. "A lot of hospitals are moving toward a common user database schema, but for us that'll be years, if ever," Martinez says.
But Martinez still plans to deploy user provisioning soon. "From what I've heard and seen, it's worth the hassle." IT administrators currently have to deal with 30 or 40 employee terminations a week, with a typical end user having accounts for four or five applications. "That's a day's worth of manpower," says Martinez.
This was first published in November 2006