Risk definition and detection in IBM Security Verify Governance

Risk is a wide range of possible critical situations that can be associated with a generic business activity.

In the IBM® Security Verify Governance data model, a specific business activity can be associated with a risk.

This information is used to evaluate the "aggregated risk" of the set of activities that are assigned to a user.

Consider a financial management activity and an ICT technical activity. Typically, these types of activities require specialized and extensive knowledge.

Is it reasonable to entrust these activities to the same user?

From an organizational standpoint, depending on the user's prevalent competency, either financial or technical, there is a valid risk in assigning these two unrelated activities to a single user. An activity such as financial management can be considered sensitive even if it is not part of a set of activities. It makes sense to associate a risk evaluation to a single activity.

Generally, possible aggregations are of the following type:

  • A risk to a single activity
  • A risk to a single set of at-risk or conflicting activities
  • Multiple risks to a single activity
  • Multiple risks to a single set of at-risk or conflicting activities

According to this information, it is possible to evaluate the aggregated risk of the set of activities that are assigned to a user.

The ARC module extends features of the RBAC model by introducing the concept of at-risk activities and provides the tools necessary to link activities to entitlements or permissions.

The assessment of the risk level of activities can be translated into the risk level of entitlements or permissions that are assigned to users involved in those activities.

The following figure shows all the IBM Security Verify Governance extended data model elements that are involved in the risk definition and detection layer.

Figure 1. ARC engine and AG Core: Business Model - RBAC Model

The figure shows an example with few elements.

In a generic large organization, you might find:

  • Permissions (>200,000)
  • IT roles (>100,000)
  • External roles (>15,000)
  • Business roles (>1000 and <5000)
  • Business activities (<500).

In a large organization, the number of business activities is drastically lower than roles and permissions.

The advantage of defining risks as activity-driven is clear. By using the risk assessment that is associated with activities, conflicts among permissions or entitlements can be traced back to the activities they enable. Conflicts among roles are easier to trace and less complex to manage because the number of activities is far lower than the number of permissions or BRoles.
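The following Python sketch is an added illustration, not IBM code, of the activity-driven model described above: risks are attached to a single activity or to a set of conflicting activities, permissions are linked to the activities they implement, and a user's aggregated risk is derived from the permissions they hold. The risk names, levels, activity names and permission names are constructed sample data; the financial-management versus ICT-technical conflict mirrors the example in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    level: int              # assumed numeric severity; higher is worse
    activities: frozenset   # one activity: single-activity risk; several: conflicting set


# Constructed sample data (not from the product). Several risks may point at
# the same activity, and one risk may point at a set of conflicting activities.
RISKS = [
    Risk("Sensitive financial operation", 2, frozenset({"financial_management"})),
    Risk("Unaudited finance", 3, frozenset({"financial_management"})),
    Risk("Finance / ICT segregation", 5, frozenset({"financial_management", "ict_technical"})),
]

# Constructed permission -> business activity links (the ARC "link" layer).
PERMISSION_ACTIVITIES = {
    "sap_fi_post": {"financial_management"},
    "sap_fi_approve": {"financial_management"},
    "unix_root": {"ict_technical"},
    "hr_view": {"hr_reporting"},
}


def activities_for(permissions):
    """Translate a user's permissions into the set of activities they enable."""
    acts = set()
    for perm in permissions:
        acts |= PERMISSION_ACTIVITIES.get(perm, set())
    return acts


def triggered_risks(permissions):
    """A risk fires only when the user covers every activity in its set."""
    acts = activities_for(permissions)
    return [r for r in RISKS if r.activities <= acts]


def aggregated_risk(permissions):
    """Aggregated risk of a user: the highest level among triggered risks,
    plus the sorted risk names so an analyst can trace each one back."""
    fired = triggered_risks(permissions)
    return max((r.level for r in fired), default=0), sorted(r.name for r in fired)


def trace_permissions(permissions, risk):
    """Which of the user's permissions enabled an activity in this risk."""
    return sorted(p for p in permissions
                  if PERMISSION_ACTIVITIES.get(p, set()) & risk.activities)
```

Because evaluation happens at the activity level, the conflict set stays small even when thousands of permissions map onto the same few activities.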