What is our primary use case?
Access governance related to audits.
BAAN, AX, AS400, AD, Exchange, Footprints, several home-grown applications.
We had a relatively small AD (about 5,000 users), but our primary challenge was all of the legacy systems in place, including multiple instances of BAAN that came from different M&A deals, each with their own configurations and entitlements.
How has it helped my organization?
The short version is that we gained significant insight into the issues of access governance. One of our largest challenges was lacking insight into who had what access and where. For years access had been granted in an ad-hoc manner, mostly as "I need access like Sally" situations, resulting in a mess of too much access on nearly every account in our organization. Implementing an IAM system allowed us to turn this auditing nightmare into praise from our auditors, eliminating fines and cutting operational costs, paying for the implementation within a year.
Additionally, we found all sorts of questionable activity that we were able to address. Using the built-in policy tools, we were able to identify those who went around controls and address them, both stopping their unapproved activities and getting feedback to improve the IAM interaction with the company. The loss of unapproved access also stopped a few cases of potentially criminal activity that came to light because of our newfound trove of data, but further details cannot be shared.
The amount of useful data we were able to gain immediately after a basic implementation was exceptional. Within days of installing the product in production and well before the official go-live we were able to create meaningful reports of all sorts and start correcting missing and wrong data as well as access control issues. We had tried system cleanup projects before and had some success but correcting our data in earnest began once we could see everything in one place.
As the project matured, we were able to move more and more out of the hands of IT and into the hands of the LOB representatives, which in turn both improved the business' view of IT as a whole and allowed IT to focus on other projects and trim staffing levels on low-tier work, moving those employees to more important work and helping some of them grow their careers.
The value gained by taking control of your access data and walking the path towards governance is immense and the progress we made inspired me to pursue a career helping other companies achieve the same success. I would recommend that every company undergo an IAM project especially if they have nothing in place now.
What is most valuable?
In dollars: access reviews. In QoL: Entitlement requesting, Approval workflow, and Attestations.
At the start of our project, IT was considered a burden by most of the company. One Identity's easy to set up requestable items and the associated smart approval workflows gave IT the power to become a hero to the company. Eventually we had lines of business coming to us with requests to integrate more and more into the self-service portal. Then on top of that, the existing attestation cycles allowed us to confidently know for certain that correct access was issued and maintained across the company.
What needs improvement?
My largest issue with the product is the ability to customize the web portal.
There is a tool that allows this to happen, but it is difficult to use (except for minor changes like logo or color scheme, or basic edits such as displayed columns on an object). Then, to make it worse, the documentation is not helpful at all in describing what pieces do or how to use them. Even after training, I would not be confident in attempting any large change to the portal.
For certain, this is the area that I think needs the most improvement from the current state.
For how long have I used the solution?
I have been using One Identity Manager for six years.
What do I think about the stability of the solution?
The stability is fantastic.
Your real stability issues are going to come from SQL and not the product itself. There are redundancies built into any general implementation and always-on availability is expected. If you are already running your SQL in an always-on way, the chance of downtime with One Identity is essentially zero.
Upgrading from one version to another is the only potential issue. You have to have an outage to perform it. There are ways to make this smooth but it is the one area where stability could be an issue.
What do I think about the scalability of the solution?
The solution scales very well. I have experienced issues when attempting to scale to the largest companies. However, when we did encounter issues, One Identity did a fantastic job of providing the resources and fixes needed to scale the system to millions of identities.
How are customer service and technical support?
The support team could be improved on. The first level of support essentially looks up knowledge base articles and often can't provide the answer needed. This could be skewed because any issue we couldn't solve with our implementation partner was certainly not a level 1 issue. However, even with One Identity knowing that, we would have to deal with bad level 1 before we could get someone who could actually help on the line.
However, to give a positive side, any time there was an emergency they were very quick to get the right resources on the issue, even when it meant waking people up in the middle of the night.
If you previously used a different solution, which one did you use and why did you switch?
We did not have a solution in place. This was a greenfield project.
How was the initial setup?
The initial setup was very, very easy.
Our complexity all came from integrating outside systems. The out-of-box experience with One Identity was genuinely fantastic.
What about the implementation team?
We used a 3rd party partner of One Identity as well as trained an in-house team to administrate and extend the system.
The partner was extremely knowledgeable and in a couple of cases more so than the vendor. We were extremely happy with the outcome of their work.
What was our ROI?
Our ROI is very, very large.
We eliminated ongoing SOX violations and associated fines.
Additionally, and without including the above, we were able to see savings in IT costs greater than the cost of our implementation within one year. A significant portion of this came from moving our most common help desk requests into self-service.
The example I would give as the largest of these is Baan. Traditionally, a ticket was submitted, then tier 1 moved it to the Baan team, who was responsible for both access and troubleshooting. Baan was significantly understaffed and the turnaround was slow. When they did address the ticket, it would require calling managers and attempting to figure out what access they actually needed. Turnaround was 2 to 3 weeks PER REQUEST. By defining roles with the business (a huge task in itself), creating self-service requestable items, creating approval flows, and automatically producing formatted tickets to Baan (direct connection to add access was not available to us), we were able to reduce the turnaround time to less than a day, freeing up resources to do more important work.
Finally, we were able to change the perception of IT nearly company-wide. While this has no dollar amount attached this is probably the most significant return we experienced.
What's my experience with pricing, setup cost, and licensing?
One Identity genuinely provides one of the lowest costs for the initial setup of any product while still being a robust suite of tools. Price was a major driving factor in our choice to use One Identity.
Which other solutions did I evaluate?
We did evaluate multiple other options before choosing. Hitachi ID, Salesforce (they really do have an IAM offering), Oracle.
What other advice do I have?
My advice would be to implement the out-of-box product and pull in your initial data sooner rather than later. Planning is needed but I assure you that you likely don't know how much of a mess you're in, especially if you have no IAM solution already in place.
The OOB data collection will help shed light on the issues you have and have yet to discover; then you can craft robust solutions to tackle them.
Involve HR, involve your process owners, involve your business unit leads. Ultimately, you want to use a tool like this to empower your business to make decisions and engage in self-service. It may be difficult at first but if you involve them and try to meet their needs you can turn IT from a burden into the hero of your company.
Work with a partner. While the vendor has great staff and is very knowledgeable, ultimately the partners are the ones who can really help you make the magic happen. All partners have the ability to engage the vendor directly should the need arise. You can save a significant amount of cost by going this route.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.