Managing complexity in IAM
State of the art of established IAM practices and the consequences they can have


Independently conducted by Ponemon Institute LLC
Publication Date: August 2013

Managing Complexity in Identity & Access Management
Sponsored by RSA Aveksa

Ponemon Institute© Research Report
Managing Complexity in Identity & Access Management
Ponemon Institute: August 2013

Part 1. Executive Summary

When employees, temporary employees, contractors and partners have inappropriate access rights to information resources – that is, access that violates security policies and regulations or that is far more expansive than their current jobs require – companies are subject to serious compliance, business and security risks. Unfortunately, for many organizations the process of ensuring appropriate access to information resources is very complex.

Ideally, the appropriate assignment of access rights ensures that users of information resources – which include applications, files and data – have no more and no fewer rights to specific information resources than needed to do their particular job function within an organization. It also helps ensure that end users’ right to use or view business information resources does not violate compliance regulations as required by financial controls legislation, various data protection and privacy regulations, and industry mandates [1].

The overall objective of this study, conducted by Ponemon Institute and sponsored by Aveksa, is to determine how well organizations are managing complexity. To do this, we focused on questions about their current identity and access management (IAM) processes, the effectiveness of those processes and the factors that contribute to complexity. The following are key findings from this research.

• Changing access rights is a lengthy and burdensome process. Seventy percent do not believe or are uncertain that their organization typically fulfills access changes in response to new employees, transfers to a new role or terminated employees in a timely manner, such as within one day. Only one-third of respondents say that access requests are immediately checked against security policies before access is approved and assigned.

• Strict enforcement of IAM policies is seen as lacking. Fifty-three percent of respondents see the need for stricter enforcement.

• Better investments in IAM technologies are needed. Fifty-three percent say their organizations don’t make appropriate investments in technologies that manage and govern end-user access to information resources.

• The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are: the cost of users’ idle time and lost productivity, lost revenue or income, and the cost of technical support, including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million.

• Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations’ IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources such as applications, databases, networks, servers, hosts and file shares that require the assignment of user access rights. Access requests total on average 1,200 each month. These requests include requesting new access, changes to existing access rights or revocation of access due to termination.

• Why IAM processes are complex. In addition to the number of information resources requiring assignment of user access rights and the requests for access rights, organizational changes contribute to complexity. These can range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control.

[1] For example, Sarbanes-Oxley, Euro-SOX, CA 52-313, MAR, GLBA, PCI, HIPAA/HITECH, PIPEDA, MA CMR17, EU Data Protection Directive, Basel II, Solvency II, FFIEC, FERC/NERC, FISMA and others.
• Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, if they are currently not using IAM to manage access to unstructured data, most have no plans to do so in the future.

• Organizations lack visibility into what end-users are doing. Do organizations have adequate knowledge and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. The biggest reason is that they cannot create a unified view of user access across the enterprise.

• Certain situations reduce IAM effectiveness. IAM processes are most often affected by the availability of automated IAM technologies, adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

• Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications.

What is your organization’s level of complexity?

In this research, respondents were asked to rate the level of IAM complexity and effectiveness in their organizations. In the context of this research, complexity often reflects the size of the organization, the number of access requests, the growth of unstructured data, higher rates of cloud usage and the number of information resources that require the assignment of user access rights. No organization can avoid complexity. The goal in managing complexity is to have the right mix of people, processes and technologies in place to manage it appropriately and minimize compliance and business risks. Our analysis also shows that respondents who believe their organizations are effective in their IAM processes also have lower complexity.

Following are the characteristics of companies experiencing a low, medium and high level of complexity in their IAM processes. Based on these descriptions, it seems that a medium level of complexity is the best approach to IAM.

• A low level of complexity. These companies tend to have a smaller headcount and are more likely to use manual or homegrown access certification systems.

• A low to medium level of complexity. These companies are better able to estimate the annual cost of IAM systems and/or processes and know the total number of orphan accounts. Again, the headcount size can keep complexity to a lower level.

• A medium level of complexity. These companies are better able to know the number of potential high-risk users, are more likely to use IAM systems or processes to manage and regulate access requests to unstructured data assets, have well-defined policies and procedures relating to access governance across the enterprise, and are more likely to assign IAM accountability to business unit management (LOBs).

• A high level of complexity. These companies are more likely to define their organizations’ access governance process as a set of disconnected or disjointed activities, assign IAM accountability to the IT organization (CIO), and have a higher number of access requests and a higher rate of cloud usage for critical business applications.
Part 2. Key Findings

We surveyed 678 experienced US IT and IT security practitioners. To ensure knowledgeable responses, all respondents have a role in providing end-users access to information resources in their organizations. These roles include: responding to access requests, supporting the delivery of access, supporting the enforcement of access policies, reviewing and certifying access compliance, and installing technologies related to access rights management. In this section, we provide an analysis of the key findings according to the following themes:

• Perceptions about the state of IAM practices
• State of IAM practices
• Complexity in managing IAM processes
• Cloud computing usage and complexity
• The relationship between complexity and effective IAM processes

The majority of respondents believe their organizations’ IAM processes are not very successful or effective. Figure 1 presents the findings of perceptions, ranging from strongly agree to unsure, about the following IAM practices.

• Timeliness of access changes. Seventy percent do not agree or are unsure that their organization typically fulfills access changes in response to new employees, transfers to a new role or terminated employees in a timely manner, such as within one day.

• Verification of access requests with security policies. Two-thirds of respondents say that access requests are not immediately checked against security policies before the access is approved and assigned, or are unsure.

• Strict enforcement of IAM policies. Fifty-three percent say that IAM policies are not in place and strictly enforced, or are unsure. However, 47 percent agree their current policies are effective.

• Investment in IAM technologies. Fifty-three percent of respondents say their organizations do not make appropriate investments in technologies that manage and govern end-user access to information resources, or they are unsure.

[Figure 1. Perceptions about IAM practices. For each of four statements – investments in technologies are made that manage and govern end-user access to information resources; identity & access management policies are in place and are strictly enforced; access requests are immediately checked against security policies before access is approved and assigned; access changes are typically fulfilled within one business day – the chart shows the share of respondents answering Strongly agree, Agree, Unsure, Disagree and Strongly disagree.]
State of IAM practices

Business unit managers assign access rights. Business unit managers are most involved in determining access to sensitive and confidential information, according to Figure 2. This function is followed by information technology operations. Rarely involved is the IT security function.

Figure 2. Responsibility for granting end-user access rights (two responses permitted)
Business unit managers: 63%
Information technology operations: 55%
Compliance department: 30%
Human resource department: 21%
Application owners: 17%
Information security department: 10%
Unsure: 4%

Delegating assignment of access rights to business units without their control of IAM policies explains why the process for assigning access to information resources is not well coordinated. As shown in Figure 3, it is most common to have multiple disconnected processes across the organization. Most organizations do not have well-defined policies that are controlled by business unit management (10 percent of respondents). Without such control, changes are often not validated to confirm they were performed properly, according to 41 percent of respondents, and 5 percent are unsure.

Figure 3. Process for granting end-user access rights (one response permitted)
Multiple disconnected processes across the organization: 43%
Determined by well-defined policies that are centrally controlled by corporate IT: 20%
An “ad hoc” process: 12%
A hybrid process that includes IT and business unit management: 11%
Determined by well-defined policies that are controlled by business unit management: 10%
Unsure: 4%
To certify user access to information resources, organizations use homegrown access certification systems, followed by manual processes and commercial off-the-shelf automated solutions, according to Figure 4.

Figure 4. Processes to certify user access to information resources (two responses permitted)
Homegrown access certification systems: 65%
Manual process: 53%
Commercial off-the-shelf automated solutions: 45%
IT help desk: 30%
Unsure: 5%
Other: 2%

Figure 5 shows that manually-based identity and access controls, followed by technology-based identity and access controls, are mostly used to detect the sharing of system administration access rights or root-level access rights by privileged users.

Figure 5. Detection of how privileged users are sharing root-level access rights (one response permitted)
Manually-based identity and access controls: 39%
Technology-based identity and access controls: 21%
Access to sensitive or confidential information is not really controlled: 18%
We are unable to detect: 10%
A combination of technology and manually-based identity and access controls: 9%
Unsure: 3%
The complexity of IAM processes

The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are: the cost of users’ idle time and lost productivity, lost revenue or income, and the cost of technical support including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million. The following findings reveal the challenges organizations face in overcoming complexity and achieving effectiveness.

Access rights are difficult to manage. Sixty-two percent of respondents believe their organizations’ IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources such as applications, databases, networks, servers, hosts and file shares that require the assignment of user access rights. Access requests total on average 1,200 each month. These requests include requesting new access, changes to existing access rights or revocation of access due to termination.

Figure 6 reports how respondents rated the complexity of their organizations’ IAM processes on a scale of 1 (low complexity) to 10 (high complexity). The average rating is about 8. Based on this scale, 74 percent rate their organizations as highly complex.

Figure 6. Complexity of IAM processes (complexity is measured using a 10-point scale)
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%
Uncertainty as to how much is spent on IAM. Another indication of the complexity of IAM is that most respondents do not know what their organizations spend on IAM systems and processes (Figure 7). According to the findings, respondents estimate that on average companies spent $3.5 million on IAM in the past 12 months.

Figure 7. Do you know what your organization spends on IAM systems and processes?
Yes: 43%
No: 44%
Unsure: 13%

Why are IAM processes complex? In addition to the number of information resources requiring assignment of user access rights and the requests for access rights, organizational changes contribute to complexity. These can range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control. Figure 8 shows what factors are making the job of managing IAM increasingly difficult.

Figure 8. Factors that complicate IAM practices (very significant and significant responses)
Rapid growth of unstructured data: very significant 45%, significant 46%
Expanded use of mobile devices: very significant 44%, significant 45%
Expanded regulatory and compliance requirements: very significant 32%, significant 36%
Access to cloud-based applications and data: very significant 33%, significant 34%
Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, if they are currently not using IAM to manage access to unstructured data, most have no plans to do so in the future.

Organizations lack visibility into what end-users are doing. Do organizations have adequate knowledge and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. As shown in Figure 9, the biggest reason is that they cannot create a unified view of user access across the enterprise.

Figure 9. Why organizations lack visibility about end-users (only one response permitted)
Can’t create a unified view of user access across the enterprise: 51%
Can’t keep up with the changes occurring to our organization’s information resources: 20%
Can’t apply controls that span across information resources: 20%
Visibility only into user account information but not entitlement information: 9%

Number of orphan accounts and high-risk users are often invisible to IAM. There are other indicators of uncertainty about the state of IAM. Specifically, respondents admit that they do not know or are unsure of the number of orphan accounts in their organization (60 percent of respondents). If they are able to estimate the percentage, it averages almost one-third of all accounts within the organization. Forty-three percent do not know the percentage of high-risk users and 8 percent are unsure. Accordingly, less than half of respondents (49 percent) know the percentage of all users who would be considered high-risk, and they estimate it to be 25 percent of all users.
Certain situations reduce IAM effectiveness. As shown in Figure 10, IAM processes are most often affected by the availability of automated IAM technologies, adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

[Figure 10. Effect on IAM processes (very significant and significant responses). Bars for: adoption of cloud-based applications; availability of automated IAM technologies; constant turnover of temporary employees, contractors, consultants and partners; constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing.]

The situations just described explain the complexity in delivering access to end-users. The problems created by complexity are shown in Figure 11. Specifically, it takes too long to deliver access, the process is burdensome and it is hard to keep pace with access change requests.

Figure 11. Key problems in delivering access to end-users (three responses permitted)
Takes too long to deliver access to users: 55%
Burdensome process for business users requesting access: 50%
Cannot keep pace with the number of access change requests: 47%
Lack of a consistent approval process for access and a way to handle exceptions: 40%
Too expensive: 31%
Can’t apply access policy controls at point of change request: 21%
Difficult to audit and validate access changes: 18%
Too much staff required: 16%
No common language exists for how access is requested: 12%
Delivery of access to users is staggered: 10%
Other: 0%
Cloud computing usage and IAM complexity

Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications, as shown in Figure 12.

[Figure 12. Concern about using cloud-based SaaS applications for key business processes. Bars for: Yes, very concerned; Yes, concerned; Yes, somewhat concerned; No, not concerned.]

The primary obstacles to using a pure cloud-based SaaS IAM solution are shown in Figure 13. The main barriers are the ability to control access to sensitive application data (76 percent) and to measure security risk (65 percent). Only 8 percent of respondents do not see any obstacles to adoption.

Figure 13. Obstacles to adopting a SaaS IAM solution (more than one response permitted)
Ability to control access to sensitive application data: 76%
Ability to measure security risk: 65%
Ability to transfer data from on-premise (legacy) systems to the cloud: 48%
Availability of SaaS solution: 47%
Ability to obtain approvals from IT and IT security functions: 20%
None: 8%
Other: 3%
Significant cross-tabulations on IAM complexity

Respondents were asked to rate their organizations in terms of (1) the complexity of IAM operations and (2) the effectiveness of IAM systems and controls. Both complexity and effectiveness are measured using a 10-point scale from low (1) to high (10), with a median at 5.5. The distribution of responses shown in Figure 14 allows us to compute overall average values for both variables. The average complexity rating is above the median at 7.8, while the average effectiveness rating is below the median at 4.0.

Figure 14 reveals that the majority of respondents believe their IAM processes are very complex. Seventy-four percent believe the level of complexity is above the median. Respondents also do not believe their IAM processes are very effective. Again, the majority (55 percent) of respondents rate the effectiveness below the median of 4.0.

Figure 14. Respondents’ ratings of IAM complexity and effectiveness (both measured using a 10-point scale)
Level of IAM complexity – 1 to 2: 9%; 3 to 4: 7%; 5 to 6: 10%; 7 to 8: 31%; 9 to 10: 43%
Level of IAM effectiveness – 1 to 2: 15%; 3 to 4: 41%; 5 to 6: 28%; 7 to 8: 11%; 9 to 10: 5%
Figure 15 shows the average effectiveness rating according to five ascending complexity levels. We see an inverted U-shaped relationship, where organizations reporting the lowest effectiveness level at 3.12 also have the lowest level of complexity. In contrast, organizations at the highest level of effectiveness (5.53) are in the middle range of the 10-point complexity scale. This pattern suggests complexity has a negative impact on the deployment of IAM, but only for highly effective users.

Figure 15. Interrelationship between IAM complexity and effectiveness (both measured using a 10-point scale)
Average level of IAM effectiveness by level of IAM complexity – 1 to 2: 3.12; 3 to 4: 4.29; 5 to 6: 5.53; 7 to 8: 3.94; 9 to 10: 3.84

Figure 16 shows the average complexity rating according to six ascending headcount (size) levels. As can be seen, there is a positive relationship between organizational size and IAM complexity. Organizations with fewer than 500 employees report the lowest average complexity level at 6.52. Organizations with a headcount between 25,001 and 75,000 employees have the highest level of complexity at 9.23.

[Figure 16. Interrelationship between IAM complexity and organizational headcount (size); complexity is measured using a 10-point scale. Bars for: Less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000. Average level of IAM complexity rises from 6.52 to 9.23 across these bands.]
Part 3. Conclusion: Managing complexity and achieving effectiveness

Our findings suggest that IT staffs cannot keep up with the constant change to information resources, regulations and user access requirements. Many organizations are facing significant information risks because the process of delivering access is lengthy and burdensome and access rights are not current. In addition, the approaches to access management tend to be ad hoc or inconsistent and contribute to ineffectiveness. The following are suggestions for overcoming complexity and reducing IAM failures.

• Implement a well-managed enterprise-wide access governance process that keeps employees, temporary employees and contractors from having too much access to information assets. At the same time, do not hinder individuals’ access to information resources critical to their productivity. To do this, organizations must understand what role-based access individuals need. Further, changes to users’ roles must be managed to ensure they have current and correct access rights.

• Create well-defined business policies for the assignment of access rights. These policies should be centrally controlled to ensure they are enforced in a consistent fashion across the enterprise. They also should encourage collaboration among different internal groups.

• Track and measure the ability to enforce user access policies. This includes measuring the effectiveness of processes to manage changes to users’ roles; revoking access rights upon an individual’s termination; monitoring access rights of privileged users’ accounts; and monitoring segregation of duties.

• Ensure that accountability for access rights is assigned to the business unit that has domain knowledge of the users’ role and responsibility.

• Become proactive in managing access rights. Instead of making decisions on an ad hoc basis based on decentralized procedures, build a process that enables the organization to have continuous visibility into all user access across all information resources and entitlements to those resources. Technologies that automate access authorization, review and certification will limit the risk of human error and negligence.

• Bridge the language gap between IT staff and business managers to encourage a common understanding of how to express access rights and entitlements. This is especially important for the access request and access certification processes, in which gaps can cause unnecessary delays in access delivery or allow inappropriate access.

• Pursue extending controls over access to all information resources, similar to those required under regulations (SOX, PCI, etc.). This entails organizations broadening their view of risk management beyond compliance with specific regulations. Organizations need to go beyond the minimum requirements for compliance and think about risk in the broadest terms with the widest coverage. This is especially true because the loss of corporate IP is typically not covered under regulations or industry mandates.

• Extend the organizational access governance framework beyond the firewall to cloud computing and other IT outsourcing/software-as-a-service (SaaS) providers.
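The governance checks recommended above (orphan accounts, role-based policy, segregation of duties, pre-approval checking of requests, and timely fulfilment of changes) can be run as a periodic review over an HR system of record and an entitlement snapshot. The Python below is an added example written for this page, not code from Ponemon Institute or Aveksa; the users, roles, entitlements, the single segregation-of-duties rule and the 24-hour fulfilment SLA are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed HR system of record (assumption): user -> current role and active flag.
HR_RECORDS = {
    "alice": {"role": "accounts_payable", "active": True},
    "bob": {"role": "accounts_receivable", "active": True},
    "carol": {"role": "dba", "active": False},  # terminated, revocation still pending
    "dave": {"role": "sales", "active": True},
    "frank": {"role": "accounts_payable", "active": True},
}

# Constructed entitlement snapshot (assumption), as exported from the applications.
ENTITLEMENTS = [
    ("alice", "erp.create_vendor"),
    ("bob", "erp.post_receipt"),
    ("carol", "db.root"),               # terminated user still holds root: orphan account
    ("dave", "crm.read"),
    ("dave", "db.root"),                # outside the sales role: policy violation
    ("eve", "fileshare.finance"),       # no HR record at all: orphan account
    ("frank", "erp.create_vendor"),
    ("frank", "erp.approve_payment"),   # toxic combination: segregation-of-duties violation
]

# Centrally controlled role-based policy (assumption): entitlements each role may hold.
ROLE_POLICY = {
    "accounts_payable": {"erp.create_vendor", "erp.approve_payment"},
    "accounts_receivable": {"erp.post_receipt"},
    "dba": {"db.root"},
    "sales": {"crm.read", "crm.export"},
}

# Segregation-of-duties rules (assumption): pairs no single user may hold together.
SOD_RULES = [("erp.create_vendor", "erp.approve_payment")]

# Constructed access-change log: (user, change, requested, fulfilled or None if still open).
CHANGE_LOG = [
    ("bob", "grant erp.post_receipt", datetime(2013, 6, 3, 9), datetime(2013, 6, 3, 15)),
    ("carol", "revoke db.root", datetime(2013, 6, 3, 9), None),
    ("dave", "grant crm.read", datetime(2013, 6, 3, 9), datetime(2013, 6, 6, 10)),
]
FULFILMENT_SLA = timedelta(days=1)  # the report's "within one business day", simplified to 24h


def _held_by(user, entitlements):
    return {e for u, e in entitlements if u == user}


def _is_active(user, hr):
    rec = hr.get(user)
    return bool(rec and rec["active"])


def orphan_accounts(entitlements=ENTITLEMENTS, hr=HR_RECORDS):
    """Accounts that hold entitlements but have no active HR record (terminated or unknown)."""
    return sorted({u for u, _ in entitlements if not _is_active(u, hr)})


def role_violations(entitlements=ENTITLEMENTS, hr=HR_RECORDS, policy=ROLE_POLICY):
    """Entitlements held by active users that their current role does not permit."""
    return [(u, e) for u, e in entitlements
            if _is_active(u, hr) and e not in policy.get(hr[u]["role"], set())]


def sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Users holding both halves of a segregation-of-duties conflict."""
    users = sorted({u for u, _ in entitlements})
    return [(u, a, b) for u in users for a, b in rules if {a, b} <= _held_by(u, entitlements)]


def check_request(user, entitlement, entitlements=ENTITLEMENTS, hr=HR_RECORDS,
                  policy=ROLE_POLICY, rules=SOD_RULES):
    """Check a new access request against policy before it is approved and assigned."""
    if not _is_active(user, hr):
        return False, "no active HR record"
    role = hr[user]["role"]
    if entitlement not in policy.get(role, set()):
        return False, f"not permitted for role {role}"
    held = _held_by(user, entitlements)
    for a, b in rules:
        other = {a: b, b: a}.get(entitlement)  # the conflicting half, if this rule applies
        if other in held:
            return False, f"segregation of duties: conflicts with {other}"
    return True, "approved"


def late_changes(log=CHANGE_LOG, now=datetime(2013, 6, 7, 9), sla=FULFILMENT_SLA):
    """Access changes not fulfilled within the SLA; still-open changes are measured up to now."""
    return [(u, c) for u, c, requested, done in log if (done or now) - requested > sla]


def review_summary():
    """One review cycle's findings: the metrics the report says most organizations cannot produce."""
    total_accounts = len({u for u, _ in ENTITLEMENTS})
    orphans = orphan_accounts()
    return {
        "orphan_accounts": orphans,
        "orphan_rate_pct": round(100 * len(orphans) / total_accounts),
        "role_violations": role_violations(),
        "sod_violations": sod_violations(),
        "late_changes": late_changes(),
    }


if __name__ == "__main__":
    for key, value in review_summary().items():
        print(f"{key}: {value}")
    print(check_request("alice", "erp.approve_payment"))
```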
Part 4. Methods

A random sampling frame of 19,005 experienced US IT and IT security practitioners located in all regions of the United States was selected as participants for this survey. All respondents have a role in providing end-users access to information resources in their organizations. As shown in Table 1, 753 respondents completed the survey. Screening and reliability checks removed 75 surveys. The final sample was 678 surveys (a 3.6 percent response rate).

Table 1. Sample response
Sampling frame: 19,005 (100%)
Total returns: 753 (4.0%)
Rejected and screened surveys: 75 (0.4%)
Final sample: 678 (3.6%)

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 55 percent of respondents are at or above the supervisory level.

[Pie Chart 1. Current position within the organization. Segments: C-level, SVP/VP, Director, Manager, Supervisor, Technician, Architect, Staff, Contractor, Other.]
Pie Chart 2 reports the industry segments of respondents’ organizations. This chart identifies financial services (16 percent) as the largest segment, followed by government (13 percent) and healthcare and retail, both at 10 percent.

[Pie Chart 2. Industry distribution of respondents’ organizations. Segments: Financial services, Government, Healthcare, Retail, Services, Consumer products, Manufacturing, Technology, Pharmaceuticals, Energy & utilities, Telecom, Insurance, Education & research, Entertainment & media, Hospitality, Transportation, Other.]

As shown in Pie Chart 3, 58 percent of respondents are from organizations with a global headcount of 1,000 or more employees.

[Pie Chart 3. Worldwide headcount of the organization. Segments: Less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; More than 75,000.]
Part 5. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All 678 survey responses were captured in June 2013.

Sample response
Sampling frame: 19,005 (100%)
Total returns: 753 (4.0%)
Rejected and screened surveys: 75 (0.4%)
Final sample: 678 (3.6%)

Part 1. Screening

S1. What best describes your role in providing end-users access to information resources in your organization? Please check all that apply.
Respond to access requests: 56%
Support the delivery of access: 37%
Support the enforcement of access policies: 61%
Responsible for review and certification of access compliance: 36%
Install technologies relating to access rights management: 39%
Other (please describe): 2%
None of the above (stop): 0%
Total: 231%

Part 2. Attributions. Please rate Q1a to Q1d using the scale provided below each statement.
Q1a. Identity & access management policies are in-place and are strictly enforced in my organization. Strongly agree: 21%; Agree: 26%
Q1b. My organization’s identity & access management activities are overly complex and difficult to manage. Strongly agree: 29%; Agree: 33%
Q1c. My organization makes appropriate investments in technologies that manage and govern end-user access to information resources. Strongly agree: 22%; Agree: 25%
Q1d. My organization typically fulfills access changes (i.e. new employees, transfers to a new role, terminated employees, etc.) within one business day. Strongly agree: 11%; Agree: 19%
Q1e. In my organization, access requests are immediately checked against security policies before the access is approved and assigned. Strongly agree: 14%; Agree: 19%

Part 3. Complexity of identity & access management practices

Q2. Please rate your organization’s identity & access management processes in terms of its level of complexity, where 1 = low complexity to 10 = high complexity.
1 to 2: 9%
3 to 4: 7%
5 to 6: 10%
7 to 8: 31%
9 to 10: 43%
Total: 100%

How do the following factors contribute to the complexity of identity & access management practices within your organization? (Very significant impact to no impact)
Q3a. Access to cloud-based applications and data: Very significant 33%; Significant 34%
Q3b. Expanded use of mobile devices (including BYOD): Very significant 44%; Significant 45%
Q3c. Expanded regulatory and compliance requirements: Very significant 32%; Significant 36%
Q3d. Rapid growth of unstructured data: Very significant 45%; Significant 46%
Q4. Approximately, how many information resources (applications, databases, networks, servers, hosts, file shares) within your organization require the assignment of user access rights?
  Less than 5: 1%
  Between 5 and 25: 3%
  Between 26 and 50: 23%
  Between 51 and 100: 36%
  Between 101 and 1,000: 25%
  More than 1,000: 12%
  Total: 100%

Q5. On a monthly basis, how many access requests are made (i.e. requesting new access, changes to existing access rights or revocation of access due to termination)?
  Less than 50: 1%
  Between 51 and 200: 15%
  Between 201 and 500: 32%
  Between 501 and 1,000: 28%
  Between 1,001 and 5,000: 19%
  More than 5,000: 5%
  Total: 100%

Q6a. Do you know the total annual costs of IAM systems and/or processes incurred by your organization?
  Yes: 43%
  No: 44%
  Unsure: 13%
  Total: 100%

Q6b. Please estimate the total cost of IAM incurred by your organization over the past 12 months. Please include all costs including licensing and maintenance fees, personnel costs, software solutions and other tools.
  Zero: 0%
  Less than $10,000: 2%
  $10,001 to $100,000: 3%
  $100,001 to $250,000: 17%
  $250,001 to $500,000: 31%
  $500,001 to $1,000,000: 22%
  $1,000,001 to $5,000,000: 12%
  $5,000,001 to $10,000,000: 6%
  $10,000,001 to $25,000,000: 5%
  $25,000,001 to $50,000,000: 1%
  $50,000,001 to $100,000,000: 0%
  More than $100,000,000: 1%
  Total: 100%

Q7a. Do you know the number of orphan accounts within your organization today?
  Yes: 40%
  No: 54%
  Unsure: 6%
  Total: 100%
Q7b. If yes, please estimate the percentage of orphan accounts relative to total (all) accounts within your organization.
  Less than 1%: 0%
  1% to 5%: 3%
  6% to 10%: 8%
  11% to 20%: 11%
  21% to 30%: 13%
  31% to 40%: 25%
  41% to 50%: 19%
  More than 50%: 11%
  Cannot determine: 10%
  Total: 100%

Q8a. Do you know the number or percentage of high-risk users?
  Yes: 49%
  No: 43%
  Unsure: 8%
  Total: 100%

Q8b. If yes, please estimate the percentage of high-risk users relative to all users within your organization.
  Less than 1%: 0%
  1% to 5%: 6%
  6% to 10%: 8%
  11% to 20%: 20%
  21% to 30%: 22%
  31% to 40%: 24%
  41% to 50%: 9%
  More than 50%: 2%
  Cannot determine: 9%
  Total: 100%

Q9. Please rate the relative success or effectiveness of your organization's IAM processes, where 1 = not effective to 10 = very effective.
  1 to 2: 15%
  3 to 4: 41%
  5 to 6: 28%
  7 to 8: 11%
  9 to 10: 5%
  Total: 100%

Q10. Do you presently use IAM to manage access to unstructured data?
  Yes: 48%
  No: 43%
  Unsure: 9%
  Total: 100%

Q11. If no, do you plan to use IAM to understand apps and unstructured data?
  Yes, within the next 12 months: 19%
  Yes, more than 12 months: 13%
  Yes, within 24 months: 11%
  Yes, more than 24 months: 3%
  No: 54%
  Total: 100%

Q12. What IT infrastructure do you want your organization's IAM to support?
  IT security management (ITSM): 83%
  Security information and event management (SIEM): 61%
  Network & traffic intelligence: 55%
  Data loss prevention (DLP): 55%
  Intrusion prevention (IPS) & detection (IDS) systems: 40%
  Governance, risk management and compliance (GRC) tools: 44%
  Other (please specify): 4%
  Total: 342%

Q13. What best describes the process for assigning access to information resources in your organization today? Please select one best choice.
  An "ad hoc" process: 12%
  Determined by well-defined policies that are centrally controlled by corporate IT: 20%
  Determined by well-defined policies that are controlled by business unit management: 10%
  A hybrid process that includes IT and business unit management: 11%
  Multiple disconnected processes across the organization: 43%
  Unsure: 4%
  Total: 100%

Q14. Who is responsible for making the decision to grant an end-user access to information resources? Please select the top two choices.
  Information technology operations: 55%
  Information security department: 10%
  Compliance department: 30%
  Business unit managers: 63%
  Application owners: 17%
  Human resource department: 21%
  Unsure: 4%
  Total: 200%

Q15. What processes are used for certifying user access to information resources? Please select the top two choices.
  Manual process: 53%
  Homegrown access certification systems: 65%
  Commercial off-the-shelf automated solutions: 45%
  IT help desk: 30%
  Unsure: 5%
  Other: 2%
  Total: 200%

Q16. Are changes to access validated to confirm they were performed properly?
  Yes, all changes: 11%
  Yes, most changes: 28%
  Yes, some changes: 15%
  No: 41%
  Unsure: 5%
  Total: 100%
Q17. How do you detect the sharing of system administration access rights or root level access rights by privileged users? Please select only one top choice.
  Technology-based identity and access controls: 21%
  Manually-based identity and access controls: 39%
  A combination of technology and manually-based identity and access controls: 9%
  Access to sensitive or confidential information is not really controlled: 18%
  Unsure: 3%
  We are unable to detect: 10%
  Total: 100%

Q18a. Are you confident your organization can ascertain that user access is compliant with policies?
  Yes, very confident: 18%
  Yes, confident: 26%
  No, not confident: 50%
  Unsure: 6%
  Total: 100%

Q18b. If no, please select one main reason.
  We can't create a unified view of user access across the enterprise: 51%
  We only have visibility into user account information but not entitlement information: 9%
  We can't apply controls that span across information resources: 20%
  We can't keep up with the changes occurring to our organization's information resources (on-boarding, off-boarding and outsourcing for management): 20%
  Total: 100%

Part 4. Cloud computing

Q19. Does your organization use SaaS applications to support key business processes?
  Yes: 71%
  No: 25%
  Unsure: 4%
  Total: 100%

Q20. Approximately, what proportion of your organization's key business applications are SaaS-based?
  None: 5%
  Less than 10%: 31%
  11% to 50%: 32%
  51% to 75%: 10%
  76% to 99%: 11%
  All (100%): 2%
  Cannot determine: 9%
  Total: 100%

Q21. From an IAM perspective, are you concerned using cloud-based SaaS applications for key business processes?
  Yes, very concerned: 31%
  Yes, concerned: 29%
  Yes, somewhat concerned: 18%
  No, not concerned: 22%
  Total: 100%
Q22. What obstacles, if any, does your organization face if it decided to use a pure cloud-based SaaS IAM solution? Please select all that apply.
  Ability to obtain approvals from IT and IT security functions: 20%
  Ability to measure security risk: 65%
  Ability to control access to sensitive application data: 76%
  Ability to transfer data from on-premise (legacy) systems to the cloud: 48%
  Availability of SaaS solution: 47%
  Other (please specify): 3%
  None (no obstacles): 8%
  Total: 267%

Part 5. Problems & remedies

Q23. What are the key problems you face in delivering access to end-users within your organization? Please select the top three choices.
  Takes too long to deliver access to users (not meeting our SLAs with the business): 55%
  Too expensive: 31%
  Too much staff required: 16%
  Can't apply access policy controls at point of change request: 21%
  Delivery of access to users is staggered (not delivered at the same time): 10%
  Cannot keep pace with the number of access change requests that come in on a regular basis: 47%
  Lack of a consistent approval process for access and a way to handle exceptions: 40%
  Difficult to audit and validate access changes: 18%
  Burdensome process for business users requesting access: 50%
  No common language exists for how access is requested that will work for both IT and the business: 12%
  Other: 0%
  Total: 300%

How will each of the following situations affect your organization's IAM process? Please use the scale provided below each item, from very significant impact to no impact. (Very significant / Significant)
  Q24a. Adoption of cloud-based applications: 33% / 42%
  Q24b. The constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners: 23% / 38%
  Q24c. Availability of automated IAM technologies: 28% / 29%
  Q24d. Constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing: 23% / 25%

Part 6. Cost exposure estimation

Q25. Following are six cost categories caused by the failure of IAM to prevent unauthorized access to systems and/or secure places. Please rank each category based on the financial impact to your organization. 1 = most significant financial impact and 6 = least significant financial impact. (Average rank / Rank order)
  Cost of technical support including forensics and investigative operations: 3.24 / 3
  Cost of users' idle time and lost productivity because of IAM failure: 1.88 / 1
  Cost resulting from the organization's response to information misuse or theft: 4.45 / 5
  Cost associated with legal and regulatory actions: 5.26 / 6
  Revenues or income lost because of IAM failure: 2.51 / 2
  Cost associated with reputation and brand damage because of IAM failure: 3.67 / 4
  Average: 3.50
Q26. Please approximate the total potential cost exposure that could result from all IAM failures over the course of one year.
  Less than $1,000,000: 5%
  $1,000,001 to $5,000,000: 8%
  $5,000,001 to $10,000,000: 10%
  $10,000,001 to $25,000,000: 12%
  $25,000,001 to $50,000,000: 16%
  $50,000,001 to $100,000,000: 12%
  $100,000,001 to $250,000,000: 13%
  $250,000,001 to $500,000,000: 11%
  More than $500,000,000: 2%
  Cannot determine: 11%
  Total: 100%

Part 7. Your role

D1. What organizational level best describes your current position?
  C-level: 3%
  SVP/VP: 3%
  Director: 14%
  Manager: 20%
  Supervisor: 15%
  Technician: 31%
  Architect: 8%
  Staff: 2%
  Contractor: 3%
  Other (please specify): 2%
  Total: 100%

D2. What industry best describes your organization's industry focus?
  Agriculture & food service: 1%
  Chemicals: 0%
  Consumer products: 6%
  Defense: 1%
  Education & research: 2%
  Energy & utilities: 3%
  Entertainment & media: 2%
  Financial services: 16%
  Government: 13%
  Healthcare: 10%
  Hospitality: 2%
  Insurance: 2%
  Manufacturing: 6%
  Medical devices: 1%
  Non-profit: 1%
  Pharmaceuticals: 4%
  Retail: 10%
  Services: 7%
  Technology: 6%
  Telecom: 3%
  Transportation: 2%
  Other (please specify): 0%
  Total: 100%
D3. What is the worldwide headcount of your organization?
  Less than 500: 18%
  500 to 1,000: 24%
  1,001 to 5,000: 29%
  5,001 to 25,000: 17%
  25,001 to 75,000: 8%
  More than 75,000: 4%
  Total: 100%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.