Quantifying the Value of Directory Services

Introduction

There are a million different ways that organizations try to get by without a directory.

When you only have a few employees, then you can do everything manually. But around the time that organizations get to 20 employees, the lack of directory services starts to become painfully clear:

  • Tasks and processes that don’t scale
  • Unmanaged and unmonitored IT resource access
  • Difficulty for IT to completely onboard/offboard employees
  • Inability to achieve compliance in case of audit
  • Increased risk of a security incident

Many organizations are still getting by without a directory service – but it’s probably leaving their IT staff unnecessarily frazzled. The hidden cost of going without a true directory can be measured in the time spent managing their 50+ web-based applications by hand[1], laboriously tracking 191 passwords per person[2], and spending 1,800 hours[3] and $61,200[4] per year on manually updating just 50 systems. This cost does not solely impact the IT department either. The whole organization is affected by the inefficiencies and lower security that are a byproduct of not implementing a directory service. So what exactly is a directory service, and what does it have to do with security and productivity?

What is a Directory Service?

A directory service is a database that stores information about users and IT resources, maps out the relationships between them, and designates which users have access to which resources. An effective directory service will provide one central location where all of this information is stored and mapped, providing users and IT administrators access to computers, printers, servers, applications, files, and other resources on the network.

A directory service will provide a secure way to authorize users to access company resources – and to revoke a user’s access if necessary. Since a directory serves as the authoritative source of identity truth at an organization, it is also called a core identity provider or referred to as identity management.

With centralized management, IT admins can more efficiently and securely manage the environment. When working properly, end users do not even know that directory services exist. They just know that they’re gaining seamless access to the IT resources they need to do their job.

The better the directory, the more productivity and security the company enjoys. Conversely, the absence of an identity provider creates inefficiencies and security risks that can end up costing millions.

A Directory Service’s Impact on Productivity

IT Admin’s Productivity

The absence of an identity provider impacts an IT admin’s ability to streamline management of user information, user access, and the IT resources themselves. As a result, IT admins are left to manage these components manually, costing an organization a considerable amount of money and time.

Managing IT Resources

IT admins are responsible for managing the IT resources themselves, and as mentioned in the introduction, the typical organization uses more than just the 50+ web-based applications. On top of those applications, there are typically as many systems as there are users, a forest of server infrastructure, and several file servers and printers. With each of these resources, IT admins have to do the following:

  • Installation and configuration
  • Controlling access
  • Maintenance, repairs, and upgrades
  • Diagnosing and fixing problems
  • Monitoring to improve performance

While a directory service cannot automate all of these responsibilities, it can make them more efficient through group-based management of users and resources. This concept was pioneered by Microsoft with their GPOs (Group Policy Objects) for Windows machines, and now the ability for admins to automate tasks or enforce settings across a group of systems (regardless of platform) or users has become an expected capability of a full-fledged directory solution.

If there is no directory service, then IT admins do not have access to this type of capability, and they end up completing many tasks manually — one resource, one user at a time. Take systems, for example. A regular part of managing a group of systems includes enforcing security policies. A feature with GPO-like capabilities enables IT admins to remotely dictate how a whole fleet of systems will behave in their environment. Some of the system behavior IT admins need to manage includes the following: ensuring systems screen lock after an appropriate time period; disabling/enabling Cortana or Siri; assuring all systems are up-to-date; and managing what settings and features users have access to.

GPO-like capabilities empower IT organizations to dictate all of this and more with a few clicks. While Microsoft may have led the way with GPOs for Windows devices, there are now cross-platform alternatives that allow admins to enforce policies with greater ease across Windows, Mac, and Linux devices.

However, no directory service means no access to GPO-like capabilities, so enforcing security policies becomes a tedious, manual undertaking. This means IT admins have to physically go to each system to update it, amounting to high financial costs and time sinks.


In fact, CSO conducted a survey on manually managing system updates, and one IT admin said it took the following:

0
People
12
Hours Each

Once they were able to implement an automated process, it went down to

0
People
0
Hours Each**

Another report concluded that manual updates would take:

0
Systems
0
Hours per Month

In just one year that’s:

0
Labor Cost***
0
Hours†

At times, employees even had to stop working on their system so that IT could update it: each employee had to stop working for approximately 3 hours each month. In a 50 person company, that’s 1,800 interrupted user hours per year.[8]

The high costs associated with manually managing IT resources are just the start, though.

Managing User Information

In addition to the pain of manually managing resources, there is another task that is significantly more abundant and more painful when a directory service is not in place – changing user passwords.

Research from Mandylion Labs estimates that 20% to 50% of all help desk calls are for password resets. Additionally, the average help desk labor cost for a single password reset is about $70.[9] For an organization that closes approximately 2,600 IT tickets in one year, that adds up to $91,000 spent just on IT admins changing user passwords.[10]

These high costs occur when there is no core identity provider because each resource ends up having its own set of user information. As a result, managing user information is convoluted and tedious for IT admins, and daunting for end users. Users in particular find that it is too complicated to make simple adjustments on their own, so IT ends up fielding many requests related to simple tasks (e.g., password changes).


Managing Access to IT Resources

Onboarding and offboarding users is another task that is tedious and prone to human error when an identity provider is not in place. Just like with managing user information, IT admins have to go into each IT resource to add or delete a user. Take the 50+ applications found in the average organization. If these aren’t centrally managed by a directory service, an IT admin has to rely on manual maintenance, a method that is not only time consuming but also prone to human error. For example, if a user needs access to 20 applications, it’s laborious to touch each resource and add the appropriate information. When they leave the company, it’s just as time consuming to deprovision them from all of their IT resources.

End User Productivity

In the same way thousands of hours and dollars are spent on IT admins completing less valuable tasks, end user productivity is also negatively affected when unified identity management is not in place. For example, the lack of a directory service means users will likely have separate credentials for each resource. This is a problem because it means they will have to type in a different set of credentials for each digital asset. For each user, this results in the following:

  • 154 is the average number of credentials that users type out each month
  • 14 seconds is the average time a user takes to type out a single set of credentials
  • 36 minutes is the average time a single user spends each month typing out credentials*
  • 360 hours is the average amount of time a 50 person company will spend in a year on typing credentials††
  • 45 days is what it costs a 50 person company to type in credentials each year (based on an 8hr work day)†††

Additionally, 76% of employees report regularly experiencing password usage problems. Consequently, they regularly end up taking more than 14 seconds to gain access to their resource.[7]

The Cost to Your Bottom Line

We’ve covered a lot of data related to an absent directory service’s impact on productivity. So let’s briefly recap the costs we’ve presented so far and how they would impact your bottom line:

 


Manually patching systems could cost you the following for one year:

|                | 1 System   | 50 Systems | 250 Systems | 1000 Systems |
|----------------|------------|------------|-------------|--------------|
| IT labor costs | $1,224[14] | $61,200    | $306,000    | $1,224,000   |
| IT labor       | 36 hrs[13] | 1,800 hrs  | 9,000 hrs   | 36,000 hrs   |
| End user labor | 36 hrs[15] | 1,800 hrs  | 9,000 hrs   | 36,000 hrs   |

Password reset costs are the following for one year:

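| 1 Password Reset          | 50 Password Resets       | 250 Password Resets       | 1,000 Password Resets |
|---------------------------|--------------------------|---------------------------|-----------------------|
| $70 in IT labor costs[8]  | $3,500 in IT labor costs | $17,500 in IT labor costs | $70,000 in IT labor   |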

Labor spent just on typing out credentials amounts to the following for one year:

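| 1 Employee                     | 50 Employees              | 250 Employees               | 1,000 Employees             |
|--------------------------------|---------------------------|-----------------------------|-----------------------------|
| 7.2 hrs of end user labor[16]  | 360 hrs of end user labor | 1,800 hrs of end user labor | 7,200 hrs of end user labor |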

Clearly, not implementing a directory service can cost you a considerable amount of time and money. However, this is just half of the story. A directory service also plays a crucial role in securing an organization’s digital assets.

A Directory Service’s Impact on Security

When a directory service is not in place, IT admins are unable to centrally manage the choices users are making, especially when it concerns passwords. This is a particularly scary problem when you realize that 81% of breaches are a result of weak or stolen passwords. The likelihood of insecure user identities increases when there is no directory service because a user’s identity is not under an IT admin’s control, and instead winds up being the end user’s responsibility. This is a problem because you simply cannot count on your end users to follow best practices when it comes to security.

Why Security is Best Left Under IT’s Control

When it comes down to it, a user’s curiosity and desire for convenience will outweigh security. This attitude makes the users themselves the biggest security threat at a company. Let’s break down the risk presented by users and how identity management practices can either increase or reduce that risk.

Guarding Against Curiosity

A user’s curiosity tends to get the better of them. For example, a study by the University of Illinois found that 50% of people who find a lost USB drive will insert it into their computer, and 70% of those people do not even take any security precautions. Furthermore, “While users initially connect the drive with altruistic intentions, nearly half are overcome with curiosity and open intriguing files—such as vacation photos—before trying to find the drive’s owner.”[12]

Countering Tendencies for Convenience

IT admins not only have to worry about a user’s curiosity, but also their tendency to favor convenience over security. A report from LastPass found the following:

  • 61% of people use the same or a similar password everywhere
  • 91% know that keeping the same password is not a secure practice
  • 73% of online accounts are guarded by duplicate passwords*

This behavior is not surprising considering another study discovered 38% of users would rather clean a toilet than create a new password.[19]

Clearly, users despise coming up with new passwords. In the event that users do create new passwords, the downside is they tend to pick passwords that are easy to remember. In fact, the top 5 most used passwords in 2017 were the following[20]:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345

Your Greatest Security Risk

Employees are responsible for about 46% of IT security incidents and 40% will try to hide an incident to avoid punishment. The same survey also discovered that employee negligence was responsible for losing highly sensitive customer/employee information among 25% of companies who participated.[21]

Implementing a directory service can reduce employee negligence with features that can enforce password complexity, multi-factor authentication (MFA), SSH key authentication, security policies on systems, and more.

Nobody thinks they’re going to be breached until they are, and some have paid a heavy price for not taking security more seriously. If you are a small company, it is easy to think attackers will not target you, but in a report from Verizon, 61% of data breach victims were businesses under 1,000 employees.[12] So regardless of company size, it’s crucial to reevaluate your security posture and how many decisions are in the hands of the end user. If the results are unsettling, implementing an identity provider is a powerful starting point. Let’s take a look at the data breach costs you would avoid by taking this step.

Cost of a Breach

When considering the cost of a data breach in the United States, Ponemon Institute presents a number of components to consider:[22]

Cost to Investigate

On average, $1.07 million is spent to investigate a breach.‡

Cost to Notify

The average company spends $0.69 million on notifying board members, customers, and anybody else who is involved.‡

Post Data Breach Costs

$1.56 million is spent on post data breach tasks like help desk activities, inbound communication, special investigations, remediation, legal expenditures, product discounts, identity protection services, and regulatory intervention.‡

Cost of Lost Business

Customer business loss can amount to $4.03 MM when a company experiences a data breach.‡

Average Total Cost of a Data Breach

When the average costs of all these components are considered, a data breach could mean $7.35 million in losses. Depending on how long it takes you to identify and contain the breach, this cost can significantly increase or decrease.‡

Conclusion

Whether in terms of productivity, security, or simply finances, an organization can pay a high price when they fail to implement a directory service. The absence of a directory service impacts more than just the bottom line, dictating how end users and IT admins spend their time. In fact, thousands of hours can be wasted on tasks that have little-to-no value. Additionally, a directory service assists IT organizations with fortifying security by helping take security-related decisions out of the hands of risk-prone end users, and avoiding the average 7 million dollar expense attached to a data breach.

With the potential monetary and productivity loss that occurs when a directory service is absent, hopefully the question is no longer whether or not you should implement one, but rather, can you afford not to?

Next Steps

So, now that you understand how a directory service can bring tremendous value to your organization, which one do you choose? What makes an effective directory service and what doesn’t? If you have a cloud-forward IT environment that includes a mix of systems (e.g. Windows®, Mac®, Linux®), platforms (i.e. O365™, G Suite™, Slack, GitHub™), or providers (AWS®, GCP™, Azure®, etc.), consider starting your search with JumpCloud® Directory-as-a-Service®. The customer case studies below offer insight into how JumpCloud has helped organizations solve many of the productivity and security issues mentioned in this report. If you would like to talk to a person about how JumpCloud can centralize your IT environment, don’t hesitate to reach out to us. For specific information on how JumpCloud’s ROI compares to other significant players in the space, mention that you would like to see JumpCloud’s ROI Calculator. Of course, you are also more than welcome to start experiencing our cloud identity provider for yourself by signing up for a free account.

Sources

  1. Blissfully – SaaS Explosion Creates SaaS Chaos
  2. *LastPass – The Password Expose
  3. Average time spent manually patching systems: 120 hr/41 systems = 3 hrs/system ; 3hr x 12 months = 36 hours to patch 1 system ; 36 x 50 systems = 1,800 hrs a year to patch 50 systems
  4. Average annual salary of a sysadmin: $72,762 ;Working hours in a year: 2087
    72,762/2087 = $34/hr ; 1,800 x 34 = $61,200 average IT labor cost for manually patching systems
  5. **CSO Online – Patching Windows is a Major Time Sink for IT
  6. ***Average annual salary of a sysadmin: $72,762 ;Working hours in a year: 2087
  7. Average time spent manually patching systems: 120 hr/41 systems = 3 hrs/system ; 3hr  x 50 = 150 hrs/month ; 150 hours x 12 months =  1,800 hours a year on manually patching systems
  8. 120 hr/ 41 systems = 3 hrs; 3 hrs x 50 people = 150 hrs ; 150 hrs x 12 month = 1,800 hrs
  9. Mandylion Research Labs
  10. 2,600 x .5 = 1,300 ; 1,300 x 70 = $91,000 (Based on research that states that the average help desk labor cost for a single password reset is about $70 (Mandylion Labs).)
  11. ††Average time spent typing credentials for 50 users per year: 154 credentials x 14 seconds = 2,156 seconds ; 2156 seconds /60 seconds = 36 minutes x 12 months = 432 minutes/ 60 minutes = 7.2
  12. †††360 hours/ 8 hours (assuming work days are 8 hours) = 45 days/ year/ 50 users
  13. Average time to patch systems: 120 hours /41 systems = ~ 3 hrs ; 3 hrs x 12 months = 36 hrs/year
  14. Average annual salary of a sysadmin: $72,762 ;Working hours in a year: 2087
    72,762/2087 = $34/hr ; 36 hrs x $34 = $1,224/year on manually patching 1 system
  15. 20 hours /41 systems = ~ 3 hrs ; 3 hrs x 12 months = 36 hrs/year
  16. Average time typing credentials: 154 credentials x 14 seconds = 2,156 seconds ; 2156 seconds /60 seconds = 36 minutes x 12 months = 432 minutes/ 60 minutes = 7.2 hours/year/user
  17. 2017 Verizon Data Breach Investigation Report
  18. University of Illinois – USB Study
  19. Symantec – Is Your Data Safe Infographic
  20. Fortune – 25 Most Used Passwords for 2017
  21. Kaspersky – The Human Factor in IT Security
  22. Ponemon – 2017 Cost of a Data Breach Study