Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, July 27, 2010

Applying HP Labs Identity Analytics to the IAM area

In two recent posts of mine, I provided additional information about what the HP Labs Identity Analytics is and how it relates to the Security Analytics initiative.

In the past three years we have been doing a lot of work in applying this methodology and approach (along with our tools) to different IAM areas.

At this stage, I thought it would be of interest to share additional details about some of these areas of relevance where HP Labs Identity Analytics has been successfully used and how this has been achieved. This includes:
  • Access Management area: in a few case studies carried out with customers we explored their current access management processes, inclusive of their provisioning and deprovisioning processes. We investigated aspects of concern, such as their risk exposure and productivity, by agreeing specific metrics. We took into account trade-offs of relevance to the customers. We considered risk exposure due to: privileged hanging accounts generated by process failures, misbehaviours by employees and managers, and steps that could be easily bypassed. We factored in the implications of specific threat environments. We used modelling and simulations to deal with “what-if” analysis, for example by adding more IAM automation or changing some of the existing processes.
  • Compliance Checking and Auditing area: we explored the effectiveness of an organisation's compliance checking teams and their capabilities in identifying and remediating violations and failures (e.g. SOX compliance), based on assumptions coming from the field, such as the applications and services involved, the population of users and their accounts, the likelihood of failures in the process of managing access rights, etc. We used modelling and simulations to compare and contrast the outcomes of these compliance checking processes against auditing processes, to identify ways of further improvement.
  • Data Leakage: we used modelling and simulation to investigate how employees use, store, handle and disclose confidential data and the overall impact in terms of data leakage. We considered the organisational data flows, involving people, systems and organisational groups. We factored in the risk mitigation introduced by existing organisational controls (e.g. DRM, encryption, interception and filtering of emails). We explored how changes in processes, behaviours and control points affect the organisational data leakage. Specific areas of investigation have been around the adoption of (1) social networking by employees and (2) usage of collaborative/sharing tools and the impact on data leakage.
  • Job Design: we used modelling and simulations to explore the implications of specific job designs, i.e. the impact that the definition of roles and the association of access rights (for a population of workers) has on an organisation, under different assumptions and hypotheses. Specifically we investigated the impact in terms of risks and how changes can affect this risk, taking into account operational constraints, people skills and potential threats.
  • Password Management: we used social studies, coupled with modelling and simulations to explore the impact that people’s behaviours, system constraints and organisational policies have on passwords and their management. We investigated the risk exposure that organisations have, as a consequence of this, and how this risk could vary by changing some of the involved factors, such as password policies and IT control points.

Additional areas I am currently exploring (from an R&D perspective) include:

  • Cloud computing, impact and effectiveness of related IAM solutions in managing accounts and protecting resources - from the perspective of different stakeholders
  • Identity and Privacy assurance: which approach is most suitable to adopt to increase the level of assurance on how identities, credentials and personal data are used, managed and disclosed, from the perspective of different stakeholders
  • Role of Federated Identity Management, within and across organisations. Impact on productivity, costs and risk exposure
  • Role of different Authentication mechanisms and their actual impact both in terms of mitigating risks and dealing with productivity & costs aspects
  • Economics of IAM

Again, various case studies, investigations and analysis have been carried out with a top-down approach, driven by customers’ needs, their questions/problems and an understanding of the involved business and IT processes, people behaviours and threat environment.

Additional public material on our HP Labs Identity Analytics work can be found here.


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

Wednesday, July 21, 2010

On Security Analytics: Putting the Science into Security Management

In a previous post of mine, I mentioned the Security Analytics initiative. I promised to provide more details. Here they are.

I attach a datasheet called “Security Analytics: Putting the Science into Security Management”, by Vistorm (an HP Company).

The IAM area (and the HP Labs Identity Analytics activity) is covered in Security Analytics. Hopefully the datasheet will provide more details.

Here is an extract from the introduction:

“As the pressure on business increases so does the complexity of the security challenges. As a result security teams are finding it increasingly harder to achieve, measure and communicate a measurable reduction in business risk.

So how should a security team determine the best possible strategy: How much should be spent; what should be prioritised; what trade-offs to accept between lowered risk and business disruption; how to champion and justify security decisions to the business?

Vistorm, an HP Company and HP Labs have a shared vision for next generation security management: one that helps our clients achieve a measurable reduction in business risk along with a lower long term investment in information security.

Security Analytics is at the heart of this vision and is about creating tools and methodologies to address rigorously the challenges that security teams face in driving more effective security strategies. …”

Here are more details about the currently available Packaged Security Analytics:

“By combining Vistorm’s expertise in security governance with HP Labs’ expertise in security research we are able to offer a packaged consulting engagement featuring repeatable, short term engagements to address security management challenges (people, process, policy and technology) in two key areas:

  • Vulnerability and threat management (VTM), and
  • Identity and access management (IAM).

The value of these engagements is:

  • a rigorous exploration of your (VTM or IAM) system, with prediction and ‘what-if’ capabilities
  • shared multi-stakeholder understanding of the business and security trade-offs
  • justified decision making
  • the introduction of science into your information security management system (ISMS), and the opportunity to expand.”



Monday, July 19, 2010

HP Labs Identity Analytics – What is this all about?

Thanks to the readers that sent me many comments and questions about my recent post about HP Labs Identity Analytics.

An interesting request I received was to provide more details about HP Labs Identity Analytics and compare and contrast it against other initiatives using a similar “label”.

Indeed, the “Identity Analytics” label is becoming more and more a buzzword, with different meanings depending on who uses it.

In the context of HP Labs (HPL), Identity Analytics is part of the wider Security Analytics R&D project and initiative aiming at providing strategic decision support in the (information) security space.

In a coming post I will describe, in more detail, how HP Labs are currently transferring Security Analytics (inclusive of Identity Analytics), its approach, methodology and related tools to HP business groups and the kind of services to be provided to customers.

However, in this post, I am going to address the request mentioned above.

So what is “HPL Identity Analytics” all about? How is it different from other initiatives?

Let’s start by discussing what HPL Identity Analytics is about.

As mentioned in past blogs, HPL Identity Analytics aims at providing strategic decision support to security decision makers (e.g. CISOs) in the space of IAM.

HPL Identity Analytics has so far been used in case studies and customer engagements.

We start by understanding customers’ problems and their key questions. For example: what is the risk exposure of my company, related to the management of access control and access rights? How effective are my IAM provisioning and deprovisioning processes? What are the implications of increasing/decreasing my IAM investments, in terms of productivity, security risks, compliance and costs? Which degree of risk mitigation is actually introduced? Which IAM investment trade-offs should I consider?

By using modelling techniques we represent, with a rigorous and scientific approach, current organisational IAM processes (e.g. access management processes, provisioning/deprovisioning, authentication and authorization approaches, compliance management, auditing, etc.), their impact on underlying IT infrastructures, people behaviours and various implications due to internal and external threats. We capture the core cause-effect relationships that underlie process failures and that are of relevance to a variety of concerns, including risk exposure, productivity, costs, etc.

We jointly define the metrics and measures with the customers to ensure that we can convey the relevant findings and outcomes in a way that actually addresses their questions and problems.

We develop models in collaboration with the customers, by understanding their processes and operational contexts. We iterate models and use simulations to ensure they are representative of the reality.

Then, we use our modelling to carry out what-if analysis, i.e. to explore different scenarios, where, for example, we simulate the introduction of new IAM controls or process changes. We convey the outcomes to the customers by means of reports, to create awareness of the implications of their potential choices.

For more information, please read some of the technical reports and documentation available here.

So how is HP Labs Identity Analytics different?

Our approach is top down.

Most of the other approaches are bottom-up. They aim at collecting and processing large amounts of data from the IT infrastructure and IAM solutions. They use business intelligence to aggregate data and present it.

These approaches are definitely valuable and work fine if you have full control of the IT infrastructure, if all your systems are instrumented and if the deployed solution is pervasive. However, my personal experience (based on some evidence gathered from customers …) is that most organisational realities are far from this ideal situation. Different organisational groups within enterprises can have different IAM processes in place, ranging from ad-hoc to automated ones. Different IAM solutions might have been deployed. There is a scarcity of information. Processes can be broken, bypassed or adapted to needs. Furthermore, in many cases only coarse-grained assumptions are made about the potential (internal and external) threats, their actual impacts and how the current controls effectively address them, on an ongoing basis.

In these cases, I believe that it might be problematic to make sense of what actually happens in the organisation with just a bottom-up approach. As an analogy, it would be like trying to understand what a complex, distributed solution does at the business level by trying to analyse snippets of assembler code …

With the top-down Identity Analytics approach, developed at HP Labs, we focus on the root causes; we capture the essence of the involved processes, people behaviours and threats. We model the cause-effect relationships that are of relevance to answer the problems highlighted by the decision makers.

We indeed need data coming from the field (empirical data), however this data consists of very specific information, relevant to describe the processes and modelled entities. In absence of data, various hypotheses are explored, with “what-if” analysis.

In summary, we are talking about two different approaches to Identity Analytics, the HP Labs’ one being the only one (I am aware of) that comes from a top-down perspective.

I personally believe that the best of the two approaches (top-down and bottom up) should be combined and dynamically tuned together, to fully address customers’ needs, based on their specific contexts and organisational situations.


Thursday, July 15, 2010

URGENT: Looking for Public data, Statistics and Surveys about Insider Threats related to Misuses of User Accounts within Enterprises

I am urgently looking for public data, statistics and any information that provide a quantitative analysis of threats related to insider attack and misuses of employees’ user accounts (within organisations).

For example, I found a survey by Cyber-Ark – the annual “Trust, Security and Password” survey – where 400 IT professionals (working for UK and US enterprises) were interviewed. This survey revealed that 33% of interviewed people had access to resources and data that were not relevant to their role. When asked if they would consider taking a form of sensitive data from their present employer if they ever left, over 85% said they would.

Other statistics of some interest: here, here and here.

I have been looking for this kind of information on the web but so far I have found only a few solid analyses of the problem and surveys. Just a lot of words and common sense statements …

I need this kind of information to add references to a set of reports aiming at exploring and analysing the impact of IAM automation on enterprise access management processes.

Any help, consisting of links and references to publicly available information, would really be appreciated.



Tuesday, July 13, 2010

If “Identity Management is a Pain in the Backside” is Identity Analytics the Cure?

I fully agree with the content of this article, called “Identity management is a pain in the backside”.

The IAM area is complex. It requires huge investments (often millions of $) and usually it ends up with expensive deployed IAM solutions that only partially address the needs and mitigate the risk exposure of organisations.

In particular the provisioning and deprovisioning processes are critical as they expose organisations to many security risks. I have been hearing this message from many customers.

Part of the problem is that it is difficult, even for expert decision makers, to understand what the implications (and the impact) are of making decisions and investments in IAM. Various aspects should be taken into account, including the relevant IAM and business processes, people behaviours, the threat environment, current IT infrastructure and systems, etc.

This is why at HP Labs we are exploring approaches to address this type of issue, broadly in the context of security and, more specifically, in the context of IAM.

Our HP Labs Security and Identity Analytics methodology (and modelling & simulation tools) has already been validated in a few core case studies with customers from the financial and government environment.
I would like to remind readers that this Security and Identity Analytics approach is a top-down approach, based on a rigorous scientific methodology, to provide decision support to strategic decision makers: modelling and simulation techniques are applied to represent the involved processes, IT systems, people behaviours and threats. What-if analysis is carried out to explore options. This is different from more traditional bottom-up analytic approaches, aiming at providing support by analysing and correlating wide sets of low-level data.
As discussed in this blog post of mine, I am interested in applying Identity Analytics in a few additional case studies with customers.

Thanks to the many organisations and people that have already stated their interest in engaging in a case study. I am planning to wait 1-2 additional weeks and then I’ll choose 1-2 companies to start engaging with.



Saturday, July 10, 2010

On Cloud Security Analytics

In previous posts of mine I discussed the work we are doing at HP Labs in the space of Security and Identity Analytics.

Cloud Computing is an area where Security (and Identity) Analytics can help to explore hot questions and tension points. Specifically, it can be used to analyse the implications of moving IT processes and applications/services in the cloud, the impact on Identity and Access Management processes and the involved risks.

In this context, Security Analytics can help to explore trade-offs (e.g. security risks vs. cost cutting) and analyse various decision options, taking into account the relevant security and business risks … Economics are going to play a key role here, too, to better understand decision makers’ strategic business priorities and security preferences and provide targeted decision support.

I would like to remind readers that our Security Analytics approach is a top-down approach, based on a rigorous scientific methodology, to provide decision support to strategic decision makers: modelling and simulation techniques are applied to represent the involved processes, IT systems, people behaviours and threats. What-if analysis is carried out to explore options. This is different from more traditional bottom-up analytic approaches, aiming at providing support by analysing and correlating wide sets of low-level data.

So here is a new buzzword: “Cloud Security Analytics” ...

More to come …


From “Static” Personal Web Pages to a Personal and Dynamic Information Hub?

I eventually managed to update my personal web page.

Now I can see how traditional, static personal web pages are rapidly getting out of fashion, compared to the up-to-date information you can share with your personal social networking sites, blogs, etc. On the other hand, these pages still enable the owner to have degrees of control on the structure and the organisation of the information, something that is hard to achieve with other social networking sites …

So, I am running an experiment, i.e. exploring a hybrid approach to personal web pages, where in addition to almost “static pages” there are feeds from various “more dynamic” personal sites, such as blogs and Twitter.

In other words a personal web page becomes the hub of various personal feeds along with some clever manipulation and mapping of the information … Of course by keeping into account basic privacy aspects …

From a technological perspective nothing new, but I guess the challenge is how to organise and mash-up these personal feeds to provide some sense and a controlled structure to the information …

For the time being, I just wanted to add to my personal web page a “blog feed widget” but so far I haven’t yet found anything satisfactory. Any link or suggestion is welcome … Of course I had no such problem finding and adding a Twitter feed from my Twitter account.


Papers accepted at TrustBus 2010 and SECRYPT 2010 Conferences

Two papers that I co-authored with colleagues have been accepted at two International Conferences:

TrustBus 2010:
Authors: Gina Kounga, Marco Casassa Mont, Pete Bramhall
Title: Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

SECRYPT 2010:
Authors: Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont and Siani Pearson
Title: ENCORE: TOWARDS A HOLISTIC APPROACH TO PRIVACY

Both papers discuss recent R&D work and activities carried out in the context of the EnCoRe project (Ensuring Consent and Revocation).


Sunday, July 4, 2010

Looking for a customer engagement (case study) in Security Analytics – IAM, Access Management & Provisioning/Deprovisioning Processes

I am in the process of successfully finalising a case study with a major HP customer, in the government area, in collaboration with Vistorm (an HP company).
The customer was interested in better understanding their current risk exposure due to their access management processes and the impact of adopting IAM automation.
An IAM case study has been jointly run to:
1. Identify suitable metrics to convey their risk exposure (e.g. in terms of overall time to provision/deprovision user accounts, impact of hanging accounts, shared accounts, super user accounts, etc.)
2. Model their current access management processes (specifically their provisioning and deprovisioning processes) and run simulations
3. Convey to the customer an estimate of their current risk exposure, based on shared assumptions
4. Model and simulate the impact on the risk exposure in case IAM automation were adopted
In this case study I used our HPL Security and Identity Analytics methodology, jointly with our modelling and simulation tools.
It really helped us to refine our approach, get a template of IAM provisioning/deprovisioning processes and the customer to have a better understanding of their risk exposure and impact of various investment options.
I am now looking for another “customer” (medium-large organisation, possibly), interested in running a similar case study, to have a second validation point and get further input, possibly in a different business context. As a counterpart, you will receive an assessment of your IAM processes and a “what-if” analysis.
Please do not hesitate to contact me for any question and/or to get more details about engaging in a Security Analytics case study with HP Labs.
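The four steps above (agree metrics, model the provisioning/deprovisioning process, simulate, then run a what-if on IAM automation) in a small runnable form, which also covers the Access Management bullet in the later post on applying Identity Analytics to IAM areas. This is an added example written for this page, not HP Labs' modelling tool nor the model built with the customer: the process shape is a simplification, and every number in it (the notification and per-system delay ranges, the 8% versus 1% chance that a system is forgotten, a 90-day access review, six accounts per leaver, 15% of them privileged) is a constructed, hypothetical parameter to be replaced by values agreed with the organisation.

```python
# Constructed Monte Carlo model of a leaver deprovisioning process.
# All process parameters below are hypothetical numbers chosen for illustration;
# they are not figures from the HP Labs case study.
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessParams:
    """Assumed shape of one deprovisioning process variant."""
    name: str
    notify_delay_days: tuple      # (min, max) uniform: leave date -> IT notified
    per_system_delay_days: tuple  # (min, max) uniform: notification -> account disabled
    p_step_skipped: float         # chance one system is forgotten (a hanging account)
    audit_period_days: int        # periodic access review that catches hanging accounts
    systems_per_user: int         # accounts a typical leaver holds
    privileged_fraction: float    # share of those accounts carrying privileged rights


@dataclass
class LeaverOutcome:
    exposure_account_days: float     # sum over accounts of days active after leave date
    privileged_exposure_days: float  # same, privileged accounts only
    hanging_accounts: int            # accounts only closed by the periodic audit
    time_to_complete_days: float     # when the last account was disabled


def simulate_leaver(params: ProcessParams, rng: random.Random) -> LeaverOutcome:
    """Play one leaver through the process and record the resulting exposure."""
    notified_at = rng.uniform(*params.notify_delay_days)
    exposure = privileged_exposure = 0.0
    hanging = 0
    completed_at = notified_at
    for _ in range(params.systems_per_user):
        privileged = rng.random() < params.privileged_fraction
        if rng.random() < params.p_step_skipped:
            # Step skipped: the account lingers until the next review, which is
            # assumed to fall uniformly within one audit period of the leave date.
            disabled_at = notified_at + rng.uniform(0, params.audit_period_days)
            hanging += 1
        else:
            disabled_at = notified_at + rng.uniform(*params.per_system_delay_days)
        exposure += disabled_at
        if privileged:
            privileged_exposure += disabled_at
        completed_at = max(completed_at, disabled_at)
    return LeaverOutcome(exposure, privileged_exposure, hanging, completed_at)


def simulate(params: ProcessParams, leavers: int, seed: int = 0) -> dict:
    """Run many leavers and aggregate the agreed risk-exposure metrics."""
    rng = random.Random(seed)
    outcomes = [simulate_leaver(params, rng) for _ in range(leavers)]
    times = sorted(o.time_to_complete_days for o in outcomes)
    return {
        "process": params.name,
        "mean_exposure_account_days": statistics.mean([o.exposure_account_days for o in outcomes]),
        "mean_privileged_exposure_days": statistics.mean([o.privileged_exposure_days for o in outcomes]),
        "hanging_accounts_per_100_leavers": 100.0 * sum(o.hanging_accounts for o in outcomes) / leavers,
        "mean_time_to_complete_days": statistics.mean(times),
        "p95_time_to_complete_days": times[min(len(times) - 1, int(0.95 * len(times)))],
    }


# Two what-if variants of the same process (hypothetical parameters).
MANUAL = ProcessParams("manual", (1, 10), (0.5, 5), 0.08, 90, 6, 0.15)
AUTOMATED = ProcessParams("automated", (0, 1), (0.0, 0.1), 0.01, 90, 6, 0.15)


def what_if(leavers_per_year: int = 500, seed: int = 42) -> dict:
    """Compare the current (manual) process against adopting IAM automation."""
    return {p.name: simulate(p, leavers_per_year, seed) for p in (MANUAL, AUTOMATED)}


if __name__ == "__main__":
    for name, metrics in what_if().items():
        print(name, {k: round(v, 2) for k, v in metrics.items() if k != "process"})
```

The returned metrics correspond to the ones listed in step 1: time to deprovision (mean and 95th percentile), the rate of hanging accounts, and exposure measured in account-days, reported separately for privileged accounts. A what-if is simply a second `ProcessParams` with the changed delays or failure probabilities; because the random generator is seeded, two variants are compared on the same draws, so a difference in the output reflects the process change rather than sampling noise.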


Part II: Looking for Case studies and information about (Security) Compliance Management Processes with Organisations

In a previous post of mine, I wrote that: “In the context of the HP Labs Security and Identity Analytics projects, I am interested in exploring how to use modelling and simulations to support decision makers in making strategic decisions on compliance management, within their organisations. …”

Thanks to all the people who provided their input and feedback.

I would like to clarify also a few points:

1. I am indeed looking for different case studies involving compliance management, e.g. for SOX, PCI, etc.

2. My specific interest is on the actual organisational processes and steps that have been put in place to deal with the compliance requirements.

The goal is to use our modelling and simulation approach to represent these processes and make further deductions, based on what-if analysis.

Of course, public case studies and/or non-confidential information is welcome in the context mentioned above.



Next W3C PLING Phone Conference – 13 July 2010 – Invited Talk by Pete Bramhall, EnCoRe Director

The next W3C PLING Teleconference is July 13th: http://www.w3.org/Policy/pling/wiki/2010-07-13

Exciting news. This time we have an Invited Talk.

Pete Bramhall (Senior Project Manager at HP Labs and EnCoRe Director) will present: "On the UK Collaborative EnCoRe Project: Ensuring Consent and Revocation".

Here is an abstract of the talk:
“EnCoRe – Ensuring Consent and Revocation – is a research project, being undertaken by UK industry and academia, to give individuals more control over their personal information. This Invited Talk provides an overview of the project, its goals and requirements and its current achievements in the space of privacy management, policies and privacy-aware access control. Additional information: http://www.encore-project.info/”

I encourage this audience to attend and interact with Pete in a Q&A session after the presentation.

Here are some articles related to a recent press and media event about the EnCoRe project:
http://www.economist.com/blogs/babbage/2010/06/personal_data
http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool
http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_-_prototype_system_unveiled_by_EnCoRe_/
