WWT Identity Maturity Model
A step-by-step guide for CISOs to reduce risk and deliver business value.
In This Research Report
The Need to Mature Identity
Addressing risks of an expanded ecosystem
Organizations must be able to provide fast and seamless access to their corporate assets. Unfortunately, this access can create opportunities that bad actors are happy to exploit. When organizations don’t have an identity strategy that accounts for their current ecosystems of employees, customers, contractors and connected devices, they leave themselves exposed to inappropriate access and enterprise-wide risks.
In 2020, 5 percent of corporate revenue was lost to fraud, and 86 percent of insider threats were the result of malicious employees and employee negligence. The good news is that guarding against these risks doesn’t require combating highly sophisticated attacks. It does, however, require a close look at where your identity posture stands today.
Many organizations are operating from an identity strategy that is years old. While their identity posture might have protected against attacks and compliance violations in the past, it doesn’t allow them to identify and evaluate risk across their current identity ecosystem.
Organizations commonly find themselves struggling with:
- Identity silos that prohibit a comprehensive view of all users and access.
- Operational inefficiencies when trying to manage tens of millions of access privileges spread across different platforms.
- Integrating complex legacy technology solutions with enterprise platforms.
In this report, we detail how organizations can build the identity capabilities they need to mitigate inappropriate access and deliver value to the business. It’s not an easy road, but it is one that needs to be taken. And our maturity model will guide you along the way.
We developed our identity maturity model to help organizations grow their identity capabilities related to people, process and technology. This model will help you understand where your organization stands today and the steps you can take to level up.
- Governance is ad hoc and informal; tools are put into place on a piecemeal basis; responsibilities are poorly defined.
- Tactical priorities are set based on certain business drivers; technology projects are discreet; technology redundancy is likely; business value is tactical.
- Identity program management is established; an identity architecture is defined; identity vision is defined; multi-year projects align with vision and strategy.
- Identity governance structure is defined; key stakeholders are actively involved in identity program; identity performance targets are actualized; identity architecture aligns with enterprise architecture.
- Performance is continuously monitored; identity program is dynamic and adaptive to changes in business conditions; transformational value is being delivered.
Level 1: Initial Identity
Organizations at this stage have little to no visibility into how entities within their environments are behaving. Identity policies don’t account for organizations’ current ecosystems of employees, customers, contractors and connected devices. Level 1 organizations rely on technology narrowly designed to protect legacy systems from external attacks.
Risks of initial identity:
- Employees can bypass security controls.
- Terminated employees retain access to critical data.
- No separation of duties gives staff too much access to critical data.
- Promotions leave staff with excessive privileges.
- Onboarding doesn’t give staff the access they need to do their jobs.
- Lack of data security increases audit violations.
Moving past Level 1
By taking the following steps, organizations can move from initial identity (Level 1) to developing identity (Level 2).
- Recognize hoc and informal governance – Focus on identifying who designs access rules. This step requires reaching out to IT and business leaders. Identify business leaders within your organization who can detail the level of access each role in their department needs. Business stakeholders having a foundational understanding of identity and access will pay dividends as you align identity controls to business goals.
- Identify piecemeal tools – Start documenting how IT and business owners document identities and handle access requests. What service level agreements are operations working against? How long does it take application owners to review entitlement changes? Where does documentation reside? Not only will these questions reveal where you can gain efficiencies, but they will also clue you in to important technology features for your organization.
- Define responsibilities – Pinpoint who is responsible for each stage of the identity lifecycle. What role do different staff play in the approval process? Who is handling leads and backups? When organizations dig in, they often find a lack of responsibility or overlapping job functions.
- Determine if identity supports business goals – Identity is all about the right people having access to the right resources at the right time for the right reasons. However, many don’t square their identity efforts with this principle. Start to think about whether your identity efforts are mitigating organizational risks, aiding with compliance and increasing productivity. This will help you when you begin to formalize an identity strategy and vision.
Level 2: Developing Identity
Organizations at this stage have some visibility into their current ecosystems of employees, customers, contractors and connected devices. However, they struggle to grant or deny access in a timely manner. Level 2 organizations often experience technology redundancy and rely on manual approaches to manage identity.
Shortcomings of developing identity:
- Identity controls don’t meet compliance expectations.
- C-level and board are skeptical of new technology requests.
- Business owners are frustrated at the time it takes to process access changes.
- Management of application entitlements is time-consuming and prone to errors.
- Identity lifecycle management is inefficient.
- Help desk is overburdened.
Moving past Level 2
By taking the following steps, organizations can move from developing identity (Level 2) to defined identity (Level 3).
- Rationalize identity tools – Many organizations have redundant identity technologies in their environment. Usually this stems from buying point solutions to solve problems that may no longer be an issue. Take an inventory of your technology investments. Where do feature sets overlap? Do you have the expertise to fully leverage the tools in your environment? Does the technology you have provide you with the scalability and software as a service (Saas) integrations you need as your business grows?
- Move from delivering tactical to strategic value – Many organizations at this stage are delivering tactical value. Often, they are optimizing existing controls, however they can’t articulate the business impact of these controls. Are your identity efforts improving market trust, increasing availability and performance, improving compliance, reducing costs, and assuring business continuity? Once you answer these questions, you can determine what control gaps will deliver the most strategic value for the business.
- Define user groups and least privileged access – It’s time to begin to create a common directory of users that includes all job titles and current responsibilities. Not only that, but it’s imperative to ask each business owner why responsibilities are required. And it’s critical that they provide a proper justification. It’s a tall order but absolutely necessary to confidently move forward with defining user groups and least privileged access.
- Identify processes that can be automated – This is the step everyone gets excited about. After all, who doesn’t love automation? Just don’t try to automate everything in one go. When producing viable, automated workflows that reduce identity risks and increase performance, there are many starting places. They include employee onboarding and offboarding, new access workflows, application requests, account access reviews, and identity risk checks. Try automating in one of these areas based on where you’re most mature today.
Level 3: Defined Identity
Organizations at this stage have full visibility into their current ecosystems of employees, customers, contractors and connected devices. Identity policies have been updated to reflect these ecosystems, making it easy to execute and document access changes. Level 3 organizations are focused on implementing identity controls that align to business goals.
Benefits of defined identity:
- Receive buy-in from C-suite and board on new technology investments.
- Meet audit requirements, even if requirements become more stringent.
- Manage access across environments, including cloud environments, from a centralized location.
- Eliminate risk of terminated employees retaining unauthorized access.
- Quickly execute access changes thanks to defined user groups.
Moving past Level 3
By taking the following steps, organizations can move from defined identity (Level 3) to managed identity (Level 4).
- Define your identity vision – At this point, you’ve gained a better understanding of some of the major capabilities around the identity tool of your choosing. Now you’ll want to lay out your identity vision. Ask yourself: How do you see the busines and your security organization growing in the next few years? How do you want to automate reports? What are the major insights you want into current and future identities to reduce business risk?
- Define your identity architecture – During the design of your identity architecture, you should keep future goals in mind. Your design should reduce vulnerabilities, so that you can confidently take on new risk such as acquisitions, divestitures and mergers. These business amendments can amplify risk, such as data loss, outages, information disclosure and failure to achieve return on investment.
- Establish identity program management – It’s important to look at the security of the organization as a program. Yes, IT will drive the day-to-day grunt work, but you will also need to make sure you keep business leaders involved. Main components of effective identity program management include company awareness programs, creating policies related to multi-factor authentication, routine access audits and establishing security baselines. Ownership must lie within your identity team, not your organization’s project management office.
- Think through user experience – At the end of the year in school, the major test was finals. For IT professionals, we like to call the final test user experience. It’s important to set aside time to lay out how users will access their data. When doing so, you’ll want to think how user engagement plays out with lifecycle management, network access controls, single sign-on and multi-factor authentication.
Level 4: Managed Identity
Organizations at this stage have a full picture of the employees, customers, contractors and connected devices within their environments. They know how these entities are behaving and can predictively model that behavior. Level 4 organizations have automated approximately 50 percent of their identity operations.
Benefits of managed identity:
- Know when brute force attacks are happening.
- Defend against variants of brute force attacks like password spraying.
- Examine the entire kill chain to identity accounts that have been compromised in the wild.
- Spot anomalous access through predictive modeling and automation.
Moving past Level 4
By taking the following steps, organizations can move from managed identity (Level 4) to optimized identity (Level 5).
- Define and audit identity policies and procedures – This is key to successful identity lifecycle and governance. Clearly document policies and procedures related every aspect of a user’s lifecycle, including joiner, mover and leaver phases. Once in place, make sure periodic audits are performed in every department of the organization. Audits will help you identity users with inappropriate access, terminated users who no longer require access and instances in which users have access that violates segregation of duties.
- Actively involve key stakeholders in your identity program – Remember that identity is a user-centric capability, touching people, processes and technology. As such, it’s important to get buy-in early from multiple stakeholders. Consider establishing an identity governance council made up of those responsible for creating identity policies as well business unit leaders. The council should be broad and visible enough to exert authority throughout the organization. This will help establish policies that mitigate pressing business risks.
- Actualize your identity performance targets – Once you’ve set the right identity policies and procedures, how do you measure your success? To determine if your identity efforts are adding value, establish key performance indicators. Some good places to start include measuring the number of violations of critical identity policies, policy utilization, the number of policy exceptions, and the relevance or removal of exceptions. This also will help you refine policies and procedures as the business changes.
- Align your identity architecture to your enterprise architecture – Enterprise architecture (EA) offers a comprehensive view of an organization, its mission, strategic vision, and supporting business processes, data and technology. Aligning your identity architecture with your organization’s EA breeds an analytical approach to assessing and improving the enterprise’s identity risk posture. It also ensures your identity efforts are reducing technical and governance debt, as well as furthering your organization’s technological vision.
Level 5: Optimized Identity
Organizations at this stage are continuously monitoring the performance of identity controls. They are focused on delivering transformational value to the organization and can adapt identity programs to meet changing business requirements. Level 5 organizations have automated approximately 85 percent of their identity operations.
Benefits of optimized identity:
- Lowered risk managements costs.
- Comprehensive, seamless identity protection and governance.
- Visibility into all separation of duties, including preprovisioning risk simulations across applications.
- Streamlined governance, access, review and emergency access management processes.
- Reduced audit deficiencies and compliance violations.
- Ability to demonstrate the positive business impact of identity investment.
Maintaining Level 5
By taking the following steps, organizations can maintain optimized identity (Level 5).
- Grow automation capabilities – Automated solutions that govern the ownership of policies and controls can give you needed audit documentation. With automated tools that continuously monitor for anomalous access requests or use, you can prove continuous assurance over your program. They can also scale and streamline access-related operations such as on-off boarding, reviews and entitlement management. Strong automation capabilities also make it possible to reap these benefits across complex multicloud environments.
- Minimize business disruption – Most identity projects fail due to lack of user acceptance. Because identity modernization cuts across a wide variety of enterprise stakeholders, it’s critical to ensure a consistent and seamless end-user experience, whether for your employees, customers or contractors. Make sure users feel a sense of ownership as new solutions are deployed. This can be accomplished by working with your organization’s communications team to push out helpful emails, videos and virtual training.
- Reduce complexity – Reduce the need for high operational oversight while still having clear visibility into usage patterns by considering SaaS solutions. SaaS solutions take less time to deploy and maintain and can reduce infrastructure and infrastructure as a service costs. Rapidly available patches and updates make it easier to remediate known vulnerabilities. Organizations also benefit from outsourcing application risks in addition to not having to worry about hardware failures or capacity issues.
- Maximize return on investment – There’s substantial financial benefit to reduced skill, training and support requirements related to managing onboarding. Time savings for identity access administrators can translate into millions in savings over time. Make sure to track administrators’ onboarding times to demonstrate the true cost savings of investments in identity.
The path to identity maturity
Ecosystems of employees, customers, contractors and connected devices will continue to expand as organizations pursue digital transformation. Do you have an identity strategy that can keep up?
It’s okay if the answer is no — few organizations can say they do. It’s also okay if you haven’t documented an identity strategy or if you’re operating from one that doesn’t align to your business’ current goals. What’s not okay is to ignore the question entirely. If you don’t begin to mature identity now, it will be exponentially harder to do so in the coming years as more identities and levels of access are needed for your business to grow.
We encourage you to share our Identity Mature Model with your employees and peers. Assess where you stand today and review the steps you can take to level up. Don’t try to tackle everything at once. Start slow, focus on a few key areas and begin the path to identity maturity.