Earlier this week I posted an article that provided the Top Reasons to Implement Identity Management. That article started quite a bit of offline debate, so I thought I would follow it up by quantifying the various categories of identity management projects, assigning to each category some of the top identity management metrics that you should care about.
Identity Management Metrics
The idea behind this article is to discuss and classify specific metrics that indicate the need to adopt identity management practices and solutions. Although this list will not be exhaustive, it will provide most of the top identity management metrics that most companies will benefit from. Again, we will break down the metrics by the main drivers for identity management as defined in my Top Reasons to Implement Identity Management.
Note that for the purpose of this exercise we will cover drivers across identity provisioning as well as governance solutions, and the metrics are technology and platform agnostic.
Operational Efficiency – Identity Management Metrics
- Number of high-to-medium prioritized systems: Face it, deploying identity management platforms is a journey that should include a roadmap; you cannot hit ALL systems in phase 1. Thus a good approach would be to identify and categorize all systems according to priority. This categorization should include various factors, including the number of users in the system, the risk associated with the system, etc. (You should add specific adoption metrics that fit your specific company or customer to create your own system adoption matrix.) This categorized list will give you an indication of the scope of management and the extent of authorization / authentication silos within the business. A realistic first phase would easily include between 3 and 12 systems. Just removing the most menial administrative tasks (information update, provisioning, etc.) associated with these systems would provide great levels of efficiency.
- Average number of distinct credentials per user (across prioritized systems): When looking at the potential business impact of automation (information synchronization, provisioning and de-provisioning) – even just at the object/account level – a great indication of efficiency gained can be extrapolated from the number of identities being managed across the various prioritized systems (excluding the amount of change in each repository). If these systems contain the entire population of users (e.g. Active Directory, physical access and similar), efficiency can immediately be gained from even quite broad automation policies. As a simple guideline, the industry average for the number of accounts per user ranges between 10 and 12, although I have come across companies with values much higher than this.
- Average number of updates / changes per user or per prioritized system: An additional metric that can be explored is the number of service desk requests of each type associated with the specific system. Note that it is sometimes very difficult to accurately determine the impact of these service desk requests across all the systems, due to the often segmented nature of how these systems are managed. One important consideration to take into account is the data discrepancies that never reach the service desk. Many systems have quite stale information that is never effectively managed. Although this does not pose a risk in systems of low priority, there is always efficiency to be gained by automating information updates across all integrated systems (e.g. surname changes during marriage, job description and logical location during transitions, etc.).
- Number of password reset requests per month: One of the biggest return on investment (ROI) metrics that drive identity management technologies is the automation of high service desk impact (and assurance risk) areas such as password resets. The automation of password resets also includes security efficiencies, since the level of assurance regarding the initiating party is increased (due to the authorization process that often includes second factor authentication technologies vs. a voice on a phone). According to Gartner and Burton Group research, password reset requests represent 30% – 40% of all service desk requests. Additionally, the META Group estimates that each service desk request costs an average of $25. The automation of a simple task such as a password reset request (removing this burden from Level 1 support activities) can have a huge ROI. This ROI is often enough to justify the platform expense as well as the initial professional services engagement, while adding the benefit of sinking the cost for the establishment of an identity management capability.
- Number of new accounts provisioned in a specific period (e.g. month): Many companies or types of businesses have high staff turnover (many times for valid business reasons). The ability to automate such a high level of staff provisioning (and de-provisioning for security reasons) can hugely reduce the overhead on administrative staff who have to manage the change in the various authentication silos within the company.
- Average time it takes to provision or de-provision a user in all required systems: Another great metric (that can be measured and calculated towards an actual cost) is the number of man-hours lost due to simple back-end administration process inefficiencies. Follow a typical provisioning and de-provisioning cycle to determine the average time it takes for a new employee to gain access to all high priority systems (directory, email, document repositories and line-of-business apps). Reducing this time provides efficiency on multiple levels. In the past I have worked with companies that had manual provisioning processes that took on the order of three weeks to get a base user operational within the company. This case was easily addressed through the deployment of a simple integrated provisioning platform.
- Average time it takes to authorize any request for change: Many companies follow a request process to drive the ad-hoc requesting of accounts and entitlements. The ability to accurately measure and escalate such processes provides efficiency to the end-user, the department as well as within the service desk environment.
Take the time to calculate the cost of administration resources or an outsource contract when it comes to the administration metrics described above. You might find a compelling business case, or you may find the cost of implementing and operating an identity provisioning platform is not justified based on your current operational model. Should the business case not be clear, it is highly likely that your primary driver does not lie with efficiency, but (possibly) rather with security or governance.
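As an added example (not part of the original article), the Python sketch below measures three of the metrics from the list above from account exports: accounts per user, time to provision, and time to de-provision. The user names, dates and record layout are constructed for illustration, and the four system names follow the high priority systems mentioned above.

```python
from datetime import date
from statistics import mean

REQUIRED = {"directory", "email", "docs", "lob"}  # assumed prioritized systems
# Constructed sample rows: (user, system, created, disabled or None)
ACCOUNTS = [
    ("alice", "directory", date(2024, 3, 4), None),
    ("alice", "email", date(2024, 3, 5), None),
    ("alice", "docs", date(2024, 3, 11), None),
    ("alice", "lob", date(2024, 3, 25), None),
    ("bob", "directory", date(2024, 1, 8), date(2024, 6, 3)),
    ("bob", "email", date(2024, 1, 9), date(2024, 6, 3)),
    ("bob", "docs", date(2024, 1, 15), date(2024, 6, 3)),
    ("bob", "lob", date(2024, 1, 22), date(2024, 6, 14)),
    ("carol", "directory", date(2024, 5, 6), None),  # other systems still missing
    ("dave", "directory", date(2023, 9, 4), None),   # left, never disabled
]
HIRED = {"alice": date(2024, 3, 4), "bob": date(2024, 1, 8),
         "carol": date(2024, 5, 6), "dave": date(2023, 9, 4)}
LEFT = {"bob": date(2024, 5, 31), "dave": date(2024, 4, 30)}  # constructed leavers

def identity_metrics(accounts, hired, left, required):
    by_user = {}
    for user, system, created, disabled in accounts:
        by_user.setdefault(user, {})[system] = (created, disabled)
    prov, deprov, incomplete, lingering = [], [], [], []
    for user, systems in by_user.items():
        if required <= set(systems):  # operational once every required account exists
            last = max(systems[s][0] for s in required)
            prov.append((last - hired[user]).days)
        else:
            incomplete.append(user)
        if user in left:
            still_open = [s for s, (_, off) in systems.items() if off is None]
            if still_open:  # report, do not average: the user is not de-provisioned
                lingering += [(user, s) for s in still_open]
            else:
                last_off = max(off for _, off in systems.values())
                deprov.append((last_off - left[user]).days)
    return {
        "avg_accounts_per_user": mean(len(s) for s in by_user.values()),
        "avg_days_to_provision": mean(prov) if prov else None,
        "avg_days_to_deprovision": mean(deprov) if deprov else None,
        "incomplete": sorted(incomplete),
        "lingering": sorted(lingering),
    }

if __name__ == "__main__":
    print(identity_metrics(ACCOUNTS, HIRED, LEFT, REQUIRED))
```

Users who never reached all required systems, and leavers whose accounts are still enabled, are listed separately instead of being averaged, because an average would hide exactly the cases that matter most.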
In the next article we will explore security drivers in greater detail.