Identity governance is important, right? Everyone agrees, but how can you measure its value?
It looks daunting, but all you need is to have a framework to understand identity governance and a very simple equation: Risk (R$) = likelihood (%) x Impact ($).
I’ll break this down into two parts – the first part is the framework that we’ll use to quantify the value and the second will cover how to calculate the value within that framework.
Identity Governance Framework
- Entitlement Governance
- Fulfilment Governance
- Activity Governance
- Authentication Governance
Entitlement governance is tasked with the important duty of ensuring that people only have appropriate (needful) access to permissions and resources. It is also tasked with ensuring that all resources and permissions (including accounts) are owned with a clearly understood impact ($) should they be abused.
Entitlement governance asks the following questions:
- Is every “account” owned? (orphaned accounts)
- Does each permission or resource have a dollarized impact should it be abused/compromised? (Risk)
- Do we have a methodology or practice to determine the likelihood (%)? (Risk)
- Do we understand the direct cost of each permission? (Decision analytics)
- Does each person actually need each permission they currently hold? (access creep)
These look like intimidating questions, but there are practices (User Access Reviews) and tools to readily answer these questions.
Fulfilment governance is tasked with ensuring that fulfilment actions are completed and done within the approved framework. This is critical to identify rogue administration actions. Not all rogue fulfilment (provisioning / deprovisioning) actions are malicious, but they are all important; e.g. are people avoiding the use of the provisioning system because of poor training, or a bad UI? Each time an ungoverned fulfilment action occurs, it either costs the business extra money or opens a large risk.
Fulfilment governance asks the following questions:
- Was the fulfilment request correctly executed? (rework/risk)
- How many governed fulfilment requests were not done through the approved process or tool?
  - What was the cost of this?
  - Should this fulfilment be rolled back?
  - Why were these happening? (process improvement)
This can be delivered in a “batch” fashion, but the most value is derived from an event driven (near real-time) system; less latency equals less risk exposure and time to correct.
Activity Governance looks at what is happening and what has happened in an environment. Identity, be it for users, applications or other assets, is critical to link all of the disparate data sources into a coherent story. Being able to map actions or events through time back to a given entity is critically important if there is the desire to answer the following questions:
- When was this entitlement last used and by whom? (Is it “stale”?)
  - Entitlement: asset, application, account or permission
  - If stale, then trigger entitlement governance processes
- Is the pattern of usage (asset or application) “normal” behaviour? (behavioural analytics)
- How do I provide a full activity history (report) about a user, application or asset?
Typically this is the domain of a SIEM, and it requires that the SIEM be fed identity mappings to provide appropriate contexts for analysis and action. Typical contexts are time, identity, service and risk.
The purpose of Authentication Governance is to ensure that the authentication controls for a user or application are appropriate for the agreed dollarized risk (R$). A good example of where this is done intuitively – often forced by legislation – is healthcare; e.g. it is common for the prescription of “controlled substances” to require step-up authentication (usually biometric) to minimise the risk of abuse. Some of the questions authentication governance tries to answer are:
- Given the risk (R$) of an application, what are the appropriate authentication controls required?
- Given the risk (R$) of a user, what authentication controls are required?
- How do the connection attributes impact the risk rating of a user or application?
- What is the “friction” of these controls?
We have tools to do this – attribute based access control (ABAC) and multifactor authentication (MFA) technologies – and I hope to show a way to calculate when we should use these in part II of Measuring the Value of Identity Governance.
Business Continuity Planning
The fortunate part of calculating risk dollars for identity governance is that we can start with the work done by Business Continuity Planning (BCP). BCP uses impact values to work out what functions (including IT services/applications) should be protected. We can use these (BCP) dollarized impact values for each application as the starting point for the identity governance risk calculations. Reviews are required as they measure different things (outage versus abuse), but we want to reduce the calculation friction.
Whilst the business is usually good at articulating the value of an application or service, most of the arguments in BCP are about the annual “likelihood” of a failure. The same is true of identity governance, except we are talking about the likelihood of a breach. In this example, the likelihood ratings I am going to use are based on the data from the 2017 Verizon data breach report. I’ll use the average chance of a user being successfully attacked via a phishing attack (7.3% – see page 34) as the likelihood that an identity (and associated entitlement) will be compromised in a year. See the following table for industry specific numbers.
When doing these calculations for your organization I’d recommend a scaling factor based on local knowledge, e.g.:
- Attractiveness – finance is always an attractive target.
- Defences – how much does the organization invest in security training, processes and technology?
- Rogue users – how likely are your internal users to attack? e.g. Universities
The critical thing to note here is that we now have a risk dollar rating for each application. This allows us to make the following risk dollar calculations:
- An entitlement then has a subset of the application’s risk dollars (making it easier to agree on).
- A role’s risk dollar value is an aggregation of its entitlements.
- A user’s risk dollar value is an aggregation of its entitlements/roles.
These risk dollar ratings are foundational for decision analytics/support and authentication governance.
Please note: I’ll provide my estimates of cost (some handwavium) so please consult Kuppinger-Cole, Gartner, Forrester and friends to get industry standard numbers, etc. and customize to your specific situation.
Entitlement governance is charged with ensuring that people/systems only have appropriate (needful) access to permissions and resources, so its value proposition is based on the following:
- The risk value of entitlements (permissions/resources) revoked (no longer used/required)
- The risk value of orphaned entitlements (accounts) removed or “owned”
- The direct savings (license or SaaS) from revoking accounts or entitlements
The value calculations are based on the following assumptions:
- Entitlements will have an average impact value of $1,000 and an average annual OpEx of $100
- Usernames/passwords are used, which implies a likelihood of 7.3%
- Our 1,000 employee organisation has:
  - 10% staff turnover and 20% of staff change an entitlement each year
  - An average of 10 entitlements per member of staff
  - Permission changes that apply to only 50% of those 10 entitlements (5)
- Only 70% of revocations are completed successfully
Thus, each year we will accumulate the following risk dollars (R$) and cost reduction:
- Average entitlement risk: $1,000 x 7.3% = R$73
- Average orphaned entitlements: 1,000 x 10% x (1 – 70%) = 30 entitlements
- Average access creep: 1,000 x 20% x 5 x (1 – 70%) = 300 entitlements
- Average risk: R$73 x (30 + 300) = R$24,090
- Cost reduction: $100 x (30 + 300) = $33,000
As we can see from this, the real cost savings ($33,000) are significant and the improved risk profile (R$24,090) would help the security team to be a little happier.
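The entitlement governance calculation above, as an added Python example that is not part of the original post, written as a parametrised function so the assumptions can be swapped for local numbers; the `orphan_likelihood` parameter is my own addition for using a different likelihood on orphaned accounts.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EntitlementAssumptions:
    """Inputs for the annual entitlement governance value calculation (post's defaults)."""
    employees: int = 1000
    entitlement_impact: float = 1000.0     # $ impact if the entitlement is abused
    entitlement_opex: float = 100.0        # $ annual licence / SaaS cost per entitlement
    compromise_likelihood: float = 0.073   # username/password identity compromised per year
    turnover_rate: float = 0.10            # leavers per year; their entitlements become orphaned
    change_rate: float = 0.20              # share of staff who change an entitlement each year
    entitlements_per_person: int = 10
    change_fraction: float = 0.50          # share of a person's entitlements a change touches
    revocation_success: float = 0.70       # share of revocations completed successfully
    orphan_likelihood: Optional[float] = None  # assumption: optional lower likelihood for orphans


def annual_value(a: EntitlementAssumptions) -> dict:
    """Risk dollars (R$) accumulated and OpEx recoverable per year, rounded to cents."""
    failed = 1 - a.revocation_success
    # Leavers whose entitlements were never revoked become orphaned entitlements.
    orphaned = a.employees * a.turnover_rate * failed
    # Movers whose old entitlements were not revoked accumulate access creep.
    creep = (a.employees * a.change_rate * a.entitlements_per_person
             * a.change_fraction * failed)
    risk_per_entitlement = a.entitlement_impact * a.compromise_likelihood  # R$73 by default
    orphan_p = a.compromise_likelihood if a.orphan_likelihood is None else a.orphan_likelihood
    risk_dollars = (orphaned * a.entitlement_impact * orphan_p
                    + creep * risk_per_entitlement)
    return {
        "risk_per_entitlement": round(risk_per_entitlement, 2),
        "orphaned_entitlements": round(orphaned, 2),
        "access_creep_entitlements": round(creep, 2),
        "risk_dollars": round(risk_dollars, 2),
        "opex_saved": round((orphaned + creep) * a.entitlement_opex, 2),
    }


if __name__ == "__main__":
    for key, value in annual_value(EntitlementAssumptions()).items():
        print(f"{key}: {value:,.2f}")
```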
Please note that this does not factor in the costs of compliance failure for such things as SOX, HIPAA, PCI-DSS, etc.
Also, you may wish to alter the likelihood of orphaned accounts/entitlements as password compromises can be less likely.
As fulfilment governance is tasked with ensuring that fulfilment actions are completed and done within the approved framework, the value can be measured in two ways:
- When fulfilments occur within the framework, it has a readily measurable cost avoidance aspect – see “Measuring the value of Identity Management” for more details
- When fulfilments occur outside the framework and are:
  - Approved, they are considered “orphaned” until entitlement governance picks them up.
  - Revoked, then the risk likelihood is calculated based on their “malicious intent”
Let’s consider an exceptional fulfilment that was maliciously created as part of a hacking attempt. We can calculate the risk value based on the following assumptions:
- The entitlement has a financial delegation authority of $100,000
- As we know that this was malicious, we assign a likelihood of 80%
- We are not factoring in time here, but this is where an event driven system is a huge benefit.
From this we can see that:
- Malicious risk: $100,000 x 80% = R$80,000
- Non-malicious risk: $100,000 x 7.3% = R$7,300
We chose a financial delegation authority because it is the easiest to measure, but this applies to many different fields – intelligence, politics, etc. The same calculation applies, but the impact values become difficult to quantify despite their importance.
As activity governance contextualises the events in an environment into coherent stories, the obvious value comes from the reduction in costs to complete compliance reports. A second significant saving comes from the detection of “stale” entitlements.
Compliance cost reductions are normally driven by legislation of some description and are easy to quantify based on the following assumptions:
- Compliance reports required per year = 10
- Manual effort to run each compliance report = 100 hours
- Effort to get each report from activity governance = 5 hours
- Average wage of $40/hr
- Thus the cost avoidance for compliance reporting is: 10 x (100 – 5) x $40 = $38,000.
The second benefit from detecting “stale” entitlements is not just the risk reduction, but also the operational expenses for license and/or subscription fees. The detection of “stale” entitlements is important because entitlement reviews (UAR) will normally only be targeted to high risk entitlements (cost vs benefit). Activity governance can close that final gap by triggering as needed entitlement reviews for “stale” entitlements.
We can quantify the savings based on the following assumptions:
- These entitlements are not covered by UAR campaigns
- 10% of employees (100) have a SaaS entitlement they have not used in six months (“stale”).
- 90% of these are confirmed as not required through entitlement governance.
- Entitlements will have an average risk impact value of $1,000 and an average annual OpEx of $100
Thus the direct savings are: 100 x 90% x $100 = $9,000. The risk savings would be 100 x 90% x $1,000 x 7.3% = $6,570.
This is an extension of entitlement governance, but it has the following additional benefits:
- It covers all entitlements, not just those covered by UAR campaigns.
- It can significantly reduce the time to reduce risk and OpEx.
Activity usage is also an important feed into decision analytics/support.
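An added example (not code from the original post) of the “stale” entitlement detection described above: grants that a SIEM has seen no activity for in six months and that no UAR campaign covers are flagged for an ad hoc entitlement review, and the post’s savings assumptions are applied to the result. The grant records are constructed sample data, and the six-month window and 90% confirmation rate are the post’s assumptions.

```python
from datetime import date, timedelta

# Constructed sample grants (not data from the post): user, entitlement, grant date,
# last activity seen by the SIEM (None = never used), and whether a UAR campaign covers it.
GRANTS = [
    ("alice", "crm-saas",     date(2016, 1, 10),  date(2017, 9, 1),  False),
    ("bob",   "crm-saas",     date(2016, 3, 5),   date(2017, 1, 15), False),
    ("carol", "erp-finance",  date(2015, 11, 20), date(2017, 2, 2),  True),   # high risk, UAR covers it
    ("dave",  "design-suite", date(2017, 4, 1),   None,              False),  # never used since grant
    ("erin",  "design-suite", date(2017, 8, 20),  None,              False),  # recent grant, not stale yet
]
AS_OF = date(2017, 10, 1)   # constructed reporting date


def find_stale(grants, as_of, stale_after=timedelta(days=182), skip_uar_covered=True):
    """Entitlements with no activity for longer than stale_after; these trigger an ad hoc review.
    A grant that was never used is measured from its grant date."""
    stale = []
    for user, entitlement, granted, last_used, uar_covered in grants:
        if skip_uar_covered and uar_covered:
            continue  # the UAR campaign already reviews this one
        last_activity = last_used or granted
        if as_of - last_activity > stale_after:
            stale.append((user, entitlement))
    return stale


def stale_value(stale, confirm_rate=0.90, impact=1000.0, opex=100.0, likelihood=0.073):
    """Direct OpEx and risk-dollar savings if confirm_rate of the stale grants are revoked."""
    revoked = len(stale) * confirm_rate
    return {
        "review_triggers": len(stale),
        "opex_saved": round(revoked * opex, 2),
        "risk_dollars": round(revoked * impact * likelihood, 2),
    }


if __name__ == "__main__":
    flagged = find_stale(GRANTS, as_of=AS_OF)
    print("trigger entitlement review for:", flagged)
    print(stale_value(flagged))
```

With 100 stale grants the functions reproduce the post’s $9,000 OpEx and R$6,570 risk savings.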
As authentication governance ensures that the authentication controls for a user or application are appropriate for the agreed dollarized risk (R$), the value delivered is measured by the reduction in likelihood provided by additional controls.
This example is based on a user who has the following attributes:
- Risk rating of R$100,000 (Impact x Likelihood)
- Challenge response authentication has an 80% likelihood multiplier
- SMS authentication has a 50% likelihood multiplier
- Smartphone push notification plus geolocation has a 20% multiplier
- Biometric (fingerprint) has a 10% multiplier.
Thus we can alter the risk rating of the user in the following ways:
- Password + challenge response: R$100,000 x 80% = R$80,000
- Password + SMS: R$100,000 x 50% = R$50,000
- Password + Smartphone: R$100,000 x 20% = R$20,000
- Password + Smartphone + fingerprint: R$100,000 x 20% x 10% = R$2,000
If you have an organization of 1,000 people with an average dollarized risk rating of R$10,000, just adding smartphone push notifications could save: (1 – 20%) x R$10,000 x 1,000 = R$8,000,000 (risk dollars).
As always, this is a trade-off between control friction versus risk, but the proliferation of smart phones with biometric sensors makes these options both affordable and practical (low friction).
Many organisations are focussed on User Access Review (UAR) campaigns as a “tick the box” exercise in governance without quantifying the value delivered. Shifting the perspective to entitlement governance – based on a combination of cost avoidance and risk dollars – allows for more effective and targeted campaigns. It also opens up the paradigm to additional types of identity governance that act as value multipliers for an organization.
I hope I’ve demonstrated that there is a lot more to identity governance than user access reviews (UAR). This also has a significant impact on what you should expect from your identity governance processes and tools:
- Do they allow you to define entitlement risk (and OpEx)? Can you map these to users?
- Do they allow you to address each of the four governance types or do they just do one piece? e.g. UAR