Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, March 4, 2009

Identity Management and the IT Monoculture

A recent article (called “IT Monoculture: Security Risks and Defenses”) published by the IEEE Security and Privacy magazine, discusses pros and cons of having an IT Monoculture, i.e. where no diversity is introduced for specific IT solutions deployed within organizations.

Quite interestingly this applies also for Identity Management. On one side deploying the same Identity Management (IAM) solutions across an organization increases efficiency, central control and uniformity. On the other hand, it might potentially increases the exposure of the organization to threats and related risks.

I guess that, at the end, it is a matter of economics, involving trade-offs between involved costs, security and productivity.

This is an area where modeling and simulation (see Security and Identity Analytics ) might be of some help, to explore, predict and identify the most suitable approach for an organization, given the organization profile and the underlying threat environment.

Just wondering if there is any recent, official study (I have not yet found it …) exploring the current level of “IAM-diversity” within organizations. Any pointer/link would be welcome …

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

No comments: