Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, March 20, 2009

The Economics of Identity and Access Management (IAM)

What are the Economics of Identity and Access Management (IAM)? This is a key area that needs to be explored in order to really understand, from an economic perspective, the actual value that IAM provides to organizations, based on its impact on the aspects that matter to decision makers (such as loss prevention and risk mitigation) and on the threat landscape.

A few core aspects need to be researched:

1) What are the key “aspects/metrics” that characterize the impact of IAM investments on an enterprise, for example in terms of preventing or reducing losses? In a first analysis, important “macro” aspects include: security breaches (B), productivity loss (P), compliance violations (C) and costs (K)…

2) How do these aspects/metrics relate to the basic IAM “levers” that decision makers (e.g. CIOs, CISOs, risk managers) can act on, i.e. configuration, enforcement and audit/reporting tools (compliance-checking tools)? We need to capture the relevant causal dependencies, for example: what are the consequences and the impact of investing more in audit/compliance checking rather than in configuration or enforcement? What are the consequences of acting on enforcement in terms of productivity and costs?

3) Which utility functions U(B,P,C,K) can effectively model the impact of IAM (e.g. in terms of losses) on security breaches, productivity loss, compliance violations and costs, by factoring in the investments in the “configuration, enforcement and audit” levers?

4) How can systems modeling be used effectively to estimate these utility functions, by animating the causal dependencies and inter-relationships among these “levers” and their impact on the metrics, inclusive of assumptions about the threat landscape?

So far I have found very little literature and related work in this space – I would be keen to get any reference or link, if available.

I am going to pursue research in this space, in the context of the Identity Analytics activity (HP Labs Security Analytics project, Systems Security Lab), as I believe this (as with the Economics of Privacy and the Economics of Information Security) can:
- provide a more rational way to describe and analyse the impact and value that IAM actually offers to organizations;
- provide key decision makers with a decision support tool that operates at their level of abstraction.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Wednesday, March 18, 2009

Do Enterprises know where they store personal data?

Apparently most enterprises don’t, at least based on this survey, called “Safeguarding the Currency of Business”, which found that "71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored".

This has strong implications (among other things …) from a privacy perspective, in particular from a consent and revocation management angle – as also highlighted in a recent HP Labs report of ours (“On the Management of Consent and Revocation in Enterprises: Setting the Context”).

Hopefully we will explore how to tackle some of the related issues in the UK TSB EnCoRe project.

Thursday, March 12, 2009

Twitter and its Privacy and Identity Management Implications

I recently started using Twitter (my link: http://twitter.com/MCasassaMont).

Twitter is getting more and more popular within (and across) organisations, in particular for geographically distributed teams, as a way to share their activities and whereabouts.

I am interested in better understanding this tool, in particular in terms of its identity and privacy implications and long-term repercussions for individuals and organisations.

I see some interesting research to be potentially carried out in the context of the Identity Analytics R&D project at HP Labs and UK TSB EnCoRe project.

Wednesday, March 4, 2009

Identity Management and the IT Monoculture

A recent article (called “IT Monoculture: Security Risks and Defenses”), published in the IEEE Security and Privacy magazine, discusses the pros and cons of an IT monoculture, i.e. a situation where no diversity is introduced for specific IT solutions deployed within organizations.

Quite interestingly, this also applies to Identity Management. On one side, deploying the same Identity Management (IAM) solutions across an organization increases efficiency, central control and uniformity. On the other hand, it might potentially increase the exposure of the organization to threats and related risks, since a single weakness applies everywhere the same solution is deployed.

I guess that, in the end, it is a matter of economics, involving trade-offs between the costs involved, security and productivity.

This is an area where modeling and simulation (see Security and Identity Analytics) might be of some help in exploring, predicting and identifying the most suitable approach for an organization, given the organization’s profile and the underlying threat environment.

Just wondering if there is any recent, official study (I have not yet found it …) exploring the current level of “IAM-diversity” within organizations. Any pointer/link would be welcome …