Leveraging Dynamic Information for Identity and Access Management:

An Extension of Current Enterprise IAM Architecture

Alexander Puchta

, Sebastian Groll

and G

unther Pernul

Nexis GmbH, Franz-Mayer-Str. 1, 93053 Regensburg, Germany

Chair of Information Systems, University of Regensburg, Universit

atsstraße 31, 93053 Regensburg, Germany

Keywords:

Identity and Access Management, IAM, Access Control, Architecture, Big Data, Stream Data, Real Time

Analysis.

Abstract:

Identity and access management (IAM) functions as a core component for today’s enterprises managing digital

identities and their access to resources. However, IAM systems are quite isolated from other applications with

useful information resulting in individual data pots. By interconnecting these systems, important information

on relevant IAM entities like criticality or usage information can be additionally gathered for further improve-

ment. Current IAM landscapes within enterprises are not prepared for such challenges as the data needs to

be harmonised, analysed, and veriﬁed. Within this work a state-of-the-art IAM architecture in enterprises and

existing shortcomings are deﬁned. Based on these, an extended IAM architecture scheme is proposed and

described in detail. Key component is the integration of additional information sources for mutual beneﬁt in

IAM and external applications. Finally, the approach is applied to two use cases based on real data. They

originate from our conducted IAM projects and show the feasibility of the proposed architecture.

1 INTRODUCTION

Identity and access management (IAM) has increas-

ingly become a core component in today’s enterprise

IT as it is vital to fulﬁl internal and external require-

ments and obligations. SOX (SOX, 2002) or Basel

III (Basel Comittee on Banking Supervisions, 2010)

require the application of various processes, policies

and technical solutions. This also includes a change

of the current IAM architecture as it is mainly cen-

tralised around one IAM system being connected to

managed applications. IAM currently is rarely and if

then only partially linked to other important systems

like SIEM or real time information systems. How-

ever, there potentially exists a great mutual beneﬁt

in tighter connections of IAM with further informa-

tion sources. On the one hand IAM systems may re-

trieve additional information which is helpful for ex-

isting IAM processes like access reviews, also known

as recertiﬁcation (Osmanoglu, 2013). On the other

hand analytical ﬁndings inside the IAM system are

also valuable to be automatically exported into other

systems to enhance quality and process duration.

Within this work, we want to deﬁne how existing

information can be integrated in IAM, analysed and

exported back into other systems if needed. In order

to reach this goal, we focus on the following three

research questions:

• RQ-1. What does a current IAM architecture look

like and which shortcomings exist?

• RQ-2. What could be an extended IAM architec-

ture for better integration of dynamic information

from external (= non-IAM related) systems?

• RQ-3. How can the extended IAM architecture be

implemented and is there a practical applicability?

By answering these research questions our work

provides two main contributions. We propose a

generic IAM architecture based on scientiﬁc research

and experience from IAM practitioners which de-

scribes how the integration of external information (=

information from external systems) can be carried out.

Besides that, we show exemplary solutions how the

architecture can be implemented and demonstrate the

feasibility by applying anonymised real world IAM

data to the approach.

The remainder of this work is structured as fol-

lows. Section 2 introduces the relevant background

on IAM and related work as well as the deﬁnition

of a current IAM architecture (RQ-1). Within Sec-

tion 3 we deﬁne the extended architecture and give

an overview of the relevant building blocks to answer

Puchta, A., Groll, S. and Pernul, G.

Leveraging Dynamic Information for Identity and Access Management: An Extension of Current Enterpr ise IAM Architecture.

DOI: 10.5220/0010315706110618

In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 611-618

ISBN: 978-989-758-491-6

611

RQ-2. Section 4 gives a more ﬁne-grained view of

each building block (RQ-3). We demonstrate the fea-

sibility of our approach within Section 5 with several

use cases based on real world data from our IAM

project work (RQ-3). Section 6 concludes our work

and highlights possible future research directions as

well as current limitations.

2 BACKGROUND & RELATED

WORK

Within this section the key concepts of IAM are de-

ﬁned. Furthermore, we introduce a typical state-of-

the art IAM architecture which can be commonly

found in practice and show related work regarding the

integration of dynamic information into IAM. We re-

fer to dynamic information in this work as all kind of

information being not exclusively IAM data from ap-

plications. This comprises static data as well as con-

tinuous information ﬂows (e.g. data streams).

2.1 Background on IAM and IAM

Architecture

When speaking of IAM it primarily supports two pur-

poses: Managing identities and granting them access

to resources (e.g. ﬁles or applications). Within the

scope of this paper we are assuming an enterprise fo-

cused IAM limited to a single company’s context.

Based on their status in the identity management

process, access control is applied to identities to reg-

ulate access to documents, applications or other in-

formation (Samarati and de Vimercati, 2000). In or-

der to achieve this, various access control models are

enforced in IAM. One of the most common types

is role-based access control (RBAC) (Sandhu et al.,

1996). Today it is one of the most commonly found

access control models in IAM systems but remains a

quite static approach (Kunz et al., 2019). By leverag-

ing identities’ attributes and predeﬁned policy rules,

attribute-based access control (ABAC) enables enter-

prises to apply a more dynamic access management

(Hu et al., 2014). Please note that there exist various

other access control models. However, for the sake of

clarity we focus only on the core models RBAC and

ABAC as these are also the most common models in

practice.

Enterprises employ large pieces of software, so

called IAM systems like SailPoint or OneIdentity to

manage thousands of identities. As such IAM sys-

tems are a key component of IAM, enterprises often

leverage a centralised system architecture. The con-

nection to other systems being no part of the IAM

cosmos is typically rather loose. For example it may

only consist of one monitoring system connecting to

the IAM system database to read out logs. Thus, the

company can react in the case of a failure (e.g. data

could not be loaded into the IAM system).

However, such approaches leave IAM isolated

from other relevant information systems like SIEM

systems or data streams of connected applications.

Within this paper we want to propose a new archi-

tecture and procedure to leverage such existing in-

formation. This improves the system as a whole.

On the one hand additional information relevant for

IAM can be retrieved from the IAM system. On the

other hand critical information which may be gener-

ated within IAM systems via data analysis and is vital

for other processes can be exported to connected sys-

tems. Thus, SIEM systems may get information of a

possible data breach faster, resulting in an overall im-

proved performance of the company’s IT processes.

2.2 Related Work

Regarding access control a large body of literature can

be found. When it comes to deﬁning various access

control models, like the previously mentioned RBAC

(Sandhu et al., 1996) or ABAC (Hu et al., 2014) mod-

els, there is a huge variability in existence. However,

as this is only one part of IAM, our work is not pre-

dominantly focused on access control itself. When it

comes to IAM-speciﬁc topics not as much literature

can be found. Literature is mainly focused on spe-

ciﬁc problems within IAM, like role mining or mod-

elling (Colantonio et al., 2012; Elliott and Knight,

2010). Regarding the integration of dynamic infor-

mation there already exists some fundamental work,

however it is not focused on deﬁning an overarching

architecture but is more focused on the introduction

of attribute-based approaches in enterprises (Hummer

et al., 2015; Hummer et al., 2016; Kunz et al., 2015).

To the best of our knowledge none of these or

other existing approaches deﬁne a suitable architec-

ture for enterprise IAM in order to connect IAM with

external applications or mechanisms to gain mutual

beneﬁts by leveraging external information. Our ar-

chitecture comprises of several building blocks with

different use cases in mind. In advance to this work

we already published related work on various of these

building blocks (Kunz et al., 2019; Nuss et al., 2018;

Puchta et al., 2019). Within this work we aim to span

the arch around these individual topics to generate a

uniﬁed architecture to interconnect IAM with external

systems.

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

612

3 ARCHITECTURE DEFINITION

& OVERVIEW

In this section we deﬁne the current shortcomings of

IAM architecture and today’s IAM in general more

formally as this represents the baseline for our im-

proved approach. Based on this, we give an overview

of our proposed extension of an IAM architecture and

the underlying building blocks.

3.1 Current Shortcomings of IAM

Architecture

As mentioned before, current IAM architecture is

centred around an IAM system connected to relevant

applications. This connection is predominantly lim-

ited to database access to retrieve or change IAM rel-

evant data (e.g. account and entitlement information).

There may also be a loose connection to other systems

not in the IAM cosmos. However, based on our prac-

tical experience this is mainly a one-way connection.

Additionally, we conducted interviews with three dif-

ferent IAM consultants having four to 15 years expe-

rience with IAM projects in order to verify this struc-

ture.

Such architecture results in several shortcomings

for current IAM solutions when it comes to integra-

tion of external information. IAM systems have quite

static procedures as they are mainly based on an im-

port and export cycle of assignments to the respec-

tive connected systems. This often results in relevant

information missing or being erroneous in IAM sys-

tems (Kunz et al., 2019). Examples for this would

be the lack of data on responsibilities or criticality of

entitlements. Besides that, a further relevant infor-

mation is often not present within current IAM sys-

tems, namely usage of entitlements per (individual)

account. Such usage information is especially of high

importance, when it comes to decision making within

IAM (e.g. access reviews) as shown in Section 5.

Because decisions are often made from managers re-

sponsible for employees or entitlements they need to

rely on quickly comprehensible information.

Besides the points stated above, further literature

can be found deﬁning shortcomings or challenges

within the current IAM generation. In one of our pre-

vious works we already analysed existing IAM liter-

ature and practice to derive relevant IAM challenges

(Puchta et al., 2019). Please note that we do not refer

to each individual underlying literature source for the

sake of brevity. The relevant literature per challenge

can be taken from the referenced work. These chal-

lenges may also be interpreted as shortcomings of cur-

rent IAM architecture. Namely the missing priority of

privacy within IAM, heterogeneity of IAM data, data

quality management, and the transformation from an

RBAC centred approach to an attribute based one.

All these shortcomings indicate that the approach

to IAM in general needs to be revised. When speak-

ing of enterprise IAM this can mainly be achieved via

a profound architecture as a basis for the technical im-

plementation.

3.2 Overview of the Extended IAM

Architecture

Our proposed extended IAM architecture can be

found in Figure 1. We added a central component to

handle the input of IAM and external data, in the fol-

lowing it is called InterConnectivity Module (ICM).

The arrows indicate the information ﬂow within our

generic IAM architecture. Please note that the ICM

could also be an integral part of the IAM system and

must not be a standalone component. However, for

the sake of clarity we treat them as two different parts

of the architecture. The ICM is used as a mediator be-

tween connected IAM applications, the IAM system,

and external applications. Here information from

connected and external applications is harmonised to

allow for a homogeneous data ﬂow to the IAM sys-

tem. Furthermore, data quality approaches can be ap-

plied to the imported data (Kunz et al., 2019).

As data may need to be combined, the connected

applications are not directly connected to the IAM

system but are rather communicating via the ICM

with the IAM system. The ICM may need to con-

vert this information into a suitable format. Where

possible, information is represented as an attribute of

the respective IAM entity to enable the application of

ABAC (Hu et al., 2015). However, when it comes

to pure IAM operations (e.g. provisioning of entitle-

ments), the IAM system is still able to perform such

actions independently from the ICM to guarantee per-

formance of the basic IAM operations.

When exporting information to external applica-

tions the ICM handles these operations as well. On

the contrary to current IAM architecture there is a

bidirectional interface in existence. This also enables

the IAM system to receive a response from external

applications. For this, a use case would be an auto-

matically started emergency process to deactivate a

speciﬁc user in case a SIEM system detects an insider

attack (Anderson et al., 2007).

Regarding user experience nothing will change as

users like analysts or decision makers are still access-

ing the front end of the IAM system. The only change

they will notice, is the enhancement of information

available or additional tasks to be available like fur-

Leveraging Dynamic Information for Identity and Access Management: An Extension of Current Enterprise IAM Architecture

613

Figure 1: Extended IAM architecture.

ther data analysis steps (c.f. Section 4.2) or veriﬁca-

tion of information to be exported (c.f. Section 4.3).

As the ICM consists of different building blocks

the internal structure is described in the following.

4 ARCHITECTURAL BUILDING

BLOCKS OF THE ICM

MODULE

Figure 2 shows the internal structure of the ICM. We

created four different steps while the arrows indicate

the information ﬂow within the ICM:

• Data Harmonisation & Quality Monitoring.

IAM data is integrated with external information.

Furthermore, privacy and data quality related pro-

cedures are applied.

• IAM Data Analysis. Information is provided for

the IAM system for analysis. Valuable informa-

tion for external systems is generated.

• Result Veriﬁcation. Results from the IAM data

analysis can be veriﬁed by experts and marked for

export to external applications.

• Data and Result Storage. The relevant combined

data sets are immutably stored if proof is needed.

Within the next sections we describe each building

block more detailed and hint at possible implementa-

tions. Please note that we provide a generic architec-

ture which shall be suitable for as many enterprises as

possible. Thus, the mentioned implementations are

not exhaustive measures but rather exemplary ones.

Some enterprises may even decide not to fully imple-

ment all procedures for individual reasons.

4.1 Data Harmonisation & Quality

Monitoring

As soon as new dynamic information is sent to the

ICM module the ﬁrst step is started. First the infor-

mation from the connected external applications need

Figure 2: Building Blocks within the ICM module.

to be harmonised with the already existing IAM data

set. In order to ensure compatibility with existing

IAM systems, our approach integrates the external in-

formation as attributes in the context of ABAC. Thus,

for each information a suitable data type can be found

(e.g. boolean attribute, string attribute or numerical

attribute). Based on already existing IAM data mod-

els this results in attribute connections with identities,

accounts, permissions or roles (Kunz et al., 2019).

Within this work we extend the scope such that exter-

nal information can also be linked to an assignment

of two IAM entities (e.g. information on the usage

value of a speciﬁc assignment of one permission to

an account). For better understanding Table 1 shows

suitable examples which external information may be

relevant per entity.

Table 1: Exemplary external information per IAM entity.

IAM entity Potential external information

Identity Business function or trust score

Account Necessity of account

Permission Responsible person, criticality

Role Usage, business relevance

Assignment Usage of assignment

During this approach additional privacy measures

are to be applied. In order to preserve the possi-

bility to export identiﬁed anomalies back to external

applications like a SIEM system, pseudonymisation

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

614

methods instead of anonymisation are to be preferred

within our approach. Thus, relevant identities or per-

missions can be depseudonymised during the export

process or after the transmission to a SIEM system.

One method for pseudonymisation is the encryption

of privacy related attributes (e.g. ﬁrst and last name

of identities). As many enterprises already have a key

infrastructure in existence, suitable public and pri-

vate keys can be generated and distributed to the rel-

evant systems. Although existing IAM literature does

not cover this topic yet, please note that this work

does not focus on an in-depth procedure how to ap-

ply pseudonymisation within IAM.

Finally, data quality measures are applied to the

harmonised data set in order to improve the informa-

tion base used by IAM analysts and decision mak-

ers. As data from various different sources are used

data quality problems are imminent. One example

would be several different location attribute values in-

dicating the same location (e.g. Munich, MUC, and

unchen). There are already existing measures for

general data quality management as well as measures

speciﬁcally suited for data quality within IAM which

can be used for implementation (Batini and Scanna-

pieco, 2016; Kaiser et al., 2007; Kunz et al., 2019).

4.2 IAM Data Analysis

Within this step the harmonised IAM data set is pro-

vided to the IAM system for further analysis. On the

one hand additional information from external appli-

cations can support several already existing IAM data

analysis measures. Examples of this extensive collec-

tion would be visual analytics, role mining or policy

management (Colantonio et al., 2012; Puchta et al.,

2019; Fuchs and Pernul, 2008; Hummer et al., 2016).

Besides that additional information also has major im-

pact on the conduction of access reviews (Osmanoglu,

2013; Reinwarth, 2019). Further information can be

displayed for the decision maker to improve the re-

sult quality of access reviews (i.e. improved rate of

removed assignments).

On the other hand new automated analysis pro-

cedures can be established. Having information on

the usage of speciﬁc permissions or their criticality

for business processes related requests can be anal-

ysed from the IAM system and automatically denied

(e.g. if an identity requests a speciﬁc permission to be

added to her account although none of her coworkers

have used this permission). Furthermore, anomalies

can be identiﬁed when comparing permission usage

within speciﬁc identity groups.

4.3 Result Veriﬁcation & Data Export

All information that needs to be exported to external

systems is veriﬁed within this step. Especially when it

comes to automatically identiﬁed anomalies, a human

domain expert should be responsible to verify if the

anomaly is indeed potential threat information or if

there exist explainable reasons for the anomaly (e.g.

administrative work during the weekend).

After successful veriﬁcation, the data can be ex-

ported to the respective external application. Within

this work, we are focusing on threat information as

an example. Thus, a suitable application for this use

case would be a SIEM system. The ICM module has

to prepare the data by including all relevant informa-

tion from IAM or other applications and converting it

into a suitable data format. When speaking of threat

information there exist various languages for threat

exchange as well as an in-depth analysis (Menges

and Pernul, 2018). Based on this outcome, STIX2

or the more generic MISP

may be suitable for our

approach. Especially MISP allows for an export ap-

propriate for our use case as individual MISP objects

suitable for IAM can be deﬁned.

4.4 Data and Result Storage

As the integration of data is an ongoing process, we

decided to introduce a storage module speciﬁcally for

the ICM besides the fact that IAM systems already

have their own databases. Reasons for that are the

possibilities to integrate information as soon as they

are sent to the ICM as well as the usage of immutable

and more ﬂexible storage technologies. To solve this

redundancy of storage, the IAM system could also ac-

cess the result storage provided by the ICM module.

However, in reality this may be quite challenging as

established IAM systems typically have their individ-

ual database structure needed for fully functionality.

Furthermore, the ICM is able to harmonise all in-

formation on its own such that the IAM system only

receives completely integrated and privacy-respecting

data. Thus, no additional data operations need to

be conducted within the IAM system. Addition-

ally, as potential threat information is to be exported

via the ICM module we want to ensure immutabil-

ity of existing records as well as the possibility to

depseudonymise affected IAM entities.

The technical implementation could be done via

traditional SQL databases. However, if enterprises fo-

cus on immutability of stored records as well as ﬂexi-

https://oasis-open.github.io/cti-documentation/stix/

intro

https://www.misp-project.org

Leveraging Dynamic Information for Identity and Access Management: An Extension of Current Enterprise IAM Architecture

615

bility upcoming storage technologies like blockchain

may be a suitable implementation as well (Nuss et al.,

2018; Dunphy and Petitcolas, 2018).

5 REAL-LIFE APPLICABILITY

OF THE ARCHITECTURE

Within this section we will show the feasibility of our

proposed approach. However, as our approach also

has generic elements included, we focus on evalu-

ating the applicable parts of our research. For this

we are using aforementioned access reviews as the

outcome heavily relies on the quality of information

given (Osmanoglu, 2013). Furthermore, within ac-

cess reviews, decision makers in IAM can either con-

ﬁrm or remove an assignment which leads to binary

results when measuring the results. Thus, we want to

show that the quality of results of reviews is signiﬁ-

cantly improved by leveraging the extended IAM ar-

chitecture. Typically within IAM projects, one way to

measure quality of access reviews would be to look at

the numbers of removed assignments. The better the

quality of information provided, the higher the conﬁ-

dence of decision makers to remove assignments in-

stead of conﬁrming them (Osmanoglu, 2013).

The foundation of this section is represented by

two anonymised real-life use cases from our IAM

project experience. Firstly, FinCorp working within

the ﬁnance & insurance sector, and secondly En-

gineCorp active in the engineering sector. During

these projects we (partly) applied our proposed archi-

tecture resulting in having external information inte-

grated into the IAM system. Subsequently, we con-

ducted the reviews together with the individual en-

terprise by leveraging parts of the existing IAM an-

alytics and governance platform Nexis Controle

. Af-

ter concluding the reviews during 2019 and 2020, we

extracted and analysed the decisions made by the in-

dividual employees. As the rate of removed assign-

ments may greatly differ depending on the individual

enterprise and its culture we conducted two access re-

views within each use-case with only one of them in-

cluding external information. Thus, by having a con-

trol group per company, we can ensure comparability

of our results. Furthermore, we can secure that the de-

cision makers for both access reviews mostly remain

the same. Based on these reasons, we only compare

the results within each company.

Table 2 shows the overview of our results. Per

anonymised enterprise we used one additional exter-

nal information during the reviews. Both enterprises

https://www.nexis-secure.com

have more than 5,000 employees and respectively re-

viewed more than 20,000 assignments in the time pe-

riod 2019 to 2020. When looking at the indicator of

removed assignments our results for each enterprise

show an extensively higher conﬁdence to remove as-

signments when having additional external informa-

tion integrated via our approach. We also applied a

hypothesis test to both of our use cases to show

the signiﬁcance of the results and thus to proof that

our approach is linked with the rate of removed as-

signments. With FinCorp having

≈ 1328.12 and

EngineCorp having

≈ 178.25 both use cases show

a statistically signiﬁcance with a signiﬁcance level of

α = 0.001.

In the following the individual use cases are de-

scribed more precisely

5.1 FinCorp

Our ﬁrst use case covers a ﬁnance and insurance com-

pany having a centralised IAM system as well as vari-

ous connected applications (e.g. Microsoft Active Di-

rectory, SAP, and databases). As a member of this

sector, FinCorp needs to comply with various internal

as well as external regulations regarding the manage-

ment of IT systems. The company currently is in the

ﬁnal steps of a role modelling project. Additional in-

formation of external applications proved also to be a

critical success factor for that. During the process ad-

ditional information from the individual departments

was gathered in role modelling sessions (e.g. if an re-

source is still needed). Subsequently, we integrated

the information into the IAM system using parts of

Nexis Controle as our ICM resulting in additional at-

tributes for entitlements. Therefore, the domain of an

entitlement could be described (e.g. accounting en-

titlement or customer service entitlement) as well as

its necessity. Furthermore we applied attribute quality

mechanisms by identifying duplicate values or miss-

ing key attributes.

Parallel to the role modelling, access reviews

including this external information were conducted

from 03/2019 to 06/2020. Various managers had to

recertify the entitlements assigned to employees and

not already included in modelled roles. The previ-

ously assessed information on permission necessary

was added as external information to the review. The

information was expressed as binary value, if the per-

mission was still needed or not. In total, 23,260 as-

signments could be reviewed while 21.62% of these

assignments were removed.

The second access review examined the existing

roles, their included employees and entitlements as

well as the assignments of functional accounts used

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

616

Table 2: Conducted real-life IAM access reviews.

Use Case Total assignments Removed assignments (%) External information Date

FinCorp 23,260 21.62% Necessity of permission 06/2020

FinCorp 9,006 4.67% – 09/2020

EngineCorp 3,635 7.21% Usage of assignment 12/2019

EngineCorp 17,212 2.72% – 12/2019

for trainees. These accounts were not recertiﬁed dur-

ing the ﬁrst review. No additional external informa-

tion was included during this review and 9,006 assign-

ments were reviewed. However, only 4.67% of these

assignments were removed. Although this is quite a

high number compared to other IAM projects from

our experience, there is clearly a signiﬁcant difference

when comparing the results with the ﬁrst review.

By applying our approach during the role mod-

elling and review process FinCorp was able to im-

prove the quality of their modelled roles by integrat-

ing additional information in the process. Further-

more, existing assignments beside their role model

could be effectively removed.

5.2 EngineCorp

EngineCorp develops and builds machine parts within

the engineering sector. Access reviews are conducted

on a regular yearly basis with a focus on SAP role

hierarchies and account permission assignments. For

the review conducted in 2019, we added further ex-

ternal information for the recertiﬁcation of the SAP

composite roles. In detail we included the informa-

tion if a SAP single role within the SAP composite

role was used by any of the SAP composite role mem-

bers during the last 6 months. Thus, decision mak-

ers are able to quickly identify the single roles which

may not be required by the users. We did not include

this information when it comes to the access review of

individual account permission assignments (= second

review).

The usage information itself can be gathered

within the SAP application. We extracted the data

from several SAP tables and aggregated it to show

only the usage within SAP composite roles but not

for individual accounts. In this use case SAP func-

tions both as connected application and as external

application with regards to our extended IAM archi-

tecture. We are aware of potential privacy issues when

it comes to SAP composite roles assigned to only

one account. After discussion with EngineCorp, these

composite roles should be reviewed as well, however

we did not include the list of the accounts assigned to

the respective composite role during the review.

In total, 3,635 SAP role hierarchy assignments

were reviewed including the usage information.

7.21% of these assignments were removed by the de-

cision makers. Similar to our ﬁrst use case there is a

signiﬁcant difference to the review conducted with-

out having external information. Although, 17,212

account permission assignments were audited, only

2.72% of these assignments should be removed. The

reviews were conducted in parallel while the decision

makers for both recertiﬁcations remained the same for

the most part.

6 CONCLUSION

Enterprises constantly have to face a rising number

of internal and external regulations. While IAM has

already proven its value for these scenarios, it lacks

of interconnections with other IT systems for mu-

tual beneﬁts. Within this work we carved out the

look of current IAM architecture as well as potential

shortcomings (RQ-1). However, the extended IAM

architecture should still be compatible with already

existing approaches. By adding the ICM and struc-

turing the information ﬂow we proposed a new IAM

component where information from external applica-

tions can also be considered (RQ-2). The introduced

ICM was further detailed with four different building

blocks and descriptions with a more practical point of

view for each of them (RQ-3). To show the practical

applicability of our approach two real-life use cases

from our IAM project experience were introduced.

By conducting two reviews per use case with one hav-

ing applied our procedure we were able to show a sig-

niﬁcant improvement regarding the rate of removed

assignments.

However, as our use cases are based on real data,

we could not grant an identical setup of our reviews

per company. Exemplary, EngineCorp reviewed as-

signments of SAP roles with external information and

account assignments in the control group review. Also

the number of reviewed assignments differed. This

is a natural limitation when applying real enterprise

data. It would be uneconomic behaviour if differ-

ent employees should conduct the same review while

adding external information to one review would be

the only difference. Additionally, we made the re-

views as similar as possible by using the same graph-

ical interface, the same emails, and the same support

Leveraging Dynamic Information for Identity and Access Management: An Extension of Current Enterprise IAM Architecture

617

documents. Finally, the comparably high

values

per use case indicate a clear difference when applying

our proposed work.

In the future we want to further apply our architec-

tural approach to more IAM use cases in order to col-

lect even further data. By using our extended archi-

tecture, enterprises can achieve the integration of such

additional information. As we provide a more generic

approach for this, it has to be speciﬁcally tailored to

the individual enterprise. This is a step not covered

within our work and needs to be done within an IAM

project in cooperation with the respective business.

One aspect of this is also the appliance and extent of

privacy measures or IAM processes in general.

ACKNOWLEDGEMENTS

This research was supported by the Federal Ministry

of Education and Research, Germany, as part of the

BMBF DINGfest project (https://dingfest.ur.de).

REFERENCES

Anderson, G. F., Selby, D. A., and Ramsey, M. (2007).

Insider attack and real-time data mining of user be-

havior. IBM Journal of Research and Development,

51(3.4):465–475.

Basel Comittee on Banking Supervisions (2010). Basel III:

Int. framework for liquidity risk measurement, stan-

dards and monitoring.

Batini, C. and Scannapieco, M. (2016). Data and informa-

tion quality: Dimensions, principles and techniques.

Springer.

Colantonio, A., Di Pietro, R., Ocello, A., and Verde, N.

(2012). Visual role mining: A picture is worth a thou-

sand roles. IEEE Transactions on Knowledge and

Data Engineering, 24(6):1120–1133.

Dunphy, P. and Petitcolas, F. A. P. (2018). A ﬁrst look

at identity management schemes on the blockchain.

IEEE Security Privacy, 16(4):20–29.

Elliott, A. and Knight, S. (2010). Role explosion: Acknowl-

edging the problem. In Proceedings of the 8th Interna-

tional Conference on Software Engineering Research

and Practice, pages 349–355.

Fuchs, L. and Pernul, G. (2008). Hydro–hybrid develop-

ment of roles. In Proceedings of the 2008 Interna-

tional Conference on Information Systems Security,

pages 287–302. Springer.

Hu, V., Ferraiolo, D. F., Kuhn, D. R., Kacker, R. N., and Lei,

Y. (2015). Implementing and managing policy rules in

attribute based access control. In Proceedings of the

2015 IEEE International Conference on Information

Reuse and Integration, pages 518–525. IEEE.

Hu, V. C., Ferraiolo, D. F., Kuhn, D. R., Schnitzer, A., San-

dlin, K., Miller, R., and Scarfone, K. (2014). Guide to

attribute based access control (ABAC) deﬁnition and

considerations. NIST Special Publication.

Hummer, M., Kunz, M., Netter, M., Fuchs, L., and Pernul,

G. (2015). Advanced identity and access policy man-

agement using contextual data. In Proceedings of the

IEEE International Conference on Availability, Relia-

bility and Security, pages 40–49. IEEE Computer So-

ciety.

Hummer, M., Kunz, M., Netter, M., Fuchs, L., and Pernul,

G. (2016). Adaptive identity and access management

- contextual data based policies. EURASIP Journal on

Information Security, 2016(1):1–19.

Kaiser, M., Klier, M., and Heinrich, B. (2007). How to

measure data quality?–A metric-based approach. In

Proceedings of the 28th International Conference on

Information Systems. AISeL.

Kunz, M., Fuchs, L., Hummer, M., and Pernul, G. (2015).

Introducing dynamic identity and access management

in organizations. In Proceedings of the 11th Inter-

national Conference on Information Systems Security,

pages 139–158.

Kunz, M., Puchta, A., Groll, S., Fuchs, L., and Pernul, G.

(2019). Attribute quality management for dynamic

identity and access management. Journal of Informa-

tion Security and Applications, 44:64–79.

Menges, F. and Pernul, G. (2018). A comparative analysis

of incident reporting formats. Computers & Security,

73:87 – 101.

Nuss, M., Puchta, A., and Kunz, M. (2018). Towards

blockchain-based identity and access management for

internet of things in enterprises. In Proceedings of

the International Conference on Trust and Privacy in

Digital Business, pages 167–181. Springer.

Osmanoglu, E. (2013). Identity and Access Manage-

ment: Business Performance Through Connected In-

telligence. Newnes.

Puchta, A., B

ohm, F., and Pernul, G. (2019). Contributing

to current challenges in identity and access manage-

ment with visual analytics. In Foley, S. N., editor,

Data and Applications Security and Privacy XXXIII -

33rd Annual IFIP WG 11.3 Conference, DBSec 2019,

Charleston, SC, USA, July 15-17, 2019, Proceedings,

volume 11559 of Lecture Notes in Computer Science,

pages 221–239. Springer.

Reinwarth, M. (2019). Access reviews done right.

Technical report, Kuppingercole Analysts,

https://www.kuppingercole.com/report/lb80195.

Samarati, P. and de Vimercati, S. C. (2000). Access con-

trol: Policies, models, and mechanisms. In Interna-

tional School on Foundations of Security Analysis and

Design, pages 137–196. Springer.

Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman,

C. E. (1996). Role-based access control models. Com-

puter, 29(2):38–47.

SOX (2002). Sarbanes-Oxley Act of 2002, pl 107-204, 116

stat 745.

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

618