<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.communities.hp.com/online/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Research on Security and Identity Management (by Marco Casassa Mont) : Security Analytics</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx</link><description>Tags: Security Analytics</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP1 (Build: 31106.3070)</generator><item><title>New HP Labs Technical Report – “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management”</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2009/07/22/96054.aspx</link><pubDate>Wed, 22 Jul 2009 10:53:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:96054</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2009/07/22/96054.aspx#comments</comments><description>&lt;p&gt;A new HP Labs Technical Report has been released, in the area of Security and Identity Analytics, called &lt;a href="http://www.hpl.hp.com/techreports/2009/HPL-2009-173.html"&gt;&amp;quot;Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management&amp;quot;&lt;/a&gt; by Adrian Baldwin, Marco Casassa Mont,&amp;nbsp; David Pym and Simon Shiu:&lt;/p&gt;
&lt;p&gt;&amp;quot;Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager&amp;#39;s IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.&amp;quot;&lt;/p&gt;
&lt;p&gt;--- Posted by Marco Casassa Mont (&lt;a href="http://www.communities.hp.com/online/blogs/mcm/Default.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;here&lt;/a&gt;)&amp;nbsp; ---&lt;/p&gt;
&lt;p&gt;--- NOTE:&amp;nbsp; use this &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;mirror blog&lt;/a&gt; if you prefer posting on an external blog site &amp;nbsp;---&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=96054" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Analytics/default.aspx">Identity Analytics</category></item><item><title>EEMA e-Identity: Presentation on the Future of the Identity in the Cloud </title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2009/06/30/92647.aspx</link><pubDate>Mon, 29 Jun 2009 22:30:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:92647</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2009/06/30/92647.aspx#comments</comments><description>&lt;p&gt;I recently attended the &lt;a href="http://www.revolutionevents.plus.com/eema/index.htm"&gt;EEMA e-Identity Conference&lt;/a&gt;, in London, 25-26 June 2009. There have been interesting presentations and good talks.&lt;/p&gt;
&lt;p&gt;I also gave a presentation on &amp;quot;&lt;a href="http://www.hpl.hp.com/personal/Marco_Casassa_Mont/Documents/Papers/HPL-IdentityCloud%20-%20EEMA-%20marcocasassamont.ppt"&gt;The Future of Identity in the Cloud: Requirements, Risks and Opportunities&lt;/a&gt;&amp;quot;:&lt;/p&gt;
&lt;p&gt;&amp;quot;This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs&amp;#39; perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.&lt;/p&gt;
&lt;p&gt;The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a closed &amp;amp; controlled approach (within enterprises) to potentially on-the-fly composable and customisable services, in the Cloud. &lt;/p&gt;
&lt;p&gt;Use cases are introduced to illustrate &amp;quot;common&amp;quot; usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks on the weakest points in the service provisioning chain and identity theft.&lt;/p&gt;
&lt;p&gt;This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation). &lt;/p&gt;
&lt;p&gt;I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).&lt;/p&gt;
&lt;p&gt;The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs&amp;#39; medium and long-term vision about how the underlying Cloud infrastructure is going to evolve along with its implications in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environments (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations evaluate and predict the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats.&amp;quot;&lt;/p&gt;
&lt;p&gt;--- Posted by Marco Casassa Mont (&lt;a href="http://www.communities.hp.com/online/blogs/mcm/Default.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;here&lt;/a&gt;)&amp;nbsp; ---&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:small;font-family:Times New Roman;"&gt;
&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=92647" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/identity+management/default.aspx">identity management</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Analytics/default.aspx">Identity Analytics</category></item><item><title>Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes </title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2009/06/30/92646.aspx</link><pubDate>Mon, 29 Jun 2009 22:27:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:92646</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2009/06/30/92646.aspx#comments</comments><description>&lt;p&gt;Another new HP Labs Technical Report has been recently released, called &amp;quot;&lt;a href="http://www.hpl.hp.com/techreports/2009/HPL-2009-142.html"&gt;Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes&lt;/a&gt;&amp;quot; (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):&lt;/p&gt;
&lt;p&gt;&amp;quot;It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations&amp;#39; security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer &amp;quot;what-if&amp;quot; questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders&amp;quot; &lt;/p&gt;
&lt;p&gt;--- Posted by Marco Casassa Mont (&lt;a href="http://www.communities.hp.com/online/blogs/mcm/Default.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;here&lt;/a&gt;)&amp;nbsp; ---&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=92646" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category></item><item><title>Part II: On Applying Modelling and Simulation Techniques to Identity Management</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2008/11/14/part-ii-on-applying-modelling-and-simulation-techniques-to-identity-management.aspx</link><pubDate>Fri, 14 Nov 2008 09:13:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:86608</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2008/11/14/part-ii-on-applying-modelling-and-simulation-techniques-to-identity-management.aspx#comments</comments><description>&lt;font face="Times New Roman" size="3"&gt;&lt;/font&gt;&lt;font face="Times New Roman" size="3"&gt;
&lt;p&gt;Thanks to the readers that sent comments to me (interestingly, by email ...), about my previous post on &amp;quot;&lt;a href="http://www.communities.hp.com/online/blogs/mcm/archive/2008/11/07/on-applying-modelling-and-simulation-techniques-to-identity-management.aspx"&gt;Applying Modeling and Simulation techniques to Identity Management&lt;/a&gt;&amp;quot;. Also feel free to post your comments directly on the blog.&lt;/p&gt;
&lt;p&gt;An interesting question I received was about the overall scope of the R&amp;amp;D work on Identity Analytics, i.e. if it only strictly applies to the Identity Management space. &lt;/p&gt;
&lt;p&gt;I would say that the scope is wide. The goal is to also include economic aspects, people&amp;#39;s behaviours, privacy and privacy management elements along with any IT and business aspects of relevance for the analysed scenario/case study. Our models and simulations indeed represent the (risk mitigation) effects of identity controls: they do it in the context of the scenario of interest, by including the representation of involved processes, data storage, information flows along with relevant applications and services.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;The outcomes of our models can vary, depending on the questions we want to answer, such as ROIs in using specific IdM solutions, trade-offs in investments, impact of controls and security on usability, etc. &lt;/p&gt;
&lt;p&gt;Hope this answers the question.&lt;/p&gt;
&lt;p&gt;Please also have a look at the Demos2k model attached to our recent HP Labs Technical Report &lt;a href="http://www.hpl.hp.com/techreports/2008/HPL-2008-186.html"&gt;HPL-2008-186&lt;/a&gt;, for a few illustrative examples of the above points.&lt;/p&gt;
&lt;p&gt;--- NOTE:&amp;nbsp; use this &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;mirror blog&lt;/a&gt; if you prefer posting on an external blog site &amp;nbsp;---&lt;/p&gt;&lt;/font&gt;&lt;font face="Times New Roman" size="3"&gt;&lt;/font&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=86608" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/identity+management/default.aspx">identity management</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Analytics/default.aspx">Identity Analytics</category></item><item><title>Part II: Risk Management for Unstructured Data in Enterprises</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2008/09/04/part-ii-risk-management-for-unstructured-data-in-enterprises.aspx</link><pubDate>Thu, 04 Sep 2008 13:09:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:84600</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>2</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2008/09/04/part-ii-risk-management-for-unstructured-data-in-enterprises.aspx#comments</comments><description>&lt;p&gt;In a recent post published on the &lt;a href="http://sgciam.wordpress.com/2008/09/04/risk-management-and-information/"&gt;Netweaver Identity Manager Weblog&lt;/a&gt;, the author&amp;nbsp; has made a few comments about my post on &lt;a href="http://www.communities.hp.com/online/blogs/mcm/archive/2008/09/02/risk-management-for-unstructured-data-in-enterprises.aspx"&gt;&amp;quot;Risk Management for Unstructured Data in Enterprises&amp;quot;&lt;/a&gt; (well, actually the published URL to my post is apparently broken ...). &lt;/p&gt;
&lt;p&gt;Thanks for this input, in particular about three main points that I (tried to) summarise as follows:&lt;/p&gt;
&lt;p&gt;1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition ...)&lt;/p&gt;
&lt;p&gt;2) Narrowness of perception of approaches and incompleteness of my list of required solutions&lt;/p&gt;
&lt;p&gt;3) Availability of comprehensive methodology for implementing enterprise wide risk management&lt;/p&gt;
&lt;p&gt;About point 1), this looks pretty much like a philosophical discussion. No doubt that, at the end, we talk about information that has some sort of structure (well, an email has a header, a body with some text and attachments; a document is made of paragraphs or lines of text; ...). However, the (maybe over-hyped) &amp;quot;unstructured data&amp;quot; term is currently used to (a) identify specific types of information and (b) contrast it against classic &amp;quot;structured data&amp;quot; (e.g. information stored in RDBMS repositories, etc.).&amp;nbsp; I think I will stick with this terminology ...&lt;/p&gt;
&lt;p&gt;Back to the key point, recent reports (including the Ponemon Institute&amp;#39;s survey on &amp;quot;Governance of Unstructured Data&amp;quot; and other market and research reports) indeed highlight that the management of unstructured data in enterprises is a rising concern for enterprises, both in terms of governance and risk management. I think this is what really matters - independently from the terminology.&lt;/p&gt;
&lt;p&gt;No doubt that classification of data is an important point, especially if you ever manage to &amp;quot;find&amp;quot; where this &amp;quot;unstructured data&amp;quot; is, within a complex enterprise environment ... I would say that, given the particular nature of &amp;quot;unstructured data&amp;quot;, a preliminary &amp;quot;data discovery&amp;quot; phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations ...).&lt;/p&gt;
&lt;p&gt;About point 2), by no means was my post meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, on &amp;quot;unstructured&amp;quot; information risk management. It was just a statement of some &amp;quot;desirable&amp;quot; properties and capabilities that I would like to see (and I know it would be of some help to customers ...).&lt;/p&gt;
&lt;p&gt;I am well aware of the complexity of the overall &amp;nbsp;(security) &amp;quot;enterprise risk assessment and management&amp;quot; problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These &amp;quot;standards&amp;quot; provide guidelines and criteria to be carefully refined, grounded and contextualized in various &amp;quot;operational&amp;quot; realities, along with some good, common sense ...&lt;/p&gt;
&lt;p&gt;So, no doubt that there are already &amp;quot;comprehensive methodology for implementing enterprise wide risk management&amp;quot;, at least from a consulting perspective, but this was not my main point. &lt;/p&gt;
&lt;p&gt;My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters. &lt;/p&gt;
&lt;p&gt;An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the &lt;a href="http://www.hpl.hp.com/techreports/2008/HPL-2008-84.html"&gt;HPL Technical Report on &amp;quot;Identity Analytics&amp;quot;&lt;/a&gt; that I mentioned a few times - to see what I mean, in more detail (at least from an &amp;quot;IdM perspective&amp;quot;). &lt;/p&gt;
&lt;p&gt;Specifically, one of my R&amp;amp;D interests is in &amp;quot;(semi-) automation&amp;quot; tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment &amp;amp; management activities. This includes providing decision support and &amp;quot;what-if analysis&amp;quot;, involving modeling and simulation, providing trade-off analysis, etc. &lt;/p&gt;
&lt;p&gt;Given the complexity of this space, I deliberately focused on the aspect of &amp;quot;management of unstructured data&amp;quot; and the IdM perspective, well conscious this is just a part of the overall problem and space. &lt;/p&gt;
&lt;p&gt;I hope I clarified this point.&lt;/p&gt;
&lt;p&gt;About point 3), no doubt about this, as I mentioned above.&lt;/p&gt;
&lt;p&gt;However the statement that &amp;quot;comprehensive methodology for implementing enterprise wide risk management is done&amp;quot; sounds (at least to me) a little bit abstract ... &lt;/p&gt;
&lt;p&gt;It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company ...:-)).&lt;/p&gt;
&lt;p&gt;--- NOTE:&amp;nbsp; use this &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;mirror blog&lt;/a&gt; if you prefer posting on an external blog site &amp;nbsp;---&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=84600" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/risk+management/default.aspx">risk management</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Analytics/default.aspx">Identity Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Unstructured+Data/default.aspx">Unstructured Data</category></item><item><title>On Identity Analytics: New HP Labs Technical Report</title><link>http://www.communities.hp.com/online/blogs/mcm/archive/2008/07/09/on-identity-analytics-new-hp-labs-technical-report.aspx</link><pubDate>Wed, 09 Jul 2008 09:35:00 GMT</pubDate><guid isPermaLink="false">964d1d0f-bea0-4201-a2aa-8aa369a35a46:83657</guid><dc:creator>marcocasassamont</dc:creator><slash:comments>0</slash:comments><comments>http://www.communities.hp.com/online/blogs/mcm/archive/2008/07/09/on-identity-analytics-new-hp-labs-technical-report.aspx#comments</comments><description>&lt;p&gt;This community might be interested in a new HPL Technical Report, just released, titled &amp;quot;&lt;a href="http://www.hpl.hp.com/techreports/2008/HPL-2008-84.html"&gt;On Identity Analytics: Setting the Context&lt;/a&gt;&amp;quot; (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu). &lt;/p&gt;
&lt;p&gt;This report reflects R&amp;amp;D work we are doing at HP Labs, &lt;a href="http://www.hpl.hp.com/research/systems_security.html"&gt;Systems Security Lab&lt;/a&gt;. I am very keen on getting your views and input. The abstract of this technical report follows:&lt;/p&gt;
&lt;p&gt;&amp;quot;This paper aims at setting the context for &amp;quot;Identity Analytics&amp;quot; within enterprises and paving the path towards new R&amp;amp;D opportunities. In our vision, Identity Analytics is about explaining and predicting the impact of identity and identity management (along with other related aspects, such as users&amp;#39; behaviours) on key factors of relevance to decision makers (e.g. CIOs, CISOs), in complex enterprise scenarios - based on their initial assumptions and investment decisions. &lt;/p&gt;
&lt;p&gt;Ultimately the goal is to provide rigorous techniques to help decision makers gain a better understanding of the investment trade-offs within the identity space (e.g. investing in technologies vs. changing processes vs. investing in users&amp;#39; education, etc.). This means providing &amp;quot;decision support&amp;quot; and &amp;quot;what-if analysis&amp;quot; capabilities to decision makers enabling them to explore these investment trade-offs, formulate new policies and/or justify existing ones. Our vision of &amp;quot;Identity Analytics&amp;quot; is introduced and discussed, along with the methodology that we intend to adopt. &lt;/p&gt;
&lt;p&gt;There are many research opportunities and challenges in this space: we believe that a scientific approach is required, involving the usage of modelling and simulation techniques, coupled with the understanding of involved technologies and processes, human behaviours and economic aspects. To ground some of the concepts discussed in this paper, we provide an illustration of Identity Analytics focusing on emerging &amp;quot;web 2.0 enterprise collaborative data sharing&amp;quot;, where unstructured information is created, stored and shared by people in collaborative contexts, within and across organisations. We demonstrate how trade-offs can be explored using the modelling approach hence allowing decision makers to explore the different impacts of policy choices.&amp;quot;&lt;/p&gt;
&lt;p&gt;--- NOTE:&amp;nbsp; use this &lt;a href="http://research-on-identitymanagement.blogspot.com/"&gt;mirror blog&lt;/a&gt; if you prefer posting on an external blog site &amp;nbsp;---&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://www.communities.hp.com/online/aggbug.aspx?PostID=83657" width="1" height="1"&gt;</description><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Economics+of+Identity+Management/default.aspx">Economics of Identity Management</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/CIO/default.aspx">CIO</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Security+Analytics/default.aspx">Security Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/trade-offs/default.aspx">trade-offs</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/decision+support+system/default.aspx">decision support system</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/Identity+Analytics/default.aspx">Identity Analytics</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/what-if+analysis/default.aspx">what-if analysis</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/decision+makers/default.aspx">decision makers</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/CISO/default.aspx">CISO</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/simulation/default.aspx">simulation</category><category domain="http://www.communities.hp.com/online/blogs/mcm/archive/tags/modelling/default.aspx">modelling</category></item></channel></rss>