As with any other business initiative, an IAM program benefits from tangible, tracked metrics. Without them, decision-making is slower and you lack visibility into the security risks tied to digital identities. Here are five useful IAM metrics for monitoring the implementation of an IAM system.
In a world of increasing regulations and credential-based information security threats, most organizations recognize the need for IAM solutions. Before diving into specific metrics to track, it’s worth going through some challenges companies face when implementing these solutions.
Whether you’re trying to track the effect on productivity, security, or compliance, here are five useful IAM metrics.
Access Correctness
The ideal provisioning landscape is one in which the gap between the access a user has and the access they should have is minimal, and stays that way over the whole lifecycle of each account. You don’t want a scenario where the only time users hold the right level of access is just after a periodic certification cycle.
To keep access correct over each user’s lifecycle, you need metrics that answer who has the right access and who doesn’t. One useful proxy is the number of access requests per time period: a rising count of ad-hoc requests indicates outdated or inefficient provisioning rules that leave users with too little access by default. Note that request volume only surfaces under-provisioning; excess access shows up in certification results and in the unused-access metric below.
Data Completeness
You need complete data to make informed decisions about provisioning policy, and that data usually comes from HR processes. Whether you are analyzing user records or account records, every record needs the full set of fields that identity management decisions depend on. Missing fields and attributes lead to users getting the wrong level of access, because provisioning rules key on attributes such as department, manager, or job title; a record with an empty department cannot match any role-based rule.
Completeness is one metric within a wider effort to measure data quality, which also depends on whether the data feeding your IAM process comes from authoritative sources, how current it is, and how consistent it is across sources. Ideally you want a full picture covering all of these aspects, but completeness is a good starting point.
Time to Provision
One compelling reason to implement an IAM solution is to shorten provisioning times. Users are frustrated, and their productivity suffers, while they wait for the access they need, whether that is the initial onboarding of a new employee or a role change for an existing one.
Conversely, when it takes too long to de-provision employees who leave, the security risk grows with every hour a leaver’s credentials still work. Measuring the average time to provision user access is a useful gauge of how your IAM solution affects productivity; measure time to de-provision as a separate figure, because the two have different consequences and a single blended average would hide a slow offboarding process behind fast onboarding.
A good IAM solution automates low-risk provisioning decisions, which should speed things up. If the average time to provision doesn’t change much after automation is introduced, assess whether you have properly defined roles for your organization. Good role mining produces logical groupings of access permissions, which opens up more provisioning decisions to automation.
Unused Access
Unused access is another important metric for judging your provisioning rules and how access is actually used. A high level of unused access enlarges your attack surface, because a compromised or rogue account carries every entitlement it holds, including access to applications its owner never opens.
Unused access also adds administrative burden, since it accumulates over time unless something removes it. Tracking it helps your organization conform to the principle of least privilege, under which users hold only the access they need for their daily work. Finally, measuring unused access informs decisions about which entitlements are better granted temporarily, just when needed, rather than left standing.
Orphaned Accounts
An orphaned account is one with no valid business owner. A potentially severe security risk opens up when a privileged account exists on your network without an owner: nobody reviews its activity or certifies its access. An attacker who compromises an orphaned privileged account gets free rein with its privileges and can propagate ransomware or shut systems down before anyone notices.
Orphaned accounts are never desirable, so measuring how many exist per time period indicates how effective, or ineffective, your provisioning and de-provisioning processes are. Count them at regular intervals, report privileged orphans separately from the rest, and investigate the reason behind any spike; common causes are leavers whose accounts were never disabled and service accounts created without a named owner.
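The five metrics above (access correctness, data completeness, time to provision and de-provision, unused access, and orphaned accounts), computed over one small constructed dataset, as an added example. This is not Tuebora’s code and does not reflect how IDAT computes its figures. It assumes an HR feed and an account inventory with the shapes shown, a hand-written role model, a 90-day window for calling access unused, a fixed reporting date, and a hand-picked set of privileged entitlements; all of these are assumptions for illustration, not things the article specifies.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# --- Constructed sample data (hypothetical; not from any real system) ---
AS_OF = date(2024, 6, 1)            # assumed reporting date, fixed so results are repeatable
STALE_AFTER = timedelta(days=90)    # assumed window after which access counts as unused
REQUIRED_FIELDS = ("name", "dept", "manager", "status")
PRIVILEGED = {"erp:post", "git:write"}   # assumed set of privileged entitlements

# HR feed: the authoritative source for who exists and what they do.
HR_RECORDS = {
    "u100": {"name": "Ada", "dept": "finance", "manager": "u200", "status": "active"},
    "u101": {"name": "Bob", "dept": "finance", "manager": "u200", "status": "active"},
    "u102": {"name": "Cy",  "dept": "",        "manager": "u200", "status": "active"},      # missing dept
    "u103": {"name": "Di",  "dept": "eng",     "manager": None,   "status": "terminated"},  # leaver, missing manager
    "u200": {"name": "Mel", "dept": "finance", "manager": "u300", "status": "active"},
}

# Role model: the access each department *should* have (in practice, the output of role mining).
ROLE_ENTITLEMENTS = {"finance": {"erp:read", "erp:post"}, "eng": {"git:write", "ci:run"}}

# Account inventory exported from target systems: (account, owner, entitlement, last_used).
ACCOUNTS = [
    ("acct-1", "u100", "erp:read",  date(2024, 5, 30)),
    ("acct-1", "u100", "erp:post",  date(2024, 5, 29)),
    ("acct-2", "u101", "erp:read",  date(2024, 5, 28)),
    ("acct-2", "u101", "git:write", date(2024, 1, 10)),   # outside the role model and stale
    ("acct-3", "u103", "git:write", date(2024, 2, 1)),    # owner has left: orphaned, privileged
    ("svc-db", None,   "erp:post",  date(2024, 5, 31)),   # no owner recorded: orphaned, privileged
    ("acct-9", "u999", "ci:run",    date(2024, 5, 1)),    # owner unknown to HR: orphaned
]

# Access request log from the provisioning tool: (kind, requested_at, fulfilled_at).
REQUESTS = [
    ("grant",  datetime(2024, 5, 1, 9, 0),  datetime(2024, 5, 1, 9, 30)),   # automated, 0.5 h
    ("grant",  datetime(2024, 5, 2, 9, 0),  datetime(2024, 5, 4, 9, 0)),    # manual approval, 48 h
    ("revoke", datetime(2024, 5, 3, 17, 0), datetime(2024, 5, 3, 17, 10)),
    ("revoke", datetime(2024, 5, 6, 8, 0),  datetime(2024, 5, 9, 8, 0)),    # leaver kept access for 72 h
]


def data_completeness(records=HR_RECORDS, required=REQUIRED_FIELDS):
    """Share of records whose required fields are all present and non-empty."""
    complete = sum(all(r.get(f) not in (None, "") for f in required) for r in records.values())
    return complete / len(records)


def access_gap(hr=HR_RECORDS, accounts=ACCOUNTS, roles=ROLE_ENTITLEMENTS):
    """Per active user, (missing, excess) entitlements relative to the role model."""
    actual = defaultdict(set)
    for _, owner, ent, _ in accounts:
        if owner:
            actual[owner].add(ent)
    gaps = {}
    for uid, rec in hr.items():
        if rec["status"] != "active":
            continue                      # leavers are covered by the orphan metric instead
        expected = roles.get(rec["dept"], set())
        missing, excess = expected - actual[uid], actual[uid] - expected
        if missing or excess:
            gaps[uid] = (missing, excess)
    return gaps


def unused_access(accounts=ACCOUNTS, as_of=AS_OF, stale_after=STALE_AFTER):
    """Entitlements not exercised within the window, and their share of all entitlements."""
    stale = [(acct, ent) for acct, _, ent, last in accounts if as_of - last > stale_after]
    return stale, len(stale) / len(accounts)


def orphaned_accounts(accounts=ACCOUNTS, hr=HR_RECORDS, privileged=PRIVILEGED):
    """Accounts with no valid active owner, with the reason and whether they hold privileged access."""
    orphans = {}
    for acct, owner, ent, _ in accounts:
        if owner is None:
            reason = "no owner recorded"
        elif owner not in hr:
            reason = "owner unknown to HR"
        elif hr[owner]["status"] != "active":
            reason = "owner no longer active"
        else:
            continue
        entry = orphans.setdefault(acct, {"reason": reason, "privileged": False})
        entry["privileged"] = entry["privileged"] or ent in privileged
    return orphans


def provisioning_times(requests=REQUESTS):
    """Mean and worst-case hours from request to fulfilment, grants and revokes kept separate."""
    hours = defaultdict(list)
    for kind, requested, fulfilled in requests:
        hours[kind].append((fulfilled - requested).total_seconds() / 3600)
    return {k: {"mean_h": sum(v) / len(v), "max_h": max(v)} for k, v in hours.items()}


if __name__ == "__main__":
    print(f"data completeness: {data_completeness():.0%}")
    print("access gaps (missing, excess):", access_gap())
    stale, share = unused_access()
    print(f"unused access: {stale} ({share:.0%} of entitlements)")
    print("orphaned accounts:", orphaned_accounts())
    print("provisioning times (hours):", provisioning_times())
```

In practice the three inputs would be the HR feed, the entitlement export from each target system, and the request log from the provisioning tool, with the role model coming from role mining. Two design choices follow from the text: revoke times are reported separately from grant times so a slow offboarding process cannot hide behind fast onboarding, and each orphaned account carries both the reason it is orphaned and a privileged flag, so the privileged subset can be escalated first.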
How Tuebora Helps
Tuebora’s Identity Discovery and Assessment Tool (IDAT) helps you measure important IAM metrics at your organization. The specific metrics in this article are tracked in IDAT automatically as part of five broad metric categories: Data Quality, Provisioning Anomalies, User Certification Behaviors, Unused Accounts, and Unused Access. Automated analysis provides numbers and percentages for key metrics that you can use to refine and improve the implementation of your IAM program.
Get your demo today.