🏥Identity Posture Score
Overview
The Identity Posture Score is a single score calculated for your organization to help you quickly and easily determine areas of focus that will improve your organization's overall identity security hygiene. Scores range from 0 to 100, and from very weak to very good - the higher the score, the better your organization's security posture.
Additionally, recommendations on how to improve your organization's identity posture are provided in order of impact to the score, so you can easily determine which identity security hygiene gaps to prioritize.
The Identity Posture Score is determined based on a number of criteria including integrations connected, number of users impacted by a check, check severity, user context and other factors. See Calculation of Identity Posture Score for detailed information on how the score is determined and the thresholds associated with each score category.
You can see more information about your organization's current Identity Posture Score, as well as the score's trends over time, on your Dashboard.
There are no settings related to the Identity Posture Score and it cannot be customized directly. To learn more about tuning checks, which can change the number of users failing a check and thus indirectly affect the Identity Posture Score, please refer to our documentation on customizing checks.
Why should I fix my organization's identity posture?
Identity attacks are really similar to home burglaries
Think of your organization as a house. You make sure all the doors are closed and locked before you go out to run an errand. While you're away, someone decides to break into your house. They will try to get in through the doors first because that's easiest. When they realize all your doors are locked, they don't give up - they try the windows next. But wait... you didn't check the windows! If you can't get the basics of closing and locking all your doors and windows down, it wouldn't make sense to install fancy video cameras or alarm systems to monitor your house while you're away because the burglar will still get in! Although these tools can be helpful to identify the burglar later on, or shorten the amount of time they have to take your valuables, it doesn't stop them from getting into your house in the first place and causing damage.
This house example, though simplified, depicts why it is so critical to address postural issues within your organization.
Just like a burglar, a bad actor will try to use the easiest path first, like guessing the password of accounts with no MFA configured. If that doesn't work, they'll try cleverer approaches, like MFA phishing or session theft, to try and gain access to your system. One thing is for certain - while the attack technique might change, the attacks themselves will not stop.
With good identity security posture, when a threat comes in (because we know they will come in), you have some peace of mind knowing that the basic protections are in place to ensure your organization is less likely to get "broken into". You've made sure all the doors AND windows are locked, by requiring basic MFA methods and cleaning up inactive accounts. As your organization's identity security posture matures, you then take more advanced steps to protect it, like enforcing stronger MFA methods and reducing session lengths.
Improving your organization's identity posture won't stop the attacks from coming, nor will it stop a very determined bad actor who is willing to try everything possible to gain access. But it does ensure that the attacks that come in are generally less risky because the right precautions and measures were put into place. With Cisco Identity Intelligence, you get both sides: the Posture Score and posture checks act as the voice in the back of your head reminding you to lock your doors and windows, while User Trust Levels and threat checks act as the fancy security system that monitors and alerts on potentially malicious behavior or threats that should be investigated, and help you clean up as soon as possible if someone does slip through the cracks.
Dashboard widgets
Two widgets related to Identity Posture score can be found on the Dashboard. To read more about the widgets, please see our Dashboard documentation for detailed information about each visualization.
Calculation of Identity Posture Score
Cisco Identity Intelligence weighs several factors together in a proprietary algorithm to produce an Identity Posture Score for each organization, which ranges from 0 to 100 and is categorized in distinct thresholds, where a score of:
0-39 is considered Very Weak
40-59 is considered Weak
60-79 is considered Neutral
80-89 is considered Good
90-100 is considered Very Good
An Identity Posture Score will be calculated based on the data available in your organization's tenant. The more data available from different integration instances, the more accurate your score will be. The factors used in this algorithm include the following:
Severity levels of specific failed checks: Check severity levels are based on the severity assigned by known attack frameworks such as NIST, MITRE ATT&CK, etc., and the potential risk associated with particular hygiene issues. Critical severity issues are weighted more heavily than low severity issues.
Scale of a specific posture issue: Determined by looking at the number of users failing specific posture-based checks.
User Context: Specific checks related to MFA are split into subcategories to assign higher priority to posture issues among Priority users, who are higher risk and more sensitive than other users. Priority users are those listed as Integration Instance Admins and/or Executives based on job titles from the HRIS or IdP (e.g., Chiefs, VPs, President, etc.).
Other factors also impact your Identity Posture score such as:
Disabled checks: Checks that are included as part of the Identity Posture Score calculation but have been disabled in your tenant will negatively impact your score. A perfect score (100) cannot be achieved without enabling all checks that are part of the Identity Posture Score calculation.
Integration Instance configuration:
As mentioned above, the more integration instances that are connected in your tenant, the more data is available to contribute to the Identity Posture Score calculation. The more data available, the more accurate your organization's score will be. For this reason it is important to set up all available integration instances that exist for your environment. To learn more about what data integrations are available and how to configure them, refer to Integrations.
It is important to connect your organization's HRIS data to your tenant, as it is a critical component of the Identity Posture Score. A perfect score (100) cannot be achieved without connecting an HRIS system (Workday) or manually uploading HRIS data in your tenant, as this data is critical to identity mapping and data hygiene and enables specific checks that are part of the overall score calculation.
Because of Identity Intelligence's data ingestion methods, connecting a new integration to your tenant will temporarily increase your score for 7 days while the new data collection settles. After the data has been collected and normalized, you may notice a decrease in your score based on the new data collected and the associated posture issues of your users.
Cisco Identity Intelligence is continuously refining its posture algorithm to include new factors and/or modify the weighting of factors, to provide the most up-to-date and accurate portrayal of identity posture possible. Any updates to the calculation will be reflected on this page.
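The following is an added illustrative model, not Cisco Identity Intelligence's algorithm (which the page describes as proprietary). Only the 0-100 range and the five category thresholds are taken from this page; every check name, severity weight, priority-user multiplier, disabled-check penalty and user count is an assumption chosen to show how the factors listed above (severity, scale, user context, disabled checks) can combine into one score, and how recommendations can be ordered by impact.

```python
"""Illustrative identity posture scoring model (added example).

Assumptions: the weights, multiplier, penalty, check names and sample
tenant below are invented for illustration; they are not Cisco Identity
Intelligence's values.
"""
from __future__ import annotations

from dataclasses import dataclass

# Category thresholds as stated on the page (lower bound inclusive).
THRESHOLDS = [
    (90, "Very Good"),
    (80, "Good"),
    (60, "Neutral"),
    (40, "Weak"),
    (0, "Very Weak"),
]

# Assumed severity weights: critical issues count more than low ones.
SEVERITY_WEIGHT = {"critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}

# Assumed extra weight for priority users (integration admins, executives).
PRIORITY_MULTIPLIER = 2.0

# Assumed flat penalty per disabled in-scope check: a disabled check can
# never pass, so a perfect 100 is unreachable while any check is disabled.
DISABLED_PENALTY = 5.0


@dataclass
class CheckResult:
    name: str
    severity: str
    failing_users: int       # all users failing the check
    failing_priority: int    # the subset of those who are priority users
    total_users: int
    enabled: bool = True


def category(score: float) -> str:
    """Map a 0-100 score to the page's posture categories."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    for lower, label in THRESHOLDS:
        if score >= lower:
            return label
    return "Very Weak"


def check_impact(c: CheckResult) -> float:
    """Points a single check removes from 100 under the assumed model.

    Scale is the (priority-weighted) fraction of users failing the check,
    capped at 1.0 so priority weighting cannot exceed "everyone fails".
    """
    if not c.enabled:
        return DISABLED_PENALTY
    if c.total_users == 0:
        return 0.0
    ordinary = c.failing_users - c.failing_priority
    weighted = ordinary + PRIORITY_MULTIPLIER * c.failing_priority
    scale = min(weighted / c.total_users, 1.0)
    return SEVERITY_WEIGHT[c.severity] * scale * 10.0


def posture_score(checks: list[CheckResult]) -> float:
    """Start at 100, subtract each check's impact, floor at 0."""
    score = 100.0 - sum(check_impact(c) for c in checks)
    return round(max(score, 0.0), 1)


def recommendations(checks: list[CheckResult]) -> list[tuple[str, float]]:
    """Checks ordered by impact on the score, highest first."""
    ranked = [(c.name, round(check_impact(c), 1)) for c in checks]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: r[1], reverse=True)


# Constructed sample data for a hypothetical 200-user tenant.
SAMPLE_CHECKS = [
    CheckResult("Users without MFA", "critical", 20, 2, 200),
    CheckResult("Inactive users", "medium", 30, 0, 200),
    CheckResult("Weak MFA method for admins", "high", 4, 4, 200),
    CheckResult("External email forwarding", "low", 10, 0, 200, enabled=False),
]

if __name__ == "__main__":
    s = posture_score(SAMPLE_CHECKS)
    print(f"score={s} ({category(s)})")
    for name, impact in recommendations(SAMPLE_CHECKS):
        print(f"  -{impact:4.1f}  {name}")
```

Running the sample shows the two effects the page calls out: the disabled check is the single largest detractor even though it is low severity, and the admin-only MFA check costs more per failing user than the general one because priority users are weighted extra.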
How can I improve my organization's Identity Posture Score?
To improve your organization's score you should refer to the recommended actions, which can be found in the widget with your organization's current Identity Posture Score. Each recommended action provides high-level guidance on what step(s) need to be taken to review and/or remediate each user that is detracting from your organization's score because of check failures.
Click the number of users in this widget to go to the Users page where you can review each user that is impacting your posture score to determine if:
the end user needs to make a change to their account (e.g., configure any form of MFA, stop forwarding emails externally, etc.) so that you can contact them directly and remediate the problem
the end user's account(s) should be deleted (e.g., this user no longer exists or no longer needs this account)
there is a specific mitigating control in place that can allow an end user to be excluded from a particular check so that they are no longer failing the check for a specified window of time
a check's configuration settings need to be tuned to better align with your organization's processes and policies (e.g., the default setting for the Inactive Users check is 30 days, while your organization's process is 90 days)
To configure a check's settings, navigate to the check you'd like to modify. If Check Settings are available for that particular check, the control is located in the top right corner of the Check page; open it and select Custom Detection Settings. Note that not all checks have settings that can be modified.
the Sensitive Applications list in Identity Intelligence needs to be modified to better align with your organization's list of important applications. By default, the "Unused Application for a User" check settings are set to only consider sensitive apps, which are pulled from a pre-configured list set by Identity Intelligence
You can either modify the list of Sensitive Apps via the Tenant Settings to add or remove sensitive apps, or you can modify the check settings for this check to analyze all applications, not just sensitive ones, as described in the bullet above. Note: once you add one Sensitive App to the list, it will erase the entire Identity Intelligence default list, so if you want to keep any of the default apps, be sure to take a screenshot of the Sensitive App Usage widget on the Dashboard before making any changes.