Technical Reports
HPL-2009-57
Click here for full text:
Identity Analytics - "User Provisioning" Case Study: Using Modelling and Simulation for Policy Decision Support
Casassa Mont, Marco; Baldwin, Adrian; Shiu, Simon
HP Laboratories
HPL-2009-57
Keyword(s): Identity Analytics, IAM, User Provisioning, Modelling, Simulation, Identity Management, Policy Decision Support
Abstract: This paper extends and complements paper [24] by providing additional details on how modelling and simulation can support the (policy) decision making process, for Identity and Access Management (IAM). Specifically, the process of making IT (security) policy decisions, within organizations, is complex: it involves reaching consensus between a set of stakeholders (key decision makers, e.g. CISOs/CIOs, domain experts, etc.) who might have different views, opinions and biased perceptions of how policies need to be shaped. This involves multiple negotiations and interactions between stakeholders. IAM is a rich area that introduces various dilemmas, e.g. in terms of required IT investments and related policies. We focus on the "user account provisioning process" for enterprise applications and services, a key IAM feature that has an impact on security, compliance and business outcomes. Whilst security and compliance experts might worry that ineffective policies for provisioning could fuel security and legal threats, business experts might be against policies that dictate overly strong or bureaucratic processes as they could have a negative impact on productivity. Policy decision support tools and methods can firstly help an individual stakeholder to test, refine their understanding of the situation and, secondly, to support the formation of consensus by helping stakeholders to share their assumptions and conclusions. We argue that an approach based on modeling and simulation can help with both these aspects, moreover we show that it is possible to integrate the assumptions made so that they can be directly contrasted and discussed. We explore the associated policy decision making process from these different perspectives and show how our systems modeling approach can provide consistent or comparable data, explanations, "what-if" predictions and analysis at different levels of abstractions. We discuss the implications that this has on the actual IT (security) policy decision making process, for IAM. In this context, we introduce and discuss a fully working Demos2k model for "user account provisioning".
48 Pages
External Posting Date: March 21, 2009 [Fulltext]. Approved for External Publication
Internal Posting Date: March 21, 2009 [Fulltext]