The document discusses foundational concepts for identity and access management (IAM). It emphasizes focusing on business needs like productivity, security, compliance and risk optimization when building IAM programs. It also covers topics like onboarding users, preventing identity abuse, separation of duties, and metrics for evaluating IAM implementations like role-based access control efficiency and average time to detect unauthorized access.

1. IAM: Getting the basics right
David Doret
david.doret@me.com
https://ch.linkedin.com/in/daviddoret
https://twitter.com/daviddoret
From the perspective of an IAM manager
IDM Conference, 14 march 2019

2. Focus on the business to build sponsorship
Business Productivity & Agility
Information Security
Compliance & Auditability
Risk Optimization
On-boarding, ID beyond boundaries, Reorgs
Protection from identity and privilege abuse
SoD, 4 eyes checks, toxic rights, transparency
Legal risk, fraud prevention and detection
risk by Template
from the Noun
Project
start up by Alina
Oleynik from the
Noun Project
Audit by Arafat
Uddin from the
Noun Project
Security by Ben
Davis from the
Noun Project

3. A Value Proposition Sample: DPOProducts&Services
Gain Creators
Pain Relievers Pains
CustomerJobs
Gains
Reference: Alex Osterwalder et al. (2015). Value Proposition Design - How to create products and services customers want.
Sticky notes: © Copyright Showeet.co.
Process +
centralized
repository of
roles and
authorizations
+ SoD matrix
Data
Extend data
model to cover
DP requirements
Protect
sensitive
personal data
Assess and
demonstrate
compliance
Supervise
cross border
accesses
Extend
workflows
Focus on DP
expertise
value added
tasks
Monitor
Be alerted

4. IAM shrinks the opportunity vertex of the fraud triangle
PRESSURE
RATIONALIZATIONIAM
Cool reference on Fraud Management: Singleton, T.W., Singleton, A.J., 2010. Fraud Auditing and Forensic Accounting

5. Net Economic Benefit of RBAC
RBAC
Net Economic Benefit
Per Employee per Year
in 2018 (with inflation)
USD: 168.47
EUR: 147.71
CHF: 167.56
Reference: O’Connor and Loomis (2010)

6. Foundational Metric: RBAC Efficiency
• Easy to collect and compute
• If you don’t measure this indicator, you
don’t know if RBAC is implemented or not
• Minimum level to claim RBAC: 80%
• Should reach an optimal plateau
0
0,1
0,2
0,3
0,4
0,5
0,6
0,7
0,8
0,9
1
RBACEfficiency
Cost / Time / Effort
Law of diminishing returns
𝒂𝒄𝒄𝒆𝒔𝒔𝒊𝒏𝒉𝒆𝒓𝒊𝒕𝒆𝒅
𝒂𝒄𝒄𝒆𝒔𝒔 𝒕𝒐𝒕𝒂𝒍

7. Foundational Metric: Unauthorization Detection Time
• Easy to collect and compute
• Must be complemented with: # of
uncontrolled systems
• More difficult but key enhancement:
resolution time instead of detection
time
• Auto-reconciliation is your friend
𝟑𝟔𝟓𝒚 + 𝟗𝟎𝒒 + 𝒅
𝒔
0
50
100
150
200
250
300
350
400
Averageanomalydetectiontime(indays)
Cost / Time / Effort
Law of diminishing returns

8. As certain as death and taxes, if you don’t observe it, you just don’t see it!
Permission Drift (definition)
“If deprovisioning does not occur, it may not affect a user’s
productivity, but it results in the user maintaining unnecessary or
inappropriate permissions. This phenomenon is referred to as
permission drift and results in ‘overentitled’ users.”
Reference: Alan C. O’Connor and Ross J. Loomis (2010)

9. Control Depth
Business App
Report
Middleware
OS
Hypervisor
Out-of-band
Database ETL
Web Server
PAM
Security ServicesInfra Services
Physical Security
SDLC
UEFI
It is much more rewarding to embrace
complexity and adopt a risk-based
approach
Queuing
Etc. Etc. Etc.
API
You may live a happy life
ticking boxes to scratch
the surface Report
AD LDAP Kerberos Radius
Federation Services

10. Top-Down “Not all our challenges are top-down.
There is a need for an important
bottom-up view of security
requirements engineering.”
Crook et al. (2002)
Bottom-Up

11. Ignorance-by-Design
The Need-to-Know Meme
• Not a principle, sometimes a dogma
• An excellent tool for strictly limited use cases
• Burden of proof inversion
• Inhibits collaboration, innovation
• As a general rule, we want information to flow
• What risk?
• What opportunity cost?

12. Overentitlement Underentitlement
Security Risk
Business Risk
& Security Risk
Indispensable References: Sinclair and Smith (2008) + O’Connor and Loomis (2010)

13. MFA with physical tokens is the Graal
Level 4 is intended to provide the highest practical
remote network authentication assurance. Level 4
authentication is based on proof of possession of a
key through a cryptographic protocol. At this level, in-
person identity proofing is required. Level 4 is similar
to Level 3 except that only “hard” cryptographic
tokens are allowed.
Burr, Dodson, et al., (2013) NIST SP 800-63-2: Electronic Authentication Guideline
Stop arguing, it is affordable and superior to everything else
Implement it for all reachable users
Source: https://krebsonsecurity.com/2018/07/google-security-
keys-neutralized-employee-phishing/

14. Turn off the tap of inbound chaos
Audit
PMO
SDLC
Architecture
DevOpsIT Change
Management
Procurement
Top
Management
Security
Slow rewards, do it for your successor

15. • 50 years of academic research in
ARM/IAM/IAG/etc.
• Piles of cool books, case studies, articles
• Yet people keep on reinventing the
wheel
• Hypothesis: The NIH Syndrom
https://en.wikipedia.org/wiki/Not_invented_here
• Be lazy and stand on the shoulders of
giants
Are we in love with ignorance?

16. The Key is the IAM Team and its Skillset
IAM requires highly specialized skills across multiple disciplines
E.g. roles engineering
Aggressively develop the
hell out of your IAM staff!
team by Gwen Stacy, teach by Becris, win by Dev Patel from the Noun Project

17. «If I have seen
further it is by
standing on the
sholders of
Giants.”
Isaac Newton, 1676
Bibliography
• Anderson (1994) Liability and
computer security: Nine
principles
• Benantar (2006). Access control
systems: security, identity
management and trust models.
• Bertino and Takahashi (2011)
Identity management: concepts,
technologies, and systems.
• Barker, S. (2009). The next 700
access control models or a
unifying meta-model
• Brink (2015) How Managing
Privileged Access Reduces the
Risk of a Data breach.
• Coyne, E.J. and Davis, J.M.
(2008). Role engineering for
enterprise security
management.
• Crook et al. (2002) Security
requirements engineering: when
anti-requirements hit the fan.
• Donaldson et al. (2018)
Enterprise Cybersecurity Study
Guide.
• Ernst & Young (2013) Key
considerations for your internal
audit plan - Enhancing the risk
assessment and addressing
emerging risks.
• Ferraiolo et al. (2007). Role-
based access control. 2nd ed.
• Gallaher et al. (2002). Planning
Report 02-1: The Economic
Impact of Role-Based Access
Control
• Gartner (2005) Consider Identity
and Access Management as a
Process, Not a Technology.
• Gartner (2017) Best Practices for
Privileged Access Management.
• Hall et al. (2005) Policies,
Models, and Languages for
Access Control
• Herda (1995). Non-repudiation:
Constituting evidence and proof
in digital cooperation.
• Huet (2015). Identity and Access
Management - Data modeling.
• Kobelsky (2014) Enhancing IT
Governance With a Simplified
Approach to Segregation of
Duties.
• Massacci et al. (2007) Computer-
aided Support for Secure Tropos.
• O’Connor and Loomis (2010).
2010 Economic Analysis of Role-
Based Access Control - Final
Report. NIST.
• Osmanoglu, T.E. (2013). Identity
and access management:
business performance through
connected intelligence.
• Sinclair and Smith (2008)
Preventative Directions For
Insider Threat Mitigation Via
Access Control
• Zhang, D. et al. (2014). Efficient
Graph Based Approach to Large
Scale Role Engineering