Managing Complexity in Identity & Access Management

Sponsored by RSA Aveksa. Independently conducted by Ponemon Institute LLC.
Publication date: August 2013. Ponemon Institute Research Report.

Part 1. Executive Summary

When employees, temporary employees, contractors and partners have inappropriate access rights to information resources (that is, access that violates security policies and regulations, or that is far more expansive than their current jobs require), companies are subject to serious compliance, business and security risks. Unfortunately, for many organizations the process of ensuring appropriate access to information resources is very complex.

Ideally, the appropriate assignment of access rights ensures that users of information resources (which include applications, files and data) have no more or fewer rights to specific information resources than needed to do their particular job function within the organization. It also helps ensure that end users' right to use or view business information resources does not violate compliance regulations as required by financial controls legislation, various data protection and privacy regulations, and industry mandates.[1]

The overall objective of this study, conducted by Ponemon Institute and sponsored by Aveksa, is to determine how well organizations are managing complexity. To do this, we focused on questions about their current identity and access management (IAM) processes, the effectiveness of those processes and the factors that contribute to complexity. The following are key findings from this research.

Changing access rights is a lengthy and burdensome process. Seventy percent do not believe, or are uncertain, that their organization typically fulfills access changes in response to new employees, transfers to a new role or terminated employees in a timely manner, such as within one day. Only one-third of respondents say that access requests are immediately checked against security policies before access is approved and assigned.

Strict enforcement of IAM policies is seen as lacking. Fifty-three percent of respondents see the need for stricter enforcement.

Better investments in IAM technologies are needed. Fifty-three percent say their organizations don't make appropriate investments in technologies that manage and govern end-user access to information resources.

The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are the cost of users' idle time and lost productivity, lost revenue or income, and the cost of technical support, including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million.

Access rights are difficult to manage. Sixty-two percent of respondents believe their organization's IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources (such as applications, databases, networks, servers, hosts and file shares) that require the assignment of user access rights. Access requests total on average 1,200 each month. These requests include requests for new access, changes to existing access rights and revocation of access due to termination.

Why IAM processes are complex. In addition to the number of information resources requiring assignment of user access rights and the volume of requests for access rights, organizational changes contribute to complexity. These range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control.

[1] For example, Sarbanes-Oxley, Euro-SOX, CA 52-313, MAR, GLBA, PCI, HIPAA/HITECH, PIPEDA, MA CMR17, EU Data Protection Directive, Basel II, Solvency II, FFIEC, FERC/NERC, FISMA and others.

Ponemon Institute Research Report Page 1

Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, among those not currently using IAM to manage access to unstructured data, most have no plans to do so in the future.

Organizations lack visibility into what end users are doing. Do organizations have adequate knowledge of and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. The biggest reason is that they cannot create a unified view of user access across the enterprise.

Certain situations reduce IAM effectiveness. IAM processes are most often affected by the availability of automated IAM technologies, the adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications.

What is your organization's level of complexity? In this research, respondents were asked to rate the level of IAM complexity and effectiveness in their organizations. In the context of this research, complexity often reflects the size of the organization, the number of access requests, the growth of unstructured data, higher rates of cloud usage and the number of information resources that require the assignment of user access rights. No organization can avoid complexity. The goal in managing complexity is to have the right mix of people, processes and technologies in place to manage it appropriately and minimize compliance and business risks. Our analysis also shows that respondents who believe their organizations are effective in their IAM processes also have lower complexity.

Following are the characteristics of companies experiencing a low, medium and high level of complexity in their IAM processes. Based on these descriptions, it seems that a medium level of complexity is the best approach to IAM.

A low level of complexity. These companies tend to have a smaller headcount and are more likely to use manual or homegrown access certification systems.

A low to medium level of complexity. These companies are better able to estimate the annual cost of IAM systems and/or processes and know the total number of orphan accounts. Again, the headcount size can keep complexity to a lower level.

A medium level of complexity. These companies are better able to know the number of potential high-risk users, are more likely to use IAM systems or processes to manage and regulate access requests to unstructured data assets, have well-defined policies and procedures relating to access governance across the enterprise, and are more likely to assign IAM accountability to business unit management (LOBs).

A high level of complexity. These companies are more likely to define their organization's access governance process as a set of disconnected or disjointed activities, assign IAM accountability to the IT organization (CIO), and have a higher number of access requests and a higher rate of cloud usage for critical business applications.

Part 2. Key Findings

We surveyed 678 experienced US IT and IT security practitioners. To ensure knowledgeable responses, all respondents have a role in providing end users access to information resources in their organizations. These roles include responding to access requests, supporting the delivery of access, supporting the enforcement of access policies, reviewing and certifying access compliance, and installing technologies related to access rights management.

In this section, we provide an analysis of the key findings according to the following themes:
- Perceptions about the state of IAM practices
- State of IAM practices
- Complexity in managing IAM processes
- Cloud computing usage and complexity
- The relationship between complexity and effective IAM processes

Perceptions about the state of IAM practices

The majority of respondents believe their organization's IAM processes are not very successful or effective. Figure 1 presents the findings on perceptions, ranging from strongly agree to unsure, about the following IAM practices.

Timeliness of access changes. Seventy percent do not agree, or are unsure, that their organization typically fulfills access changes in response to new employees, transfers to a new role or terminated employees in a timely manner, such as within one day.

Verification of access requests against security policies. Two-thirds of respondents say that access requests are not immediately checked against security policies before the access is approved and assigned, or are unsure.

Strict enforcement of IAM policies. Fifty-three percent say that IAM policies are not in place and strictly enforced, or are unsure. However, 47 percent agree their current policies are effective.

Investment in IAM technologies. Fifty-three percent of respondents say their organizations do not make appropriate investments in technologies that manage and govern end-user access to information resources, or they are unsure.

Figure 1. Perceptions about IAM practices
Percent of respondents: strongly agree / agree / disagree / strongly disagree / unsure
Investments in technologies are made that manage and govern end-user access to information resources: 22% / 25% / 23% / 16% / 14%
Identity & access management policies are in place and are strictly enforced: 21% / 26% / 21% / 16% / 16%
Access requests are immediately checked against security policies before access is approved and assigned: 14% / 19% / 25% / 23% / 19%
Access changes are typically fulfilled within one business day: 11% / 19% / 22% / 18% / 30%

State of IAM practices

Business unit managers assign access rights. Business unit managers are most involved in determining access to sensitive and confidential information, according to Figure 2. This function is followed by information technology operations. The IT security function is rarely involved.

Figure 2. Responsibility for granting end-user access rights (two responses permitted)
Business unit managers: 63%
Information technology operations: 55%
Compliance department: 30%
Human resource department and application owners: 21% and 17% (the extracted chart does not show which value belongs to which)
Information security department: value not recoverable from the extracted chart
Unsure: 4%

Delegating the assignment of access rights to business units that do not control IAM policies explains why the process for assigning access to information resources is not well coordinated. As shown in Figure 3, the most common arrangement is multiple disconnected processes across the organization. Most organizations do not have well-defined policies that are controlled by business unit management (only 10 percent of respondents). Without such control, changes are often not validated to confirm they were performed properly, according to 41 percent of respondents; 5 percent are unsure.

Figure 3. Process for granting end-user access rights (one response permitted)
Multiple disconnected processes across the organization: 43%
Determined by well-defined policies that are centrally controlled by corporate IT: 20%
An ad hoc process, or a hybrid process that includes IT and business unit management: 12% and 11% (the extracted chart does not show which value belongs to which)
Determined by well-defined policies that are controlled by business unit management: 10%
Unsure: 4%

To certify user access to information resources, organizations use homegrown access certification systems, followed by manual processes and commercial off-the-shelf automated solutions, according to Figure 4.

Figure 4. Processes to certify user access to information resources (two responses permitted)
Homegrown access certification systems: 65%
Manual process: 53%
Commercial off-the-shelf automated solutions: 45%
IT help desk: 30%
Unsure: 5%
Other: 2%

Figure 5 shows that manually based identity and access controls, followed by technology-based identity and access controls, are the methods most used to detect the sharing of system administration or root-level access rights by privileged users.

Figure 5. Detection of how privileged users are sharing root-level access rights (one response permitted)
Manually based identity and access controls: 39%
Technology-based identity and access controls: 21%
Access to sensitive or confidential information is not really controlled: 18%
We are unable to detect this: value not recoverable from the extracted chart
A combination of technology and manually based identity and access controls: 9%
Unsure: 3%

The complexity of IAM processes

The effects of IAM failure can be costly. Respondents report that the three biggest costs caused by the failure of IAM to prevent unauthorized access are the cost of users' idle time and lost productivity, lost revenue or income, and the cost of technical support, including forensics and investigative operations. They estimate that on average the total potential cost exposure that could result from all IAM failures over the course of one year is approximately $105 million. The following findings reveal the challenges organizations face in overcoming complexity and achieving effectiveness.

Access rights are difficult to manage. Sixty-two percent of respondents believe their organization's IAM activities are overly complex and difficult to manage. On average, organizations have more than 300 information resources (such as applications, databases, networks, servers, hosts and file shares) that require the assignment of user access rights. Access requests total on average 1,200 each month. These requests include requests for new access, changes to existing access rights and revocation of access due to termination.

Figure 6 reports how respondents rated the complexity of their organization's IAM processes on a scale of 1 (low complexity) to 10 (high complexity). The average rating is about 8. Based on this scale, 74 percent rate their organizations as highly complex.

Figure 6. Complexity of IAM processes (complexity is measured using a 10-point scale)
1 to 6: 26% combined (the extracted chart shows 9% and 7% for two of these three bands; the individual band values are not recoverable)
7 to 8: 31%
9 to 10: 43%

Uncertainty as to how much is spent on IAM. Another indication of the complexity of IAM is that most respondents do not know what their organizations spend on IAM systems and processes (Figure 7). According to the findings, respondents estimate that on average companies spent $3.5 million on IAM in the past 12 months.

Figure 7. Do you know what your organization spends on IAM systems and processes?
Yes: 43%
No: 44%
Unsure: 13%

Why are IAM processes complex? In addition to the number of information resources requiring assignment of user access rights and the volume of requests for access rights, organizational changes contribute to complexity. These range from the use of cloud applications and BYOD to the growth of unstructured data that is difficult to control. Figure 8 shows which factors are making the job of managing IAM increasingly difficult.

Figure 8. Factors that complicate IAM practices (very significant and significant responses; each row gives the two bars in chart legend order, very significant / significant, and their total)
Rapid growth of unstructured data: 45% / 46% (91%)
Expanded use of mobile devices: 44% / 45% (89%)
Expanded regulatory and compliance requirements: 32% / 36% (68%)
Access to cloud-based applications and data: 33% / 34% (67%)

Growth of unstructured data is a problem ignored. Less than half of respondents (48 percent) say they use IAM to manage access to unstructured data, despite their belief that the growth of this type of data is making the process of managing access rights more complex. Moreover, among those not currently using IAM to manage access to unstructured data, most have no plans to do so in the future.

Organizations lack visibility into what end users are doing. Do organizations have adequate knowledge of and visibility into end-user access? Fifty-six percent of respondents are either not confident or unsure that they can ascertain that user access is compliant with policies. As shown in Figure 9, the biggest reason is that they cannot create a unified view of user access across the enterprise.

Figure 9. Why organizations lack visibility into end-user access (only one response permitted)
Can't create a unified view of user access across the enterprise: 51%
Can't keep up with the changes occurring to our organization's information resources: 20%
Can't apply controls that span across information resources: 20%
Visibility only into user account information but not entitlement information: 9%

The number of orphan accounts and high-risk users is often invisible to IAM. There are other indicators of uncertainty about the state of IAM. Specifically, respondents admit that they do not know, or are unsure of, the number of orphan accounts in their organization (60 percent of respondents). Those who are able to estimate the percentage put it at almost one-third of all accounts within the organization. Forty-three percent do not know the percentage of high-risk users and 8 percent are unsure. Accordingly, less than half of respondents (49 percent) know the percentage of all users who would be considered high-risk, and they estimate it to be 25 percent of all users.

Certain situations reduce IAM effectiveness. As shown in Figure 10, IAM processes are most often affected by the availability of automated IAM technologies, the adoption of cloud-based applications and the constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners.

Figure 10. Effect on IAM processes (very significant and significant responses; each row gives the two bars in chart legend order, very significant / significant, and their total)
Adoption of cloud-based applications: 33% / 42% (75%)
Availability of automated IAM technologies: 38% / 29% (67%)
Constant turnover of temporary employees, contractors, consultants and partners; and constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing: the extracted chart shows 23%, 23%, 28% and 25% for these two rows, but not which values belong to which row

The situations just described explain the complexity in delivering access to end users. The problems created by complexity are shown in Figure 11. Specifically, it takes too long to deliver access, the process is burdensome and it is hard to keep pace with access change requests.

Figure 11. Key problems in delivering access to end users (three responses permitted)
Items, in the order shown in the chart:
Takes too long to deliver access to users
Burdensome process for business users requesting access
Cannot keep pace with the number of access change requests
Lack of a consistent approval process for access and a way to handle exceptions
Too expensive
Can't apply access policy controls at point of change request
Difficult to audit and validate access changes
Too much staff required
No common language exists for how access is requested
Delivery of access to users is staggered
Other: 0%
The extracted chart shows values of 55%, 50%, 47%, 40%, 31%, 21%, 18%, 16% and 12%; beyond the ranking given in the text, their assignment to the rows above is not recoverable.

Cloud computing usage and IAM complexity

Access to sensitive data in the cloud is a concern. The majority of organizations are using SaaS applications to support key business processes. Despite the popularity of these applications, most respondents (78 percent) have some level of concern about end-user access to sensitive data in these applications, as shown in Figure 12.

Figure 12. Concern about using cloud-based SaaS applications for key business processes
Yes, very concerned / Yes, concerned / Yes, somewhat concerned: 31%, 29% and 18% (78% combined; the extracted chart does not show which value belongs to which response)
No, not concerned: 22%

The primary obstacles to using a pure cloud-based SaaS IAM solution are shown in Figure 13. The main barriers are the ability to control access to sensitive application data (76 percent) and the ability to measure security risk (65 percent). Only 8 percent of respondents do not see any obstacles to adoption.

Figure 13. Obstacles to adopting a SaaS IAM solution (more than one response permitted)
Ability to control access to sensitive application data: 76%
Ability to measure security risk: 65%
Ability to transfer data from on-premise (legacy) systems to the cloud, and availability of a SaaS solution: 48% and 47% (the extracted chart does not show which value belongs to which)
Ability to obtain approvals from IT and IT security functions: 20%
None: 8%
Other: 3%

Significant cross-tabulations on IAM complexity

Respondents were asked to rate their organizations in terms of (1) the complexity of IAM operations and (2) the effectiveness of IAM systems and controls. Both complexity and effectiveness are measured using a 10-point scale from low (1) to high (10), with a median at 5.5. The distribution of responses shown in Figure 14 allows us to compute overall average values for both variables. The average complexity rating is above the median at 7.8, while the average effectiveness rating is below the median at 4.0.

Figure 14 reveals that the majority of respondents believe their IAM processes are very complex: 74 percent rate the level of complexity above the median. Respondents also do not believe their IAM processes are very effective. Again, the majority (55 percent) of respondents rate effectiveness below the median of 4.0.

Figure 14. Respondents' ratings of IAM complexity and effectiveness (both measured using a 10-point scale)
Level of IAM complexity: 7 to 8: 31%; 9 to 10: 43%; 1 to 6: 26% combined (individual band values are not recoverable from the extracted chart)
Level of IAM effectiveness: 41%, 28%, 15%, 11% and 5% across the five bands (1 to 2, 3 to 4, 5 to 6, 7 to 8, 9 to 10); the extracted chart does not show which value belongs to which band

Figure 15 shows the average effectiveness rating according to five ascending complexity levels. We see an inverted U-shaped relationship: organizations reporting the lowest effectiveness level (3.12) also have the lowest level of complexity, while organizations at the highest level of effectiveness (5.53) are in the middle range of the 10-point complexity scale. This pattern suggests complexity has a negative impact on the deployment of IAM, but only for highly effective users.

Figure 15. Interrelationship between IAM complexity and effectiveness (both measured using a 10-point scale)
Level of IAM complexity -> average level of IAM effectiveness
1 to 2: 3.12
3 to 4: 4.29
5 to 6: 5.53
7 to 8: 3.94
9 to 10: 3.84

Figure 16 shows the average complexity rating according to six ascending headcount (size) levels. As can be seen, there is a positive relationship between organizational size and IAM complexity. Organizations with fewer than 500 employees report the lowest average complexity level at 6.52. Organizations with headcount above 25,000 and up to 75,000 employees have the highest level of complexity at 9.23.

Figure 16. Interrelationship between IAM complexity and organizational headcount (size) (complexity is measured using a 10-point scale)
Headcount -> average level of IAM complexity
Less than 500: 6.52
500 to 1,000: 7.75
1,001 to 5,000: 7.78
5,001 to 25,000: 8.58
25,001 to 75,000: 9.23

Part 3. Conclusion: Managing complexity and achieving effectiveness

Our findings suggest that IT staffs cannot keep up with the constant change to information resources, regulations and user access requirements. Many organizations are facing significant information risks because the process of delivering access is lengthy and burdensome and access rights are not current. In addition, the approaches to access management tend to be ad hoc or inconsistent and contribute to ineffectiveness. The following are suggestions for overcoming complexity and reducing IAM failures.

Implement a well-managed, enterprise-wide access governance process that keeps employees, temporary employees and contractors from having too much access to information assets. At the same time, do not hinder individuals' access to information resources critical to their productivity. To do this, organizations must understand what role-based access individuals need. Further, changes to users' roles must be managed to ensure they have current and correct access rights.

Create well-defined business policies for the assignment of access rights. These policies should be centrally controlled to ensure they are enforced in a consistent fashion across the enterprise. They also should encourage collaboration among different internal groups.

Track and measure the ability to enforce user access policies. This includes measuring the effectiveness of processes to manage changes to users' roles; revoking access rights upon an individual's termination; monitoring access rights of privileged users' accounts; and monitoring segregation of duties.

Ensure that accountability for access rights is assigned to the business unit that has domain knowledge of the user's role and responsibility.

Become proactive in managing access rights. Instead of making decisions on an ad hoc basis based on decentralized procedures, build a process that enables the organization to have continuous visibility into all user access across all information resources and entitlements to those resources. Technologies that automate access authorization, review and certification will limit the risk of human error and negligence.

Bridge the language gap between IT staff and business managers to encourage a common understanding of how to express access rights and entitlements. This is especially important for the access request and access certification processes, in which gaps can cause unnecessary delays in access delivery or allow inappropriate access.

Pursue extending controls over access to all information resources, similar to those required under regulations (SOX, PCI, etc.). This entails organizations broadening their view of risk management beyond compliance with specific regulations. Organizations need to go beyond the minimum requirements for compliance and think about risk in the broadest terms with the widest coverage. This is especially true because the loss of corporate IP is typically not covered under regulations or industry mandates.

Extend the organizational access governance framework beyond the firewall to cloud computing and other IT outsourcing/software-as-a-service (SaaS) providers.
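The conclusion asks organizations to track revocation on termination, privileged and orphan accounts, and segregation of duties. The following Python example is added here and is not part of the Ponemon report; it computes those three governance metrics from an HR roster and an entitlement export, using constructed sample records and a hypothetical SOD_RULES set.

```python
"""Access-governance checks: orphan accounts, stale access after
termination, and segregation-of-duties (SoD) conflicts.
Added example; all records below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                        # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: Optional[str]            # None when the system records no owner
    enabled: bool
    entitlements: frozenset[str]


# Hypothetical toxic combinations: holding both halves lets one person
# complete a sensitive transaction without a second pair of eyes.
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"user.create", "user.approve"}),
}


def orphan_accounts(accounts, people):
    """Enabled accounts whose owner is missing or unknown to HR."""
    known = {p.person_id for p in people}
    return sorted(a.account_id for a in accounts
                  if a.enabled and (a.owner_id is None or a.owner_id not in known))


def stale_after_termination(accounts, people, as_of, sla_days=1):
    """Enabled accounts whose owner was terminated more than sla_days ago."""
    gone = {p.person_id: p.terminated_on for p in people if p.status == "terminated"}
    return sorted(a.account_id for a in accounts
                  if a.enabled and a.owner_id in gone
                  and (as_of - gone[a.owner_id]).days > sla_days)


def sod_violations(accounts):
    """Union each owner's entitlements across all accounts, then test SOD_RULES."""
    held: dict[str, set[str]] = {}
    for a in accounts:
        if a.enabled and a.owner_id:
            held.setdefault(a.owner_id, set()).update(a.entitlements)
    return sorted((owner, tuple(sorted(rule)))
                  for owner, ents in held.items()
                  for rule in SOD_RULES if rule <= ents)


def governance_metrics(accounts, people, as_of):
    """Orphan share of enabled accounts plus the two violation lists."""
    enabled = [a for a in accounts if a.enabled]
    orphans = orphan_accounts(accounts, people)
    return {"orphan_pct": round(100 * len(orphans) / len(enabled), 1) if enabled else 0.0,
            "stale_terminated": stale_after_termination(accounts, people, as_of),
            "sod_violations": sod_violations(accounts)}


# Constructed sample data: "dave" is not in HR, "bob" left on 1 June.
PEOPLE = [Person("alice", "active"), Person("carol", "active"),
          Person("bob", "terminated", date(2013, 6, 1))]
ACCOUNTS = [
    Account("erp-alice", "alice", True, frozenset({"vendor.create", "payment.approve"})),
    Account("ad-bob", "bob", True, frozenset({"mail"})),
    Account("svc-backup", None, True, frozenset({"backup.run"})),
    Account("db-old", "dave", True, frozenset({"db.read"})),
    Account("ad-carol", "carol", True, frozenset({"user.create"})),
    Account("erp-carol", "carol", True, frozenset({"user.approve"})),
]
AS_OF = date(2013, 6, 30)
```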

Part 4. Methods

A random sampling frame of 19,005 experienced US IT and IT security practitioners located in all regions of the United States were selected as participants in this survey. All respondents have a role in providing end-users access to information resources in their organizations. As shown in Table 1, 753 respondents completed the survey. Screening and reliability checks removed 75 surveys. The final sample was 678 surveys (or a 3.6 percent response rate).

Table 1. Sample response
                                   Freq     Pct
Sampling frame                     19,005   100%
Total returns                      753      4.0%
Rejected and screened surveys      75       0.4%
Final sample                       678      3.6%

Pie Chart 1 reports the respondent's organizational level within participating organizations. By design, 55 percent of respondents are at or above the supervisory levels.

Pie Chart 1. Current position within the organization
C-level 3%, SVP/VP 3%, Director 14%, Manager 20%, Supervisor 15%, Technician 31%, Architect 8%, Staff 2%, Contractor 3%, Other 2%.

Pie Chart 2 reports the industry segments of respondents' organizations. This chart identifies financial services (16 percent) as the largest segment, followed by government (13 percent) and healthcare and retail, both at 10 percent.

Pie Chart 2. Industry distribution of respondents' organizations
Financial services 16%, Government 13%, Healthcare 10%, Retail 10%, Services 7%, Consumer products 6%, Manufacturing 6%, Technology 6%, Pharmaceuticals 4%, Energy & utilities 3%, Telecom 3%, Insurance 2%, Education & research 2%, Entertainment & media 2%, Hospitality 2%, Transportation 2%, Other 4%.

As shown in Pie Chart 3, 58 percent of respondents are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 3. Worldwide headcount of the organization
Less than 500 18%, 500 to 1,000 24%, 1,001 to 5,000 29%, 5,001 to 25,000 17%, 25,001 to 75,000 8%, More than 75,000 4%.

Part 5. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All 678 survey responses were captured in June 2013.

Sample response                    Freq     Pct
Sampling frame                     19,005   100%
Total returns                      753      4.0%
Rejected and screened surveys      75       0.4%
Final sample                       678      3.6%

Part 1. Screening

S1. What best describes your role in providing end-users access to information resources in your organization? Please check all that apply.
Respond to access requests                                          56%
Support the delivery of access                                      37%
Support the enforcement of access policies                          61%
Responsible for review and certification of access compliance       36%
Install technologies relating to access rights management           39%
Other (please describe)                                              2%
None of the above (stop)                                             0%
Total                                                               231%

Part 2. Attributions. Please rate Q1a to Q1d using the scale provided below each statement.
                                                                    Strongly agree   Agree
Q1a. Identity & access management policies are in-place and are strictly enforced in my organization.                                                    21%   26%
Q1b. My organization's identity & access management activities are overly complex and difficult to manage.                                              29%   33%
Q1c. My organization makes appropriate investments in technologies that manage and govern end-user access to information resources.                    22%   25%
Q1d. My organization typically fulfills access changes (i.e. new employees, transfers to a new role, terminated employees, etc.) within one business day.   11%   19%
Q1e. In my organization, access requests are immediately checked against security policies before the access is approved and assigned.                 14%   19%

Part 3. Complexity of identity & access management practices

Q2. Please rate your organization's identity & access management processes in terms of its level of complexity, where 1 = low complexity to 10 = high complexity.
1 to 2       9%
3 to 4       7%
5 to 6       [value missing]
7 to 8      31%
9 to 10     43%

How do the following factors contribute to the complexity of identity & access management practices within your organization? (Scale: very significant impact to no impact.)
                                                             Very significant   Significant
Q3a. Access to cloud-based applications and data                   33%              34%
Q3b. Expanded use of mobile devices (including BYOD)               44%              45%
Q3c. Expanded regulatory and compliance requirements               32%              36%
Q3d. Rapid growth of unstructured data                             45%              46%

Q4. Approximately how many information resources (applications, databases, networks, servers, hosts, file shares) within your organization require the assignment of user access rights?
Less than 5                  1%
Between 5 and 25             3%
Between 26 and 50           23%
Between 51 and 100          36%
Between 101 and 1,000       25%
More than 1,000             12%

Q5. On a monthly basis, how many access requests are made (i.e. requesting new access, changes to existing access rights or revocation of access due to termination)?
Less than 50                 1%
Between 51 and 200          15%
Between 201 and 500         32%
Between 501 and 1,000       28%
Between 1,001 and 5,000     19%
More than 5,000              5%

Q6a. Do you know the total annual costs of IAM systems and/or processes incurred by your organization?
Yes       43%
No        44%
Unsure    13%

Q6b. Please estimate the total cost of IAM incurred by your organization over the past 12 months. Please include all costs, including licensing and maintenance fees, personnel costs, software solutions and other tools.
Zero                                 0%
Less than $10,000                    2%
$10,001 to $100,000                  3%
$100,001 to $250,000                17%
$250,001 to $500,000                31%
$500,001 to $1,000,000              22%
$1,000,001 to $5,000,000            12%
$5,000,001 to $10,000,000            6%
$10,000,001 to $25,000,000           5%
$25,000,001 to $50,000,000           1%
$50,000,001 to $100,000,000          0%
More than $100,000,000               1%

Q7a. Do you know the number of orphan accounts within your organization today?
Yes       40%
No        54%
Unsure     6%

Q7b. If yes, please estimate the percentage of orphan accounts relative to total (all) accounts within your organization.
Less than 1%          0%
1% to 5%              3%
6% to 8%              [value missing]
11% to 20%           11%
21% to 30%           13%
31% to 40%           25%
41% to 50%           19%
More than 50%        11%
Cannot determine      [value missing]

Q8a. Do you know the number or percentage of high-risk users?
Yes       49%
No        43%
Unsure     8%

Q8b. If yes, please estimate the percentage of high-risk users relative to all users within your organization.
Less than 1%          0%
1% to 5%              6%
6% to 8%              [value missing]
11% to 20%           20%
21% to 30%           22%
31% to 40%           24%
41% to 50%            9%
More than 50%         2%
Cannot determine      9%

Q9. Please rate the relative success or effectiveness of your organization's IAM processes, where 1 = not effective to 10 = very effective.
1 to 2      15%
3 to 4      41%
5 to 6      28%
7 to 8      11%
9 to 10      5%

Q10. Do you presently use IAM to manage access to unstructured data?
Yes       48%
No        43%
Unsure     9%

Q11. If no, do you plan to use IAM to understand apps and unstructured data?
Yes, within the next 12 months     19%
Yes, more than 12 months           13%
Yes, within 24 months              11%
Yes, more than 24 months            3%
No                                 54%

Q12. What IT infrastructure do you want your organization's IAM to support?
IT security management (ITSM)                                 83%
Security information and event management (SIEM)              61%
Network & traffic intelligence                                55%
Data loss prevention (DLP)                                    55%
Intrusion prevention (IPS) & detection (IDS) systems          40%
Governance, risk management and compliance (GRC) tools        44%
Other (please specify)                                         4%
Total                                                        342%

Q13. What best describes the process for assigning access to information resources in your organization today? Please select one best choice.
An ad hoc process                                                                          12%
Determined by well-defined policies that are centrally controlled by corporate IT          20%
Determined by well-defined policies that are controlled by business unit management        [value missing]
A hybrid process that includes IT and business unit management                             11%
Multiple disconnected processes across the organization                                    43%
Unsure                                                                                      4%

Q14. Who is responsible for making the decision to grant an end-user access to information resources? Please select the top two choices.
Information technology operations      55%
Information security department        [value missing]
Compliance department                  30%
Business unit managers                 63%
Application owners                     17%
Human resource department              21%
Unsure                                  4%
Total                                 200%

Q15. What processes are used for certifying user access to information resources? Please select the top two choices.
Manual process                                      53%
Homegrown access certification systems              65%
Commercial off-the-shelf automated solutions        45%
IT help desk                                        30%
Unsure                                               5%
Other                                                2%
Total                                              200%

Q16. Are changes to access validated to confirm they were performed properly?
Yes, all changes      11%
Yes, most changes     28%
Yes, some changes     15%
No                    41%
Unsure                 5%

Q17. How do you detect the sharing of system administration access rights or root-level access rights by privileged users? Please select only one top choice.
Technology-based identity and access controls                                       21%
Manually-based identity and access controls                                         39%
A combination of technology and manually-based identity and access controls          9%
Access to sensitive or confidential information is not really controlled            18%
Unsure                                                                               3%
We are unable to detect                                                             [value missing]

Q18a. Are you confident your organization can ascertain that user access is compliant with policies?
Yes, very confident     18%
Yes, confident          26%
No, not confident       50%
Unsure                   6%

Q18b. If no, please select one main reason.
We can't create a unified view of user access across the enterprise                                                                              51%
We only have visibility into user account information but not entitlement information                                                             9%
We can't apply controls that span across information resources                                                                                   20%
We can't keep up with the changes occurring to our organization's information resources (on-boarding, off-boarding and outsourcing for management)   20%

Part 4. Cloud computing

Q19. Does your organization use SaaS applications to support key business processes?
Yes       71%
No        25%
Unsure     4%

Q20. Approximately what proportion of your organization's key business applications are SaaS-based?
None                                        5%
Less than (threshold not legible)          31%
11% to 50%                                 32%
51% to 75%                                 [value missing]
76% to 99%                                 11%
All (100%)                                  2%
Cannot determine                            9%

Q21. From an IAM perspective, are you concerned about using cloud-based SaaS applications for key business processes?
Yes, very concerned        31%
Yes, concerned             29%
Yes, somewhat concerned    18%
No, not concerned          22%

Q22. What obstacles, if any, does your organization face if it decided to use a pure cloud-based SaaS IAM solution? Please select all that apply.
Ability to obtain approvals from IT and IT security functions            20%
Ability to measure security risk                                         65%
Ability to control access to sensitive application data                  76%
Ability to transfer data from on-premise (legacy) systems to the cloud   48%
Availability of SaaS solution                                            47%
Other (please specify)                                                    3%
None (no obstacles)                                                       8%
Total                                                                   267%

Part 5. Problems & remedies

Q23. What are the key problems you face in delivering access to end-users within your organization? Please select the top three choices.
Takes too long to deliver access to users (not meeting our SLAs with the business)                               55%
Too expensive                                                                                                    31%
Too much staff required                                                                                          16%
Can't apply access policy controls at point of change request                                                    21%
Delivery of access to users is staggered (not delivered at the same time)                                        [value missing]
Cannot keep pace with the number of access change requests that come in on a regular basis                       47%
Lack of a consistent approval process for access and a way to handle exceptions                                  40%
Difficult to audit and validate access changes                                                                   18%
Burdensome process for business users requesting access                                                          50%
No common language exists for how access is requested that will work for both IT and the business                12%
Other                                                                                                             0%
Total                                                                                                           300%

How will each of the following situations affect your organization's IAM process? Please use the scale provided below each item, from very significant impact to no impact.
                                                                                                           Very significant   Significant
Q24a. Adoption of cloud-based applications                                                                         33%              42%
Q24b. The constant turnover (ebb and flow) of temporary employees, contractors, consultants and partners           23%              28%
Q24c. Availability of automated IAM technologies                                                                   38%              29%
Q24d. Constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing   23%   25%

Part 6. Cost exposure estimation

Q25. Following are six cost categories caused by the failure of IAM to prevent unauthorized access to systems and/or secure places. Please rank each category based on the financial impact to your organization, where 1 = most significant financial impact and 6 = least significant financial impact.
                                                                                      Average rank   Rank order
Cost of technical support including forensics and investigative operations                 3.24           3
Cost of users' idle time and lost productivity because of IAM failure                      1.88           1
Cost resulting from the organization's response to information misuse or theft             4.45           5
Cost associated with legal and regulatory actions                                          5.26           6
Revenues or income lost because of IAM failure                                             2.51           2
Cost associated with reputation and brand damage because of IAM failure                    3.67           4
Average                                                                                    3.50

Q26. Please approximate the total potential cost exposure that could result from all IAM failures over the course of one year.
Less than $1,000,000                  5%
$1,000,001 to $5,000,000              8%
$5,000,001 to $10,000,000             [value missing]
$10,000,001 to $25,000,000           12%
$25,000,001 to $50,000,000           16%
$50,000,001 to $100,000,000          12%
$100,000,001 to $250,000,000         13%
$250,000,001 to $500,000,000         11%
More than $500,000,000                2%
Cannot determine                     11%

Part 7. Your role

D1. What organizational level best describes your current position?
C-level                    3%
SVP/VP                     3%
Director                  14%
Manager                   20%
Supervisor                15%
Technician                31%
Architect                  8%
Staff                      2%
Contractor                 3%
Other (please specify)     2%

D2. What industry best describes your organization's industry focus?
Agriculture & food service     1%
Chemicals                      0%
Consumer products              6%
Defense                        1%
Education & research           2%
Energy & utilities             3%
Entertainment & media          2%
Financial services            16%
Government                    13%
Healthcare                    10%
Hospitality                    2%
Insurance                      2%
Manufacturing                  6%
Medical devices                1%
Non-profit                     1%
Pharmaceuticals                4%
Retail                        10%
Services                       7%
Technology                     6%
Telecom                        3%
Transportation                 2%
Other (please specify)         0%

D3. What is the worldwide headcount of your organization?
Less than 500         18%
500 to 1,000          24%
1,001 to 5,000        29%
5,001 to 25,000       17%
25,001 to 75,000       8%
More than 75,000       4%

Ponemon Institute: Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high-quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization-identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.