Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, February 12, 2010

HPL Technical Reports – Economics of Identity and Access Management: Providing Decision Support for Investments

I recently published, jointly with a few HPL colleagues, two HPL Technical Reports on the topic of “Economics of Identity and Access Management (IAM)”: HPL-TR-11 (executive summary) and HPL-TR-12 (detailed description of the case study).

These two documents discuss a case study that aims to integrate economics into security analytics methodologies, in order to provide strategic decision support in the IAM space:

“Identity and Access Management (IAM) is a key enabler of enterprise businesses: it supports automation, security enforcement and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus on the IT operational level, rather than targeting strategic decision makers' issues at the business level. Organisations are experiencing an increasing number of internal and external threats and risks: there is scarcity of resources and budget to address them all. Decision makers (e.g. CIOs, CISOs) need to prioritise their choices and motivate their requests for investments. This applies to investments in IAM vs. other possible security or business investments that could be made by the organisation. In this context, a range of possible IAM investment options has an effect on multiple strategic outcomes of interest, such as assurance, agility, security, compliance, productivity and empowerment. We have developed a repeatable approach and methodology to help organisations work through this complex problem space and determine an appropriate strategy, by providing them with decision support capabilities. The proposed approach, validated in collaboration with security and IAM experts, couples economic modelling (which explores decision makers' preferences between the different outcomes) with system modelling & simulations to predict the consequences (likely outcomes) associated with different investment choices and map them against decision makers' preferences, in order to identify the most suitable investment options. We illustrate how this methodology has been applied in an IAM case study, in a business-driven context with core enterprise services. This work is in progress. We discuss current results and next steps.”

A related paper discussing this work has recently been accepted at the 5th IEEE/IFIP Business Driven IT Management Workshop, BDIM 2010.

In addition to current engagements with HP customers, I am also looking for additional (interesting/unusual) case studies involving IAM aspects in which to further refine this approach.

--- Posted by Marco Casassa Mont ---
