Tom Kemp's Centrify Blog

Calculating the ROI for Centrify's Web Application and SAP Single Sign-on Solutions

Monday, August 17, 2009

In my last two blog entries I examined the "before Centrify" and "after Centrify" approaches to managing digital identities for your operating systems. In those blog posts I also talked about how Centrify's approach to identity management and our products and solutions can make your organization more operationally efficient and productive as it relates to securing and managing access to your servers and desktops. I have also recently discussed my thoughts on the key security challenges involving application single sign-on. But we all know that in today's economy IT projects are not always driven by best practices. So in this blog post I will talk about how our products drive significant operational efficiency when you deploy our stuff for web and enterprise applications such as SAP Netweaver.

[Many thanks to Corey Williams, our Director of Product Management for Application Support, for assistance on this blog post.]

In order to examine the concrete cost avoidance and user productivity gains that you can realize I will discuss how the behavior of users, the helpdesk and application support improves as a result of leveraging our single sign-on solutions. I will also cover some examples of our real-world customers who have already implemented our application single sign-on (SSO) solutions and how they have benefited by reducing cost and improving user productivity.

Efficiency Driver #1 - Improved User Productivity

The primary driver for application SSO we are hearing from customers is improved user experience. Better user experience improves user adoption and increases user productivity, which is the primary reason that organizations invest in technology in the first place. This improved user productivity can be quantified by examining how users' behavior changes when using a Centrify SSO solution. As you may recall, given our solutions' support for Kerberos, end users can silently authenticate into SAP without having to enter their username and password (as they already "received" their valid Kerberos ticket upon logging onto Windows, etc.).

The first quantifiable improvement in users' behavior with application single sign-on is a reduction in the number of times they need to enter a username and password during their day-to-day work. Let's take a fictional company that uses SAP as an example:

  • Suppose a user logs into their SAPgui client once in the morning and again in the afternoon.
  • Suppose further that it takes 10 seconds on average to correctly type the username and password. While this doesn't sound like much, 20 seconds per day per employee adds up very quickly.

Assuming 235 productive days a year and 10,000 employees, this basic productivity gain is a whopping 13,000 working hours per year just for SAP! Even if you discount for users' web surfing and filling up the coffee mug, this is still a very impressive number.

The second quantifiable improvement in users' behavior with application single sign-on is a reduction in the number of passwords they need to manage on an ongoing basis. For example, payment card industry (PCI) standards in section 8.5.9 require that users' passwords be changed at least every 90 days. Many of our customers are requiring changes every 60 or even 30 days. Using our fictional 10,000-employee company from before, and assuming a 60-day password reset policy with a 60-second time to enter the old and create the new password, this company spends 1000 hours for every application in the enterprise, just to maintain the password! The average computer user may have more than 20 applications they access. So there goes another 20,000 hours of user productivity.

The third and most important quantifiable improvement in users' behavior with application single sign-on is a reduction in the number of mistyped and forgotten passwords. As a result of manually typing a username and password at every login, as well as having to periodically change and remember 20+ passwords, users often lock themselves out of their accounts. This can lead to significant user downtime (from 10 minutes up to several hours) as well as involvement of the helpdesk to reset the user's account and to create and close a trouble ticket. The typical user locks themselves out of their application account at least once per year. For our 10,000 user company this can lead to another 60,000 hours of lost productivity each year!

Efficiency Driver #2 - Reduced Helpdesk Expenditures

The second most popular driver we are hearing from customers is reducing helpdesk burden with respect to account lockouts and password resets. Several different studies estimate that between 40 and 90 percent of helpdesk calls are for account or password reset issues. For our fictional company of 10,000 users this can lead to more than 10,000 helpdesk calls per year per application. Just for one application, using an industry average of $30 per trouble ticket, they are spending more than $300,000 per year in helpdesk and employee productivity for an avoidable problem.

NOTE: Most of our customers are using just the helpdesk efficiency gains to realize 2-3 quarter ROI or better, without using any of the user productivity gains to justify their project.

Efficiency Driver #3 - Reduced Application Support Expenditures

While not as dramatic as the last two drivers, many application support owners are seeing productivity gains by reducing account and password creation times, reducing the need to implement costly and complex password synchronization products, and avoiding the need to delete or disable individual user accounts when a user changes jobs or leaves the company. They simply disable the user's account in Active Directory and the user is no longer able to access applications protected by Centrify application SSO. They can then use a batch or periodic process to clean up user accounts in individual applications.

As we have engaged with customers to improve their users' experience through the implementation and rollout of Centrify application SSO, we have been able to better understand and witness the productivity and efficiency gains they have realized. Here are just a few examples in the past 12 months:

Customer Example #1 - Large Telecommunications Device Manufacturer

This popular telecommunications device manufacturer, who has around 5000 SAP users, wanted to reduce the helpdesk burden and improve user satisfaction. They were able to complete an onsite evaluation in just a couple of days and expect to save or avoid $400k per year and improve productivity by the equivalent of 4 full time employees. Their ROI is less than 6 months.

Users | Yearly $$ Savings | ROI Time Period
5000 | $400,000+ | Less than 6 months

Customer Example #2 - Large Retailer

This global retailer is implementing SAP and operates in a very scrutinized security and compliance environment. So they were motivated equally by the security features of our SAP SSO solution such as Active Directory-based authentication and client-server encryption as well as the productivity gains and cost avoidance. For 2500 users they expect to save or avoid $350k per year and improve productivity by the equivalent of 3 full time employees. Their ROI is less than 6 months.

Users | Yearly $$ Savings | ROI Time Period
2500 | $350,000+ | Less than 6 months

Customer Example #3 - Small Manufacturer

Mostly motivated by improving their 1200 users' experience by not having to remember their SAP username and password, this small manufacturer will save over $100k per year, including improving their users' productivity by almost 2500 hours per year.

Users | Yearly $$ Savings | ROI Time Period
1200 | $100,000+ | Less than 3 months

One final comment similar to my previous blog posts: I am not implying you should base a decision to purchase the Centrify solutions solely on the operational efficiencies that I described above. I think the benefits of improving users' experience and controlling access after a user leaves the company as well as improving security (e.g. encrypting SAPgui to SAP server traffic) are equally compelling drivers. But I do realize that in today's economy showing how a solution such as ours can save time and money is important to articulate up the management chain, so hopefully a blog post such as this (and my previous posts regarding gains from our OS security product) can help you articulate the value proposition we offer.
