Maturity models are the key to improving organizational performance by identifying gaps, setting benchmarks, and establishing priorities—and identity and access management (IAM) is no exception. Increasing your organization’s IAM maturity level means not only understanding your overall position, but also within each tenet of IAM.

Please complete the assessment to evaluate your organization’s maturity within each IAM tenet and receive actionable steps to take your strategy to the next level.

Federation Federation

Please select the option that best describes your organization’s level of Federation maturity.

Multi-Factor Authentication Multi-Factor Authentication

Please select the option that best describes your organization’s level of Multi-Factor Authentication maturity.

Single Sign-On Single Sign-On

Please select the option that best describes your organization’s level of Single Sign-On maturity.

Delegated Administration Delegated Administration

Please select the option that best describes your organization’s level of Delegated Administration maturity.

Identity Lifecycle Management Identity Lifecycle Management

Please select the option that best describes your organization’s level of Identity Lifecycle Management maturity.

Access Management Access Management

Please select the option that best describes your organization’s level of Access Management maturity.

Identity Governance Identity Governance

Please select the option that best describes your organization’s level of Identity Governance maturity.

Your Assessment Results

This report has been made especially for [First Name] at [Company Name] and has been forwarded to your email address as well.

Print

Your IAM maturity score is out of 4

Your organization is early in your identity and access management journey. By focusing on some key areas of IAM, you can help to secure your resources and build a foundation to grow the maturity of your IAM practice. If deciding where to start, focus on identity lifecycle management, followed by federation and single sign-on. With identity lifecycle management at level 3 and the others at level 2 or better, you will have a robust foundation to introduce the other tenants.

Below you will find a radar graph of your results, which provides a visual representation of your place on the IAM maturity model. The ultimate goal is to track along the outer edges of the web for those tenets most important to your organization. Focus on those tenets closest to the center as these are low hanging fruit.

Further down, you’ll find our specific recommendations and resources for each of the seven core tenets.

To receive more insight into your scores, click the Discuss Results button below to schedule time with one of our experts (don’t worry, there’s not another form!) for a complete evaluation and in-depth recommendations on your organization's IAM strategy.

Your organization is early in your identity and access management journey. By focusing on some key areas of IAM, you can help to secure your resources and build a foundation to grow the maturity of your IAM practice. If deciding where to start, focus on identity lifecycle management, followed by federation and single sign-on. With identity lifecycle management at level 3 and the others at level 2 or better, you will have a robust foundation to introduce the other tenants.

Below you will find a radar graph of your results, which provides a visual representation of your place on the IAM maturity model. The ultimate goal is to track along the outer edges of the web for those tenets most important to your organization. Focus on those tenets closest to the center as these are low hanging fruit.

Further down, you’ll find our specific recommendations and resources for each of the seven core tenets.

To receive more insight into your scores, click the Discuss Results button below to schedule time with one of our experts (don’t worry, there’s not another form!) for a complete evaluation and in-depth recommendations on your organization's IAM strategy.

Your organization is moving along the IAM maturity path nicely.  Focus on the areas that are less mature and help to improve the security, usability, and accountability of IAM in your organization. With a score in this range, you have a good foundation that needs a little boost in a few areas to become a strong, comprehensive Identity and Access program with the beginning focus on governance. The next step is to ensure that lifecycle management is fully automated, an entitlement repository exists and access can be reconciled against the repository, and that identity authentication and authorization are a key focus.

Below you will find a radar graph of your results, which provides a visual representation of your place on the IAM maturity model. The ultimate goal is to track along the outer edges of the web for those tenets most important to your organization. Focus on those tenets closest to the center as these are low hanging fruit.

Further down, you’ll find our specific recommendations and resources for each of the seven core tenets.

To receive more insight into your scores, click the Discuss Results button below to schedule time with one of our experts (don’t worry, there’s not another form!) for a complete evaluation and in-depth recommendations on your organization's IAM strategy.

Your organization has embraced a high maturity level in many of the tenants. With a score in this range, you have established a robust foundation for identity and access management, and are focused on ensuring that the identities are being authenticated securely and are authorized to resources as determined by business policies and rules. You have a foundational governance oversight of the entitlements and their associations, role management, and reporting and auditing capability. The next step is to look at the tenants that are not as mature, and determine if moving to the next level makes sense for your organization.

Below you will find a radar graph of your results, which provides a visual representation of your place on the IAM maturity model. The ultimate goal is to track along the outer edges of the web for those tenets most important to your organization. Focus on those tenets closest to the center as these are low hanging fruit.

Further down, you’ll find our specific recommendations and resources for each of the seven core tenets.

To receive more insight into your scores, click the Discuss Results button below to schedule time with one of our experts (don’t worry, there’s not another form!) for a complete evaluation and in-depth recommendations on your organization's IAM strategy.

Your organization has reached the highest level of maturity in most of the tenants of identity and access management. At this score, the focus should be on building artificial intelligence (AI) and machine learning into the tenants and evolving your IAM practice to become focused on evaluating risk-based authentication and authorization in real time using patterns and data. Additionally, the focus on governance is to allow AI to begin to make educated decisions on access certification based on historical patterns and eliminating manual tasks where capable. 

Below you will find a radar graph of your results, which provides a visual representation of your place on the IAM maturity model. The ultimate goal is to track along the outer edges of the web for those tenets most important to your organization. Focus on those tenets closest to the center as these are low hanging fruit.

Further down, you’ll find our specific recommendations and resources for each of the seven core tenets.

To receive more insight into your scores, click the Discuss Results button below to schedule time with one of our experts (don’t worry, there’s not another form!) for a complete evaluation and in-depth recommendations on your organization's IAM strategy.

Get more insight from an IAM Expert

Focus Area Results & Recommended Steps

Based on your assessment, here are your scores for each IAM tenet, along with explanations of each and suggestions for elevating your strategy to the next level. We’ve also provided resources we think you’ll find helpful for expanding your knowledge in each of these areas.

Federation

Federation

A level 0 score indicates that an organization has not implemented any federation capabilities. Focus on implementing an identity provider (IdP) and begin to inventory applications (service providers -- SP) that support the Security Assertion Markup Language (SAML) federation protocol and configure them to federate against your IdP.

A level 1 score indicates a company has deployed an Identity Provider (IDP) and is in the process of integrating it with all services that provide Service Provider capability. The IDP in use supports SAML and likely at least one other federation protocol. For next steps, we recommend taking inventory of your SaaS ecosystem as any disconnected SaaS service results in orphan accounts and backdoor access.

A level 2 score indicates an organization has selected an IDP that supports the multiple federation protocols required for current and future needs. The integration of the different protocols is made seamless to the end user. For next steps, we recommend bringing your MFA strategy to your federation strategy and applying strong, yet readily available, authentication methods to mitigate risks.

A level 3 score indicates an organization recognizes risks associated with federating systems and require MFA for their IDP. Additionally, the organization's Federation strategy is expanded to include Just-In-Time provisioning. For next steps, we recommend a mesh of B2E, B2B, and B2C will result in more Service Providers and Identity Providers alike. Build your strategy to mitigate these additional risks.

A level 4 score indicates an organization must trust 3rd party IDPs as required by their complex mesh of end user communities. Session management becomes paramount. More Service Providers support the concept of virtual users. For next steps, we recommend the biggest barrier to achieving this level of federation is that it largely depends on each Service Provider implementing all the features your organization requires. Be diligent in your SaaS selections.

Resources On This Area

Multi-Factor Authentication

Multi-Factor Authentication

A level 0 score indicates that an organization has not implemented any multi-factor authentication capabilities. Focus on adding an additional method into the authentication process that consists of something a person has (tokens, cards) or something that they are (biometric) to provide a minimum of two factors.

A Level 1 score indicates an organization, at a minimum, provides end users with authentication methods beyond passwords. At least two factors of authentication are in place to protect high risk access. For next steps, we recommend creating risk profiles for your organization’s user types, building a plan to progress to stronger, but readily available, authentication methods, and planning for a move away from the use of passwords for all end-users.

A level 2 score indicates an organization has completely removed the use of passwords in their environments. Authentication policies are flexible and fine grained, providing users with options to not disrupt productivity. For next steps, work to ensure that high-risk users or access is protected with the highest risk mitigating authentication policies, and require even stronger policies based on context, time of day, day of the week, network origin, trusted device, etc.

A level 3 score indicates an organization has protected all high-risk systems and privileged access. Risks are further mitigated by implementing adaptive authentication policies that take into account contextual criteria. For next steps, determine your organization's artificial intelligence (AI) strategy (build vs. buy). If buying, take AI into consideration. Multi-Factor Authentication products provide logs that can be consumed by models, but you should find a Multi-Factor Authentication vendor that provides AI capability out of the box.

A level 4 score indicates an organization is fully vested in implementing contextual authentication policies on all end user devices. Artificial intelligence is used to monitor all login events for anomaly detection. It isn't easy achieving Level 4 on the Multi-Factor Authentication Maturity Model. However, technology is finally at a point where organizations of any type or size can absolutely achieve it.

Resources On This Area

Single Sign-On

Single Sign-On

A level 0 score indicates that an organization has not implemented any single sign-on capabilities. Focus on using directory services to reduce the number of separate credentials that are required by users. When applications cannot be integrated with directory services, use password management applications to allow secure storage of credentials.

A level 1 score indicates an organization has integrated many of their applications via LDAP to reduce the number of credentials an end user needs to remember. Very little in the way of SSO has been implemented. For next steps, organizations should be careful. Implementing RSO is convenient for users, but it puts organizations at higher risk of a breach. Look to technology that increases usability while also decreasing risk.

A level 2 score indicates an organization recognizes the need for SSO, especially for the ever-growing SaaS implementations. Federation should be the primary method for Web SSO, but form fill technologies are also in use to handle exceptions. If all organization-managed web applications are integrated with SSO, then you are in a great place. For next steps, an organization should continue to improve by looking at other risk gaps, like Windows clients and VDI deployments. And always remember, removing passwords reduces risk.

An organization from certain markets, especially healthcare, needs SSO to streamline access to legacy client/server applications. As such, a level 3 indicates the organization invests in VDI to reduce end-point management but still requires SSO. For the next steps toward achieving "Universal SSO", more than just an SSO strategy is required. A solid federation and identity lifecycle management strategy are also needed. Additionally, look for vendors with strong mobile and other native OS options for SSO.

A level 4 score indicates an organization supports SSO on every endpoint including MacOS, iOS, Android, ChromeOS, Linux and Thin Clients. End users are now able to add their own applications with SSO and share them. It is unlikely your organization will achieve Universal SSO for every application or service accessed by your end-users. However, this could become a possibility as SSO products continue to improve, particularly in usability.

Resources On This Area

Delegated Administration

Delegated Administration

A level 0 score indicates that an organization has not implemented any delegated administration capabilities. Focus on allowing users to manage their own profiles and reset their own passwords and on providing the capability for administrators to reset user passwords.

A level 1 score indicates an organization provides self service capabilities to end users to remove the bottleneck of calling Support. Administrators have capability to perform simple delegation tasks such as reset passwords. For next steps, an organization should look to managing accounts for users who aren't documented by Human Resources, which is a struggle for many organizations. Such a tool must be user-friendly for non-technical staff, while also enabling constraints that prevent orphan accounts.

A level 2 score indicates an organization expands on self service capabilities and provide tools that empower business users to manage external user accounts. With the subsequent adoption of identity lifecycle management maturity of level 3+, all self-service and delegation actions now flow through to all connected systems. For next steps, delegation should go beyond resetting passwords. The organization should embrace delegation and implement fine-grained delegation policies. This means granting specific actions to a specific group of users for a specific group of users.

A level 3 score indicates an organization is able to empower end users to assist others based on birthright relationships (e.g. department, project or class). Access is centralized so application owners are empowered to manage application role definition and membership. For next steps, consider this: you are the manager of Accounts Payable. The financials system is maintained by IT. How do you know who has access to AP data right now Organizations can empower business owners with access insights, along with controls to provide and revoke access?

A level 4 score indicates an organization implements governance level 1+ and business owners gain insights into who has access to their systems and how they were granted that access. End users are able to define their own delegation policies. At Level 4, an organization is running at maximum efficiency. Help Desk calls are dramatically reduced. End-user relationships with IT change from "necessary evil" to genuine partnership.

Resources On This Area

Identity Lifecycle Management

Identity Lifecycle Management

A level 0 score indicates that an organization has not implemented any identity lifecycle management capabilities. Focus on using scripting tools to automate directory account creation at a minimum, and generation of bulk import files for other applications.

A level 1 score indicates an organization has accumulated scripts over time focused on basic account creation. Expertise fluctuates with normal turnover putting organization into situations where they have no ability to support what's there. For next steps, management should review their organization's risk of any current homegrown solutions. Organizations can get into a bind when personnel with knowledge of these solutions are no longer employed.

A level 2 score indicates an organization deploys vendor provided tools to manage their accounts. These tools only work for one product, have rigid implementation options and do not provide complete lifecycle management. For next steps, an organization should focus on mitigating the risk of a data breach by ensuring every application or service containing sensitive data is actively managed. Singular vendor tools are not enough. Inventory your systems and assign a risk score to each. This will help prioritize further steps.

A level 3 score indicates an organization takes a centralized, holistic approach to lifecycle management. The logic engine is flexible enough to support the desired business processes. For next steps, work toward handling inbound requests in real-time, which is a must for organizations to keep up. Legacy IAM products are sufficient when working with other legacy systems. However, the future direction of technology, driven by topics, like AI and IoT, requires scale like never before.

A level 4 score indicates an organization employs an API-driven mentality to support organic and M&A growth. Internal and 3rd party developers gain real-time access to identity and other business data. Consumer products, such as Zapier, show how to integrate disparate systems without being a developer. Bringing this level of simplicity to complex business flows is no small task. Only products that enable vendors to manage integrations will suffice.

Resources On This Area

Access Management

Access Management

A level 0 score indicates that an organization has not implemented any access management capabilities. Moving to level 1 requires that a robust engine for identity lifecycle management is in place and that a basic level of governance with an inventory of entitlements exists. Focus on automating birthright access using attribute-based access controls and assigning identities to roles statically and dynamically.

A level 1 score indicates an organization has implemented a level of identity lifecycle management (ILM) to support birthright access management. Access management is based on Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). For next steps, an organization can fully automate birthright access with ILM, but organizations need approvals and certification to handle exceptions. Take steps to protect your organization by not allowing privileged access 24/7.

A level 2 score indicates an organization uses workflow to handle exceptional access requests. Individuals can request elevated privileges only for the time necessary. For next steps, take inventory of system level privileged accounts. Protect those accounts using best practices, such as password rotation and vaulting, and provide authorization APIs to centralize access management.

A level 3 score indicates an organization is protecting all privileged access by limiting user privileges and implementing password vaulting for service accounts. An authorization service is put in place to centrally manage access policies. Applications can now externalize authorization. For next steps, expand your AI strategy to include monitoring audit events to detect access anomalies, and automate response to high-risk detected events. Let your SIEM detect and IAM respond.

A level 4 score indicates an organization integrates IAM and SIEM tools to enable event correlation with greater context. IAM provides Authorization-as-a-Service via RESTful APIs which adds support for Risk-Based Access Control. Good planning and time to deploy, the "Intelligent" level of the Access Management Maturity Model is achievable with today's technology. Start with the most important systems and keep expanding.

Resources On This Area

Identity Governance

Identity Governance

A level 0 score indicates that an organization has not implemented any identity governance capabilities. Focus on creating an repository of entitlements to act as an authoritative source for access across the ecosystem. Build reporting capabilities that allow for an audit trail of entitlement associations. Create certification of access capabilities for entitlements that are not associated with birthright access.

A level 1 score indicates an organization has implemented a level of identity lifecycle management to support birthright access management. Access management is based on Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). For next steps, an organization can fully automate birthright access with identity lifecycle management, but organizations need approvals and certification to handle exceptions. Take steps to protect your organization by not allowing privileged access 24/7.

A level 2 score indicates an organization uses workflow to handle exceptional access requests. Individuals can request elevated privileges only for the time necessary. For next steps, take inventory of system level privileged accounts. Protect those accounts using best practices, such as password rotation and vaulting, and provide authorization APIs to centralize access management.

A level 3 score indicates an organization is protecting all privileged access by limiting user privileges and implementing password vaulting for service accounts. An authorization service is put in place to centrally manage access policies. Applications can now externalize authorization. For next steps, expand your AI strategy to include monitoring audit events to detect access anomalies, and automate response to high-risk detected events. Let your SIEM detect and IAM respond.

A level 4 score indicates an organization integrates IAM and SIEM tools to enable event correlation with greater context. IAM provides Authorization-as-a-Service via RESTful APIs which adds support for Risk-Based Access Control. Good planning and time to deploy, the "Intelligent" level of the Access Management Maturity Model is achievable with today's technology. Start with the most important systems and keep expanding.

Resources On This Area

Retake Quiz

Thanks for Your Interest!

We will contact you within 24-hours to set up a time to talk. In the meantime, check out our webinar series on the topic of IAM maturity:

WEBINAR RECORDING

IAM Maturity Model Overview: Understanding the 7 Tenets of Identity and Access Management

Maturity models are the key to identifying gaps, setting benchmarks, and establishing priorities—and IAM is no exception.