
Using Modelling and Simulation for Policy Decision Support in Identity Management

Using Modelling and Simulation for Policy Decision Support in Identity Management. Marco Casassa Mont ( marco.casassa-mont@hp.com ) Adrian Baldwin, Simon Shiu HP Labs, Systems Security Lab, Bristol, UK. IEEE Policy 2009 Symposium. Presentation Outline. On the Policy Decision Making Process


Presentation Transcript


  1. Using Modelling and Simulation for Policy Decision Support in Identity Management. Marco Casassa Mont (marco.casassa-mont@hp.com), Adrian Baldwin, Simon Shiu. HP Labs, Systems Security Lab, Bristol, UK. IEEE Policy 2009 Symposium

  2. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  3. On the Policy Decision Making Process • The process of Making Decisions about IT (Security) Policies is Complex • It is driven by Business Objectives, Risk Mitigation, other Organisational Goals … • Key Decision Makers (e.g. CIOs, CISOs) make final Policy Decisions but … • Policy Decisions are usually reached through a Consensus-building Process involving various Stakeholders i.e. Domain Experts from Business, Security, Finance, HR, Legal Departments, etc.

  4. Organisations’ IT Security Challenges [Diagram labels: Develop Policy; Understand the “Economics”; Decide & Deploy Policies (Enforcement); validation; regulation; Threats, Investments; IT infrastructure; Risk, Assurance, Compliance]

  5. Current Policy Decision Making & Assessment Process Existing Policies Is there any Problem? NO YES Discussions about future Action Plans based on possible “Levers” to act on (e.g. IT Automation, Security Controls, Education, Monitoring and Punishment, etc.) Informal predictions about impact of choices, based on stakeholders’ expertise. Any Agreed Action Plan helping to Match Policies? NO Act On Levers/ Define Action Plans YES Policy Failure Revisit Current Policies

  6. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  7. Problem Space • How to Support the Process of Making IT (Security) Policies or Re-assessing Current Ones? • How to Enable different Stakeholders to bring their Skills and Perspectives to the Discussions whilst Limiting Conflicts and Misunderstandings?

  8. Suggested Approach: Modelling and Simulation • Modelling and Simulation Support the Policy Decision Making Process by: • Conveying consistent Explanations and Predictions to Stakeholders • Providing “What-if” Analysis • Providing Information at the Right Level of Abstraction [Flowchart labels: Policies; Is there any Problem? NO / YES; Modelling; Explore Space; Simulations by Acting on Different “Levers”; Refine/Reality-Check; Any Outcome Matching Policies? NO / YES; Act On Levers/Define Action Plans; Policy Failure; Revisit Current Policies] → Case Study in the Identity and Access Management Space

  9. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  10. Identity and Access Management (IAM) - Enterprise IAM • Network Access Control (NAC) • Directory Services • Authentication, Authorization, Audit • Provisioning • Single-Sign-On, • Federation • … • IAM is part of • IT Security Strategy • Risk Management • Policy Definitions • Compliance & • Governance Practices • Legislation

  11. Case Study: User Account Provisioning Management • Provisioning Management deals with Lifecycle Management of User Identities and Accounts on Protected Resources (PCs, Servers, Business Applications) • It is about Configuration: Managing User Accounts and Setting and Removing Permissions/Rights • A wrong or poor User Provisioning could: • Give more than necessary rights to users • Prevent users from accessing legitimate resources Enrolment Modification Removal Customisation

  12. User Provisioning Management [1/2] Aspects involved in Provisioning Management: Policies • Workforce • Changes: • - New User • User Changes • User Leaves Approval Phase Deployment & Configuration Phase • Org Changes: • M&A • Re-orgs • lay-offs Configuration on Systems/Apps/Services: - Create, Modify, Remove User Accounts - Setting Access Rights Getting Authorizations

  13. User Provisioning Management [2/2] • Provisioning of User Accounts can be carried out with different levels of Automation: • Ad-hoc Processes • Automated and Centralised Processes • The Provisioning could be subject to various Failures due to: • User and Administrators’ Misbehaviours • Cultural Attitudes • IT and Solutions Failures • Attacks …

  14. Examples of User Provisioning Policies • P1: Employees’ user accounts should be provisioned within an organization in max 3 days • P2: No user account must be provisioned without management approval • P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval • P4: User accounts of people leaving a company must be removed within 2 days of the departure date • P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% - Are these policies appropriate for a given organisation? - Are they achievable? - Which investments and actions are required to meet them?

  15. Policy Decision Makers • The CIO or CISO or Risk Manager is likely to define or re-assess these Policies and their appropriateness • However Policy Analysis and Decisions require Inputs and Consent (buy-in) from several Stakeholders: • Security Experts • Business Experts and Application/Service Owners • Compliance Experts • IT Operation Experts • These Stakeholders have Different Priorities and Concerns • They have different Backgrounds and Knowledge … • We argue that Modelling and Simulation can Support the Overall Policy Decision Making Process

  16. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  17. Role of Modelling and Simulation • Explain the current situation to Stakeholders, at different levels of Abstraction (with suitable Metrics) • Provide Consistent Views and Information • Provide Predictions based on potential Policy Choices and their Impact • Support “What-if” Analysis for Policies • Help explore “Trade-offs” We illustrate how this can be achieved, using the IAM Provisioning Case Study as a Significant Example

  18. Methodology: Overview Typical Methodology involved in Case Studies • Understand Context • Identify Suitable Metrics • Modelling • Simulation • Testing and Reality Checks • Analysis of Outcomes [Diagram labels, Iterative Learning Process: Define Situation & Context; Characterise Key Questions/Problems; Data Collection; Model System Processes & Hypothesis; Test Adequacy; Simulate & Analyse; Evaluate & Recommend]

  19. Case Study on IAM User Provisioning: Context and Assumptions • The Enterprise has a set of Applications subject to User Provisioning: • 5 Core Business Applications • 100 Non-Core Applications • Current Applications are provisioned with a mix of Approaches: • Ad-hoc Provisioning • Centralised and Automated Provisioning • Each of these Provisioning approaches can be described in terms of the involved Approval and Configuration Processes

  20. Case Study on IAM User Provisioning: Focus on Policies Policies of Interest • P1: Employees’ user accounts should be provisioned within an organization in max 3 days • P2: No user account must be provisioned without management approval • P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval • P4: User accounts of people leaving a company must be removed within 2 days of the departure date • P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%

  21. Case Study on IAM User Provisioning: Core Questions and Levers • General Questions • Are these policies appropriate for a given organisation? • If not, which Investments and Actions are required to (try to) meet them, by acting on available “Levers”? Levers • “Automation Lever” i.e. Increase or Decrease Investments on “Centralised and Automated Provisioning” for Managed Applications • Change Existing Policies • Formulate New Policies

  22. Case Study on IAM User Provisioning: Identifying Security Metrics [1/3] • A set of High-level Security Metrics has been identified, by interacting with Different Stakeholders involved in the Policy Decision Making Process • Different Metrics are relevant to Different Stakeholders when Making Decisions about Policies. Way to convey information to Stakeholders with different viewpoints:

  23. Case Study on IAM User Provisioning: Identifying Security Metrics [2/3] Lower-level Measures are also available from involved processes and systems, that are of interest to System Administrators and Domain Experts: • Number of correctly configured and mis-configured user accounts; • Number of hanging accounts (people that left); • Overall approval time (delays) for provisioning requests; • Overall configuration/deployment time (delays); • Number of lost approval and deployments/configuration requests; • Number of bypassed approval processes; • Number of successful approval processes NOTE: High-level Security Metrics can be derived from these Low-level Measures

  24. Case Study on IAM User Provisioning: Identifying Security Metrics [3/3] More Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html

  25. Modelling Activity • Focus on the “Key Questions” and available Levers (e.g. Automation Lever) • Identify what needs to be Modelled to achieve this: • Relevant Events affecting Provisioning activities i.e. people joining, leaving, changing roles • Processes involved “ad-hoc” and “centralised & automated” provisioning for approval and deployment • Cause-effect relationships of relevance to calculate measures and security metrics • Threats

  26. High-Level Model [Diagram labels] Events: Users Joining; Users Changing Roles; Users Leaving. Requests to Add/Modify/Delete User Accounts on Managed Applications. Ad-Hoc IAM Provisioning Processes: Approval Process (failures & delays); Config./Deployment Process (failures & delays). Automated & Central IAM Provisioning Process: Approval Process (failures & delays); Config./Deployment Process (failures & delays). External Events. Threats Impacting IAM Provisioning Processes and/or Fuelled by Them: Process Failures; Bypassed Approvals; Criminal Conducts; Internal Attacks; Frauds; External Attacks. Simulation State. Simulation Measures. Data & Outcome Analysis. • High-level Metrics • Access Accuracy • Approval Accuracy • Productivity Costs • IAM Prov. Costs • Effort Levels • … • Low-level Measures • #Account misconf. • #Account hanging • #Account wrong • Delays • …

  27. Provisioning Model: Details [1/4] [Flowchart labels] Events: User Joins; User Changes Role; User Leaves. Each event carries a User Profile: • Role(s) • Set of req. Apps • Location/Region. Types of Changes on Affected apps? “Joining” / “Changing” / “Leaving”. For each affected Application, with its Application/Service Profile: • ad-hoc/centrally managed • Admin Location/Region • Provisioning (Entitle) mgmt team & profile • Available IAM Controls. Resulting processes: User Joining: IAM Provisioning Management Process; User Changing Role: IAM Provisioning Management Process; User Leaving: IAM Provisioning Management Process

  28. Provisioning Model: Details [2/4] User Joining: Provisioning Management Process [Flowchart labels, in the order shown] Request for each affected Application, with its Application Profile (ad-hoc/centrally managed; Admin Location/Region; Provisioning mgmt team & profile; Available IAM Controls) • Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (Denied Access); YES: Carry on, without auth.; NO • Waiting time To Process Approval Request. Measure: User Joins - time to get Approval • Prob. Loss Deployment Activity? YES: Measure: #Lost Deployment Activities; NO • Waiting time To Deploy/Config. Measure: time to deploy (conf. account) • Prob. Misconfig? YES: Measure: #Misconfigured Account; NO. Dependencies annotated on the steps: • regional/local attitudes • available resources (admin, mgmt) • presence of automation (e.g. IAM provisioning solution; notification workflow) • presence of IAM automation: provisioning & deployment • type of applications

  29. Provisioning Model: Details [3/4] User Changing Roles: Provisioning Management Process [Flowchart labels, in the order shown] Request for each affected Application, with its Application Profile (ad-hoc/centrally managed; Admin Location/Region; Provisioning mgmt team & profile; Available IAM Controls) • Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (Misconfigured Access); YES: Carry on, without auth.; NO • Waiting time to Process Approval Request. Measure: User Change - time to get Approval • Prob. Loss Execution Activity? YES: Measure: #Lost Deployment Activities; NO • Waiting time To Deploy. Measure: time to deploy (conf. account) • Prob. Misconfig? YES: Measure: # Misconfigured Account; NO. Dependencies annotated on the steps: • regional/local attitudes • available resources. Contention? • presence of automation (e.g. IAM provisioning solution; notification workflow) • presence of IAM automation: provisioning & deployment • type of applications

  30. Provisioning Model: Details [4/4] User Leaving: Provisioning Management Process [Flowchart labels, in the order shown] Request for each affected App, with its App Profile (ad-hoc/centrally managed; Admin Location/Region; Entitle mgmt team & profile; Available IAM Controls) • Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (hanging accounts); NO • Waiting time To Process Auth. Request. Measure: User Leaves - time to get Approval • Prob. Loss Execution Activity? YES: Measure: #Loss Deployment Activities (hanging account); NO • Waiting time To Deploy. Measure: time to deploy (remove Account). Dependencies annotated on the steps: • regional/local attitudes • available resources. Contention? • presence of automation (e.g. notification workflow) • presence of IAM automation: provisioning & deployment • type of applications

  31. Simulation Activity • Run Monte Carlo Simulations of the Model to: • Explore and Justify Current Situation • Provide “What-If” Predictions by acting on Available “Levers” • Analyse and Interpret the Simulation Outcomes to Support the Policy Decision Making Process • Provide meaningful Results to Different Stakeholders • Map these results to the implications for Policies

  32. Case Study: Simulation Plan • Explore impact on Metrics and other Measures based on Current Situation • Are Policies satisfied? Simulation Time: 1 year - Number of runs: 100

  33. Simulation Outcomes: Current Situation - Security Metrics [Charts] Accuracy Measures (Access Accuracy, Approval Accuracy), labels as extracted: 1 0.84 0.83 0.5. Cost Measures (IAM Provisioning Costs, Productivity Costs), labels as extracted: 33855 11200 10000 20000 30000 40000. Effort Level (#Ad-Hoc Provisioning Activities, # Automated Prov. Activities), labels as extracted: 3480 1032.

  34. Simulation Outcomes: Current Situation - Low-level Security Measures [Chart panels: # Hanging Accounts; # Denied Good Accounts; # Misconfigured Accounts; Overall Approval Time; Overall Deployment Time; Bypassed Approval Step]

  35. Some Observations about Outcomes … • The Estimated Values of Security Metrics and Measures are based on Common Assumptions and consistently determined by Model & Simulations • E.g. Access Accuracy = 0.83 (mean value) • So, the organisation is failing in implementing Policy P5 … → P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% • What-If analysis can be carried out to explore how to address this by acting on available Levers

  36. Simulation: What-IF Analysis – Experiments Acting on the “Automation” Lever:

  37. Simulation Outcomes: What-IF Analysis - Security Metrics [Charts comparing Current State (Case #1), Case #2, Case #3 and Case #4] Accuracy Measures (Access Accuracy, Approval Accuracy), labels as extracted: 1 0.99 1 0.95 0.90 0.94 0.89 0.84 0.83 0.5. Cost Measures (IDM Provisioning Costs, Productivity Cost), labels as extracted: 20500 10403 17400 25753 17949 11200 33855 10000 14300 20000 30000 40000. Effort Level (# Automated Prov. Activities, #Ad-Hoc Provisioning Activities), labels as extracted: 2230 3480 1032 1134 3378 4512 2281.

  38. Some Observations about Outcomes … • Only “Case #4” ensures that the organisation can meet Policy P5 … → P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% • However the involved “IDM Provisioning Costs” are almost doubling, compared to Current Situation … • Wouldn’t it be better to change policies to be compliant with “Case #2” or “Case #3”? → Policy Decision Makers now have consistent Metrics and Measures to support their decisions based on What-IF analysis …

  39. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  40. Related Work • A lot of literature exists on how to use mathematical modelling to affect policy decisions, but in areas such as Management Science, Hydrology, Land Usage, Environmental Contexts … The area of Policy Decision Support for Security, Privacy and IDM is still a green field • Key work has been done in applying Modelling and Simulation in specific areas such as Password Policies (Purdue), Identity Fishing, Access Control … → Not focusing on the problem of how to provide support to different stakeholders for policy decision making • Our work is complementary to work done in security and risk management standards, such as ISO 27001, CoBit, ITIL, etc. which describe general best practices and Methodologies → We use these as drivers by grounding the reasoning in specific environments

  41. Discussion and Future Work • We have a fully working, implemented model for the IAM Provisioning Case Study. Full details about this work (model, results, etc.) are available in an HPL Technical Report: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html • This model has been internally tested to support policy decision making for IAM Provisioning • This is just an example of “Identity Analytics” work, by applying Modelling and Simulation techniques to the IAM space. • Future work involves exploring multiple IAM areas and their impact on policies, organisations’ investments and strategies: • Enterprise Single-Sign-On • Authentication and Authorization Strategies • IAM Outsourcing • IAM as a Service • Impact on IAM in the Cloud and Web 2.0 Scenarios • …

  42. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

  43. Conclusions • The Process of Policy Decision Making in organisations is Complex • Many stakeholders are involved: need to form good opinions and deal with politics and the process of reaching consensus • Modelling and Simulation methods can help, by providing consistent and objective analysis to multiple stakeholders at different levels of abstraction • We illustrated how this has been successfully achieved in the IAM Provisioning Case Study • This is work in progress. More to come in the context of R&D research at HP Labs Systems Security Lab, Identity Analytics activity …

  44. Thanks and Q&A Contact: Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.com
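
The Monte Carlo approach of slides 28 to 32 (lost approvals, bypassed approvals, lost deployments, misconfigurations and waiting times, run 100 times over one simulated year), as an added example that is not the authors' model or code. Every probability, delay and metric definition below is a constructed assumption, and the hypothetical `automation_share` parameter stands in for the "Automation Lever".

```python
import random
from statistics import mean

# Constructed parameters (assumptions, not values from the slides or the HPL report):
# per-process loss/misconfiguration probabilities and mean waiting times in days.
PROFILES = {
    "ad_hoc":    dict(p_lost_approval=0.08, p_bypass=0.5, approval_days=1.5,
                      p_lost_deploy=0.05, deploy_days=1.5, p_misconfig=0.06),
    "automated": dict(p_lost_approval=0.002, p_bypass=0.0, approval_days=0.3,
                      p_lost_deploy=0.001, deploy_days=0.2, p_misconfig=0.002),
}
P1_MAX_DAYS = 3.0        # policy P1: account provisioned within max 3 days
P5_MIN_ACCURACY = 0.99   # policy P5 threshold, read here as a fraction (assumption)


def provision_once(rng, prof):
    """One 'user joins' request for one application: (outcome, approved, days)."""
    days, approved = 0.0, True
    if rng.random() < prof["p_lost_approval"]:
        if rng.random() >= prof["p_bypass"]:
            return "denied", False, None       # lost approval request, no account
        approved = False                       # carry on without authorisation
    else:
        days += rng.expovariate(1 / prof["approval_days"])
    if rng.random() < prof["p_lost_deploy"]:
        return "denied", approved, None        # lost deployment activity
    days += rng.expovariate(1 / prof["deploy_days"])
    outcome = "misconfigured" if rng.random() < prof["p_misconfig"] else "ok"
    return outcome, approved, days


def simulate(automation_share, requests_per_year=1000, runs=100, seed=2009):
    """Mean metrics over `runs` simulated years for a given automation share."""
    rng = random.Random(seed)                  # fixed seed: reproducible what-if runs
    per_run = []
    for _ in range(runs):
        ok = bypassed = provisioned = late = 0
        for _ in range(requests_per_year):
            kind = "automated" if rng.random() < automation_share else "ad_hoc"
            outcome, approved, days = provision_once(rng, PROFILES[kind])
            if outcome == "denied":
                continue
            provisioned += 1
            ok += outcome == "ok"
            bypassed += not approved
            late += days > P1_MAX_DAYS
        per_run.append((ok / requests_per_year,        # correctly configured / requested
                        1 - bypassed / provisioned,    # accounts created with approval
                        1 - late / provisioned))       # accounts created within P1 limit
    access, approval, on_time = (mean(col) for col in zip(*per_run))
    return {"access_accuracy": access, "approval_accuracy": approval,
            "p1_on_time": on_time, "meets_p5": access >= P5_MIN_ACCURACY}


if __name__ == "__main__":
    # What-if analysis: move the automation lever and compare the metrics.
    for share in (0.0, 0.25, 0.5, 0.75, 1.0):
        m = simulate(share)
        print(f"automation={share:.2f}  access={m['access_accuracy']:.3f}  "
              f"approval={m['approval_accuracy']:.3f}  "
              f"P1 on time={m['p1_on_time']:.3f}  meets P5={m['meets_p5']}")
```

Replacing the constructed parameters with measured loss rates and delays from ticketing and provisioning logs is what turns this from an illustration into decision support.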
