Privacy and Security Risks Analysis of Identity Management Systems

  • Ebenezer Paintsil

Publication details

This thesis develops a risk model and a model-based risk analysis method for privacy and security risk analysis of identity management systems (IDMSs), in order to reduce cost and provide scientific support for the choice of identity management approaches. To analyze a system, we need a clear understanding of the system as well as of what can go wrong in it. Risk assessors often rely on system specifications and stakeholders (end-users and system owners) to understand a targeted system. Similarly, system stakeholders may rely on risk assessors to understand the risk analysis process. Model-based risk analysis methods use graphical models to help system stakeholders understand the risk analysis process. The graphical risk models communicate what can go wrong in a system and assist in the security risk analysis. They facilitate participation, risk communication and documentation. However, current model-based risk analysis methods provide general support for security risk analysis but pay little attention to privacy. Privacy requirements complement those of security, but conflicts can arise in their implementation. Identifying and understanding such conflicts is a prerequisite for developing an adequate and balanced risk analysis method. Furthermore, due to the lack of data on past events, model-based risk analysis methods rely either on the subjective intuitions of risk assessors and system stakeholders, or on complex mathematical validation techniques, to determine a system's risk. Subjective intuitions lead to high uncertainties in risk analysis. Moreover, complex mathematical risk modeling and validation techniques are expensive, difficult to learn and can impede risk communication among system stakeholders. This thesis develops a balanced approach to risk analysis in which systems' characteristics, together with tools that are relatively easy to learn, are relied upon to analyze privacy and security risks in IDMSs.
It provides new knowledge on how to develop a privacy and security risk model for IDMSs from the characteristics of the information that flows in them. Furthermore, it develops an executable model-based risk analysis method (EM-BRAM) to improve risk communication, automation, participation and documentation in IDMSs. EM-BRAM relies on system behaviors or characteristics rather than on data on past events or the intuitions of a risk assessor to analyze privacy and security risks in IDMSs. Consequently, the method can reduce subjectivity and uncertainty in the risk analysis of IDMSs. EM-BRAM identifies risk factors inherent in IDMSs and uses them as inputs for the privacy and security risk analysis. The risk factors are categorized into external and internal misuse cases. The external misuse cases consist of risk factors that may be outside the control of IDMSs, while the opposite is true for internal misuse cases. The internal misuse cases are used for the privacy and security risk analysis. To determine a system's risk, EM-BRAM uses Colored Petri Nets tools and queries to model and analyze the characteristics of information flow in the target IDMS. The method has been applied to analyze the security and privacy risks of popular IDMSs such as OpenID and the SAML single sign-on service for Google Apps. The results show that EM-BRAM is effective in analyzing the privacy and security risks of IDMSs if it is applied to low-level system specifications.