How to establish IAM metrics within the Zero Trust framework

Start by identifying the strategic goals of the IAM program. IAM strategic goals should align with the broader objectives of the organization, such as enhancing security, improving user experience and achieving regulatory compliance. Examples of strategic goals for IAM could include reducing the risk of unauthorized access, streamlining user provisioning processes or enhancing identity governance. 

Once strategic goals are identified, then define supporting goals. These supporting goals represent specific areas or aspects that contribute to achieving the strategic objectives. For instance, if the strategic goal is to reduce the risk of unauthorized access, supporting goals could include strengthening authentication mechanisms, implementing role-based access controls or enhancing privileged access management.

Using the M-22-09 Identity strategic goal above, supporting goals could be “Agency staff use enterprise-managed identities to govern authorization to applications they use in their work” and “Agency staff use phishing-resistant MFA to access Agency resources.” There can be multiple layers of supporting goals, if needed.

After supporting goals have been defined, establish specific IAM KPIs that measure the progress and effectiveness of the IAM program. KPIs should be specific and measurable and expressed as a proportion (percentage) so that various dimensions (departments, branches, regions, time periods, etc.) can be compared against each other. KPIs indicate the success or areas of improvement for each supporting goal. Examples of IAM KPIs could include the average time taken to provision user accounts, access policy violation rate, percentage of failed authentication attempts or MFA adoption rate.

In the example above, KPIs include “Percentage of employees with a centralized digital identity” and “Percentage of cloud resources that require phishing-resistant MFA to authenticate.”