Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, September 30, 2010

Identity and Access Management: The Next Big Thing …

One of the drivers and motivations of this blog is to debate and explore the evolution of Security and Identity and Access Management (IAM) – beyond the current solutions and approaches – and identify new trends and opportunities.

Let’s focus on the IAM area – at least in this blog post.

I must say that in the last 5 years there has been a strong consolidation of the IAM offerings and suites available on the market. They are pretty much equivalent as they offer similar functionalities in a well defined set of areas.

A promising area (perceived as the next big thing 3-5 years ago), Identity Federation Management, has not really taken off (yet), as far as I know, outside enterprise environments and low-risk transactions on the web. New challenges posed by access control and identity management in the Cloud might indeed revive this area, but that remains to be fully proven …

Is “classic” IAM rapidly commoditising? I really think so … Are there major margins of growth for traditional IAM solution providers? I am not convinced (but I’d like to hear about rigorous and substantiated market forecasts …).

So, what is the next big thing in this space? What is really going to change the IAM landscape and differentiate from what is currently out there?

This is a question open to all readers. Feel free to send your views and opinions.

Here are my initial thoughts.

First of all, it would be more correct to think about what “the next big thing” is going to be for specific verticals (e.g. consumers, enterprises, etc.) …

In the context of enterprises, I am currently reflecting on the various inputs and the experience I have been gathering by interacting with customers and consultants.

Organisations are increasingly questioning the large and expensive investments in the IAM space. The classic message that “you should buy this IAM suite and related service as it will help you reduce costs & risks and increase productivity (trust us)” is not going down so well anymore. From what I understand, customers increasingly want a clear assessment and evidence underpinning these statements.

This is more and more reflected by an approach to IAM driven by rigorous Risk Assessment – driven by business awareness, knowledge of suitable trade-offs and an understanding of the risk appetite of the organisation as well as the threat landscape. Decision makers in this space are moving up the management ladder, from the lower-level IT/CISO office to Risk Managers and/or CIOs.

Today risk assessment and investment decisions are reached with ad-hoc approaches, using (effective but) general-purpose Risk Assessment frameworks such as ISO 2700x and equivalent. How to simplify this process? How to provide fine-grained risk assessment that takes into account the analysis of various options and scenarios, as well as providing what-if analysis? How to evaluate the actual appropriateness and impact of investing in specific IAM controls? How to package all this as a service to be offered (among others) for making informed decisions in the IAM space?

I am more and more convinced that one of the next big things in IAM will be in addressing this gap, i.e. providing a simplified, rigorous and scientific approach to evaluating risks in organisations and pinning down (among other security aspects) the suitable IAM investments and solutions, tailored to the specific organisational realities.

This is what we are exploring at HP Labs, in the broader space of security, with Security Analytics and, for IAM, in the specific context of HP Labs Identity Analytics.

I am very interested in your opinion and the (inevitable) different views of what the next big thing in IAM is going to be …


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

Monday, September 27, 2010

Enterprise Job Design: What are the current Risks for the Organisation?

An important question that a few customers have been asking us to explore is the following: “What are the Risks associated with our current definition of Job Activities and Roles?”. In other words, “Have we done a good job in our Job Design?”.

In a previous blog post of mine, I discussed some of the ideas about how to approach this problem, in terms of exploring and providing an indication of the variability of the risk for an organisation and the impact of different “Job Design” choices.

I am now revamping this study and very keen to make further progress.

I would be interested in getting more insights (public information) about how different organisations (private and governmental ones) are currently tackling this problem and how they effectively assess their risks.

I would like to compare and contrast these approaches against the approach we used in our Identity and Security Analytics work.

Here is the abstract of the HPL Technical Report documenting some of our initial work:

"Strategic decision makers need to organize their workforce and define policies on how to allocate roles and rights to individuals allowing them to work effectively for the organization, whilst minimizing security risks. Many organizations have a separation of duty matrix specifying certain toxic combinations of access rights that they generally understand present an extreme risk. These matrices do not always contain some of the less understood or smaller risks. The flip side of the rights allocation problem is the need for an organization to keep systems running under various pressures including reducing headcounts. This tension often leads to a practice of providing skilled individuals with wide access rights to many systems. We describe this tension as the Job Design Problem. That is how to manage the trade-offs between allocating roles allowing for flexibility and the possible security impacts. It is not just a matter of technical "role engineering", access right allocation and Identity & Access Management (IAM) provisioning processes. Decision makers need tools that help them understand how to give guidance and set policies associated with role allocations and mechanisms to enable a debate between various stakeholders within the business, IT and Audit concerning the appropriate level of tradeoff and acceptable risk. In this paper, we aim at making progress in this field by presenting an approach and methodology to provide strategic decision support capabilities for the definition and assessment of policies in the context of Job Design. We focus on a problem provided by an IT department within a large organization, where employees (primarily IT admins and IT support staff) operate on sensitive and critical business systems and services. In this context, security risks are a major concern and need to be fully understood. 
Depending on the motivations and skills of the workforce, accidental or deliberate misuses of access rights and capabilities might take place and have huge economical and reputational consequences for the organizations. The decision makers (e.g. CIOs, CISOs) need to understand the implications and trade-offs of making job design decisions as well as investing in additional/complementary controls, such as monitoring/auditing systems, IAM solutions, education or vetting/clearance programs. We describe a decision support solution based on modeling and simulation, to provide this kind of policy-decision support. This is work in progress. We present our current results and next steps."



--- Posted by Marco Casassa Mont (here and here) ---


Applied HPL Identity Analytics: Personnel Vetting Processes

In the context of our Security Analytics work (in particular of HP Labs Identity Analytics) I am looking for public documentation, links and information about how personnel vetting processes are currently carried out in the industry.

Some interesting examples (discussing at high level the steps to get different degrees of security clearance), of relevance to governmental environments, are the following:

The vetting process is indeed very important in reducing organisational risks and in making informed decisions on which credentials and access rights to give to personnel. It complements two other aspects that have been previously discussed in this blog:

  • Operational aspects: provisioning and deprovisioning processes
  • Governance aspects: monitoring, compliance checking and audit

The idea is to use our HP Labs Identity Analytics methodology and tools to model this process and explore the involved risks as well as tension points between business managers/stakeholders (requiring personnel as fast as possible to deal with their business needs) and risk/security assessors (requiring that full due diligence is carried out before granting any access to personnel) – by identifying suitable metrics.

We believe our analytic models can be used not only to explore potential policy compromises (what happens if we relax our vetting policies on certain aspects) and their impact on risk, but also to assess how realistic some of these policies are (i.e. how likely, given the current processes, that they are going to be violated).

Any input on documentation and references is really welcome.

In addition, we are keen to identify 1-2 potential serious candidates (medium/large organisations) that would be interested in trialling this Identity Analytics activity, in a joint case study with HP Labs.

Saturday, September 18, 2010

Identity Analytics as a Service: Packaging Solutions for Risk Assessment in IAM

As I mentioned in a previous blog post of mine, we successfully delivered an analytic assessment of the risk related to the IAM operational processes for a major HP customer. This provided good insights and key take-away points to the customer, as well as useful feedback for our Security Analytics work, in particular in the context of HP Labs Identity Analytics.

On one hand we are now liaising with HP businesses in order to transfer this as a service, by packaging our IAM analytic solutions. Some exciting activities are happening with Vistorm and other HP businesses in this space.

On the other hand, I am interested in further expanding the Identity Analytics offering, beyond the risk assessment for provisioning and deprovisioning processes.

More specifically, I aim at creating various analytic templates for different critical IAM areas, which will be part of the overall “Identity Analytics as a Service” offering and will be used to address specific customer needs.

Based on various inputs received from customers (and from our analysis), a few critical areas have already emerged as relevant for a full assessment of the associated risks. These include:

  • Vetting and accreditation processes, specifically for critical users
  • Compliance checking and governance processes
  • SoD assessment processes

Of course these three areas go beyond IAM, but they have a specific and important impact on this area.
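The Job Design abstract in the post above describes a separation of duty (SoD) matrix of “toxic combinations” of access rights, and the SoD assessment processes listed here are about finding who holds such combinations and what a change in role allocation would do to the organisation's exposure. The following is an added example written for this page, not HP Labs Identity Analytics code or any of its models: it takes a small role-based access model (constructed sample roles, rights, employees and a weighted toxic-pair matrix, all hypothetical), reports the employees whose effective rights contain a toxic pair, sums the severities into a crude exposure metric, flags the role pairs that are toxic by design, and runs a what-if analysis for taking a role away from one person.

```python
"""Toy separation-of-duty (SoD) assessment over a role-based access model.

Added example for illustration only; the roles, rights, employees and
toxic-pair weights below are constructed sample data, not from any
real organisation or from the HP Labs work described in the post.
"""
from itertools import combinations

# Constructed sample data: the rights each role grants.
ROLE_RIGHTS = {
    "db_admin": {"db.read", "db.write", "db.schema"},
    "backup_operator": {"db.read", "backup.run", "backup.restore"},
    "payments_clerk": {"payment.create"},
    "payments_approver": {"payment.approve"},
    "it_support": {"db.read", "account.reset", "backup.run"},
}

# Constructed sample data: the roles each employee currently holds.
USER_ROLES = {
    "alice": {"db_admin", "backup_operator"},
    "bob": {"payments_clerk", "payments_approver"},
    "carol": {"it_support"},
    "dave": {"it_support", "payments_clerk"},
}

# Constructed SoD matrix: pairs of rights one person must not hold together,
# each with an illustrative severity weight (higher means worse).
TOXIC_PAIRS = {
    frozenset({"payment.create", "payment.approve"}): 10,
    frozenset({"db.schema", "backup.restore"}): 6,
    frozenset({"account.reset", "payment.create"}): 3,
}


def effective_rights(user, user_roles=USER_ROLES, role_rights=ROLE_RIGHTS):
    """Union of the rights granted by all of a user's roles."""
    rights = set()
    for role in user_roles.get(user, ()):
        rights |= role_rights[role]
    return rights


def sod_violations(user_roles=USER_ROLES, role_rights=ROLE_RIGHTS, toxic=TOXIC_PAIRS):
    """Map each offending user to the toxic pairs (with weights) they hold."""
    found = {}
    for user in user_roles:
        rights = effective_rights(user, user_roles, role_rights)
        hits = [(pair, weight) for pair, weight in toxic.items() if pair <= rights]
        if hits:
            found[user] = hits
    return found


def exposure_score(user_roles=USER_ROLES, role_rights=ROLE_RIGHTS, toxic=TOXIC_PAIRS):
    """Crude organisational metric: the sum of severity weights over all violations."""
    violations = sod_violations(user_roles, role_rights, toxic)
    return sum(weight for hits in violations.values() for _, weight in hits)


def toxic_role_pairs(role_rights=ROLE_RIGHTS, toxic=TOXIC_PAIRS):
    """Role sets (single roles or pairs) that are toxic by design, before any
    allocation to people: useful input to a job design review."""
    bad = set()
    for size in (1, 2):
        for combo in combinations(role_rights, size):
            rights = set().union(*(role_rights[r] for r in combo))
            if any(pair <= rights for pair in toxic):
                bad.add(frozenset(combo))
    return bad


def what_if_remove_role(user, role, user_roles=USER_ROLES, role_rights=ROLE_RIGHTS, toxic=TOXIC_PAIRS):
    """Exposure if `role` were taken away from `user`; the input mapping is not modified."""
    trial = {u: set(r) for u, r in user_roles.items()}
    trial.get(user, set()).discard(role)
    return exposure_score(trial, role_rights, toxic)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for pair, weight in hits:
            print(f"{user}: holds {sorted(pair)} (severity {weight})")
    print("current exposure:", exposure_score())
    print("toxic role combinations:", [sorted(c) for c in toxic_role_pairs()])
    print("exposure if bob loses payments_approver:",
          what_if_remove_role("bob", "payments_approver"))
```

The what-if step is the point a decision maker cares about: it shows how much exposure a single allocation change removes (here, separating payment creation from approval for one person), which can be compared against the operational cost of that change. A real assessment would replace the hand-written weights with likelihood and impact estimates and would add the complementary controls the abstract mentions (monitoring, vetting) as factors that reduce the weight of a combination rather than remove it.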

I am in the process of gathering insights about these key processes, various involved steps and potential failure points. The aim is to model them, define metrics to convey the involved risks and provide decision support to customers by means of “what-if” analysis (simulations).

Your help would be appreciated if you could provide input and/or any public information/links/documents/requirements about:

  • The above three areas. Which types of process steps are currently in place? Any case study?
  • Additional areas, related to IAM, that you believe you/your customers might be interested in assessing in order to determine their risk exposure


--- Posted by Marco Casassa Mont (here and here) ---


HP Labs Presentation at European Commission and RAND EUROPE event on “The Cloud: understanding the Security, Privacy and Trust Aspects”

As mentioned in a previous blog post, I recently attended an event, organised by RAND EUROPE, as a part of an EU project and study commissioned to RAND, time.lex and IDL Warwick:

“This study has undertaken a review of the literature and a number of real-life case studies to identify how challenges in respect of the privacy, security and trust issues were overcome in various implementations of cloud computing.”

It has been a very interesting meeting, with key discussions on the implications of privacy, trust and security for Cloud Computing and input from various stakeholders. A full report will be provided by RAND, time.lex and IDL Warwick.

In this context I gave a presentation on "Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors” from an Industrial and R&D perspective.

I believe the presentation went very well, with interesting questions and follow-up debates.

Thanks to all the people who provided me with input, material and suggestions on topics to cover in this presentation.

--- Posted by Marco Casassa Mont (here and here) ---


Paper Accepted at 2nd ICST Conference on Cloud Computing – CloudComp 2010

An HP Labs paper has been accepted at the 2nd International ICST Conference on Cloud Computing (CloudComp 2010):

“Information Stewardship in the Cloud: A model-based approach”, by David Pym, Martin Sadler, Simon Shiu, and Marco Casassa Mont

This paper provides an overview of key R&D research happening at HP Labs Bristol, Systems Security Lab in collaboration with various UK partners, in the UK TSB project called “Cloud Stewardship Economics”.

In this work, aspects of Economics theory and HP Labs Security Analytics have been applied to provide decision support to strategic decision makers when exploring the opportunity to migrate their IT infrastructures and services to the cloud.

More information will be posted both on this TSB project and the presentation that will be given at the conference.

--- Posted by Marco Casassa Mont (here and here) ---


EnCoRe Presentation at W3C PLING Phone Conference

Pete Bramhall, Senior Research Manager at HP Labs and coordinator of the collaborative UK EnCoRe Project (Ensuring Consent and Revocation), gave an invited talk at the most recent W3C PLING (Policy Language Interest Group) phone conference.

His presentation is available online (here): it provides a good overview of the objectives, work and current status of the EnCoRe project, as well as a list of needs and requirements to be addressed in the space of privacy management.

This was the first of a series of invited talks we are planning to host in the context of the monthly W3C PLING phone meetings. More to come.

--- Posted by Marco Casassa Mont (here and here) ---
