Independently conducted by Ponemon Institute LLC
Publication Date: August 2013
Managing Complexity in Identity &
Access Management
Sponsored by RSA Aveksa
Ponemon Institute© Research Report
Managing Complexity in Identity & Access Management
Ponemon Institute: August 2013
Part 1. Executive Summary
When employees, temporary employees, contractors and partners have inappropriate access rights to
information resources – that is, access that violates security policies and regulations or that is far more
expansive for their current jobs – companies are subject to serious compliance, business and security
risks. Unfortunately, for many organizations the process of ensuring appropriate access to information
resources is very complex.
Ideally, the appropriate assignment of access rights ensures that users of information resources – which
include applications, files and data – have no more or less rights to specific information resources than
needed to do their particular job function within an organization. It also helps ensure that end users’ right
to use or view business information resources does not violate compliance regulations as required by
financial controls legislation, various data protection and privacy regulations, and industry mandates.[1]
The overall objective of this study conducted by Ponemon Institute and sponsored by Aveksa is to
determine how well organizations are managing complexity. To do this, we focused on questions about
their current identity and access management (IAM) processes, effectiveness of the processes and
factors that contribute to complexity.
The following are key findings from this research
Changing access rights is a lengthy and burdensome process. Seventy percent do not believe or
are uncertain that their organization typically fulfills access changes in response to new employees,
transfers to a new role or terminated employees in a timely manner, such as within one day. Only
one-third of respondents say that access requests are immediately checked against security policies
before access is approved and assigned.
Strict enforcement of IAM policies is seen lacking. Fifty-three percent of respondents see the
need for stricter enforcement.
Better Investments in IAM technologies are needed. Fifty-three percent say their organizations
don’t make appropriate investments in technologies that manage and govern end-user access to
information resources.
The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by
the failure of IAM to prevent unauthorized access are: the cost of users’ idle time and lost productivity,
lost revenue or income and cost of technical support, including forensics and investigative operations.
They estimate that on average the total potential cost exposure that could result from all IAM failures
over the course of one year is approximately $105 million.
Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations’
IAM activities are overly complex and difficult to manage. On average, organizations have more than
300 information resources such as applications, databases, networks, servers, hosts, file shares that
require the assignment of user access rights. The number of access requests total on average 1,200
each month. These requests include requesting new access, changes to existing access rights or
revocation of access due to termination.
Why IAM processes are complex. In addition to the number of information resources requiring
assignment of user access rights and the requests for access rights, organizational changes
contribute to complexity. These can range from the use of cloud applications, BYOD and the growth
of unstructured data that is difficult to control.
[1] For example, Sarbanes-Oxley, Euro-SOX, CA 52-313, MAR, GLBA, PCI, HIPAA/HITECH, PIPEDA, MA CMR17, EU
Data Protection Directive, Basel II, Solvency II, FFIEC, FERC/NERC, FISMA and others.
Ponemon Institute© Research Report
Page 1
Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say
they use IAM to manage access to unstructured data despite their belief that the growth of this type of
data is making the process of managing access rights more complex. Moreover, if they are currently
not using IAM to manage access to unstructured data, most have no plans in the future to do so.
Organizations lack visibility into what end-users are doing. Do organizations have adequate
knowledge and visibility into end-user access? Fifty-six percent of respondents are either not
confident or unsure that they can ascertain that user access is compliant with policies. The biggest
reason is that they cannot create a unified view of user access across the enterprise.
Certain situations reduce IAM effectiveness. IAM processes are most often affected by the
availability of automated IAM technologies, adoption of cloud-based applications and the constant
turnover (ebb and flow) of temporary employees, contractors, consultants and partners.
Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS
applications to support key business processes. Despite the popularity of these applications, most
respondents (78 percent) have some level of concern about end-user access to sensitive data in
these applications.
What is your organization’s level of complexity?
In this research, respondents were asked to rate the level of IAM complexity and effectiveness in their
organizations. In the context of this research, complexity often reflects the size of the organization,
number of access requests, growth of unstructured data, higher rates of cloud usage and the number of
information resources that require the assignment of user access rights. No organization can avoid
complexity. The goal in managing complexity is to have the right mix of people, processes and
technologies in place to manage it appropriately and minimize compliance and business risks.
Our analysis also shows that respondents who believe their organizations are effective in their IAM
processes also have lower complexity. Following are the characteristics of companies experiencing a low,
medium and high level of complexity in their IAM processes. Based on these descriptions, it seems that a
medium level of complexity is the best approach to IAM.
A low level of complexity. These companies tend to have a smaller headcount and are more likely
to use manual or homegrown access certification systems.
A low to medium level of complexity. These companies are better able to estimate the annual cost
of IAM systems and/or processes and know the total number of orphan accounts. Again, the
headcount size can keep complexity to a lower level.
A medium level of complexity. These companies are better able to know the number of potential
high-risk users, are more likely to use IAM systems or processes to manage and regulate access
requests to unstructured data assets, have well-defined policies and procedures relating to access
governance across the enterprise and are more likely to assign IAM accountability to business unit
management (LOBs).
A high level of complexity. These companies are more likely to define their organizations’ access
governance process as a set of disconnected or disjointed activities, assign IAM accountability to the
IT organization (CIO), have a higher number of access requests and a higher rate of cloud usage for
critical business applications.
Part 2. Key Findings
We surveyed 678 experienced US IT and IT security practitioners. To ensure knowledgeable responses,
all respondents have a role in providing end-users access to information resources in their organizations.
These include: responding to access requests, supporting the delivery of access, supporting the
enforcement of access policies, reviewing and certifying access compliance and installing technologies
related to access rights management. In this section, we provide an analysis of the key findings according
to the following themes.
Perceptions about the state of IAM practices
State of IAM practices
Complexity in managing IAM processes
Cloud computing usage and complexity
The relationship between complexity and effective IAM processes
The majority of respondents believe their organizations’ IAM processes are not very successful or
effective. Figure 1 presents the findings on perceptions, ranging from strongly agree to unsure, about the
following IAM practices.
Timeliness of access changes. Seventy percent do not agree or are unsure their organization
typically fulfills access changes in response to new employees, transfers to a new role or terminated
employees in a timely manner such as within one day.
Verification of access requests with security policies. Two-thirds of respondents say that access
requests are not immediately checked against security policies before the access is approved and
assigned or are unsure.
Strict enforcement of IAM policies. Fifty-three percent say that IAM policies are not in place and
strictly enforced or are unsure. However, 47 percent agree their current policies are effective.
Investment in IAM technologies. Fifty-three percent of respondents say their organizations do not
make appropriate investments in technologies that manage and govern end-user access to
information resources or they are unsure.
Figure 1. Perceptions about IAM practices
Stacked bars (strongly agree, agree, disagree, strongly disagree, unsure; axis 0% to 35%) for four statements:
Investments in technologies are made that manage and govern end-user access to information resources;
Identity & access management policies are in-place and are strictly enforced;
Access requests are immediately checked against security policies before access is approved and assigned;
Access changes are typically fulfilled within one business day.
The per-bar values cannot be recovered from the extracted text; the strongly agree and agree percentages for each statement are tabulated in the Appendix (Q1a to Q1e).
State of IAM practices
Business unit managers assign access rights. Business unit managers are most involved in
determining access to sensitive and confidential information, according to Figure 2. This function is
followed by information technology operations. Rarely involved is the IT security function.
Figure 2. Responsibility for granting end-user access rights
Two responses permitted
Business unit managers: 63%
Information technology operations: 55%
Compliance department: 30%
Human resource department: 21%
Application owners: 17%
Information security department: 10%
Unsure: 4%
Delegating assignment of access rights to business units without giving them control of IAM policies explains
why the process for assigning access to information resources is not well coordinated. As shown in
Figure 3, the most common arrangement is multiple disconnected processes across the organization. Few
organizations have well-defined policies that are controlled by business unit management (10
percent of respondents). Without such control, changes are often not validated to confirm they were
performed properly, according to 41 percent of respondents, and 5 percent are unsure.
Figure 3. Process for granting end-user access rights
One response permitted
Multiple disconnected processes across the organization: 43%
Determined by well-defined policies that are centrally controlled by corporate IT: 20%
An “ad hoc” process: 12%
A hybrid process that includes IT and business unit management: 11%
Determined by well-defined policies that are controlled by business unit management: 10%
Unsure: 4%
To certify user access to information resources, organizations use homegrown access certification
systems followed by manual processes and commercial off-the-shelf automated solutions, according to
Figure 4.
Figure 4. Processes to certify user access to information resources
Two responses permitted
Homegrown access certification systems: 65%
Manual process: 53%
Commercial off-the-shelf automated solutions: 45%
IT help desk: 30%
Unsure: 5%
Other: 2%
Figure 5 shows that manually-based identity and access controls, followed by technology-based identity
and access controls, are the methods most often used to detect the sharing of system administration or root-level
access rights by privileged users.
Figure 5. Detection of how privileged users are sharing root-level access rights
One response permitted
Manually-based identity and access controls: 39%
Technology-based identity and access controls: 21%
Access to sensitive or confidential information is not really controlled: 18%
We are unable to detect: 10%
A combination of technology and manually-based identity and access controls: 9%
Unsure: 3%
The complexity of IAM processes
The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the
failure of IAM to prevent unauthorized access are: the cost of users’ idle time and lost productivity, lost
revenue or income and cost of technical support including forensics and investigative operations. They
estimate that on average the total potential cost exposure that could result from all IAM failures over the
course of one year is approximately $105 million.
The following findings reveal the challenges organizations face in overcoming complexity and achieving
effectiveness.
Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations’ IAM
activities are overly complex and difficult to manage. On average, organizations have more than 300
information resources such as applications, databases, networks, servers, hosts, file shares that require
the assignment of user access rights. The number of access requests total on average 1,200 each
month. These requests include requesting new access, changes to existing access rights or revocation of
access due to termination.
Figure 6 reports how respondents rated the complexity of their organizations’ IAM processes on a scale
of 1 (low complexity) to 10 (high complexity). The average rating is about 8. Based on this scale, 74
percent rate their organizations as highly complex.
Figure 6. Complexity of IAM processes
Complexity is measured using a 10-point scale
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%
Uncertainty as to how much is spent on IAM. Another indication of the complexity of IAM is that most
respondents do not know what their organizations spend on IAM systems and processes (Figure 7).
According to the findings, on average respondents estimate that in the past 12 months companies spent
$3.5 million on IAM.
Figure 7. Do you know what your organization spends on IAM systems and processes?
Bar chart with three responses (Yes, No, Unsure); the bar values shown are 44%, 43% and 13%, but their assignment to the three responses cannot be recovered from the extracted text.
Why are IAM processes complex? In addition to the number of information resources requiring
assignment of user access rights and the requests for access rights, organizational changes contribute to
complexity. These can range from the use of cloud applications, BYOD and the growth of unstructured
data that is difficult to control. Figure 8 shows what factors are making the job of managing IAM
increasingly difficult.
Figure 8. Factors that complicate IAM practices
Very significant and significant response (values as tabulated in the Appendix, Q3a to Q3d)
Rapid growth of unstructured data: 45% very significant, 46% significant
Expanded use of mobile devices: 44% very significant, 45% significant
Expanded regulatory and compliance requirements: 32% very significant, 36% significant
Access to cloud-based applications and data: 33% very significant, 34% significant
Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say
they use IAM to manage access to unstructured data despite their belief that the growth of this type of
data is making the process of managing access rights more complex. Moreover, if they are currently not
using IAM to manage access to unstructured data, most have no plans in the future to do so.
Organizations lack visibility into what end-users are doing. Do organizations have adequate
knowledge and visibility into end-user access? Fifty-six percent of respondents are either not confident or
unsure that they can ascertain that user access is compliant with policies. As shown in Figure 9, the
biggest reason is that they cannot create a unified view of user access across the enterprise.
Figure 9. Why organizations lack visibility about end-users
Only one response permitted
Can’t create a unified view of user access across the enterprise: 51%
Can’t keep up with the changes occurring to our organization’s information resources: 20%
Can’t apply controls that span across information resources: 20%
Visibility only into user account information but not entitlement information: 9%
Number of orphan accounts and high-risk users are often invisible to IAM. There are other
indicators of uncertainty about the state of IAM. Specifically, respondents admit that they do not know or
are unsure of the number of orphan accounts in their organization (60 percent of respondents). If they are
able to estimate the percentage, it averages almost one-third of all accounts within the organization.
Forty-three percent do not know the percentage of high-risk users and 8 percent are unsure. Accordingly,
less than half of respondents (49 percent) know the percentage of all users who would be considered
high-risk and they estimate it to be 25 percent of all users.
Certain situations reduce IAM effectiveness. As shown in Figure 10, IAM processes are most often
affected by the availability of automated IAM technologies, adoption of cloud-based applications and the
constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.
Figure 10. Effect on IAM process
Very significant and significant response (stacked bars, axis 0% to 80%) for four situations:
Adoption of cloud-based applications;
Availability of automated IAM technologies;
Constant turnover of temporary employees, contractors, consultants and partners;
Constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing.
The per-bar values cannot be recovered from the extracted text.
The situations just described explain the complexity in delivering access to end-users. The problems
created by complexity are shown in Figure 11. Specifically, it takes too long to deliver access, the process
is burdensome and it is hard to keep pace with access change requests.
Figure 11. Key problems in delivering access to end-users
Three responses permitted
Takes too long to deliver access to users: 55%
Burdensome process for business users requesting access: 50%
Cannot keep pace with the number of access change requests: 47%
Lack of a consistent approval process for access and a way to handle exceptions: 40%
Too expensive: 31%
Can’t apply access policy controls at point of change request: 21%
Difficult to audit and validate access changes: 18%
Too much staff required: 16%
No common language exists for how access is requested: 12%
Delivery of access to users is staggered: 10%
Other: 0%
Cloud computing usage and IAM complexity
Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS
applications to support key business processes. Despite the popularity of these applications, most
respondents (78 percent) have some level of concern about end-user access to sensitive data in these
applications, as shown in Figure 12.
Figure 12. Concern about using cloud-based SaaS applications for key business processes
Responses: Yes, very concerned; Yes, concerned; Yes, somewhat concerned; No, not concerned.
No, not concerned: 22%. The three "Yes" responses together account for 78%, with bar values of 31%, 29% and 18%; their assignment to the three "Yes" responses cannot be recovered from the extracted text.
The primary obstacles to using a pure cloud-based SaaS IAM solution are shown in Figure 13. Main
barriers are the ability to control access to sensitive application data (76 percent) and measure security
risk (65 percent). Only 8 percent of respondents do not see any obstacles to adoption.
Figure 13. Obstacles to adopting a SaaS IAM solution
More than one response permitted
Ability to control access to sensitive application data: 76%
Ability to measure security risk: 65%
Ability to transfer data from on-premise (legacy) systems to the cloud: 48%
Availability of SaaS solution: 47%
Ability to obtain approvals from IT and IT security functions: 20%
None: 8%
Other: 3%
Significant cross-tabulations on IAM complexity
Respondents were asked to rate their organizations in terms of (1) complexity of IAM operations and (2)
the effectiveness of IAM systems and controls. Both complexity and effectiveness are measured using a
10-point scale from low (1) to high (10) with a median at 5.5. The distribution of responses shown in
Figure 14 allows us to compute overall average values for both variables. The average complexity rating
is above the median at 7.8, while the average effectiveness rating is below the median at 4.0.
Figure 14 reveals that the majority of respondents believe their IAM processes are very complex.
Seventy-four percent believe the level of complexity is above the median. Respondents also do not
believe their IAM processes are very effective. Again, the majority (55 percent) of respondents rate the
effectiveness below the median of 4.0.
Figure 14. Respondents’ ratings of IAM complexity and effectiveness
Both complexity and effectiveness are measured using a 10-point scale
Level of IAM complexity: 1 to 2: 9%; 3 to 4: 7%; 5 to 6: 10%; 7 to 8: 31%; 9 to 10: 43%
Level of IAM effectiveness: the five bars (1 to 2 through 9 to 10) show 41%, 28%, 15%, 11% and 5%, but their assignment to the bands cannot be recovered from the extracted text.
Figure 15 shows the average effectiveness rating according to five ascending complexity levels. We see
an inverted U-shape relationship, where organizations reporting the lowest effectiveness level at 3.12
also have the lowest level of complexity. In contrast, organizations at the highest level of effectiveness
(5.53) are in the middle range of the 10-point complexity scale. This pattern suggests complexity has a
negative impact on the deployment of IAM, but only for highly effective users.
Figure 15. Interrelationship between IAM complexity and effectiveness
Both complexity and effectiveness are measured using a 10-point scale
Average level of IAM effectiveness by complexity band (1 to 2, 3 to 4, 5 to 6, 7 to 8, 9 to 10): lowest complexity band 3.12; middle band 5.53 (the peak); the remaining bands show 4.29, 3.94 and 3.84, whose assignment cannot be recovered from the extracted text.
Figure 16 shows the average complexity rating according to six ascending headcount (size) levels. As
can be seen, there is a positive relationship between organizational size and IAM complexity.
Organizations with fewer than 500 employees report the lowest average complexity level, at 6.52.
Organizations with headcounts above 25,000 and above 75,000 employees have the highest complexity
level, at 9.23.
Figure 16. Interrelationship between IAM complexity and organizational headcount (size)
Complexity is measured using a 10-point scale
Average level of IAM complexity by headcount band: Less than 500: 6.52; highest bands (above 25,000): 9.23; the 500 to 1,000, 1,001 to 5,000 and 5,001 to 25,000 bands show 7.75, 7.78 and 8.58, whose assignment cannot be recovered from the extracted text.
Part 3. Conclusion: Managing complexity and achieving effectiveness
Our findings suggest that IT staff cannot keep up with the constant change to information resources,
regulations and user access requirements. Many organizations are facing significant information risks
because the process of delivering access is lengthy and burdensome and access rights are not current.
In addition, the approaches to access management tend to be ad hoc or inconsistent and contribute to
ineffectiveness. The following are suggestions for overcoming complexity and reducing IAM failures.
Implement a well-managed enterprise-wide access governance process that keeps employees,
temporary employees and contractors from having too much access to information assets. At the
same time, do not hinder individuals’ access to information resources critical to their productivity. To
do this, organizations must understand what role-based access individuals need. Further, changes to
users’ roles must be managed to ensure they have current and correct access rights.
Create well-defined business policies for the assignment of access rights. These policies should be
centrally controlled to ensure they are enforced in a consistent fashion across the enterprise. They
also should encourage collaboration among different internal groups.
Track and measure the ability to enforce user access policies. This includes measuring the
effectiveness of processes to manage changes to users’ roles; revoking access rights upon an
individual’s termination; monitoring access rights of privileged users’ accounts; and monitoring
segregation of duties.
Ensure that accountability for access rights is assigned to the business unit that has domain
knowledge of the users’ role and responsibility.
Become proactive in managing access rights. Instead of making decisions on an ad hoc basis based
on decentralized procedures, build a process that enables the organization to have continuous
visibility into all user access across all information resources and entitlements to those resources.
Technologies that automate access authorization, review and certification will limit the risk of human
error and negligence.
Bridge the language gap between IT staff and business managers to encourage a common
understanding of how to express access rights and entitlements. This is especially important for the
access request and access certification processes, in which gaps can cause unnecessary delays in
access delivery or allow inappropriate access.
Pursue extending controls over access to all information resources similar to those required under
regulations (SOX, PCI, etc.). This entails organizations broadening their view of risk management
beyond compliance with specific regulations. Organizations need to go beyond the minimum
requirements for compliance and think about risk in the broadest terms with the widest coverage. This
is especially true because the loss of corporate IP is typically not covered under regulations or
industry mandates.
Extend the organizational access governance framework beyond the firewall to cloud computing and
other IT outsourcing/software-as-a-service (SaaS) providers.
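The recommendations above (role-based access, revoking access on termination, segregation of duties, checking requests against policy before approval) and the earlier findings on unchecked access requests and orphan accounts can be reduced to three concrete controls. The following is an added example, not code from the Ponemon report or from RSA Aveksa: an HR roster, a role-to-entitlement policy, a list of segregation-of-duties conflicts and an account export are all constructed sample data, and the function names are hypothetical.

```python
"""Minimal access-governance checks (added example, constructed data).

Three controls the report's conclusion calls for:
  1. check an access request against policy *before* it is approved;
  2. find orphan accounts (no active owner in HR);
  3. find access that exceeds a user's current role (stale after a transfer).
"""

# Constructed HR roster: hypothetical users, statuses and roles.
HR_ROSTER = {
    "alice": {"status": "active", "role": "accounts_payable"},
    "bob":   {"status": "active", "role": "engineering"},
    "carol": {"status": "terminated", "role": "engineering"},
    "dave":  {"status": "active", "role": "treasury"},
}

# Role-based policy: the only entitlements each role may hold (constructed).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:create_vendor", "erp:enter_invoice"},
    "treasury":         {"erp:approve_payment"},
    "engineering":      {"git:read", "git:write"},
}

# Segregation-of-duties conflicts: no single user may hold both (constructed).
SOD_CONFLICTS = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
]

# Constructed export of current account entitlements from the information resources.
ACCOUNTS = {
    "alice": {"erp:create_vendor", "erp:enter_invoice"},
    "bob":   {"git:read", "git:write", "erp:enter_invoice"},  # left over from a previous role
    "carol": {"git:read"},                                     # owner terminated, account still live
    "erin":  {"git:write"},                                    # no HR record at all
    "dave":  {"erp:approve_payment"},
}


def find_orphan_accounts(accounts, roster):
    """Accounts whose owner is unknown to HR or no longer active."""
    return sorted(
        user for user in accounts
        if user not in roster or roster[user]["status"] != "active"
    )


def find_excess_access(accounts, roster, role_entitlements):
    """Entitlements an active user holds beyond what their current role allows."""
    excess = {}
    for user, held in accounts.items():
        record = roster.get(user)
        if record is None or record["status"] != "active":
            continue  # orphan accounts are reported by find_orphan_accounts
        allowed = role_entitlements.get(record["role"], set())
        extra = held - allowed
        if extra:
            excess[user] = sorted(extra)
    return excess


def check_access_request(user, requested, accounts, roster, role_entitlements, sod_conflicts):
    """Evaluate one access request against policy before approval.

    Returns a list of violation strings; an empty list means the request is
    policy-compliant and may proceed to approval.
    """
    violations = []
    record = roster.get(user)
    if record is None or record["status"] != "active":
        violations.append(f"{user}: no active HR record")
        return violations
    allowed = role_entitlements.get(record["role"], set())
    if requested not in allowed:
        violations.append(f"{user}: '{requested}' is not permitted for role {record['role']}")
    held = accounts.get(user, set())
    for a, b in sod_conflicts:
        if requested in (a, b):
            other = b if requested == a else a
            if other in held:
                violations.append(
                    f"{user}: '{requested}' conflicts with held '{other}' (segregation of duties)"
                )
    return violations


if __name__ == "__main__":
    print("orphan accounts:", find_orphan_accounts(ACCOUNTS, HR_ROSTER))
    print("excess access:", find_excess_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS))
    for user, ent in [("alice", "erp:enter_invoice"), ("dave", "erp:create_vendor"), ("carol", "git:write")]:
        result = check_access_request(user, ent, ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, SOD_CONFLICTS)
        print(f"request {user} -> {ent}:", result or "compliant")
```

Run periodically, the first two functions give the continuous visibility the conclusion asks for (orphan accounts and stale entitlements surface as soon as the HR roster changes); the third is the point-of-request policy check that only one-third of respondents report having.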
Part 4. Methods
A random sampling frame of 19,005 experienced US IT and IT security practitioners located in all regions
of the United States was selected for this survey. All respondents have a role in providing
end-users access to information resources in their organizations. As shown in Table 1, 753 respondents
completed the survey. Screening and reliability checks removed 75 surveys. The final sample was 678
surveys (or a 3.6 percent response rate).
Table 1. Sample response
Sample response                  Freq     Pct%
Sampling frame                   19,005   100%
Total returns                    753      4.0%
Rejected and screened surveys    75       0.4%
Final sample                     678      3.6%
Pie Chart 1 reports respondents’ organizational level within participating organizations. By design, 55
percent of respondents are at or above the supervisory level.
Pie Chart 1. Current position within the organization
Slices: C-level, SVP/VP, Director, Manager, Supervisor, Technician, Architect, Staff, Contractor, Other. The slice percentages (2%, 2%, 3%, 3%, 3%, 8%, 14%, 15%, 20%, 31%) cannot be matched to positions from the extracted text.
Pie Chart 2 reports the industry segments of respondents’ organizations. This chart identifies financial
services (16 percent) as the largest segment, followed by government (13 percent) and healthcare and
retail, both at 10 percent.
Pie Chart 2. Industry distribution of respondents’ organizations
Financial services: 16%; Government: 13%; Healthcare: 10%; Retail: 10%. Remaining segments (Services, Consumer products, Manufacturing, Technology, Pharmaceuticals, Energy & utilities, Telecom, Insurance, Education & research, Entertainment & media, Hospitality, Transportation, Other) each account for between 2% and 7%; their individual values cannot be matched from the extracted text.
As shown in Pie Chart 3, 58 percent of respondents are from organizations with a global headcount of
1,000 or more employees.
Pie Chart 3. Worldwide headcount of the organization
Slices: Less than 500, 500 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to 75,000, More than 75,000. The slice percentages (4%, 8%, 17%, 18%, 24%, 29%) cannot be matched to headcount bands from the extracted text.
Part 5. Caveats to this study
There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most web-based
surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a web-based collection method, it is possible that non-web responses by mailed survey or
telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide a truthful response.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey questions
contained in this study. All 678 survey responses were captured in June 2013.
Sample response                  Freq     Pct%
Sampling frame                   19,005   100%
Total returns                    753      4.0%
Rejected and screened surveys    75       0.4%
Final sample                     678      3.6%
Part 1. Screening
S1. What best describes your role in providing end-users access to information
resources in your organization? Please check all that apply.
Respond to access requests: 56%
Support the delivery of access: 37%
Support the enforcement of access policies: 61%
Responsible for review and certification of access compliance: 36%
Install technologies relating to access rights management: 39%
Other (please describe): 2%
None of the above (stop): 0%
Total: 231%
Part 2. Attributions. Please rate Q1a to Q1d using the scale provided below each
statement. (Strongly agree / Agree)
Q1a. Identity & access management policies are in-place and are strictly enforced in
my organization: 21% strongly agree, 26% agree
Q1b. My organization’s Identity & access management activities are overly complex
and difficult to manage: 29% strongly agree, 33% agree
Q1c. My organization makes appropriate investments in technologies that manage and
govern end-user access to information resources: 22% strongly agree, 25% agree
Q1d. My organization typically fulfills access changes (i.e. new employees, transfers to
a new role, terminated employees, etc.) within one business day: 11% strongly agree, 19% agree
Q1e. In my organization, access requests are immediately checked against security
policies before the access is approved and assigned: 14% strongly agree, 19% agree
Part 3. Complexity of identity & access management practices
Q2. Please rate your organization’s identity & access management processes in terms
of its level of complexity, where 1 = low complexity to 10 = high complexity
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%
Total: 100%
How do the following factors contribute to the complexity of identity & access
management practices within your organization? Very significant impact to no impact
(Very significant / Significant)
Q3a. Access to cloud-based applications and data: 33% very significant, 34% significant
Q3b. Expanded use of mobile devices (including BYOD): 44% very significant, 45% significant
Q3c. Expanded regulatory and compliance requirements: 32% very significant, 36% significant
Q3d. Rapid growth of unstructured data: 45% very significant, 46% significant
Q4. Approximately, how many information resources (applications, databases,
networks, servers, hosts, file shares) within your organization require the assignment of
user access rights?                                                                Pct%
Less than 5                                                                        1%
Between 5 and 25                                                                   3%
Between 26 and 50                                                                  23%
Between 51 and 100                                                                 36%
Between 101 and 1,000                                                              25%
More than 1,000                                                                    12%
Total                                                                              100%

Q5. On a monthly basis, how many access requests are made (i.e. requesting new
access, changes to existing access rights or revocation of access due to termination)?
                                                                                   Pct%
Less than 50                                                                       1%
Between 51 and 200                                                                 15%
Between 201 and 500                                                                32%
Between 501 and 1,000                                                              28%
Between 1,001 and 5,000                                                            19%
More than 5,000                                                                    5%
Total                                                                              100%

Q6a. Do you know the total annual costs of IAM systems and/or processes incurred by
your organization?                                                                 Pct%
Yes                                                                                43%
No                                                                                 44%
Unsure                                                                             13%
Total                                                                              100%

Q6b. Please estimate the total cost of IAM incurred by your organization over the past
12 months. Please include all costs including licensing and maintenance fees,
personnel costs, software solutions and other tools.                               Pct%
Zero                                                                               0%
Less than $10,000                                                                  2%
$10,001 to $100,000                                                                3%
$100,001 to $250,000                                                               17%
$250,001 to $500,000                                                               31%
$500,001 to $1,000,000                                                             22%
$1,000,001 to $5,000,000                                                           12%
$5,000,001 to $10,000,000                                                          6%
$10,000,001 to $25,000,000                                                         5%
$25,000,001 to $50,000,000                                                         1%
$50,000,001 to $100,000,000                                                        0%
More than $100,000,000                                                             1%
Total                                                                              100%

Q7a. Do you know the number of orphan accounts within your organization today?     Pct%
Yes                                                                                40%
No                                                                                 54%
Unsure                                                                             6%
Total                                                                              100%
Q7b. If yes, please estimate the percentage of orphan accounts relative to total (all)
accounts within your organization.                                                 Pct%
Less than 1%                                                                       0%
1% to 5%                                                                           3%
6% to 10%                                                                          8%
11% to 20%                                                                         11%
21% to 30%                                                                         13%
31% to 40%                                                                         25%
41% to 50%                                                                         19%
More than 50%                                                                      11%
Cannot determine                                                                   10%
Total                                                                              100%

Q8a. Do you know the number or percentage of high-risk users?                      Pct%
Yes                                                                                49%
No                                                                                 43%
Unsure                                                                             8%
Total                                                                              100%

Q8b. If yes, please estimate the percentage of high-risk users relative to all users
within your organization.                                                          Pct%
Less than 1%                                                                       0%
1% to 5%                                                                           6%
6% to 10%                                                                          8%
11% to 20%                                                                         20%
21% to 30%                                                                         22%
31% to 40%                                                                         24%
41% to 50%                                                                         9%
More than 50%                                                                      2%
Cannot determine                                                                   9%
Total                                                                              100%
Q9. Please rate the relative success or effectiveness of your organization's IAM
processes where 1 = not effective to 10 = very effective.                          Pct%
1 to 2                                                                             15%
3 to 4                                                                             41%
5 to 6                                                                             28%
7 to 8                                                                             11%
9 to 10                                                                            5%
Total                                                                              100%
Q10. Do you presently use IAM to manage access to unstructured data?               Pct%
Yes                                                                                48%
No                                                                                 43%
Unsure                                                                             9%
Total                                                                              100%
Q11. If no, do you plan to use IAM to understand apps and unstructured data?       Pct%
Yes, within the next 12 months                                                     19%
Yes, more than 12 months                                                           13%
Yes, within 24 months                                                              11%
Yes, more than 24 months                                                           3%
No                                                                                 54%
Total                                                                              100%
Q12. What IT infrastructure do you want your organization's IAM to support?        Pct%
IT security management (ITSM)                                                      83%
Security information and event management (SIEM)                                   61%
Network & traffic intelligence                                                     55%
Data loss prevention (DLP)                                                         55%
Intrusion prevention (IPS) & detection (IDS) systems                               40%
Governance, risk management and compliance (GRC) tools                             44%
Other (please specify)                                                             4%
Total                                                                              342%
Q13. What best describes the process for assigning access to information resources in
your organization today? Please select one best choice.                            Pct%
An "ad hoc" process                                                                12%
Determined by well-defined policies that are centrally controlled by corporate IT  20%
Determined by well-defined policies that are controlled by business unit management 10%
A hybrid process that includes IT and business unit management                     11%
Multiple disconnected processes across the organization                            43%
Unsure                                                                             4%
Total                                                                              100%
Q14. Who is responsible for making the decision to grant an end-user access to
information resources? Please select the top two choices.                          Pct%
Information technology operations                                                  55%
Information security department                                                    10%
Compliance department                                                              30%
Business unit managers                                                             63%
Application owners                                                                 17%
Human resource department                                                          21%
Unsure                                                                             4%
Total                                                                              200%
Q15. What processes are used for certifying user access to information resources?
Please select the top two choices.                                                 Pct%
Manual process                                                                     53%
Homegrown access certification systems                                             65%
Commercial off-the-shelf automated solutions                                       45%
IT help desk                                                                       30%
Unsure                                                                             5%
Other                                                                              2%
Total                                                                              200%
Q16. Are changes to access validated to confirm they were performed properly?      Pct%
Yes, all changes                                                                   11%
Yes, most changes                                                                  28%
Yes, some changes                                                                  15%
No                                                                                 41%
Unsure                                                                             5%
Total                                                                              100%
Q17. How do you detect the sharing of system administration access rights or root level
access rights by privileged users? Please select only one top choice.              Pct%
Technology-based identity and access controls                                      21%
Manually-based identity and access controls                                        39%
A combination of technology and manually-based identity and access controls        9%
Access to sensitive or confidential information is not really controlled           18%
Unsure                                                                             3%
We are unable to detect                                                            10%
Total                                                                              100%
Q18a. Are you confident your organization can ascertain that user access is compliant
with policies?                                                                     Pct%
Yes, very confident                                                                18%
Yes, confident                                                                     26%
No, not confident                                                                  50%
Unsure                                                                             6%
Total                                                                              100%
Q18b. If no, please select one main reason.                                        Pct%
We can't create a unified view of user access across the enterprise                51%
We only have visibility into user account information but not entitlement information 9%
We can't apply controls that span across information resources                     20%
We can't keep up with the changes occurring to our organization's information
resources (on-boarding, off-boarding and outsourcing for management)               20%
Total                                                                              100%

Part 4. Cloud computing
Q19. Does your organization use SaaS applications to support key business
processes?                                                                         Pct%
Yes                                                                                71%
No                                                                                 25%
Unsure                                                                             4%
Total                                                                              100%

Q20. Approximately, what proportion of your organization's key business applications
are SaaS-based?                                                                    Pct%
None                                                                               5%
Less than 10%                                                                      31%
11% to 50%                                                                         32%
51% to 75%                                                                         10%
76% to 99%                                                                         11%
All (100%)                                                                         2%
Cannot determine                                                                   9%
Total                                                                              100%

Q21. From an IAM perspective, are you concerned using cloud-based SaaS
applications for key business processes?                                           Pct%
Yes, very concerned                                                                31%
Yes, concerned                                                                     29%
Yes, somewhat concerned                                                            18%
No, not concerned                                                                  22%
Total                                                                              100%
Q22. What obstacles, if any, does your organization face if it decided to use a pure
cloud-based SaaS IAM solution? Please select all that apply.                       Pct%
Ability to obtain approvals from IT and IT security functions                      20%
Ability to measure security risk                                                   65%
Ability to control access to sensitive application data                            76%
Ability to transfer data from on-premise (legacy) systems to the cloud             48%
Availability of SaaS solution                                                      47%
Other (please specify)                                                             3%
None (no obstacles)                                                                8%
Total                                                                              267%

Part 5. Problems & remedies
Q23. What are the key problems you face in delivering access to end-users within your
organization? Please select the top three choices.                                 Pct%
Takes too long to deliver access to users (not meeting our SLAs with the business) 55%
Too expensive                                                                      31%
Too much staff required                                                            16%
Can't apply access policy controls at point of change request                      21%
Delivery of access to users is staggered (not delivered at the same time)          10%
Cannot keep pace with the number of access change requests that come in on a
regular basis                                                                      47%
Lack of a consistent approval process for access and a way to handle exceptions    40%
Difficult to audit and validate access changes                                     18%
Burdensome process for business users requesting access                            50%
No common language exists for how access is requested that will work for both IT and
the business                                                                       12%
Other                                                                              0%
Total                                                                              300%

How will each of the following situations affect your organization's IAM process? Please
use the scale provided below each item, from very significant impact to no impact.
Q24a. Adoption of cloud-based applications
     Very significant 33%    Significant 42%
Q24b. The constant turnover (ebb and flow) of temporary employees, contractors,
consultants and partners
     Very significant 23%    Significant 38%
Q24c. Availability of automated IAM technologies
     Very significant 28%    Significant 29%
Q24d. Constant changes to the organization as a result of mergers and acquisitions,
divestitures, reorganizations and downsizing
     Very significant 23%    Significant 25%
Part 6. Cost exposure estimation
Q25. Following are six cost categories caused by the failure of IAM to prevent
unauthorized access to systems and/or secure places. Please rank each category
based on the financial impact to your organization. 1 = most significant financial impact
and 6 = least significant financial impact.
                                                                          Average rank   Rank order
Cost of technical support including forensics and investigative operations  3.24         3
Cost of users' idle time and lost productivity because of IAM failure       1.88         1
Cost resulting from the organization's response to information misuse or theft 4.45      5
Cost associated with legal and regulatory actions                           5.26         6
Revenues or income lost because of IAM failure                              2.51         2
Cost associated with reputation and brand damage because of IAM failure     3.67         4
Average                                                                     3.50
Q26. Please approximate the total potential cost exposure that could result from all
IAM failures over the course of one year.                                          Pct%
Less than $1,000,000                                                               5%
$1,000,001 to $5,000,000                                                           8%
$5,000,001 to $10,000,000                                                          10%
$10,000,001 to $25,000,000                                                         12%
$25,000,001 to $50,000,000                                                         16%
$50,000,001 to $100,000,000                                                        12%
$100,000,001 to $250,000,000                                                       13%
$250,000,001 to $500,000,000                                                       11%
More than $500,000,000                                                             2%
Cannot determine                                                                   11%
Total                                                                              100%

Part 7. Your role
D1. What organizational level best describes your current position?               Pct%
C-level                                                                            3%
SVP/VP                                                                             3%
Director                                                                           14%
Manager                                                                            20%
Supervisor                                                                         15%
Technician                                                                         31%
Architect                                                                          8%
Staff                                                                              2%
Contractor                                                                         3%
Other (please specify)                                                             2%
Total                                                                              100%

D2. What industry best describes your organization's industry focus?               Pct%
Agriculture & food service                                                         1%
Chemicals                                                                          0%
Consumer products                                                                  6%
Defense                                                                            1%
Education & research                                                               2%
Energy & utilities                                                                 3%
Entertainment & media                                                              2%
Financial services                                                                 16%
Government                                                                         13%
Healthcare                                                                         10%
Hospitality                                                                        2%
Insurance                                                                          2%
Manufacturing                                                                      6%
Medical devices                                                                    1%
Non-profit                                                                         1%
Pharmaceuticals                                                                    4%
Retail                                                                             10%
Services                                                                           7%
Technology                                                                         6%
Telecom                                                                            3%
Transportation                                                                     2%
Other (please specify)                                                             0%
Total                                                                              100%
D3. What is the worldwide headcount of your organization?                          Pct%
Less than 500                                                                      18%
500 to 1,000                                                                       24%
1,001 to 5,000                                                                     29%
5,001 to 25,000                                                                    17%
25,001 to 75,000                                                                   8%
More than 75,000                                                                   4%
Total                                                                              100%

Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to
conduct high quality, empirical studies on critical issues affecting the management and security of
sensitive information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or organization identifiable information in our business research).
Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant
or improper questions.