10 identity management metrics that matter

Within the IT security community, identity- and access-management (IAM) initiatives are considered high value, but are notoriously problematic to deploy. Yet despite IAM's complexity, it represents 30 percent or more of the total information security budget of most large institutions, according to IDC (a sister company to CSO's publisher).

Ironically, the deployment difficulties stem from having to reconcile the very people and process breakdowns IAM automation is meant to solve, such as too many or too few people involved in authorizing requests, a lack of documentation for access requests and approvals, connecting to target systems with "dirty" or obsolete data, and so on. This conundrum has led to the rise of what is called identity governance.

Identity governance involves defining and executing the identity-related business processes that are most critical to the organization. For example, an engineer needs root access to the server hosting an ERP system--who needs to approve that request? Who is the one who actually takes the action that grants that access? How does that process get documented? Where is it stored, and for how long? How can we report on it during an audit?

[Also read Too much access? Privileged identity management to the rescue]

Getting your organization's governance processes locked in is a tall order, but well worth it. One of the many benefits of proper identity governance is that it pinpoints which identity-related processes are most in need of attention. Here are 10 of the most common measurements for gauging the effectiveness of identity governance.

1. Password reset volume per month. This one is a classic in identity management, and it's key to helping organizations measure the effectiveness of their IAM programs. Businesses typically look at password-related help desk calls, account lockouts, and self-service resets per month as good indicators of password-policy effectiveness. This metric should generally trend downward, alhough there may be peaks and valleys driven by business events. If it doesn't, your organization's password policies and management tools require a closer look.

2. Average number of distinct credentials per user. Another IAM classic, and for years, a key business justification for single sign-on (SSO) initiatives. The industry average ranges from 10 to 12 unique accounts per user. Organizations should strive to bring this average down as close to one as possible.

3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person's accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks--they are open, live accounts that can be easily hijacked for un-authorized use.

4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there's a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.

5. Average time it takes to provision or de-provision a user. This shows how long a new user waits to get access to the resources they need to do their work. It has implicit productivity and ROI ramifications. Nine times out of 10, if someone doesn't get access to applications in a timely fashion, there are process issues behind the delay. This metric can flag a business process that needs to be reviewed and possibly adjusted.

6. Average time it takes to authorize a change. This metric can provide insight into the efficiency of an organization's approval processes. For example, if there are four people involved in approving a sales rep's access to Salesforce.com, but it takes two weeks for that approval to be granted, that's two weeks the sales rep is limited in his capacity to sell. Knowing how long it takes for approvals to be granted can help identify bottlenecks or out-of-date processes.

7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who had the credentials to grant them access to important resources--making them privileged users--no longer need access to those resources but never had their privileges removed. This problem here is obvious--who wants privileged accounts that don't belong to anyone floating around?

8. Number of exceptions per access re-certification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator of poor identity data quality (that is, lots of users having access that they should not have), or of process problems (that is, the person requesting re-certification does not have all the information they need to complete the process.)

9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused be the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers are not matched), or worse yet, of an account created by backdoor channels. These exceptions should trend toward zero over time, and any spikes should trigger a thorough investigation and further discussion.

10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature, but are also the riskiest to miss, given the potential damage that could be inflicted if they're exploited. Exploitations of these problems are the kind that often make headlines. The organization should implement preventive controls to monitor these violations, report them and orchestrate their remediation.

It's often hard to understand the scope and ramifications of these kinds of people and process breakdowns until you take concrete steps to address them. That is part of the reason IAM and identity governance are perceived as daunting and, at times, painful. But only with metrics can the organization measure its effectiveness and success in efficiently managing user access, and make the necessary adjustments to reap significant security, compliance and operational benefits. If you have started an identity governance initiative, do your best to track some of these metrics--you'll be glad you did.

Frank Villavicencio leads Identropy's Managed Identity Services business.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about IDC AustraliaIT SecuritySalesforce.com

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Frank Villavicencio

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place