IBM Security Verify

 View Only

HOW DO YOU MEASURE YOUR IAM CAPABILITY

By Stephen Swann posted 30 days ago

  

I had the honour of attending the Gartner Identity and Access Management summit recently. The great and the good were in attendance and it was wonderful to be amongst people in a three-dimensional way once again.

One of the presentations given by a Gartner Analyst was entitles "Defining Meaningful Metrics for IAM". More interestingly, however, I did meet with the owner of an IAM service at a very large organisation based in the UK who was particularly interested in the ability to measure the effectiveness of his IAM stack.

Many IAM vendors talk about how IAM solutions can be an enabler for productivity. Many will also talk about the ROI that can be achieved after successfully rolling out an IAM strategy. They all talk about reduction in friction improving users' perception of the value of the IAM platform.

But how do you measure business enablement? Is the cost of a Service Desk call really the $75 you say it is? And how do you measure customer satisfaction during an authentication journey?

IAM programmes tend to penetrate the entire organisation resulting in many stakeholders bringing disparate requirements to the table. Talking to those stakeholders in technical terms is a sure-fire why of getting them to switch off and disengage. Statements like "OIDC SSO followed by FIDO2 auth will revolutionise your user journeys" will be returned with a blank expression (at best). A re-framing of the message such as "re-use of existing credentials in order to reduce the footprint of passwords combined with a simple fingerprint swipe will remove user frustration and improve your security standpoint" may be more meaningful, but can also be measured.

WHAT SHOULD WE MEASURE?

Like everything in life, doing a good job is not enough. You have to be seen to be doing a good job.

Capturing the reduction in number of password reset calls received by the Help Desk is a good start, but there are other simple metrics that can be determined from an IAM platform including:

  • Timeliness of identity life-cycle activities (particularly Joiner & Leaver actions)
  • Speed of onboarding applications into both IGA and AM integration patterns
  • Number of successful automated provisioning/de-provisioning actions based on policy rather than manual requests
  • Certification/Attestation campaign effectiveness including speed of reviewer responses, number of deprovisioning actions executed, and the overall reduction in security exposure as a result of entitlements being removed
  • Number of failed registration attempts (or put more positively, the increased effectiveness of onboarding and registering new users)
  • The overall number of entitlements assigned before and after rollout of the IAM service (with the hope that there is a reduction in entitlement drag because policies, mover processes, and certification campaigns are effective)
  • Risks identified, categorised by mitigating controls assigned, and the speed of remediation

Dashboard

These metrics, combined with basic measurements, can provide real insight into the effectiveness of the IAM platform and can provide a visual representation that will be meaningful to stakeholders.

Note: Basic measurements include total number of accounts, accounts split by owner type, accounts split by active/inactive state, account dormancy levels, logins, logoffs, number of visits, number of pages visited per session, number of journey abandonments, etc.

Of course, there is always room for non-tangible measurements such as user satisfaction across the various user communities whether that is end-user, stakeholder, administrator, or application developer.

SUMMARY

IAM platforms don't come cheap (although they are definitely cheaper than they used to be). The ROI might be quantifiable for certain user actions but the likelihood is that the benefit of a great IAM platform may be more difficult to quantify in monetary terms. Determining the measurements that are critical for your business and your stakeholders should be done prior to any investment in technology - how else will you know that you have achieved your aims?


#Spotlight
#Featured-area-1
#Featured-area-1-home
0 comments
1984 views

Permalink