IFIP FIDIS Summer School 2007: Enterprise Identity - PowerPoint PPT Presentation



SLIDE 1
IFIP FIDIS Summer School 2007:

Enterprise Identity Management – What’s in it for Organisations?

Denis Royer

Johann Wolfgang Goethe University Frankfurt, Chair for Mobile Business and Multilateral Security

SLIDE 2

Denis Royer @ IFIP/FIDIS Summer School 2007

Agenda

Introduction
  • The Need for IdM in Organisations
  • Driving Factors for IdM
  • The Cost Side of IdM

Evaluation of IdM
  • Prerequisites
  • The Evaluation Process

Conclusion / Discussion

SLIDE 3

Goals and Objective

  • Security related technologies often lack strategic focus for the decision makers.
  • Decision makers will not invest into security technologies and infrastructures without analysing the costs and benefits.
  • Evaluation schemes are needed to help identify potentials and to support the decision making process.
  • A generic approach to tackling these issues is presented.

SLIDE 4

Enterprise Identity Management

[Flynn]

SLIDE 5

Identity lifecycle

  • Enrolment - Creation of accounts for new employees: issuance of the credentials and setting of the access permissions.
  • Management - Maintenance of accounts: in a changing working environment (promotions, change of departments, etc.) the user and access management needs to handle the access permissions (e.g. for minimising liabilities).
  • Support - Password management: issue new passwords or reset passwords that are “lost”.
  • Deletion - End of lifecycle: revoke or freeze accounts or entitlements.

SLIDE 6

(Enterprise) Identity Management

  • Organisational: Software systems that help to facilitate one or more of the 4 As: Authorisation, Authentication, Administration, and Audit
  • Technological: Cluster of different technologies:
    • Single Sign-On (SSO)
    • Meta Directories
    • PKI Infrastructures
    • Access Management Systems
    • ...
  • Therefore, IdM is a framework of different technologies, not a specific product.

SLIDE 7

Problems of IT Security Investments

  • Many problems inherited from general IT investments.
  • Also additional problems:
    • “How can the arguments be overcome that security investments do not generate any revenue?”
    • “How can an IT security investment be established as cost-effective, when the best that could happen is that ‘nothing’ happens?”
    • “How can the optimal level of the total IT security investments be determined?”

SLIDE 8

Driving Factors for IdM

  • Amongst a variety of driving factors for introducing IdM into an organisation, the most relevant appear to be:
    • Risk management / IT security goals
    • Value creation goals (e.g. efficiency, cost reduction)
    • Compliance goals
  • The goals themselves are not mutually exclusive: there are overlaps between them.

SLIDE 9

Example: The CIO and Compliance

  • Legislative mandates
    • Sarbanes-Oxley
    • Basel 2
  • Goals: accountability, fraud prevention, & reporting
  • Instruments needed to build up infrastructures and to control them
  • Otherwise risk of serving “jail time” for the CIO.

[Berghal]

SLIDE 10

The cost side

  • IdM is not a purely technology driven topic, as it affects both the infrastructure and the processes of an organisation.
  • The nature of the projects differs considerably, depending on the inherent requirements.
  • The lifecycle costs (e.g. introduction, running costs, etc.) need to be integrated as well.
  • Bottom line: There are high saving potentials, bundled with high costs.

SLIDE 11

The Paradox of the Return on IdM Investment

  • Need for a holistic approach, since IdM has a high impact on the organisational structure.
  • However, organisations tend to fail to see the big picture and cannot achieve the return aimed at.
  • Solution: build cross-functional teams
    • Enable strategic thinking
    • Better estimate costs and benefits
    • Overcome possible “language” barriers

[Dos Santos]

SLIDE 12

IdM Stakeholders

(Diagram: a Cross-functional Team linking the IT Department, Management and Users)

  • IT Department
    • Implement solutions
    • Support users and management
  • Management
    • Make decisions
    • Set policies
    • Develop strategies
    • Risk assessment
  • Users
    • Knowledge of processes
SLIDE 13

Agenda

Introduction
  • The Need for IdM in Organisations
  • Driving Factors for IdM
  • The Cost Side of IdM

Evaluation of IdM
  • Prerequisites
  • The Evaluation Process

Conclusion / Discussion

SLIDE 14

Prerequisites for the Analysis

  • Underlying assumptions need to be realistic (e.g. by using reference/benchmark projects).
  • Complete view on costs
  • Impact of the different factors on each other
  • Usage of finance-mathematical methods
  • Usage of scenarios to cope with uncertainty
  • For decision support:
    • It is not possible to gather all data in an acceptable timeframe
    • Some degree of compromise is needed
    • Results only need to be sufficiently accurate for decision making

SLIDE 15

Strategic Planning Phase

(Diagram: Strategic planning runs from “Analyse Goals & Environment” via “Build Holistic View of the Organisation” to “Divide plan based on strategy”; the Operationalisation below it is the evaluation process, grouped into Definition, Assessment and Calculation, each followed by an Evaluate step, with a Sequence of Execution numbered 1 to 5)

Operationalisation

  • 1. Assessment of org. view and strategic goals
  • 2. Define and document scope
  • 3. Define Costs
  • 4. Estimate tangible benefits
  • 5. Document intangible benefits
  • 6. Document risks
  • 7. Calculate potential return

SLIDE 16

Evaluation Process

Definition
  • 1. Assessment of org. view and strategic goals
  • 2. Define and document scope

Assessment
  • 3. Define Costs
  • 4. Estimate tangible benefits
  • 5. Document intangible benefits
  • 6. Document risks

Calculation
  • 7. Calculate potential return
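The Assessment and Calculation steps (3 to 7) worked through in code, as an added example that is not part of the presentation: lifecycle costs (introduction plus running costs), tangible benefits, and documented intangible benefits and risks are captured per scenario, and the potential return is the probability-weighted net present value across scenarios, which also covers the "scenarios to cope with uncertainty" and "finance-mathematical methods" prerequisites. The discount rate, the NPV model and all scenario figures are assumptions constructed for the example; the slides give no formula or numbers.

```python
from dataclasses import dataclass
from typing import Optional

DISCOUNT_RATE = 0.08  # assumed cost of capital; the presentation states no rate


@dataclass(frozen=True)
class Scenario:
    """One scenario of an IdM introduction, covering steps 3 to 6 of the evaluation process."""
    name: str
    probability: float                # weight used to cope with uncertainty; weights sum to 1
    introduction_cost: float          # one-off lifecycle cost (licences, integration, project)
    running_cost_per_year: float      # recurring lifecycle cost (operations, support)
    tangible_benefit_per_year: float  # monetised benefit, e.g. fewer help-desk password resets
    intangible_benefits: tuple        # documented, deliberately not monetised
    risks: tuple                      # documented, deliberately not monetised


def net_present_value(scn: Scenario, years: int) -> float:
    """Discounted net cash flow over the lifecycle: introduction in year 0, then running years."""
    annual = scn.tangible_benefit_per_year - scn.running_cost_per_year
    discounted = sum(annual / (1 + DISCOUNT_RATE) ** t for t in range(1, years + 1))
    return discounted - scn.introduction_cost


def break_even_year(scn: Scenario, max_years: int) -> Optional[int]:
    """First horizon at which discounted benefits cover all costs, or None within max_years."""
    for horizon in range(1, max_years + 1):
        if net_present_value(scn, horizon) >= 0:
            return horizon
    return None


def expected_return(scenarios, years: int) -> float:
    """Step 7: probability-weighted potential return across all scenarios."""
    if abs(sum(s.probability for s in scenarios) - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    return sum(s.probability * net_present_value(s, years) for s in scenarios)


# Constructed sample scenarios; the figures are illustrative and not from the presentation.
SCENARIOS = (
    Scenario("optimistic", 0.3, 400_000, 60_000, 220_000,
             ("faster on-boarding",), ("vendor lock-in",)),
    Scenario("expected", 0.5, 450_000, 70_000, 210_000,
             ("audit trail for compliance",), ("process changes resisted",)),
    Scenario("pessimistic", 0.2, 600_000, 90_000, 180_000,
             ("single sign-on convenience",), ("integration overruns", "orphaned accounts")),
)

if __name__ == "__main__":
    for scn in SCENARIOS:
        print(f"{scn.name:12} NPV(4y)={net_present_value(scn, 4):>12,.0f} "
              f"break-even year={break_even_year(scn, 10)} risks={', '.join(scn.risks)}")
    print(f"expected return over 4 years: {expected_return(SCENARIOS, 4):,.0f}")
    print(f"expected return over 5 years: {expected_return(SCENARIOS, 5):,.0f}")
```

With these sample figures the weighted return is negative over a four-year horizon and positive over five, which is the point of documenting the lifecycle horizon alongside the costs rather than reporting a single return figure.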

SLIDE 17

Lifecycle View

(Diagram: the IdM lifecycle as a cycle of Planning, Implementation, Running, Upgrading and Decommission, supported by Process & Role Models, Economical Evaluation, Project Controlling, Planning & Control, Best Practice and Steering Methodologies)

[t]

SLIDE 18

Agenda

Introduction
  • The Need for IdM in Organisations
  • Driving Factors for IdM
  • The Cost Side of IdM

Evaluation of IdM
  • Prerequisites
  • The Evaluation Process

Conclusion / Discussion

SLIDE 19

Conclusion

  • The proposed evaluation process should help to assess costs and benefits in a formalised way.
    • Associated risks
    • Facilitate the decision process
    • More transparent assessment of introduction
  • Cross-functional team
  • Planning of IdM strategy

SLIDE 20

How to Proceed?

  • Build a complete evaluation and steering scheme as a decision support tool for organisations
    • Based on ROSI?
    • Based on a specific IT Security Balanced Scorecard?
    • ...

[Kaplan & Norton]

SLIDE 21

Thank you for your attention! Any Questions? denis.royer@m-chair.net

SLIDE 22

Decision support instruments

  • Return on Security Investment (ROSI)
  • More holistic approach to make evaluations comparable in the way they are conducted.