IFIP FIDIS Summer School 2007: Enterprise Identity Management – PowerPoint presentation (slide text)


1. IFIP FIDIS Summer School 2007: Enterprise Identity Management – What's in it for Organisations?
   Denis Royer, Johann Wolfgang Goethe University Frankfurt, Chair for Mobile Business and Multilateral Security

2. Agenda
   • Introduction
   • The Need for IdM in Organisations
   • Driving Factors for IdM
   • The Cost Side of IdM
   • Evaluation of IdM
     - Prerequisites
     - The Evaluation Process
   • Conclusion / Discussion
   Denis Royer @ IFIP/FIDIS Summer School 2007

3. Goals and Objective
   • Security-related technologies often lack strategic focus for the decision makers.
   • Decision makers will not invest in security technologies and infrastructures without analysing the costs and benefits.
   • Evaluation schemes are needed to help identify potentials and to support the decision-making process.
   • A generic approach to tackling these issues is presented.

4. Enterprise Identity Management (figure) [Flynn]

5. Identity lifecycle
   • Enrolment – Creation of accounts for new employees: issuance of the credentials and setting of the access permissions.
   • Management – Maintenance of accounts: in a changing working environment (promotions, change of departments, etc.) the user and access management needs to handle the access permissions (e.g. for minimising liabilities).
   • Support – Password management: issue new passwords or reset passwords that are "lost".
   • Deletion – End of lifecycle: revoke or freeze accounts or entitlements.

6. (Enterprise) Identity Management
   • Organisational: software systems that help to facilitate one or more of the 4 As: Authorisation, Authentication, Administration, and Audit
   • Technological: cluster of different technologies:
     - Single Sign-On (SSO)
     - Meta Directories
     - PKI Infrastructures
     - Access Management Systems
     - ...
   • Therefore, IdM is a framework of different technologies, not a specific product.
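The lifecycle on slide 5 and the Administration/Audit "As" on slide 6 can be made concrete with a small model of the account directory. The following is an added illustration, not code from the presentation or from any product it names; the role model, user ids, entitlement names and ticket reference are constructed. It shows the point the Management bullet makes: on a department change the entitlements are re-derived from the role model, so rights of the old role are revoked rather than accumulated, and a reconciliation check reports any active account holding rights its current role does not justify.

```python
"""Identity-lifecycle model (enrolment, management, support, deletion) with an
audit trail and an entitlement reconciliation check.

Added illustration, not code from the presentation. The role model, user ids
and entitlement names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import secrets

# Constructed role model: which entitlements a department role justifies.
ROLE_MODEL: Dict[str, Set[str]] = {
    "finance": {"erp.ledger.read", "erp.ledger.post"},
    "sales": {"crm.accounts.read", "crm.accounts.write"},
}


@dataclass
class Account:
    user_id: str
    department: str
    entitlements: Set[str]
    status: str = "active"            # active | frozen | deleted
    credential: Optional[str] = None  # None once the account is frozen or deleted


@dataclass
class Directory:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, actor: str, action: str, subject: str, **detail) -> None:
        # Audit: every administrative action is recorded with its actor and effect.
        self.audit.append({"actor": actor, "action": action, "subject": subject, **detail})

    def _active(self, user_id: str) -> Account:
        acct = self.accounts[user_id]
        if acct.status != "active":
            raise PermissionError(f"{user_id} is {acct.status}")
        return acct

    # Enrolment: create the account, issue a credential, set role-based permissions.
    def enrol(self, actor: str, user_id: str, department: str) -> Account:
        if user_id in self.accounts:
            raise ValueError(f"{user_id} already enrolled")
        acct = Account(user_id, department, set(ROLE_MODEL[department]),
                       credential=secrets.token_urlsafe(16))
        self.accounts[user_id] = acct
        self._log(actor, "enrol", user_id, granted=sorted(acct.entitlements))
        return acct

    # Management: on a department change, re-derive the entitlements from the
    # role model so that rights of the old role do not accumulate.
    def move(self, actor: str, user_id: str, new_department: str):
        acct = self._active(user_id)
        wanted = ROLE_MODEL[new_department]
        revoked, granted = acct.entitlements - wanted, wanted - acct.entitlements
        acct.entitlements, acct.department = set(wanted), new_department
        self._log(actor, "move", user_id, revoked=sorted(revoked), granted=sorted(granted))
        return sorted(revoked), sorted(granted)

    # Management: an individual right outside the role model must carry a
    # justification; it will show up in the reconciliation report.
    def grant(self, actor: str, user_id: str, entitlement: str, justification: str) -> None:
        acct = self._active(user_id)
        acct.entitlements.add(entitlement)
        self._log(actor, "grant", user_id, entitlement=entitlement, justification=justification)

    # Support: a password reset issues a fresh credential; the old one is never shown.
    def reset_password(self, actor: str, user_id: str) -> str:
        acct = self._active(user_id)
        acct.credential = secrets.token_urlsafe(16)
        self._log(actor, "password_reset", user_id)
        return acct.credential

    # Deletion / end of lifecycle: freezing keeps the record but blocks any use.
    def freeze(self, actor: str, user_id: str) -> None:
        acct = self._active(user_id)
        acct.status, acct.credential = "frozen", None
        self._log(actor, "freeze", user_id, suspended=sorted(acct.entitlements))

    def delete(self, actor: str, user_id: str) -> None:
        acct = self.accounts[user_id]
        acct.status, acct.credential = "deleted", None
        acct.entitlements.clear()
        self._log(actor, "delete", user_id)

    # Audit: active accounts holding rights their current role does not justify.
    def reconcile(self) -> Dict[str, List[str]]:
        report = {}
        for uid, acct in self.accounts.items():
            extra = acct.entitlements - ROLE_MODEL.get(acct.department, set())
            if acct.status == "active" and extra:
                report[uid] = sorted(extra)
        return report


def demo() -> Directory:
    """Joiner, mover, exception grant, support, leaver, with constructed ids."""
    d = Directory()
    d.enrol("hr-feed", "u1001", "finance")
    d.move("hr-feed", "u1001", "sales")      # the ledger rights are revoked here
    d.grant("it-admin", "u1001", "erp.ledger.read", "quarter-end reporting, ticket T-42 (constructed)")
    d.reset_password("helpdesk", "u1001")
    d.freeze("hr-feed", "u1001")             # leaver: frozen before deletion
    return d


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Running the module prints the audit trail of one joiner/mover/leaver sequence; `reconcile()` is the check a periodic access review would run, and it is what makes the exception grant visible after the move.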

7. Problems of IT Security Investments
   • Many problems inherited from general IT investments.
   • Also additional problems:
     - "How can the arguments be overcome that security investments do not generate any revenue?"
     - "How can an IT security investment be established as cost-effective, when the best that could happen is that 'nothing' happens?"
     - "How can the optimal level of the total IT security investments be determined?"

8. Driving Factors for IdM
   • Amongst a variety of driving factors for introducing IdM into an organisation, the most relevant appear to be:
     - Risk management / IT security goals
     - Value creation goals (e.g. efficiency, cost reduction)
     - Compliance goals
   • The goals themselves are not mutually exclusive; there are overlaps.

9. Example: The CIO and Compliance
   • Legislative mandates:
     - Sarbanes-Oxley
     - Basel 2
   • Goals: accountability, fraud prevention, & reporting
   • Instruments needed to build up infrastructures and to control them
   • Otherwise risk of serving "jail time" for the CIO. [Berghal]

10. The cost side
    • IdM is not a purely technology-driven topic, as it intervenes with the infrastructure and the processes in an organisation.
    • The nature of the projects differs considerably, depending on the inherent requirements.
    • The lifecycle costs (e.g. introduction, running costs, etc.) need to be integrated as well.
    Bottom line: there are high saving potentials, bundled with high costs.

11. The Paradox of the Return on IdM Investment
    • Need for a holistic approach, since IdM has a high impact on the organisational structure.
    • However, organisations tend to fail to see the big picture and cannot achieve the return aimed at. [Dos Santos]
    • Solution: build cross-functional teams
      - Enable strategic thinking
      - Better estimate costs and benefits
      - Overcome possible "language" barriers

12. IdM Stakeholders (diagram: Management, IT Department and Users, with a Cross-functional Team in the centre)
    • Management: make decisions, set policies, develop strategies and management
    • IT Department: implement solutions, support users, risk assessment
    • Users: knowledge of processes
    • Cross-functional Team

13. Agenda (section divider)
    • Introduction
    • The Need for IdM in Organisations
    • Driving Factors for IdM
    • The Cost Side of IdM
    • Evaluation of IdM
      - Prerequisites
      - The Evaluation Process
    • Conclusion / Discussion

14. Prerequisites for the Analysis
    • Underlying assumptions need to be realistic (e.g. by using reference/benchmark projects).
    • Complete view on costs
    • Impact of the different factors on each other
    • Usage of finance-mathematical methods
    • Usage of scenarios to cope with uncertainty
    • For decision support:
      - It is not possible to gather all data in an acceptable timeframe
      - Some degree of compromise is needed
      - Results only need to be sufficiently accurate for decision making

15. Operationalisation (diagram; the embedded image is missing from this export)
    Strategic Planning Phase:
    1. Build holistic view of the organisation
    2. Analyse goals & environment
    3. Divide plan based on strategy
    4. Evaluate
       - Definition: 1. Assessment of org. view and strategic goals; 2. Define and document scope
       - Assessment: 3. Define costs; 4. Estimate tangible benefits; 5. Document intangible benefits; 6. Document risks
       - Calculation: 7. Calculate potential return
    5. Sequence of execution

16. Evaluation Process
    Definition
    1. Assessment of org. view and strategic goals
    2. Define and document scope
    Assessment
    3. Define costs
    4. Estimate tangible benefits
    5. Document intangible benefits
    6. Document risks
    Calculation
    7. Calculate potential return

17. Lifecycle View (diagram over time [t])
    Phases: Planning → Implementation → Running → Upgrading → Decommission
    Labels aligned with the phases: Economical Evaluation, Project Planning & Control, Controlling
    Also shown: Process & Role Models, Best Practice, Steering Methodologies

18. Agenda (section divider)
    • Introduction
    • The Need for IdM in Organisations
    • Driving Factors for IdM
    • The Cost Side of IdM
    • Evaluation of IdM
      - Prerequisites
      - The Evaluation Process
    • Conclusion / Discussion

19. Conclusion
    • The proposed evaluation process should help to assess costs and benefits in a formalised way.
      - Associated risks
      - Facilitate the decision process
      - More transparent assessment of introduction
    • Cross-functional team
    • Planning of IdM strategy

20. How to Proceed?
    • Build a complete evaluation and steering scheme as a decision support tool for organisations
      - Based on ROSI?
      - Based on a specific IT Security Balanced Scorecard? [Kaplan & Norton]
      - ...

21. Thank you for your attention! Any questions?
    denis.royer@m-chair.net

22. (Backup slide)
    • Decision support instruments
      - Return on Security Investment (ROSI)
      - More holistic approach to make evaluations comparable in the way they are conducted.
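Steps 3 to 7 of the evaluation process (slide 16), the prerequisites on slide 14 (finance-mathematical methods, scenarios to cope with uncertainty, lifecycle costs) and the ROSI instrument named on this backup slide can be put into one small calculation. The following is an added example, not code or figures from the presentation: all amounts are constructed (read them as kEUR over a five-year lifecycle, year 0 being the introduction), the three scenarios are invented to show the spread, and ROSI is computed with the usual ratio (risk reduction plus tangible savings minus lifecycle cost, divided by lifecycle cost); the annual loss expectancy (ALE) figures are the documented risks of step 6 expressed in money, and intangible benefits (step 5) are carried along as text because they are not priced.

```python
"""Steps 3-7 of the IdM evaluation process as a scenario-based cost/benefit model.

Added example, not from the presentation. All figures are constructed (kEUR);
the three scenarios stand in for the uncertainty the deck says scenarios should cope with.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    lifecycle_costs: Tuple[float, ...]    # step 3: year 0 = introduction, then running/upgrade costs
    tangible_benefits: Tuple[float, ...]  # step 4: e.g. fewer helpdesk resets, faster provisioning
    ale_before: float                     # step 6: annual loss expectancy of identity-related risks today
    ale_after: float                      # step 6: ALE once IdM is running
    intangibles: Tuple[str, ...] = ()     # step 5: documented, not priced


def annual_net(sc: Scenario) -> Tuple[float, ...]:
    """Net cash flow per year; the risk reduction counts from year 1, when the system runs."""
    reduction = sc.ale_before - sc.ale_after
    return tuple(b + (reduction if t > 0 else 0.0) - c
                 for t, (c, b) in enumerate(zip(sc.lifecycle_costs, sc.tangible_benefits)))


def npv(cashflows: Iterable[float], rate: float) -> float:
    """Net present value of the yearly net cash flows at a given discount rate."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def rosi(sc: Scenario) -> float:
    """ROSI over the whole lifecycle: (risk reduction + savings - cost) / cost."""
    cost = sum(sc.lifecycle_costs)
    running_years = len(sc.lifecycle_costs) - 1
    benefit = sum(sc.tangible_benefits) + (sc.ale_before - sc.ale_after) * running_years
    return (benefit - cost) / cost


def payback_year(sc: Scenario) -> Optional[int]:
    """First year in which the cumulative net cash flow is non-negative, or None."""
    cumulative = 0.0
    for year, net in enumerate(annual_net(sc)):
        cumulative += net
        if cumulative >= 0:
            return year
    return None


def evaluate(scenarios: Iterable[Scenario], rate: float) -> Dict[str, dict]:
    """Step 7: potential return per scenario; the spread between scenarios is the
    decision-relevant uncertainty, which is all the deck says the result needs to show."""
    return {sc.name: {"npv": round(npv(annual_net(sc), rate), 1),
                      "rosi": round(rosi(sc), 3),
                      "payback_year": payback_year(sc),
                      "intangibles": sc.intangibles} for sc in scenarios}


# Constructed scenarios (kEUR). Year 0 carries the introduction cost and no benefit.
SCENARIOS = (
    Scenario("pessimistic", (400, 150, 150, 200, 150), (0, 100, 120, 120, 120), 200, 150,
             ("audit findings on access rights still likely",)),
    Scenario("expected", (350, 120, 120, 180, 120), (0, 150, 180, 180, 180), 200, 100,
             ("reporting on access rights for compliance audits", "faster onboarding")),
    Scenario("optimistic", (300, 100, 100, 150, 100), (0, 200, 220, 220, 220), 200, 60,
             ("reporting on access rights for compliance audits", "faster onboarding",
              "fewer orphaned accounts")),
)


if __name__ == "__main__":
    for name, r in evaluate(SCENARIOS, rate=0.08).items():
        print(f"{name:12s} NPV={r['npv']:8.1f}  ROSI={r['rosi']:6.3f}  payback year={r['payback_year']}")
```

With these constructed numbers the expected case pays back in year 3 with a positive NPV, the optimistic case in year 2, and the pessimistic case never, which is exactly the kind of result slide 14 asks for: not precise, but accurate enough to show the decision makers where the investment stands and which assumptions (here, the realised risk reduction and the upgrade cost) decide the outcome.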
