A group of vendors, most not yet household names, even among many industry watchers, are behind e-provisioning. And although this new term may not be catchy, it’s starting to ring bells in its target marketplace, namely the Global 3000 companies.
But what exactly does e-provisioning do? Imagine all the wheels that have to turn when a new employee joins a large company. They need a variety of kit, from office furniture to mobile phones, notebooks and PCs. They also require access to a range of databases and applications as well as email. Giving a new employee everything that they need to do their job can take time. In some cases it can be a couple of weeks before everything has finally been sorted out.
What e-provisioning aims to do is to give a company’s HR or IT department, or whoever is responsible for providing a new employee with what they require, the ability to grant everything that’s needed with a single mouse-click.
Exactly the same thing holds true when an employee leaves. Again, a single mouse-click can kill all those permissions and reverse all of the privileges that have been granted. Here the software takes on an important security role.
Sounds like a “must-have” bit of software? It may well do, but it isn’t cheap. This is a system that’s designed to scale for tens of thousands of employees and hundreds of different application systems. Nothing as complex as that comes with much less than a six figure price tag when it’s aimed at the world’s larger companies. Right now, the economic climate doesn’t favour large-scale investments with medium-to-long payback cycles, so from that standpoint, getting large numbers of big companies to roll out wide ranging e-provisioning implementations looks a little unrealistic at the moment.
However, as Jonathan Penn, senior industry analyst with responsibility for directories, messaging and security at the market watcher Giga Information Group observes, that hasn’t stopped a number of large companies from getting pilot studies off the ground.
“Today there’s no large company in the world that has totally implemented e-provisioning. However, there are already 350 implementations around the world that are either in the pilot stage or in limited roll-out,” he says.
Mike Small, vice president for e-Trust Solutions at Computer Associates (CA) believes that CA has already had a product in this area. The company worked with Giga a few years ago to establish what the corporate requirements were in HR and IT. “What Giga found was that it can take up to 15 days for new staff to become fully operational. In an electronic age, until they get all the permissions and accesses they need, employees cannot become fully operational,” he says.
Small points out that Giga’s research also showed that around half of all companies are concerned about their ability to be certain they have properly and speedily removed those rights when the employee leaves. “The individual application security teams and the administration teams in large companies all have their own turf to protect. Yet to de-provision a leaver properly, you need all the teams to work together. This is hard to do, and having some way of automating this process makes a great deal of sense and has a lot of appeal for companies,” he says.
There’s also the problem of how best to track what kit an employee has been given and what actual privileges in the outside world he or she has been granted. Companies need to have confidence that they have the authorisation process involved in granting these privileges and rights under control.
“What can happen is that a middle-ranking employee phones the help desk and requests a new gold Amex card. The help desk gets one and issues it to them. Only when the auditors come in and question the fact that a card was issued, does the company realise that the employee in question isn’t supposed to have an expense card,” Small says.
The horror stories go on and on. One of the favourites concerns an ex-employee who enjoyed a year’s free gym membership because no one remembered to cancel his corporate membership. Then there are the employees who have access to and use their old email accounts long after they have left.
Izhar Shay, CEO of Business Layers, one of the leaders in the e-provisioning field, counts the undefinable potential losses associated with security breaches that might have occurred had a company not been running e-provisioning software, as one of the four categories of ROI payback that the software is able to deliver. Other savings include cuts in the number of administrators involved with provisioning and de-provisioning joiners and leavers. Then there’s the “down time” involved in not having new employees fully productive from day one. And finally, the consequential losses which relate to all the business that the new employee might have signed, and opportunities they might have created, had they been fully productive.
Based on this ROI model, Shay argues that large enterprises today can save millions of dollars on an annual basis by deploying an e-provisioning system. He points out that the market watcher, AMR, used saved help desk time to generate numbers for actual savings.
Jonathan Penn, at Giga, does much the same. “If you cost the average help desk call at $25 to $30 and you take the number of times an employee contacts the help desk in a year over a forgotten or non-functioning password, you can do a straight multiplication and come up with a figure. The self-service capabilities in an e-provisioning system can help an employee to resolve these queries themselves so that is a direct saving,” he says.
Penn also points that companies operating in a regulated environment have to be able to show which users have access to which systems. Auditing these permissions can be very difficult, but with an e-provisioning system, the audit trail is easy to follow.
As Shay explains, the major part of the work involved in deploying an e-provisioning system lies in defining an appropriate number of roles, together with the permissions associated with those roles.
“An e-provisioning system works by automating the granting of permissions through role analysis. This analysis will vary from company-to-company, but what you don’t want to do is to come up with thousands of different roles. Then all you are doing is transferring a people management problem into a system management problem. The skill in deploying this kind of system lies in achieving the right level of granularity for each role and each situation,” he says.
The next part lies in building the connectors to the various IT systems the user organisation possesses. What happens is that the company selects a few core systems and implements a subset of users onto those systems.
Then, gradually over time, it adds more users and more systems, looking all the time to maximise the benefit it gets, as against the work it has to put in to bring another of its applications into the scope of the e-provisioning system.
Useful as it undoubtedly can be for large corporates, e-provisioning faces some hurdles until it becomes a “must have” application for corporates.
The sale is not straightforward and though the security point, which focuses on the risk of leaving people with inappropriate access to systems, is a strong one, as Giga’s Jonathan Penn notes, it is just one of many risks that companies face.
“The sale is not just a direct benefits sale, but also about security risk mitigation, increased efficiencies and making new staff productive more rapidly. We can see a 50% reduction, for example, in IT administrative workloads with an e-provisioning system, which can amount to a couple of hundred thousand dollars right there,” he says
However, Penn admits that this is a market in its very early stages.
“No more than about 15% of the top 3,000 companies have picked up on this. However, I would expect to see around half the Global 3000 buying in over the next few years, even though the price tag for a complete implementation is steep, at between $500,000 to $1m.”
The vendors using pilot implementations, which will cost them a fraction of what they would otherwise pay. As to whether e-provisioning has a future, it’s believed that the next two years will be vital in determining this.
Josef Richter, MD of Webasto Information Systems, writes about how his company has gone about introducing e-provisioning. It provides IT support for its parent company, Webasto plc, and to third parties.
The main driver for moving to e-provisioning was to reduce the amount of administrative effort involved in managing access rights for 3,000 users world wide, across some 30 sites and across a heterogenous array of applications. Each application required a different user authentication and the password opened specific kinds of privileges depending on the user’s position in the company and job function. There was also the fact that with so many separate systems, it’s very hard to be sure you’ve closed off all a user’s access rights when they leave the company.
We identified a need and carried out an internal examination of the scale of the problem before we realised that there was such a thing as e-provisioning software available on the market. We came across the Business Layers package by chance when one of the consultants from our ERP vendor joined Business Layers.
We had already identified the fact that an ideal solution would be something linked to our personnel department via the payroll system. You need something to drive a set of automated provisioning processes and the payroll system by definition has to be accurate.
The biggest job we had when setting it up was shifting from allocating permissions by individual, to allocating them by roles. Only by moving to role-based provisioning were we able to get the efficiencies we were looking for from automating provisioning.
We went through the payroll and classified employees into functions.
Our first cut gave us some 600 to 700 descriptions. We worked with line managers to reduce this down to around 100 roles with their associated permissions.
There are around 1,850 people at Webasto Information Systems, but not all of them need access to IT systems. In all the e-provisioning system manages the access rights for some 1,100 staff at this stage. We are using 2002 to get all the connections to the different applications implemented and to test the system. Our main roll out to the rest of the company is scheduled to begin in 2003. ROI comes from reducing the number of administrators you need, and from enhanced site security.