Use IAM to Optimize License Spend

IAMConsider how you can use IAM to make sure you’re getting the most out of your software investments.

IT security leaders perform a multitude of critical IAM functions — everything from simple tasks such as allowing users to reset their passwords to facilitating simple and fast sign-on into all applications and secure APIs. As end user populations increase in size, particularly those that have at least 1,000 human identities, it’s critical to automate how they manage these populations.

Often this means investing in an IAM tool suite like BeyondTrust or Sailpoint. In many cases, the business wants some kind of ROI calculation that goes above and beyond “controlling access” or even “knowing who has access to what.”

Here’s a rarely considered application of IAM that offers a new business case, one for cost management of accounts under license with enterprise software. Think Office365 or CMDB applications, even SaaS applications used from one department to another.

Does Your Disable/Delete Policy Consider License Spend?

Many organizations do not have a formal policy that defines when a user’s account is disabled or deleted. Account deletion carries a higher consequence if done in error, so a path of least resistance for some identity and access management leaders is to disable the account and never address its deletion. The result is increased cost for data storage and software licenses that are not used. A high volume of orphan accounts demonstrates a lack of control and may be wasting user licenses.

Make Your Policies Flexible for Users and the CFO

In many organizations, tracking who needs a software license and for how long is challenging. As a result, IT is always trying to play catch-up, so the business doesn’t end up paying for licenses it doesn’t really need. If employees change roles or leaves the company, access is automatically removed and the license is returned to a pool or canceled. Are your policies written to support this movement efficiently?  Here’s an example of a simple policy that ensures awareness and context necessary for reducing license spend through identity and access management .

A user’s manager or identity access control system must notify all responsible administrators, administrative systems or help desks within one week from the time it is determined that a user no longer has a business need for an account, and no later than one working day following the person’s last day of employment.


The key realization is that the discussion of when to disable, versus when to delete, is actually a business requirement as much as it is a security requirement. IAM leaders must thoroughly review and understand the organization’s information-retention requirements, possibly advising the business in ways to standardize its approach to facilitate automation and compliance by identity and access management tools.