Measuring the Value of Identity Governance (Part II)
In Part I, we covered the framework that we'll use as the basis for calculating the value of identity governance.
The framework consists of the following elements:
- Entitlement Governance
- Fulfillment Governance
- Activity Governance
- Authentication Governance
And we use the old faithful "Risk = Likelihood x Impact" to calculate the value within each section. Unlike the previous value calculations for identity and access, we will be using "risk dollars" (R$) instead of cost avoidance ($). It is important to acknowledge that risk dollars are different: they are a subjective measure of a potential loss, not money that actually stays in the budget. By acknowledging that risk dollars are different to "real" cost avoidance dollars, we defuse much of the anxiety around this practice whilst retaining the benefits.
The fortunate part of calculating risk dollars for identity governance is that we can start with the work done by Business Continuity Planning (BCP). BCP uses impact values to work out which functions (including IT services/applications) should be protected. We can use these (BCP) dollarized impact values for each application as the starting point for the identity governance risk calculations. Reviews are still required, because the two disciplines measure different things (BCP measures outage, identity governance measures abuse), but starting from the BCP figures removes most of the calculation friction.
Whilst the business is usually good at articulating the value of an application or service, most of the arguments in BCP are about the annual "likelihood" of a failure. The same is true of identity governance, except we are talking about the likelihood of a breach. In this example, the likelihood ratings I am going to use are based on the data from the 2017 Verizon Data Breach Investigations Report. I'll use the average chance of a user being successfully attacked via a phishing attack (7.3% - see page 34) as the likelihood that an identity (and its associated entitlements) will be compromised in a year. See the following table for industry-specific numbers.
When doing these calculations for your organization, I'd recommend applying a scaling factor based on local knowledge, e.g.:
- Attractiveness - finance is always an attractive target.
- Defences - how much does the organization invest in security training, processes, and technology?
- Rogue users - how likely are your internal users to attack?
The critical thing to note here is that we now have a risk dollar rating for each application. This allows us to make the following risk dollar calculations:
- An entitlement carries a subset (share) of its application's risk dollars, which is much easier to agree on than valuing each entitlement from scratch.
- A role's risk dollars are the aggregation of its entitlements.
- A user's risk dollar value is the aggregation of their entitlements and roles, counting an entitlement once even when several roles grant it.
These risk dollar ratings are foundational for decision analytics/support and for authentication governance.
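To make the layering concrete, here is an added Python sketch of the application-to-user roll-up. It is my illustration for this article, not code from any governance product, and the applications, entitlement shares and role definitions are constructed sample values (the 7.3% likelihood is the article's). The design point worth noticing is that a user's entitlements are collected as a set, so an entitlement reachable through two roles is counted once; summing the roles instead would overstate the user's exposure. The residual_risk helper applies the per-control likelihood multipliers discussed under authentication governance below.

```python
"""Risk-dollar (R$) roll-up: application -> entitlement -> role -> user.

Added example for this article. Impact values, shares and roles below are
constructed sample data, not figures from any real BCP register.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Application:
    name: str
    bcp_impact: float   # dollarized impact taken from the BCP register ($)
    likelihood: float   # annual chance an identity with access is compromised

    @property
    def risk_dollars(self) -> float:
        # Risk = Likelihood x Impact, expressed in R$
        return self.bcp_impact * self.likelihood


@dataclass(frozen=True)
class Entitlement:
    name: str
    app: Application
    share: float        # fraction (0..1) of the application's R$ this entitlement carries

    @property
    def risk_dollars(self) -> float:
        return self.app.risk_dollars * self.share


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset[Entitlement]

    @property
    def risk_dollars(self) -> float:
        return sum(e.risk_dollars for e in self.entitlements)


@dataclass
class User:
    name: str
    roles: list[Role] = field(default_factory=list)
    direct: list[Entitlement] = field(default_factory=list)

    def effective_entitlements(self) -> frozenset[Entitlement]:
        # Union, not sum: an entitlement granted by two roles is one exposure.
        ents = set(self.direct)
        for role in self.roles:
            ents |= role.entitlements
        return frozenset(ents)

    @property
    def risk_dollars(self) -> float:
        return sum(e.risk_dollars for e in self.effective_entitlements())


def residual_risk(user: User, multipliers: list[float]) -> float:
    """Apply authentication-control likelihood multipliers to a user's R$.

    Multiplying the factors assumes each control fails independently of the
    others, which is optimistic when two factors live on the same device.
    """
    risk = user.risk_dollars
    for m in multipliers:
        risk *= m
    return risk


# Constructed sample: two applications valued by BCP, 7.3% phishing likelihood.
ERP = Application("erp", bcp_impact=1_000_000, likelihood=0.073)   # R$73,000
HR = Application("hr", bcp_impact=200_000, likelihood=0.073)       # R$14,600

PAY_RELEASE = Entitlement("erp.payment.release", ERP, share=0.50)  # R$36,500
PAY_VIEW = Entitlement("erp.payment.view", ERP, share=0.05)        # R$3,650
HR_READ = Entitlement("hr.record.read", HR, share=0.10)            # R$1,460

AP_CLERK = Role("ap-clerk", frozenset({PAY_VIEW, HR_READ}))        # R$5,110
AP_MANAGER = Role("ap-manager", frozenset({PAY_RELEASE, PAY_VIEW}))  # R$40,150


def example_user() -> User:
    # Both roles grant PAY_VIEW; the user's rating counts it once (R$41,610),
    # whereas adding the two role ratings together would give R$45,260.
    return User("alice", roles=[AP_CLERK, AP_MANAGER])


if __name__ == "__main__":
    alice = example_user()
    print(f"{alice.name}: R${alice.risk_dollars:,.0f}")
    print(f"with push + fingerprint: R${residual_risk(alice, [0.2, 0.1]):,.0f}")
```

Entitlement shares are the one input that needs a negotiation with the application owner; everything above them is arithmetic, which is exactly why the article starts from the BCP impact values.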
Please note: I'll provide my own estimates of cost (some handwavium), so please consult KuppingerCole, Gartner, Forrester, and friends to get industry-standard numbers, and customize them to your specific situation.
Entitlement governance is charged with ensuring that people/systems only have appropriate (needful) access to permissions and resources. Thus the value proposition is based on the following:
- The risk value of entitlements (permissions/resources) revoked (no longer used/required).
- The risk value of orphaned entitlements (accounts) removed or "owned."
- The direct savings (license or SaaS) from revoking accounts or entitlements.
The value calculations are based on the following assumptions:
- Entitlements have an average impact value of $1,000 and an average annual OpEx of $100.
- Authentication is by username/password only, so the 7.3% phishing likelihood applies.
- Our 1,000 employee organization has:
  - 10% staff turnover, and 20% of staff change an entitlement each year.
  - Staff members have an average of 10 entitlements.
  - Permission changes apply to only 50% of those 10 entitlements (5).
  - Only 70% of revocations (for leavers and for changed permissions) are completed successfully.
Thus, each year we will accumulate the following risk dollars (R$) and cost reduction:
- Average entitlement risk: $1,000 x 7.3% = R$73
- Orphaned entitlements (leavers whose access was not revoked): 1,000 x 10% x (1 - 70%) = 30 entitlements
- Access creep (changed permissions that were not revoked): 1,000 x 20% x 5 x (1 - 70%) = 300 entitlements
- Accumulated risk: R$73 x (30 + 300) = R$24,090
- Cost reduction: $100 x (30 + 300) = $33,000
As we can see from this, the real cost savings ($33,000) are significant and the improved risk profile (R$24,090) would help the security team to be a little happier.
Please note that this does not factor in the costs of compliance failure for such things as SOX, HIPAA, PCI-DSS, etc.
Also, you may wish to use a different likelihood for orphaned accounts/entitlements: with no user left to phish, password compromise can be less likely, although nobody is watching the account either.
As fulfillment governance is tasked with ensuring that fulfillment actions are completed and done within the approved framework, the value can be measured in two ways:
- When fulfillments occur within the framework, there is a readily measurable cost avoidance aspect - see "Measuring the Value of Identity Management" for more details.
- When fulfillment occurs outside the framework and:
- Approved, they are considered "orphaned" until entitlement governance picks them up.
- Revoked, then the risk likelihood is calculated based on its "malicious intent."
Let's consider an exceptional fulfillment that was maliciously created as part of a hacking attempt. We can calculate the risk value based on the following assumptions:
- The entitlement has a financial delegation authority of $100,000.
- As we know that this was malicious, we assign a likelihood of 80%.
- We are not factoring in time here, but this is where an event-driven system is a huge benefit.
From this we can see that:
- Malicious risk: $100,000 x 80% = R$80,000
- Non-malicious risk: $100,000 x 7.3% = R$7,300
We chose a financial delegation authority because it is the easiest to measure, but this applies to many different fields - intelligence, politics, etc. The same calculation applies, but the impact values become difficult to quantify despite their importance.
As activity governance contextualizes what happened (events) in an environment into (contextualized) stories, the obvious value comes from the reduction in costs to complete compliance reports. There is a second significant set of savings that comes from the detection of "stale" entitlements.
Compliance cost reductions are normally driven by legislation of some description and are easy to quantify based on the following assumptions:
- Compliance reports required per year = 10.
- Manual effort to produce each report = 100 hours.
- Effort to get each report from activity governance = 5 hours.
- Average wage of $40/hr.
- Thus the cost avoidance for compliance reporting is: 10 x (100 - 5) x $40 = $38,000.
The second benefit, from detecting "stale" entitlements, is not just the risk reduction but also the operational expense of license and/or subscription fees. Detecting "stale" entitlements matters because entitlement reviews (UAR) are normally targeted only at high-risk entitlements (cost versus benefit). Activity governance can close that final gap by triggering as-needed entitlement reviews for "stale" entitlements.
We can quantify the savings based on the following assumptions:
- These entitlements are not covered by UAR campaigns.
- 10% of employees (100) have a SaaS entitlement they have not used in six months ("stale").
- 90% of these are confirmed as not required through entitlement governance.
- Entitlements will have an average risk impact value of $1,000 and an average annual OpEx of $100.
Thus, the direct savings are: 100 x 90% x $100 = $9,000. The risk savings would be 100 x 90% x $1,000 x 7.3% = R$6,570.
These benefits are an extension of entitlement governance, with two advantages over UAR campaigns alone:
- They cover all entitlements, not just those in scope for UAR campaigns.
- They can significantly shorten the time it takes to reduce risk and OpEx, because the review is triggered by the activity data rather than waiting for the next campaign.
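The detection step above is simple enough to show end to end. The following Python is an added example for this article, not code from any activity governance product: it derives last-use dates from a constructed activity log, flags entitlements that are neither covered by a UAR campaign nor used (or granted) within the last six months, and projects the OpEx and R$ savings using the article's 90% confirmation rate, $100 / $1,000 entitlement figures and 7.3% likelihood. The grant date is checked as well as the last use, so a seat issued last week with no activity yet is not flagged.

```python
"""Stale-entitlement detection from activity events.

Added example for this article. Entitlements, dates and the activity log are
constructed sample data; the 90% / $100 / $1,000 / 7.3% figures are the
article's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=183)   # "not used in six months"


@dataclass(frozen=True)
class Entitlement:
    user: str
    name: str
    uar_covered: bool      # already in scope for a UAR campaign?
    granted: date          # when the entitlement was fulfilled
    annual_opex: float     # licence / SaaS seat cost ($)
    impact: float          # risk impact value ($)


def last_use(activity: list[tuple[str, str, date]]) -> dict[tuple[str, str], date]:
    """Reduce (user, entitlement, when) events to the latest use per pair."""
    latest: dict[tuple[str, str], date] = {}
    for user, name, when in activity:
        key = (user, name)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def find_stale(entitlements: list[Entitlement],
               activity: list[tuple[str, str, date]],
               today: date) -> list[Entitlement]:
    """Entitlements outside UAR scope with no use or grant within STALE_AFTER."""
    seen = last_use(activity)
    stale = []
    for e in entitlements:
        if e.uar_covered:
            continue                       # the UAR campaign owns this one
        used = seen.get((e.user, e.name))
        # A never-used entitlement is measured from its grant date, so a
        # seat issued last week is not flagged just because it has no events.
        last_touch = max(e.granted, used) if used else e.granted
        if today - last_touch > STALE_AFTER:
            stale.append(e)
    return stale


def projected_savings(stale: list[Entitlement],
                      confirm_rate: float = 0.9,
                      likelihood: float = 0.073) -> tuple[float, float]:
    """(annual OpEx saved in $, risk reduced in R$) for the stale set."""
    opex = sum(e.annual_opex for e in stale) * confirm_rate
    risk = sum(e.impact for e in stale) * confirm_rate * likelihood
    return opex, risk


# Constructed sample data.
TODAY = date(2018, 3, 1)
ENTITLEMENTS = [
    Entitlement("alice", "design-saas", False, date(2017, 1, 10), 150, 1000),  # last used 2017-06 -> stale
    Entitlement("bob", "design-saas", False, date(2017, 1, 10), 150, 1000),    # used last week -> active
    Entitlement("carol", "erp.payment.release", True, date(2016, 5, 1), 0, 50000),  # UAR scope -> skipped
    Entitlement("dave", "chat-saas", False, date(2018, 2, 25), 80, 500),       # granted last week -> not stale
    Entitlement("erin", "video-saas", False, date(2017, 3, 1), 120, 1000),     # never used in a year -> stale
]
ACTIVITY = [
    ("alice", "design-saas", date(2017, 5, 20)),
    ("alice", "design-saas", date(2017, 6, 1)),
    ("bob", "design-saas", date(2018, 2, 20)),
    ("carol", "erp.payment.release", date(2018, 2, 28)),
]


if __name__ == "__main__":
    stale = find_stale(ENTITLEMENTS, ACTIVITY, TODAY)
    for e in stale:
        print(f"review needed: {e.user} / {e.name}")
    opex, risk = projected_savings(stale)
    print(f"projected: ${opex:,.0f} OpEx, R${risk:,.1f} risk")
```

The output of find_stale is the list to feed into an as-needed entitlement review; the savings are only realized for the share the reviewers actually confirm, which is why confirm_rate stays a parameter rather than being baked in.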
As authentication governance ensures that the authentication controls for a user or application are appropriate for the agreed dollarized risk (R$), the value delivered is measured by the reduction in likelihood provided by additional controls.
This example is based on a user who has the following attributes:
- Risk rating of R$100,000 (Impact x Likelihood).
- Challenge response authentication has an 80% likelihood multiplier.
- SMS authentication has a 50% likelihood multiplier.
- Smartphone push notification plus geolocation has a 20% multiplier.
- Biometric (fingerprint) has a 10% multiplier.
Each multiplier scales the likelihood, so the password-only rating is the 100% baseline. Thus we can alter the risk rating of the user in the following ways:
- Password + challenge response: R$100,000 x 80% = R$80,000
- Password + SMS: R$100,000 x 50% = R$50,000
- Password + Smartphone: R$100,000 x 20% = R$20,000
- Password + Smartphone + fingerprint: R$100,000 x 20% x 10% = R$2,000
If you have an organization of 1,000 people with an average dollarized risk rating of R$10,000, just adding smartphone push notifications could save: (1 - 20%) x R$10,000 x 1,000 = R$8,000,000 (risk dollars).
As always, this is a trade-off between control friction and risk, but the proliferation of smartphones with biometric sensors makes these options both affordable and practical (low friction). Two caveats on the multipliers: they are illustrative rather than measured, and multiplying them assumes the controls fail independently, which is optimistic when the push notification and the fingerprint both live on the same device.
Many organizations are focussed on User Access Review (UAR) campaigns as a "tick the box" exercise in governance without quantifying the value delivered. Shifting the perspective to entitlement governance - based on a combination of cost avoidance and risk dollars - allows for more effective and targeted campaigns. It also opens up the paradigm to additional types of identity governance that act as value multipliers for an organization.
Published at DZone with permission of Marcus Vogt , DZone MVB. See the original article here.