Ludwig Fuchs
University of Regensburg
Publication
Featured research published by Ludwig Fuchs.
availability, reliability and security | 2011
Ludwig Fuchs; Stefan Meier
Organizations that migrate from identity-centric to role-based Identity Management face the initial task of defining a valid set of roles for their employees. Due to its capabilities of automated and fast role detection, role mining as a solution for dealing with this challenge has gathered a rapid increase of interest in the academic community. Research activities throughout the last years resulted in a large number of different approaches, each covering specific aspects of the challenge. In this paper, firstly, a survey of the research area provides insight into the development of the field, underlining the need for a comprehensive perspective on role mining. Consecutively, a generic process model for role mining including pre- and post-processing activities is introduced and existing research activities are classified according to this model. The goal is to provide a basis for evaluating potentially valuable combinations of those approaches in the future.
international conference on information systems security | 2015
Michael Kunz; Ludwig Fuchs; Michael Netter; Günther Pernul
Roles have turned into the de facto standard for access control in enterprise identity management systems. However, as roles evolve over time, companies struggle to develop and maintain a consistent role model. Up to now, the core challenge of measuring the current quality of a role model and selecting criteria for its optimization remains unsolved. In this paper, we conduct a survey of existing role mining techniques and identify quality criteria inherently used by these approaches. This guides organizations during the selection of a role mining technique that matches their company-specific quality preferences. Moreover, our analysis aims to stimulate the research community to integrate quality metrics in future role mining approaches.
international conference on information systems security | 2015
Michael Kunz; Ludwig Fuchs; Michael Netter; Günther Pernul
Roles have evolved into the de facto standard for access control in Enterprise Identity Management. However, companies struggle to develop and maintain a role-based access control state. For the initial role deployment, role mining is widely used. Due to the high number and complexity of available role mining algorithms, companies fail to perceive which is selected best according to their needs. Furthermore, requirements on the composition of roles such as reduction of administration cost are to be taken into account in role development. In order to give them guidance, in this paper we aggregate existing role mining approaches and classify them. For consideration of individual prerequisites we extract quality criteria that should be met. Later on, we discuss interdependencies between the criteria to help role developers avoid unwanted side-effects and produce RBAC states that are tailored to their preferences.
availability, reliability and security | 2015
Matthias Hummer; Michael Kunz; Michael Netter; Ludwig Fuchs; Günther Pernul
Due to compliance and IT security requirements, company-wide Identity and Access Management within organizations has gained significant importance in research and practice over the last years. Companies aim at standardizing user management policies in order to reduce administrative overhead and strengthen IT security. Despite its relevance, hardly any supportive means for the automated detection and refinement as well as management of policies are available. As a result, policies outdate over time, leading to security vulnerabilities and inefficiencies. Existing research mainly focuses on policy detection without providing the required guidance for policy management. This paper closes the existing gap by proposing a Dynamic Policy Management Process which structures the activities required for policy management in Identity and Access Management environments. In contrast to current approaches it fosters the consideration of contextual user management data for policy detection and refinement and offers result visualization techniques that foster human understanding. In order to underline its applicability, this paper provides a naturalistic evaluation based on real-life data from a large industrial company.
Praxis Der Wirtschaftsinformatik | 2013
Ludwig Fuchs; Günther Pernul
Summary: The efficient management of access rights to IT resources (Identity and Access Management, IAM) is one of the greatest challenges for companies. In addition to cost reduction and the intended increase in IT security, internal and external regulations require permanent control over permissions. Many companies therefore seek to clean up their historically grown permission structures. This article proposes a data quality cycle for the practical detection, cleansing and periodic control of data errors, such as employees' excess permissions.
international conference on information systems security | 2018
Matthias Hummer; Sebastian Groll; Michael Kunz; Ludwig Fuchs; Günther Pernul
Currently existing digital challenges such as securing access, proof of compliance with regulations and improvement of business performance are urging companies to implement structured Identity and Access Management (IAM). Over the past decades, the introduction of IAM represented a critical task for companies trying to get their complex IT infrastructures comprising hundreds of systems, thousands of accounts and millions of access right assignments under control. However, once introduced, the identification of potential IAM malfunctions remains an unsolved challenge. Within this paper, we want to provide a first step into the direction of sustainable IAM maintenance, by introducing indicators that are able to capture the efficiency of a rolled-out IAM. We firstly derive IAM performance indicators via a structured scientific approach and later evaluate their relevance by surveying IAM experts.
international conference on information systems security | 2015
Michael Kunz; Ludwig Fuchs; Matthias Hummer; Günther Pernul
Efficient and secure management of access to resources is a crucial challenge in today's corporate IT environments. During the last years, introducing company-wide Identity and Access Management (IAM) infrastructures building on the Role-based Access Control (RBAC) paradigm has become the de facto standard for granting and revoking access to resources. Due to its static nature, the management of role-based IAM structures, however, leads to increased administrative efforts and is not able to model dynamic business structures. As a result, introducing dynamic attribute-based access privilege provisioning and revocation is currently seen as the next maturity level of IAM. Nevertheless, up to now no structured process for incorporating Attribute-based Access Control (ABAC) policies into static IAM has been proposed. This paper closes the existing research gap by introducing a novel migration guide for extending static IAM systems with dynamic ABAC policies. By means of conducting structured and tool-supported attribute and policy management activities, the migration guide supports organizations to distribute privilege assignments in an application-independent and flexible manner. In order to show its feasibility, we provide a naturalistic evaluation based on two real-world industry use cases.
availability, reliability and security | 2008
Christian Schläger; Ludwig Fuchs; Günther Pernul
IT Security is a problem that can only be addressed and taught holistically. Just as broad as the field of ICT itself, IT Security is an integral part of all network and software applications. Security must be guaranteed throughout services. Too often, a single university or department cannot offer the complete range of IT Security subjects to their students or provide the up-to-date information and knowledge needed. Consequently, the demand of keeping up with hackers, threats, and risks is hardly met. Our proposal is a combination of the know-how of multiple institutions, aligned in an Intensive Programme for Master- and PhD Students of Computer Science, Information Systems, and Business Informatics. The proposed Intensive Programme on Information and Communication Security (IPICS) uses e-learning and traditional learning methods to form a blended learning course. Using the synergies of 19 contracted European Universities and their IT Security experts, IPICS will deliver momentum for IT Security education and training to those who take part and furthermore through their networks.
Computers & Security | 2011
Ludwig Fuchs; Günther Pernul; Ravi S. Sandhu
international conference on information systems security | 2008
Ludwig Fuchs; Günther Pernul