Outsourcing in Control with Identity & Access Management


Identity & Access Management

Milan D. Kaihatu

October 2007


Outsourcing in control with

Identity & Access Management

By

Milan D. Kaihatu (S1485792)

October 2007

Master of Science in Business Administration
Specialisation Business & ICT

Faculty of Economics and Business
University of Groningen, The Netherlands

Supervisors:

Ir. F.B.E. van Blommestein
Faculty of Economics and Business
University of Groningen

Drs. K.F.C de Bakker
Faculty of Economics and Business

Acknowledgements


Preface

Ever since I started studying, information security has been on my mind. I visited hackers’ events like We Are Networking and Megabit. Also, I worked at an internet provider and later at my own company, where being engaged in security tasks was part of my job. Combining my interest in security and having the experience of running a small IT company, I decided to combine my knowledge of both information security and business theories to write a thesis.

During summer 2006 I met X at a gathering of Ictmanagers.com, which is a community of the Business & ICT track of the Master of Science in Business Administration course. He introduced me to the activities of Company X, and informed me of the existence of a business unit that is specialised in IT security and control. Autumn 2006, Company X invited me to their selection procedure and offered me a very interesting internship.

The following months I had a lot of things on my mind: completing my Bachelor’s, arranging accommodation, handing in my resignation at the company I had worked for during the past five years and picking a research subject. I was about to find out how Identity & Access Management was to be applied in outsourcing situations.

The first few weeks as an intern at COMPANY X were intensive for me. I had to get used to driving my own car while managing the “Randstad mentality” on the roads. Also, COMPANY X had some great activities in store for me. On the third day of my internship all employees of Company X were about to head off to Noordwijk for the Tuning Days, whose purpose was to learn from each other by taking part in several workshops. I surely learned a lot and got acquainted with my new colleagues. The next weeks were diversified with an etiquette course, driving fast cars at the Lelystad circuit and a sailing trip. What a great way to start an internship!

While writing my thesis I found that my interests were a bit broader than just information security, so sometimes I had to be steered clear of digging too much into interesting subjects that also crossed my path in the search for information on outsourcing and Identity & Access Management.

Management summary

This research examines the management issues, risks and security aspects of positioning Identity & Access Management (IAM) in outsourcing situations. The study leads to a model that helps decision-makers position IAM in outsourcing situations.

To arrive at a decision model, the domains of both outsourcing and IAM were studied first. Both subjects are clarified with a commonly accepted definition, and management issues, risks and security aspects are taken into account. The two chapters following the introduction of the research cover outsourcing and the specifics of IT outsourcing. Herein, several important management issues and risks came forward. An issue of key importance is the trade-off between flexibility and control. Where outsourcing leads to flexibility, it incurs a decrease of control over processes at the same time. The gain in flexibility lies in the ability to choose among a number of providers to fulfil processes as well as the ability to vary production numbers. The loss of control over processes can be traced back to the fact that processes are executed at other locations, are performed with different standards in mind and perhaps with less care.

IAM gives the firm a set of tools to set up a system that regulates who has access to what. This set of tools can include a monitoring and audit component, which can be set up to check whether the current set-up of access rights is identical to the desired set-up. With such a system, management can obtain a real-time overview of the current status of access rights. This leads to an increase of control over business processes. Therefore, IAM could be put in place to make use of the gain in flexibility of outsourcing while limiting the decrease of control.

Although IAM seems to be a magic potion for the control issue of outsourcing, composing an IAM solution requires a closer look at how its components are distributed over the firm and the outsourcing vendor. This research describes four IAM layout situations varying from keeping the complete IAM toolset within the firm to outsourcing all components to an outsourcing vendor. Each option has its benefits and risks, but a middle way in which most components are performed at the outsourcing vendor seems to be most valuable. However, outsourcing the authorisation component implies outsourcing the direction over business layout and is advised against.

To offer a holistic overview of the positioning of IAM in outsourcing situations, the outsourcing vendor perspective has also been taken into account. Based on Porter’s Five Forces (1979), management issues and risks of delivering outsourced IAM services are discussed. This discussion makes clear that an IAM outsourcing vendor has to cope with contending forces like vendors and clients at the same moment. Whereas buying standardised products from a vendor can save expenses on both acquisition and development, offering a custom-made product to the client can strengthen the relationship with the client by raising exit barriers.

Table of contents

Acknowledgements
Preface
Management summary
Table of contents
List of figures
List of tables
1 Introduction
1.1 Objective
1.2 Setting and Relevance
1.3 Problem definition and research questions
1.3.1 Task
1.3.2 Demands
1.3.3 Constraints
1.4 Method
1.5 Structure
2 Outsourcing
2.1 Outsourcing defined
2.2 Evolution of outsourcing
2.2.1 First generation
2.2.2 Second generation
2.2.3 Third generation
2.3 The outsourcing process
2.3.1 When to outsource
2.3.2 What to outsource
2.3.3 Outsourcing cycle
2.4 Types of relationships
2.5 Where to outsource
2.5.1 Domestic outsourcing
2.5.2 Near shore outsourcing
2.5.3 Offshore outsourcing
2.5.4 Pros and cons of outsourcing locations
2.6 Opportunities and risks of outsourcing
2.6.1 Opportunities
2.6.2 Risks
2.6.3 Trade-offs
2.7 Conclusion
3 IT aspects of outsourcing
3.1 Information technology
3.1.1 Definition of Information Technology
3.1.2 Evolution of Information Technology
3.2 IT Outsourcing
3.2.1 Definition of IT outsourcing
3.2.2 Evolution of IT outsourcing
3.3 IT risk aspects of outsourcing
3.4 Performance management of IT outsourcing
3.4.2 Third party Announcement
3.4.3 Information Security
3.5 Conclusion
4 Identity & Access Management
4.1 IAM concept
4.2 Components
4.2.1 User management
4.2.2 Authentication management
4.2.3 Authorisation management
4.2.4 Provisioning
4.2.5 Monitoring and audit
4.3 Key techniques used in IAM
4.3.1 SSO
4.3.2 RBAC
4.4 IAM Business drivers
4.4.1 Long term business drivers
4.4.2 Short term business drivers
4.5 Maturity of IAM
4.6 Conclusion
5 Outsourcing and Identity & Access Management
5.1 IAM drivers in outsourcing situations
5.2 Where to locate IAM
5.2.1 IAM at the client
5.2.2 IAM at the outsourcing vendor
5.2.3 IAM partly outsourced
5.3 Decomposing IAM
5.3.1 User management
5.3.2 Authorisation management
5.3.3 Authentication management
5.3.4 Provisioning
5.3.5 Monitoring and audit
5.3.6 Decomposing IAM summarised
5.4 Federated Identity Management
5.5 A vendor perspective on outsourcing IAM
5.5.1 New entrants
5.5.2 Suppliers
5.5.3 Customers
5.5.4 Substitutes
5.5.5 The company itself and its industry
5.6 Conclusion
6 Framework to position IAM in outsourcing
6.1 A Framework to position IAM in outsourcing
7 Conclusion


List of figures

Figure 1.1 IAM Blueprint
Figure 1.2: Where to position IAM?
Figure 1.3 Positioning IAM in an outsourcing environment
Figure 1.4 Thesis layout
Figure 2.1 The sourcing cycle
Figure 2.2 Taxonomy of four classes of outsourcing relations
Figure 2.3 Flexibility versus control
Figure 4.1 IAM in a desired situation
Figure 4.2 provisioning flowchart
Figure 4.3 Threats to data on networks
Figure 4.4 The difference between using a role and not using a role
Figure 4.5 IAM Growth model
Figure 5.1 IAM at the firm
Figure 5.2 IAM at the outsourcing vendor
Figure 5.3 IAM partly outsourced
Figure 5.4 IAM Concept
Figure 5.5 Division of IAM components
Figure 5.6 IAM connected by FIM
Figure 5.7 IAM instances connected by FIM

List of tables

Table 2.1 Pros and cons of outsourcing locations
Table 2.2 Overview of much cited opportunities and risks of outsourcing
Table 3.1 Eleven risks of IT Outsourcing
Table 5.1 Strategic risks
Table 5.2 Tactical risks

1 Introduction

In this chapter the subject of research (Identity & Access Management in an outsourcing situation) and how this study has been conducted is discussed. The first paragraph is devoted to this objective. This is followed by a paragraph on the relevance of the subject matter. After that the problem definition along with the research questions is discussed. In the third paragraph the method of working is explained. Finally, in the concluding paragraph of this chapter, the structure of this thesis is presented.

1.1 Objective

Years ago the consensus was that companies had to grow. They had to grow either by conglomerating, by integrating horizontally or by integrating vertically. These actions were designed to help achieve economies of scale and give companies the opportunity to exercise more market power. However, business was about to change. Since the recession in the early 1980s more and more companies had to focus on fewer activities. At a certain moment in time it became difficult for companies to pay the costs of staying up to date in more than one supply chain (Lonsdale & Cox, 2000). To cope with this problem, companies can follow a focus strategy. There are two variants: a cost focus, which is about seeking cost advantages in its target segment, and a differentiation focus, which is about seeking differentiation in its target segment (Porter, 1985). To execute such a strategy outsourcing can be used, since outsourcing gives the firm the opportunity to focus on what it does best (Gilley & Rasheed, 2000). This can also be described as having a strategy for being focused on core competencies. Core competencies can be denoted as a set of diverse skills, which are orchestrated within a company (Prahalad & Hamel, 1990). Quinn (1999) describes core competencies a bit more precisely as “those activities – usually intellectually-based service activities or systems – that the company performs better than any other enterprise. They are the sets of skills and systems that a company does at ‘best in world’ levels and through which a company creates unique high value for customers.”

Although outsourcing seems to be a magic potion, there are several risks and issues involved when firms follow the outsourcing path. Risks like loss of control, loss of innovation power (Quinn & Hilmer, 1995), becoming dependent on the outsourcing vendor (De Vita & Wang, 2006; COMPANY X, 2006; Everaert & Sarens, 2005; Gallivan & Oh, 1999; Lonsdale, 1999) or security related issues (Khalfan, 2004; Karyda et al., 2006; Yang et al., 2007) are not inconceivable. Outsourcing information systems brings several risks of its own, for example possibly weaker management of IT, weaker staff at the outsourcing vendor, and business uncertainty because of selling out people who are needed most at a certain moment in the future (Earl, 1996). Threats in the area of information security may also arise. The staff at the outsourcing vendor¹ needs to access the client’s² data and systems to ensure availability. It can be complicated to find out what the outsourcing vendor’s staff needs to know and at what level they should be able to access data and systems owned by the client (Alner, 2001). To make sure only the right personnel get the right level of access to data and to establish segregation of duties, Identity & Access Management (IAM) can be applied.

Figure 1.1 IAM Blueprint

[Figure labels: Source; User Management; Authentication Management; Authorisation Management; Authorization Role Model (“SOLL”); Provisioning (“IST”); Monitoring and Auditing; (Automated) Reporting; Security Administration; Management Actions: Create, Update, Delete; IAM processes supported by automation.]

(Source: Hermans et al., 2006)

1 The outsourcing vendor is the party who offers the service of performing business processes for other parties. In this thesis the outsourcing vendor is also denoted as vendor or outsourcer.

2 The client is the party who is contracting out business processes to other parties. In this thesis the

According to the COMPANY X Blueprint, IAM is a set of five processes (figure 1.1) that ensure that information can only be accessed and altered by the right instances (Hermans & Ter Hart, 2005):

• User management. This component handles actions like the addition of a new employee, job rotation and dismissal of staff. This element lays the foundation for registering users of information, IT resources and physical assets.

• Authentication management. This part answers the ‘who are you?’-question. Within this element passwords and tokens are managed and distributed towards users.

• Authorisation management. Authenticated users need to be coupled with privileges for accessing information, IT resources and physical assets (‘what are you allowed to do?’).

• Provisioning. This component is responsible for routing credentials to IT objects, which are accessed by users. Provisioning can be carried out automatically or by hand.

• Monitoring and audit. One of the major advantages of an IAM solution is the ability of real-time monitoring and auditing. Whenever needed, this presents a possibility to carry out an investigation on the effect of user credentials policies.

The two main reasons for implementing IAM are achieving operational excellence and compliance with laws and regulations, which is one of the aspects of having IAM ‘in control’ (Hermans & Ter Hart, 2005).
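The five processes listed above can be tied together in a small reconciliation of desired (“SOLL”) against actual (“IST”) access rights, which is the check the monitoring and audit process performs. This is an added example, not code from the thesis or from the COMPANY X Blueprint; all users, roles, systems, permissions and the segregation-of-duties rule are constructed assumptions.

```python
"""SOLL/IST reconciliation sketch for the monitoring and audit process.

Every user, role, system and rule below is constructed sample data.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "kind user employer entitlements")

# User management: registered identities, vendor staff included (constructed).
USERS = {
    "alice": {"employer": "firm", "active": True, "roles": {"ap_clerk"}},
    "bob": {"employer": "vendor", "active": True, "roles": {"db_operator"}},
    "carol": {"employer": "vendor", "active": False, "roles": {"db_operator"}},
    "dave": {"employer": "firm", "active": True,
             "roles": {"ap_clerk", "ap_approver"}},
}

# Authorisation management: role model, role -> {(system, permission)}.
ROLE_MODEL = {
    "ap_clerk": {("erp", "invoice.create")},
    "ap_approver": {("erp", "invoice.approve")},
    "db_operator": {("erp_db", "backup.run"), ("erp_db", "restart")},
}

# Segregation of duties: pairs one identity must never hold together.
SOD_CONFLICTS = [(("erp", "invoice.create"), ("erp", "invoice.approve"))]

# IST: entitlements read back from the target systems (constructed).
IST = {
    "alice": {("erp", "invoice.create")},
    "bob": {("erp_db", "backup.run"), ("erp_db", "restart"),
            ("erp", "invoice.approve")},
    "carol": {("erp_db", "backup.run")},
    "dave": {("erp", "invoice.create")},
    "svc_legacy": {("erp_db", "restart")},
}


def build_soll(users, role_model):
    """Derive desired entitlements per user; leavers are entitled to nothing."""
    soll = {}
    for uid, rec in users.items():
        wanted = set()
        if rec["active"]:
            for role in rec["roles"]:
                if role not in role_model:
                    raise KeyError(f"role {role!r} of user {uid!r} not in role model")
                wanted |= role_model[role]
        soll[uid] = wanted
    return soll


def sod_hits(entitlements, conflicts):
    """Return the conflicting pairs fully contained in one entitlement set."""
    return [pair for pair in conflicts if set(pair) <= entitlements]


def reconcile(users, role_model, ist, conflicts):
    """Compare SOLL with IST and return a deterministic list of findings."""
    soll = build_soll(users, role_model)
    findings = []
    for uid in sorted(set(soll) | set(ist)):
        have = ist.get(uid, set())
        if uid not in users:
            # Account exists on a system but nobody in user management owns it.
            findings.append(Finding("ORPHAN_ACCOUNT", uid, "unknown", sorted(have)))
            continue
        want, employer = soll[uid], users[uid]["employer"]
        if have - want:
            kind = "EXCESS" if users[uid]["active"] else "LEAVER_ACCESS"
            findings.append(Finding(kind, uid, employer, sorted(have - want)))
        if want - have:
            findings.append(Finding("MISSING", uid, employer, sorted(want - have)))
        # A conflict in SOLL is a role-assignment error; in IST it is live risk.
        for pair in sod_hits(want, conflicts):
            findings.append(Finding("SOD_IN_SOLL", uid, employer, list(pair)))
        for pair in sod_hits(have, conflicts):
            findings.append(Finding("SOD_IN_IST", uid, employer, list(pair)))
    return findings


def by_employer(findings, employer):
    """Filter findings, e.g. to see only what concerns the vendor's staff."""
    return [f for f in findings if f.employer == employer]


if __name__ == "__main__":
    for f in reconcile(USERS, ROLE_MODEL, IST, SOD_CONFLICTS):
        print(f"{f.kind:15} {f.user:11} {f.employer:8} {f.entitlements}")
```

The sample data is chosen so that each finding type appears once: a vendor operator with a permission outside his role, a departed vendor employee whose account was never deprovisioned, a role assignment that itself breaks segregation of duties, and an account with no registered owner.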

1.2 Setting and Relevance

At Company X’s business unit ICT Security and Control (ISC) one of the activities is providing advisory services on how to implement, use and manage IAM. A lot of knowledge on this subject is already present within the organisation, but increasingly clients are demanding knowledge on how to best apply IAM in an outsourcing situation.

In contrast to sourcing, information security and IAM individually, little research has yet been done on IAM in an outsourcing environment. Scoping in on outsourcing and information security, one can ask how and where IAM should be positioned and whether or not IAM addresses the aforementioned outsourcing issues like the risk of lack of control or the set-up of segregation of duties. In a wide perspective IAM can be positioned at four distinct places (Figure 1.2):

• Inside the firm (I);

• At a vendor (II);

Figure 1.2: Where to position IAM?

[Figure labels: panels I, II, III and IV; firm; vendor; IAM.]

Each of these four options has its own merits and demerits. Having the complete IAM system within the firm has control benefits, but flexibility disadvantages. The opposite goes for a set-up where the complete IAM system is situated at a vendor, where flexibility is maximized, but control is minimized. The third option is having IAM partly inside and partly outside the firm. An interesting question is which parts should be kept inside and which parts can be sourced to another party. The last option is having a complete IAM solution at both the firm and the vendor. In this case both solutions are connected through Federated Identity Management (FIM). A profound investigation of FIM is not in the scope of this research. However, it will be addressed in a less extensive analysis.

1.3 Problem definition and research questions

According to De Leeuw (2003) there are two kinds of problem definitions for practical research: a design variant and a classical variant. The classical variant of a problem definition consists of an answer to ‘what do you want to know for whom and why?’ along with the preconditions of the research. The design variant is less forced and tries to give an answer to the following three questions:

• What do you want to make for whom?

• To which demands should it comply?

• What are the constraints?

1.3.1 Task

The first design question can be translated into a task. In this research the task will be:

Design a framework to help choosing how and where to apply IAM to an outsourcing situation.

To complete this task, the following questions need to be answered:

• What is outsourcing and how did this evolve?

• What are the risks, management issues and security aspects of outsourcing in general?

• What are the risks, management issues and security aspects of outsourcing IT?

• What is IAM and what risks, management issues and security aspects does IAM address?

• How does IAM fit in an outsourcing situation?

• What are the risks, management issues and security aspects of outsourcing IAM?

Finally, answering these questions leads to the design question:

• How and where can IAM be applied to an outsourcing situation?

1.3.2 Demands

• The framework should be applicable when organising IAM in an outsourcing situation.

• The framework will be concerned with making recommendations on how to align IAM with outsourcing. The framework contains both prescriptive and explanatory elements, which is quite common for frameworks (McIvor, 2000).

1.3.3 Constraints

This research is bound by several constraints:

• The research will take place at Company X.

• The available time to conduct the research is five months.

1.4 Method

As depicted in figure 1.3, the need for information security can be viewed as a connection between outsourcing and IAM. This is the setting of the research. First, a literature study on outsourcing will be conducted, providing a view on its risks and benefits. Next, the study zooms in on information security as one of the risk areas of outsourcing. After that, the focus will be on IAM and how IAM addresses the risks, management issues and security aspects of outsourcing. Based on the gathered information, a decision model on the set-up of IAM in an outsourcing situation will be created. The model will be validated by surveying hands-on experts.

Figure 1.3 Positioning IAM in an outsourcing environment

[Figure labels: Outsourcing; Information security.]

1.5 Structure

This thesis consists of seven chapters (figure 1.4). The first chapter regards the research proposal and can be seen as an introduction to the research subject. After that, a chapter will be about the different aspects of outsourcing, including a paragraph zooming in on risks, management issues and security aspects of outsourcing. This chapter is followed by a discussion on the specific aspects of IT outsourcing. Next, the IAM concept will be introduced, where also management issues and security aspects of IAM will be introduced. In the fifth chapter IAM will be positioned in an outsourcing environment, also considering the vendor’s perspective to provide a holistic overview on the matter. In chapter six based on the gathered information a decision model on the setup of IAM in an outsourcing situation will be proposed. The concluding chapter sums up the research outcome and contains recommendations for further research.

Figure 1.4 Thesis layout

2 Outsourcing

This thesis has been targeted towards creating a framework to position Identity & Access Management (IAM) into outsourcing environments. To accomplish this goal, one of the first steps is paying attention to the subject of outsourcing. And that is what this chapter is devoted to. The purpose of this chapter is to provide clarity on the management issues of outsourcing, its risks and its security aspects, answering the first two research questions stated in the introduction chapter:

• What is outsourcing and how did this evolve?

• What are the risks, management issues and security aspects of outsourcing in general?

First, this chapter offers an insight into the various definitions of outsourcing, from which a holistic definition has been distilled to be used throughout this thesis. Next, to give an overview of the development of outsourcing, its evolution will be discussed based on a breakdown into three generations of outsourcing. During this debate, the opportunities that outsourcing brings along, like being able to farm out non-core competencies and thus becoming more flexible and efficient, form the thread of the discussion.

Following the discussion on the evolution of outsourcing, a focus will be put on the steps a firm needs to take to decide whether and how it should execute an outsourcing strategy. Within a paragraph on the outsourcing process, an answer is given to the questions of when to outsource and what to outsource. Supporting this, a generic outsourcing cycle based on theories of Delen (2000) will be disclosed.

To show that outsourcing can be put into action through various types of links with outsourcing vendors, the four types of outsourcing relationships will be examined based on the taxonomy of Gallivan & Oh (1999). In this paragraph, along with a description of each relationship, attention is paid to its opportunities and risks. Next, this chapter will handle the longitudinal aspects of outsourcing relationships to give attention to the risks and opportunities of domestic, near shore and offshore outsourcing.

Following these paragraphs, in which several threats and advantages have already been handled, a section is dedicated to the risks and opportunities of outsourcing. An overview is presented based on a collection of risks and opportunities much cited by scholars. Using this overview, a model of trade-offs has been constructed. This model shows which choices on outsourcing issues need to be made.

2.1 Outsourcing defined

• substitution, in which internal activities are substituted by activities by an external service;

• abstention, where products or services are obtained from an external service, without the firm having created them itself in the past.

These contrasting definitions show that there is some disagreement on the concept of outsourcing. However, there is also overlap. In short, the following definition of outsourcing can be stated:

outsourcing is contracting out work to external parties

2.2 Evolution of outsourcing

Outsourcing has evolved over time. To give an overview, De Vita and Wang (2006) classify the evolution of outsourcing in three generations, which describe how outsourcing developed over time from an instrument giving companies the opportunity to outsource minor business processes towards the outsourcing of processes that used to be considered of strategic importance, like marketing activities and the ultimate manufacturing of products, creating so-called virtual companies.

2.2.1 First generation

As noted in the previous chapter, firms changed from large sized to lean companies focused on what they do best. By outsourcing non-core competencies firms are able to achieve this focus. Quinn and Hilmer (1995) give four opportunities³ of such a strategy:

• maximizing returns on internal resources;

• strong core competencies are a good barrier against newcomers on the market;

• all capabilities of the outsourcing vendor can be used (investment, innovations and specialized professional capabilities);

• lower risks, smaller cycle times, lower investments, and in this way better responsiveness to customer needs.

Efficiency and cost-saving are key drivers of first generation outsourcing. Within this generation of outsourcing only peripheral activities like cleaning, catering and uniformed security are outsourced.

2.2.2 Second generation

One of the characteristics of second generation outsourcing is the farming out of IT. Where IT used to be a support activity, nowadays IT is considered a near-core competence. This means that IT is becoming significant to firms to deliver their products and services, but that IT is not a deliverable itself. A thoroughgoing example of this is General Motors (GM), which began to value its IT increasingly, until at some point it decided to change the way it executed outsourcing. To become less dependent on its outsourcing supplier EDS, GM handed off a part of its outsourcing practices to other outsourcing vendors. This shows that second generation outsourcing is focussed less on cost and more on flexibility (De Vita & Wang, 2006). Therefore, to measure the performance of second generation outsourcing the impact on overall business performance is examined, whereas for first generation outsourcing only cost saving is measured.

2.2.3 Third generation

In contrast to the advice of Quinn and Hilmer (1995), there are companies who outsource more than only non-core competencies. De Vita and Wang (2006) envision a third generation of outsourcing where primary activities, which were treated as core competences in the past, are also being outsourced. A reason to do so may be found in cost saving (Lonsdale & Cox, 2000). Companies who conduct this kind of outsourcing only keep their soul of business in-house. Because most of their value chains are outsourced, these can be seen as virtual value chains. Such companies can be denoted as “virtual companies”. For example, De Vita and Wang (2006) cite an article in which a company with an 80 million dollar business is run by only three employees without touching the products throughout the entire value chain. Another illustration is Nike, which is outsourcing 100 percent of its shoe production and even subcontracts the advertising part of its marketing agenda.

2.3 The outsourcing process

Shifting towards outsourcing requires companies to think ahead. In order to obtain the desired position of such an initiative, objectives and a strategy to achieve those objectives, have to be formulated. Numerous frameworks on this issue have been published and there are several commonalities among them. Topics like the risks and importance of outsourcing are found throughout literature (McIvor, 2000). This paragraph discusses when, what and how to conduct an outsourcing strategy.

2.3.1 When to outsource

Typically, outsourcing is inspired by the wish to gain efficiencies and a desire to become more flexible (Porter, 1996). To do so, activities need to be contracted out. However, companies do not initiate outsourcing by letting their strategically most important activities be performed by others. Usually, the outsourcing path starts with functions that can be denoted as non-core competences like janitorial, administrative or maintenance functions. After a while, when a company has gained experience with outsourcing (e.g. how to manage vendors), activities of higher strategic importance are contracted out (Bragg, 1998). Decisions on outsourcing are made at operational, tactical and strategic levels within a firm (Dekkers, 2000).

2.3.2 What to outsource

2.3.3 Outsourcing cycle

Figure 2.1 The sourcing cycle

(Source: Delen, 2000)

2.4 Types of relationships

Figure 2.2 Taxonomy of four classes of outsourcing relations

(Source: Gallivan & Oh, 1999)

Simple Dyadic. This type of relationship is the plainest. In most academic studies on IT outsourcing this type is used as default. It can be found in relationships with large IT outsourcing vendors like EDS, IBM and Accenture⁴, which can equip their clients with full IT services (Gallivan & Oh, 1999). An important risk in this kind of relationship is overdependence: the vendor party has virtually no competition in providing services to the firm. This way, price and level of services can be imposed on the client.

Multi-Vendors. A multi-vendor relationship is an association between one client and several vendors. The advantage to the client is having access to special technical skills at each vendor (Gallivan & Oh, 1999). One of the reasons to adopt a multi-vendor relationship with suppliers can also be to keep switching costs low. In this situation a single sourcing approach is used, but services are obtained at more than one provider. In this case, the client can switch vendors in a relatively short time (Lonsdale, 1999), which means an increase of flexibility. In such a situation the risk of overdependence is less likely. However, having connections to multiple contractors increases security risks: integrity of data could be impaired because data is being handled in several situations, possibly in different manners. Also, having numerous connections increases the peril of unintentional sharing of information. This sharing of information can be instigated by the partner as well as by the firm itself. In the first case, the partner initiates a request for information, either through human interaction or by using available access points to company information like the extranet. The second case concerns voluntary sharing of information by the firm’s staff. An example of this is a student-teacher relationship between two firms. Where the student wants to learn new things, the teaching party wants to share information in order to benefit later on. However, these benefits are not always obtained fully. The literature contains examples of business relationships between US and Japanese parties. The latter mainly act as students and do so in a smart way: by acting humble they are able to obtain information about how the other party has optimized its processes, while the Japanese party gives little or no information in return. Therefore, each connection needs to be monitored sufficiently by a gatekeeper (Hamel et al., 1989).

4 Gallivan & Oh mentioned Andersen Consulting. However, Andersen Consulting changed its name to

Co-Sourcing. When a group of clients obtains a shared service at one supplier, this

can be described as co-sourcing. For example, co-sourcing can be found in situations where marketing or management is being shared. Gallivan & Oh (1999) mention three advantages of co-sourcing:

• risk-sharing and reduction;

• increased bargaining power;

• buyer economies of scale.

Nevertheless, co-sourcing has its disadvantages. Just as with the multi-vendor relationship, an important risk of co-sourcing lies in unintentionally sharing information. Because the systems and data of several competitors are shared in one environment and possibly serviced by the same people, it is not unlikely that a breach in security will occur. An example of co-sourcing is the processing of electronic transactions among several Dutch banks by Equens (formerly known as Interpay). By sourcing this processing to Equens, the banks are able to make use of economies of scale (Equens, 2007).

Complex. Gallivan & Oh (1999) use the term complex to indicate a relationship of multiple clients and multiple vendors in a single outsourcing contract. This is in fact a combination of a multi-vendor relationship and a co-sourcing relationship. An example of such a case is the outsourcing contract in which Andersen Consulting teams up with GE Capital and seven insurance companies to deliver a broad array of information technology services4,5 (Gallivan & Oh, 1999). The risks that accompany this kind of relationship include the earlier discussed risk of unintentionally sharing information, because of the complexity and linkages within the contract. Besides, flexibility, which normally would be a benefit of outsourcing, can be affected, since the concerns of different parties are usually taken into account in outsourcing contracts. These concerns are not always in the interest of each individual party.

Throughout every kind of outsourcing relationship the risk of unintentionally sharing knowledge is a recurring issue. Every time a connection between the firm and the outside world is established, security measures should be put in place. It does not matter whether the connection is made by a simple request for information over the phone or by an external party accessing information on the firm’s intranet over a networked connection. In both situations adequate measures and controls should be put in place to prevent the aforementioned risk of unintentionally sharing knowledge.

5 The original newspaper report can be found at


2.5 Where to outsource

After the decision to outsource has been made, one of the following questions will be where to outsource. On this matter, companies have several choices as well. The options can be divided into domestic, near shore and offshore outsourcing. Each option has pros and cons.

2.5.1 Domestic outsourcing

This variant of outsourcing is chosen when labor is to be executed within the perimeter of the firm. Examples of this kind can be found in office cleaning and the running of the works canteen. Other reasons to choose domestic outsourcing can be found in the market knowledge of an outsourcing partner. Local marketing is an example of this.

2.5.2 Near shore outsourcing

Benefiting from lower wages and fiscal advantages may often be a reason to choose near shore outsourcing, while retaining the opportunity to visit the outsourced process without too many traveling expenses. Immigration laws can also trigger the use of near shore outsourcing. For example, a company like Microsoft is outsourcing software development to Canada, with bypassing US immigration laws as the main reason (Eweek.com, 2007). For European companies the choice to outsource business processes to Romania is inspired by lower wages and the presence of highly skilled personnel.

2.5.3 Offshore outsourcing


2.5.4 Pros and cons of outsourcing locations

In table 2.5 the pros and cons of each outsourcing variant are placed against each other. It shows that what is a pro for one option can be a con for another option.

Table 2.1 Pros and cons of outsourcing locations

| Location | Pros | Cons |
| --- | --- | --- |
| Domestic | same location; market knowledge; distance | no price advantage; no advantage on law and regulations concerning labour |
| Near shore | lower labour costs; skilled personnel; distance | less price advantage |
| Offshore | lower price; advantage on law and regulations concerning labour; skilled personnel | distance; cultural differences; managerial difficulties |

2.6 Opportunities and risks of outsourcing

The opportunities of outsourcing are myriad. However, the same applies to its risks. In table 2.2 an overview of frequently cited characteristics is presented.

In the following paragraphs the opportunities (paragraph 2.6.1) and the risks (paragraph 2.6.2) of outsourcing from the viewpoint of the client are discussed. The opportunities and risks of the outsourcing vendor are left out of scope. Each opportunity or risk has been classified as strategic, tactical or operational.

A strategic risk concerns the decision whether or not to undertake an action that has long-term effects. A wrong decision leads to bankruptcy. An example of such a decision is the choice of outsourcing.

A tactical risk can be placed between short-term and long-term risks. Such risks relate to decisions on how and where an operation will be performed, like choosing a partner, service levels and pricing.

Operational risks are risks of operations that are actually being performed, like signing up new users or changing roles. The effect of a wrong decision is a cost disadvantage.

Table 2.2 Overview of much cited opportunities and risks of outsourcing

| Opportunities | Risks |
| --- | --- |
| Focus on core competencies | Overdependence on external provider |
| Free up assets | Outsource competitive advantages |
| Reduce increasing investment requirements | Not achieving expected benefits |
| Higher flexibility | Hollowing out |
| Gain technical expertise | Security related risks |
| Buffer for product fluctuations | Lack of information and control / Regulatory risks |

(Source: Various6)


2.6.1 Opportunities

Strategic

Focus on core competencies

A significant advantage of outsourcing is enabling a focus on core competencies (Harland et al., 2005; Everaert & Sarens, 2005; Gilley & Rasheed, 2000; Quinn & Hilmer, 1995). Having this focus, management can provide increased managerial attention to those tasks a firm does best. Also, the firm is able to give more attention to resource allocation. This leads to a sustainable competitive advantage (Quinn, 1999).

Reduce increasing investment requirements

By contracting out work, a reduction of increasing investment requirements can be accomplished (De Vita & Wang, 2006; Everaert & Sarens, 2005; Alner, 2001; Gilley & Rasheed, 2000). The outsourcing vendor benefits from economies of scale, which can be passed on to its clients.

Tactical

Free up assets

Being able to free up assets when sourcing activities externally is also one of the gains of outsourcing (Harland et al., 2005; Bragg, 1998; Quinn & Hilmer, 1995). When certain activities are performed at an outsourcing vendor, the company’s workforce can address their skills to what they do best. This leads to a matching benefit of access to a greater production capacity.

Higher flexibility

The ability to replace fixed costs by variable costs is an essential advantage of entering an outsourcing relationship (Everaert & Sarens, 2005; Quinn & Hilmer, 1995). This entails a better responsiveness to competitive and market changes. According to Porter (1996), the urge to be flexible has been one of the new rules for managers over the last two decades. Mind that the disadvantage of this benefit is a decrease of control.


Figure 2.3 Flexibility versus control. Axes: control need and flexibility need. Arrangements shown: full ownership, partial ownership, joint development, retainer, long-term contract, call option, short-term contract.

(Source: Quinn & Hilmer, 1995)

Gain technical expertise

Outsourcing can bring an increase of technical expertise. This is most certainly the case in a multi-vendor situation where specific knowledge is present at the various vendors (Gallivan & Oh, 1999).

Operational

Buffer for product fluctuations

Seasonal influences may require a buffer for product fluctuations. One of the opportunities of contracting out work is that having one or more outsourcing vendors provides this buffer (Bragg, 1998). If a company has more jobs to execute for a limited length of time, it can turn this work over to one of its suppliers. In service operations, a buffer of available personnel can be used if for any reason many workers are needed. For example, this advantage could be applied when a helpdesk is overloaded after a malfunction has occurred. Having extra team members available when needed could reduce pressure on the helpdesk.

2.6.2 Risks

Strategic

Overdependence on external provider


However, the risk of becoming dependent on a supplier can be mitigated. An option to do so is to pursue a multi-vendor outsourcing strategy in which a firm decides to outsource an activity to more than one supplier. Such a strategy can be made feasible by standardising operations, which makes them mutually exchangeable (Overbeek et al., 2005). By doing this, the firm can switch suppliers when necessary with limited disruption and low costs. Another advantage is that competition between vendors will arise. Each vendor will strive to give the best service for the lowest price (Gallivan & Oh, 1999). This concept has been proven by Hewlett Packard (HP), which has a policy of dual sourcing. They outsource production to two suppliers, so there is a backup when needed. Also, HP installs its own equipment at the vendor. This prevents high switching costs (Lonsdale, 1999).

Outsourcing competitive advantages

Outsourcing competitive advantages is the second main risk of outsourcing, according to Lonsdale (1999). This risk arises when a mistake is made in identifying core and non-core activities (Harland et al., 2006; COMPANY X, 2006; Lonsdale, 1999). To prevent this risk from occurring, companies should take a careful look at their current and future core competencies. Because the fit between core competencies means the difference between failure and success, and the core competencies can be seen as the pillars underneath a firm, these core competencies must remain within the firm. Outsourcing one of the core competencies will decrease the value of the others, because this will disrupt the fit between the mentioned competencies.

Tactical

Not achieving expected benefits

Outsourcing will not always deliver the expected benefits (Harland et al., 2006; Lonsdale, 1999; McIvor, 2000; Gilley & Rasheed, 2000). According to Harland et al. (2006) only five percent of the companies who participated in a survey on outsourcing obtained the desired results. In addition, Gilley & Rasheed (2000) state that especially with respect to foreign outsourcing suppliers, transaction costs can be considerable. A recent survey performed by Compass showed that the costs of outsourcing could be 36 percent higher than when operations were performed internally (Het Financieele Dagblad, 2007b). A cause for this can be found in higher transaction costs and the higher expenses due to a more complex management approach.


Hollowing out

Becoming an empty company is one of the risks of outsourcing (Harland et al., 2006; COMPANY X, 2006; Everaert & Sarens, 2005; Gilley & Rasheed, 2000; Quinn & Hilmer, 1995). For example, this occurs when valuable workers and assets are transferred to an outsourcing vendor. Although some companies benefit from being hollowed out (De Vita & Wang, 2006), over-outsourcing can reduce a company’s ability to learn, especially when outsourcing is being used as a substitute for innovation (Gilley & Rasheed, 2000). If a firm becomes too hollow, it has less ability to bring weak suppliers up to the demanded performance level (Quinn & Hilmer, 1995).

Decreased control

Information gives you competitive advantage (Porter & Millar, 1985). When a firm is outsourcing, there is a risk of being the party with less information in the relationship with the supplier (Quinn & Hilmer, 1995). If there is a high potential for competitive advantage and the strategic risk of outsourcing is relatively high, then production should be done internally. At the same time, if the potential for competitive advantage is low and the strategic risk is low as well, then the product could be bought ‘off the shelf’.

Regulations like Sarbanes-Oxley (SOX), Basel II and, for example, local tax and labor laws at offshore locations have their impact on outsourcing risks (COMPANY X, 2006; Cannon & Growe, 2005). To be able to keep control over financial reporting, management must maintain an effective system to act accordingly. Hollowing out can be seen as a cause of a loss of oversight of IT controls. This is because without sufficient IT knowledge within the firm, management cannot assess its IT systems (Hall & Liedtka, 2007). However, section 404 of the SOX regulations requires management to certify annually that its internal controls of financial systems are effective. It is clear that, without precautions, this can be problematic in outsourcing situations.

Operational

Security related risks

For several decades, firms have found themselves in a position where information technology (IT) is vital for doing business. In this environment, firms are challenged with threats like theft, fraud and vandalism; in short: abuse. Other not uncommon threats are incompetence, accidents and disaster (Hawker, 2000). Using IT to conduct business in a safe manner requires putting in place measures to realise effective information security and control.


2.6.3 Trade-offs

Given the numerous risks and opportunities, the choices made when conducting an outsourcing strategy not only show relationships between risks and opportunities, but also require making trade-offs. This paragraph pays attention to these trade-offs.

Higher flexibility versus overdependence on external provider and decreased control

The most eye-catching trade-off of outsourcing is the trade-off between flexibility and control, in which each option has high significance for the profits and losses incurred by outsourcing. While outsourcing can provide flexibility to a firm, since contracting out non-core competencies elsewhere frees up space and personnel, it also brings a diminution of control. This is because someone else is performing the outsourced process, possibly at another location.

Reduce investment requirements versus not achieving expected benefits

The benefit of reduced investment requirements does not exclude the risk of not achieving expected benefits. On the contrary, since outsourcing promises to reduce investment requirements because the investments are now to be made by the outsourcing vendor, one would expect certain benefits. However, this expected reduction of investment does not always materialise. Having processes outsourced brings a decrease of control, which can lead to unforeseen incidents and costs. In such situations the firm may respond late, which leads to extra costs.

Focus on core competencies versus outsourcing competitive advantages

Focusing on core competencies by outsourcing competencies that are characterised as non-core can lead to outsourcing competitive advantages. Such a situation can arise when a company has not defined its core competencies well. Decision makers should also bear in mind not only what their core competencies are at this moment, but also what they will be after a certain amount of time or when changes in the market occur.

Free up assets versus hollowing out

Contracting out non-core competencies means that personnel can be brought into action on activities that are important to the firm. However, in some cases contracting out processes also implies putting out supporting equipment and staff. This lowers future investment requirements and even generates short-term income for the firm. However, if it is decided afterwards to insource the previously contracted out activities, it may be hard to find skilled employees. Also, even when personnel have been freed from performing less important activities, being able to perform these activities can be of value in the future.

Gain technical expertise versus security related risks


access information uncontrolled. Whereas the gain of technical knowledge can be seen as one of the main reasons to partner up to fulfil certain business processes, security related risks can be the very main reason not to collaborate with other parties. Therefore, this issue is an important trade-off for firms that engage in outsourcing.

2.7 Conclusion

This chapter examined the concept of outsourcing and answered the first two research questions:

• What is outsourcing and how did this evolve?

• What are the risks, management issues and security aspects of outsourcing in general?

After an introduction of the subject, in which the definition of outsourcing was presented, special attention was given to its evolution. This evolution has been divided over three generations of outsourcing, showing that outsourcing developed from situations in which firms outsource their non-core competencies, to situations where outsourcing near-core competencies became usual, and finally to situations where firms outsource nearly everything, keeping only their most precious assets within the walls of the firm, creating virtual organizations.

Next, the outsourcing process was discussed, looking at when to outsource, what to outsource and how to outsource. Delen (2000) depicts the third issue mentioned by using the ‘Outsourcing Cycle’.

Because outsourcing can occur in different relational situations, an overview based on work done by Gallivan & Oh (1999) has been used to describe four different connections between client and outsourcing vendor. When studying these different forms of relationships, the risk of overdependence came forward. Especially when not more than one outsourcing vendor was in place, this risk proved to be apparent. Next, attention has been paid to locations of outsourcing, where the differences between domestic, near shore and offshore outsourcing have been set out.


3 IT aspects of outsourcing

The previous chapter discussed outsourcing in general and glanced briefly at the IT aspects of outsourcing. This chapter puts the emphasis on the IT aspects of outsourcing and on what makes outsourcing of IT different from outsourcing general support activities like human resource management, catering and procurement, or outsourcing primary activities like logistics and marketing, as a company like Nike does. The objective of this chapter is to answer the third research question:

• What are the risks, management issues and security aspects of outsourcing IT?

To realise an answer to this question, first the definitions of information technology (IT) and IT outsourcing will be discussed. Along with these definitions, the evolutionary stages of development of both IT and IT outsourcing will be taken into account.

In the previous chapter the different variants of relationships between client and outsourcing vendor have been portrayed.

Specific attention on IT outsourcing risks and opportunities will be given by connecting Earl’s 11 risks of IT outsourcing (1996) to the outsourcing risks mentioned in the previous chapter.

Security issues arise from the risks that IT outsourcing comprises. These issues, and the possibilities to cope with them that are found in performance management of IT, form the end of this chapter and can be seen as a connection towards the topic of Identity & Access Management, which will come forward in the next two chapters.

3.1 Information technology

3.1.1 Definition of Information Technology

Information Technology (IT)7 is a comprehensive term for everything that involves the use of computers, software and telecommunications. Information Technology encompasses the development and management of computers, websites, software and databases. Mostly, these activities are performed in a business setting.

3.1.2 Evolution of Information Technology

After the development of the first electronic computers, the British 1943 Colossus and the U.S. ENIAC, whose construction was completed in 1946, the growth of information technologies started off. According to Moore’s Law (1965) the number of components in circuits on silicon chips, and with that the speed of computers, doubles every one and a half years. In computer networks a large improvement of technologies has also been perceptible over the years. Van Zanten and Heil (2007) point

7 In Europe IT is often indicated as ICT, an abbreviation for Information & Communication


out that this steady development of computer networks comes with perils. Where in the beginning of the computer era it was a matter of one central computer in a private space, nowadays computer networks cross the borders of office buildings or even the borders of countries and continents. For example, think of off-shoring situations where accounting departments are being outsourced from their European origin to India. Developments like this require security precautions. This is not only because the network now goes beyond the perimeter of the office building, but also because systems and data are now being accessed by external users.

3.2 IT Outsourcing

3.2.1 Definition of IT outsourcing

Within outsourcing, information technology (IT) takes a unique and important position. Although IT itself is usually not a primary process, it is not uncommon that IT is interwoven with several primary processes. This stresses that outsourcing IT must be handled as a delicate affair.

3.2.2 Evolution of IT outsourcing

Over the years, information technology (IT) evolved from a minor strategic function to an activity of elevated impact (Bragg, 1998). Nevertheless, a tempestuous growth of IT outsourcing is noticeable. For example, the IT outsourcing market almost doubled between 1995 and 2002 to $ 140 billion (Mahnke et al., 2005). Reasons to outsource IT can be found in financial, technical, strategic or political motives, or a combination of these (Mahnke et al., 2005). Therefore, decisions on outsourcing IT need to be well considered.

3.3 IT risk aspects of outsourcing

The previous chapter covered risks and opportunities of outsourcing in general. Since IT has a major impact on business process outsourcing, its risks should be taken into account properly. Opportunities and risks of outsourcing in general apply to IT outsourcing. However, there are perils that apply especially to IT outsourcing. In this paragraph, the eleven risks of IT outsourcing defined by Earl (1996), stated in table 3.1, are connected to the risks of outsourcing in general as revealed in paragraph 2.6.2.

Table 3.1 Eleven risks of IT Outsourcing

• Possibility of weak management

• Inexperienced staff

• Business uncertainty

• Loss of innovative capacity

• Native uncertainty

• Hidden costs

• Lack of organisational learning

• Outdated technology skills

• Dangers of eternal triangle

• Technological indivisibility

• Fuzzy focus

(Source: Earl, 1996)


Not achieving expected benefits

Possibility of weak management. Not being able to manage IT sufficiently is not a good motive to outsource IT. On the contrary, managing an outsourced activity is more difficult. Outsourcing does not necessarily bring in better management (Earl, 1996).

Outdated technology skills. When outsourcing to a vendor, the client cannot be sure that the vendor’s skills stay current. This affects the cost-reduction potential (Earl, 1996).

Native uncertainty. One of the benefits of outsourcing should be flexibility. However, outsourcing contracts are not always as flexible as the client would like them to be, and certain flexibility comes at a price (Earl, 1996).

Hidden costs. Outsourcing IT comes with setup costs, costs for being offline while moving IT services to the vendor’s location and costs for managing the outsourced IT services. It is not uncommon that these costs are underestimated when deciding whether or not to outsource (Earl, 1996).

Loss of innovative capacity. When the decision to outsource IT had its origins in cutting costs, the outsourcing vendor usually tends not to innovate, but rather to deliver at a low price (Earl, 1996).

Fuzzy focus. Sometimes the focus of the IT undertaking is on the process of outsourcing and downsizing instead of on what IT can do for the firm. In this case the focus is on the ‘how’ of IT instead of the ‘what’ (Earl, 1996).

Hollowing out

Business uncertainty. A short-term decision to outsource IT to cut costs or change focus might induce risks to long-term strategies. By outsourcing IT, skills and knowledge are lost (Earl, 1996).

Security related risks

Risk of unintentionally sharing of knowledge. Because outsourcing is about working together on specific tasks, certain knowledge needs to be shared. However, care must be taken to prevent information that is unnecessary for the alliance, but highly valuable to the competition, from being shared. Therefore, transparency needs to be limited (Hamel et al., 1989). On the one hand this can be established by contractual agreements; on the other hand a technical solution can be put in place. Sharing knowledge unintentionally can lead to abuse of information. For example, if your partner gains access to quotations made to your clients, the partner could make a better offer to the same client and win the contract. Another example is when your partner gains access to reports describing business processes within your firm. With this information the partner can see if you are bluffing about how much you depend on your vendor’s facilities when trying to get a better price for these services at the partner.

Inexperienced staff. Not every outsourcing vendor has experienced staff. Staff at the


Lack of organisational learning. One of the characteristics of IT is that learning about the capability is experiential. It is about learning by doing. If IT is outsourced, it is hard to learn from the experiences IT brings along (Earl, 1996). This can also lead to not having IT security skills when needed, for example when a decision to back-source IT has been made (Karyda et al., 2006).

Dangers of eternal triangle. When IT personnel and management need to communicate, often a middle man is put in between. On the one hand he conveys business needs to IT; on the other hand he can present the IT specialist’s concerns to the users. However, this can result in a lack of communication between the two parties (Earl, 1996). This can lead to misunderstandings in the field of security. For example, if an employee is assigned to wrong user groups he could obtain unwanted user rights, which possibly harms segregation of duties.

Decreased control

Technological indivisibility. Much of IT is not divisible because of integration of or connections between applications. Therefore, technical or responsibility problems can occur when outsourcing IT to multiple vendors (Earl, 1996). In such situations organisations can be forced to outsource their systems to a single sourcing vendor, which puts limitations on flexibility and creates dependency on this single provider.

3.4 Performance management of IT outsourcing

If processes are outsourced, and in particular IT processes, an optimal deployment of assets is important. To keep performance management in control, requirements such as the security demands of availability, integrity and confidentiality can be committed to a Service Level Agreement (SLA). To examine whether the desired performance levels are reached, a continuous check needs to be conducted in order to be able to intervene when needed. Because of its relation to availability management, performance management has a relation with security management (Overbeek et al., 2005; Fijneman et al., 2005).

3.4.1 Service Level Agreement

The aforementioned as well as other issues can be anticipated by having an adequate service level agreement (SLA) between the firm and the outsourcing vendor. Meanwhile, by using an SLA as a format for upfront planning, disagreement between both parties can be averted. An SLA is a written agreement between a service provider and a client of certain services. In such an agreement the delivered services are described, along with the rights and obligations of both the service provider and the client.


3.4.2 Third party Announcement

To make sure the outsourcing party complies with the aforementioned security demands formulated in the service level agreement, the client can carry out an audit initiated by itself or request a Third Party Announcement. Often such an announcement will be framed into a SAS 70 statement.

A SAS 70 statement is a report in which a vendor can disclose its control activities and processes to its clients. This statement is completely under the responsibility of the vendor organisation. Based on this report, an external auditor can give his value judgement by auditing the statement. This can be denoted as a SAS 70 audit (COMPANY X, 2007b).

Two variants of SAS 70 reports exist:

• Type I: a snapshot of the control measures at a certain moment;

• Type II: an opinion expressed on the functioning of control measures over a certain period of time.

The majority of the delivered SAS 70 reports are in the Type II format. This format offers the most assurance when giving a view on governance and control. These reports emphasise segregation of duties and an adequate surrounding process organisation. To enforce segregation of duties in an automated manner, Identity & Access Management applications are put in place (Marsman & Ten Houten, 2007).
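The automated enforcement of segregation of duties mentioned above, and the earlier risk of an employee being assigned to wrong user groups, can be illustrated with a short check. This is an added example, not part of the original thesis; the group names, permissions, conflict rules and user assignments are constructed assumptions.

```python
"""Segregation-of-duties (SoD) check over group memberships.

All groups, permissions, rules and users below are constructed sample data.
"""

# Permissions granted by each user group (constructed).
GROUP_PERMISSIONS = {
    "ap-clerks": {"invoice.create"},
    "ap-approvers": {"invoice.approve"},
    "treasury": {"payment.release"},
    "vendor-helpdesk": {"user.create"},
    "vendor-iam-admins": {"user.create", "role.assign"},
}

# Pairs of permissions that one identity must never hold together (constructed).
SOD_RULES = [
    ("invoice.create", "invoice.approve"),
    ("invoice.approve", "payment.release"),
    ("user.create", "role.assign"),
]

# Current memberships of internal staff and vendor staff ("ext-" prefix).
ASSIGNMENTS = {
    "alice": ["ap-clerks"],
    "bob": ["ap-clerks", "ap-approvers"],  # wrong group added by mistake
    "ext-carol": ["vendor-helpdesk"],
    "ext-dave": ["vendor-iam-admins"],  # one group already combines two duties
}


def effective_permissions(groups):
    """Map each permission to the set of groups that grant it."""
    granted = {}
    for group in groups:
        if group not in GROUP_PERMISSIONS:
            # An unknown group cannot be assessed, so refuse instead of guessing.
            raise KeyError(f"unknown group: {group}")
        for permission in GROUP_PERMISSIONS[group]:
            granted.setdefault(permission, set()).add(group)
    return granted


def sod_violations(groups):
    """Return (perm_a, perm_b, groups_involved) for every rule that is broken."""
    granted = effective_permissions(groups)
    violations = []
    for perm_a, perm_b in SOD_RULES:
        if perm_a in granted and perm_b in granted:
            involved = tuple(sorted(granted[perm_a] | granted[perm_b]))
            violations.append((perm_a, perm_b, involved))
    return violations


def audit(assignments):
    """Detective control: list users whose memberships break an SoD rule."""
    report = {}
    for user, groups in assignments.items():
        violations = sod_violations(groups)
        if violations:
            report[user] = violations
    return report


def may_assign(assignments, user, new_group):
    """Preventive control: allow a membership only if it breaks no further rule."""
    current = list(assignments.get(user, []))
    before = {(a, b) for a, b, _ in sod_violations(current)}
    after = {(a, b) for a, b, _ in sod_violations(current + [new_group])}
    return after <= before


if __name__ == "__main__":
    for user, violations in audit(ASSIGNMENTS).items():
        for perm_a, perm_b, groups in violations:
            print(f"{user}: {perm_a} + {perm_b} via {', '.join(groups)}")
    print("alice -> ap-approvers allowed:",
          may_assign(ASSIGNMENTS, "alice", "ap-approvers"))
```

The audit function corresponds to a periodic review of existing rights, while may_assign corresponds to a check at the moment a new membership is requested.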

3.4.3 Information Security

The processes which are arranged to protect the reliability of information systems and the data stored therein are denoted as information security (Overbeek et al., 2005). Issues in connection with this subject and outsourcing can mostly be observed at the point of the relationship between firm and vendor. In regard to this matter, the following difficulties can be mentioned (Fijneman et al., 2005):

• How can one be assured that the vendor stays compliant with agreements on services whose provisioning is hard to observe, like ensuring confidentiality of corporate data and the continuation of services after a disruption or calamity?

• How can the outsourcing organisation stay responsible for the reliability of, for example, outsourced processing of data, while its responsibility cannot be contracted out?


3.5 Conclusion

This chapter discussed the specific aspects of Outsourcing IT and was aimed to answer the third research question:

• What are the risks, management issues and security aspects of outsourcing IT?

By taking specific risks of IT outsourcing into account, the differences in risks and management issues between outsourcing in general and outsourcing IT have been pointed out. To show the relationship between risks and information security, a discussion on how to handle information security issues has been included. Matters like Service Level Agreements and SAS 70 reports have been taken into account, showing how they can help to reduce the risks mentioned in this and the previous chapter. It is shown that although outsourcing IT incurs risks mainly on control and information leakage, these risks can be kept within margins. With agreements on service levels, including the monitoring of security risks, both parties know, preceding and during the contract period, what to expect from each other now and in the future. By regularly performing audits a vendor can give a certain degree of assurance to its clients. This is often a requisite based on governmental regulations.
