Companies must consider these top identity and access management metrics to measure how well their IAM functions and improve their IAM capabilities to better protect customer information, reduce the number of breaches, and improve identity-related processes across the organization. By considering and using these top IAM metrics, companies can know how well their existing processes and controls are working and quantify the effectiveness of the IAM measures in some key areas. This article will cover 12 top identity and access management metrics that companies may consider when assessing their IAM capabilities.
12 Top Identity and Access Management Metrics
1. Password Reset Requests
Password reset is one of the most common reasons for users calling into customer service. The more employees who need help with their password reset, the larger the number of calls into service desk. Tracking this metric can help companies spot potential issues in this area to assess which aspect of their password management is not working properly and make the necessary changes and investments to improve.
2. Number of Users with Access to Sensitive Data
A surprisingly large number of employees might have access to sensitive information without the necessary business needs. For example, this could be because they no longer need access due to a role change or are no longer working for the company.
This access creep could pose a security risk. Tracking this metric can help assess the risk exposure and ensure that only the right people have access to sensitive information.
3. Authentication Factors
Authentication factors include PINs, passwords, tokens, and more. The number of authentication factors in place can help companies ensure that users are taking advantage of multiple measures to reduce the chance for a single-point security failure (e.g., password theft). Furthermore, authentication factors must be regularly tested to ensure they are working properly. Tracking this metric can help companies discover areas where authentication measures may need to be improved or adjusted.
4. New Account Provisioned
Every time an employee joins the company, a new account may be created for them. The number of new accounts being created per day can provide information on whether your company is growing – and thus why internal systems may need to be scaled or updated to support them. This information can help companies understand the rate at which employees are joining and leaving the organization – allowing them to adjust their headcount or security levels accordingly. The growing number of new accounts provisioned is important to consider, as they will need to be managed over time.
5. Average Time to Provision a User Account
The time it takes to provision a user account can be an extremely important metric for IAM, especially when critical transactions are involved. Faster speeds mean employees will have access to the applications they need to do their jobs. This information is crucial for areas where multiple clients might require accounts to be provisioned in a short timeframe. Time-to-provision can help companies identify areas where they need to speed up processes.
6. Expansion Rate
An expansion is an addition of a new application, data, location, users, or business unit for which employees need additional access. The number of expansions per month can show what kind of growth your company is experiencing – helping you plan headcount accordingly. These metrics are also helpful to keep an eye on for audit purposes.
7. Number of Privileged Accounts
Privileged accounts hold administrative access to various network components, including Active Directory, servers, and more. These accounts need to be regularly audited to ensure only the correct users have elevated access privileges. Furthermore, companies should track the number of privileged accounts to ensure they are not growing too quickly. It is recommended that companies limit the total number of privileged accounts in their environments. Any account that does not have a legitimate business purpose should be disabled as soon as possible.
8. Number of Service Accounts
Companies are constantly creating new service accounts which are often embedded within application programs to perform automated tasks. While service accounts are sometimes needed, they can pose a security risk as some service accounts may not have a password expiry date. Tracking service accounts can help prevent potential security breaches.
9. Offboarding and Access Removal
How often do employees leave the organization or change roles while they unnecessarily retain system access? Measuring the percentage of departed employees who continue to retain their system access can help improve offboarding flaws and the access termination process to remove access on a timely basis.
10. Number of Inactive Accounts
While organizations create new accounts on a daily basis, some of these accounts become inactive overtime which must be assessed periodically and disabled.
11. Number of Orphan Accounts
An orphan account refers to the lack of ownership of an account. A clear account ownership ensures accountability and helps with activity tracking. If an account owner is not properly identified, the account activities can not be traced back to a particular person. Sometimes, orphan accounts are shared accounts which can cause a serious issue when investigating a security breach associated with the orphan account while no one can be held accountable.
12. Incident Response Time
It is important for companies to know how quickly they respond to issues reported by users, or an incident discovered during an audit or security monitoring. The incident response time is an indication of how quickly an organization closes an IAM gap to ensure continued operations and security.
These top identity and access management metrics provide a snapshot of your IAM capabilities as well as risks associated with users, applications, data, and network. Paying attention to these numbers regularly can help you reduce the total cost of ownership (TCO) and keep track of whether or not your IAM implementation is working properly and, if not, highlight areas for security and operational improvement.