Introduction
There are a million different ways that organizations try to get by without a directory.
When you only have a few employees, it’s fairly doable to manage an IT environment manually. However, around the time that organizations get to 20 employees, the lack of directory services starts to become painfully clear:
- Tasks and processes don’t scale
- IT resource access goes unmanaged and unmonitored
- IT has difficulty in completely onboarding/offboarding employees
- It’s challenging to audit user access, and therefore difficult to achieve compliance
- There is an increased risk of a security incident
Many organizations are still getting by without a directory service – but it’s probably leaving their IT staff unnecessarily frazzled. The hidden cost of going without a true directory can be measured in the time spent managing their 50+ web-based applications by hand [1], laboriously tracking 191 passwords per person [2], and spending 1,800 hours [3] and $61,200 [4] per year on manually updating just 50 systems. This cost does not solely impact the IT department either. The whole organization is affected by the inefficiencies and lower security that are byproducts of not implementing a directory service. So what exactly is a directory service, and what does it have to do with security and productivity?
What is a Directory Service?
A directory service is a database that stores information about users and IT resources. Then, with this information, it maps out the relationship between users and IT resources and designates access between the two. An effective directory service will provide one central location where all of this information is stored and mapped, providing users and IT administrators access to computers, printers, servers, applications, files, and other resources on the network.
A directory service will provide a secure way to authorize users to access company resources – and to revoke a user’s access if necessary. Since a directory serves as the authoritative source of identity truth at an organization, it is also called a core identity provider or referred to as identity management.
With centralized management, IT admins can more efficiently and securely manage the environment. When a directory service is working properly, end users do not even know that it exists. They just know that they’re gaining seamless access to the IT resources they need to do their job.
The better the directory, the more productivity and security the company enjoys. Conversely, the absence of an identity provider creates inefficiencies and security risks that can end up costing millions.
A Directory Service’s Impact on Productivity
IT Admin’s Productivity
The absence of an identity provider impacts an IT admin’s ability to streamline management of user information, user access, and the IT resources themselves. As a result, IT admins are left to manage these components manually, costing an organization a considerable amount of money and time.
Managing IT Resources
IT admins are responsible for managing the IT resources themselves, and as mentioned in the introduction, the typical organization uses more than just the 50+ web-based applications. On top of those applications, there are typically as many systems as there are users, a forest of server infrastructure, and several file servers and printers. With each of these resources, IT admins have to do the following:
- Installation and configuration
- Controlling access
- Maintenance, repairs, and upgrades
- Diagnosing and fixing problems
- Monitoring to improve performance
While a directory service cannot automate all of these responsibilities, it can make them more efficient through group-based management of users and resources. This concept was pioneered by Microsoft with their GPOs (Group Policy Objects) for Windows machines, and now the ability for admins to automate tasks or enforce settings across a group of systems (regardless of platform) or users has become an expected capability of a full-fledged directory solution.
If there is no directory service, then IT admins do not have access to this type of capability, and they end up completing many tasks manually — one resource, one user at a time. Take systems, for example. A regular part of managing a group of systems includes enforcing security policies. A feature with GPO-like capabilities enables IT admins to remotely dictate how a whole fleet of systems will behave in their environment. Some of the system behavior IT admins need to manage includes the following: ensuring systems screen lock after an appropriate time period; disabling/enabling Cortana or Siri; assuring all systems are up-to-date; and managing what settings and features users have access to.
GPO-like capabilities empower IT organizations to dictate all of this and more with a few clicks. While Microsoft may have led the way with GPOs for Windows devices, there are now cross-platform alternatives that allow admins to enforce policies with greater ease across Windows, Mac, and Linux devices.
However, no directory service means no access to GPO-like capabilities, so enforcing security policies becomes a tedious, manual undertaking. This means IT admins have to physically go to each system to update it, amounting to high financial costs and time sinks.
In fact, CSO conducted a survey on manually managing system updates, and one IT admin said it took the following:
12 people, 20 hours each
Once they were able to implement an automated process, it went down to:
2 people, 6 hours each**
Another report concluded that manual updates would take:
50 systems, 150 hours per month
In just one year that’s:
$61,200 labor cost*** and 1,800 hours†
At times, employees even had to stop working on their system so that IT could update it: each employee had to stop working for approximately 3 hours each month. In a 50-person company, that’s 1,800 interrupted user hours per year. [8]
The high costs associated with manually managing IT resources are just the start, though.
Managing User Information
In addition to the pain of manually managing resources, there is another task that is significantly more abundant and more painful when a directory service is not in place – changing user passwords.
Research from Mandylion Labs estimates that 20% to 50% of all help desk calls are for password resets. Additionally, the average help desk labor cost for a single password reset is about $70 [9]. For an organization that closes approximately 2,600 IT tickets in one year, that adds up to $91,000 spent just on IT admins changing user passwords. [10]
These high costs occur when there is no core identity provider because each resource ends up having its own set of user information. As a result, managing user information is convoluted and tedious for IT admins, and daunting for end users. Users in particular find that it is too complicated to make simple adjustments on their own, so IT ends up fielding many requests related to simple tasks (e.g., password changes).
Managing Access to IT Resources
Onboarding and offboarding users is another task that is tedious and prone to human error when an identity provider is not in place. Just like with managing user information, IT admins have to go into each IT resource to add or delete a user. Take the 50+ applications found in the average organization. If these aren’t centrally managed by a directory service, an IT admin has to rely on manual maintenance, a method that is not only time consuming but also prone to human error. For example, if a user needs access to 20 applications, it’s laborious to touch each resource and add the appropriate information. When they leave the company, it’s just as time consuming to deprovision them from all of their IT resources.
End User Productivity
In the same way thousands of hours and dollars are spent on IT admins completing less valuable tasks, end user productivity is also negatively affected when unified identity management is not in place. For example, the lack of a directory service means users will likely have separate credentials for each resource. This is a problem because it means they will have to type in a different set of credentials for each digital asset. This results in the following:
- 154: The average number of credentials that users type out each month
- 14: The average time (in seconds) a user takes to type out a single set of credentials
- 36: The average time (in minutes) a single user spends a month on typing out credentials*
- 360: The average amount of time (in hours) a 50 person company will spend in a year on typing credentials†
- 45: What it costs a 50-person company (in days) to type in credentials each year (based on an 8-hour work day)†††
Additionally, 76% of employees report regularly experiencing password usage problems. Consequently, they regularly end up taking more than 14 seconds to gain access to their resource. [7]
The Cost to Your Bottom Line
We’ve covered a lot of data related to an absent directory service’s impact on productivity. So let’s briefly recap the costs we’ve presented so far and how they would impact your bottom line:
A Directory Service’s Impact on Security
When a directory service is not in place, IT admins are unable to centrally manage the choices users are making, especially when it concerns passwords. This is a particularly scary problem when you realize that 81% of breaches are a result of weak or stolen passwords [17]. The likelihood of insecure user identities increases when there is no directory service because a user’s identity is not under an IT admin’s control, and instead winds up being the end user’s responsibility. This is a problem because you simply cannot count on your end users to follow best practices when it comes to security.
Why Security is Best Left Under IT’s Control
When it comes down to it, a user’s curiosity and desire for convenience will outweigh security. This attitude makes the users themselves the biggest security threat at a company. Let’s break down the risk presented by users and how identity management practices can either increase or reduce that risk.
Guarding Against Curiosity
A user’s curiosity tends to get the better of them. For example, a study by the University of Illinois found that 50% of people who find a lost USB drive will insert it into their computer, and 70% of those people do not even take any security precautions. Furthermore, “While users initially connect the drive with altruistic intentions, nearly half are overcome with curiosity and open intriguing files—such as vacation photos—before trying to find the drive’s owner.” [18]
Countering Tendencies for Convenience
IT admins not only have to worry about a user’s curiosity, but also their tendency to favor convenience over security. A report from LastPass found the following:
- 61% of people use the same or a similar password everywhere
- 91% know that keeping the same password is not a secure practice
- 73% of online accounts are guarded by duplicate passwords*
This behavior is not surprising considering another study discovered 38% of users would rather clean a toilet than create a new password. [19]
Clearly, users despise coming up with new passwords. In the event that users do create new passwords, the downside is they tend to pick passwords that are easy to remember. In fact, the top 5 most used passwords in 2017 were the following [20]:
- 123456
- Password
- 12345678
- qwerty
- 12345
Your Greatest Security Risk
Employees are responsible for about 46% of IT security incidents and 40% will try to hide an incident to avoid punishment. The same survey also discovered that employee negligence was responsible for losing highly sensitive customer/employee information among 25% of companies who participated. [21]
Implementing a directory service can reduce employee negligence with features that can enforce password complexity, multi-factor authentication (MFA), SSH key authentication, security policies on systems, and more.
Nobody thinks they’re going to be breached until they are, and some have paid a heavy price for not taking security more seriously. If you are a small company, it is easy to think attackers will not target you, but in a report from Verizon, 61% of data breach victims were businesses under 1,000 employees. [17] So regardless of company size, it’s crucial to reevaluate your security posture and how many decisions are in the hands of the end user. If the results are unsettling, implementing an identity provider is a powerful starting point. Let’s take a look at the data breach costs you would avoid by taking this step.
Cost of a Breach
When considering the cost of a data breach in the United States, Ponemon Institute presents a number of components to consider [22]:
- Cost to Investigate: On average, $1.07 million is spent to investigate a breach.‡
- Cost to Notify: The average company spends $0.69 million on notifying board members, customers, and anybody else who is involved.‡
- Post Data Breach Costs: $1.56 million is spent on post data breach tasks like help desk activities, inbound communication, special investigations, remediation, legal expenditures, product discounts, identity protection services, and regulatory intervention.‡
- Cost of Lost Business: Customer business loss can amount to $4.03 million when a company experiences a data breach.‡
- Average Total Cost of a Data Breach: When the average costs of all these components are considered, a data breach could mean $7.35 million in losses. Depending on how long it takes you to identify and contain the breach, this cost can significantly increase or decrease.‡
Conclusion
Whether in terms of productivity, security, or simply finances, an organization can pay a high price when they fail to implement a directory service. The absence of a directory service impacts more than just the bottom line, dictating how end users and IT admins spend their time. In fact, thousands of hours can be wasted on tasks that have little-to-no value. Additionally, a directory service assists IT organizations with fortifying security by helping to take security-related decisions out of the hands of risk-prone end users and avoiding the average 7 million dollar expense attached to a data breach.
With the potential monetary and productivity loss that occurs when a directory service is absent, hopefully the question is no longer whether or not you should implement one, but rather, can you afford not to?
Next Steps
So, now that you understand how a directory service can bring tremendous value to your organization, which one do you choose? What makes an effective directory service, and what doesn’t? If you have a cloud-forward IT environment that includes a mix of systems (e.g. Windows®, Mac®, Linux®), platforms (i.e. O365™, G Suite™, Slack, GitHub™), or providers (AWS®, GCP™, Azure®, etc.), consider starting your search with JumpCloud® Directory-as-a-Service®. The customer case studies below offer insight into how JumpCloud has helped organizations solve many of the productivity and security issues mentioned in this report. If you would like to talk to a person about how JumpCloud can centralize your IT environment, don’t hesitate to reach out to us. For specific information on how JumpCloud’s ROI compares to other significant players in the space, mention that you would like to see JumpCloud’s ROI Calculator. Of course, you are also more than welcome to start experiencing our cloud identity provider for yourself by signing up for a free account.
Sources
- Blissfully – SaaS Explosion Creates SaaS Chaos
- *LastPass – The Password Expose
- Average time spent manually patching systems: 120 hr / 41 systems = 3 hrs/system; 3 hr x 12 months = 36 hours to patch 1 system; 36 x 50 systems = 1,800 hrs a year to patch 50 systems
- Average annual salary of a sysadmin: $72,762; working hours in a year: 2087; 72,762/2087 = $34/hr; 1,800 x 34 = $61,200 average IT labor cost for manually patching systems
- **CSO Online – Patching Windows is a Major Time Sink for IT
- ***Average annual salary of a sysadmin: $72,762; working hours in a year: 2087
- †Average time spent manually patching systems: 120 hr / 41 systems = 3 hrs/system; 3 hr x 50 = 150 hrs/month; 150 hours x 12 months = 1,800 hours a year on manually patching systems
- 120 hr / 41 systems = 3 hrs; 3 hrs x 50 people = 150 hrs; 150 hrs x 12 months = 1,800 hrs
- Mandylion Research Labs
- 2,600 x .5 = 1,300; 1,300 x 70 = $91,000 (based on research that states that the average help desk labor cost for a single password reset is about $70 (Mandylion Labs))
- ††Average time spent typing credentials for 50 users per year: 154 credentials x 14 seconds = 2,156 seconds; 2,156 seconds / 60 seconds = 36 minutes x 12 months = 432 minutes / 60 minutes = 7.2
- †††360 hours / 8 hours (assuming work days are 8 hours) = 45 days/year/50 users
- Average time to patch systems: 120 hours / 41 systems = ~3 hrs; 3 hrs x 12 months = 36 hrs/year
- Average annual salary of a sysadmin: $72,762; working hours in a year: 2087; 72,762/2087 = $34/hr; 36 hrs x $34 = $1,224/year on manually patching 1 system
- 20 hours / 41 systems = ~3 hrs; 3 hrs x 12 months = 36 hrs/year
- Average time typing credentials: 154 credentials x 14 seconds = 2,156 seconds; 2,156 seconds / 60 seconds = 36 minutes x 12 months = 432 minutes / 60 minutes = 7.2 hours/year/user
- 2017 Verizon Data Breach Investigation Report
- University of Illinois – USB Study
- Symantec – Is Your Data Safe Infographic
- Fortune – 25 Most Used Passwords for 2017
- ‡Kaspersky – The Human Factor in IT Security
- Ponemon – 2017 Cost of a Data Breach Study