1. © 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Using Modelling and Simulation for Policy Decision Support in Identity Management Marco Casassa Mont (marco.casassa-mont@hp.com)marco.casassa-mont@hp.com Adrian Baldwin, Simon Shiu HP Labs, Systems Security Lab, Bristol, UK IEEE Policy 2009 Symposium

2. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

3. On the Policy Decision Making Process The process of Making Decisions about IT (Security) Policies is Complex It is driven by Business Objectives, Risk Mitigation, other Organisational Goals … Key Decision Makers (e.g. CIOs, CISOs) make final Policy Decisions but … Policy Decisions are usually reached through a Consensus- building Process involving various Stakeholders i.e. Domain Experts from Business, Security, Finance, HR, Legal Departments, etc.

4. 45/6/2015 Organisations’ IT Security Challenges validation regulation Understand the “Economics” Develop Policy IT infrastructure Risk, Assurance, Compliance Threats, Investments Decide & Deploy Policies (Enforcement) HP Confidential

5. Current Policy Decision Making & Assessment Process Existing Policies Is there any Problem? NO YES Any Agreed Action Plan helping to Match Policies? YES Act On Levers/ Define Action Plans NO Policy Failure Revisit Current Policies Discussions about future Action Plans based on possible “Levers” to act on (e.g. IT Automation, Security Controls, Education, Monitoring and Punishment, etc.) Informal predictions about impact of choices, based on stakeholders’ expertise.

6. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

7. Problem Space How to Support the Process of Making IT (Security) Policies or Re-assessing Current Ones? How to Enable different Stakeholders to bring their Skills and Perspectives to the Discussions whilst Limiting Conflicts and Misunderstandings?

8. Suggested Approach: Modelling and Simulation Policies Is there any Problem? NO Any Outcome Matching Policies? YES Act On Levers/ Define Action Plans NO YES Modelling Simulations by Acting on Different “Levers” Refine/ Reality-Check Explore Space Policy Failure Revisit Current Policies Modelling and Simulation Support the Policy Decision Making Process by: Conveying consistent Explanations and Predictions to to Stakeholders Providing “What-if” Analysis Providing Information at the Right Level of Abstraction  Case Study in the Identity and Access Management Space

9. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

10. Identity and Access Management (IAM) - Enterprise IAM Network Access Control (NAC) Directory Services Authentication, Authorization, Audit Provisioning Single-Sign-On, Federation … - IAM is part of IT Security Strategy Risk Management Policy Definitions Compliance & Governance Practices Legislation

11. Case Study: User Account Provisioning Management Provisioning Management deals with Lifecycle Management of User Identities and Accounts on Protected Resources (PCs, Servers, Business Applications) It is about Configuration: Managing User Accounts and Setting and Removing Permissions/Rights A wrong or poor User Provisioning could: −Give more than necessary rights to users −Prevent users from accessing legitimate resources Enrolment Customisation Modification Removal

12. User Provisioning Management [1/2] Aspects involved in Provisioning Management: Approval Phase Approval Phase Deployment & Configuration Phase Deployment & Configuration Phase Workforce Changes: - New User - User Changes - User Leaves Org Changes: - M&A - Re-orgs - lay-offs Getting Authorizations Configuration on Systems/Apps/Services: - Create, Modify, Remove User Accounts - Setting Access Rights Policies

13. User Provisioning Management [2/2] Provisioning of User Accounts can be carried out with different levels of Automation: −Ad-hoc Processes −Automated and Centralised Processes The Provisioning could be subject to various Failures due to: −User and Administrators’ Misbehaviours −Cultural Attitudes −IT and Solutions Failures −Attacks …

14. Examples of User Provisioning Policies P1: Employees’ user accounts should be provisioned within an organization in max 3 days P2: No user account must be provisioned without management approval P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval P4: Users accounts of people leaving a company must be removed within 2 days the departure date P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% - Are these policies appropriate for a given organisation? - Are they achievable? - Which investments and actions are required to meet them?

15. Policy Decision Makers The CIO or CISO or Risk Manager is likely to define or re-assess these Policies and their appropriateness However Policy Analysis and Decisions requires Inputs and Consent (buy-in) from several Stakeholders: −Security Experts −Business Experts and Application/Service Owners −Compliance Experts −IT Operation Experts These Stakeholders have Different Priorities and Concerns They have different Background and Knowledge …  We argue that Modelling and Simulation can Support the Overall Policy Decision Making Process

16. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

17. Role of Modelling and Simulation Explain current situation to Stakeholders, at different level of Abstractions (with suitable Metrics) Provide Consistent Views and Information Provide Predictions based on potential Policy Choices and their Impact Support “What-if” Analysis for Policies Help exploring “Trade-offs”  We illustrate how this can be achieved, using the IAM Provisioning Case Study as a Significant Example

18. Methodology: Overview Define Situation & Context Characterise Key Questions/ Problems Model System Processes & Hypothesis Simulate & Analyse Evaluate & Recommend Test Adequacy Data Collection Iterative Learning Process Typical Methodology involved in Case Studies Understand Context Identify Suitable Metrics Modelling Simulation Testing and Reality Checks Analysis of Outcomes

19. Case Study on IAM User Provisioning: Context and Assumptions The Enterprise has a set of Applications subject to User Provisioning: −5 Core Business Applications −100 Non-Core Applications Current Applications are provisioned with a mix of Approaches: −Ad-hoc Provisioning −Centralised and Automated Provisioning Each of these Provisioning approaches can be described in terms of the involved Approval and Configuration Processes

20. Case Study on IAM User Provisioning: Focus on Policies Policies of Interest P1: Employees’ user accounts should be provisioned within an organization in max 3 days P2: No user account must be provisioned without management approval P3: All user accounts to be provisioned (added, modified, changed) on core business applications and services must require 2 levels of approval P4: Users accounts of people leaving a company must be removed within 2 days the departure date P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99%

21. Case Study on IAM User Provisioning: Core Questions and Levers General Questions Are these policies appropriate for a given organisation? If not, which Investments and Actions are required to (try to) meet them, by acting on available “Levers”? “Automation Lever” i.e. Increase or Decrease Investments on“ Centralised and Automated Provisioning” for Managed Applications Change Existing Policies Formulate New Policies Levers

22. Case Study on IAM User Provisioning: Identifying Security Metrics [1/3] A set of High-level Security Metrics has been identified, by interacting with Different Stakeholders involved in the Policy Decision Making Process Different Metrics are relevant to Different Stakeholders when Making Decisions about Policies. Way to convey information to Stakeholders with different viewpoints: StakeholderMetrics Security/Compliance Officers: Access Accuracy Approval Accuracy Application Owner (Business) Productivity Cost IT Operations (IT Budget Holder) IAM Provisioning Costs Provisioning Efforts

23. Case Study on IAM User Provisioning: Identifying Security Metrics [2/3] Lower-level Measures are also available from involved processes and systems, that are of interest to System Administrators and Domain Experts: −Number of correctly configured and mis-configured user accounts; −Number of hanging accounts (people that left); −Overall approval time (delays) for provisioning requests; −Overall configuration/deployment time (delays); −Number of lost approval and deployments/configuration requests; −Number of bypassed approval processes; −Number of successful approval processes NOTE: High-level Security Metrics can be derived from these Low-level Measures

24. MetricsFormulaDescription Access Accuracy 1-(w1*UAD+w2*UAM+w3*UAH)/ (UAA) w1, w2, w3 are relevance weights in the [0,1] range, UAD is the number of denied user accounts, UAM is the number of misconfigured user accounts, UAH is the number of hanging user accounts and UAA is the overall number of user account provisioned (for which either there has been approval or the approval process has been bypassed); Approval Accuracy #Approved_Provisioning / (#Approved_Provisioning + # Bypassed_Approvals) Productivity Costs [(join_appr_time+ change_appr_time) + (join_prov_time + change_prov_time)] * Unit_cost_per_day + [(#loss_join_appr + #loss_join_prov) + (#loss_change_appr+#loss_change_prov)] *Unit_cost_lost. keeps into account loss of productivity due to waiting time (for the approval and deployment phases) and for lost of approval and deployment activities. The impact of these costs are weighted by constants for “unit cost per day” and “unit cost per loss”. IAM Automation Cost Fixed_Costs + Variable_Costs*Num_IAM_Automated_Apps Estimated costs of running automated IAM provisioning processes, depending of fixed costs (e.g. fixed yearly fee) and variable costs (e.g. additional license fees depending on the number of provisioned applications) IAM Effort#IAM_automated_provisioning_activities Ad-hoc Effort #Ad-Hoc_provisoning_activities Case Study on IAM User Provisioning: Identifying Security Metrics [3/3] More Details – HPL TR: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.htmlhttp://www.hpl.hp.com/techreports/2009/HPL-2009-57.html

25. Modelling Activity Focus on the “Key Questions” and available Levers (e.g. Automation Lever) Identify what needs to be Modelled to achieve this: −Relevant Events affecting Provisioning activities i.e. people joining, leaving, changing roles −Processes involved “ad-hoc” and “centralised & automated” provisioning for approval and deployment −Cause-effect relationships of relevance to calculate measures and security metrics − Threats

26. Users Joining External Events Users Leaving Users Changing Roles Ad-Hoc IAM Provisioning Processes Automated & Central IAM Provisioning Process Approval Process Approval Process Config./ Deployment Process Config./ Deployment Process failures & delays Simulation State Low-level Measures #Account misconf. #Account hanging #Account wrong Delays … High-level Metrics Access Accuracy Approval Accuracy Productivity Costs IAM Prov. Costs Effort Levels … Simulation Measures Requests to Add/Modify/Delete User Accounts on Managed Applications Data & Outcome Analysis Threats Process Failures Bypassed Approvals Criminal Conducts Internal Attacks Frauds External Attacks Threats Impacting IAM Provisioning Processes and/or Fuelled by Them High-Level Model

27. User Joins User Leaves User Changes Role Events For each affected Application : User Profile - Role - Set of req. Apps - Location/Region App Profile - ad-hoc/centrally managed - Admin Location/Region - Entitle mgmt team & profile - Available IAM Controls User Profile - Role - Set of req. Apps - Location/Region User Profile - Roles - Set of req. Apps - Location/Region For each affected Application : Application/Service Profiles - ad-hoc/centrally managed - Admin Location/Region - Provisioning mgmt team & profile - Available IAM Controls Types of Changes on Affected apps? “Joining” “Leaving” For each affected Application : “Changing” Application/Service Profiles - ad-hoc/centrally managed - Admin Location/Region - Provisioning mgmt team & profile - Available IAM Controls User Joining: IAM Provisioning Management Process User Changing Role: IAM Provisioning Management Process User Leaving: IAM Provisioning Management Process Provisioning Model: Details [1/4]

28. Request for each affected Application : Waiting time To Process Approval Request Measure: User Joins - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy/COnfig Measure: time to deploy (conf. account) Prob. Loss Deployment Activity? NO Measure: # Lost Approval Requests (Denied Access) YE S Prob. Misconfig? Measure: #Misconfigured Account YE S Measure: #Lost Deployment Activities NO YES Application Profile - ad-hoc/centrally managed - Admin Location/Region - Provisioning mgmt team & profile - Available IAM Controls User Joining: Provisioning Management Process Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) Dependency on: - regional/local attitudes - available resources (admin, mgmt). - presence of automation (e.g. IAM provisioning solution) - type of applications Dependency on: - regional/local attitudes - available resources - presence of IAM automation: provisioning & deployment Dependency on: - regional/local attitudes - available resources - presence of IAM automation: provisioning & deployment Dependency on: - regional/local attitudes available resources - presence of IAM automation: provisioning & deployment Carry on, without auth. Provisioning Model: Details [2/4]

29. Request for each affected Application : Waiting time to Process Approval Request Measure: User Change - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy Measure: time to deploy (conf. account) Prob. Loss Execution Activity? NO Measure: # Lost Approval Requests (Misconfigured Access) YE S Prob. Misconfig? Measure: # Misconfigured Account YE S Measure: #Lost Deployment Activities NO YES User Changing Roles: Provisioning Management Process Application Profile - ad-hoc/centrally managed - Admin Location/Region - Provisioning mgmt team & profile - Available IAM Controls Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) - type of applications Dependency on: - regional/local attitudes - available resources - presence of automation (e.g. IAM provisioning solution) - type of applications Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) - type of applications Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) - type of applications Carry on, without auth. Dependency on: - regional/local attitudes - available resources. Contention? - presence of IAM automation: provisioning & deployment Provisioning Model: Details [3/4]

30. Request for each affected Apps : Waiting time To Process Auth. Request Measure: User Leaves - time to get Approval Prob. Loss Approval Request? Waiting time To Deploy Measure: time to deploy (remove Account) Prob. Loss Execution Activity? NO Measure: # Lost Approval Requests (hanging accounts) YE S Measure: #Loss Deployment Activities (hanging account) App Profile - ad-hoc/centrally managed - Admin Location/Region - Entitle mgmt team & profile - Available IAM Controls User Leaving: Provisioning Management Process Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) - type of applications Dependency on: - regional/local attitudes - available resources. Contention? - presence of automation (e.g. notification workflow) - type of applications Dependency on: - regional/local attitudes - presence of automation (e.g. notification workflow) - type of applications Dependency on: - regional/local attitudes - available resources. Contention? - presence of IAM automation: provisioning & deployment Provisioning Model: Details [4/4]

31. Simulation Activity Run Monte Carlo Simulations of the Model to: −Explore and Justify Current Situation −Provide “What-If” Predictions by acting on Available “Levers” Analyse and Interpret the Simulation Outcomes to Support the Policy Decision Making Process −Provide meaningful Results to Different Stakeholders −Map these results to the implications for Policies

32. Case Study: Simulation Plan Explore impact on Metrics and other Measures based on Current Situation Are Policies satisfied? Experiment Core Business Applications (5 Apps) Non Core Business Applications (100 Apps) CASE #1 – Provisioning CURRENT SITUATION automation: 2 Apps ad-hoc: 3 Apps automation: 10 Apps ad-hoc : 90 Apps Simulation Time: 1 year - Number of runs: 100

33. Accuracy Measures 0.83 1 0.84 Access Accuracy Approval Accuracy Cost Measures 33855 11200 Productivity Costs IAM Provisioning Costs Effort Level 34801032 #Ad-Hoc Provisioning Activities# Automated Prov. Activities 0.5 10000 20000 30000 40000 Simulation Outcomes Current Situation - Security Metrics

34. # Hanging Accounts# Denied Good Accounts # Misconfigured Accounts Overall Approval TimeOverall Deployment Time Bypassed Approval Step Simulation Outcomes Current Situation - Low-level Security Measures

35. Some Observations about Outcomes … The Estimated Values of Security Metrics and Metrics are based on Common Assumptions and consistently determined by Model & Simulations E.g. Access Accuracy = 0.83 (mean value) So, the organisations is failing in implementing Policy P5 …  P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% What-If analysis can be carried out to explore how to address this by acting on available Levers

36. Experiments Core Business Applications (5 Apps) Non Core Business Applications (100 Apps) CASE #1 – Provisioning CURRENT SITUATION automation: 2 Apps ad-hoc: 3 Apps automation: 10 Apps ad-hoc : 90 Apps CASE #2 (WHAT-IF CASE) automation: 3 Apps ad-hoc : 2 Apps automation : 40 Apps ad-hoc : 60 Apps CASE #3 (WHAT-IF CASE) automation: 4 Apps ad-hoc : 1 Apps automation : 70 Apps ad-hoc : 30 Apps CASE #4 (WHAT-IF CASE) automation: 5 Apps ad-hoc : 0 Apps automation: 100 Apps ad-hoc: 0 Apps Simulation: What-IF Analysis – Experiments Acting on the “Automation” Lever:

37. Case #1 Current State 0.83 0.89 0.94 0.99 0.84 0.90 0.95 1 Effort Level 3480 1032 113433784512 2281 2230 Access Accuracy Approval Accuracy Productivity Cost IDM Provisioning Costs #Ad-Hoc Provisioning Activities # Automated Prov. Activities Case #2 Case #3 Case #4 Accuracy Measures 1 Cost Measures 0.5 10000 20000 30000 40000 33855 2575317949 10403 11200 14300 17400 20500 Simulation Outcomes: What-IF Analysis - Security Metrics

38. Some Observations about Outcomes … Only “Case #4” ensures that the organisations can met Policy P5 …  P5: The accuracy of the provisioning process (in terms of correctly configured user accounts on protected resources) should never be less than 0.99% However the involved “IDM Provisioning Costs” are almost doubling, compared to Current Situation … Wouldn’t be better to change policies to be compliant with “Case#2” or “Case#3”?  Policy Decision Makers now have consistent Metrics and Measures to support their decisions based on What-IF analysis …

39. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

40. Related Work Lot of literature on how to use mathematical modelling to affect policy decisions, but in areas such as Management Science, Hydrology, Land Usage, Environmental Contexts …  The area of Policy Decision Support for Security, Privacy and IDM is still a green field Key work done in applying Modelling and Simulation in specific areas such as Password Policies (Purdue), Identity Fishing, Access Control …  Not focusing on the problem about how to provide support to different stakeholders for policy decision making Our work is complimentary to work done in security and risk management standards, such as ISO 27001, CoBit, ITIL, etc. which describe general bet practices and Methodologies  We use this as drivers by ground the reasoning to specific environments

41. Discussion and Future Work We have a full working, implemented model for the IAM Provisioning Case Study. Full details about this work (model, results, etc.) are available in a HPL Technical Report: http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html This model has been internally tested to support policy decision making for IAM Provisioning This is just an example of “Identity Analytics” work, by applying Modelling and Simulation techniques to the IAM space. Future work involves exploring multiple IAM areas and their impact on policies, organisations’ investments an strategies: −Enterprise Single-Sign-On −Authentication and Authorization Strategies −IAM Outsourcing −IAM as a Service −Impact on IAM in the Cloud and Web 2.0 Scenarios −…−…

42. Presentation Outline On the Policy Decision Making Process Problem: How to Support the Policy Decision Making Process? Case Study: Policy Decision Support for Identity and Access Management Approach: Predictive Modelling and Simulation Discussion and Future Work Conclusions

43. The Process of Policy Decision Making in organisations is Complex Many stakeholders are involved: need to form good opinions and deal with politics and the process of reaching consensus Modelling and Simulation methods can help, by providing consistent and objective analysis to multiple stakeholders at different level of abstractions We illustrated how this has been successfully achieved in the IAM Provisioning Case Study This I work in progress. More to come in the context of R&D research at HP Labs Systems Security Lab, Identity Analytics activity …

44. Thanks and Q&A Contact: Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.commarco.casassa-mont@hp.com

45. 5/6/201545HP Confidential