Transcript Document

Economics of Identity and Access Management: Providing Decision Support for Investments
Marco Casassa Mont ([email protected])
Yolanta Beres, David Pym, Simon Shiu
HP Labs, Systems Security Lab, Bristol, UK
IEEE IFIP BDIM 2010
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Presentation Outline
• Problem: How to Enable Decision Makers to make Informed Decisions about IAM Strategy
• Economics of Identity and Access Management (IAM)
• Methodology for Strategic Decision Support
• IAM Case Study
• Elicitation of Strategic Preferences
• Exploring the Impact of IAM Investment by means of Modelling and Simulation
• Mapping Predicted Outcomes against Decision Makers’ Preferences: Decision Support
• Discussion and Conclusions
Complexity of Identity and Access Management
• Identity and Access Management (IAM) Solutions are widely adopted by Organisations
• Common IAM Capabilities:
− Business enabler
− Support user management
− Access control
− Compliance
− Security Risk Mitigation
• However, most Organisations Struggle with their IAM Strategies
IAM Investments vs Other Investments
• Enterprises are experiencing an Increasing Number of Internal and External Threats
• Scarcity of Resources and Budget to address them all
• Decision Makers (CIOs, CISOs etc.) need to Prioritize and Motivate their Requests for Investments
• IAM Investments vs Other Possible Security or Business Investments
Addressed Problem
Problem: How to enable Decision Makers to make Informed Decisions about their IAM Strategies and Investments?
IAM Strategy affects Organisations’ Business in terms of Agility, Productivity, User Experience, Security Risks, …
Challenging task:
• Very Difficult to determine how different combinations of technology and process affect business outcomes
• Little knowledge of future Business Needs and Threat Landscape
• Multiple attributes, choices, outcomes and high degree of uncertainty
Cost constraints dictate a more and more rigorous approach to:
• Making the case for specific investments
• Showing due Diligence
On Providing Strategic Decision Support
Decision Makers would Love to get Decision Support Capabilities to Simplify their Work
Traditional Approaches:
• Techniques based on RoSI: Accountancy
  → Limited as it does not address operational and dynamic aspects
• Risk Assessment and Security Practices (ISO 2700x)
  → Generic, high-level assessment
• Solution Providers’ agenda to sell IAM products
We argue it is a matter of Understanding and Dealing with IAM Economics …
On IAM Economics [1/2]
• Decision Makers operating in IAM Space must:
− Cope with different Tension Points at the Business, Security and Governance Levels
− Worry about Trade-offs
− Make Informed IT Investment Decisions in an Ever Changing World
To Provide Decision Support we need to Understand the Economics that are at the base of these Strategic IT Investments
On IAM Economics [2/2]
• We assume there is an Economic Framework where the Value of Different Investment Outcomes can be Explored and Discussed
• Need to:
− Identify Business and Strategic Outcomes of Concern
− Determine different Decision Makers’ Intuitive Views of how these trade off, and their preferences for overall outcomes
− Traditional IT Metrics can help to Ground the Analysis
• Multiple Decision Makers with Different Worries and Priorities:
− CISO → Security Risks and IT costs
− Business and Application Manager → User Productivity
− Governance Manager → Compliance to Regulations
IAM: Strategic Outcomes of Interest
Decision Makers’ Strategic Outcomes of Interest in the IAM Space:
− Security
− Productivity
− Compliance to Regulation
− Costs
− …
These multiple Objectives Trade off against each other:
− Security Risks vs Productivity
− Compliance vs Productivity
− All have implications in terms of Budget
Need to Identify Decision Makers’ Preferences for Achieving these Objectives
IAM Economics and Utility Functions [1/2]
Ideally we could determine a Utility Function of the Decision Maker so that a comparative value can be applied to each outcome:
$$U = \omega_1 f_1(T_1 - \hat{T}_1) + \omega_2 f_2(T_2 - \hat{T}_2) + \dots + \omega_n f_n(T_n - \hat{T}_n)$$
$T_i$: Outcome of Interest
$\hat{T}_i$: Desired Target
$\omega_i$: Weight
$f_i$: function representing the decision maker’s tolerance for variance from targets
Quadratic Function vs Linex Function to capture diminishing marginal utility
IAM Economics and Utility Functions [2/2]
In the case of IAM Economics an Example of this Utility Function (here with quadratic tolerance functions) is:
$$U = \omega_1 (SR - \hat{SR})^2 + \omega_2 (P - \hat{P})^2 + \omega_3 (Co - \hat{Co})^2 + \omega_4 (C - \hat{C})^2$$
SR: Security Risks
P: Productivity
Co: Compliance
C: Costs
In Practice it is hard to Identify this Utility Function purely from an Abstract Analytic approach, without taking into account the Impact of IAM Investments on:
• operational and business processes
• people behaviour
• underlying IT systems
• security threats
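The weighted-tolerance form above, carried through in code as an added example (not code from the presentation or from HP Labs): it implements U as a sum of weighted tolerance functions of the deviation from each target, with both tolerance shapes the slide names (quadratic and LinEx), and ranks two hypothetical investment options. The targets for incidents, productivity and audit findings are the values the case study's decision maker later elicits; the cost target, the weights, the LinEx shape parameters and the two options' predicted values are constructed for illustration.

```python
"""Weighted utility over IAM strategic outcomes (added example)."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


def quadratic(dev: float) -> float:
    """Symmetric tolerance: over- and under-shooting the target cost the same."""
    return dev * dev


def linex(a: float) -> Callable[[float], float]:
    """LinEx tolerance exp(a*dev) - a*dev - 1: zero at the target, roughly
    linear on one side and exponential on the other, so a > 0 punishes positive
    deviations (e.g. more incidents than the target) much harder than negative ones."""
    def f(dev: float) -> float:
        return math.exp(a * dev) - a * dev - 1.0
    return f


@dataclass(frozen=True)
class Outcome:
    target: float                        # desired target (T-hat on the slide)
    weight: float                        # omega_i
    tolerance: Callable[[float], float]  # f_i
    higher_is_better: bool = False       # True for productivity; False for incidents, findings, costs


def disutility(outcomes: Dict[str, Outcome], predicted: Dict[str, float]) -> float:
    """U expressed as a loss: 0 when every outcome hits its target. Deviations are
    oriented so that a positive deviation is always the undesirable direction."""
    total = 0.0
    for name, spec in outcomes.items():
        dev = predicted[name] - spec.target
        if spec.higher_is_better:
            dev = -dev  # a shortfall below the target becomes a positive deviation
        total += spec.weight * spec.tolerance(dev)
    return total


def rank_options(outcomes: Dict[str, Outcome],
                 options: Dict[str, Dict[str, float]]) -> List[str]:
    """Option names ordered from lowest to highest loss."""
    return sorted(options, key=lambda name: disutility(outcomes, options[name]))


# Decision-maker profile. Targets for incidents, productivity and findings follow the
# case study's Phase II values; the cost target, weights and LinEx parameters are
# constructed to express the stated bias towards productivity.
DECISION_MAKER = {
    "security_risks": Outcome(target=1.0, weight=1.0, tolerance=linex(1.0)),   # incidents / year
    "productivity": Outcome(target=1.0, weight=50.0, tolerance=linex(20.0), higher_is_better=True),
    "compliance": Outcome(target=1.0, weight=1.0, tolerance=quadratic),        # audit findings / year
    "costs_musd": Outcome(target=5.0, weight=0.1, tolerance=linex(0.5)),       # M$ / year (constructed)
}

# Constructed predicted outcomes for two hypothetical investment options.
OPTIONS = {
    "prov5_comp4": {"security_risks": 1.2, "productivity": 0.995, "compliance": 1.5, "costs_musd": 8.0},
    "prov3_comp2": {"security_risks": 2.0, "productivity": 0.90, "compliance": 4.0, "costs_musd": 3.0},
}

if __name__ == "__main__":
    for name in rank_options(DECISION_MAKER, OPTIONS):
        print(f"{name}: loss = {disutility(DECISION_MAKER, OPTIONS[name]):.3f}")
```

The LinEx shape is what makes the "diminishing marginal utility" point concrete: with a > 0 the loss grows exponentially as incidents rise above the target but only linearly as they fall below it, so spending to push incidents far under the target buys little, which matches the decision maker's Phase II statement of a "Min" value below which they would not spend more.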
Overview of Our Approach to Provide Strategic Decision Support
• Explore Decision Makers’ Preferences on Strategic Aspects of Relevance
• Use System Modelling and Simulation to Predict Impact of Different IAM Investments/Choices
• Map Predicted Outcomes against Strategic Preferences to Identify Suitable Options
− Exploring Impact of various Options
− Enables Discussions at Business Level
Methodology for Decision Support [1/4]
Integrating two Key Aspects:
• Methods from Economics
• Executable Mathematical Models of:
− Underlying IT Systems and Processes
− Dynamic Threat Environments
Methodology for Decision Support [2/4]
[Figure: methodology diagram linking Stakeholders’ Preference Elicitation, System Modelling & Analytics and Empirical Data Collection through Cross Fertilisation. Stages shown: Characterise Key questions/problems, Model System Processes, Simulate & Analyse, Utility Function, Mapping Outcomes (proxies) To Preferences, Economic Analysis, Evaluate & Recommend, Validation]
Methodology for Decision Support [3/4]
Strategic Preferences are Elicited from Decision Makers by using Targeted Questionnaires to Identify Priorities and Trade-offs
Executable Mathematical Models take into account:
• Strategic Preferences
• Architecture
• Policies
• Business and IT Processes
• Dynamic Threat Environments
Predictions of Models can be Validated against the Targets and Preferences of Decision Makers
Methodology for Decision Support [4/4]
Predictions are seen as Proxies to Utility Functions’ Components:
[Figure: Model → Model Predictions (Proxies) → Utility Function components: Security Risks, Productivity, Compliance, Costs]
The Model can be refined as Decision Makers’ understanding of Targets and Preferences might itself be subject to reassessment and refinement
IAM Case Study
• Carried out in Collaboration with 3 Security and IAM Experts
• Presentation focus is on the Outcomes of 1 Expert that played the CIO/CISO Role for a Major Customer
• Case Study based on Large Organisation
• Decision Maker had to make Strategic IAM Investment decisions to Support Core Enterprise Business Services, Underpinned by SAP Applications
• Decision Maker confirmed that their core Concerns (Strategic Outcomes of Interest) are:
− Productivity, Compliance, Security Risks, Costs
IAM Case Study: Targeted Environment
[Figure: Business Users access Business Services (HR, CRM, SCM, SRM, PLM, …), each underpinned by a SAP Application; the SAP Applications run on Systems & IT Infrastructure managed by IT System Admins]
IAM Case Study: Relevant Aspects
• Users can Join, Leave or Change their Roles within the Organisation
• Aspects of relevance:
− Accurate Management of User Accounts and Rights
− Ensure Compliance to Laws
− Mitigate Security Risks
− Enhance Productivity
− Cope with Limited Budgets
• Investment Choices are determined by Priorities and Strategic issues of Relevance to Decision Makers
[Figure: Users Joining, Leaving and Changing Roles within the Organisation]
IAM Investment Options
• IAM Investments can be Classified in terms of:
− Provisioning
− Compliance
− Enforcement
• IAM Investments have different Impacts on Strategic Outcomes of Interest:
− Provisioning → Productivity and Security
− Compliance → Governance and Security
− Enforcement → Security
Classes of IAM Investments [1/2]
We Identified 5 Classes of IAM Investment Levels, in the [1,5] Range, with an increasing Impact in terms of Effectiveness of Involved Control Points, Policies and Costs:
[Figure: Levels 1 to 5 for each of Provisioning, Compliance and Enforcement, ranging from Ad-hoc Processes and Manual Approaches (Level 1), through Hybrid Approaches with Degrees of Automation and Policy Definition, to Strong Automation and Integration with Security and Business Policies (Level 5)]
Classes of IAM Investments [2/2]
Investment Levels by Type of IAM Investment:

Provisioning
1. Ad-hoc, manual approaches both for approval and deployment steps.
   CP Technologies: NONE
2. Manual approach to deal with approval and deployment but driven by common/centralised policies.
   CP Technologies: email (notifications)
3. Automated approval approach and manual deployment, driven by centralised policies. Hybrid approach to user account removal.
   CP Technologies: web service-based approval notifications, integration with enterprise LDAP directory
4. Automated approval and deployment approach (driven by common/centralised policies).
   CP Technologies: general purpose Oracle/SUN/etc. IAM provisioning solutions
5. Automated approval and deployment approach along with tools supporting further compliance controls, such as SoD, SOX compliance, etc. (driven by common/centralised policies).
   CP Technologies: SAP NetWeaver (integrated SAP IAM), VIRSA (SoD conflict management and provisioning), APPROVA Access Manager

Compliance
1. Ad-hoc, manual auditing and compliance-checking approach. Ad-hoc remediation activities.
   CP Technologies: NONE
2. Manual internal compliance-checking approach but driven by centralised/common policies. Mainly ad-hoc remediation activities.
   CP Technologies: Self-assessment forms
3. Hybrid approach involving manual and degrees of automation of internal compliance checking. Mainly ad-hoc remediation activities.
   CP Technologies: SAP KPI management, SAP reporting tools
4. Automation of internal compliance checking. Degrees of automation of remediation activities.
   CP Technologies: APPROVA and SAP KPI management
5. Automation of internal compliance checking and remediation activities.
   CP Technologies: VIRSA (automated, total remediation)

Enforcement
1. Ad-hoc security practices and enforcement (authentication, access control/authorization, vulnerability threat management, etc.). Ad-hoc choices for control points and security approaches.
2. Security practice based on common sense/good practice. General security policies. Ad-hoc interpretation and deployment of policies.
3. General security policies and guidelines on how to interpret and deploy them.
4. General security policies and guidelines on how to interpret and deploy them. Guidelines on recommended control points and IT security technologies. Degrees of reassessment of policies and control points.
5. General security policies and guidelines on how to interpret and deploy them. Guidelines on recommended control points and IT security technologies. Methodological reassessment of policies and control points.
Assumptions
• The Interviewed IAM Experts stated that Enforcement was not a Major Concern for their organisations as:
− Relatively mature area
− Implications are reasonably understood
− Investments have already been made
• We estimated that available Enforcement Investments are comparable to Level 4 in our classification
• IAM Case Study focusing on Exploring Investment options and Trade-offs in the space of Compliance and Provisioning to achieve Strategic Outcomes of Relevance
Elicitation of Strategic Preferences [1/5]
Approach Consisting of Three Phases:
PHASE I
• Eliciting Set of Strategic Aspects/Outcomes of Relevance to Decision Makers
• Decision Maker confirmed top Strategic Concerns about:
− Security Risks
− Productivity
− Compliance
− Costs
• Clear Semantics of These Strategic Outcomes along with meaningful IT Metrics (Proxies) to Estimate them:
Security Risks: Predicted number of breaches/incidents (e.g. exploitations of credentials, unauthorised accesses, etc. due to internal/external attacks) that happen in a 1 year timeframe. We looked for the max number of incidents the decision maker accepts happening and the min number of incidents they would be reasonably comfortable with.
Productivity: Predicted ratio (percentage) of all user accounts (& related access rights) that the organisation would have liked to have been provisioned in 1 year. A productivity of 70% means that only 70% of all the accounts that should have been correctly provisioned actually have been provisioned.
Compliance: Predicted number of audit findings/violations (e.g. # SOX compliance audit violations) in 1 year. The lower the number, the higher the compliance.
Costs: Approximated costs in terms of budget ($) to be invested in IAM initiatives in a 1 year timeframe.
Elicitation of Strategic Preferences [2/5]
PHASE II
• For each Strategic Outcome, asked the Decision Maker which “Values” were “Good Enough” and which were “Just Acceptable”:
− Min Value: not willing to spend additional money to achieve more
− Max Value: level below which Decision Makers get concerned and are willing to act
• The Decision Maker Identified a set of Value Ranges:
− Security Risks: Min: 1, Max: 3
− Productivity: Min: 100%, Max: 100%
− Compliance: Min: 1, Max: 1
− Costs: Min: 500K$, Max: 10M$
• Decision Maker biased towards Productivity: key Priority
• Costs are not a major issue for this Decision Maker
• Some degree of tolerance in terms of Security Risks and Compliance
Elicitation of Strategic Preferences [3/5]
PHASE III
• Asked Decision Maker for their Relative Preferences between values of Paired Outcomes to highlight Tension Points and quantify Trade-offs:
Security Risks vs. Productivity: Exploring how much the decision maker is willing to compromise security in order to improve productivity (or the other way around)
Productivity vs. Compliance: Lack of compliance can sometimes be acceptable to increase productivity, and the other way around (due to stronger controls and bureaucratic processes)
Productivity vs. Costs: Exploring how much the decision maker is willing to compromise in terms of productivity, based on the involved costs
Security Risks vs. Compliance: Exploring the relative preferences between security risks and compliance. Strong preferences in the compliance area indicate an attitude of accepting low security risks, especially the ones causing audit failures
• Created 4 questionnaires and populated them with values elicited in Phase II and by introducing outliers
• Asked the Decision Maker to State their priorities in the [1,5] Range
• Used Graphical Diagrams to achieve this
Elicitation of Strategic Preferences [4/5]
PHASE III
Examples of Instantiated Questionnaires with Decision Makers’ Priorities:

Security Risks vs. Productivity questionnaire
Security Risks | Productivity | Priority [1,5]
1 | 100% | 1
2 | 99% | 1
2 | 98% | 3
3 | 98% | 5
2 | 100% | 1
1 | 99% | 1
3 | 97% | 5
3 | 100% | 1
2 | 97% | 3
3 | 96% | 5
7 | 95% | 5
5 | 90% | 5
4 | 98% | 5
5 | 97% | 5
4 | 100% | 1
5 | 100% | 1
6 | 98% | 5
4 | 97% | 5
2 | 95% | 3
1 | 90% | 4

Productivity vs. Compliance questionnaire
Productivity | Compliance | Priority [1,5]
100% | 1 | 1
99% | 1 | 1
98% | 2 | 2
97% | 3 | 3
96% | 5 | 5
95% | 7 | 5
100% | 2 | 3
99% | 2 | 3
98% | 1 | 2
98% | 3 | 3
97% | 4 | 4
95% | 5 | 5
100% | 3 | 3
99% | 3 | 3
Elicitation of Strategic Preferences [5/5]
PHASE III - Results
[Figure: four elicited preference diagrams, each point labelled with its Priority (1 to 5): (A) Productivity vs. Compliance, (B) Security Risks vs. Productivity, (C) Productivity vs. Costs, (D) Security Risks vs. Compliance]
(C) Productivity vs. Costs, as elicited:
Productivity | Costs | Priority [1,5]
100% | Very high (>10 M) | 1
98% | Very high (~10 M) | 2
97% | High (5-10 M) | 3
95% | Medium (1-5 M) | 4
94% | Low-Medium (1-2 M) | 5
92% | Low-Medium (1 M) | 5
90% | Low (<1 M) | 5
• Decision Maker confirmed bias towards Productivity
• Willing to accept Security Risks as long as Productivity is achieved
• Compliance has high importance too
Usage of Modelling and Simulation [1/2]
• Use Modelling and Simulation Techniques to make Predictions about the Impact of Investment Options
− Rigorous Scientific Approach
− Enables Next Step, i.e. Mapping Predicted Outcomes to Strategic Preferences to Identify suitable Investments
• Approach based on Predictive System Modelling:
− Discrete Event Modelling
• Systems viewed as having the following Components:
− Environment
− Location
− Resource
− Process
Usage of Modelling and Simulation [2/2]
• HP Labs’ Toolset for Modelling and Simulation based on Mathematical foundations:
− GNOSIS (http://www.hpl.hp.com/research/systems_security/gnosis.html)
• Advantages over Traditional Analytics approaches
− Explicitly represents dynamic dependencies and interactions among Entities, Processes and Decisions
• Relevant for IAM Scenario because of the involved variety of Events, Business Processes, Systems and Human Interactions
High-level IAM Model [1/2]
• General Model built as a result of our Analysis of IAM Processes
• Model Validated by our Security and IAM Experts
• Model characterised by:
− Status of the System
− Set of Processes
− Events
• Model Parametric to 3 Types of Investments, in the [1,5] Range:
− Provisioning, Compliance, Enforcement (Assumption: Level=4)
High-level IAM Model [2/2]
[Figure: the model’s Events, Processes, Status and Measures]
Events: User Joining Event, User Changing Role(s) Event, User Leaving Event, Audit Event, Compliance Check Event, Internal Attack Event, External Attack Event, Ex-Employee Attack, App. Security Weakening Event, App. Security Strengthening Event
Processes: User Joining Provisioning Process, User Leaving Provisioning Process, Auditing Process, Compliance Checking & Remediation Process, Attack Processes, Application Security Weakening Process, Application Security Strengthening Process
Status:
− Access Status: # BIZ Access, # NONBIZ Access, # BAD Access, # NON Access, # Other Access (hanging accounts)
− Apps Status: # Weak, # Medium, # Strong
− Investment Options [Parameters]: Provisioning Level, Compliance Level, Enforcement Level
Measures: # Incidents, # Access & Security Compliance Findings, # Access & Security Remediation, # Access & Security Audit Failures, % Productivity
Explicit Modelling of Users’ Access Rights
• Model explicitly tracks the Users’ Access Rights for all Managed SAP Applications to:
− Capture the Access Posture of the Organisation
− Determine the Impact on Strategic Outcomes of Interest
• Wrongly Allocated Access Rights encourage Threats/Attacks
→ Negative Impact on Productivity and Compliance
Access classification (Expected vs Actually Granted):
− Expected Access + Access Actually Granted → Biz Access
− Expected Access + Access Actually Not Granted → No Biz Access
− Expected No Access + Access Actually Granted → Bad Access
− Expected No Access + Access Actually Not Granted → No Access
− plus “Other Access” (Hanging Accounts)
Impact of IAM Investments
• IAM Investments are Parameters in the Model:
− Provisioning, Compliance Levels in [1,5] Range
− Enforcement Level = 4
• The Impacts of IAM Investments are:
− Factored in the various Modelled Processes
− Represented by taking into Account the Cause-Effect Relationships that are at the base of Failures, Mistakes and Successes
− Driven by Probability Distributions that Depend on these Investments
Modelled Process: User Joining the Organisation
[Flowchart: User Joining Provisioning Process]
− User Joining Event → Notify SysAdmin/IAM Provisioning System → Create User Account on SAP Application if it Does Not Exist (No Access Rights yet added)
− Require Manager1 For Passive Approval; Require Manager2 For Active Approval
− Received Both Authorizations after time period T? NO → Non Business Access; YES → Authorize Access Rights
− Has SysAdmin/IAM Provisioning System Received Authorizations? NO → Non Business Access; YES → continue
− Authorization Process Bypassed? YES → Bad Access
− No Configuration Problem? / Mis-configuration Problem? YES → Non Business Access or Bad Access; NO → Add Access Rights To SAP Application → Business Access
Modelled Process: User Leaving the Organisation
[Flowchart: User Leaving Provisioning Process]
− User Leaving Event → Get User Information From Enterprise Directory/HR → Notify SysAdmin/IAM Provisioning System
− Has SysAdmin/IAM Provisioning System Received Notification? NO → Hanging Account; YES → Removal of User Account & Access Rights
− Mis-configuration Problem? YES → Hanging Account; NO → User Account & Rights Removed
Modelled Process: Compliance Checking and Remediation Process
[Flowchart: Compliance Checking & Remediation Process]
− Compliance Check Event → Select Number of Apps to Check → Select Number of User Accounts to Check
− For all Selected Apps: Deal with another Compliance Check for App? NO → Finished; YES → Check Application Security → Found Security Issue? YES → Compliance Checking: Security Issue Finding → Security Remediation Process
− For all Selected Accounts in the App: Deal with another Compliance Check? YES → Check Account → Found Access Issue? YES → Compliance Checking: Access Issue Finding → Access Remediation Process; NO → next Account
Modelled Process: Auditing Process
[Flowchart: Auditing Process]
− Audit Event → Select Number of Apps to Check → Select Number of User Accounts to Check
− For all Selected Apps: Deal with another Audit Activity for App? NO → Finished; YES → Check Application Security → Found Security Failure? YES → Audit: Security Failure
− For all Selected Accounts in the App: Deal with another Audit Activity? YES → Check Account → Found Access Issue? YES → Audit: Access Failure; NO → next Account
Modelled Processes: Application Security Status
[Flowcharts: Application Security Weakening Process and Application Security Strengthening Process]
Application Security Weakening Process: App. Security Weakening Event → Select Application → Is there any Application with “Strong Security”? YES → Application Security has degraded to “Weak Security” due to time → Update number of Strong and Weak Apps; NO → Is there any Application with “Medium Security”? YES → Application Security has degraded to “Weak Security” due to time → Update number of Medium and Weak Apps; NO → Finished
Application Security Strengthening Process: App. Security Strengthening Event → Select Application → Has the Application “Weak Security”? YES → Application Security Strengthened to “Medium Security” → Update number of Medium and Weak Apps; NO → Is there any Application with “Medium Security”? YES → Application Security Strengthened to “Strong Security” → Update number of Strong and Weak Apps; NO → Finished
Modelled Processes: Types of Attacks
[Flowcharts: Internal Attack Process, Ex-Worker Attack Process and External Attack Process; each path ends in an Access Incident, a Security Incident or Incident Prevention]
Internal Attack Process decision points: Has a “Bad Access” or a “Business Access” Been Exploited? (YES → Access Incident); Has a “Weak Security” Application Been Targeted? and Has the Intranet Protection Been Bypassed? (YES → Security Incident); Has a Hanging Account Been Exploited by somebody Else in the Organisation? (YES → Access Incident); otherwise Incident Prevention
Ex-Worker Attack Process decision points: Are the Ex-Worker’s Skills High?; Is the Intranet Protection Level Low?; Has a Hanging Account been Exploited By the Ex-Worker? (YES → Access Incident); otherwise Incident Prevention
External Attack Process: the same decision points phrased for an Ex-Employee (Are the Ex-Employee’s Skills High?; Is the Intranet Protection Level Low?; Has a Hanging Account been Exploited By the Ex-Employee?; Has a Hanging Account Been Exploited by somebody Else in the Organisation?), leading to Access Incident or Incident Prevention
Modelled Measures
• Processes Impact the Status of the Model by modifying the Values of Various Measures, Including:
− Number of Occurred Incidents
− Number of Access and Security Compliance Findings and Remediation
− Number of Access and Security Audit Failures
− Productivity
• Productivity defined as:
− (#BizAccess + #BadAccess) / (#BizAccess + #NoBizAccess + #BadAccess)
• The Above Measures are Proxies to Utility Function’s Components
• Cost represented as a function of the Provisioning and Compliance Investment Levels
Assumptions and Parameters [1/2]
• Model driven by a Set of Parameters:
− Provisioning, Compliance and Enforcement Investment Levels
− Status Initialization
− Threat Environment
− Events
− Processes
• Probability Distributions associated with these Parameters derived from audit logs, discussions with IAM Experts and IT Teams
• Probabilities related to Events modelled as Negative Exponentials
• Probabilities related to Likelihood of Mistakes, Faults, etc. vary depending on Levels of IAM Investments, in the [1,5] Range
Assumptions and Parameters [2/2]
• Examples of a few Parameters:
− User Events Frequency: New user: negexp (3.5 days), Leaving user: negexp (7 days), User change: negexp (30 days)
− Attack Events Frequency: Internal attack: negexp (10 days), External attack: negexp (10 days), Ex-worker attack: negexp (25 days)
− Provisioning Process: sysAdminFailureRate[1,5] = [1/50, 1/150, 1/250, 1/800, 1/1000]; bypassProvisioningApprovalRate[1,5] = [1/50, 1/100, 1/500, 1/1000, 1/1200]
− Audit Freq.: Audit activity: negexp (180 days)
• Considered a Population of 60 SAP Applications
• Model Initialised with a small set of Users (10) to explore Impact of Organisational Changes
Simulations: Predicting the Impact of Investment Choices
• Carried out Monte Carlo Simulations for a Simulated Period of 1 year
• Considered all Combinations of Provisioning and Compliance Investment Levels:
− Provisioning [1,5] × Compliance [1,5] → 25 Options
− Enforcement Level = 4
• For Each Combination the Model has been run 100 times to get Statistically Relevant Results
• Graphically represented the Predicted Average Values of the Proxy Measures associated with the Strategic Outcomes of Interest:
− Productivity (Proxy: Productivity)
− Security Risks (Proxy: Security Incidents)
− Compliance (Proxy: Audit Failures)
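A small discrete-event Monte Carlo of the provisioning side of the model, added here as an example; it is not the HP Labs GNOSIS model or any code from the presentation. It simulates one year of user joining and leaving events and ex-worker attacks, parameterised by the provisioning investment level, and reports the productivity proxy (#BizAccess + #BadAccess) / (#BizAccess + #NoBizAccess + #BadAccess) and the number of incidents, averaged over 100 runs as on the slide. The event inter-arrival means and the sysAdmin failure and approval-bypass rates per level are the values quoted on the "Assumptions and Parameters" slide; the approval-timeout rate, the hanging-account rate per level and the exploitation probability are constructed assumptions. Compliance checking, remediation and the internal/external attack processes are left out so the example stays short.

```python
"""Monte Carlo simulation of user provisioning, leaving and ex-worker attacks (added example)."""
import random
from dataclasses import dataclass
from typing import Tuple

DAYS_PER_YEAR = 365.0
# From the slides: negexp(mean) inter-arrival times and per-level failure rates.
JOIN_MEAN_DAYS, LEAVE_MEAN_DAYS, EXWORKER_ATTACK_MEAN_DAYS = 3.5, 7.0, 25.0
SYSADMIN_FAILURE_RATE = {1: 1/50, 2: 1/150, 3: 1/250, 4: 1/800, 5: 1/1000}
BYPASS_APPROVAL_RATE = {1: 1/50, 2: 1/100, 3: 1/500, 4: 1/1000, 5: 1/1200}
# Assumed (not from the slides): probability that both manager approvals are still
# missing after period T, and that a leaver's account is left hanging; both fall with investment.
APPROVAL_TIMEOUT_RATE = {1: 0.30, 2: 0.20, 3: 0.12, 4: 0.05, 5: 0.0}
HANGING_ACCOUNT_RATE = {1: 0.25, 2: 0.15, 3: 0.08, 4: 0.03, 5: 0.01}
EXPLOIT_HANGING_PROB = 0.5  # assumed: an ex-worker attack succeeds with this chance once a hanging account exists


@dataclass
class Status:
    biz: int = 0        # expected access, actually granted (cumulative over the year)
    nonbiz: int = 0     # expected access, not granted
    bad: int = 0        # access granted without authorisation / misconfigured
    active: int = 0     # accounts currently holding access
    hanging: int = 0    # ex-employee accounts never removed
    incidents: int = 0


def provision_outcome(rng: random.Random, bypass: float, timeout: float, sysfail: float) -> str:
    """One pass through the 'user joining' flowchart: returns BIZ, NONBIZ or BAD."""
    if rng.random() < bypass:
        return "BAD"                           # authorisation process bypassed
    if rng.random() < timeout:
        return "NONBIZ"                        # authorisations still missing after time T
    if rng.random() < sysfail:                 # sysAdmin misconfiguration
        return "BAD" if rng.random() < 0.5 else "NONBIZ"
    return "BIZ"


def productivity(s: Status) -> float:
    """Productivity proxy as defined on the 'Modelled Measures' slide."""
    denom = s.biz + s.nonbiz + s.bad
    return 1.0 if denom == 0 else (s.biz + s.bad) / denom


def simulate_year(level: int, seed: int) -> Status:
    """Three competing negative-exponential event streams, advanced in time order."""
    rng = random.Random(seed)
    s = Status()
    means = {"join": JOIN_MEAN_DAYS, "leave": LEAVE_MEAN_DAYS, "attack": EXWORKER_ATTACK_MEAN_DAYS}
    clocks = {kind: rng.expovariate(1 / mean) for kind, mean in means.items()}
    while True:
        kind = min(clocks, key=clocks.get)     # next event in time order
        now = clocks[kind]
        if now > DAYS_PER_YEAR:
            return s
        if kind == "join":
            outcome = provision_outcome(rng, BYPASS_APPROVAL_RATE[level],
                                        APPROVAL_TIMEOUT_RATE[level], SYSADMIN_FAILURE_RATE[level])
            setattr(s, outcome.lower(), getattr(s, outcome.lower()) + 1)
            if outcome != "NONBIZ":
                s.active += 1                  # the user now holds access
        elif kind == "leave" and s.active > 0:
            s.active -= 1
            if rng.random() < HANGING_ACCOUNT_RATE[level]:
                s.hanging += 1                 # removal never happened
        elif kind == "attack" and s.hanging > 0 and rng.random() < EXPLOIT_HANGING_PROB:
            s.incidents += 1                   # hanging account exploited by the ex-worker
        clocks[kind] = now + rng.expovariate(1 / means[kind])


def monte_carlo(level: int, runs: int = 100, seed: int = 0) -> Tuple[float, float]:
    """Mean productivity and mean incident count over independent one-year runs."""
    results = [simulate_year(level, seed * 10_000 + i) for i in range(runs)]
    return (sum(productivity(r) for r in results) / runs,
            sum(r.incidents for r in results) / runs)


if __name__ == "__main__":
    for level in range(1, 6):
        prod, inc = monte_carlo(level)
        print(f"provisioning level {level}: productivity={prod:.3f} incidents/year={inc:.2f}")
```

Note that, exactly as on the slide, a "Bad Access" counts towards productivity (the user can work) while it also feeds the attack process; this is why the two proxies pull in different directions and why the mapping step that follows needs both.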
Simulation: Outcomes for Productivity
[Figure: 3D surface of predicted Productivity (0 to 1) over Provisioning Investment Level (1 to 5) and Compliance Investment Level (1 to 5)]
• Productivity Increases almost 30% for Provisioning Investment Levels in the [2,4] Range. Saturates to 100% for Level = 5
• Marginal Impact of Compliance
Simulation: Outcomes for Audit Failures and Security Incidents
[Figure: (A) 3D surface of Audit - Access Failures (0 to 6) and (B) Total Security Incidents (0 to 3), each over Provisioning Investment Level (1 to 5) and Compliance Investment Level (1 to 5)]
• The number of Access Failures Decreases by Increasing Investments in IAM Compliance or Provisioning
→ Investment Trade-offs are potentially available
• Investments in IAM Compliance and Provisioning reduce Incidents
Mapping Predicted Outcomes Against Decision Maker’s Preferences
• Aiming at Identifying the Most Suitable IAM Investment Options for Provisioning and Compliance
• Mapping Predicted Outcomes (obtained from Simulations) against Decision Maker’s Elicited Preferences
• Focus on Top Decision Makers’ Preferences: Priority 1 or 2/3
• Mapping Predicted Outcomes in the Elicited Preference Graphs, along with Associated Compliance and Provisioning Investment Levels
Mapping Activity [1/2]
[Figure: Security Risks vs. Productivity. Left: Elicited Preferences (Priority 1 to 5 regions over Security Risks 0 to 8 and Productivity 88% to 102%). Right: Predicted Outcomes for the options (X,Y), X: Compliance Level, Y: Provisioning Level, plotted over Security Risks 0.9 to 2.1 and Productivity 0.94 to 1.01 with an arrow of Increasing Costs; the options shown are (1,5), (2,5), (3,5), (4,5), (5,5) and (3,4)]
• To Achieve Decision Maker’s Priority 1 Prefs → Provisioning Level = 5
• Actually, any Compliance Investment Level would be Suitable
Mapping Activity [2/2]
[Figure (A): Productivity vs. Compliance. Left: Elicited Preferences (Priority 1 to 5 regions over Compliance 0 to 8 and Productivity 88% to 102%). Right: Predicted Outcomes for the options (X,Y), X: Compliance Level, Y: Provisioning Level: (1,5), (2,5), (3,5), (4,5), (5,5), (1,4), (2,4), (3,4), (4,4), (5,4), plotted over Compliance 0 to 2.5 and Productivity 0.94 to 1.01 with an arrow of Increasing Costs]
[Figure (B): Security Risks vs. Compliance. Left: Elicited Preferences (Priority 1 to 5 regions over Security Risks 0 to 12 and Compliance 0 to 9). Right: Predicted Outcomes for the options (5,1), (4,1), (3,2), (2,2), (4,2), (5,2), (1,3), (2,3), (3,3), (4,3), (5,3), (2,4), (3,4), (5,4), (5,5), plotted over Security Risks 0 to 2.5 and Compliance 0 to 3.5 with an arrow of Increasing Costs]
• Figure (A) shows that to Achieve Decision Maker’s Priority 1 Preferences it is required to have Provisioning Investment Level = 5
• Figure (B) shows Acceptable Investment Options:
− Provisioning Investment Levels = [2,5]
− Compliance Investment Levels = [4,5]
Analysis: Required IAM Investment Levels [1/2]
• To Achieve Decision Maker’s Priority 1 Preferences, the required IAM Investments are:
− Provisioning Investment Level = 5
− Compliance Investment Level = 4
• These Results are not Surprising:
− Decision Maker biased towards High Productivity
− This can be achieved with high Investment Levels for Compliance and Provisioning, at high costs
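The mapping step itself, as an added example (not code from the presentation): the two questionnaire tables are the rows shown on the "Elicitation of Strategic Preferences [4/5]" slide, while the predicted proxies per (compliance, provisioning) option are constructed stand-ins for simulation results, not the values plotted on the mapping slides. The slides read a predicted point's priority off the preference graph by eye; here each predicted point inherits the priority of the nearest elicited questionnaire point (Euclidean distance after scaling each axis by its elicited range), which is an assumption about how to automate that step. Options whose predicted incidents exceed the Phase II maximum (3) are rejected before scoring, and an option is kept only if its worst pairwise priority is within the requested bound.

```python
"""Mapping predicted outcomes onto elicited preference questionnaires (added example)."""
from typing import Dict, List, Sequence, Tuple

Row = Tuple[float, float, int]  # (x, y, priority)

# Security Risks (incidents / year) vs Productivity, priority 1..5: rows from the slide.
SECURITY_VS_PRODUCTIVITY: List[Row] = [
    (1, 1.00, 1), (2, 0.99, 1), (2, 0.98, 3), (3, 0.98, 5), (2, 1.00, 1),
    (1, 0.99, 1), (3, 0.97, 5), (3, 1.00, 1), (2, 0.97, 3), (3, 0.96, 5),
    (7, 0.95, 5), (5, 0.90, 5), (4, 0.98, 5), (5, 0.97, 5), (4, 1.00, 1),
    (5, 1.00, 1), (6, 0.98, 5), (4, 0.97, 5), (2, 0.95, 3), (1, 0.90, 4),
]
# Productivity vs Compliance (audit findings / year), priority 1..5: rows from the slide.
PRODUCTIVITY_VS_COMPLIANCE: List[Row] = [
    (1.00, 1, 1), (0.99, 1, 1), (0.98, 2, 2), (0.97, 3, 3), (0.96, 5, 5),
    (0.95, 7, 5), (1.00, 2, 3), (0.99, 2, 3), (0.98, 1, 2), (0.98, 3, 3),
    (0.97, 4, 4), (0.95, 5, 5), (1.00, 3, 3), (0.99, 3, 3),
]
ELICITED_MAX_INCIDENTS = 3  # Phase II "Max" value for Security Risks


def nearest_priority(table: Sequence[Row], point: Tuple[float, float]) -> int:
    """Priority of the elicited row closest to `point`, each axis scaled by its range
    so that incidents (1..7) and productivity (0.90..1.00) weigh equally."""
    xs = [r[0] for r in table]
    ys = [r[1] for r in table]
    sx = (max(xs) - min(xs)) or 1.0
    sy = (max(ys) - min(ys)) or 1.0

    def dist2(row: Row) -> float:
        return ((row[0] - point[0]) / sx) ** 2 + ((row[1] - point[1]) / sy) ** 2

    return min(table, key=dist2)[2]


# Constructed predicted proxies per option (compliance_level, provisioning_level):
# mean incidents / year, mean productivity, mean audit findings / year.
PREDICTED: Dict[Tuple[int, int], Dict[str, float]] = {
    (1, 1): {"incidents": 4.0, "productivity": 0.85, "findings": 6.0},
    (5, 1): {"incidents": 2.6, "productivity": 0.91, "findings": 4.5},
    (3, 4): {"incidents": 1.6, "productivity": 0.965, "findings": 2.0},
    (1, 5): {"incidents": 1.2, "productivity": 0.995, "findings": 3.0},
    (4, 5): {"incidents": 1.1, "productivity": 0.995, "findings": 1.1},
    (5, 5): {"incidents": 1.0, "productivity": 1.00, "findings": 1.0},
}


def option_priorities(proxies: Dict[str, float]) -> Tuple[int, int]:
    """(Security Risks vs Productivity priority, Productivity vs Compliance priority)."""
    return (nearest_priority(SECURITY_VS_PRODUCTIVITY, (proxies["incidents"], proxies["productivity"])),
            nearest_priority(PRODUCTIVITY_VS_COMPLIANCE, (proxies["productivity"], proxies["findings"])))


def suitable_options(predicted: Dict[Tuple[int, int], Dict[str, float]],
                     max_priority: int) -> List[Tuple[int, int]]:
    """Options within the elicited incident tolerance whose worst pairwise priority
    is at most `max_priority`, sorted by (compliance, provisioning) level."""
    chosen = []
    for option, proxies in predicted.items():
        if proxies["incidents"] > ELICITED_MAX_INCIDENTS:
            continue                      # outside the Phase II acceptable range
        if max(option_priorities(proxies)) <= max_priority:
            chosen.append(option)
    return sorted(chosen)


if __name__ == "__main__":
    for option, proxies in sorted(PREDICTED.items()):
        print(option, option_priorities(proxies))
    print("priority-1 options:", suitable_options(PREDICTED, 1))
```

With these constructed inputs the low-compliance option (1,5) scores priority 1 on the security/productivity pair but only priority 3 on the productivity/compliance pair, so it drops out when priority 1 is required on both, which is the same shape of conclusion the slides draw (provisioning 5 is necessary, compliance has to be high as well).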
Analysis: Required IAM Investment Levels [2/2]
• Conclusions Validated by Decision Maker
→ Feasible and Realistic
• Enabled Decision Maker to Reassess their Preferences and Priorities
• Follow-up Refinement currently in Progress
• Encouraging Results, as it provided the Decision Maker with New Ground for Analysis and Decisions at the Business Level to act on
Discussion
• In this IAM Case Study the Decision Maker had a Clear Idea of their Priorities and a Large IAM Budget. This is not always the case …
• In Real World situations, Multiple Decision Makers might be involved
→ Further Complexity and need to identify Trade-offs …
• Our approach can be used to Explore these different Viewpoints
• Additional work necessary to instantiate Decision Makers’ Utility Functions
→ Our current Work only Provides an Empirical Estimate
Conclusions
• We Presented an Approach to Support Decision Makers in defining their IAM Strategies
• Methodology involving:
− Exploring and Eliciting Decision Makers’ Preferences for Strategic Outcomes
− Using System Modelling and Simulation to Predict and Analyse the Impact of IAM Investments
− Mapping these Predicted Outcomes to Identify the Most Suitable Investment Options
• Methodology successfully Applied in an IAM Case Study
• Results validated by Senior Security and IAM Expert
• Further Refinement and Work Required. Work in Progress …
Thanks and Q&A
Contact: Marco Casassa Mont, HP Labs, [email protected]
7/17/2015