How to Measure the Success of IAM Deployment
Technology projects, including identity and access management, or IAM, simply don’t realize their full potential or fail over time. A prime reason for these poor results is a lack of identifying and implementing performance measurements. Here, James Quick, Director, Solutions & Advisory for Simeio Solution, says assigning KPIs can help understand the outcome of the deployment.
To ensure the right users have the appropriate access and authorization to digital resources, organizations buy IAM tools and implement the system. If the deployment was completed on-time and on budget, they may deem the project a success. That’s great. After some months, they may question how the solution is benefiting them or the value it’s delivering.
Unfortunately, without a clear understanding of the goals and objectives behind the deployment, they may never understand its true benefits and value. Without performance indicators to guide them, they won’t have insights into how the system is performing, nor how to optimize it to achieve greater value.
IAM investments can languish, or fail, without a built-in measurement to manage the intended business outcomes. However, companies can achieve a higher return on their investment when business outcomes are identified and incorporated into key performance indicators (KPIs).
After a project is approved, most IAM initiatives focus on implementing the project work, with a rudimentary understanding of how it will benefit the business. Without quantifying and then qualifying how the project addresses business outcomes and having them signed off by all stakeholders, they can’t know how well it aligns with business goals.
Measuring a Technology Solution’s Value
KPIs measure functional performance and match results with business goals. They demonstrate how effectively the solution achieves key business objectives, measured against targets, metrics and thresholds for specified goals. They track performance levels and determine progress against those values. KPIs can then be associated with identity management SLAs. This capability brings greater visibility and helps manage outcome-based factors, like security, risk, operations and customer relationships.
Using KPIs to Understand the Value IAM Delivers
An IAM that includes a library of KPIs, with definitions for multiple factors, can be implemented into the dashboard. Additional data from third-party applications, like a help desk, can be integrated into the IAM through APIs. Data is automatically fed into a KPI engine, and the results are reported and analyzed, providing insights to make adjustments to improve business outcomes.
Organizations implement IAM with certain goals and objectives they wish to achieve. Each goal can be measured using KPIs. Below are a few examples:
- Business Risk: An IAM that includes KPIs with key risk factors can monitor and quantify their effectiveness in reducing risk, such as mitigating against breaches and managing compliance. The time between the date an employee leaves, is terminated or is laid off and the date their internal accounts are disabled can present a risk if someone nefariously accesses them. Orphaned accounts provide access to corporate systems and applications, even though they don’t have a valid user. These accounts, like email, Salesforce, social media, and many others, belonged to former employees. An IAM system with a correlation engine can associate KPIs to these accounts to help close the risk gap. A KPI might be monthly monitoring with a metric of less than 1% of orphaned accounts, a threshold of 5% and an overall goal of 0%. This is but one example of how a risk officer can see results from an IAM process and its value by reducing risk.
- Business Operations: Efficient business operations ensure systems and processes are in place to optimize performance, quality, costs, and continuity. Improving employee productivity is a key objective. KPIs within the IAM can monitor the time between an employee’s start date and when they first log in to their applications. It can show all new employees’ data and the time it takes for them to access applications. Because this contributes directly to productivity, department managers can better understand how to improve the process and reduce the time it takes for new employees to get login credentials. A KPI can track when users call the help desk to reset their password, versus doing it themselves. This is not only a productivity issue, it is a cost to the company, as an average help desk call costs $60.00 – $80.00. The issue here is making the password system easier for users. A KPI can track how many password resets were handled by the help desk each month versus users doing it themselves. Data analysis can be used to improve the password system.
- Security: Tracking KPIs for user credentials and privileged accounts – who owns them, what they access, and violations related to your Segregation of Duty (SoD) policies, all contribute to security. Here are some security KPIs you should consider.
  - Number of credentials per user – how many accounts does a user need to do their job? The more they have, the easier it is to lose track, and the more likely they are to use weak passwords. This can happen when you don’t have a Master SSO for internal assets or federation for external systems.
  - Segregation of Duty violations – if there’s one thing your auditor looks for to give them a strong sense of security in your controls framework, it’s strong technologies to prevent SoD violations. Tracking and managing SoD violations puts you ahead of internal and external auditors.
  - Privileged accounts without an owner – orphaned accounts are bad enough, but when those accounts are privileged, you’re leaving the front door wide open for compromise.
  - Privileged access reviews – access reviews are great and are a recurring task for most managers and application owners. But usually, they’re only reviewing access for non-privileged accounts. They should also do the same for privileged access.
- Customer relationships: A quality user experience can make or break a business relationship. Websites need to eliminate impediments that add difficulty to the customer’s experience. This includes simplifying the login process, whether for consumers purchasing products or employees using applications. If logins are too cumbersome, buyers will go elsewhere, and employees will lose productivity.
Companies with multiple services, like financial services with insurance, loans, checking and savings, need a single view of the user. If customers are required to log in separately for each service, that creates friction. A KPI can identify these login issues so they can be resolved, and can measure progress in improving the user experience. Customer engagement KPIs can also track falloff rates. This can be accomplished by defining success thresholds for user logins, like the number of failed login attempts versus successful logins.
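To make the Business Risk and Security KPIs above concrete, the following added example (not from the article or any IAM product) correlates HR records with application accounts to compute the orphaned-account rate, the deprovisioning lag, and privileged accounts without an owner. The data, field names, the denominator (all accounts) and the reading of the 1% metric and 5% threshold as status bands are assumptions.

```python
from datetime import date

# Constructed sample data: HR records keyed by employee id, and application accounts.
HR = {
    "e100": {"active": True, "left": None},
    "e101": {"active": False, "left": date(2024, 3, 1)},
    "e102": {"active": False, "left": date(2024, 3, 10)},
}
ACCOUNTS = [
    {"id": "mail:e100", "owner": "e100", "privileged": False, "disabled_on": None},
    {"id": "crm:e101", "owner": "e101", "privileged": False, "disabled_on": date(2024, 3, 4)},
    {"id": "crm:e102", "owner": "e102", "privileged": False, "disabled_on": None},
    {"id": "db:admin", "owner": None, "privileged": True, "disabled_on": None},
]

def is_orphaned(acct, hr):
    """Enabled account whose owner is missing or no longer an active employee."""
    if acct["disabled_on"] is not None:
        return False
    owner = hr.get(acct["owner"])
    return owner is None or not owner["active"]

def orphaned_rate(accounts, hr):
    """Orphaned accounts as a percentage of all accounts (assumed denominator)."""
    if not accounts:
        return 0.0
    return 100.0 * sum(is_orphaned(a, hr) for a in accounts) / len(accounts)

def rate_kpi(value, metric=1.0, threshold=5.0):
    """Below the metric is on target; at or above the threshold is a breach."""
    if value < metric:
        return "on_target"
    return "warning" if value < threshold else "breach"

def deprovision_lag_days(accounts, hr, as_of):
    """Days from an employee's leave date to account disablement (or to as_of)."""
    lags = {}
    for a in accounts:
        owner = hr.get(a["owner"])
        if owner and owner["left"]:
            lags[a["id"]] = ((a["disabled_on"] or as_of) - owner["left"]).days
    return lags

def unowned_privileged(accounts, hr):
    """Privileged accounts that are also orphaned: the highest-risk subset."""
    return [a["id"] for a in accounts if a["privileged"] and is_orphaned(a, hr)]

if __name__ == "__main__":
    rate = orphaned_rate(ACCOUNTS, HR)
    print(f"orphaned: {rate:.1f}% -> {rate_kpi(rate)}")
    print("lag (days):", deprovision_lag_days(ACCOUNTS, HR, date(2024, 3, 31)))
    print("privileged, no owner:", unowned_privileged(ACCOUNTS, HR))
```

An account that is still enabled after its owner has left keeps accruing lag until it is disabled, so the lag KPI and the orphaned-account KPI move together.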
Implementing KPIs Empowers IAM Success
KPI measurements are based on specific inputs that let you know when a goal has been reached. This can apply to many business functions, like improving time to market, shortening purchasing decisions, increasing conversion rates, and minimizing help desk calls.
The added visibility and insights derived from combining IAM with KPIs enable incremental changes that bring small innovations with significant competitive advantages. When planning an IAM project, KPIs should be part of the scope. Asking why and understanding how will provide the data necessary to analyze the results, prioritize projects, and understand the actions needed to improve business outcomes. An IAM project scope considers all of the work elements, like gaps a new system needs to fill, automating application provisioning, deploying password and management tools, and implementing security policy enforcement.
Project scope defines project objectives and the expected benefits. It clarifies what will be done and identifies limitations, dependencies, and assumptions. Typically, the project focus is on technology implementation and project inputs. In addition to the “what and how” of a project, we need to know the “why.” This will help us to realize the benefits fully and the value the solution brings to the company.