Information Security
James Thew - Fotolia
IAM system strategy identifies metrics that work for business
Security professionals are using identity and access management systems to track metrics on password resets, onboarding and offboarding, and employee retention and customer service.
John Wiley & Sons Inc. has one of the more distinguished brand identities in book publishing, having published the likes of Charles Dickens and Edgar Alan Poe since the company was founded in 1807.
Yet, when it came to modern identity management, CIO Pete Sattler said one of his first tasks when he started at Wiley in 2016 was to reduce the number of phone calls the company's help desk received from employees reporting that they had either lost or forgotten their passwords.
The book publisher, based in Hoboken, N.J., had far too many password reset calls coming into the service desk, and, worse, the old identity and access management (IAM) system had a 10-character limit and it did not accept special characters.
"The passwords were just too simple," Sattler said. "Plus, we needed something that would provision a new employee's identity from the first day they started. We needed something that would automate the employee's identity for their PC, office space, phone and company credit card if necessary."
The publishing company, which has operations in Asia, Australia, Canada, Europe and the United States, is upgrading its technology and computer systems. It's part of a digital transformation of its financial operations and processes to support a digital content strategy to further its academic and professional services.
By using Okta Inc.'s identity management service with Active Directory and Lightweight Directory Access Protocol authentication in the background to enable tracking metrics in the ServiceNow cloud platform, Sattler and his team can now view all the calls for password resets and lockouts. In the past two years, they have seen a 90% reduction in service desk calls related to password issues.
They can also track how quickly employees are onboarded and offboarded using the IAM system's provisioning features.
"By automating onboarding, we now know who has access to all of our systems," Sattler said. "Because we are a public company, we are subject to Sarbanes-Oxley requirements, so we need to document that no unauthorized users have access to our systems," he added.
The new system especially works well to authenticate Wiley employees when they are on the road and not working over the corporate network. Users can log on to their laptops, and the IAM system will send a one-time password to their mobile phone that they can use to authenticate the laptop and enter the company's systems.
Pete Sattler
"Our people really love it because they don't have to carry around a hardware token anymore," Sattler said. "They can use that same kind of capability to authenticate whether they are at home, on the road or in the office."
Fewer service calls
Merritt Maxim, a principal analyst at Forrester Research Inc. who works with security and risk professionals, said when it comes to the return on investment for IAM projects, most companies collect metrics that show cost reductions and improvements in productivity and security.
"The 90% John Wiley reports is very good," Maxim said. "Any percentage reduction in service desk calls will help the security team create a business case."
When an IAM system works well, companies often have fewer service calls, take less time onboarding new employees and experience fewer security events caused by lax offboarding processes when someone leaves the company. Developing an effective identity management lifecycle can also improve employee retention rates and customer service levels because people have the tools they need to do their jobs.
A 2018 Forrester report lists the following as typical metrics that companies monitor:
- number of help desk calls related to login and profile management;
- time spent creating, modifying, and disabling or deleting accounts throughout the user's lifecycle;
- duration users wait before they have all their access;
- time and cost to remediate compliance audit findings; and
- cost of a security breach per record.
Other metrics, according to Forrester, include customer IAM related to authentication, such as reset passwords and failed login attempts as well as data on the internet of things and operations technology.
A strong IAM system helps IT administrators track which applications users can access. Armed with application information, security managers can use IAM systems to track how often they get breached, what the breach will cost (based on the cost per lost record) and to what extent they are at risk for a breach.
"You'll never reduce the risk number to zero, but companies will want to reduce it to a manageable level," Maxim said. "It really helps to have numbers you can show management what the company's potential exposure is."
Efficient onboarding can also have a direct impact on employee morale and retention, a metric that most companies track. People come to work for a company with a great deal of enthusiasm and then it diminishes if it takes several days for the company to get the new employee's applications up and running. Poor onboarding can also negatively affect the customer experience.
"If a customer service rep, for example, doesn't have full access to their applications, they may not be in the best position to service customers," Maxim said. "Employees will also grow disgruntled because they are not able to do their jobs properly."
While automated provisioning tools can help companies improve onboarding -- in some cases, reducing a 20-step process to a few clicks -- the offboarding process is often an afterthought that puts companies at risk.
Offboarding in the cloud
Ryan Donnon is the head of IT at venture capital firm First Round Capital, the Philadelphia company known for seeding game-changing technology startups, such as Uber, Mint, Refinery29 and Warby Parker. He joined the company a decade ago after a successful internship. Today, he manages the data and IT systems that support the firm's portfolio of technology entrepreneurs.
Ryan Donnon
"We find that SaaS applications leave us exposed when an employee leaves the company," Donnon said.
First Round Capital uses Okta's single sign-on for most applications, except for Google's G Suite of cloud-based services. When an employee leaves the company, the IT group starts by disabling the individual's Okta account, which, for the most part, cuts off access to all other applications. The venture capital firm also uses BetterCloud's SaaS management and security tool to help enforce policies and automate the offboarding workflow. In the past four years, the IAM metrics the IT team keeps have indicated that automated workflows have cut the company's provisioning and deprovisioning processes significantly -- sometimes to mere minutes.
"For a venture capital firm like ours, ensuring data security is of the utmost importance after employee termination periods," Donnon said. "BetterCloud has helped us offboard users with a couple of clicks while maintaining security."
The company's offboarding process communicates to the disabled user account event as a trigger that kicks off a workflow that immediately removes the user from all Google groups, deactivates two-factor authentication, resets their G Suite password and revokes authentication tokens for all of the third-party Google applications that the employee has connected to their G Suite account.
Then, the same IAM system workflow ensures that auto-reply from Gmail gets setup to run for the next two weeks. The workflow has a two-week "wait duration" period, after which it transfers or deletes recurring calendar events, which often may be consuming shared resources like conference rooms, backs up the Google account, transfers all of their shared Google Docs (typically to their manager) and then deletes their email account.
"With a standard two weeks' notice, the entire offboarding process happens over the course of a month, but it's fully automated between BetterCloud and Okta's integration," Donnon said.
Frank Dickson, a research vice president at IDC who focuses on IAM, noted that offboarding presents a two-fold problem for many companies. First, IT teams are shocked when they do an assessment and learn that an employee who left the company six months to a year ago still has an active account. While the employee may be perfectly trustworthy, the second issue -- exposure to data security threats -- presents an even thornier problem.
"One of the real dangers of accounts that have not been decommissioned properly is that bad threat actors can exploit them to gain access into the corporate network," he said.
An effective identity management lifecycle is about enabling what Dickson calls the good stuff.
"It's all about, how do we make it so people can do their jobs more effectively and do it in an automated, secure fashion?"
