Identity Risk Modeling: the Secret Sauce of IT Risk Management

Lately I’ve been talking to a lot of customers and prospects about how to proactively approach risk mitigation with identity-related technologies. In today’s climate, I see an ever increasing need for a new approach to managing identity and the need for a more “directed” focus for the deployment of identity management infrastructure. Over the past decade our industry has rolled out billions of dollars worth of identity infrastructure. Certainly, this investment has made IT and the business processes that it supports more efficient and increasingly more secure, but has it also lowered risk? Do the controls we have focus on the right things, do they provide the right kinds of control, do they manage, monitor and lower operational risk for identity?

Particularly in today’s economy, it’s essential that every dollar, pound, Euro or Yen we spend counts. It has to count toward more efficient and transparent operations, increased control and better overall identity governance. By taking a risk-based approach, companies can put “business visibility” in the center of managed identity. When we present the business with a risk “model,” we begin to speak the language of business; the language of balancing cost and return, the data needed to evaluate risk exposure against mitigation cost. When we present identity risk as a repeatable model-based metric, we allow the business to take control and truly start managing the business of identity.

I’m personally a big proponent of a phased approach to defining and building identity risk models. By employing a value-based risk scoring model, we can quickly and accurately build a comprehensive view of the current risk posture of a given identity configuration. Assuming we have visibility into our core identity processes and “profiles,” we can very quickly and easily assign value-based metrics and highlight meaningful key risk indicators for identity. By identifying and categorizing identity attributes and groupings, by ranking and categorizing high-risk roles, and by putting in place the reliable assessment of critical business controls like separation of duty, we can quickly and very effectively define a true identity risk “model.”

I recently took part in a webinar on exactly this subject. In conjunction with Martin Kuppinger, the founder and principle analyst at Kuppinger Cole, I presented some thoughts on the trends and market findings around Identity Risk Management. During the webinar, we discussed some of the drivers for, and approaches to, identity risk management and how risk scoring can increase the odds of good outcomes and reduce the odds of bad outcomes.