Managing Complexity in Identity & Access Management

Sponsored by RSA Aveksa
Independently conducted by Ponemon Institute LLC
Publication Date: August 2013

Ponemon Institute© Research Report



Part 1. Executive Summary

When employees, temporary employees, contractors and partners have inappropriate access rights to information resources, that is, access that violates security policies and regulations or that is far more expansive than their current jobs require, companies are subject to serious compliance, business and security risks. Unfortunately, for many organizations the process of ensuring appropriate access to information resources is very complex.

Ideally, the appropriate assignment of access rights ensures that users of information resources, which include applications, files and data, have no more and no less rights to specific information resources than they need to perform their job function within the organization. It also helps ensure that end users' right to use or view business information resources does not violate the compliance obligations imposed by financial controls legislation, data protection and privacy regulations, and industry mandates.[1]

The overall objective of this study, conducted by Ponemon Institute and sponsored by Aveksa, is to determine how well organizations are managing this complexity. To do this, we focused on questions about their current identity and access management (IAM) processes, the effectiveness of those processes and the factors that contribute to complexity. The following are the key findings from this research.

Changing access rights is a lengthy and burdensome process. Seventy percent do not believe, or are uncertain, that their organization typically fulfills access changes for new employees, transfers to a new role or terminated employees in a timely manner, such as within one business day. Only one-third of respondents say that access requests are immediately checked against security policies before access is approved and assigned.

Strict enforcement of IAM policies is seen as lacking. Fifty-three percent of respondents do not agree, or are unsure, that IAM policies are in place and strictly enforced in their organization.

Better investments in IAM technologies are needed. Fifty-three percent say their organizations do not make appropriate investments in technologies that manage and govern end-user access to information resources, or are unsure.

The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are: the cost of users’ idle time and lost productivity, lost revenue or income and cost of technical support, including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million.

Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations' IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources, such as applications, databases, networks, servers, hosts and file shares, that require the assignment of user access rights. Access requests total 1,200 per month on average. These requests include requests for new access, changes to existing access rights and revocation of access due to termination.

Why IAM processes are complex. In addition to the number of information resources requiring the assignment of user access rights and the volume of requests for access rights, organizational changes contribute to complexity. These range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control.

[1] For example, Sarbanes-Oxley, Euro-SOX, CA 52-313, MAR, GLBA, PCI, HIPAA/HITECH, PIPEDA, MA CMR17, EU Data Protection Directive, Basel II, Solvency II, FFIEC, FERC/NERC, FISMA and others.


Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, those not currently using IAM to manage access to unstructured data mostly have no plans to do so.

Organizations lack visibility into what end-users are doing. Do organizations have adequate knowledge and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. The biggest reason is that they cannot create a unified view of user access across the enterprise.

Certain situations reduce IAM effectiveness. IAM processes are most often affected by the availability of automated IAM technologies, the adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications.

What is your organization's level of complexity? In this research, respondents were asked to rate the level of IAM complexity and effectiveness in their organizations. In the context of this research, complexity often reflects the size of the organization, the number of access requests, the growth of unstructured data, higher rates of cloud usage and the number of information resources that require the assignment of user access rights. No organization can avoid complexity. The goal in managing complexity is to have the right mix of people, processes and technologies in place to manage it appropriately and minimize compliance and business risks. Our analysis also shows that respondents who believe their organizations are effective in their IAM processes also have lower complexity. Following are the characteristics of companies experiencing a low, medium and high level of complexity in their IAM processes. Based on these descriptions, organizations at a medium level of complexity appear to have the most mature approach to IAM.

A low level of complexity. These companies tend to have a smaller headcount and are more likely to use manual or homegrown access certification systems.

A low to medium level of complexity. These companies are better able to estimate the annual cost of IAM systems and/or processes and know the total number of orphan accounts. Again, the headcount size can keep complexity to a lower level.

A medium level of complexity. These companies are better able to know the number of potential high-risk users, are more likely to use IAM systems or processes to manage and regulate access requests to unstructured data assets, have well-defined policies and procedures relating to access governance across the enterprise and are more likely to assign IAM accountability to business unit management (LOBs).

A high level of complexity. These companies are more likely to define their organizations' access governance process as a set of disconnected or disjointed activities, to assign IAM accountability to the IT organization (CIO), and to have a higher number of access requests and a higher rate of cloud usage for critical business applications.


Part 2. Key Findings

We surveyed 678 experienced US IT and IT security practitioners. To ensure knowledgeable responses, all respondents have a role in providing end-users access to information resources in their organizations. These roles include: responding to access requests, supporting the delivery of access, supporting the enforcement of access policies, reviewing and certifying access compliance and installing technologies related to access rights management.

In this section, we provide an analysis of the key findings according to the following themes:

Perceptions about the state of IAM practices
State of IAM practices
Complexity in managing IAM processes
Cloud computing usage and complexity
The relationship between complexity and effective IAM processes

The majority of respondents believe their organizations' IAM processes are not very successful or effective. Figure 1 presents respondents' perceptions, ranging from strongly agree to unsure, about the following IAM practices.

Timeliness of access changes. Seventy percent do not agree or are unsure their organization typically fulfills access changes in response to new employees, transfers to a new role or terminated employees in a timely manner such as within one day.

Verification of access requests with security policies. Two-thirds of respondents say that access requests are not immediately checked against security policies before the access is approved and assigned or are unsure.

Strict enforcement of IAM policies. Fifty-three percent say that IAM policies are not in place and strictly enforced, or are unsure. However, 47 percent agree that their current policies are in place and strictly enforced.

Investment in IAM technologies. Fifty-three percent of respondents say their organizations do not make appropriate investments in technologies that manage and govern end-user access to information resources or they are unsure.

Figure 1. Perceptions about IAM practices (percentage of respondents)

Access changes are typically fulfilled within one business day: strongly agree 11%, agree 19%, disagree 30%, strongly disagree 22%, unsure 18%
Access requests are immediately checked against security policies before access is approved and assigned: strongly agree 14%, agree 19%, disagree 25%, strongly disagree 23%, unsure 19%
Identity & access management policies are in place and are strictly enforced: strongly agree 21%, agree 26%, disagree 21%, strongly disagree 16%, unsure 16%
Investments in technologies are made that manage and govern end-user access to information resources: strongly agree 22%, agree 25%, disagree 23%, strongly disagree 16%, unsure 14%


State of IAM practices

Business unit managers assign access rights. Business unit managers are most involved in determining access to sensitive and confidential information, according to Figure 2. This function is followed by information technology operations. The IT security function is rarely involved.

Figure 2. Responsibility for granting end-user access rights (two responses permitted)
Business unit managers: 63%
Information technology operations: 55%
Compliance department: 30%
Human resource department: 21%
Application owners: 17%
Information security department: 10%
Unsure: 4%

Delegating the assignment of access rights to business units without giving them control of IAM policies explains why the process for assigning access to information resources is not well coordinated. As shown in Figure 3, it is most common to have multiple disconnected processes across the organization. Few organizations have well-defined policies that are controlled by business unit management (10 percent of respondents). Without such control, changes are often not validated to confirm they were performed properly, according to 41 percent of respondents, and 5 percent are unsure.

Figure 3. Process for granting end-user access rights (one response permitted)
Multiple disconnected processes across the organization: 43%
Determined by well-defined policies that are centrally controlled by corporate IT: 20%
An "ad hoc" process: 12%
A hybrid process that includes IT and business unit management: 11%
Determined by well-defined policies that are controlled by business unit management: 10%
Unsure: 4%


To certify user access to information resources, organizations most often use homegrown access certification systems, followed by manual processes and commercial off-the-shelf automated solutions, according to Figure 4.

Figure 4. Processes to certify user access to information resources (two responses permitted)
Homegrown access certification systems: 65%
Manual process: 53%
Commercial off-the-shelf automated solutions: 45%
IT help desk: 30%
Unsure: 5%
Other: 2%

Figure 5 shows that manually-based identity and access controls, followed by technology-based identity and access controls, are the means most used to detect the sharing of system administration or root-level access rights by privileged users. Notably, 18 percent say access to sensitive or confidential information is not really controlled, and 10 percent are unable to detect such sharing at all.

Figure 5. Detection of how privileged users are sharing root-level access rights (one response permitted)
Manually-based identity and access controls: 39%
Technology-based identity and access controls: 21%
Access to sensitive or confidential information is not really controlled: 18%
We are unable to detect: 10%
A combination of technology and manually-based identity and access controls: 9%
Unsure: 3%
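Figure 5 is about how organizations detect privileged users sharing root-level access. As an added illustration, not from the report and not a description of any vendor's product, the Python below shows what the technology-based detection in that figure looks like at its simplest: it parses constructed sshd and sudo syslog lines, flags a privileged account logged into one host from several source addresses within an hour (the signature of a shared credential rather than an individual's), lists direct password logins to root, and counts how many privileged sessions can be tied to a named person. The log lines, hostnames, addresses, the 2013 year and the one-hour window are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Accounts whose use must be attributable to a named person (assumption for the example).
PRIVILEGED = {"root"}
# Two source addresses for one privileged account on one host inside this window
# are treated as evidence of a shared credential (assumed threshold).
WINDOW = timedelta(hours=1)

# Constructed syslog excerpt for the example; hostnames and addresses are made up.
SAMPLE_LOG = """\
Jun 10 08:02:11 erp01 sshd[2201]: Accepted password for root from 10.1.4.22 port 50211 ssh2
Jun 10 08:05:40 erp01 sshd[2244]: Accepted password for root from 10.1.9.7 port 41002 ssh2
Jun 10 08:06:01 erp01 sshd[2260]: Accepted publickey for carol from 10.1.4.22 port 50340 ssh2
Jun 10 09:15:22 erp01 sshd[2300]: Accepted password for root from 10.1.4.22 port 50500 ssh2
Jun 10 10:30:00 crm01 sshd[911]: Accepted publickey for root from 10.1.4.22 port 50900 ssh2
Jun 10 11:40:03 erp01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jun 10 12:01:45 erp01 sshd[2400]: Failed password for root from 10.1.9.7 port 41100 ssh2
"""

SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ts(text, year=2013):
    """Syslog timestamps carry no year; the example assumes 2013."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse(log):
    """Return (time, host, kind, user, detail) tuples for accepted logins and sudo escalations.
    detail is (method, source address) for logins and (target user, command) for sudo."""
    events = []
    for line in log.splitlines():
        m = SSHD_ACCEPTED.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["host"], "login", m["user"], (m["method"], m["src"])))
            continue
        m = SUDO_LINE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["host"], "sudo", m["user"], (m["target"], m["cmd"])))
    return events


def shared_privileged_logins(events, window=WINDOW, privileged=PRIVILEGED):
    """Flag a privileged account that logged into the same host from two or more source
    addresses within `window`. Returns (host, account, first login time, sorted sources)."""
    logins = sorted(e for e in events if e[2] == "login" and e[3] in privileged)
    findings = []
    for i, (t, host, _kind, user, (_method, src)) in enumerate(logins):
        later = {
            s for (t2, h2, _k, u2, (_m, s)) in logins[i + 1:]
            if h2 == host and u2 == user and t2 - t <= window and s != src
        }
        if later:
            findings.append((host, user, t, sorted({src} | later)))
    return findings


def direct_password_logins(events, privileged=PRIVILEGED):
    """Password logins straight into a privileged account: no key or sudo trail ties them to a person."""
    return [(t, host, src) for (t, host, kind, user, (method, src)) in events
            if kind == "login" and user in privileged and method == "password"]


def accountability(events, privileged=PRIVILEGED):
    """Count privileged sessions that can be tied to a named person (sudo by a user, or a
    key-based login, assuming keys are inventoried per person) versus those that cannot."""
    attributable = unattributable = 0
    for (_t, _host, kind, user, detail) in events:
        if kind == "sudo" and detail[0] in privileged:
            attributable += 1
        elif kind == "login" and user in privileged:
            if detail[0] == "password":
                unattributable += 1
            else:
                attributable += 1
    return attributable, unattributable


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for finding in shared_privileged_logins(evts):
        print("shared credential suspected:", finding)
    print("direct root password logins:", len(direct_password_logins(evts)))
    print("attributable vs unattributable privileged sessions:", accountability(evts))
```

On the constructed sample the script flags root on erp01 as shared (two addresses three minutes apart), counts three direct password logins to root, and attributes only two of five privileged sessions to a person. The same two checks, run from a central log pipeline against the real privileged-account list, are the technology-based control the 21 percent in Figure 5 report; the manual alternative is reviewing these lines by hand.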


The complexity of IAM processes

The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are: the cost of users' idle time and lost productivity, lost revenue or income, and the cost of technical support, including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million. The following findings reveal the challenges organizations face in overcoming complexity and achieving effectiveness.

Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations' IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources, such as applications, databases, networks, servers, hosts and file shares, that require the assignment of user access rights. Access requests total 1,200 per month on average. These requests include requests for new access, changes to existing access rights and revocation of access due to termination. Figure 6 reports how respondents rated the complexity of their organizations' IAM processes on a scale of 1 (low complexity) to 10 (high complexity). The average rating is about 8. On this scale, 74 percent rate their organizations as highly complex (7 or above).

Figure 6. Complexity of IAM processes (measured on a 10-point scale)
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%


Uncertainty as to how much is spent on IAM. Another indication of the complexity of IAM is that most respondents do not know, or are unsure, what their organizations spend on IAM systems and processes (Figure 7). On average, respondents estimate that in the past 12 months their companies spent $3.5 million on IAM.

Figure 7. Do you know what your organization spends on IAM systems and processes?
Yes: 43%
No: 44%
Unsure: 13%

Why are IAM processes complex? In addition to the number of information resources requiring the assignment of user access rights and the volume of access requests, organizational changes contribute to complexity. These range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control. Figure 8 shows which factors are making the job of managing IAM increasingly difficult.

Figure 8. Factors that complicate IAM practices (very significant and significant responses combined)
Rapid growth of unstructured data: 91% (46% + 45%)
Expanded use of mobile devices: 89% (45% + 44%)
Expanded regulatory and compliance requirements: 68% (36% + 32%)
Access to cloud-based applications and data: 67% (34% + 33%)


Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, those not currently using IAM to manage access to unstructured data mostly have no plans to do so.

Organizations lack visibility into what end-users are doing. Do organizations have adequate knowledge and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. As shown in Figure 9, the biggest reason is that they cannot create a unified view of user access across the enterprise.

Figure 9. Why organizations lack visibility about end-users (one response permitted)
Can't create a unified view of user access across the enterprise: 51%
Can't keep up with the changes occurring to our organization's information resources: 20%
Can't apply controls that span across information resources: 20%
Visibility only into user account information but not entitlement information: 9%

Number of orphan accounts and high-risk users are often invisible to IAM. There are other indicators of uncertainty about the state of IAM. Specifically, 60 percent of respondents admit that they do not know, or are unsure of, the number of orphan accounts in their organization. Those who can estimate the percentage put it at almost one-third of all accounts. Forty-three percent do not know the percentage of high-risk users and 8 percent are unsure. Accordingly, less than half of respondents (49 percent) know the percentage of all users who would be considered high-risk, and they estimate it to be 25 percent of all users.


Certain situations reduce IAM effectiveness. As shown in Figure 10, IAM processes are most often affected by the availability of automated IAM technologies, the adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

Figure 10. Effect on IAM processes (very significant and significant responses combined)
Adoption of cloud-based applications: 75% (42% + 33%)
Availability of automated IAM technologies: 67% (29% + 38%)
Constant turnover of temporary employees, contractors, consultants and partners: 51% (28% + 23%)
Constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing: 48% (25% + 23%)

The situations just described explain the complexity in delivering access to end-users. The problems created by complexity are shown in Figure 11. Specifically, it takes too long to deliver access, the process is burdensome and it is hard to keep pace with access change requests.

Figure 11. Key problems in delivering access to end-users (three responses permitted)
Takes too long to deliver access to users: 55%
Burdensome process for business users requesting access: 50%
Cannot keep pace with the number of access change requests: 47%
Lack of a consistent approval process for access and a way to handle exceptions: 40%
Too expensive: 31%
Can't apply access policy controls at point of change request: 21%
Difficult to audit and validate access changes: 18%
Too much staff required: 16%
No common language exists for how access is requested: 12%
Delivery of access to users is staggered: 10%
Other: 0%


Cloud computing usage and IAM complexity

Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications, as shown in Figure 12.

Figure 12. Concern about using cloud-based SaaS applications for key business processes
Yes, very concerned: 31%
Yes, concerned: 29%
Yes, somewhat concerned: 18%
No, not concerned: 22%

The primary obstacles to using a pure cloud-based SaaS IAM solution are shown in Figure 13. The main barriers are the ability to control access to sensitive application data (76 percent) and the ability to measure security risk (65 percent). Only 8 percent of respondents see no obstacles to adoption.

Figure 13. Obstacles to adopting a SaaS IAM solution (more than one response permitted)
Ability to control access to sensitive application data: 76%
Ability to measure security risk: 65%
Ability to transfer data from on-premise (legacy) systems to the cloud: 48%
Availability of SaaS solution: 47%
Ability to obtain approvals from IT and IT security functions: 20%
None: 8%
Other: 3%


Significant cross-tabulations on IAM complexity

Respondents were asked to rate their organizations in terms of (1) the complexity of IAM operations and (2) the effectiveness of IAM systems and controls. Both complexity and effectiveness are measured on a 10-point scale from low (1) to high (10), with a scale median of 5.5. The distribution of responses shown in Figure 14 allows us to compute overall average values for both variables. The average complexity rating is above the median at 7.8, while the average effectiveness rating is below the median at 4.0. Figure 14 reveals that the majority of respondents believe their IAM processes are very complex: 74 percent rate complexity above the median. Respondents also do not believe their IAM processes are very effective: the majority (55 percent) rate effectiveness below the median, in line with the 4.0 average.

Figure 14. Respondents' ratings of IAM complexity and effectiveness (both measured on a 10-point scale)

Level of IAM complexity
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%

Level of IAM effectiveness
1 to 2: 15%
3 to 4: 41%
5 to 6: 28%
7 to 8: 11%
9 to 10: 5%


Figure 15 shows the average effectiveness rating for five ascending bands of complexity. The relationship is an inverted U: organizations in the lowest complexity band report the lowest effectiveness (3.12), effectiveness peaks (5.53) in the middle band of the 10-point complexity scale, and it falls again (3.94 and 3.84) in the two highest bands. This pattern suggests that complexity has a negative impact on IAM effectiveness, but only beyond the middle of the scale.

Figure 15. Interrelationship between IAM complexity and effectiveness (both measured on a 10-point scale)
Average level of IAM effectiveness by level of IAM complexity:
Complexity 1 to 2: 3.12
Complexity 3 to 4: 4.29
Complexity 5 to 6: 5.53
Complexity 7 to 8: 3.94
Complexity 9 to 10: 3.84

Figure 16 shows the average complexity rating according to ascending headcount (size) bands. There is a positive relationship between organizational size and IAM complexity. Organizations with fewer than 500 employees report the lowest average complexity at 6.52. Organizations with more than 25,000 employees (including those above 75,000) report the highest average complexity at 9.23.

Figure 16. Interrelationship between IAM complexity and organizational headcount (size) (complexity measured on a 10-point scale)
Average level of IAM complexity by worldwide headcount:
Less than 500: 6.52
500 to 1,000: 7.78
1,001 to 5,000: 7.75
5,001 to 25,000: 8.58
25,001 to 75,000: 9.23


Part 3. Conclusion: Managing complexity and achieving effectiveness

Our findings suggest that IT staff cannot keep up with the constant change to information resources, regulations and user access requirements. Many organizations face significant information risks because the process of delivering access is lengthy and burdensome and access rights are not kept current. In addition, the approaches to access management tend to be ad hoc or inconsistent and contribute to ineffectiveness. The following are suggestions for overcoming complexity and reducing IAM failures.

Implement a well-managed, enterprise-wide access governance process that keeps employees, temporary employees and contractors from having too much access to information assets. At the same time, do not hinder individuals' access to information resources critical to their productivity. To do this, organizations must understand what role-based access individuals need. Further, changes to users' roles must be managed to ensure they have current and correct access rights.

Create well-defined business policies for the assignment of access rights. These policies should be centrally controlled to ensure they are enforced consistently across the enterprise. They should also encourage collaboration among different internal groups.

Track and measure the ability to enforce user access policies. This includes measuring the effectiveness of processes for managing changes to users' roles; revoking access rights upon an individual's termination; monitoring the access rights of privileged users' accounts; and monitoring segregation of duties.

Ensure that accountability for access rights is assigned to the business unit that has domain knowledge of the users' roles and responsibilities.

Become proactive in managing access rights. Instead of making decisions on an ad hoc basis using decentralized procedures, build a process that gives the organization continuous visibility into all user access across all information resources and the entitlements to those resources. Technologies that automate access authorization, review and certification limit the risk of human error and negligence.

Bridge the language gap between IT staff and business managers to encourage a common understanding of how to express access rights and entitlements. This is especially important for the access request and access certification processes, in which gaps can cause unnecessary delays in access delivery or allow inappropriate access.

Pursue extending controls over access to all information resources, similar to those required under regulations (SOX, PCI, etc.). This entails organizations broadening their view of risk management beyond compliance with specific regulations. Organizations need to go beyond the minimum requirements for compliance and think about risk in the broadest terms with the widest coverage. This is especially true because the loss of corporate IP is typically not covered under regulations or industry mandates.

Extend the organizational access governance framework beyond the firewall to cloud computing and other IT outsourcing/software-as-a-service (SaaS) providers.
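The conclusion asks organizations to measure revocation on termination, privileged access and segregation of duties, and Part 2 reports that 60 percent of respondents cannot state their number of orphan accounts and only one-third check requests against policy before approval. The following Python script is an added example, not part of the Ponemon report and not a description of any Aveksa product, of the reconciliation a practitioner would run to produce those measures: it compares a constructed HR roster (the system of record for identities) against a constructed entitlement export from target systems, lists orphan accounts, terminated users whose access outlived a one-business-day revocation window, and segregation-of-duties conflicts, and evaluates a new access request against the same policy before it is routed for approval. The roster, system and entitlement names, the SoD rule, the dates and the one-day SLA are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed HR roster, the system of record for identities: user -> (status, termination date).
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2013, 6, 3)),
    "carol": ("active", None),
    "dave": ("terminated", date(2013, 6, 10)),
}

# Constructed entitlement export from target systems: (account, system, entitlement).
ENTITLEMENTS = [
    ("alice", "erp", "ap_create_vendor"),
    ("alice", "erp", "ap_approve_payment"),   # toxic combination with the line above
    ("bob", "erp", "ap_approve_payment"),     # owner terminated on 3 June, access still live
    ("carol", "erp", "ap_create_vendor"),
    ("dave", "crm", "sales_admin"),           # owner terminated on 10 June, access still live
    ("svc_legacy", "erp", "db_admin"),        # no HR record at all: an orphan account
]

# Segregation-of-duties rules: entitlement sets one identity must never hold together (assumed).
SOD_RULES = [frozenset({"ap_create_vendor", "ap_approve_payment"})]

# Date the reconciliation is run (a Friday, assumed for the example).
AS_OF = date(2013, 6, 14)


def held_by(entitlements):
    """Map each account to the set of entitlements it currently holds."""
    held = {}
    for account, _system, entitlement in entitlements:
        held.setdefault(account, set()).add(entitlement)
    return held


def orphan_accounts(entitlements, roster):
    """Accounts that hold entitlements but have no owner in the HR system of record."""
    return sorted(acct for acct in held_by(entitlements) if acct not in roster)


def business_days_between(start, end):
    """Weekdays strictly after `start` up to and including `end` (no holiday calendar)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def terminated_with_access(entitlements, roster, as_of, sla_days=1):
    """Terminated users whose access outlived the revocation SLA, with business days elapsed."""
    held = held_by(entitlements)
    late = []
    for user, (status, term_date) in roster.items():
        if status == "terminated" and user in held:
            elapsed = business_days_between(term_date, as_of)
            if elapsed > sla_days:
                late.append((user, elapsed))
    return sorted(late)


def sod_violations(entitlements, rules):
    """Accounts holding every entitlement of some toxic combination."""
    found = []
    for account, ents in held_by(entitlements).items():
        for rule in rules:
            if rule <= ents:
                found.append((account, tuple(sorted(rule))))
    return sorted(found)


def check_request(account, entitlement, entitlements, roster, rules):
    """Policy check at the point of request, before any approval is routed.
    Returns (approved, reasons); an empty reasons list means no policy blocks the request."""
    reasons = []
    if account not in roster:
        reasons.append("no HR record for account")
    elif roster[account][0] != "active":
        reasons.append("identity is not active in HR")
    would_hold = held_by(entitlements).get(account, set()) | {entitlement}
    for rule in rules:
        if rule <= would_hold:
            reasons.append("would create SoD conflict: " + ", ".join(sorted(rule)))
    return (not reasons, reasons)


def report(as_of=AS_OF):
    """The measures the survey found most organizations could not state."""
    return {
        "accounts": len(held_by(ENTITLEMENTS)),
        "orphan_accounts": orphan_accounts(ENTITLEMENTS, HR_ROSTER),
        "terminated_still_active": terminated_with_access(ENTITLEMENTS, HR_ROSTER, as_of),
        "sod_violations": sod_violations(ENTITLEMENTS, SOD_RULES),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    print(check_request("carol", "ap_approve_payment", ENTITLEMENTS, HR_ROSTER, SOD_RULES))
    print(check_request("carol", "finance_ro", ENTITLEMENTS, HR_ROSTER, SOD_RULES))
```

Run against the constructed data, the report lists one orphan account (svc_legacy), two terminated users still holding access nine and four business days after termination, and one SoD conflict (alice). The request check denies carol the approver entitlement because she can already create vendors, while approving an unrelated read-only entitlement. In a real deployment the roster and entitlement lists come from the HR feed and connector exports; the logic stays the same, and its outputs are the numbers the conclusion asks organizations to track.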


Part 4. Methods

A random sampling frame of 19,005 experienced US IT and IT security practitioners located in all regions of the United States were selected as participants in this survey. All respondents have a role in providing end-users access to information resources in their organizations. As shown in Table 1, 753 respondents completed the survey. Screening and reliability checks removed 75 surveys. The final sample was 678 surveys (a 3.6 percent response rate).

Table 1. Sample response
                               Freq     Pct%
Sampling frame                 19,005   100%
Total returns                  753      4.0%
Rejected and screened surveys  75       0.4%
Final sample                   678      3.6%

Pie Chart 1 reports respondents' organizational level within participating organizations. By design, 55 percent of respondents are at or above the supervisory level.

Pie Chart 1. Current position within the organization
C-level: 3%
SVP/VP: 3%
Director: 14%
Manager: 20%
Supervisor: 15%
Technician: 31%
Architect: 8%
Staff: 2%
Contractor: 3%
Other: 2%


Pie Chart 2 reports the industry segments of respondents' organizations. Financial services (16 percent) is the largest segment, followed by government (13 percent) and healthcare and retail, both at 10 percent.

Pie Chart 2. Industry distribution of respondents' organizations
Financial services: 16%
Government: 13%
Healthcare: 10%
Retail: 10%
Services: 7%
Consumer products: 6%
Manufacturing: 6%
Technology: 6%
Pharmaceuticals: 4%
Energy & utilities: 3%
Telecom: 3%
Insurance: 2%
Education & research: 2%
Entertainment & media: 2%
Hospitality: 2%
Transportation: 2%
Other: 4%

As shown in Pie Chart 3, 58 percent of respondents are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 3. Worldwide headcount of the organization
Less than 500: 18%
500 to 1,000: 24%
1,001 to 5,000: 29%
5,001 to 25,000: 17%
25,001 to 75,000: 8%
More than 75,000: 4%


Part 5. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All 678 survey responses were captured in June 2013.

Sample response (Freq; Pct%)
Sampling frame: 19,005; 100%
Total returns: 753; 4.0%
Rejected and screened surveys: 75; 0.4%
Final sample: 678; 3.6%

Part 1. Screening

S1. What best describes your role in providing end-users access to information resources in your organization? Please check all that apply.
Respond to access requests: 56%
Support the delivery of access: 37%
Support the enforcement of access policies: 61%
Responsible for review and certification of access compliance: 36%
Install technologies relating to access rights management: 39%
Other (please describe): 2%
None of the above (stop): 0%
Total: 231%

Part 2. Attributions. Please rate Q1a to Q1d using the scale provided below each statement. (Columns shown: Strongly agree; Agree.)
Q1a. Identity & access management policies are in-place and are strictly enforced in my organization: Strongly agree 21%; Agree 26%
Q1b. My organization’s identity & access management activities are overly complex and difficult to manage: Strongly agree 29%; Agree 33%
Q1c. My organization makes appropriate investments in technologies that manage and govern end-user access to information resources: Strongly agree 22%; Agree 25%
Q1d. My organization typically fulfills access changes (i.e. new employees, transfers to a new role, terminated employees, etc.) within one business day: Strongly agree 11%; Agree 19%
Q1e. In my organization, access requests are immediately checked against security policies before the access is approved and assigned: Strongly agree 14%; Agree 19%

Part 3. Complexity of identity & access management practices

Q2. Please rate your organization’s identity & access management processes in terms of its level of complexity, where 1 = low complexity to 10 = high complexity.
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%
Total: 100%

Q3. How do the following factors contribute to the complexity of identity & access management practices within your organization? Scale: very significant impact to no impact. (Columns shown: Very significant; Significant.)
Q3a. Access to cloud-based applications and data: Very significant 33%; Significant 34%
Q3b. Expanded use of mobile devices (including BYOD): Very significant 44%; Significant 45%
Q3c. Expanded regulatory and compliance requirements: Very significant 32%; Significant 36%
Q3d. Rapid growth of unstructured data: Very significant 45%; Significant 46%


Q4. Approximately, how many information resources (applications, databases, networks, servers, hosts, file shares) within your organization require the assignment of user access rights?
Less than 5: 1%
Between 5 and 25: 3%
Between 26 and 50: 23%
Between 51 and 100: 36%
Between 101 and 1,000: 25%
More than 1,000: 12%
Total: 100%

Q5. On a monthly basis, how many access requests are made (i.e. requesting new access, changes to existing access rights or revocation of access due to termination)?
Less than 50: 1%
Between 51 and 200: 15%
Between 201 and 500: 32%
Between 501 and 1,000: 28%
Between 1,001 and 5,000: 19%
More than 5,000: 5%
Total: 100%

Q6a. Do you know the total annual costs of IAM systems and/or processes incurred by your organization?
Yes: 43%
No: 44%
Unsure: 13%
Total: 100%

Q6b. Please estimate the total cost of IAM incurred by your organization over the past 12 months. Please include all costs including licensing and maintenance fees, personnel costs, software solutions and other tools.
Zero: 0%
Less than $10,000: 2%
$10,001 to $100,000: 3%
$100,001 to $250,000: 17%
$250,001 to $500,000: 31%
$500,001 to $1,000,000: 22%
$1,000,001 to $5,000,000: 12%
$5,000,001 to $10,000,000: 6%
$10,000,001 to $25,000,000: 5%
$25,000,001 to $50,000,000: 1%
$50,000,001 to $100,000,000: 0%
More than $100,000,000: 1%
Total: 100%

Q7a. Do you know the number of orphan accounts within your organization today?
Yes: 40%
No: 54%
Unsure: 6%
Total: 100%


Q7b. If yes, please estimate the percentage of orphan accounts relative to total (all) accounts within your organization.
Less than 1%: 0%
1% to 5%: 3%
6% to 10%: 8%
11% to 20%: 11%
21% to 30%: 13%
31% to 40%: 25%
41% to 50%: 19%
More than 50%: 11%
Cannot determine: 10%
Total: 100%

Q8a. Do you know the number or percentage of high-risk users?
Yes: 49%
No: 43%
Unsure: 8%
Total: 100%

Q8b. If yes, please estimate the percentage of high-risk users relative to all users within your organization.
Less than 1%: 0%
1% to 5%: 6%
6% to 10%: 8%
11% to 20%: 20%
21% to 30%: 22%
31% to 40%: 24%
41% to 50%: 9%
More than 50%: 2%
Cannot determine: 9%
Total: 100%

Q9. Please rate the relative success or effectiveness of your organization’s IAM processes, where 1 = not effective to 10 = very effective.
1 to 2: 15%
3 to 4: 41%
5 to 6: 28%
7 to 8: 11%
9 to 10: 5%
Total: 100%

Q10. Do you presently use IAM to manage access to unstructured data?
Yes: 48%
No: 43%
Unsure: 9%
Total: 100%

Q11. If no, do you plan to use IAM to understand apps and unstructured data?
Yes, within the next 12 months: 19%
Yes, more than 12 months: 13%
Yes, within 24 months: 11%
Yes, more than 24 months: 3%
No: 54%
Total: 100%

Q12. What IT infrastructure do you want your organization’s IAM to support?
IT security management (ITSM): 83%
Security information and event management (SIEM): 61%
Network & traffic intelligence: 55%
Data loss prevention (DLP): 55%
Intrusion prevention (IPS) & detection (IDS) systems: 40%
Governance, risk management and compliance (GRC) tools: 44%
Other (please specify): 4%
Total: 342%

Q13. What best describes the process for assigning access to information resources in your organization today? Please select one best choice.
An “ad hoc” process: 12%
Determined by well-defined policies that are centrally controlled by corporate IT: 20%
Determined by well-defined policies that are controlled by business unit management: 10%
A hybrid process that includes IT and business unit management: 11%
Multiple disconnected processes across the organization: 43%
Unsure: 4%
Total: 100%

Q14. Who is responsible for making the decision to grant an end-user access to information resources? Please select the top two choices.
Information technology operations: 55%
Information security department: 10%
Compliance department: 30%
Business unit managers: 63%
Application owners: 17%
Human resource department: 21%
Unsure: 4%
Total: 200%

Q15. What processes are used for certifying user access to information resources? Please select the top two choices.
Manual process: 53%
Homegrown access certification systems: 65%
Commercial off-the-shelf automated solutions: 45%
IT help desk: 30%
Unsure: 5%
Other: 2%
Total: 200%

Q16. Are changes to access validated to confirm they were performed properly?
Yes, all changes: 11%
Yes, most changes: 28%
Yes, some changes: 15%
No: 41%
Unsure: 5%
Total: 100%


Q17. How do you detect the sharing of system administration access rights or root level access rights by privileged users? Please select only one top choice.
Technology-based identity and access controls: 21%
Manually-based identity and access controls: 39%
A combination of technology and manually-based identity and access controls: 9%
Access to sensitive or confidential information is not really controlled: 18%
Unsure: 3%
We are unable to detect: 10%
Total: 100%

Q18a. Are you confident your organization can ascertain that user access is compliant with policies?
Yes, very confident: 18%
Yes, confident: 26%
No, not confident: 50%
Unsure: 6%
Total: 100%

Q18b. If no, please select one main reason.
We can’t create a unified view of user access across the enterprise: 51%
We only have visibility into user account information but not entitlement information: 9%
We can’t apply controls that span across information resources: 20%
We can’t keep up with the changes occurring to our organization’s information resources (on-boarding, off-boarding and outsourcing for management): 20%
Total: 100%

Part 4. Cloud computing

Q19. Does your organization use SaaS applications to support key business processes?
Yes: 71%
No: 25%
Unsure: 4%
Total: 100%

Q20. Approximately, what proportion of your organization’s key business applications are SaaS-based?
None: 5%
Less than 10%: 31%
11% to 50%: 32%
51% to 75%: 10%
76% to 99%: 11%
All (100%): 2%
Cannot determine: 9%
Total: 100%

Q21. From an IAM perspective, are you concerned using cloud-based SaaS applications for key business processes?
Yes, very concerned: 31%
Yes, concerned: 29%
Yes, somewhat concerned: 18%
No, not concerned: 22%
Total: 100%


Q22. What obstacles, if any, does your organization face if it decided to use a pure cloud-based SaaS IAM solution? Please select all that apply.
Ability to obtain approvals from IT and IT security functions: 20%
Ability to measure security risk: 65%
Ability to control access to sensitive application data: 76%
Ability to transfer data from on-premise (legacy) systems to the cloud: 48%
Availability of SaaS solution: 47%
Other (please specify): 3%
None (no obstacles): 8%
Total: 267%

Part 5. Problems & remedies

Q23. What are the key problems you face in delivering access to end-users within your organization? Please select the top three choices.
Takes too long to deliver access to users (not meeting our SLAs with the business): 55%
Too expensive: 31%
Too much staff required: 16%
Can’t apply access policy controls at point of change request: 21%
Delivery of access to users is staggered (not delivered at the same time): 10%
Cannot keep pace with the number of access change requests that come in on a regular basis: 47%
Lack of a consistent approval process for access and a way to handle exceptions: 40%
Difficult to audit and validate access changes: 18%
Burdensome process for business users requesting access: 50%
No common language exists for how access is requested that will work for both IT and the business: 12%
Other: 0%
Total: 300%

Q24. How will each of the following situations affect your organization’s IAM process? Please use the scale provided below each item, from very significant impact to no impact. (Columns shown: Very significant; Significant.)
Q24a. Adoption of cloud-based applications: Very significant 33%; Significant 42%
Q24b. The constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners: Very significant 23%; Significant 28%
Q24c. Availability of automated IAM technologies: Very significant 38%; Significant 29%
Q24d. Constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing: Very significant 23%; Significant 25%

Part 6. Cost exposure estimation

Q25. Following are six cost categories caused by the failure of IAM to prevent unauthorized access to systems and/or secure places. Please rank each category based on the financial impact to your organization, where 1 = most significant financial impact and 6 = least significant financial impact. (Columns shown: Average rank; Rank order.)
Cost of technical support including forensics and investigative operations: 3.24; rank 3
Cost of users’ idle time and lost productivity because of IAM failure: 1.88; rank 1
Cost resulting from the organization’s response to information misuse or theft: 4.45; rank 5
Cost associated with legal and regulatory actions: 5.26; rank 6
Revenues or income lost because of IAM failure: 2.51; rank 2
Cost associated with reputation and brand damage because of IAM failure: 3.67; rank 4
Average: 3.50


Q26. Please approximate the total potential cost exposure that could result from all IAM failures over the course of one year.
Less than $1,000,000: 5%
$1,000,001 to $5,000,000: 8%
$5,000,001 to $10,000,000: 10%
$10,000,001 to $25,000,000: 12%
$25,000,001 to $50,000,000: 16%
$50,000,001 to $100,000,000: 12%
$100,000,001 to $250,000,000: 13%
$250,000,001 to $500,000,000: 11%
More than $500,000,000: 2%
Cannot determine: 11%
Total: 100%

Part 7. Your role

D1. What organizational level best describes your current position?
C-level: 3%
SVP/VP: 3%
Director: 14%
Manager: 20%
Supervisor: 15%
Technician: 31%
Architect: 8%
Staff: 2%
Contractor: 3%
Other (please specify): 2%
Total: 100%

D2. What industry best describes your organization’s industry focus?
Agriculture & food service: 1%
Chemicals: 0%
Consumer products: 6%
Defense: 1%
Education & research: 2%
Energy & utilities: 3%
Entertainment & media: 2%
Financial services: 16%
Government: 13%
Healthcare: 10%
Hospitality: 2%
Insurance: 2%
Manufacturing: 6%
Medical devices: 1%
Non-profit: 1%
Pharmaceuticals: 4%
Retail: 10%
Services: 7%
Technology: 6%
Telecom: 3%
Transportation: 2%
Other (please specify): 0%
Total: 100%


D3. What is the worldwide headcount of your organization?
Less than 500: 18%
500 to 1,000: 24%
1,001 to 5,000: 29%
5,001 to 25,000: 17%
25,001 to 75,000: 8%
More than 75,000: 4%
Total: 100%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.