Identity and access management (IAM) has become a critical area of focus in security discussions within all organizations. Effective IAM is critical to an organization’s overall security posture, as improper access and credentials are among the most frequently cited sources of security breaches.
It is important to visualize and understand where the organization stands from an IAM program-maturity perspective, and the best way to represent the current state of the IAM program is to gather and track metrics. An IAM owner can track metrics for coverage, performance and user communities in order to portray the overall health of the organization’s IAM program.
Why Do You Need IAM Metrics?
Organizations today make substantial investments in their IAM program, and initiatives typically span multiple years. It is critical for IAM leaders to establish meaningful ways to measure progress. Well-designed metrics should fill that need, providing simple insights into the business value of the IAM initiatives. IAM directors also need simple measures to understand the IAM landscape in their enterprise to aid in planning and execution.
Metrics, a key part of any effective IAM program operation, help organizations at all IAM maturity levels.
IAM directors should understand the current state before making resource allocations: Low-maturity IAM programs benefit from metrics to identify areas that need immediate attention for improvements, and to understand the full scope of work that lies ahead. High-maturity IAM programs benefit from metrics by setting targets and future-state goals.
Successful IAM programs maintain mature metrics in three areas: coverage, performance and user communities.
Coverage metrics measure how well IAM services address enterprise risks and provide insight on the real business impact of the IAM program. With coverage metrics, the organization can track enterprise adoption through applications and platforms that use or apply IAM services and controls.
Classifying coverage metrics into risk designations (e.g., SOX, PCI, GDPR) allows the organization to quickly identify the greatest exposures and drive prioritization decisions.
A few examples of coverage metrics include:
- Number of applications integrated with enterprise IAM services versus total number of applications.
- Number of applications compliant with enterprise IAM control objectives versus total number of applications.
- Number of privileged accounts protected and managed by enterprise IAM services versus total number of privileged accounts.
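The coverage metrics listed above become actionable once they are computed per risk designation, because that is what surfaces the largest exposures. The following is an added example, not code from the original article or from Protiviti; it assumes a small application inventory and privileged-account list, both constructed here with hypothetical names and flags, and shows the integrated-versus-total and compliant-versus-total ratios per designation plus the list of uncovered applications for a given designation.

```python
from collections import defaultdict

# Constructed application inventory (hypothetical data, not from the article). Each
# record says whether the app is integrated with enterprise IAM services, whether it
# meets the enterprise IAM control objectives, and which risk designations apply.
APP_INVENTORY = [
    {"name": "payroll",   "integrated": True,  "compliant": True,  "risk": {"SOX"}},
    {"name": "ecommerce", "integrated": True,  "compliant": False, "risk": {"PCI", "GDPR"}},
    {"name": "crm",       "integrated": False, "compliant": False, "risk": {"GDPR"}},
    {"name": "wiki",      "integrated": False, "compliant": False, "risk": set()},
    {"name": "gl-ledger", "integrated": True,  "compliant": True,  "risk": {"SOX", "PCI"}},
    {"name": "hr-portal", "integrated": False, "compliant": False, "risk": {"SOX", "GDPR"}},
]

# Constructed privileged-account list: is the account vaulted/managed by the PAM service?
PRIVILEGED_ACCOUNTS = [
    {"account": "root@db01",     "managed": True},
    {"account": "admin@payroll", "managed": True},
    {"account": "svc_backup",    "managed": False},
    {"account": "da@corp.local", "managed": False},
]


def coverage(records, flag):
    """Return (covered, total, ratio) for the boolean field `flag` over `records`."""
    total = len(records)
    covered = sum(1 for r in records if r[flag])
    return covered, total, (covered / total if total else 0.0)


def app_coverage_by_risk(apps):
    """Integration and compliance coverage per risk designation, plus an 'ALL' bucket.

    An application tagged with several designations is counted in each of them,
    so the per-designation totals do not add up to the 'ALL' total.
    """
    buckets = defaultdict(list)
    for app in apps:
        buckets["ALL"].append(app)
        for tag in app["risk"]:
            buckets[tag].append(app)
    result = {}
    for tag, group in buckets.items():
        integrated, total, int_ratio = coverage(group, "integrated")
        compliant, _, comp_ratio = coverage(group, "compliant")
        result[tag] = {
            "total": total,
            "integrated": integrated,
            "compliant": compliant,
            "integrated_pct": round(100 * int_ratio),
            "compliant_pct": round(100 * comp_ratio),
        }
    return result


def coverage_gaps(apps, designation):
    """Applications carrying `designation` that are not yet integrated with IAM services."""
    return sorted(a["name"] for a in apps
                  if designation in a["risk"] and not a["integrated"])


def prioritized_designations(apps):
    """Risk designations ordered from lowest to highest integration coverage."""
    metrics = app_coverage_by_risk(apps)
    return sorted((t for t in metrics if t != "ALL"),
                  key=lambda t: (metrics[t]["integrated_pct"], t))


if __name__ == "__main__":
    for tag, m in app_coverage_by_risk(APP_INVENTORY).items():
        print(f"{tag:5} integrated {m['integrated']}/{m['total']} ({m['integrated_pct']}%)"
              f"  compliant {m['compliant']}/{m['total']} ({m['compliant_pct']}%)")
    print("priority order:", prioritized_designations(APP_INVENTORY))
    for tag in prioritized_designations(APP_INVENTORY):
        print(f"  {tag} gaps: {coverage_gaps(APP_INVENTORY, tag)}")
    managed, total, ratio = coverage(PRIVILEGED_ACCOUNTS, "managed")
    print(f"privileged accounts managed: {managed}/{total} ({round(100 * ratio)}%)")
```

In a real program the inventory would be exported from a CMDB or application register and the privileged-account list from the PAM tool; the point of the per-designation breakdown is that an overall integration rate of 50% hides the fact that the GDPR-tagged applications sit at 33%, which is where remediation effort should go first.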
A common way to track the current state of IAM systems is monitoring performance metrics, which show how IT assets are performing at the transaction level. These metrics provide insight into the workload and reliability of IAM services.
Some examples of performance metrics include:
- Number of password resets per month
- Number of access requests per week
- Average time it takes to provision/deprovision access for a user per application
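Performance metrics such as those listed above are derived from the IAM service's own event records. The following is an added example, not code from the original article or from Protiviti; it assumes a simple whitespace-separated event log (constructed here, with a hypothetical record layout of timestamp, event type, user, application and request id) and computes password resets per month, access requests per ISO week, and the average request-to-completion time per application and action, while reporting requests that were never completed rather than silently dropping them.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IAM event log (hypothetical data, not from the article). Columns:
# ISO timestamp, event type, user, application ('-' when not applicable), request id.
# The request id lets a completion event be matched to the request that started it.
EVENT_LOG = """\
2024-03-02T09:00:00 password_reset alice - r1
2024-03-15T10:30:00 password_reset bob - r2
2024-04-01T08:00:00 password_reset carol - r3
2024-03-04T09:00:00 access_request alice crm r4
2024-03-04T11:00:00 access_granted alice crm r4
2024-03-05T09:00:00 access_request bob crm r5
2024-03-05T13:00:00 access_granted bob crm r5
2024-03-06T09:00:00 access_request carol payroll r6
2024-03-08T09:00:00 access_granted carol payroll r6
2024-03-11T09:00:00 deprovision_request dave crm r7
2024-03-11T09:30:00 deprovision_done dave crm r7
2024-03-12T09:00:00 access_request erin payroll r8
"""

# Which completion event closes which request event (hypothetical event names).
PAIRS = {"access_request": "access_granted", "deprovision_request": "deprovision_done"}


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, app, req = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "app": app, "req": req})
    return events


def month_key(ts):
    return ts.strftime("%Y-%m")


def week_key(ts):
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"


def count_per_period(events, kind, period_key):
    """Number of events of type `kind` per period label produced by `period_key`."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == kind:
            counts[period_key(e["ts"])] += 1
    return dict(counts)


def average_turnaround_hours(events):
    """Average time from request to completion, per (application, request type).

    Returns (averages, open_requests): `open_requests` lists request ids that have
    no matching completion event, so the metric does not quietly hide backlog.
    """
    started = {}
    durations = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] in PAIRS:
            started[e["req"]] = e
            continue
        req = started.pop(e["req"], None)
        if req is not None and PAIRS[req["kind"]] == e["kind"]:
            hours = (e["ts"] - req["ts"]).total_seconds() / 3600
            durations[(req["app"], req["kind"])].append(hours)
    averages = {key: sum(v) / len(v) for key, v in durations.items()}
    return averages, sorted(started)


if __name__ == "__main__":
    events = parse_events(EVENT_LOG)
    print("password resets per month:", count_per_period(events, "password_reset", month_key))
    print("access requests per week: ", count_per_period(events, "access_request", week_key))
    averages, open_requests = average_turnaround_hours(events)
    for (app, kind), hours in sorted(averages.items()):
        print(f"{app:8} {kind:20} avg {hours:.1f} h")
    print("still open:", open_requests)
```

The open-request list matters for the provisioning-time metric: an average computed only over completed requests looks better as the backlog grows, so the two numbers should always be reported together.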
Note that many IAM systems have health-related metrics specific to a given technology. For example, metrics on nested groups are important for managing the performance and reliability of Active Directory.
The last bucket of metrics for an IAM owner deals with tracking user communities within the organization. Different user communities have different authoritative data sources, risk profiles, countries and compliance requirements; thus, it is important that an IAM owner fully understand the user communities needed for planning. These insights can drive more effective decisions on strategies and investments. This can be especially important if certain communities — customers, for example — have a greater business impact than others.
Some examples of user community metrics include:
- Number of identities being served in the organization: (1) per authoritative data source, and (2) total (human and nonhuman)
- Types of community groupings in the organization (employees, subsidiaries, contractors, etc.)
- Number of accounts in each risk level (privileged, SOX, PCI, etc.)
Tracking how access to IT assets is provisioned and deprovisioned for nonassociate, subsidiary and other nonemployee identities provides visibility into the different governance processes that apply to them. It is critical for organizations to consider nonemployee identities as well as those of employees.
Setting up a metrics program has benefits beyond the metrics themselves. It will naturally mature other key processes — for example, maintaining an application inventory, compliance and risk designations, and status reporting. These improvements will drive additional value in the organization.
Protiviti has proven methodologies for developing an IAM metrics program. Although a metrics program can be set up quickly, it will pay dividends over many years. A metrics model will help provide effective decisions and smarter resource allocations, and it is important to actively maintain a manageable set of metrics for effective board-level communications and for driving attention to the improvement of IAM maturity.