Identity Governance Blog

The IAM Metrics That Really Matter

June 8, 2020

Blog Summary

Leaders need proof that Identity and Access Management (IAM) reduces risk. Ten practical metrics make the case: password reset cost, credentials per user, uncorrelated and orphaned accounts, owner coverage, new accounts, time to provision, ownerless privileged accounts, Separation of Duties violations, review completion, and machine identities, which teams use to target cleanup and show value.

The 10 key IAM metrics that will give you a real understanding of the performance of your IAM solution.

Digital transformation has become one of the main drivers for IAM. In a recent article*, Jay Bretzmann, IDC Research Director for cybersecurity products, states: “Despite all the excitement associated with digital transformation, at least 60% to 70% of all computing workloads are on-premises. When those workloads move, they’re going to have to change their identity approach.”

Many organizations operate in a hybrid IT environment of on-premises and cloud-based applications, which makes it difficult to get a transparent overview of who has access to which IT systems and applications, and why. As organizations continue to move more workloads to digital services, they will need a more solid approach to identity management. Identity Governance and Administration (IGA) has become a cornerstone of solid IT security, allowing organizations to implement processes for controlling, managing, and auditing access to data, which is an important prerequisite for reducing security risk.

“Without IGA it becomes very challenging to aggregate and correlate disparate identity and access rights data that is distributed throughout the IT landscape to enhance control over user access,” says Henrique Teixeira, research director for identity and access management at Gartner, a research and advisory company, in a recent article on CSO Online*. “IGA is the discipline responsible for the administration-time decisions for creation, modification, and suspension of credentials, which is a fundamental piece of enablement of other IAM initiatives, like access management and privileged access management,” he adds.

Deploying an IAM system that includes IGA can be a daunting task, as many stakeholders are involved throughout the organization. To show continuous value, it is important to monitor and document the system's effectiveness using the right metrics.

Identity metrics that really matter

The featured article “10 identity management metrics that matter” in CSO, written by John Mello, former managing editor of the Boston Business Journal and Boston Phoenix, highlights 10 key metrics you should pay close attention to:

  • Password resets – it is estimated that every reset costs between $10 and $70.
  • Distinct credentials per user – a large number of credentials for an employee to remember can jeopardize security.
  • Uncorrelated accounts – changes in an employee’s status can leave accounts open and pose a security risk.
  • Percentage of owned resources – without an owner, resources like orphan accounts pose a threat.
  • New accounts provisioned – lack of review can cause over-provisioned accounts or too-limited access.
  • Average time to provision a user – the time it takes to provision a new user or change an existing one can hit productivity.
  • Privileged accounts without an owner – if a privileged account is hacked, you give away the keys to the kingdom.
  • Separation-of-duty violations – ensure that policies are not formulated and approved by the same person.
  • Access privilege reviews – tracking of permissions, because access privileges are always in flux and accounts are often over-privileged.
  • Number of machine identities used – in modern identity management, identities go beyond humans: machines need access to network resources too.

With the right key metrics, you get a real understanding of the performance of your IAM solution and the ability to evaluate the system continually. That makes it possible to review and document the effectiveness of your IAM and to create, modify, or retire current controls as new requirements emerge.
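Several of these metrics can be computed directly from an account inventory joined against the HR identity list. The following sketch is an added example, not code from the CSO article or from any IGA product; the sample records, field names, and the definitions of "uncorrelated" and "owned" are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import date

Account = namedtuple(
    "Account", "system name identity owner privileged machine requested provisioned")

# Constructed sample data (not from the article): active HR identities and an
# account export from three hypothetical systems. E102 has left the company.
ACTIVE = {"E100", "E101"}
ACCOUNTS = [
    Account("AD", "alice", "E100", "E100", False, False, date(2020, 5, 4), date(2020, 5, 5)),
    Account("ERP", "asmith", "E100", "E100", False, False, date(2020, 5, 4), date(2020, 5, 8)),
    Account("AD", "bob", "E101", "E101", False, False, date(2020, 5, 11), date(2020, 5, 12)),
    Account("AD", "carol", "E102", "E102", False, False, date(2019, 1, 7), date(2019, 1, 9)),
    Account("UNIX", "root-db01", None, None, True, False, date(2018, 3, 1), date(2018, 3, 1)),
    Account("AD", "svc-backup", None, "E101", True, True, date(2020, 2, 3), date(2020, 2, 5)),
]

def iam_metrics(accounts, active, period_start):
    """Compute inventory-based IAM metrics. Definitions here are assumptions:
    'correlated' = linked to an active identity, 'owned' = owner is active."""
    human = [a for a in accounts if not a.machine]
    per_user = {}
    for a in human:
        if a.identity in active:
            per_user[a.identity] = per_user.get(a.identity, 0) + 1
    # New accounts are those provisioned inside the reporting period.
    new = [a for a in accounts if a.provisioned >= period_start]
    lead = [(a.provisioned - a.requested).days for a in new]
    owned = sum(1 for a in accounts if a.owner in active)
    return {
        "credentials_per_user": per_user,
        "uncorrelated": [a.name for a in human if a.identity not in active],
        "pct_owned": round(100 * owned / len(accounts), 1) if accounts else None,
        "new_accounts": len(new),
        "avg_days_to_provision": sum(lead) / len(lead) if lead else None,
        "ownerless_privileged": [a.name for a in accounts
                                 if a.privileged and a.owner not in active],
        "machine_identities": sum(1 for a in accounts if a.machine),
    }

if __name__ == "__main__":
    for metric, value in iam_metrics(ACCOUNTS, ACTIVE, date(2020, 5, 1)).items():
        print(f"{metric}: {value}")
```

Password resets, separation-of-duty violations, and access reviews need help-desk, policy, and certification data respectively, so they are left out of this inventory-only calculation.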


*Source: The feature article “10 identity management metrics that matter” on CSO online.



Written by Paul Walker
Last edited Jan 06, 2026

FREQUENTLY ASKED QUESTIONS

What are Identity and Access Management (IAM) metrics and why do they matter?

Identity and Access Management (IAM) metrics are measurements that show how well an IAM program reduces risk and supports business goals. Tracking the right indicators helps leaders prove effectiveness, uncover weaknesses in access control, and decide where to focus investments to improve identity security and governance.

Which IAM metrics are highlighted as most important?

Ten metrics stand out, including password reset volume and cost, distinct credentials per user, uncorrelated and orphaned accounts, and owner coverage for resources. They are joined by new accounts provisioned, average time to provision, ownerless privileged accounts, Separation of Duties violations, access review activity, and the number of machine identities in use.

How do these metrics help reduce security risk?

The metrics focus attention on issues such as unused accounts, missing ownership, and slow provisioning, all of which create opportunities for misuse. By monitoring them, teams can tighten controls around privileged access, reduce identity sprawl, and verify that reviews keep pace with changes in users, systems, and entitlements.

What is the relationship between IAM metrics and Identity Governance and Administration (IGA)?

Identity Governance and Administration (IGA) aggregates identity and access data from across the environment, which makes it possible to calculate and act on IAM metrics. IGA provides the processes for managing, certifying, and auditing access, while the metrics give evidence that these processes are working as intended.

How should organizations use IAM metrics over time?

Organizations should use IAM metrics as part of an ongoing measurement program rather than a single report. By tracking trends, they can document progress, decide when to create or retire controls, and demonstrate that identity initiatives continue to deliver security, compliance, and efficiency value as requirements evolve.
