How to prove that you are in control
Reporting about your current identity status and identifying potential risks or gaps remains a challenge.
Elimity provides you with the essential guide on how to prove you are in control.
👉 8 Categories of identity indicators;
👉 How to choose the right indicators?
👉 Indicators based on the ISO27001-framework;
Introduction
Over the last decade, IT complexity has grown to challenging levels. Almost every company now has to manage a large amount of applications in a complex IT infrastructure consisting of large amounts of accounts and permissions.
Having control over who can access which data in such an environment is crucial for privacy, compliance and protecting against cyber threats.
The traditional answer to this challenge is introducing human governance processes, typically for requesting, approving and reviewing employees' accesses. Those processes are crucial for your operational efficiency and having them checks the necessary compliance boxes, but they don’t necessarily lead to actually being in control of the users and their access.
How do you know if you’re in control? And how can you prove it?
Those questions are exactly why we wrote this guide. Because reporting about your current identity status and identifying potential risks or gaps remains a challenge.
Based on our own experience and frameworks such as ISO 27001, we bundled a set of crucial indicators that you should measure in order to know whether you are in control - and to prove that you are.
💡KPI? KRI? KCI?
Key performance indicators (KPIs) measure performance - the achievement of identified goals. Key risk indicators (KRIs) measure risk exposure - they are an early warning to potential threats. Key control indicators (KCIs) measure the effectiveness of controls that are put in place.
One of the main goals of identity management is, however, reducing risk. And the performance of identity management is translated for a large part into the effectiveness of processes, the output. As such, there is not always a clear or strict distinction between a KPI, KRI and KCI within identity management. In this guide, we use the term key identity indicator.
What does it mean to be in control?
There are 4 aspects of being in control of your identities: security, risk, operational efficiency and compliance. The key identity indicators described next often provide evidence for multiple aspects at once. This is illustrated in the figure below.
The right choice of indicators
For most of the organizations the same set of key identity indicators is relevant. Nevertheless, no two organizations are exactly the same. Depending on their focus areas of being in control, some indicators will be more relevant than others. Answering questions that matter and getting support from management will be much easier if the indicators are aligned with your focus areas.
It’s important to understand that the choice and priority of indicators is not set in stone for all time. There are several factors that could influence what it means to be in control for your organization. Think about strategies and goals that develop over time, more information that becomes available, changes in the regulatory landscape, etcetera.
In the following pages we’ll take a closer look at each of these categories.
Prove that you are in control
1. Orphaned Accounts
What: Accounts that are no longer active or have no owner.
Why: SECURITY + OPERATIONAL EFFICIENCY
Details:
Orphaned accounts form an interesting path for hackers to gain access to organization resources, applications or systems. Organizations that fail to take the necessary steps to close these entry points leave the door on a jar for attackers, and expose themselves to unnecessary risk. By identifying and cleaning up these accounts, security risk is reduced significantly.
Moreover, tracking orphaned accounts can provide insights to improve operational efficiency. When an employee leaves the organization or when a contractor’s project has ended, their accounts must be deactivated (i.e. disabled). This should be part of the typical offboarding process. However, in practice, it happens that those accounts are incorrectly deactivated or not deactivated at all. By finding out why these accounts were not deactivated, the offboarding processes can be improved.
Metrics:
- Accounts for which the user has not logged in for quite some time. Accounts that have not been used for a certain period of time are also known as dormant accounts. What that time period should be exactly can vary for different types of accounts and between organizations. Often 90 days is considered for standard accounts.
- Accounts for which the user has not logged in since they got the account, also called ignored accounts.
- Uncorrelated accounts, also known as ghost accounts. These are accounts that do not belong to any employee or accounts that belong to an employee that is not active anymore. So in other words, accounts without an active owner.
- Accounts with a status indicating inactivity. Think for example about an employment status ‘retired’ or an activity status ‘inactive’. The clue is to look at the user characteristics in the identity system that could indicate inactivity of a user.
👍 Rule of Thumb
A rule of thumb about when an account can be identified as having a high number of roles or permissions: the total number of roles or permissions exceeds twice the average.
Download the full guide to take action yourself!
8 Categories of Key Identity Indicators
- Orphaned Accounts
- Privileged Accounts
- Access Accumulation
- Identity Hygiene
- Role Hygiene
- Data Quality
- Segregations of Duties
- Business-specific Indicators