37: What is Identity Risk Management?
Takeaway Points:
Risk management in general is complex and requires a host of skills, including technical security controls, appropriate communications, measurement and end-user understanding
Risk management, of course, is not limited simply to organisational technology - we apply many of its facets in our everyday lives, from crossing the road to teaching our children about the world around us
There are numerous frameworks available to help steer this complex process, including the likes of the NIST Risk Management Framework and ISO 27001/27002
Whilst the latter is more focused on how to develop an Information Security Management System, risk management is a fundamental part of that
Risk management aims to assess and respond to events of “uncertainty” happening to things “of value”
Those two points are often assumed to be well understood, but they are often misrepresented, with false assumptions that frequently undermine the entire risk process
We need to first understand what is of “value”, which really requires a strong understanding of end-user objectives, whether running a bank, selling products or sailing a battleship. What are the big top 5 objectives? From there we reduce those to supporting strategies and in turn smaller tactics
From there we identify chains of information, technology and relationships that we deem to be important assets
Here we can then start to threat model - that is, identify any exploitable vulnerabilities that may exist within the people, process and technology steps within those assets
From there we can consider risk treatment options - to either avoid, reduce, accept or transfer the identified risk - which will be influenced by both the impact and likelihood of the event of uncertainty to our identified assets of value
From an IAM point of view, risk management is an amalgam of these principles applied to our identity information flows
These flows need to consider both the identity data and identity runtime activities that occur post authentication - such as session management, activity and transaction processing
We need to consider the entire identity lifecycle - from onboarding, usage, change, offboarding across all identity types including B2E, B2C, NHI, Agentic and hardware
Identity asset identification (along with the associated tools and infrastructure) is the first step, before threat modelling across all parts of the interdependent information flows
Only then can we start to address control selection and implementation
These controls need continual monitoring of their application, but also clear metrics around the benefit they bring to the overall objectives and strategies of the end user
The IAM risk management process will include protective, preventative and detective controls that are highly interdependent
The goal is to identify the identity attack surface and in turn manage it in line with dynamic changes to the risk appetite and changing external factors such as threat intelligence and business priorities