IAM Sprint: Identity Analytics

21 May, 2024, by Simon Young

Everyone loves a dashboard. They look pretty and a picture tells a thousand words. Apparently.

Your identity governance platform should allow you to automate your user onboarding, provisioning, and life-cycling, but this is not enough. You also need to prove how effective those processes are and how that effectiveness compares against your Key Performance Indicators (KPIs).

Out-of-the-box reporting ought to go a long way in helping you better understand your identity posture. Indeed, the IBM Security Verify Governance platform ships with over 100 such reports, along with a Report & Dashboard Designer module that enables you to create bespoke reports for your data and audience.

With this you should have all the data that you are likely to require to produce effective reporting against your KPIs.

The Warm Up

What information might you need to delight your key stakeholders and auditors?

What information are you currently exposing to your stakeholders? It is likely that the following reports are being generated:

  • User Metrics: Number of active/inactive users by user type
  • Orphan Metrics: Number of unmatched or orphan accounts by provisioning target
  • Dormancy Details: Active accounts that are seemingly no longer used
  • Status Mismatches: Details of inactive or suspended users who continue to have active accounts
  • Entitlement Details: A breakdown of entitlements and the business unit within which they are available
  • Expiring Users: A list of those users who will shortly have no further relationship with your business

If you find that you are not currently generating (or acting upon) these reports, then do so immediately. They ought to be very straightforward to create, publish, and act upon.

These reports should be considered baseline reports and should be available in your identity arsenal by default.

The Sprint

Reinforcing your identity armoury over a two-week sprint should be within your capabilities. For most IGA tools, reporting can be extended as a BAU process. You should think seriously about tackling the following:

Timeliness KPIs

  • Average time to onboard: the time it takes between an identity record appearing, the relevant downstream accounts being created, and the correct entitlements being assigned should be captured and reported on. For a fully automated platform, the timeliness is likely to be recorded in minutes and seconds but more important is the capture of the time taken for those processes requiring manual intervention.
  • Offboarding effectiveness: the time it takes to ensure that all downstream accounts have been either disabled (and entitlements removed) or deleted following a user’s end date being reached. Access should, in theory, be revoked on the same day that the user leaves the organisation.

Cost Reduction KPIs

  • Automation v Manual Fulfilment: The automatic assignment of entitlements because of some birth-right entitlement rule is much more cost-efficient than having someone on the Service Desk responding to an entitlement request ticket. Now is a good time to gain insight into how entitlement fulfilment is being achieved. Break down the analysis by automatic fulfilment, manual fulfilment via the IGA tool, or (heaven forbid) manual assignment in the provisioning target.

Risk Analysis KPIs

  • Entitlement drag analysis: Many organisations have historically allowed users to move around the organisation without reviewing the entitlements they take with them. It should be easy to run analysis on the effect of that drag and at least begin the process of drag remediation. For example, why is there someone in the Marketing Division entitled to ‘Close the General Ledger’?
  • Peer analysis: The ability to identify those people who have unusual assignments compared to their peers could be crucial in minimising the attack surface in your organisation.
  • Approver analysis: Was access to systems approved by someone who no longer works in your organisation? If so, maybe it is time for that access to be reviewed.
  • Status mismatch analysis: Just because an identity record is flagged as being inactive doesn’t mean that the accounts associated with that identity record are also inactive. They ought to be. But what happens if they are not?
  • Entitlement assignment frequency: If someone is having their assigned entitlements updated frequently, should that sound the alarm bells? Probably. Most users in an organisation ought to have a consistent set of entitlements after all.
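
Three of the risk analyses above (status mismatch, approver analysis and peer analysis) worked through on a small data set. This is an added example, not code from IBM or Madigan Solutions; the record layout, names and the 0.5 peer threshold are assumptions, and the data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample data; the schema is hypothetical, not an IGA export format.
IDENTITIES = {
    "alice": {"dept": "Finance", "active": True},
    "bob": {"dept": "Finance", "active": True},
    "carol": {"dept": "Finance", "active": True},
    "dave": {"dept": "Marketing", "active": True},
    "erin": {"dept": "Marketing", "active": True},
    "gina": {"dept": "Marketing", "active": True},
    "frank": {"dept": "Marketing", "active": False},  # has left the organisation
}
ACCOUNTS = [  # (owner, provisioning target, account enabled?)
    ("alice", "ERP", True), ("dave", "ERP", True),
    ("frank", "CRM", True), ("frank", "AD", False),
]
ASSIGNMENTS = [  # (user, entitlement, approver)
    ("alice", "Close the General Ledger", "bob"),
    ("bob", "Close the General Ledger", "carol"),
    ("carol", "Close the General Ledger", "bob"),
    ("dave", "Close the General Ledger", "frank"),
    ("dave", "Publish Campaign", "erin"),
    ("erin", "Publish Campaign", "dave"),
    ("gina", "Publish Campaign", "erin"),
]

def status_mismatches(identities, accounts):
    """Enabled accounts whose owning identity record is inactive."""
    return [(owner, target) for owner, target, enabled in accounts
            if enabled and owner in identities and not identities[owner]["active"]]

def departed_approvals(identities, assignments):
    """Assignments approved by someone who is no longer an active identity."""
    return [(user, ent, approver) for user, ent, approver in assignments
            if not identities.get(approver, {"active": False})["active"]]

def peer_outliers(identities, assignments, threshold=0.5):
    """Assignments held by less than `threshold` of the user's active department."""
    peers = Counter(i["dept"] for i in identities.values() if i["active"])
    holders = defaultdict(set)
    for user, ent, _ in assignments:
        if identities[user]["active"]:
            holders[(identities[user]["dept"], ent)].add(user)
    return sorted((user, ent, round(len(users) / peers[dept], 2))
                  for (dept, ent), users in holders.items()
                  if len(users) / peers[dept] < threshold for user in users)

if __name__ == "__main__":
    print(status_mismatches(IDENTITIES, ACCOUNTS))
    print(departed_approvals(IDENTITIES, ASSIGNMENTS))
    print(peer_outliers(IDENTITIES, ASSIGNMENTS))
```

The same Marketing user surfaces in two reports: the entitlement is rare among peers and was approved by a leaver, which makes it a natural first candidate for review.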

The IBM Verify Identity Analytics platform can rapidly add comprehensive dashboarding capabilities regardless of the IGA suite that you have managing your identities. In other words, you don’t have to be an IBM Security Verify Governance customer to get benefit from the analytics platform.

The dashboarding includes:

  • Recommended actions
  • Top Violations
  • Top Risky Users
  • Top Risky Applications

The Warm Down

With the relevant reports to hand, now is the time to review the information you have and determine its relevance. You can make tweaks as needed and work out a mechanism of delivering the information to your key stakeholders, equipping them to make better informed decisions.

© Copyright 2024 Madigan Solutions UK Limited
Madigan Solutions UK Limited is a company registered in Northern Ireland with Company Number NI675324. VAT Number 368 3929 47.
