Identity and access management (IAM) has become a critical area of focus in security discussions within all organisations. Effective IAM is critical to an organisation’s overall security posture, as improper access and credentials are among the most frequently cited sources of security breaches.
It is important to visualise and understand where the organisation stands from an IAM programme-maturity perspective, and the best way to represent the current state of the IAM programme is to gather and track metrics. An IAM owner can track metrics for coverage, performance and user communities in order to portray the overall health of the organisation’s IAM programme.
Why Do You Need IAM Metrics?
Organisations today make substantial investments in their IAM programme, and initiatives typically span multiple years. It is critical for IAM leaders to establish meaningful ways to measure progress. Well-designed metrics should fill that need, providing simple insights into the business value of the IAM initiatives. IAM directors also need simple measures to understand the IAM landscape in their enterprise to aid in planning and execution.
Metrics, a key part of any effective IAM programme operation, help organisations at all IAM maturity levels.
IAM directors should understand the current state before making resource allocations: Low-maturity IAM programmes benefit from metrics to identify areas that need immediate attention for improvements, and to understand the full scope of work that lies ahead. High-maturity IAM programmes benefit from metrics by setting targets and future-state goals.
Successful IAM programmes maintain mature metrics in three areas: coverage, performance and user communities.
Coverage metrics measure how well IAM services address enterprise risks and provide insight on the real business impact of the IAM programme. With coverage metrics, the organisation can track enterprise adoption through applications and platforms that use or apply IAM services and controls.
Classifying coverage metrics into risk designations (e.g., SOX, PCI, GDPR) allows the organisation to quickly identify the greatest exposures and drive prioritisation decisions.
A few examples of coverage metrics include:
- Number of applications integrated with enterprise IAM services versus total number of applications.
- Number of applications compliant with enterprise IAM control objectives versus total number of applications.
- Number of privileged accounts protected and managed by enterprise IAM services versus total number of privileged accounts.
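As an added illustration (not from the original article or Protiviti's methodology), the following Python computes the first two coverage metrics above from a constructed application inventory and classifies them by risk designation so the least-covered designations and the uncovered applications surface first; the inventory fields, application names and designations are assumed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    """One row of a hypothetical enterprise application inventory."""
    name: str
    designations: frozenset   # risk designations, e.g. SOX, PCI, GDPR
    iam_integrated: bool      # uses enterprise IAM services (SSO, provisioning)
    iam_compliant: bool       # meets enterprise IAM control objectives


# Constructed sample inventory; names and flags are invented for illustration.
INVENTORY = [
    Application("payroll", frozenset({"SOX"}), True, True),
    Application("card-gateway", frozenset({"PCI"}), True, False),
    Application("crm", frozenset({"GDPR"}), False, False),
    Application("ledger", frozenset({"SOX", "GDPR"}), True, True),
    Application("legacy-reports", frozenset({"SOX", "PCI"}), False, False),
    Application("wiki", frozenset(), True, True),
]


def coverage_by_designation(apps):
    """Return {designation: (integrated, compliant, total)}; 'ALL' counts every app."""
    buckets = defaultdict(lambda: [0, 0, 0])
    for app in apps:
        for key in set(app.designations) | {"ALL"}:
            buckets[key][2] += 1
            buckets[key][0] += int(app.iam_integrated)
            buckets[key][1] += int(app.iam_compliant)
    return {key: tuple(counts) for key, counts in buckets.items()}


def ratio(numerator, total):
    """Coverage fraction; an empty designation bucket reports 0 rather than dividing by zero."""
    return numerator / total if total else 0.0


def greatest_exposures(apps):
    """Apps missing integration or compliance, ranked by how many designations they carry."""
    gaps = [a for a in apps if not (a.iam_integrated and a.iam_compliant)]
    return sorted(gaps, key=lambda a: (-len(a.designations), a.name))


def report(apps):
    """One summary line per designation, 'ALL' first, for a status dashboard."""
    cov = coverage_by_designation(apps)
    lines = []
    for key in sorted(cov, key=lambda k: (k != "ALL", k)):
        integrated, compliant, total = cov[key]
        lines.append(f"{key:5} integrated {ratio(integrated, total):.0%} "
                     f"compliant {ratio(compliant, total):.0%} (n={total})")
    return lines
```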
A common way to track the current state of IAM systems is monitoring performance metrics, which show how IT assets are performing at the transaction level. These metrics provide insight into the workload and reliability of IAM services.
Some examples of performance metrics include:
- Number of password resets per month
- Number of access requests per week
- Average time it takes to provision/deprovision access for a user per application
Note that many IAM systems have health-related metrics specific to a given technology. For example, metrics on nested groups are important for managing the performance and reliability of Active Directory.
The last bucket of metrics for an IAM owner deals with tracking user communities within the organisation. Different user communities have different authoritative data sources, risk profiles, countries and compliance requirements; thus, it is important that an IAM owner fully understands the user communities that need to be planned for. These insights can drive more effective decisions on strategies and investments. This can be especially important if certain communities — customers, for example — have a greater business impact than others.
Some examples of user community metrics include:
- Number of identities being served in the organisation: (1) per authoritative data source, and (2) total (human and nonhuman)
- Types of community groupings in the organisation (employees, subsidiaries, contractors, etc.)
- Number of accounts in each risk level (privileged, SOX, PCI, etc.)
Tracking how nonassociate, subsidiary and other nonemployee identities are provisioned to and deprovisioned from IT assets provides visibility into the different governance processes that apply to them. It is critical for organisations to consider nonemployee identities as well as those of employees.
Setting up a metrics programme has benefits beyond the measurement itself. It will naturally mature other key processes — for example, maintaining an application inventory, compliance and risk designations, and status reporting. These improvements will drive additional value in the organisation.
Protiviti has proven methodologies for developing an IAM metrics programme. Although a metrics programme can be set up quickly, it will pay dividends over many years. A metrics model will help provide effective decisions and smarter resource allocations, and it is important to actively maintain a manageable set of metrics for effective board-level communications and for driving attention to the improvement of IAM maturity.