In the same vein, Vidwans says tracking the number of exceptions per access reauthorization cycle -- failed log-in numbers -- can offer a number of insights.
"Let’s say there is a spike in people getting locked out of their accounts, and that after four tries the person is locked out. Does that mean people are guessing other people’s passwords?" he says. "Or maybe the password policies are too stringent, and people are forgetting their passwords because they are too long or they change too often."
Tracked over time, Acquaviva says, "it identifies activity spikes above normal levels that may indicate malicious activity."
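An added example, not from the article or anyone quoted in it: one way to flag days whose lockout count rises above a trailing baseline, and to report how many of those lockouts followed a recent password change as a triage hint between the two explanations raised above. The record layout, the `days_since_pw_change` field, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_lockouts(events):
    """Group (day, account, days_since_pw_change) records by day, filling gaps."""
    by_day = defaultdict(list)
    for day, account, age in events:
        by_day[day].append((account, age))
    first, last = min(by_day), max(by_day)
    span = (last - first).days + 1
    return {first + timedelta(n): by_day.get(first + timedelta(n), []) for n in range(span)}

def lockout_spikes(by_day, window=7, k=3.0, min_excess=3, recent_days=3):
    """Flag days whose lockout count exceeds a trailing median + k*MAD baseline."""
    days = sorted(by_day)
    flagged = []
    for i in range(window, len(days)):
        history = [len(by_day[d]) for d in days[i - window:i]]
        base = median(history)
        mad = median(abs(c - base) for c in history)
        # 1.4826 scales MAD to a standard deviation for normal data;
        # min_excess keeps a flat history (MAD = 0) from flagging noise.
        threshold = base + max(k * 1.4826 * mad, min_excess)
        rows = by_day[days[i]]
        if len(rows) > threshold:
            recent = sum(1 for _, age in rows if age <= recent_days)
            flagged.append({
                "day": days[i],
                "lockouts": len(rows),
                "baseline": base,
                "accounts": len({a for a, _ in rows}),
                "recent_change_share": round(recent / len(rows), 2),
            })
    return flagged

# Constructed sample: nine quiet days, then a spike on day 10.
START = date(2024, 1, 1)
COUNTS = [4, 5, 3, 6, 4, 5, 4, 5, 4, 21]
SAMPLE = []
for offset, n in enumerate(COUNTS):
    for j in range(n):
        # On the spike day, 15 of 21 lockouts follow a password change within 3 days.
        age = 1 if (offset == 9 and j < 15) else 30
        SAMPLE.append((START + timedelta(offset), f"user{j:02d}", age))

if __name__ == "__main__":
    for hit in lockout_spikes(daily_lockouts(SAMPLE)):
        print(hit)
```

The `recent_change_share` value is a heuristic assumption of this example: a high share on a flagged day is consistent with password-policy friction, while a low share calls for a closer look at where the failed attempts came from.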
5. Manual Password Resets
How often are your users manually resetting passwords or asking for help from the service desk within a given time? If this number seems high, then it could tell you there's a need for a different process to aid users locked out of their accounts.
"It's an indication of where automated password self-service could be useful," Crawford says. "Trending here as well would indicate progress or benefit of implementing password self-service [after deployment]."
6. Anomalous Access Incidents
This is another metric Crawford says isn't likely to be used often, but it could help to spot malicious behavior. Keeping track of users who are accessing information that they don't normally need to do their jobs can head off insider threats more quickly -- and could potentially spot areas where the organization has been too generous in the types of access it affords users.
"This would require fraud or activity anomaly detection to detect variations from a norm of activity monitored over time," he says. "'Why is this user accessing an accounting or source code file system or share if they don’t usually work in those areas? Why is this user in manufacturing browsing an Active Directory namespace?'"
7. Service and Cost Metrics
How good of a job is your security team doing in managing accounts and doing so in a cost-effective way?
Crawford suggests that organizations round out their IAM metrics by not only keeping track of how long it takes to review entitlements (see tip #1), but also the average cost per account across the organization, finding numbers that amortize account provisioning, deprovisioning, and maintenance accounts.