Frank Villavicencio of Identropy is an expert in Identity and Access Management (IAM). In a recent article he produced a list of 10 Identity Management Metrics that will help focus the security aspirations of almost any organisation.
The 10 pieces of advice are below:
1. Password reset volume per month. This one is a classic in identity management, and it’s key to helping organizations measure the effectiveness of their IAM programs. Businesses typically look at password-related help desk calls, account lockouts, and self-service resets per month as good indicators of password-policy effectiveness. This metric should generally trend downward, although there may be peaks and valleys driven by business events. If it doesn’t, your organization’s password policies and management tools require a closer look.
2. Average number of distinct credentials per user. Another IAM classic, and for years, a key business justification for single sign-on (SSO) initiatives. The industry average ranges from 10 to 12 unique accounts per user. Organizations should strive to bring this average down as close to one as possible.
3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person’s accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks—they are open, live accounts that can be easily hijacked for un-authorized use.
4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there’s a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.
5. Average time it takes to provision or de-provision a user. This shows how long a new user waits to get access to the resources they need to do their work. It has implicit productivity and ROI ramifications. Nine times out of 10, if someone doesn’t get access to applications in a timely fashion, there are process issues behind the delay. This metric can flag a business process that needs to be reviewed and possibly adjusted.
6. Average time it takes to authorize a change. This metric can provide insight into the efficiency of an organization’s approval processes. For example, if there are four people involved in approving a sales rep’s access to Salesforce.com, but it takes two weeks for that approval to be granted, that’s two weeks the sales rep is limited in his capacity to sell. Knowing how long it takes for approvals to be granted can help identify bottlenecks or out-of-date processes.
7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who had the credentials to grant them access to important resources—making them privileged users—no longer need access to those resources but never had their privileges removed. This problem here is obvious—who wants privileged accounts that don’t belong to anyone floating around?
8. Number of exceptions per access re-certification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator of poor identity data quality (that is, lots of users having access that they should not have), or of process problems (that is, the person requesting re-certification does not have all the information they need to complete the process.)
9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused be the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers are not matched), or worse yet, of an account created by backdoor channels. These exceptions should trend toward zero over time, and any spikes should trigger a thorough investigation and further discussion.
10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature, but are also the riskiest to miss, given the potential damage that could be inflicted if they’re exploited. Exploitations of these problems are the kind that often make headlines. The organization should implement preventive controls to monitor these violations, report them and orchestrate their remediation.
The original article can be found here.