Using Modelling and Simulation for Policy Decision Support in Identity Management
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Using Modelling and Simulation for Policy Decision Support in Identity Management
Marco Casassa Mont ([email protected])
Adrian Baldwin, Simon Shiu
HP Labs, Systems Security Lab, Bristol, UK
IEEE Policy 2009 Symposium
Presentation Outline
• On the Policy Decision Making Process
• Problem: How to Support the Policy Decision Making Process?
• Case Study: Policy Decision Support for Identity and Access Management
• Approach: Predictive Modelling and Simulation
• Discussion and Future Work
• Conclusions
On the Policy Decision Making Process
• The process of Making Decisions about IT (Security) Policies is Complex
• It is driven by Business Objectives, Risk Mitigation, other Organisational Goals …
• Key Decision Makers (e.g. CIOs, CISOs) make final Policy Decisions but …
• Policy Decisions are usually reached through a Consensus-building Process involving various Stakeholders i.e. Domain Experts from Business, Security, Finance, HR, Legal Departments, etc.
Organisations’ IT Security Challenges
[Figure labels: Understand the “Economics”; Develop Policy; Decide & Deploy Policies (Enforcement); IT infrastructure; Risk, Assurance, Compliance; Threats, Investments; validation; regulation]
HP Confidential
Current Policy Decision Making & Assessment Process
[Flowchart: Existing Policies → Is there any Problem? (NO / YES) → Any Agreed Action Plan helping to Match Policies? YES: Act On Levers/Define Action Plans. NO: Policy Failure, Revisit Current Policies]
Discussions about future Action Plans based on possible “Levers” to act on (e.g. IT Automation, Security Controls, Education, Monitoring and Punishment, etc.)
Informal predictions about impact of choices, based on stakeholders’ expertise.
Problem Space
• How to Support the Process of Making IT (Security) Policies or Re-assessing Current Ones?
• How to Enable different Stakeholders to bring their Skills and Perspectives to the Discussions whilst Limiting Conflicts and Misunderstandings?
Suggested Approach: Modelling and Simulation
[Flowchart: Policies → Is there any Problem? (NO / YES) → Modelling → Simulations by Acting on Different “Levers” (Explore Space; Refine/Reality-Check) → Any Outcome Matching Policies? YES: Act On Levers/Define Action Plans. NO: Policy Failure, Revisit Current Policies]
Modelling and Simulation Support the Policy Decision Making Process by:
• Conveying consistent Explanations and Predictions to Stakeholders
• Providing “What-if” Analysis
• Providing Information at the Right Level of Abstraction
Case Study in the Identity and Access Management Space
Identity and Access Management (IAM)
- Enterprise IAM
• Network Access Control (NAC)
• Directory Services
• Authentication, Authorization, Audit
• Provisioning
• Single-Sign-On, Federation
• …
- IAM is part of IT Security Strategy
• Risk Management
• Policy Definitions
• Compliance & Governance Practices
• Legislation
Case Study: User Account Provisioning Management
• Provisioning Management deals with Lifecycle Management of User Identities and Accounts on Protected Resources (PCs, Servers, Business Applications)
• It is about Configuration: Managing User Accounts and Setting and Removing Permissions/Rights
• A wrong or poor User Provisioning could:
− Give more than necessary rights to users
− Prevent users from accessing legitimate resources
[Figure: account lifecycle stages: Enrolment, Customisation, Modification, Removal]
User Provisioning Management [1/2]
Aspects involved in Provisioning Management:
• Workforce Changes: New User, User Changes, User Leaves
• Org Changes: M&A, Re-orgs, Lay-offs
• Approval Phase: Getting Authorizations
• Deployment & Configuration Phase: Configuration on Systems/Apps/Services (Create, Modify, Remove User Accounts; Setting Access Rights)
• Policies
User Provisioning Management [2/2]
• Provisioning of User Accounts can be carried out with different levels of Automation:
− Ad-hoc Processes
− Automated and Centralised Processes
• The Provisioning could be subject to various Failures due to:
− User and Administrators’ Misbehaviours
− Cultural Attitudes
− IT and Solutions Failures
− Attacks …
Examples of User Provisioning Policies
• P1: Employees’ user accounts should be provisioned within an organization in max 3 days
• P2: No user account must be provisioned without management approval
• P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval
• P4: User accounts of people leaving a company must be removed within 2 days of the departure date
• P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
- Are these policies appropriate for a given organisation?
- Are they achievable?
- Which investments and actions are required to meet them?
Policy Decision Makers
• The CIO or CISO or Risk Manager is likely to define or re-assess these Policies and their appropriateness
• However, Policy Analysis and Decisions require Inputs and Consent (buy-in) from several Stakeholders:
− Security Experts
− Business Experts and Application/Service Owners
− Compliance Experts
− IT Operation Experts
• These Stakeholders have Different Priorities and Concerns
• They have different Backgrounds and Knowledge …
We argue that Modelling and Simulation can Support the Overall Policy Decision Making Process
Role of Modelling and Simulation
• Explain the current situation to Stakeholders, at different Levels of Abstraction (with suitable Metrics)
• Provide Consistent Views and Information
• Provide Predictions based on potential Policy Choices and their Impact
• Support “What-if” Analysis for Policies
• Help exploring “Trade-offs”
We illustrate how this can be achieved, using the IAM Provisioning Case Study as a Significant Example
Methodology: Overview
[Diagram: an Iterative Learning Process linking Define Situation & Context, Characterise Key Questions/Problems, Model System Processes & Hypothesis, Simulate & Analyse, Evaluate & Recommend, with Test Adequacy and Data Collection]
Typical Methodology involved in Case Studies
• Understand Context
• Identify Suitable Metrics
• Modelling
• Simulation
• Testing and Reality Checks
• Analysis of Outcomes
Case Study on IAM User Provisioning: Context and Assumptions
• The Enterprise has a set of Applications subject to User Provisioning:
− 5 Core Business Applications
− 100 Non-Core Applications
• Current Applications are provisioned with a mix of Approaches:
− Ad-hoc Provisioning
− Centralised and Automated Provisioning
• Each of these Provisioning approaches can be described in terms of the involved Approval and Configuration Processes
Case Study on IAM User Provisioning: Focus on Policies
Policies of Interest
• P1: Employees’ user accounts should be provisioned within an organization in max 3 days
• P2: No user account must be provisioned without management approval
• P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval
• P4: User accounts of people leaving a company must be removed within 2 days of the departure date
• P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
Case Study on IAM User Provisioning: Core Questions and Levers
General Questions
• Are these policies appropriate for a given organisation?
• If not, which Investments and Actions are required to (try to) meet them, by acting on available “Levers”?
Levers
• “Automation Lever” i.e. Increase or Decrease Investments on “Centralised and Automated Provisioning” for Managed Applications
• Change Existing Policies
• Formulate New Policies
Case Study on IAM User Provisioning: Identifying Security Metrics [1/3]
• A set of High-level Security Metrics has been identified, by interacting with Different Stakeholders involved in the Policy Decision Making Process
• Different Metrics are relevant to Different Stakeholders when Making Decisions about Policies. Way to convey information to Stakeholders with different viewpoints:
Stakeholder: Metrics
− Security/Compliance Officers: Access Accuracy; Approval Accuracy
− Application Owner (Business): Productivity Cost
− IT Operations (IT Budget Holder): IAM Provisioning Costs; Provisioning Efforts
Case Study on IAM User Provisioning: Identifying Security Metrics [2/3]
Lower-level Measures are also available from involved processes and systems, that are of interest to System Administrators and Domain Experts:
− Number of correctly configured and mis-configured user accounts
− Number of hanging accounts (people that left)
− Overall approval time (delays) for provisioning requests
− Overall configuration/deployment time (delays)
− Number of lost approval and deployments/configuration requests
− Number of bypassed approval processes
− Number of successful approval processes
NOTE: High-level Security Metrics can be derived from these Low-level Measures
Case Study on IAM User Provisioning: Identifying Security Metrics [3/3]
Metrics: Formula and Description
• Access Accuracy: 1 - (w1*UAD + w2*UAM + w3*UAH) / UAA
  w1, w2, w3 are relevance weights in the [0,1] range, UAD is the number of denied user accounts, UAM is the number of misconfigured user accounts, UAH is the number of hanging user accounts and UAA is the overall number of user accounts provisioned (for which either there has been approval or the approval process has been bypassed).
• Approval Accuracy: #Approved_Provisioning / (#Approved_Provisioning + #Bypassed_Approvals)
• Productivity Costs: [(join_appr_time + change_appr_time) + (join_prov_time + change_prov_time)] * Unit_cost_per_day + [(#loss_join_appr + #loss_join_prov) + (#loss_change_appr + #loss_change_prov)] * Unit_cost_lost
  Takes into account the loss of productivity due to waiting time (for the approval and deployment phases) and to lost approval and deployment activities. The impact of these costs is weighted by constants for “unit cost per day” and “unit cost per loss”.
• IAM Automation Cost: Fixed_Costs + Variable_Costs*Num_IAM_Automated_Apps
  Estimated costs of running automated IAM provisioning processes, depending on fixed costs (e.g. fixed yearly fee) and variable costs (e.g. additional license fees depending on the number of provisioned applications).
• IAM Effort: #IAM_automated_provisioning_activities
• Ad-hoc Effort: #Ad-Hoc_provisioning_activities
More Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html
Modelling Activity
• Focus on the “Key Questions” and available Levers (e.g. Automation Lever)
• Identify what needs to be Modelled to achieve this:
− Relevant Events affecting Provisioning activities, i.e. people joining, leaving, changing roles
− Processes involved in “ad-hoc” and “centralised & automated” provisioning, for approval and deployment
− Cause-effect relationships of relevance to calculate measures and security metrics
− Threats
High-Level Model
[Diagram: External Events (Users Joining, Users Leaving, Users Changing Roles) generate Requests to Add/Modify/Delete User Accounts on Managed Applications. Requests are handled by the Ad-Hoc IAM Provisioning Processes or by the Automated & Central IAM Provisioning Process, each made of an Approval Process and a Config./Deployment Process subject to failures & delays. Threats Impacting IAM Provisioning Processes and/or Fuelled by Them: Process Failures, Bypassed Approvals, Criminal Conducts, Internal Attacks, Frauds, External Attacks. Simulation State and Simulation Measures: Low-level Measures (#Account misconf., #Account hanging, #Account wrong, Delays, …) and High-level Metrics (Access Accuracy, Approval Accuracy, Productivity Costs, IAM Prov. Costs, Effort Levels, …), feeding Data & Outcome Analysis.]
Provisioning Model: Details [1/4]
[Diagram: Events (User Joins, User Leaves, User Changes Role) are combined with the User Profile (Roles, Set of req. Apps, Location/Region) and the Application/Service Profiles (ad-hoc/centrally managed, Admin Location/Region, Provisioning mgmt team & profile, Available IAM Controls). Types of Changes on Affected apps: “Joining”, “Changing”, “Leaving”. For each affected Application the matching IAM Provisioning Management Process is run: User Joining, User Changing Role or User Leaving.]
Provisioning Model: Details [2/4]
User Joining: Provisioning Management Process
[Flowchart, recovered labels]
• Request for each affected Application (Application Profile: ad-hoc/centrally managed; Admin Location/Region; Provisioning mgmt team & profile; Available IAM Controls)
• Waiting time to Process Approval Request. Measure: User Joins - time to get Approval
• Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (Denied Access). NO: continue
• Waiting time to Deploy/Config. Measure: time to deploy (conf. account)
• Prob. Loss Deployment Activity? YES: Measure: # Lost Deployment Activities. NO: continue
• Prob. Misconfig? YES: Measure: # Misconfigured Account
• A “Carry on, without auth.” branch is also shown
• Dependencies annotated on the steps: regional/local attitudes; available resources (admin, mgmt); presence of automation (e.g. notification workflow, IAM provisioning solution); presence of IAM automation: provisioning & deployment; type of applications
Provisioning Model: Details [3/4]
User Changing Roles: Provisioning Management Process
[Flowchart, recovered labels]
• Request for each affected Application (Application Profile: ad-hoc/centrally managed; Admin Location/Region; Provisioning mgmt team & profile; Available IAM Controls)
• Waiting time to Process Approval Request. Measure: User Change - time to get Approval
• Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (Misconfigured Access). NO: continue
• Waiting time to Deploy. Measure: time to deploy (conf. account)
• Prob. Loss Execution Activity? YES: Measure: # Lost Deployment Activities. NO: continue
• Prob. Misconfig? YES: Measure: # Misconfigured Account
• A “Carry on, without auth.” branch is also shown
• Dependencies annotated on the steps: regional/local attitudes; available resources (Contention?); presence of automation (e.g. notification workflow, IAM provisioning solution); presence of IAM automation: provisioning & deployment; type of applications
Provisioning Model: Details [4/4]
User Leaving: Provisioning Management Process
[Flowchart, recovered labels]
• Request for each affected App (App Profile: ad-hoc/centrally managed; Admin Location/Region; Entitle mgmt team & profile; Available IAM Controls)
• Waiting time to Process Auth. Request. Measure: User Leaves - time to get Approval
• Prob. Loss Approval Request? YES: Measure: # Lost Approval Requests (hanging accounts). NO: continue
• Waiting time to Deploy. Measure: time to deploy (remove Account)
• Prob. Loss Execution Activity? YES: Measure: # Loss Deployment Activities (hanging account)
• Dependencies annotated on the steps: regional/local attitudes; available resources (Contention?); presence of automation (e.g. notification workflow); presence of IAM automation: provisioning & deployment; type of applications
Simulation Activity
• Run Monte Carlo Simulations of the Model to:
− Explore and Justify Current Situation
− Provide “What-If” Predictions by acting on Available “Levers”
• Analyse and Interpret the Simulation Outcomes to Support the Policy Decision Making Process
− Provide meaningful Results to Different Stakeholders
− Map these results to the implications for Policies
Case Study: Simulation Plan
• Explore impact on Metrics and other Measures based on Current Situation
• Are Policies satisfied?
Experiment: CASE #1 – Provisioning, CURRENT SITUATION
− Core Business Applications (5 Apps): automation: 2 Apps; ad-hoc: 3 Apps
− Non Core Business Applications (100 Apps): automation: 10 Apps; ad-hoc: 90 Apps
Simulation Time: 1 year - Number of runs: 100
Simulation Outcomes Current Situation - Security Metrics
[Bar charts, data labels]
• Accuracy Measures: Access Accuracy 0.83; Approval Accuracy 0.84
• Cost Measures: Productivity Costs 33855; IAM Provisioning Costs 11200
• Effort Level: # Ad-Hoc Provisioning Activities 3480; # Automated Prov. Activities 1032
Simulation Outcomes Current Situation - Low-level Security Measures
[Charts: # Hanging Accounts; # Denied Good Accounts; # Misconfigured Accounts; Overall Approval Time; Overall Deployment Time; Bypassed Approval Step]
Some Observations about Outcomes …
• The Estimated Values of Security Metrics and Measures are based on Common Assumptions and consistently determined by Model & Simulations
• E.g. Access Accuracy = 0.83 (mean value)
• So, the organisation is failing to implement Policy P5 …
P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
• What-If analysis can be carried out to explore how to address this by acting on available Levers
Simulation: What-IF Analysis – Experiments
Acting on the “Automation” Lever:
Experiments, for Core Business Applications (5 Apps) and Non Core Business Applications (100 Apps):
• CASE #1 – Provisioning, CURRENT SITUATION: core automation: 2 Apps, ad-hoc: 3 Apps; non-core automation: 10 Apps, ad-hoc: 90 Apps
• CASE #2 (WHAT-IF CASE): core automation: 3 Apps, ad-hoc: 2 Apps; non-core automation: 40 Apps, ad-hoc: 60 Apps
• CASE #3 (WHAT-IF CASE): core automation: 4 Apps, ad-hoc: 1 Apps; non-core automation: 70 Apps, ad-hoc: 30 Apps
• CASE #4 (WHAT-IF CASE): core automation: 5 Apps, ad-hoc: 0 Apps; non-core automation: 100 Apps, ad-hoc: 0 Apps
Simulation Outcomes: What-IF Analysis - Security Metrics
[Bar charts, data labels in the order Case #1 (Current State), Case #2, Case #3, Case #4]
• Access Accuracy: 0.83, 0.89, 0.94, 0.99
• Approval Accuracy: 0.84, 0.90, 0.95, 1
• Productivity Cost: 33855, 25753, 17949, 10403
• IDM Provisioning Costs: 11200, 14300, 17400, 20500
• Effort Level (# Ad-Hoc Provisioning Activities, # Automated Prov. Activities): 3480 and 1032 for Case #1; the remaining data labels read 1134, 3378, 4512, 2281, 2230
Some Observations about Outcomes …
• Only “Case #4” ensures that the organisation can meet Policy P5 …
P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
• However, the involved “IDM Provisioning Costs” almost double compared to the Current Situation …
• Wouldn’t it be better to change policies to be compliant with “Case#2” or “Case#3”?
Policy Decision Makers now have consistent Metrics and Measures to support their decisions based on What-IF analysis
…
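The what-if procedure above, together with the Access Accuracy, Approval Accuracy and IAM Automation Cost formulas from the metrics slide, as an added example (not the presentation's or the HPL model's code). The failure probabilities, workload, unit weights and cost constants are assumptions; only the automation split per case comes from the slides, and delays and Productivity Costs are left out.

```python
import random
from statistics import mean

# ASSUMED per-request probabilities per provisioning style (illustrative; not from the slides).
PROCESS = {"adhoc": {"bypass": 0.18, "lost_appr": 0.05, "lost_deploy": 0.05, "misconf": 0.12},
           "auto": {"bypass": 0.0, "lost_appr": 0.002, "lost_deploy": 0.002, "misconf": 0.003}}
# Automation lever from the slides: (automated core apps of 5, automated non-core apps of 100).
CASES = {"Case #1": (2, 10), "Case #2": (3, 40), "Case #3": (4, 70), "Case #4": (5, 100)}
# Measure hit by a lost request: join -> denied, change -> misconfigured, leave -> hanging.
LOSS_MEASURE = {"join": "UAD", "change": "UAM", "leave": "UAH"}
EVENTS_PER_YEAR, APPS_PER_EVENT = 400, 3  # ASSUMED workload
FIXED_COST, COST_PER_APP = 10000, 100     # ASSUMED; they reproduce the slides' cost figures
P5_TARGET = 0.99  # slides write "0.99%"; read here on the metric's 0..1 scale (assumption)


def access_accuracy(m, w=(1.0, 1.0, 1.0)):
    """1 - (w1*UAD + w2*UAM + w3*UAH) / UAA; weights of 1 are an assumption."""
    return 1 - (w[0] * m["UAD"] + w[1] * m["UAM"] + w[2] * m["UAH"]) / m["UAA"]


def approval_accuracy(m):
    """#Approved_Provisioning / (#Approved_Provisioning + #Bypassed_Approvals)."""
    return m["approved"] / (m["approved"] + m["bypassed"])


def iam_automation_cost(case):
    """Fixed_Costs + Variable_Costs * Num_IAM_Automated_Apps."""
    return FIXED_COST + COST_PER_APP * sum(CASES[case])


def provision(kind, style, rng, m):
    """Walk one request through the approval phase, then deployment."""
    p = PROCESS[style]
    if rng.random() < p["bypass"]:
        m["bypassed"] += 1            # "carry on, without auth."
    elif rng.random() < p["lost_appr"]:
        m[LOSS_MEASURE[kind]] += 1    # approval request lost, nothing deployed
        return
    else:
        m["approved"] += 1
    m["UAA"] += 1                     # provisioned: approved or bypassed
    if rng.random() < p["lost_deploy"]:
        m[LOSS_MEASURE[kind]] += 1    # deployment activity lost
    elif kind != "leave" and rng.random() < p["misconf"]:
        m["UAM"] += 1                 # account configured wrongly


def simulate_year(case, rng):
    """One simulated year. Apps 0-4 are core, 5-104 non-core; first N of each are automated."""
    core_auto, noncore_auto = CASES[case]
    style = ["auto" if i < core_auto else "adhoc" for i in range(5)]
    style += ["auto" if i < noncore_auto else "adhoc" for i in range(100)]
    m = dict.fromkeys(("UAD", "UAM", "UAH", "UAA", "approved", "bypassed"), 0)
    for _ in range(EVENTS_PER_YEAR):
        kind = rng.choice(("join", "change", "leave"))
        for app in rng.sample(range(105), APPS_PER_EVENT):
            provision(kind, style[app], rng, m)
    return m


def what_if(runs=100, seed=1):
    """Monte Carlo over every case; return the mean high-level metrics per case."""
    rng, results = random.Random(seed), {}
    for case in CASES:
        years = [simulate_year(case, rng) for _ in range(runs)]
        access = mean(access_accuracy(m) for m in years)
        results[case] = {"access": access, "approval": mean(approval_accuracy(m) for m in years),
                         "cost": iam_automation_cost(case), "meets_P5": access >= P5_TARGET}
    return results


if __name__ == "__main__":
    for case, r in what_if().items():
        print(case, r)
```

Changing one entry in `PROCESS` or `CASES` and re-running shows how sensitive the P5 verdict is to a single assumption, which is the discussion the metrics are meant to support.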
Related Work
• Lots of literature on how to use mathematical modelling to affect policy decisions, but in areas such as Management Science, Hydrology, Land Usage, Environmental Contexts …
The area of Policy Decision Support for Security, Privacy and IDM is still a green field
• Key work done in applying Modelling and Simulation in specific areas such as Password Policies (Purdue), Identity Fishing, Access Control …
Not focusing on the problem of how to provide support to different stakeholders for policy decision making
• Our work is complementary to work done in security and risk management standards, such as ISO 27001, CoBit, ITIL, etc., which describe general best practices and Methodologies
We use these as drivers by grounding the reasoning in specific environments
Discussion and Future Work
• We have a fully working, implemented model for the IAM Provisioning Case Study. Full details about this work (model, results, etc.) are available in an HPL Technical Report: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html
• This model has been internally tested to support policy decision making for IAM Provisioning
• This is just an example of “Identity Analytics” work, by applying Modelling and Simulation techniques to the IAM space.
• Future work involves exploring multiple IAM areas and their impact on policies, organisations’ investments and strategies:
− Enterprise Single-Sign-On
− Authentication and Authorization Strategies
− IAM Outsourcing
− IAM as a Service
− Impact on IAM in the Cloud and Web 2.0 Scenarios
− …
Conclusions
• The Process of Policy Decision Making in organisations is Complex
• Many stakeholders are involved: need to form good opinions and deal with politics and the process of reaching consensus
• Modelling and Simulation methods can help, by providing consistent and objective analysis to multiple stakeholders at different levels of abstraction
• We illustrated how this has been successfully achieved in the IAM Provisioning Case Study
• This is work in progress. More to come in the context of R&D research at HP Labs Systems Security Lab, Identity Analytics activity …
Thanks and Q&A
Contact: Marco Casassa Mont, HP Labs, [email protected]