I&AM beyond the “standard approach”

At the core of the I&AM domain we find the architectural principles of Identity Data Management and Identity Data Ownership. Contrary to appearances and technological trends, I&AM is essentially data management, and understanding it correctly leads to the application of both industry and enterprise standards in the sphere of information management. I&AM must be supported by a services-oriented information architecture and founded on data ownership and stewardship. I&AM is the Security area most affected by organizational factors and is, in turn, the area which most affects every aspect of the organization’s processes and structures.

The consolidation of these ideas runs against a major obstacle, which I call the “standard approach to Security”.

The starting point of the “standard approach” is the identification of the enterprise “informational assets”. Subsequently, these assets are assessed to estimate their value and the potential threats they are exposed to, which allows the standard approach to determine the level of risk as a quantitative measure. This approach has its historical origins in the protection of business data repositories and central computing facilities and networks. In the standard approach there is no other way to approach security and consequently no other way to propose, design and operate security services. It almost goes without saying that this approach is appropriate for many areas of security, for example network zoning and network access policy development.

My contention is that I&AM can’t be fruitfully approached in this way, as only approximately one quarter of the rationale of this domain can be associated with the notion of informational asset risk. Only a small part of investment requirements and decisions in this area can be determined by risk calculations. To avoid these limitations, I&AM needs to gain a balanced focus encompassing four areas: Governance (Direction), Selection, Protection and Compliance.

To be clear, a similar balance could be applied to all security disciplines and not only to I&AM, but it is nevertheless the case that I&AM is more negatively affected by the “standard approach” than any other Security discipline.

All Security disciplines should be rooted in the Cycle of Trust: Trust is first defined, then it is established, then it is enforced, and finally it is verified. The cycle of trust can thus be readily mapped to the areas of Governance, Selection, Protection and Compliance, in that order.

While it is frequently the case that Security is strongly associated with the area of Protection disciplines, a more balanced approach, a more business-centred vision should develop other complementary strategies:

1) It is essential to understand that there is no “security” without Governance (Direction), especially without the definition of what the organization wants to maintain as a level of trust. The organization’s policies come first, and the definition of what is a trusted environment is a precondition to all the rest.

2) The disciplines of Protection, mostly centred around network and platform security, have historically been the realm of security, but there is an evident and well-established trend to go beyond perimeter and zone protection. How do we respond to this?

3) More recently, perhaps accelerated by increasing regulatory pressure, the area of Compliance has developed. It is evident that there can be no Compliance without Protection and Governance.

4) Finally, even more recently in history, and still immature, comes the area of Selection. It has grown out of the Protection quadrant, becoming much more than “access controls” and including role management, provisioning and authorisation workflows.

Overall, then, I&AM processes appear as a natural component of the Security disciplines and their expansion across the enterprise. This also reflects increasing linkage with business and organizational concerns. While the initial layers of security solutions were mostly technical, the more recent ones are to a great extent business-based and cannot exist without business process changes, as indicated in a previous post.

All of this has important consequences for security architecture and investment decisions:

In the recent past, architecture and investment decisions in security have been marked by a preference for the Protection disciplines. Building up the perimeter and guaranteeing security zones was equated with securing the environment. Currently this is the strongest area in any relatively mature organisation. This period has left a mark on the decision process: decisions are marked by a preference for risk analysis based on threat and vulnerability.

The situation has evolved somewhat with the emergence of Compliance concerns. But this has not changed the fundamental idea of “asset protection” and “perimeter security”. Are you compliant? What is the risk of not being compliant?

None of the above denies the actual problems of compliance and vulnerability to external or internal attack; but I think that it can be demonstrated that the Protection-Risk based approach effectively ignores important segments of business economics precisely because it is focused on asset risk and not on investment risk. On closer analysis the standard approach reveals itself as complementary to economic investment, but not centred on business growth. Whereas in the business world investment is fundamentally made under the combined notions of investment risk and opportunity, in the Information Security world, and in particular in I&AM, we are still working under the notion of insurance and asset protection.

So, in conclusion, to present the whole case of Security, and of I&AM in particular, it is essential to include those opportunities and benefits that can be derived from transformation and process efficiencies and are complementary to the other areas of security. In my next post I will describe how surpassing the standard approach in I&AM furthers the ideas of Identity Data Management and Identity Data Ownership.