Using Modelling and Simulation for Policy Decision Support in Identity Management

  • 510 views
Uploaded on

The process of making IT (security) policy decisions, within organizations, is complex: it involves reaching consensus between a set of stakeholders (key decision makers, e.g. CISOs/CIOs, domain …

The process of making IT (security) policy decisions, within organizations, is complex: it involves reaching consensus between a set of stakeholders (key decision makers, e.g. CISOs/CIOs, domain experts, etc.) who might have different views, opinions and biased perceptions of how policies need to be shaped. This involves multiple negotiations and interactions between stakeholders. This suggests two roles for policy decision support tools and methods: firstly to help an individual stakeholder test and refine their understanding of the situation and, secondly, to support the formation of consensus by helping stakeholders to share their assumptions and conclusions. We argue that an approach based on modeling and simulation can help with both these aspects, moreover we show that it is possible to integrate the assumptions made so that they can be directly contrasted and discussed. We consider, as a significant example, an Identity and Access Management (IAM) scenario: we focus on the provisioning process of user accounts on enterprise applications and services, a key IAM feature that has an impact on security, compliance and business outcomes. Whilst security and compliance experts might worry that ineffective policies for provisioning could fuel security and legal threats, business experts might be against policies that dictate overly strong or bureaucratic processes as they could have a negative impact on productivity. We explore the associated policy decision making process from these different perspectives and show how our systems modeling approach can provide consistent or comparable data, explanations, “what-if” predictions and analysis at different levels of abstractions. We discuss the implications that this has on the actual IT (security) policy decision making process.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
510
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
29
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Using Modelling and Simulation for Policy Decision Support in Identity Management Marco Casassa Mont ( [email_address] ) Adrian Baldwin, Simon Shiu HP Labs, Systems Security Lab, Bristol, UK IEEE Policy 2009 Symposium
  • 2. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 3. On the Policy Decision Making Process
    • The process of Making Decisions about IT (Security) Policies is Complex
    • It is driven by Business Objectives, Risk Mitigation, other Organisational Goals …
    • Key Decision Makers (e.g. CIOs, CISOs) make final Policy Decisions but …
    • Policy Decisions are usually reached through a Consensus-building Process involving various Stakeholders i.e. Domain Experts from Business, Security, Finance, HR, Legal Departments, etc.
  • 4. Organisations’ IT Security Challenges 02/08/10 Understand the “Economics” Develop Policy IT infrastructure Risk, Assurance, Compliance Threats, Investments Decide & Deploy Policies (Enforcement) HP Confidential validation regulation
  • 5. Current Policy Decision Making & Assessment Process Existing Policies Is there any Problem? NO YES Any Agreed Action Plan helping to Match Policies? YES Act On Levers/ Define Action Plans NO Policy Failure Revisit Current Policies Discussions about future Action Plans based on possible “Levers” to act on (e.g. IT Automation, Security Controls, Education, Monitoring and Punishment, etc.) Informal predictions about impact of choices, based on stakeholders’ expertise.
  • 6. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 7. Problem Space
    • How to Support the Process of Making IT (Security) Policies or Re-assessing Current Ones?
    • How to Enable different Stakeholders to bring their Skills and Perspectives to the Discussions whilst Limiting Conflicts and Misunderstandings?
  • 8. Suggested Approach: Modelling and Simulation Policies Is there any Problem? NO Any Outcome Matching Policies? YES Act On Levers/ Define Action Plans NO Policy Failure Revisit Current Policies
    • Modelling and Simulation
    • Support the Policy Decision
    • Making Process by:
    • Conveying consistent
    • Explanations and
    • Predictions to
    • to Stakeholders
    • Providing “What-if” Analysis
    • Providing Information
    • at the Right Level
    • of Abstraction
     Case Study in the Identity and Access Management Space YES Modelling Simulations by Acting on Different “ Levers” Refine/ Reality-Check Explore Space
  • 9. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 10. Identity and Access Management (IAM) - Enterprise IAM
    • Network Access Control (NAC)
    • Directory Services
    • Authentication, Authorization, Audit
    • Provisioning
    • Single-Sign-On,
    • Federation
    • IAM is part of
    • IT Security Strategy
    • Risk Management
    • Policy Definitions
    • Compliance &
    • Governance Practices
    • Legislation
  • 11. Case Study: User Account Provisioning Management
    • Provisioning Management deals with Lifecycle Management of User Identities and Accounts on Protected Resources (PCs, Servers, Business Applications)
    • It is about Configuration: Managing User Accounts and Setting and Removing Permissions/Rights
    • A wrong or poor User Provisioning could:
      • Give more than necessary rights to users
      • Prevent users from accessing legitimate resources
    Enrolment Customisation Modification Removal
  • 12. User Provisioning Management [1/2]
    • Aspects involved in Provisioning Management:
    Approval Phase Deployment & Configuration Phase
    • Workforce
    • Changes:
    • - New User
    • User Changes
    • User Leaves
    • Org Changes:
    • M&A
    • Re-orgs
    • lay-offs
    Getting Authorizations Configuration on Systems/Apps/Services: - Create, Modify, Remove User Accounts - Setting Access Rights Policies
  • 13. User Provisioning Management [2/2]
    • Provisioning of User Accounts can be carried out with different levels of Automation:
      • Ad-hoc Processes
      • Automated and Centralised Processes
    • The Provisioning could be subject to various Failures due to:
      • User and Administrators’ Misbehaviours
      • Cultural Attitudes
      • IT and Solutions Failures
      • Attacks …
  • 14. Examples of User Provisioning Policies
    • P1 : Employees’ user accounts should be provisioned within an organization in max 3 days
    • P2 : No user account must be provisioned without management approval
    • P3 : All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval
    • P4 : Users accounts of people leaving a company must be removed within 2 days the departure date
    • P5 : The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
    • - Are these policies appropriate for a given organisation?
    • - Are they achievable?
    • - Which investments and actions are required to meet them?
  • 15. Policy Decision Makers
    • The CIO or CISO or Risk Manager is likely to define or re-assess these Policies and their appropriateness
    • However Policy Analysis and Decisions requires Inputs and Consent (buy-in) from several Stakeholders:
      • Security Experts
      • Business Experts and Application/Service Owners
      • Compliance Experts
      • IT Operation Experts
    • These Stakeholders have Different Priorities and Concerns
    • They have different Background and Knowledge …
    • We argue that Modelling and Simulation can Support the
    • Overall Policy Decision Making Process
  • 16. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 17. Role of Modelling and Simulation
    • Explain current situation to Stakeholders, at different level of Abstractions (with suitable Metrics)
    • Provide Consistent Views and Information
    • Provide Predictions based on potential Policy Choices and their Impact
    • Support “What-if” Analysis for Policies
    • Help exploring “Trade-offs”
    •  We illustrate how this can be achieved, using the IAM
    • Provisioning Case Study as a Significant Example
  • 18. Methodology: Overview Typical Methodology involved in Case Studies
    • Understand Context
    • Identify Suitable Metrics
    • Modelling
    • Simulation
    • Testing and Reality Checks
    • Analysis of Outcomes
    Define Situation & Context Characterise Key Questions/ Problems Model System Processes & Hypothesis Simulate & Analyse Evaluate & Recommend Test Adequacy Data Collection Iterative Learning Process
  • 19. Case Study on IAM User Provisioning: Context and Assumptions
    • The Enterprise has a set of Applications subject to User Provisioning:
      • 5 Core Business Applications
      • 100 Non-Core Applications
    • Current Applications are provisioned with a mix of Approaches:
      • Ad-hoc Provisioning
      • Centralised and Automated Provisioning
    • Each of these Provisioning approaches can be described in terms of the involved Approval and Configuration Processes
  • 20. Case Study on IAM User Provisioning: Focus on Policies
    • Policies of Interest
    • P1 : Employees’ user accounts should be provisioned within an organization in max 3 days
    • P2 : No user account must be provisioned without management approval
    • P3 : All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval
    • P4 : Users accounts of people leaving a company must be removed within 2 days the departure date
    • P5 : The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%
  • 21. Case Study on IAM User Provisioning: Core Questions and Levers
    • General Questions
    • Are these policies appropriate for a given organisation?
    • If not, which Investments and Actions are required to
    • (try to) meet them, by acting on available “Levers”?
    • “ Automation Lever” i.e. Increase or Decrease Investments
    • on“ Centralised and Automated Provisioning” for Managed Applications
    • Change Existing Policies
    • Formulate New Policies
    Levers
  • 22. Case Study on IAM User Provisioning: Identifying Security Metrics [1/3]
    • A set of High-level Security Metrics has been identified, by interacting with Different Stakeholders involved in the Policy Decision Making Process
    • Different Metrics are relevant to Different Stakeholders when Making Decisions about Policies. Way to convey information to Stakeholders with different viewpoints:
      • IAM Provisioning Costs
      • Provisioning Efforts
    IT Operations (IT Budget Holder)
      • Productivity Cost
    Application Owner (Business)
      • Access Accuracy
      • Approval Accuracy
    Security/Compliance Officers: Metrics Stakeholder
  • 23. Case Study on IAM User Provisioning: Identifying Security Metrics [2/3]
    • Lower-level Measures are also available from involved processes and systems, that are of interest to System Administrators and Domain Experts:
      • Number of correctly configured and mis-configured user accounts;
      • Number of hanging accounts (people that left);
      • Overall approval time (delays) for provisioning requests;
      • Overall configuration/deployment time (delays);
      • Number of lost approval and deployments/configuration requests;
      • Number of bypassed approval processes;
      • Number of successful approval processes
      • NOTE: High-level Security Metrics can be derived from
      • these Low-level Measures
  • 24. Case Study on IAM User Provisioning: Identifying Security Metrics [3/3] More Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html # Ad-Hoc_provisoning_activities Ad-hoc Effort # IAM_automated_provisioning_activities IAM Effort Estimated costs of running automated IAM provisioning processes, depending of fixed costs (e.g. fixed yearly fee) and variabl e costs (e.g. additional license fees depending on the number of provisioned applications) Fixed_Costs + Variable_Costs*Num_IAM_Automated_Apps IAM Automation Cost keeps into account loss of productivity due to waiting time (for the approval and deployment phases) and for lost of approval and deployment activities. The impact of these costs are weighted by constants for “unit cost per day” and “unit cost per loss”. [(join_appr_time+ change_appr_time) + (join_prov_time + change_prov_time)] * Unit_cost_per_day + [(#loss_join_appr + #loss_join_prov) + (#loss_change_appr+#loss_change_prov)] * Unit_cost_lost. Productivity Costs #Approved_Provisioning / (#Approved_Provisioning + # Bypassed_Approvals) Approval Accuracy w1, w2, w3 are relevance weights in the [0,1] range, UAD is the number of denied user accounts, UAM is the number of misconfigured user accounts, UAH is the number of hanging user accounts and UAA is the overall number of user account provisioned (for which either there has been approval or the approval process has been bypassed); 1-(w1*UAD+w2*UAM+w3*UAH)/ (UAA) Access Accuracy Description Formula Metrics
  • 25. Modelling Activity
    • Focus on the “Key Questions” and available Levers (e.g. Automation Lever)
    • Identify what needs to be Modelled to achieve this:
      • Relevant Events affecting Provisioning activities i.e. people joining, leaving, changing roles
      • Processes involved “ad-hoc” and “ centralised & automated” provisioning for approval and deployment
      • Cause-effect relationships of relevance to calculate measures and security metrics
      • Threats
  • 26. High-Level Model Users Joining External Events Users Leaving Users Changing Roles Ad-Hoc IAM Provisioning Processes Automated & Central IAM Provisioning Process Approval Process Approval Process Config./ Deployment Process Config./ Deployment Process failures & delays failures & delays failures & delays failures & delays Simulation State
    • Low-level Measures
    • #Account misconf.
    • #Account hanging
    • #Account wrong
    • Delays
    • High-level Metrics
    • Access Accuracy
    • Approval Accuracy
    • Productivity Costs
    • IAM Prov. Costs
    • Effort Levels
    Simulation Measures Requests to Add/Modify/Delete User Accounts on Managed Applications Data & Outcome Analysis Threats Process Failures Bypassed Approvals Criminal Conducts Internal Attacks Frauds External Attacks Threats Impacting IAM Provisioning Processes and/or Fuelled by Them
  • 27. Provisioning Model: Details [1/4] User Joins User Leaves User Changes Role Events For each affected Application :
    • User Profile
    • Role
    • Set of req. Apps
    • Location/Region
    • App Profile
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Entitle mgmt team & profile
    • Available IAM Controls
    • User Profile
    • Role
    • Set of req. Apps
    • Location/Region
    • User Profile
    • Roles
    • Set of req. Apps
    • Location/Region
    For each affected Application :
    • Application/Service Profiles
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Provisioning mgmt team & profile
    • Available IAM Controls
    Types of Changes on Affected apps? “ Joining” “ Leaving” For each affected Application : “ Changing”
    • Application/Service Profiles
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Provisioning mgmt team & profile
    • Available IAM Controls
    User Joining: IAM Provisioning Management Process User Changing Role: IAM Provisioning Management Process User Leaving: IAM Provisioning Management Process
  • 28. Provisioning Model: Details [2/4] Request for each affected Application : Waiting time To Process Approval Request Measure: User Joins - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy/COnfig Measure: time to deploy (conf. account) Prob. Loss Deployment Activity? NO NO Measure: # Lost Approval Requests (Denied Access) YES Prob. Misconfig? Measure: #Misconfigured Account YES YES YES YES Measure: #Lost Deployment Activities NO YES
    • Application Profile
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Provisioning mgmt team & profile
    • Available IAM Controls
    User Joining : Provisioning Management Process
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • Dependency on:
    • regional/local attitudes
    • available resources (admin, mgmt).
    • - presence of automation (e.g.
    • IAM provisioning solution)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • - available resources
    • presence of IAM automation:
    • provisioning & deployment
    • Dependency on:
    • regional/local attitudes
    • - available resources
    • presence of IAM automation:
    • provisioning & deployment
    • Dependency on:
    • regional/local attitudes
    • available resources
    • presence of IAM automation:
    • provisioning & deployment
    Carry on, without auth.
  • 29. Provisioning Model: Details [3/4] Request for each affected Application : Waiting time to Process Approval Request Measure: User Change - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy Measure: time to deploy (conf. account) Prob. Loss Execution Activity? NO NO Measure: # Lost Approval Requests (Misconfigured Access) YES Prob. Misconfig? Measure: # Misconfigured Account YES YES YES YES Measure: #Lost Deployment Activities NO YES User Changing Roles : Provisioning Management Process
    • Application Profile
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Provisioning mgmt team & profile
    • Available IAM Controls
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • available resources
    • presence of automation (e.g.
    • IAM provisioning solution)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    Carry on, without auth.
    • Dependency on:
    • regional/local attitudes
    • - available resources. Contention?
    • presence of IAM automation:
    • provisioning & deployment
  • 30. Provisioning Model: Details [4/4] Request for each affected Apps : Waiting time To Process Auth. Request Measure: User Leaves - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy Measure: time to deploy (remove Account) Prob. Loss Execution Activity? NO NO Measure: # Lost Approval Requests (hanging accounts) YES YES YES YES Measure: #Loss Deployment Activities (hanging account)
    • App Profile
    • ad-hoc/centrally managed
    • - Admin Location/Region
    • Entitle mgmt team & profile
    • Available IAM Controls
    User Leaving : Provisioning Management Process
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • available resources. Contention?
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • presence of automation (e.g.
    • notification workflow)
    • - type of applications
    • Dependency on:
    • regional/local attitudes
    • - available resources. Contention?
    • presence of IAM automation:
    • provisioning & deployment
  • 31. Simulation Activity
    • Run Monte Carlo Simulations of the Model to:
      • Explore and Justify Current Situation
      • Provide “What-If” Predictions by acting on Available “Levers”
    • Analyse and Interpret the Simulation Outcomes
    • to Support the Policy Decision Making Process
      • Provide meaningful Results to Different Stakeholders
      • Map these results to the implications for Policies
  • 32. Case Study: Simulation Plan
    • Explore impact on Metrics and other Measures based on Current Situation
    • Are Policies satisfied?
    Simulation Time: 1 year - Number of runs: 100 automation: 10 Apps ad-hoc : 90 Apps automation: 2 Apps ad-hoc: 3 Apps CASE #1 – Provisioning CURRENT SITUATION Non Core Business Applications (100 Apps) Core Business Applications (5 Apps) Experiment
  • 33. Simulation Outcomes Current Situation - Security Metrics Accuracy Measures 0.83 1 0.84 Access Accuracy Approval Accuracy Cost Measures 33855 11200 Productivity Costs IAM Provisioning Costs Effort Level 3480 1032 #Ad-Hoc Provisioning Activities # Automated Prov. Activities 0.5 10000 20000 30000 40000
  • 34. Simulation Outcomes Current Situation - Low-level Security Measures # Hanging Accounts # Denied Good Accounts # Misconfigured Accounts Overall Approval Time Overall Deployment Time Bypassed Approval Step
  • 35. Some Observations about Outcomes …
    • The Estimated Values of Security Metrics and Metrics are based on Common Assumptions and consistently determined by Model & Simulations
    • E.g. Access Accuracy = 0.83 (mean value)
    • So, the organisations is failing in implementing Policy P5 …
    •  P5 : The accuracy of the provisioning process (in
    • terms of correctly configured user accounts on
    • protected resources) should never be less than 0.99%
    • What-If analysis can be carried out to explore
    • how to address this by acting on available Levers
  • 36. Simulation: What-IF Analysis – Experiments Acting on the “Automation” Lever: automation : 40 Apps ad-hoc : 60 Apps automation: 3 Apps ad-hoc : 2 Apps CASE #2 (WHAT-IF CASE) automation : 70 Apps ad-hoc : 30 Apps automation: 4 Apps ad-hoc : 1 Apps CASE #3 (WHAT-IF CASE) automation: 100 Apps ad-hoc: 0 Apps automation: 5 Apps ad-hoc : 0 Apps CASE #4 (WHAT-IF CASE) automation: 10 Apps ad-hoc : 90 Apps automation: 2 Apps ad-hoc: 3 Apps CASE #1 – Provisioning CURRENT SITUATION Non Core Business Applications (100 Apps) Core Business Applications (5 Apps) Experiments
  • 37. Simulation Outcomes: What-IF Analysis - Security Metrics Case #1 Current State 0.83 0.89 0.94 0.99 0.84 0.90 0.95 1 Effort Level 3480 1032 1134 3378 4512 2281 2230 #Ad-Hoc Provisioning Activities # Automated Prov. Activities Case #2 Case #3 Case #4 Accuracy Measures 1 Cost Measures 0.5 10000 20000 30000 40000 33855 25753 17949 10403 11200 14300 17400 20500 Access Accuracy Approval Accuracy Productivity Cost IDM Provisioning Costs
  • 38. Some Observations about Outcomes …
    • Only “Case #4” ensures that the organisations can met Policy P5 …
    •  P5 : The accuracy of the provisioning process (in
    • terms of correctly configured user accounts on
    • protected resources) should never be less than 0.99%
    • However the involved “IDM Provisioning Costs” are almost doubling, compared to Current Situation …
    • Wouldn’t be better to change policies to be compliant with “Case#2” or “Case#3”?
    •  Policy Decision Makers now have consistent Metrics and
    • Measures to support their decisions based on What-IF analysis …
  • 39. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 40. Related Work
    • Lot of literature on how to use mathematical modelling to affect policy decisions, but in areas such as Management Science, Hydrology, Land Usage, Environmental Contexts …
    •  The area of Policy Decision Support for Security, Privacy and IDM is still a green field
    • Key work done in applying Modelling and Simulation in specific areas such as Password Policies (Purdue), Identity Fishing, Access Control …
    •  Not focusing on the problem about how to provide support to different stakeholders for policy decision making
    • Our work is complimentary to work done in security and risk management standards, such as ISO 27001, CoBit, ITIL, etc. which describe general bet practices and Methodologies
    •  We use this as drivers by ground the reasoning to specific environments
  • 41. Discussion and Future Work
    • We have a full working, implemented model for the IAM Provisioning Case Study. Full details about this work (model, results, etc.) are available in a HPL Technical Report: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html
    • This model has been internally tested to support policy decision making for IAM Provisioning
    • This is just an example of “Identity Analytics” work, by applying Modelling and Simulation techniques to the IAM space.
    • Future work involves exploring multiple IAM areas and their impact on policies, organisations’ investments an strategies:
      • Enterprise Single-Sign-On
      • Authentication and Authorization Strategies
      • IAM Outsourcing
      • IAM as a Service
      • Impact on IAM in the Cloud and Web 2.0 Scenarios
  • 42. Presentation Outline
    • On the Policy Decision Making Process
    • Problem: How to Support the Policy Decision Making Process?
    • Case Study: Policy Decision Support for Identity and Access Management
    • Approach: Predictive Modelling and Simulation
    • Discussion and Future Work
    • Conclusions
  • 43. Conclusions
    • The Process of Policy Decision Making in organisations is Complex
    • Many stakeholders are involved: need to form good opinions and deal with politics and the process of reaching consensus
    • Modelling and Simulation methods can help, by providing consistent and objective analysis to multiple stakeholders at different level of abstractions
    • We illustrated how this has been successfully achieved in the IAM Provisioning Case Study
    • This I work in progress. More to come in the context of R&D research at HP Labs Systems Security Lab, Identity Analytics activity …
  • 44. Thanks and Q&A Contact: Marco Casassa Mont, HP Labs, [email_address]
  • 45. 02/08/10 HP Confidential