Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, August 8, 2007

More on the “Enterprise IdM Risk Management” Service …

Yesterday I provided more details about my view of the “Enterprise Identity Registry” Service (a.k.a. “Enterprise Identity Census” Service, a.k.a. “Enterprise Identity Tracing” Service, …). As discussed, this service (leveraging a mixture of manual and automated processes) stores and manages a rich (hopefully up-to-date …) set of metadata about data repositories (of various types) that contain identity and personal information.

As anticipated, this service provides the foundation for the “Enterprise IdM Risk Management” Service. More generally, the “Enterprise IdM Risk Management” Service is fed with the following information:

  • Metadata about identity information stored in various data repositories;
  • Other events/logs of relevance, collected directly from controlled data repositories and/or other solutions already dealing with this aggregation of information;
  • Knowledge base consisting of policies (rules) on how data should be used/processed/managed, dictated by security, privacy and business constraints;
  • Representation of Risks for identity information (based on known contexts and processes), related Threats and mitigation information: this information is linked to the policy-driven knowledge base mentioned above;
  • Exceptional cases/situations to be handled in specific ways.

In my view, the “IdM Risk Management” Service should provide (at least) two basic types of functionalities:

  • Risk Detection and Management: identity metadata and collected events are periodically checked against the knowledge base to identify potential risks and threats, send alerts and propose mitigation steps. For example, this functionality should be able to detect that a “copy” of a set of identity data has been made in a location where this data cannot be stored (let’s say due to privacy policies), or that some content of a data repository should be deleted because its expiration date has passed; it should then identify the related risks and alert administrators/responsible people;
  • What-if Risk Analysis/Decision Support: this service can provide decision support (based on what-if analysis) using contextual information provided by the user, the existing knowledge base and the risk/threat models. For example, a user or administrator might ask what happens if they copy a data repository from one location to another, or if they store personal data on their laptop, etc. This service should highlight potential risks/threats and suggest mitigations.
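To make the two functionalities concrete, here is an added toy example (not code from the post or from HP Labs) of a rule checker that runs registry metadata against a small policy knowledge base and reuses the same check for what-if analysis of a hypothetical copy. The policy table, the repository records, the regions, the retention periods and the dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy knowledge base (assumption, not from the post): for each
# identity data category, the regions allowed to hold it and the retention limit.
POLICY = {
    "customer_pii": {"allowed_locations": {"EU"}, "retention_days": 365},
    "employee_hr": {"allowed_locations": {"EU", "US"}, "retention_days": 730},
}

@dataclass(frozen=True)
class Repository:
    """Metadata record as the identity registry service would hold it."""
    name: str
    location: str          # region where the data physically resides
    categories: frozenset  # identity data categories stored there
    stored_on: date        # when the data was stored; drives expiration

def detect_risks(repos, today):
    """Check registry metadata against POLICY; return (repo, risk, mitigation)."""
    findings = []
    for r in repos:
        for cat in sorted(r.categories):
            rule = POLICY.get(cat)
            if rule is None:
                findings.append((r.name, f"unclassified category '{cat}'",
                                 "classify the data and define a policy"))
                continue
            if r.location not in rule["allowed_locations"]:
                findings.append((r.name, f"{cat} held in {r.location}, allowed: "
                                 f"{sorted(rule['allowed_locations'])}",
                                 "delete the copy or move it to an allowed region"))
            if (today - r.stored_on).days > rule["retention_days"]:
                findings.append((r.name, f"{cat} past {rule['retention_days']}-day retention",
                                 "delete or anonymise the expired records"))
    return findings

def what_if_copy(source, target_location, today):
    """Decision support: risks that would arise if 'source' were copied to
    'target_location' today, evaluated without touching the real registry."""
    hypothetical = Repository(f"{source.name}-copy", target_location,
                              source.categories, today)
    return detect_risks([hypothetical], today)

# Constructed sample registry: one compliant CRM store and one stale HR archive.
TODAY = date(2007, 8, 8)
CRM = Repository("crm-db", "EU", frozenset({"customer_pii"}), date(2007, 1, 15))
HR_ARCHIVE = Repository("hr-archive", "US", frozenset({"employee_hr"}), date(2005, 3, 1))
```

Running `detect_risks([CRM, HR_ARCHIVE], TODAY)` flags only the expired HR archive, while `what_if_copy(CRM, "US", TODAY)` warns before the copy is made that customer PII may not be held in that region.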

This service is quite interesting both from an R&D perspective and for the potential (business) value it can provide. Of course, much work has already been done (and technologies developed) in the areas of Risk Management, Decision Support Systems and What-if Analysis.

However, I believe there is an opportunity (and R&D challenge) in applying these techniques (and potentially related technologies) in the specific context of Enterprise Identity Management and providing simple-to-use services, accessible to employees and eventually to business partners and end-users.
