Economics of Identity and Access Management: Providing Decision Support for Investments

Economics of Identity and Access Management: Providing Decision Support for Investments Marco Casassa Mont (marco.casassa-mont@hp.com) Yolanta Beres, David Pym, Simon Shiu HP Labs, Systems Security Lab, Bristol, UK IEEE IFIP BDIM 2010

Presentation Outline Problem: How to Enable Decision Makers to make Informed Decisions about IAM Strategy Economics of Identity an Access Management (IAM) Methodology for Strategic Decision Support IAM Case Study Elicitation of Strategic Preferences Exploring the Impact of IAM Investment by means of Modelling and Simulation Mapping Predicted Outcomes against Decision Makers’ Preferences: Decision Support Discussion and Conclusions

Complexity of Identity and Access Management • Identity and Access Management (IAM) Solutions are widely adopted by Organisations • Common IAM Capabilities: • Business enabler • Support user management • Access control • Compliance • Security Risk Mitigation • However, most Organisations Struggle with their IAM Strategies

IAM Investments vs Other Investments • Enterprises are experiencing an Increasing Number of Internal and External Threats • Scarcity of Resources and Budget to address them all • Decision Makers (CIOs, CISOs etc.) need to Prioritize and Motivate their Requests for Investments • IAM Investments vs Other Possible Security or Business Investments

Addressed Problem Problem: How to enable Decision Makers to make Informed Decisions about their IAM Strategies and Investments? IAM Strategy affects Organisations’ Business in terms of Agility, Productivity, User Experience, Security Risks, … Challenging task: • Very Difficult to determine how different combinations of technology and process affects business outcomes • Little knowledge of future Business Needs and Threat Landscape • Multiple attributes, choices, outcomes and high degree of uncertainty Cost constraints dictate a more and more rigorous approach to: • Making the case for specific investments • Showing due Diligence

On Providing Strategic Decision Support Decision Makers would Love to get Decision Support Capabilities to Simplify their Work Traditional Approaches: • Techniques based on RoSI: Accountancy  Limited as it does not address operational and dynamic aspects • Risk Assessment and Security Practices (ISO 2700x)  Generic, high-level assessment • Solution Providers’ agenda to sell IAM products We argue it is a matter of Understanding and Dealing with IAM Economics …

Presentation Outline Problem: How to Enable Decision Makers to make Informed Decisionsabout IAM Strategy Economics of Identity an Access Management (IAM) Methodology for Strategic Decision Support IAM Case Study Elicitation of Strategic Preferences Exploring the Impact of IAM Investment by means of Modelling and Simulation Mapping Predicted Outcomes against Decision Makers’ Preferences: Decision Support Discussion and Conclusions

On IAM Economics [1/2] • Decision Makers operating in IAM Space must: • Cope with different Tension Points at the Business, Security and Governance Levels • Worry about Trade-offs • Make Informed IT Investment Decisions in an Ever Changing World To Provide Decision Support we need to Understand the Economics that are at the base of these Strategic IT Investments

On IAM Economics [2/2] • We assume there is an Economic Framework where the Value of Different Investment Outcomes can be Explored and Discussed • Need to: • Identify Business and Strategic Outcomes of Concern • Determine different Decision Makers’ Intuitive Views of how these trade-off and preferences for overall outcomes • Traditional IT Metrics can help to Ground the Analysis • Multiple Decision Makers with Different Worries and Priorities: • CISO Security Risks and IT costs • Business and Application Manager  User Productivity • Governance Manager  Compliance to Regulations

IAM: Strategic Outcomes of Interest Decision Makers’ Strategic Outcomes of Interest in the IAM Space: • Security • Productivity • Compliance to Regulation • Costs • … These multiple Objectives Trade-off to each other: • Security Risks vs Productivity • Compliance vs Productivity • All have implications in terms of Budget Need to Identify Decision Makers’ Preferences for Achieving these Objectives

U = ω1 f1 (T1–T1)+ω2 f2 (T2 –T2)+ … +ωn fn (Tn–Tn) Ti: Outcome of Interest Ti: Desired Target ωi: Weight fi: function representing decision maker’s tolerance for variance from targets Quadratic Function vs Linex Function to capture diminishing marginal utility IAM Economics and Utility Functions [1/2] Ideally we could determine a Utility Function of the Decision Maker so that a comparative value can be applied for each outcomes:

U = ω1(SR–SR)2+ω2 (P –P)2+ ω3 f3 (Co–Co)2 + ω3 f3 (C–C)2 IAM Economics and Utility Functions [2/2] In case of IAM Economics an Example of this Utility Function is: SR: Security Risks P: Productivity Co: Compliance C: Costs • In Practice it is hard to Identify this Utility Function purely from an Abstract • Analytic approach – without taking into account the Impact of • IAM Investments on: • operational and business processes • people behaviour • underlying IT systems • security threats

Explore Decision Makers’ Preferences on Strategic Aspects of Relevance Use System Modelling and Simulation to Predict Impact of Different IAM Investments/Choices Map Predicted Outcomes against Strategic Preferences to Identify Suitable Options Overview of Our Approach to Provide Strategic Decision Support - Exploring Impact of various Options - Enables Discussions at Business Level

Methodology for Decision Support [1/4] Integrating two Key Aspects: • Methods from Economics • Executable Mathematical Models of: • Underlying IT Systems and Processes • Dynamic Threat Environments

Methodology for Decision Support [2/4] Characterise Key questions/ problems System Modelling & Analytics Economic Analysis Empirical Data Collection Stakeholders’ Preference Elicitation Cross Fertilisation Validation Model System Processes Utility Function Mapping Outcomes (proxies) To Preferences Simulate & Analyse Evaluate & Recommend

Methodology for Decision Support [3/4] Strategic Preferences are Elicited from Decision Makers by using Targeted Questionnaires to Identify Priorities and Trade-offs Executable Mathematical Models keep into account: • Strategic Preferences • Architectural • Policies • Business and IT Processes • Dynamic Threat Environments Predictions of Models can be Validated against the Targets and Preferences of Decision Makers

Methodology for Decision Support [4/4] Predictions are seen as Proxies to Utility Functions’ Components: Model Model Predictions (Proxies) Utility Function Security Risks Productivity Compliance Costs The Model can be refined as Decision Makers’ understanding of Targets and Preferences might itself be subject to reassessment and refinement

IAM Case Study • Carried out in Collaboration with 3 Security and IAM Experts • Presentation focus is on the Outcomes of 1 Expert that played the CIO/CISO Role for a Major Customer • Case Study based on Large Organisation • Decision Maker had to make Strategic IAM Investment decisions to Support Core Enterprise Business Services, Underpinned by SAP Applications • Decision Maker confirmed that their core Concerns (Strategic Outcomes of Interest) are: • Productivity, Compliance, Security Risks, Costs

IAM Case Study: Targeted Environment

IAM Case Study: Relevant Aspects User Joining, Leaving and Changing Roles • Users can Join, Leave or Change their Roles within the Organisation • Aspects of relevance: • Accurate Management of User Accounts and Rights • Ensure Compliance to Laws • Mitigate Security Risks • Enhance Productivity • Cope with Limited Budgets • Investment Choices are determined by Priorities and Strategic issues of Relevance to Decision Makers Organisation

IAM Investment Options • IAM Investments can be Classified in terms of: • Provisioning • Compliance • Enforcement • IAM Investments have different Impacts on Strategic Outcomes of Interest: • Provisioning  Productivity and Security • Compliance  Governance and Security • Enforcement  Security

Classes of IAM Investments [1/2] We Identified 5 Classes of IAM Investment Levels, in the [1,5] Range, with an increasing Impact in term of Effectiveness of Involved Control Points, Policies and Costs: Productivity 4 5 1 2 3 Compliance 4 5 1 2 3 Enforcement 4 5 1 2 3 Hybrid Approaches Degrees of Automation and Policy Definition Ad-hoc Processes and Manual Approaches Strong Automation and Integration with Security and Business Policies

Classes of IAM Investments [2/2]

Assumptions • The Interviewed IAM Experts stated that Enforcement was not a Major Concern for their organisations as: • Relatively mature area • Implications are reasonably understood • Investments have already been made • We estimated that available Enforcement Investments are comparable to Level 4 in our classifications • IAM Case Study focusing on Exploring Investment options and Trade-offs in the space of Compliance and Provisioning to achieve Strategic Outcomes of Relevance

Security Risks Predicted number of breaches/incidents (e.g. exploitations of credentials, unauthorised accesses, etc. due to internal/external attacks) that happens in 1 year timeframe. We looked for the max number of incidents the decision maker accepts happening and the min number of incidents they would be reasonably comfortable with Productivity Predicted ratio (percentage) of all user accounts (& related access rights) that the organisation would have liked to have been provisioned in 1 year. A productivity of 70% means that only 70% of all the accounts that should have been correctly provisioned actually have been provisioned. Compliance Predicted number of audit findings/violations (e.g. # SOX compliance audit violations) in 1 year. The lower the number, the higher is compliance. Costs Approximated costs in terms of budget ($) to be invested in IAM initiatives in 1 year timeframe. Elicitation of Strategic Preferences [1/5] PHASE I Approach Consisting of Three Phases: • Eliciting Set of Strategic Aspects/Outcomes of Relevance to Decision Makers • Decision Maker confirmed top Strategic Concerns about: • Security Risks • Productivity • Compliance • Costs • Clear Semantic of These Strategic Outcomes along with meaningful • IT Metrics (Proxies) to Estimate them:

Elicitation of Strategic Preferences [2/5] PHASE II • For each Strategic Outcomes asked the Decision Maker about • which “Values” were “Good Enough” and which were “Just Acceptable”: • Min Value: not willing to spend additional money to achieve more • Max Value: level below which Decision Makers get concerned and willing to act on • The Decision Maker Identified a set of Value Ranges: • Security Risks: Min: 1 Max: 3 • Productivity: Min: 100% Max: 100% • Compliance: Min: 1 Max: 1 • Costs: Min: 500K$ Max: 10M$ • Decision Maker biased towards Productivity: key Priority • Costs are not a major issue for this Decision Maker • Some degree of tolerance in terms of Security Risks and Compliance

Security Risks vs. Productivity Exploring how much the decision maker is willing to compromise security in order to improve productivity (or the way around) Productivity vs. Compliance Lack of compliance can sometime be acceptable to increase productivity and the way around (due to stronger controls and bureaucratic processes) Productivity vs. Costs Exploring how much the decision maker is willing to compromise in terms of productivity, based on the involved costs Security Risks vs. Compliance Exploring the relative preferences between security risks and compliance. Strong preferences in the compliance area indicate the attitude at accepting low security risks especially the ones causing audit failures Elicitation of Strategic Preferences [3/5] PHASE III • Asked Decision Maker for their Relative Preferences between • values of Paired Outcomes to highlight Tension Points and • quantify Trade-offs: • Created 4 questionnaires and populated with values elicited in Phase II and • by introducing outliers • Asked the Decision to State their priorities in the [1,5] Range • Used Graphical Diagrams to achieve this

Elicitation of Strategic Preferences [4/5] PHASE III Examples of Instantiated Questionnaires with Decision Makers’ Priorities:

Elicitation of Strategic Preferences [5/5] PHASE III - Results • Decision Maker confirmed bias towards Productivity • Willing to accept Security Risks as long as Productivity is achieved • Compliance has high importance too

Usage of Modelling and Simulation [1/2] • Use Modelling and Simulation Techniques to make Predictions about the Impact of Investment Options • Rigorous Scientific Approach • Enables Next Step – i.e. Mapping Predicted Outcomes to Strategic Preferences to Identify suitable Investments • Approach based on Predictive System Modelling: • Discrete Event Modelling • Systems viewed as having following Components: • Environment • Location • Resource • Process

Usage of Modelling and Simulation [2/2] • HP Labs’ Toolset for Modelling and Simulation based on Mathematical foundations: • GNOSIS (http://www.hpl.hp.com/research/systems_security/gnosis.html) • Advantages over Traditional Analytics approaches • Explicitly represents dynamic dependencies and interactions among Entities, Processes and Decisions • Relevant for IAM Scenario because of the involved variety of Events, Business Processes, Systems and Human Interactions

High-level IAM Model [1/2] • General Model built as a result of our Analysis of IAM Processes • Model Validated by our Security and IAM Experts • Model characterised by: • Status of the System • Set of Processes • Events • Model Parametric to 3 Types of Investments, in the [1,5] Range: • Provisioning, Compliance, Enforcement (Assumption: Level=4)

High-level IAM Model [2/2] User Joining Event User Changing Role(s) Event User Leaving Event Audit Event Internal Attack Event External Attack Event Ex-Employee Attack User Joining Provisioning Process User Changing Role(s) Provisioning Process User leaving Provisioning Process Auditing Process Attack Processes Status Access Status: # BIZ Access # NONBIZ Access # BAD Access # NON Access # Other Access (hanging accounts) Apps Status: Apps Status: #Weak, #Medium, #Strong Measures: # Incidents # Access & Security Compliance Findings # Access & Security Remediation # Access & Security Audit Failures % Productivity • Investment Options [Parameters] • Provisioning Level • Compliance Level • Enforcement Level Compliance Checking & Remediation Process Application Security Weakening Process Application Security Strengthening Process Compliance Check Event App. Security Weakening Event App. Security Strengthening Event

Explicit Modelling of Users’ Access Rights • Model explicitly tracks the Users’ Access Rights for allManaged SAP Applications to: • Capture the Access Posture of the Organisation • Determine the Impact on Strategic Outcomes of Interest • Wrongly Allocated Access Rights encourage Threats/Attacks  Negative Impact on Productivity and Compliance + “Other Access” (Hanging Accounts)

Impact of IAM Investments • IAM Investments are Parameters in the Model: • Provisioning, Compliance Levels in [1,5] Range • Enforcement Level = 4 • The Impacts of IAM Investments are: • Factored in the various Modelled Processes • Represented by keeping into Account the Cause-Effects Relationships that are at the base of Failures, Mistakes and Successes • Driven by Probability Distributions that Depends on these Investments

Modelled Process: User Joining the Organisation

Modelled Process: User Leaving the Organisation

Modelled Process: Compliance Checking and Remediation Process

Modelled Process: Auditing Process

Modelled Processes: Application Security Status

Modelled Processes: Types of Attacks

Modelled Measures • Processes Impact the Status of the Model by modifying the Values of Various Measures, Including: • Number of Occurred Incidents • Number of Access and Security Compliance Findings and Remediation • Number of Access and Security Audit Failures • Productivity • Productivity defined as: • (#BizAccess + #BadAccess)/(#BizAccess + noBizAccess + #BadAccess) • The Above Measures are Proxies to Utility Function’s Components • Cost represented as a function of the Provisioning and Compliance Investment Levels

Assumptions and Parameters [1/2] • Model driven by a Set of Parameters: • Provisioning, Compliance and Enforcement Investment Levels • Status Initialization • Threat Environment • Events • Processes • Probability Distributions associated to these Parameters derived from audit logs, discussions with IAM Experts and IT Teams • Probabilities related to Events modelled as Negative Exponentials • Probabilities related to Likelihood of Mistakes, Faults, etc. vary depending on Levels of IAM Investments, in the [1,5] Range

User Events - Frequency New user: negexp (3.5 days), Leaving user: negexp(7 days), User change: negexp(30 days) Attack Events - Frequency Internal attack: negexp (10days), External attack: negexp (10days), Ex-worker attack: negexp (25days) Provisioning Process sysAdminFailureRate[1,5]=[1/50,1/150,1/250, 1/800,1/1000] bypassProvisioningApprovalRate[1,5]=[1/50,1/100,1/500,1/1000,1/1200] Audit Freq. Audit activity: negexp (180*days) Assumptions and Parameters [2/2] • Examples of a few Parameters: • Considered a Population of 60 SAP Applications • Model Initialised with a small set of Users (10) to explore Impact of • Organisational Changes

Simulations: Predicting the Impact of Investment Choices • Carried out Monte Carlo Simulations for a Simulated Period of 1 year • Considered all Combinations of Provisioning and Compliance Investment Levels: • Provisioning [1,5] * Compliance [1,5]  25 Options • Enforcement Level = 4 • For Each Combination the Model has been run 100 times to get Statistically Relevant Results • Graphically represented the Predicted Average Values of the Proxy Measures associated to the Strategic Outcomes of Interest: • Productivity (Proxy: Productivity) • Security Risks (Proxy: Security Incidents) • Compliance (Proxy: Audit Failures)

Simulation: Outcomes for Productivity • Productivity Increases almost 30% for Provisioning Investment • Levels in the [2,4] Range. Saturates to 100% for Level =5 • Marginal Impact of Compliance

Economics of Identity and Access Management: Providing Decision Support for Investments