DOI: 10.1145/3465481.3470055
Research article, ARES conference proceedings

Towards Improving Identity and Access Management with the IdMSecMan Process Framework

Published: 17 August 2021

Abstract

In today’s networks, administrative access to Linux servers is commonly managed by Privileged Access Management (PAM). It is not only important to monitor these privileged accounts, but also to control segregation of duty and to detect keys as well as accounts that potentially bypass PAM. Access that is not prohibited can become a business risk. In order to improve security in a controlled manner, we establish IdMSecMan, a security management process tailored for identity and access management (IAM). Security management processes typically use the Deming Cycle or an adaptation of it for the continuous improvement of products, services, or processes within the network infrastructure. We adjust a security management process with visualization for IAM, which also shifts the focus from typical assets to the attacker. With the controlled cycles, the maturity of IAM is measured and can continually advance. This paper presents and applies the work-in-progress IdMSecMan to a motivating scenario in the field of Linux servers. We evaluate our approach in a controlled test environment, with first steps towards rolling it out in our data center. Last but not least, we discuss challenges and future work.

Cited By

  • (2023) Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT Infrastructures. Applied Sciences 13(4), 2349. DOI: 10.3390/app13042349. Online publication date: 11 Feb 2023.

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN:9781450390514
DOI:10.1145/3465481
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Identity Management
  2. Security
  3. Security Management
  4. Server

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)26
  • Downloads (Last 6 weeks)1
Reflects downloads up to 29 Jan 2025
