Why you should consider the total cost of ownership when choosing a credential management system

The traditional definition of the total cost of ownership (TCO) of a solution is the purchase price and the ongoing costs of operation.

For a Credential Management System (CMS) however it is important to include the value of the solution over time in accounting for the level of protection it brings to an organization. In effect the TCO of not deploying a CMS is zero, but the reduction in security and operational efficiency ignores the value a CMS provides.

Fundamentally a CMS enables organizations to replace passwords with more secure digital identities, providing effective protection against the number one cause of data breach – compromised user credentials.

The potential costs to a business of a data breach are numerous and include:

• Reputational damage
• Inability to continue business operations
• The increasing level of fines

The cost of these items should be considered when assessing the value of a CMS.

A number of organisations need to be able to demonstrate compliance with legislation, this may take the form of specific security legislation which mandates the use of strong authentication and specifies which technologies meet the required level of security (such as FIPS 201 in US federal government), or more generic legislation which states data must be protected and best practice followed (such as GDPR in Europe or HIPAA in healthcare).

One of a CMS’s core roles is to keep track of who has which access credentials on what devices.  This, combined with the ability to demonstrate credential management policy and enforcement can help an organisation comply with policy during an audit.

The ability to prove you are implementing best security practice is also starting to impact the premium of those organisations looking to take out cyber insurance.

There are capabilities a CMS may possess that can reduce the ongoing operational costs of running a digital identity scheme, these include:

• The CMS should provide APIs to enable integration with existing identity management systems, reducing the need for manual operations
• The CMS should provide capability to process operations such as requests or approving credentials in batches, reducing the amount of time required for operations staff
• The CMS should provide simple guided interfaces for operators, reducing the amount of training required for roll-out and for new staff
• The CMS should enable the separation of technical system configuration and day to day systems operations, reducing the need for difficult to retain staff with security skills
• The CMS should provide self-service capabilities, enabling end users to collect updates and manage their own devices without the need for operator interaction
• The CMS vendor should provide ongoing support and maintenance, offering support for newer smart cards, USN tokens, PKI versions, operating system version etc. as versions change. Without this keeping a system current can be problematic and expensive

Finally, an element of future proofing should be accounted for when calculating the TCO, security standards change and if the CMS can adapt to new standards, such as mobile ID and FIDO, it can enable an ongoing return on investment without the need to replace a system or run multiple systems in parallel.

Examples

• Over 4 million identities issued via API integration with a national ID solution.
• Extension of a smart card program to incorporate mobile ID reusing the existing system infrastructure and components.
• Self-service card activation and updates via a secure process for widely distributed organisations.
• Self-service card unlock pre-Windows logon for an aerospace and defence contractor reducing operational costs.

To find out more, request a MyID demo today.