I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:
(1) Risk Analysis and Management in the space of Identity Management
(2) Identity Analytics
My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) providing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach where the “risk assessment” is done against predefined policies and/or well defined situations.
So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) to explore trade-offs in the Identity Management space (e.g. making investments in education vs IT solutions vs outsourcing vs etc.) to understand the impact on factor of relevance for an organisation (e.g. costs, reputation, losses, trust, etc.), make compelling decisions and potentially help them to define suitable policies.
A specific example would be decision support solutions that help understanding the trade-offs between adopting (in an organisation) the usage of strong passwords, SSO, multi-factor authentication, etc. against involved costs, the value of the assets to be protected, the kind of involved users and the actual benefits in terms of security. More in general these solutions should provide insights about potential trade-offs between various possible choices in the IdM space (in terms of authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the involved complexity …
Is anybody aware of specific research/work/solutions in this space?
CIOs/CISOs are increasingly asked to justify the reasons behind their security investments and/or have to make investment choices that must “maximise” their “expected outcomes” based on ever-shrinking budgets. I see the opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment