Seven Crucial Identity And Access Management Metrics

Measure identity and access management for improved security
Bringing a higher level of discipline to enterprise identity and access management (IAM) campaigns can not only help organizations improve the overall security of their system accounts, but doing so can also justify spending on authentication efforts before and after technology or processes have been deployed. This discipline starts with good IAM metrics and applying business intelligence (BI) analysis principles to those numbers.

"A large chunk of our advisory engagements are spent applying BI concepts and technologies to either justify new IAM initiatives or get a co-derive maximum ROI from stalled or problematic implementations," says Ranjeet Vidwans, vice president of marketing at Identropy.

Keeping track of IAM metrics is something many organizations often fail to do on regular basis, but that doesn't make it any less important.

“Many companies think they are ‘done’ once they have implemented IAM systems, but in order for these systems to be effective, you need to measure the efficacy of controls and the system hygiene over time," says Jim Acquaviva, vice president of product strategy for nCircle. "IAM metrics should be part of every comprehensive security risk management program."

Security experts believe that the following seven types of IAM measurable offer some valuable insight into where organizations need improvement.

1. Time To Provision, Authorize, Or Deprovision
"Metrics that focus on provisioning and deprovisioning accounts, with a particular focus on critical systems and users with significant privileges, are critical to IAM effectiveness," Acquaviva says. "It makes sense to gather and review these metrics across the enterprise, but taking the time to categorize critical systems and privileged users brings a sharper focus to high-risk systems."

Keeping track of the amount of average time to deprovision can tell an organization how good it is about sticking to policies around revoking privileges when people leave the organizations. Tracking the trend over time can show improvements or backsliding.

Meanwhile, the average time to provision and authorize can show broken processes in getting people the resources they need to do a good job.

"Nine times out of 10, there are process issues underlying why a person doesn't get access to applications in a timely fashion," Vidwans says. "[These metrics] can flag that a business process needs to be reviewed and possibly adjusted. What if there are three different people that approve stuff, and one person is the bottleneck? [Average time to authorize] can shed light on how to effectively and efficiently organize approvals."

2. Number Of 'Ghost Accounts'
Many organizations don't track the number of ghost accounts -- the number of accounts without a user attached -- floating around an organization, but they should think about doing so, says Scott Crawford, an analyst for Enterprise Management Associates.

"This is obvious: Who wants privileged accounts that don't belong to any one person floating around?" Vidwans agrees.

According to Acquaviva, rooting out active accounts without an owner is a good idea for two reasons.

"These might be a deprovisioning mistake, or they might be a ‘back door’ into your network," he says. "Either way, finding and resolving these issues quickly significantly reduces risk."

Crawford also believes this metric is useful when taken as a function over time.

"Trending of this number over time would indicate progress -- or lack thereof -- in reducing ghost accounts," Crawford says.

Similarly, tracking the number of accounts showing no activity within 30, 60, or 90 days can pinpoint accounts that might need to be shut.

"These are candidates for deprovisioning," Crawford says.

3. Password Hygiene Metrics
Taking stock of the number of accounts with weak passwords, old passwords, and accounts with nonexpiring passwords can start to help organizations put a number on the risk created by poor authentication practices.

"These issues are mostly self-explanatory, but password metrics also provide a feedback mechanism on password policies," Acquaviva says. "If policies are too stringent or being ignored entirely, it shows up very clearly in these metrics.

Next Page: Failed log-ins and other metrics 4. Failed Log-Ins
In the same vein, Vidwans says tracking the number of exceptions per access reauthorization cycle -- failed log-in numbers -- can offer clues into number of insights.

"Let’s say there is a spike in people getting locked out of their accounts, and that after four tries the person is locked out. Does that mean people are guessing other people’s passwords?" he says. "Or maybe the password policies are too stringent, and people are forgetting their passwords because they are too long or they change too often."

Tracked over time, Acquaviva says, "it identifies activity spikes above normal levels that may indicate malicious activity.”

5. Manual Password Resets
How often are your users manually resetting passwords or asking for help from the service desk within a given time? If this number seems high, then it could tell you there's a need for a different process to aid users locked out of their accounts.

"It's an indication of where automated password self-service could be useful," Crawford says. "Trending here as well would indicate progress or benefit of implementing password self-service [after deployment]."

6. Anomalous Access Incidents
This is another metric Crawford says isn't likely to be used often, but it could help to spot malicious behavior. Keeping track of users who are accessing information that they don't normally need to do their jobs can head off insider threats more quickly -- and could potentially spot areas where the organization has been too generous in the types of access it affords users.

"This would require fraud or activity anomaly detection to detect variations from a norm of activity monitored over time," he says. "'Why is this user accessing an accounting or source code file system or share if they don’t usually work in those areas? Why is this user in manufacturing browsing an Active Directory namespace?'"

7. Service and Cost Metrics
How good of a job is your security team doing in managing accounts and doing so in a cost-effective way?

Crawford suggests that organizations round out their IAM metrics by not only keeping track of how long it takes to review entitlements (see tip #1), but also the average cost per account across the organization, finding numbers that amortize account provisioning, deprovisioning, and maintenance accounts.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Tara Seals, Managing Editor, News, Dark Reading
Jim Broome, President & CTO, DirectDefense
Nate Nelson, Contributing Writer, Dark Reading