Using Modelling and Simulation for Policy Decision Support in Identity Management

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Using Modelling and Simulation for

Policy Decision Support inIdentity Management

Marco Casassa Mont ([email protected])

Adrian Baldwin, Simon Shiu

HP Labs, Systems Security Lab, Bristol, UK

IEEE Policy 2009 SymposiumIEEE Policy 2009 Symposium

mailto:[email protected]

Presentation Outline

• On the Policy Decision Making Process

• Problem: How to Support the Policy Decision Making Process?

• Case Study: Policy Decision Support for Identity and Access Management

• Approach: Predictive Modelling and Simulation

• Discussion and Future Work

• Conclusions

On the Policy Decision Making Process

• The process of Making Decisions about IT (Security) Policies is Complex

• It is driven by Business Objectives, Risk Mitigation, other Organisational Goals …

• Key Decision Makers (e.g. CIOs, CISOs) make final Policy Decisions but …

• Policy Decisions are usually reached through a Consensus-building Process involving various Stakeholders i.e. Domain Experts from Business, Security, Finance, HR, Legal Departments, etc.

4 04/10/23

Organisations’ IT Security Challenges

validation

regulation

Understandthe “Economics”

Develop Policy

IT infrastructureRisk, Assurance, Compliance

Threats, Investments

Decide &DeployPolicies

(Enforcement)

HP Confidential

Current Policy Decision Making & Assessment Process

ExistingPolicies

Is there any

Problem?

NO

YES

Any AgreedAction Plan helping

to Match Policies?

YESAct On Levers/Define Action

Plans

NO Policy FailureRevisit Current

Policies

Discussions about future Action Plansbased on possible “Levers” to act on (e.g. IT Automation, Security Controls, Education, Monitoring and Punishment, etc.)

Informal predictions about impact of choices, based on stakeholders’ expertise.







• Conclusions

Problem Space

• How to Support the Process of Making IT (Security) Policies or Re-assessing Current Ones?

• How to Enable different Stakeholders to bring their Skills and Perspectives to the Discussions whilst Limiting Conflicts and Misunderstandings?

Suggested Approach: Modelling and Simulation

Policies

Is there any

Problem?

NO

Any OutcomeMatching Policies?

YESAct On Levers/Define Action

Plans

NO

YES

Modelling

Simulations by Acting on Different

“Levers”

Refine/Reality-Check

ExploreSpace

Policy FailureRevisit Current

Policies

Modelling and SimulationSupport the Policy DecisionMaking Process by:

• Conveying consistent Explanations and Predictions to to Stakeholders

• Providing “What-if” Analysis

• Providing Information at the Right Level of Abstraction

Modelling and SimulationSupport the Policy DecisionMaking Process by:

• Conveying consistent Explanations and Predictions to to Stakeholders

• Providing “What-if” Analysis

• Providing Information at the Right Level of Abstraction

Case Study in the Identity and Access Management Space Case Study in the Identity and Access Management Space







• Conclusions

Identity and Access Management (IAM)

- Enterprise IAM- Enterprise IAM

• Network Access Control (NAC) • Directory Services• Authentication, Authorization, Audit• Provisioning• Single-Sign-On, Federation• …

• Network Access Control (NAC) • Directory Services• Authentication, Authorization, Audit• Provisioning• Single-Sign-On, Federation• …

- IAM is part of IT Security Strategy - IAM is part of IT Security Strategy • Risk Management• Policy Definitions • Compliance & Governance Practices• Legislation

• Risk Management• Policy Definitions • Compliance & Governance Practices• Legislation

Case Study: User Account Provisioning Management• Provisioning Management deals with Lifecycle Management of

User Identities and Accounts on Protected Resources (PCs, Servers, Business Applications)

• It is about Configuration: Managing User Accounts and Setting and Removing Permissions/Rights

• A wrong or poor User Provisioning could:− Give more than necessary rights to users

− Prevent users from accessing legitimate resources

En

rolm

en

tE

nro

lme

nt

Cu

sto

mis

atio

nC

ust

om

isat

ion

Mo

difi

catio

nM

od

ifica

tion

Re

mo

val

Re

mo

val

User Provisioning Management [1/2]

Aspects involved in Provisioning Management:

Approval Phase

Approval Phase

Deployment & Configuration

Phase

Deployment & Configuration

Phase

WorkforceChanges:- New User- User Changes- User Leaves

WorkforceChanges:- New User- User Changes- User Leaves

Org Changes:- M&A- Re-orgs- lay-offs

Org Changes:- M&A- Re-orgs- lay-offs

GettingAuthorizationsGettingAuthorizations

Configuration on Systems/Apps/Services:

- Create, Modify, Remove User Accounts - Setting Access Rights

Configuration on Systems/Apps/Services:

- Create, Modify, Remove User Accounts - Setting Access Rights

PoliciesPolicies

User Provisioning Management [2/2]

• Provisioning of User Accounts can be carried out with different levels of Automation:−Ad-hoc Processes

−Automated and Centralised Processes

• The Provisioning could be subject to various Failures due to:−User and Administrators’ Misbehaviours

−Cultural Attitudes

−IT and Solutions Failures

−Attacks …

Examples of User Provisioning Policies

• P1: Employees’ user accounts should be provisioned within an organization in max 3 days

• P2: No user account must be provisioned without management approval

• P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval

• P4: Users accounts of people leaving a company must be removed within 2 days the departure date

• P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%

- Are these policies appropriate for a given organisation?

- Are they achievable?

- Which investments and actions are required to meet them?

Policy Decision Makers

• The CIO or CISO or Risk Manager is likely to define or re-assess these Policies and their appropriateness

• However Policy Analysis and Decisions requires Inputs and Consent (buy-in) from several Stakeholders: −Security Experts−Business Experts and Application/Service Owners−Compliance Experts−IT Operation Experts

• These Stakeholders have Different Priorities and Concerns

• They have different Background and Knowledge …

We argue that Modelling and Simulation can Support the

Overall Policy Decision Making Process







• Conclusions

Role of Modelling and Simulation

• Explain current situation to Stakeholders, at different level of Abstractions (with suitable Metrics)

• Provide Consistent Views and Information• Provide Predictions based on potential Policy

Choices and their Impact• Support “What-if” Analysis for Policies • Help exploring “Trade-offs”

We illustrate how this can be achieved, using the IAM

Provisioning Case Study as a Significant Example

Methodology: Overview

Define Situation & Context

Define Situation & Context

CharacteriseKey Questions/

Problems

CharacteriseKey Questions/

Problems

Model SystemProcesses &Hypothesis

Model SystemProcesses &Hypothesis

Simulate &Analyse

Simulate &Analyse

Evaluate &RecommendEvaluate &

Recommend

Test AdequacyTest Adequacy

Data CollectionData CollectionIterativeLearning Process

IterativeLearning Process

Typical Methodology involved in Case StudiesTypical Methodology involved in Case Studies

• Understand Context• Identify Suitable Metrics• Modelling• Simulation• Testing and Reality Checks• Analysis of Outcomes

• Understand Context• Identify Suitable Metrics• Modelling• Simulation• Testing and Reality Checks• Analysis of Outcomes

Case Study on IAM User Provisioning:Context and Assumptions

• The Enterprise has a set of Applications subject to User Provisioning:−5 Core Business Applications

−100 Non-Core Applications

• Current Applications are provisioned with a mix of Approaches:−Ad-hoc Provisioning

−Centralised and Automated Provisioning

• Each of these Provisioning approaches can be described in terms of the involved Approval and Configuration Processes

Case Study on IAM User Provisioning:Focus on Policies

Policies of Interest

• P1: Employees’ user accounts should be provisioned within an organization in max 3 days

• P2: No user account must be provisioned without management approval

• P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval

• P4: Users accounts of people leaving a company must be removed within 2 days the departure date

• P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%

Case Study on IAM User Provisioning:Core Questions and Levers

General Questions • Are these policies appropriate for a given organisation?

• If not, which Investments and Actions are required to (try to) meet them, by acting on available “Levers”?

General Questions • Are these policies appropriate for a given organisation?

• If not, which Investments and Actions are required to (try to) meet them, by acting on available “Levers”?

• “Automation Lever” i.e. Increase or Decrease Investments

on“ Centralised and Automated Provisioning” for Managed Applications

• Change Existing Policies

• Formulate New Policies

• “Automation Lever” i.e. Increase or Decrease Investments

on“ Centralised and Automated Provisioning” for Managed Applications

• Change Existing Policies

• Formulate New Policies

LeversLevers

Case Study on IAM User Provisioning:Identifying Security Metrics [1/3]• A set of High-level Security Metrics has been identified, by

interacting with Different Stakeholders involved in the Policy Decision Making Process

• Different Metrics are relevant to Different Stakeholders when Making Decisions about Policies. Way to convey information to Stakeholders with different viewpoints:

Stakeholder Metrics

Security/Compliance Officers: •Access Accuracy

•Approval Accuracy

Application Owner (Business) •Productivity Cost

IT Operations (IT Budget Holder) •IAM Provisioning Costs

•Provisioning Efforts

Case Study on IAM User Provisioning:Identifying Security Metrics [2/3]

Lower-level Measures are also available from involved processes and systems, that are of interest to System Administrators and Domain Experts:

− Number of correctly configured and mis-configured user accounts; − Number of hanging accounts (people that left); − Overall approval time (delays) for provisioning requests; − Overall configuration/deployment time (delays); − Number of lost approval and deployments/configuration requests; − Number of bypassed approval processes;− Number of successful approval processes

NOTE: High-level Security Metrics can be derived from

these Low-level Measures

Metrics Formula DescriptionAccess Accuracy

1-(w1*UAD+w2*UAM+w3*UAH)/ (UAA) w1, w2, w3 are relevance weights in the [0,1] range, UAD is the number of denied user accounts, UAM is the number of misconfigured user accounts, UAH is the number of hanging user accounts and UAA is the overall number of user account provisioned (for which either there has been approval or the approval process has been bypassed);

Approval Accuracy

#Approved_Provisioning /

(#Approved_Provisioning + # Bypassed_Approvals)

Productivity Costs

[(join_appr_time+ change_appr_time) + (join_prov_time + change_prov_time)] * Unit_cost_per_day + [(#loss_join_appr + #loss_join_prov) + (#loss_change_appr+#loss_change_prov)] *Unit_cost_lost.

keeps into account loss of productivity due to waiting time (for the approval and deployment phases) and for lost of approval and deployment activities. The impact of these costs are weighted by constants for “unit cost per day” and “unit cost per loss”.

IAM Automation Cost

Fixed_Costs + Variable_Costs*Num_IAM_Automated_Apps

Estimated costs of running automated IAM provisioning processes, depending of fixed costs (e.g. fixed yearly fee) and variable costs (e.g. additional license fees depending on the number of provisioned applications)

IAM Effort #IAM_automated_provisioning_activities

Ad-hoc Effort #Ad-Hoc_provisoning_activities

Case Study on IAM User Provisioning:Identifying Security Metrics [3/3]

More Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.htmlMore Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html

http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html


Modelling Activity

• Focus on the “Key Questions” and available Levers (e.g. Automation Lever)

• Identify what needs to be Modelled to achieve this:−Relevant Events affecting Provisioning activities

i.e. people joining, leaving, changing roles

−Processes involved “ad-hoc” and “centralised & automated” provisioning for approval and deployment

−Cause-effect relationships of relevance to calculate measures and security metrics

− Threats

UsersJoining

External Events

UsersLeaving

UsersChanging

Roles

Ad-Hoc IAM Provisioning Processes

Automated & Central IAM Provisioning Process

ApprovalProcess

ApprovalProcess

Config./Deployment

Process

Config./Deployment

Process

failures & delays failures & delays

failures & delays failures & delays

Simulation State

Low-level Measures• #Account misconf.• #Account hanging• #Account wrong• Delays• …

High-level Metrics• Access Accuracy• Approval Accuracy• Productivity Costs• IAM Prov. Costs• Effort Levels• …

Simulation Measures

Requests toAdd/Modify/DeleteUser Accounts onManaged Applications

Dat

a &

Out

com

e A

naly

sis

Threats

ProcessFailures

BypassedApprovals

Criminal Conducts

InternalAttacks

FraudsExternalAttacks

Threats ImpactingIAM ProvisioningProcesses and/orFuelled by Them

High-Level Model

User Joins User LeavesUserChanges Role

Events

For each affected

Application:

User Profile- Role- Set of req. Apps- Location/Region

App Profile- ad-hoc/centrally managed- Admin Location/Region- Entitle mgmt team & profile- Available IAM Controls

User Profile- Role- Set of req. Apps- Location/Region

User Profile- Roles- Set of req. Apps- Location/Region

For each affected

Application:

Application/Service Profiles- ad-hoc/centrally managed- Admin Location/Region- Provisioning mgmt team & profile- Available IAM Controls

Types of Changes onAffected apps?

“Joining”

“Leaving”

For each affected

Application:

“Changing”

Application/Service Profiles- ad-hoc/centrally managed- Admin Location/Region- Provisioning mgmt team & profile- Available IAM Controls

User Joining:

IAM ProvisioningManagement

ProcessUser

Changing Role:IAM Provisioning

ManagementProcess

UserLeaving:

IAM ProvisioningManagement

Process

Provisioning Model: Details [1/4]

Request for each affected

Application:

Waiting timeTo Process Approval

Request

Measure:User Joins - time to get

Approval

Prob. LossApprovalRequest?

Waiting timeTo Deploy/COnfig

Measure:time to deploy(conf. account)

Prob.Loss Deployment

Activity?

NO

NO

Measure:# Lost Approval

Requests(Denied Access)

YES

Prob.Misconfig?

Measure:#Misconfigured

Account

YES

YES

YES

YES

Measure:#Lost Deployment

Activities

NO

YES

Application Profile- ad-hoc/centrally managed- Admin Location/Region- Provisioning mgmt team & profile- Available IAM Controls

User Joining: Provisioning Management Process

Dependency on:- regional/local attitudes- presence of automation (e.g. notification workflow)

Dependency on:- regional/local attitudes- available resources (admin, mgmt). - presence of automation (e.g. IAM provisioning solution)- type of applications

Dependency on:- regional/local attitudes- available resources- presence of IAM automation: provisioning & deployment

Dependency on:- regional/local attitudes- available resources- presence of IAM automation: provisioning & deployment

Dependency on:- regional/local attitudes available resources- presence of IAM automation: provisioning & deployment

Carry on,without auth.


Request for each affected

Application:

Waiting timeto Process Approval

Request

Measure:User Change - time to get

Approval


Waiting timeTo Deploy

Measure:time to deploy(conf. account)

Prob.Loss Execution

Activity?

NO

NO

Measure:# Lost Approval Requests

(Misconfigured Access)

YES

Prob.Misconfig?

Measure:# Misconfigured

Account

YES

YES

YES

YES

Measure:#Lost Deployment

Activities

NO

YES

User Changing Roles: Provisioning Management ProcessApplication Profile- ad-hoc/centrally managed- Admin Location/Region- Provisioning mgmt team & profile- Available IAM Controls

Dependency on:- regional/local attitudes- presence of automation (e.g. notification workflow)- type of applications

Dependency on:- regional/local attitudes- available resources- presence of automation (e.g. IAM provisioning solution)- type of applications



Carry on,without auth.

Dependency on:- regional/local attitudes- available resources. Contention?- presence of IAM automation: provisioning & deployment


Request for each affected Apps:

Waiting timeTo Process Auth.

Request

Measure:User Leaves - time to get

Approval


Waiting timeTo Deploy

Measure:time to deploy

(remove Account)

Prob.Loss Execution

Activity?

NO

NO

Measure:# Lost Approval

Requests (hangingaccounts)

YES

YES

YES

YES

Measure:#Loss DeploymentActivities (hanging

account)

App Profile- ad-hoc/centrally managed- Admin Location/Region- Entitle mgmt team & profile- Available IAM Controls

User Leaving: Provisioning Management Process


Dependency on:- regional/local attitudes- available resources. Contention?- presence of automation (e.g. notification workflow)- type of applications


Dependency on:- regional/local attitudes- available resources. Contention?- presence of IAM automation: provisioning & deployment


Simulation Activity

• Run Monte Carlo Simulations of the Model to:−Explore and Justify Current Situation

−Provide “What-If” Predictions by acting on Available “Levers”

• Analyse and Interpret the Simulation Outcomes

to Support the Policy Decision Making Process−Provide meaningful Results to Different

Stakeholders

−Map these results to the implications for Policies

Case Study: Simulation Plan

• Explore impact on Metrics and other Measures based on Current Situation

• Are Policies satisfied?

Experiment Core Business Applications

(5 Apps)

Non Core Business Applications

(100 Apps)

CASE #1 – Provisioning

CURRENT SITUATION automation: 2 Apps

ad-hoc: 3 Apps

automation: 10 Apps

ad-hoc : 90 Apps

Simulation Time: 1 year - Number of runs: 100Simulation Time: 1 year - Number of runs: 100

Ac

cu

rac

y M

ea

su

res

0.83

1

0.84

AccessAccuracy

ApprovalAccuracy

Co

st

Me

as

ure

s 33855

11200

ProductivityCosts

IAM ProvisioningCosts

EffortLevel

3480 1032

#Ad-Hoc Provisioning Activities # Automated Prov. Activities

0.5

1000

020

000

3000

040

000

Simulation Outcomes Current Situation - Security Metrics

# Hanging Accounts # Denied Good Accounts # Misconfigured Accounts

Overall Approval Time Overall Deployment Time Bypassed Approval Step

Simulation Outcomes Current Situation - Low-level Security Measures

Some Observations about Outcomes …

• The Estimated Values of Security Metrics and Metrics are based on Common Assumptions and consistently determined by Model & Simulations

• E.g. Access Accuracy = 0.83 (mean value)

• So, the organisations is failing in implementing Policy P5 …

P5: The accuracy of the provisioning process (in

terms of correctly configured user accounts on

protected resources) should never be less than 0.99%

• What-If analysis can be carried out to explore how to address this by acting on available Levers

Experiments Core Business Applications

(5 Apps)

Non Core Business Applications

(100 Apps)

CASE #1 – Provisioning

CURRENT SITUATION automation: 2 Apps

ad-hoc: 3 Apps

automation: 10 Apps

ad-hoc : 90 Apps

CASE #2

(WHAT-IF CASE) automation: 3 Apps

ad-hoc : 2 Apps

automation : 40 Apps

ad-hoc : 60 Apps

CASE #3

(WHAT-IF CASE)automation: 4 Apps

ad-hoc : 1 Apps

automation : 70 Apps

ad-hoc : 30 Apps

CASE #4

(WHAT-IF CASE)automation: 5 Apps

ad-hoc : 0 Apps

automation: 100 Apps

ad-hoc: 0 Apps

Simulation: What-IF Analysis – Experiments

Acting on the “Automation” Lever:Acting on the “Automation” Lever:

Case #1Current State

0.830.89 0.94

0.990.84

0.90 0.95 1

EffortLevel

3480 1032 1134 3378 45122281 2230

AccessAccuracy

ApprovalAccuracy

ProductivityCost

IDM ProvisioningCosts

#Ad-Hoc Provisioning Activities # Automated Prov. Activities

Case #2

Case #3

Case #4

Acc

ura

cy

Mea

su

res 1

Co

st M

easu

res

0.5

10

000

20

000

30

000

40

000

338

55

257

53

179

49

104

03

112

00

143

00

174

00

205

00

Simulation Outcomes: What-IF Analysis - Security Metrics

Some Observations about Outcomes …

• Only “Case #4” ensures that the organisations can met Policy P5 …

P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%

• However the involved “IDM Provisioning Costs” are almost doubling, compared to Current Situation …

• Wouldn’t be better to change policies to be compliant with “Case#2” or “Case#3”?

Policy Decision Makers now have consistent Metrics and Measures to support their decisions based on What-IF analysis

…







• Conclusions

Related Work• Lot of literature on how to use mathematical modelling to

affect policy decisions, but in areas such as Management Science, Hydrology, Land Usage, Environmental Contexts …

The area of Policy Decision Support for Security, Privacy and IDM is still a green field

• Key work done in applying Modelling and Simulation in specific areas such as Password Policies (Purdue), Identity Fishing, Access Control …

Not focusing on the problem about how to provide support to different stakeholders for policy decision making

• Our work is complimentary to work done in security and risk management standards, such as ISO 27001, CoBit, ITIL, etc. which describe general bet practices and Methodologies

We use this as drivers by ground the reasoning to specific environments

Discussion and Future Work• We have a full working, implemented model for the IAM

Provisioning Case Study. Full details about this work (model, results, etc.) are available in a HPL Technical Report: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html

• This model has been internally tested to support policy decision making for IAM Provisioning

• This is just an example of “Identity Analytics” work, by applying Modelling and Simulation techniques to the IAM space.

• Future work involves exploring multiple IAM areas and their impact on policies, organisations’ investments an strategies:− Enterprise Single-Sign-On

− Authentication and Authorization Strategies

− IAM Outsourcing

− IAM as a Service

− Impact on IAM in the Cloud and Web 2.0 Scenarios

− …








• Conclusions

Conclusions

• The Process of Policy Decision Making in organisations is Complex

• Many stakeholders are involved: need to form good opinions and deal with politics and the process of reaching consensus

• Modelling and Simulation methods can help, by providing consistent and objective analysis to multiple stakeholders at different level of abstractions

• We illustrated how this has been successfully achieved in the IAM Provisioning Case Study

• This I work in progress. More to come in the context of R&D research at HP Labs Systems Security Lab, Identity Analytics

activity …

Thanks and Q&A

Contact: Marco Casassa Mont, HP Labs, [email protected] Contact: Marco Casassa Mont, HP Labs, [email protected]



04/10/2345 HP Confidential

Using Modelling and Simulation for Policy Decision Support in Identity Management

Technology

Transcript of Using Modelling and Simulation for Policy Decision Support in Identity Management