[BreachExchange] 10 identity management metrics that matter

[Destry Winant]

https://www.csoonline.com/article/2129591/metrics-budgets-10-identity-management-metrics-that-matter.html#tk.rss_news

A changing data landscape, the proliferation of credential-based
threats, and a tougher regulatory environment is creating pressure for
organizations to deploy identity and access management (IAM) systems,
even though the systems can be a bear to get right.

Things that can create hang-ups when deploying an IAM system include:

Ownership and collaboration problems. A successful IAM program
requires identity data to be collected, manipulated and transformed to
perform specific governance and automation functions. "When data
owners do not, or cannot, collaborate and standardize basic attributes
and processes, IAM functions become unclear, complex, and ultimately
dysfunctional," explains Arun Kothanath, chief security strategist at
Clango, an independent cybersecurity advisory firm and provider of
identity and access management solutions.
The breadth of cooperation needed for success. Every constituency in
an organization needs to be involved in the review, approval and
operational deployment of the system. "IAM touches virtually every
facet of an organization from the CEO to the intern, and given how
generally difficult it is to install, integrate and operate, it
requires considerable sustained labor and lengthy periods of
deployment," notes Jack Mannino, CEO of nVisium, an applications
security provider.
A myopic focus on technology. "Organizations tend to quickly focus on
the technology, rather than keeping focus on the humans that will use
it," observes Joseph Carson, a chief security scientist with Thycotic,
a provider of privileged account management solutions. "That will
create employee friction and poor adoption that will hinder
deployments or delay."
A messy infrastructure. The infrastructure of many organizations can
be spread across multiple physical and virtual locations and is often
misunderstood and misconfigured. "IAM initiatives are difficult to
deploy because of the chaos that is the modern-day enterprise. The
foundation IAM needs to stand on is fundamentally broken," maintains
Adam Laub, CMO of Stealthbits, a cybersecurity software company.

The importance of identity governance

Despite these challenges, companies continue to spend on IAM systems.
Market research company IDC estimates the IAM market grew nearly 7%
over the last year to $8 billion and will continue to grow in the low
double digits over the next several years. Among the drivers behind
that growth will be digital transformation. "Despite all the
excitement associated with digital transformation, at least 60% to 70%
of all computing workloads are on-premises," says Jay Bretzmann, IDC
research director for cybersecurity products. "When those workloads
move, they're going to have to change their identity approach."

A fundamental building block of any organization's IAM strategy is
identity governance and administration (IGA). If IGA is working as it
should, it can improve the identity process, make compliance easier
and reduce the risk of unauthorized access. "Without IGA it becomes
very challenging to aggregate and correlate disparate identity and
access rights data that is distributed throughout the IT landscape to
enhance control over user access," says Henrique Teixeira, research
director for identity and access management at Gartner, a research and
advisory company.


"IGA is the discipline responsible for the administration-time
decisions for creation, modification, and suspension of credentials,
which is fundamental piece of enablement of other IAM initiatives,
like access management and privileged access management," he adds.

Often governance is a must have to satisfy regulators. "The main
reason most organizations start implementing IAM is to meet some
compliance or regulatory need," notes Thycotic's Carson.

Fausto Oliveira, principal security architect at Acceptto, a
cybersecurity company focused on cognitive authentication, adds that a
good governance system can contribute to better acceptance of an IAM
solution. "Stakeholders have different views, objectives and problems
when faced with a transformative project, like an IAM system," he
says. "Proper governance ensures that this type of initiative leads to
well-defined outcomes and that the issues and challenges raised by the
various stakeholders are addressed, remediated, or explained in a way
that encourages adoption."


Identity metrics that matter

Once an IAM system has been deployed, it's important to monitor its
effectiveness through the use of metrics. Monitoring is important not
only to the managers of the system, but also to its stakeholders, who
are just about everyone. Here are 10 key metrics to which you should
pay close attention.

Why Your Modernization Push Must Start with Data

Few CIOs believe that running infrastructure is core to the success of
their business. By simplifying and modernizing their environment, they
can smooth the transition to an agile, data-centric...

Password resets

"Next to compliance, password resets are the reason people start
justifying new identity investments," IDC's Bretzmann says. "In some
organizations, you've got seven to ten people resetting their
passwords on a weekly or monthly basis."

He estimates that a reset can cost an organization anywhere from $10
to $70. "Imagine doing that for half your workforce every month," he
observes.

Distinct credentials per user

The more credentials an employee needs to remember, the more likely
they'll take shortcuts that can jeopardize security. "The number of
applications people are dealing with has risen from ten to more than
50," Bretzmann says. "Employees can't juggle all those passwords so
they start reusing them."

"You'll see attackers do credential stuffing," he continues, "and use
a stolen password on a bunch of applications because the chances it
will work more than once are pretty good."


Uncorrelated accounts

Also known as orphan accounts, uncorrelated accounts often occur when
there's a change in an employee's status, typically when they leave
the company. A good IAM system should be able to identify such
accounts because they'll display an abnormal amount of inactivity.
It's important to close them down because they pose a security risk.
"They're ripe for attack if they're not controlled," warns Morey
Haber, CTO of BeyondTrust, a maker of privileged account management
and vulnerability management solutions.

"Many IAM programs have achieved a high level of proficiency in
provisioning access to resources," adds Stealthbits’ Laub. "Few, in
comparison, have achieved the same level of proficiency in removing
access in a complete fashion or transferring access rights when job
assignments change."

Percentage of owned resources

Resources without an owner pose a threat similar to orphan accounts.
"Having identified, assigned and certified ownership over any given
resource is an indication that the resource is actually in a
governable state," explains Laub. "In order to facilitate an
entitlement review or self-service access request, a resource owner
must be present to facilitate the transaction. Resources without
owners represent a gap."

New accounts provisioned

It's important to review these accounts because they're often
over-provisioned. "The reason they do that is that they're not really
sure which systems the employee may need," Bretzmann explains. "If I
hire someone and I prevent them from doing their work, shame on me. We
should allow people to do the tasks that we hired them to do. If you
give them access to nothing, and they have to ask for access all the
time, you overload the help desk. That's expensive and can lead to
delays."

An IAM system can monitor new accounts and determine which privileges
an employee is using and recommend to an administrator those
privileges that are not being used and should be removed.

Average time to provision a user

The longer it takes to provision a new user or a changed user, the
greater the hit on that user's productivity. The longer it takes to
deprovision an employee, the longer a potential attack vector is
exposed. "Deprovisioning employees leaving a company is a huge
problem," BeyondTrust's Haber says. "I recently checked my account
with a company I left 18 years ago, and it was still active."

Automation can help with reducing the time it takes to provision and
deprovision employees. "Once I understand a role tightly, I can have a
robot do all the provisioning or deprovisioning for me," Bretzmann
explains. "But you've got to have your roles defined correctly,
because if you don't, the robot can open your environment to all types
of exposures."

Privileged accounts without an owner

"This a huge problem and a primary attack vector," Haber says. "Once
one of these accounts is compromised, a hacker has the keys to the
kingdom."

Managing privileged accounts has become such a problem, it has spawned
a whole subcategory of solutions. Called privileged access management
(PAM), it seeks to impose tight control and documentation of
privileged access.

A central component to PAM is password vaulting. When a privileged
user needs to exercise their privileges, they check out a password
from the vault and everything done with that password until it's
returned to the vault is logged. "That allows me to know not only who
had administrative access, but what they did, which allows me to pass
compliance audits much easier than if I didn't have a PAM solution,"
Bretzmann explains.

Separation-of-duty violations

Policies should be formulated by one party and approved by another.
Good policy software will flag violations of that rule. "It's a check
and balances thing," Bretzmann says. "You don't want the person
defining the policy to have the ability to approve its execution."

Access privilege reviews

Because access privileges are always in flux and often
over-privileged, it's important to understand which permissions are in
use, which are effective, and which are not used on a regular basis.

"Tracking such permissions on a regular basis and automating analysis
through correlation, notification and proactive protection is
important since most breaches in the cloud occur when attackers are
able to operate with elevated privileges by compromising access keys
or credentials and pivoting laterally through the IT ecosystem," notes
nVisium's Mannino.

Number of machine identities used

A factor contributing to the complexity of modern identity management
is that not only do humans have identities and access to network
resources, machines do, too. "We are somewhat successful protecting
human identities because organizations spend over $10 billion on IAM
programs focused on human identities," says Kevin Bocek, vice
president for security strategy and threat intelligence at Venafi, a
maker of a platform to protect digital keys and certificates.

"However," he continues, "the same organizations spend very little
protecting machine identities. The bad guys know this, and they are
targeting the digital keys and certificates machines use to authorize
machine-to-machine connections and communications."

Key metrics can not only give an organization a good idea how its IAM
solution is performing, but help it plan for the future by allowing it
to continually evaluate its systems. As Tim Wade, the technical
director of CTO team at Vectra Networks, a provider of automated
threat management solutions, notes, "Organizations investing in IAM
must be prepared to iteratively review the effectiveness of the
initiative and adapt to emerging requirements by creating, modifying
and retiring prior processes."