Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, July 19, 2010

HP Labs Identity Analytics – What is this all about?

Thanks to the readers that sent me many comments and questions about my recent post about HP Labs Identity Analytics.

An interesting request I received was to provide more details about HP Labs Identity Analytics and compare and contrast it against other initiatives using a similar “label”.

Indeed, the “Identity Analytics” label is becoming more and more a buzzword, with different meanings depending on who uses it.

In the context of HP Labs (HPL), Identity Analytics is part of the wider Security Analytics R&D project and initiative aiming at providing strategic decision support in the (information) security space.

In a coming post I will describe, in more detail, how HP Labs is currently transferring Security Analytics (inclusive of Identity Analytics), its approach, methodology and related tools to HP business groups, and the kind of services to be provided to customers.

However, in this post, I am going to address the request mentioned above.

So what is “HPL Identity Analytics” all about? How is it different from other initiatives?

Let’s start by discussing what HPL Identity Analytics is about.

As mentioned in past blogs, HPL Identity Analytics aims at providing strategic decision support to security decision makers (e.g. CISOs) in the space of IAM.

HPL Identity Analytics has so far been used in case studies and customer engagements.

We start by understanding customers’ problems and their key questions. For example: what is the risk exposure of my company, related to the management of access control and access rights? How effective are my IAM provisioning and deprovisioning processes? What are the implications of increasing/decreasing my IAM investments, in terms of productivity, security risks, compliance and costs? Which degree of risk mitigation is actually introduced? Which IAM investment trade-offs should I consider?

By using modelling techniques we represent, with a rigorous and scientific approach, current organisational IAM processes (e.g. access management processes, provisioning/deprovisioning, authentication and authorization approaches, compliance management, auditing, etc.), their impact on underlying IT infrastructures, people's behaviours and the various implications of internal and external threats. We capture the core cause-effect relationships that underlie process failures and are relevant to a variety of concerns, including risk exposure, productivity, costs, etc.

We jointly define the metrics and measures with the customers to ensure that we can convey the relevant findings and outcomes in a way that actually addresses their questions and problems.

We develop models in collaboration with the customers, by understanding their processes and operational contexts. We iterate on the models and use simulations to ensure they are representative of reality.

Then, we use our modelling to carry out what-if analysis, i.e. to explore different scenarios, where, for example, we simulate the introduction of new IAM controls or process changes. We convey the outcomes to the customers by means of reports, to create awareness of the implications of their potential choices.
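A minimal sketch of the what-if step described above, added here as an illustration; it is not HP Labs' model or tooling. It simulates a deprovisioning process that can fail (the removal request is never raised) and compares two hypothetical controls; every parameter value and scenario name is a constructed assumption.

```python
import random
from dataclasses import dataclass

@dataclass
class Process:
    """Constructed parameters describing one deprovisioning process."""
    p_request: float     # probability the removal request is actually raised
    mean_delay: float    # mean days taken to act on a raised request
    audit_period: float  # days between audits that catch missed accounts

def simulate(proc, leavers=2000, accounts_per_leaver=5, seed=1):
    """Monte Carlo run: (mean exposure days, share of accounts live > 30 days)."""
    rng = random.Random(seed)
    exposures = []
    for _ in range(leavers * accounts_per_leaver):
        if rng.random() < proc.p_request:
            # Normal path: request raised, account removed after a random delay.
            days = rng.expovariate(1.0 / proc.mean_delay)
        else:
            # Failure path: request missed, account lingers until the next
            # audit, which falls at a uniformly random point in the cycle.
            days = rng.uniform(0, proc.audit_period)
        exposures.append(days)
    mean = sum(exposures) / len(exposures)
    over_30 = sum(d > 30 for d in exposures) / len(exposures)
    return mean, over_30

# Hypothetical scenarios: a baseline and two candidate IAM changes.
SCENARIOS = {
    "baseline (ad-hoc)":        Process(0.80, 10, 365),
    "what-if: automation":      Process(0.98, 1, 365),
    "what-if: quarterly audit": Process(0.80, 10, 90),
}

def what_if():
    """Run every scenario with the same seed so differences come from the process."""
    return {name: simulate(p) for name, p in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (mean, over_30) in what_if().items():
        print(f"{name:26s} mean exposure {mean:6.1f} days, >30 days: {over_30:.1%}")
```

Under these assumed numbers the missed-request path dominates the exposure, which is the kind of cause-effect relationship the model is meant to surface before any investment decision is made.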

For more information, please read some of the technical reports and documentation available here.

So how is HP Labs Identity Analytics different?

Our approach is top down.

Most of the other approaches are bottom-up. They aim at collecting and processing large amounts of data from the IT infrastructure and IAM solutions. They use business intelligence to aggregate data and present it.

These approaches are definitely valuable and work fine if you have full control of the IT infrastructure, if all your systems are instrumented and if the deployed solution is pervasive. However, my personal experience (based on some evidence gathered from customers …) is that most organisational realities are far from this ideal situation. Different organisational groups within enterprises can have different IAM processes in place, ranging from ad-hoc to automated ones. Different IAM solutions might have been deployed. There is a scarcity of information. Processes can be broken, bypassed or adapted to needs. Furthermore, in many cases only coarse-grained assumptions are made about the potential (internal and external) threats, their actual impacts and how the current controls effectively address them on an ongoing basis.

In these cases, I believe that it might be problematic to make sense of what actually happens in the organisation with just a bottom-up approach. As an analogy, it would be like trying to understand what a complex, distributed solution does at the business level by trying to analyse snippets of assembler code …

With the top-down Identity Analytics approach, developed at HP Labs, we focus on the root causes; we capture the essence of the involved processes, people's behaviours and threats. We model the cause-effect relationships that are relevant to answering the problems highlighted by the decision makers.

We do need data coming from the field (empirical data); however, this data consists of very specific information, relevant to describing the processes and modelled entities. In the absence of data, various hypotheses are explored with “what-if” analysis.

In summary, we are talking about two different approaches to Identity Analytics, the HP Labs’ one being the only one (I am aware of) that comes from a top-down perspective.

I personally believe that the best of the two approaches (top-down and bottom-up) should be combined and dynamically tuned together, to fully address customers’ needs, based on their specific contexts and organisational situations.

--- Posted by Marco Casassa Mont (here and here) ---
