Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Saturday, September 18, 2010

Identity Analytics as a Service: Packaging Solutions for Risk Assessment in IAM

As I mentioned in a previous blog post of mine, we successfully delivered an analytic assessment of the risk related to the IAM operational processes for a major HP customer. This provided good insights and key takeaways to the customer, as well as useful feedback for our Security Analytics work, in particular in the context of HP Labs Identity Analytics.

On one hand we are now liaising with HP businesses in order to transfer this as a service, by packaging our IAM analytic solutions. Some exciting activities are happening with Vistorm and other HP businesses in this space.

On the other hand, I am interested in further expanding the Identity Analytics offering, beyond the risk assessment for provisioning and deprovisioning processes.

More specifically, I aim to create various “analytic templates” for different critical IAM areas, which will be part of the overall “Identity Analytics as a Service” offering and will be used to address specific customer needs.

Based on various inputs received from customers (and from our analysis), a few critical areas have already emerged as relevant for a full assessment of the associated risks. These include:

Vetting and accreditation processes, specifically for critical users
Compliance checking and governance processes
SoD assessment processes

Of course these three areas go beyond IAM, but they have a specific and important impact on this area.

I am in the process of gathering insights about these key processes, the various steps involved and potential failure points. The aim is to model them, define metrics to convey the risks involved and provide decision support to customers by means of “what-if” analysis (simulations).

Your help would be appreciated if you could provide input and/or any public information/links/documents/requirements about:

The above three areas. Which types of process steps are currently in place? Any case study?
Additional areas, related to IAM, you believe you/your customers might be interested in assessing in order to determine their risk exposure


--- Posted by Marco Casassa Mont ---
