Measuring identity governance and administration – Five practical steps


You probably aren’t measuring your organisation’s identity governance and administration (IGA) effectiveness. And if you are, it’s probably via an indirect measure, such as the risk of data breaches or even “have I been breached”? For the purposes of this article, let us define the three functional pillars of IGA as privileged identity management, access management and identity lifecycle management. These important facets of modern business give users, wherever and whoever they are, justifiable access to the systems and tools that they need to work, while properly mitigating risk, delays and/or other inefficiencies.

That said, IGA is more than just ensuring compliance to the next audit that’s rapidly approaching. Organisations need a frictionless operating environment to lead the business towards growth and, properly implemented, that is exactly what IGA should provide - whilst reducing your exposure to risk.

IGA is an ongoing programme of defining, implementing and monitoring the effectiveness of the controls that are put in place. Without monitoring and reporting the effect of those controls, it is difficult to maintain the right level of corporate sponsorship and the ongoing investment in IGA that comes with it. Your role as the company’s IGA “hero” is never done.

IGA’s effects, especially in the area of risk-based governance, can’t always be easily quantified using traditional “cost-saving” ROI methods. Yet, it is vital to put in place means of measuring their success so that there is a clear business case for IGA initiatives.

Many companies simply don’t know what they don’t know when it comes to measuring the effects of identity governance. Often, the first indication that something’s wrong is a nasty surprise like a failed audit, process inefficiencies or, worse still, security vulnerabilities that could lead to loss of data and potentially regulatory financial penalties.

To avoid such surprises, here are five actions organisations can take as an easy, practical starting point:

A fresh perspective

Assess your organisation’s IGA maturity. Determine what is and isn’t feasible within your current posture. Failing to do so will lead to frustration, misspent money and wasted time, and subsequently to stalled or failed projects. ‘Maturity models’ can help, but since every company has a different IGA journey, you will likely have to develop a highly personalised version to truly reflect your situation. Perhaps you’re embarking on the company’s first IGA initiative, or deciding where to invest next: what investments is the company making in digital acceleration, and how can IGA help there? And given the potential investment in IGA, how well is your company positioned to move up the maturity model to its intended target? You can find a simple maturity assessment here, but this is just a start; a true assessment will be much more detailed and personalised.

Prepare a complete picture of the status quo. This will be vital in determining what your Key Risk Indicators are. Risks arising from operational controls, such as inconsistency (inefficiency), lack of availability, redundancy and non-compliance, all carry negative potential for the company. Include all categories of user persona and provide a risk landscape to evaluate. This may be the most intensive “inward-looking” part of the process. Take, for example, a problem du jour that most organisations experience: how to tackle the growing adoption of SaaS applications within the workplace. Many organisations have hundreds of SaaS products live at any one time and no clear processes defined or implemented for identity lifecycle around these applications.

Identify ‘access silos’ that operate by different rules. Consider the privileged identity management pillar, and how IGA applies to elevated system administration functions within key business applications such as finance, and the nature of that access when it is held by outsourced contractors and vendors. Define how new accounts must be created and accessed in the future to resolve these problems whilst reducing your risk exposure. Model the risks inherent in your approach. And don’t be afraid to call in the experts when you lack the internal skills to make these calls. Often, a fresh set of eyes provides a different perspective.

Establishing the right goals

Fill the gaps. Work with your teams to build an approach that irons out these inconsistencies whilst defining and implementing controls that are enforced and reported by the IGA programme. Depending upon the nature of the company and the prioritised problems from step 2, this approach may be policy or technology based. In either case, you’ll need to ensure appropriate controls are in place and that these controls can be measured. Examples include ‘separation of duty’ controls to make sure no combination or type of access poses a security risk. Assign ownership to key apps and privileged identities, with a unified ‘centre’ for access that includes the necessary two-factor approval, monitoring and recording of access. Putting in place a process for requesting, escalating and approving access needn’t be an administrative IT burden; it can be one that works for the entire business.

Establish, monitor and socialise key IGA goals and key IGA performance indicators. Ensuring that your IGA controls are working and that you’re on your way to meeting your goals is essential not only to what you’re planning on doing but to knowing where to stop as you progress towards your goal. Socialising these results with your sponsors will also help to ensure the longevity of investment in the phased IGA programme of work. There are many ways, and many perspectives, when measuring the success of an IGA project. KPIs need not be hard to define: some are very tangible, whilst others are likely to be trends (is the trend increasing or decreasing, and what is a justifiable and acceptable steady state for it?). A short handful of well-agreed examples could include: passing your IT audit; reducing the number of orphan/dormant accounts; providing secure access request/release for privileged system accounts; establishing end-user authentication including two-factor authentication; increasing the number of systems supporting SSO so as to reduce the number of passwords; and reducing the number of separation of duty failures through effective access request. Determine which KPIs to measure to prove your progress towards your goal. This step may also require an outside eye to act as an effective guide.
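Three of the KPIs named above (orphan accounts, dormant accounts and separation of duty failures) can be computed directly from an account inventory joined against the HR roster. The following is an added example, not code from the article or from One Identity; the roster, account records and the toxic entitlement combination are constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): active employee ids from HR
# and an account export of the kind an IGA tool would produce for one application.
HR_ACTIVE = {"e100", "e101", "e102"}
ACCOUNTS = [
    {"id": "fin-alice", "owner": "e100", "last_login": date(2024, 5, 20),
     "entitlements": {"create_vendor", "approve_payment"}},
    {"id": "fin-bob",   "owner": "e101", "last_login": date(2024, 1, 3),
     "entitlements": {"view_ledger"}},
    {"id": "svc-batch", "owner": None,   "last_login": date(2024, 5, 29),
     "entitlements": {"run_jobs"}},
    {"id": "fin-carol", "owner": "e999", "last_login": date(2023, 11, 1),
     "entitlements": {"approve_payment"}},
]
# Constructed separation-of-duty rule: one identity must not both create a vendor
# and approve payments to it.
SOD_RULES = [({"create_vendor", "approve_payment"}, "vendor-and-payment")]
AS_OF = date(2024, 6, 1)  # review date for this KPI snapshot

def orphan_accounts(accounts, active_owners):
    """Accounts with no owner, or an owner who is no longer in the HR roster."""
    return sorted(a["id"] for a in accounts
                  if a["owner"] is None or a["owner"] not in active_owners)

def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Accounts with no login within max_idle_days of the review date (assumed policy)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["id"] for a in accounts if a["last_login"] < cutoff)

def sod_violations(accounts, rules):
    """(account, rule) pairs where one identity holds every entitlement in a toxic set."""
    return sorted((a["id"], name) for a in accounts
                  for combo, name in rules if combo <= a["entitlements"])

def iga_kpis(accounts, active_owners, rules, as_of):
    """One review cycle's KPI snapshot; compare successive snapshots to see the trend."""
    orphans = orphan_accounts(accounts, active_owners)
    dormant = dormant_accounts(accounts, as_of)
    sod = sod_violations(accounts, rules)
    return {"accounts": len(accounts),
            "orphan_count": len(orphans),
            "orphan_pct": round(100 * len(orphans) / len(accounts), 1),
            "dormant_count": len(dormant),
            "sod_violation_count": len(sod),
            "orphans": orphans, "dormant": dormant, "sod": sod}

if __name__ == "__main__":
    print(iga_kpis(ACCOUNTS, HR_ACTIVE, SOD_RULES, AS_OF))
```

Run against each cycle's export and keep the snapshots; the direction of the orphan and SoD counts over time is the trend the article says sponsors should see.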

Governance is about improvement

Regularly monitor and review your approach, managed by risk. IGA should be considered an ongoing, explorative journey of continual refinement of the KPIs as the business goals inevitably change over time. IGA is not a one-off programme with a beginning, middle and end. Stops and changes of route will occasionally be needed to ensure the organisation is deriving as much value as possible from the endeavour.

Governance is about improvement, accountability and responsibility. Organisations are exposed to continually shifting operating environments, and as such an IGA programme is a continual process of refinement. That means regularly providing evidence of controls, proving that the business is on the right track to reduce its risk profile while supporting new digital business efforts. There are clear and quantifiable benefits to be had from effective IGA that deliver far more than protection against the cost of crime and data breaches. A risk-aware enterprise that provides secure and effective access puts itself in the very best position to be competitive and innovative in an increasingly aggressive global marketplace.

Paul Walker, Technical Director, EMEA, One Identity