"A large chunk of our advisory engagements are spent applying BI concepts and technologies to either justify new IAM initiatives or get a co-derive maximum ROI from stalled or problematic implementations," says Ranjeet Vidwans, vice president of marketing at Identropy.
Keeping track of IAM metrics is something many organizations often fail to do on regular basis, but that doesn't make it any less important.
"Many companies think they are 'done' once they have implemented IAM systems, but in order for these systems to be effective, you need to measure the efficacy of controls and the system hygiene over time," says Jim Acquaviva, vice president of product strategy for nCircle. "IAM metrics should be part of every comprehensive security risk management program."
Security experts believe that the following seven types of IAM measurables offer valuable insight into where organizations need improvement.
1. Time To Provision, Authorize, Or Deprovision
"Metrics that focus on provisioning and deprovisioning accounts, with a particular focus on critical systems and users with significant privileges, are critical to IAM effectiveness," Acquaviva says. "It makes sense to gather and review these metrics across the enterprise, but taking the time to categorize critical systems and privileged users brings a sharper focus to high-risk systems."
Tracking the average time to deprovision shows how well an organization sticks to its policies for revoking privileges when people leave. Tracking the trend over time can show improvements or backsliding.
Meanwhile, the average time to provision and authorize can expose broken processes that delay getting people the resources they need to do their jobs.
"Nine times out of 10, there are process issues underlying why a person doesn't get access to applications in a timely fashion," Vidwans says. "[These metrics] can flag that a business process needs to be reviewed and possibly adjusted. What if there are three different people that approve stuff, and one person is the bottleneck? [Average time to authorize] can shed light on how to effectively and efficiently organize approvals."
2. Number Of 'Ghost Accounts'
Many organizations don't track the number of ghost accounts -- accounts with no user attached -- floating around the environment, but they should consider doing so, says Scott Crawford, an analyst for Enterprise Management Associates.
"This is obvious: Who wants privileged accounts that don't belong to any one person floating around?" Vidwans agrees.
According to Acquaviva, rooting out active accounts without an owner is a good idea for two reasons.
"These might be a deprovisioning mistake, or they might be a ‘back door’ into your network," he says. "Either way, finding and resolving these issues quickly significantly reduces risk."
Crawford also believes this metric is useful when taken as a function over time.
"Trending of this number over time would indicate progress -- or lack thereof -- in reducing ghost accounts," Crawford says.
Similarly, tracking the number of accounts showing no activity within 30, 60, or 90 days can pinpoint accounts that might need to be shut down.
"These are candidates for deprovisioning," Crawford says.
3. Password Hygiene Metrics
Counting the accounts with weak, old, or nonexpiring passwords helps organizations start to put a number on the risk created by poor authentication practices.
"These issues are mostly self-explanatory, but password metrics also provide a feedback mechanism on password policies," Acquaviva says. "If policies are too stringent or being ignored entirely, it shows up very clearly in these metrics."
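The three metric families above (deprovisioning lag, ghost and dormant accounts, password hygiene) computed over a small constructed account inventory, as an added illustration that is not from the article or any vendor quoted in it; the `Account` fields, the fixed `TODAY` date and the sample rows are assumptions standing in for whatever an IAM or directory export actually provides.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:                    # one row of an account inventory export (assumed shape)
    name: str
    owner: Optional[str]          # None = no person attached ("ghost account")
    privileged: bool
    last_login: Optional[date]
    left_on: Optional[date]       # HR leave date, if the owner has left
    disabled_on: Optional[date]   # when the account was actually disabled
    pwd_set_on: date
    pwd_never_expires: bool

TODAY = date(2024, 6, 30)         # fixed "now" so the numbers are reproducible
INVENTORY = [                     # constructed sample inventory, not real data
    Account("alice", "Alice", False, date(2024, 6, 28), None, None, date(2024, 5, 1), False),
    Account("bob", "Bob", True, date(2024, 2, 1), date(2024, 5, 1), date(2024, 5, 3), date(2023, 1, 1), False),
    Account("svc_backup", None, True, date(2024, 6, 29), None, None, date(2021, 3, 3), True),
    Account("carol", "Carol", False, date(2024, 3, 15), date(2024, 6, 1), None, date(2024, 1, 10), False),
    Account("old_test", None, False, None, None, None, date(2020, 1, 1), True),
]

def enabled(accounts):
    return [a for a in accounts if a.disabled_on is None]

def avg_days_to_deprovision(accounts, today=TODAY):
    # Metric 1: mean lag from HR leave date to disable date. A leaver that is
    # still enabled counts its lag up to today, so the number keeps growing.
    lags = [((a.disabled_on or today) - a.left_on).days
            for a in accounts if a.left_on is not None]
    return sum(lags) / len(lags) if lags else 0.0

def ghost_accounts(accounts, privileged_only=False):
    # Metric 2: enabled accounts with no owner, optionally only privileged ones
    return [a.name for a in enabled(accounts)
            if a.owner is None and (a.privileged or not privileged_only)]

def dormant_accounts(accounts, days, today=TODAY):
    # Metric 2b: enabled accounts idle for more than `days` days (never logged in counts); deprovisioning candidates
    return [a.name for a in enabled(accounts)
            if a.last_login is None or (today - a.last_login).days > days]

def password_hygiene(accounts, max_age_days=90, today=TODAY):
    # Metric 3: old and non-expiring passwords among enabled accounts (weak passwords need a separate credential audit)
    live = enabled(accounts)
    return {"enabled": len(live),
            "stale": sum((today - a.pwd_set_on).days > max_age_days for a in live),
            "never_expires": sum(a.pwd_never_expires for a in live)}
```

Running the same functions against each week's export and keeping the results gives the trend lines Crawford and Acquaviva describe; the privileged-only ghost count is the one to watch first.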