Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Saturday, December 29, 2007

IT and Privacy Landscape: Areas to Watch in 2008

A recent article by Brian Tretick, titled “IT and the Changing Privacy Landscape: Eight Areas to Watch in 2008”, provides an interesting analysis of the current state of privacy management and suggests eight areas to watch in 2008:
  • Information is Power: Keeping Data Classification up to Date;
  • Less is More: Minimising the Use of Personal Information;
  • Decode or Not Decode: The Evolving Use of Encryption;
  • The Three-Legged Stool: Strict Standards for Vendors and Business Partners;
  • On the Road Again: Personal Information and the Telecommuter’s Way of Life;
  • In Case of Emergency: Having a Plan for a Worst-Case Scenario;
  • It’s a Small World: Developing Privacy Procedures for Home and Abroad;
  • Building a Better Mousetrap: Keeping Pace with Privacy Management Technologies;

This article concludes by saying that “Privacy is a mainstream business issue. These eight areas deserve more than a check-the-box exercise. Each one should be addressed as part of the comprehensive, deliberate management of privacy risk and compliance. Founded on policy and governance, an effective privacy program relies on controls, monitoring, compliance activities and other assurances to keep an effective operation in place.”

I really tend to agree with this point: in my view, identities and privacy should be more and more considered as key “enterprise assets” and addressed from an “enterprise risk and compliance management” perspective (also see a related post of mine, here).

--- NOTE: my original HP blog can be found here ---

Monday, December 24, 2007

Identity Management 2007: A Year in Review

2007 is drawing to a close. This has been an interesting but also frustrating year for Identity Management. Here are some thoughts and highlights of what happened:
  • Consolidation of Identity Management in Enterprises: Identity Management has gone through further consolidation in enterprises. In my view, there have been no major news items or proposals in this space, apart from the maturation of IdM offerings in the space of “Auditing and Compliance Management”. In this context we also witnessed a growing interest in solutions in the space of Role Discovery/Mining and Role Management;
  • Federated Identity Management: solutions in the space of Federated Identity Management have further matured, with various proposals and options both in “client-driven” and “service-driven” scenarios. This includes Liberty Alliance and Web 2.0/Identity 2.0 solutions, such as Microsoft CardSpace, OpenId, Higgins, etc. Despite this, there is still confusion in the market in terms of ways to move forward, due to (partially) competing proposals, lack of critical mass (in terms of adoption) and weak business opportunities for Identity Providers;
  • Privacy Management: this has been another interesting year for privacy and privacy management. There is no doubt that privacy and privacy management are recognised as important aspects of identity management (and have strong backing from the legislative side): however, despite the increased number (and gravity) of identity thefts and “identity accidents”, still very few Identity Management suites provide integrated privacy management/enforcement solutions/capabilities. Current focus is still on auditing and compliance checking approaches (for the law compliance reasons mentioned above) that, in my view, only partially address the privacy problem. There has been a first step towards a more systemic Identity Governance Framework, with the IGF proposal (in the context of Liberty Alliance and Openliberty) putting privacy enforcement at the center of processes involving access to and manipulation of personal data;
  • Identity Management beyond Management of People’s Profiles: during 2007 we witnessed the first steps/attempts to extend “identity management” from traditional, centralised management of people’s identity attributes (and their rights/permissions) to include the management of device/system identities and to explore distributed/delegated approaches to the management of identities. This includes work done in the context of Liberty Alliance, with the Identity Capable Platform initiative, R&D done on device-based identity management, various initiatives involving Network-based Access Control (NAC) and attempts to integrate this with identity management solutions at higher levels of abstraction;
  • Business-driven Identity Management: I believe that 2007 has been the turning point in realising that Identity Management is not only about self-standing technological solutions but must also be considered in an overall business context and, as such, is a matter for strategic business decisions. Apart from the existing influence of legislation and laws, we also witnessed a growing interest in revisiting Identity Management in the context of ITIL (from a service management perspective) and Risk Management (from a security management perspective). Despite being at the beginning of a long evolution process, ITIL and Risk Management will impact and reshape Identity Management, at least in an enterprise context;
  • Identity as a Service: during 2007 we also witnessed the first steps towards “Identity as a service”, driven by a growing interest, within enterprises, in SOA and web 2.0. This area is just at the beginning: it is going to be interesting to explore and contribute to its development in the coming years.

Sunday, December 23, 2007

Who Am I?

Well, on the Web this also depends on the search engine …

As a simple test, I searched (on 23 December 2007) for my surname, “casassa mont”, by using three popular search engines:
  • Google: 5470 results
  • Microsoft MSN: 15900 results
  • Yahoo: 5070 results

Quite interestingly Microsoft MSN indicates a (potential) number of findings 3 times greater than the ones provided by Yahoo and Google … This ratio is pretty much the same also for a more specific search, about “marco casassa mont”:

  • Google: 3960 results
  • Microsoft MSN: 9940 results
  • Yahoo: 3790 results

In this simple test, these search engines provide consistent information about my “web profile”: MSN also includes some oddities, i.e. specific findings not immediately spotted by the other two search engines. Of course I didn’t check for all the findings, just the first 30 …

Just wondering about the impact that “Consent and Privacy Management” could have on “digital personae”, in the context of the web and search engines …


Friday, December 21, 2007

Coming Conferences on Identity and Privacy Management

Here are a few conferences related to the Identity and Privacy Management topics whose paper submission deadlines are in January and February 2008:
  • SEC 2008 23rd International Information Security Conference, Co-located with IFIP World Computer Congress 2008, Milan, Italy, September 8-10, 2008. (Submissions due 10 January 2008)
  • IFIP-TM 2008 Joint iTrust and PST conferences on Privacy, Trust Management and Security, Trondheim, Norway, June 18-20, 2008. (Submissions due 11 January 2008)
  • UPSEC 2008 Workshop on Usability, Psychology, and Security, Co-located with the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI 2008), San Francisco, California, USA, April 14, 2008. (Submissions due 18 January 2008)
  • CARDIS 2008 8th Smart Card Research and Advanced Application Conference, Royal Holloway, University of London, Egham, Surrey, UK, September 8-11, 2008. (Submissions due 15 February 2008)
  • IFIP-DAS 2008 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK, July 13-16, 2008. (Submissions due 20 February 2008)
  • SHPCS 2008 Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2008 International Conference on High Performance Computing & Simulation (HPCS 2008) and the 22nd European Conference on Modelling and Simulation (ECMS 2008), Nicosia, Cyprus, June 3-6, 2008.
  • SOUPS 2008 Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 23-25, 2008. (Submissions due 29 February 2008)

Wednesday, December 19, 2007

Are Kids the New Targets of Identity Thefts?

A recent article, titled “Children Becoming Prime Identity Theft Targets”, reports the findings of a recent study by the Identity Theft Resource Center:

“According to a recent study by the Identity Theft Resource Center, based in San Diego, the theft usually takes place early in the child’s life. The researchers found that, in 54 percent of the cases, the theft took place before the child was six years old. The study also found that, while parents or other relatives were the most likely perpetrators, other identity thieves increasingly target children for one simple reason. It’s easy to do, and to get away with for long periods of time before discovery.”

This article also highlights that:

“Of the more than 255,000 identity theft complaints received in 2005 by the Federal Trade Commission, five percent involved people 18 or younger, an increase from three percent in 2003.”


Sunday, December 16, 2007

Liberty Alliance’s Advanced Client 1.0 - Final Specifications

The Liberty Alliance’s “Advanced Client v1.0” Final Specification set has been released publicly and can be found here.


Thursday, December 13, 2007

UK Information Commissioner’s Office (ICO): Call for Privacy Impact Assessment

A recent ICO press release (on December 11th) reveals that:

“At a surveillance conference in Manchester the ICO will say that the breach at HM Revenue and Customs was a watershed and will call for organisations to implement new safeguards to help protect individuals’ privacy. The UK’s first privacy impact assessment handbook will be launched to help organisations address the risks to personal privacy before implementing new initiatives and technologies. By carrying out a privacy impact assessment organisations will also increase public confidence in data collection”

This Privacy Impact Assessment (PIA) handbook has now been released and it is available online, here.


Tuesday, December 11, 2007

W3C PLING Interest Group: Wiki site is now up and running …

The Wiki site of the W3C Policy Languages Interest group (PLING) is now up and running. Feel free to subscribe and add your contributions.

As anticipated in a previous post of mine, the current discussion topics are:

1) Use-cases involving the usage of policies in various scenarios, pros and cons of adopted policy frameworks, pain points, issues and recommendations

2) Review of Policy languages and frameworks that are currently used in the industry and research


Sunday, December 9, 2007

Evolution of Identity Management

Jon Oltsik, in his blog post, “Redux in the Identity Management Market”, provides a concise and interesting account of the evolution of Identity Management, from initial start-ups, consolidation by large corporations and back again to start-ups, in some “hot” areas (such as governance, role management, network-based Identity Management, etc.).

Interestingly, he does not mention potential future evolutions of Identity Management in two areas: “Identity as a Service” and Identity Management for (Enterprise) Web 2.0.

He predicts more M&As and specializations in the Identity Management space in the months to come.


Friday, December 7, 2007

W3C Policy Language Interest Group (PLING): Discussion Topics …

The W3C Policy Language Interest Group is now ready to start discussions on policy related topics. Of course, if you are interested in this topic, feel free to join the public mailing list.

The PLING team contacts (Thomas and Rigo), Renato and I have received a few (off-line) emails asking for more information about PLING's next steps and discussion topics.

Given the PLING Charter, we suggest starting by discussing these two key topics:

1) Use-cases involving the usage of policies in various scenarios, pros and cons of adopted policy frameworks, pain points, issues and recommendations

2) Creating a list of known policy languages & frameworks that are currently used in industry, academia, etc. and/or are of relevance to the audience

Topic 1 aims at sharing practical experiences in using policies in a variety of contexts, along with any issue and requirements. The goal is to create awareness of important (and/or common) use-cases, limitations and needs.
Please notice this is NOT a discussion about specific policy language features.

Topic 2 aims at creating a list that "maps" the current "policy language" space, by clearly identifying policy languages and frameworks that the audience uses and/or believes are of some relevance.

Of course these two topics are not independent: discussions and contributions are really welcome on both themes.

The PLING team is also exploring the usage of a W3C Wiki site to record various discussions and contributions. More information on this aspect will follow.

We would also like to encourage the members of this mailing list to publicly introduce themselves by sharing their affiliation, interests, what they would like to get from this IG and/or how they would like to contribute (thanks to the ones that have already done it!).


Wednesday, December 5, 2007

ENISA Position Paper – Reputation-based System: a Security Analysis

A new Position Paper has been released by ENISA, titled “Reputation-based System: a Security Analysis”:
“This paper aims to provide a useful introduction to security issues affecting Reputation-based Systems by identifying a number of possible threats and attacks, highlighting the security requirements that should be fulfilled by these systems and providing recommendations for action and best practices to reduce the security risks to users. … This paper is aimed at providers, designers, research and standardisation communities, government policy-makers and businesses.”

It provides an introduction to reputation-based systems and significant use-cases. It then analyses related key threats and security requirements. Finally it provides recommendations and concluding remarks.

The Identity Management Community might be interested in this paper given the role that identity management and privacy have in reputation-based systems and the fact that these systems are affected by and affect identities.


Monday, December 3, 2007

UK Personal Data for Sale on the Internet …

A recent article by “The Times” (authors: Alexi Mostrous and Dominic Kennedy), called “Websites Sell Secret Bank Data and PINs”, reveals how journalists easily managed to get identity information about UK citizens, on the Internet, for free, offered as “tasters”:

“Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog.
Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow.
Richard Thomas, the Information Commissioner, will begin an investigation into the security breach today and Scotland Yard is also investigating. Experts said that the findings suggested that more personal data than ever before was going astray. The Times found: More than 100 websites trafficking British bank details; A fraudster offering to sell 30,000 British credit card numbers for less than £1 each; A British “e-passport” for sale, although the Government insists that they are unhackable. …”


Friday, November 30, 2007

A “Living List of Identity Management Forums”

I have found this interesting “Living List of Identity Management Forums” on the web.

Despite being incomplete, it provides a pretty good overview of (most of) the public initiatives in the space of Identity Management.

An opportunity for the Identity Management Community to get references and create awareness about the missing ones …


Wednesday, November 28, 2007

US Federal Trade Commission: about 8 million US people estimated to be victims of Identity Theft …

A recent report published by the US Federal Trade Commission, called “Federal Trade Commission – 2006 Identity Theft Survey Report” (the report is available online, here), provides an analysis and estimate of the identity thefts that happened in the US in 2005.

Based on this report, “A total of 3.7 percent of survey participants indicated that they had discovered they were victims of ID theft in 2005. This result suggests that approximately 8.3 million U.S. adults discovered that they were victims of some form of ID theft in 2005”.

Identity thefts have been classified in the following categories:

  • New Accounts & Other Frauds
  • Misuse of Existing Non-Credit Card Accounts or Account Number
  • Misuse of Existing Credit Card or Credit Card Number

This report estimates that “The median value of goods and services obtained by the identity thieves for all categories of ID theft was $500. Ten percent of victims reported that the thief obtained $6,000 or more, while 5 percent reported that the thief obtained at least $13,000 in goods and services.

In more than 50 percent of ID thefts, victims incurred no out-of-pocket expenses. (Out-of-pocket expenses include any lost wages, legal fees, any payment of fraudulent debts, and miscellaneous expenses such as notarization, copying, and postage.) In the New Accounts & Other Frauds category, the median value of out-of-pocket expenses was $40”.

This report also compares these recent findings against findings of a similar investigation carried out in 2003: “The 2003 survey found that 4.6% of the survey population had experienced ID theft during the one year period before the survey was conducted. The 2006 survey found that 3.7% of the survey population had experienced ID theft during 2005. The difference between the rates is not statistically significant. Given the sample sizes and the variances within the samples, one cannot conclude that the apparent difference between the two figures is the result of a real decrease in ID theft rather than a result of random variation.”


Monday, November 26, 2007

On Policies and Policy Management: Present and Future …

I have recently given a presentation on the topic of Policies and Policy Management. My presentation is available online, here.

This topic is extremely complex, considering the variety of aspects to be taken into account. This presentation reflects my (high-level) view about the current status and some of the potential future research areas.

In the introduction part I tried to describe the concepts of policy and policy management from a wide perspective, highlighting some of the open issues and the complexity involved. I’ve also described some of the current HPL R&D work in the space of policy management applied to identity and privacy management.

I have then highlighted a few future R&D activities in this space that might be worth exploring. They include:
  • Policy Refinement Process
  • “Federated Policy Management” in Organisations
  • Management of “Sticky Policies” in Information Flow
  • Content-aware Access Control in Collaborative (Enterprise Web 2.0) Environments driven by Policies
  • Overall Policy Lifecycle Management

Last but not least, I described again the opportunity of getting involved in the newly created W3C Policy Languages Interest Group and contributing to it.

Your comments and input are welcome.



Friday, November 23, 2007

Conference Event: Ethics, Technology and Identity

I’d like to create awareness about the “Ethics, Technologies and Identity” conference (June 18-20, 2008 - The Hague, the Netherlands):

“Information technology plays an increasingly important role in society and in human lives. Identity Management Technologies (e.g. biometrics, profiling, surveillance), in combination with a variety of identification procedures and personalized services are ubiquitous and pervasive. This calls for careful consideration and design of collecting, mining, storing and use of personal information. This conference aims to discuss the theme of ‘identity’ in light of new (information) technology. Key-note speakers are David Velleman, Oscar Gandy, Robin Dellon and David Shoemaker.”

The deadline to submit abstracts is 07 December 2007. The full call for papers is available here.


Wednesday, November 21, 2007

UK: Personal data of 25 million people have gone missing by Postal Service

A recent BBC article (called “UK’s families put on fraud alert”) provides more details about a recent incident in the UK, where two CDs containing the personal details of all families in the UK with a child under 16 have gone missing:

“The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.

Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts "for unusual activity". The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing.

Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO."”

It looks like good practices and processes were in place but nevertheless the system failed. I see the limitations of any privacy enforcement system, in this context.

I wonder if a “Risk-Driven Decision Support System” would have been of some use in this context, to discourage this action (given the existing policies and the potential involved risks) and suggest more compliant ways to proceed …


Monday, November 19, 2007

What is your “Identity Footprint” on the Web?

Very few people actually know what their “Identity Footprint” is (e.g. various pieces of information and details related to them, given away on the web …), especially if they have been exposed for a while to the Internet, have accessed and interacted with various social network services or simply have been involved in web service interactions.

What are going to be the risks induced by these “Identity Footprints”? Could “personal profiles” be inferred from this information to the point of becoming a threat, e.g. enabling identity thefts and frauds, or simply having a future impact on people’s reputation, etc.?

I believe that understanding and managing this kind of risk is going to become a priority in the not-so-distant future … Its implications are already becoming obvious today, as it is possible to gather a reasonable amount of “personal” information on individuals by searching in various sites (e.g. Google, FaceBook, Linkedin, Del.icio.us, Technorati, etc.).

I see an opportunity for researching and developing new identity management services in this space to help people assess risks and potentially mitigate them (for example, the “Personal Guardian Angel” service, that I described in a previous post, “2012: A Day in the Life of John Webber”).


Friday, November 16, 2007

Technologies and Solutions to Help Fight Identity Thefts …

A recent article by Brad Stone, titled “In ID Theft, some victims see opportunities”, provides an interesting overview of some emerging technologies and solutions that can help people to be more aware of identity thefts and potentially fight them.

Some emerging companies have interesting ideas and proposals in this space. Have a look …


Wednesday, November 14, 2007

Event - Privacy Enhancing Technology: How to Create a Trusted Information Society …

A Conference/Forum is going to be held in London, UK, on 21 November, focusing on “Privacy enhancing technologies: How to create a trusted information society”:

“Organised by three of the UK’s Knowledge Transfer Networks (KTN), and supported by the European Commission, A Fine Balance 2007 is an independent forum for discussing privacy in relation to the development of new technology. Building on last year’s event of the same name, this year’s conference discusses the development and integration of technologies which can build privacy into new devices and services at the design stage.
Privacy Enhancing Technologies (PETs) will encourage industry to recognise that valuable emerging technologies can be designed with privacy and data security in-mind from the outset. On May 2nd, the European Commission adopted a Communication "Promoting Data Protection by Privacy enhancing Technologies (PETs)" in which it calls for stepping up research in and development of PETs. In this context, the outcomes of this event will be taken under consideration by the European Commission in its formulation of upcoming work programmes for funding calls in this area of the FP7 - ICT programme and will influence the direction of future research in the fields of privacy and technology.”

Apparently part of this forum/conference can also be followed in a “Web 2.0 workshop” on Second Life.

More information about EU initiatives on PET can be found here. The PRIME Project is mentioned as one of them …


Monday, November 12, 2007

What’s the Future of Enterprise Identity Management? Risk Management …

I believe that Risk Management is going to have a deep impact on Enterprise Identity Management.

On one hand “Traditional” Enterprise Identity Management solutions (e.g. provisioning solutions, AAA, storage solutions, etc.) are under consolidation.

On the other hand, there is an increased urge to assess and (automatically) deal with risks and vulnerabilities affecting enterprise “assets”, driven by business and security perspectives. In this context, it is going to be important to accurately assess risks, vulnerabilities and threats for identity (and privacy) management practices, processes, solutions and related assets.

Of course, a few “Identity Risk Management” solutions are already available on the market and there is a consolidation process in the consulting space. However, the big challenge is yet to come, in a few years, because of the increased adoption of open “web 2.0” solutions by enterprises, the blurring of enterprise boundaries and a workforce that is more and more “accustomed” to using “social networking solutions” in their private and professional activities (and consequently exposing enterprise information and assets to the external world).

It will be very important to be able to assess and mitigate risks about “confidential information” that has been directly or indirectly exposed to the web in terms of enterprise systems, plans, projects or activities and whose discovery and correlation (by third parties) can provide relevant insights and intelligence about enterprise “high-value” strategies and practices.

Ultimately “risk analysis” solutions will be used to assess threats concerning the overall “identity” of an enterprise in addition to the ones related to its assets …


Friday, November 9, 2007

Identity Management @ HP Labs: Challenges and Opportunities

I have recently given a few public presentations about HPL R&D activities on Identity Management. I would like to share a presentation (.ppt), called “Identity Management @ HP Labs: Challenges and Opportunities” where I discuss:

  • Challenges and Opportunities (in the next 5 years) in the Identity Management space
  • A few HPL research activities in the space of Identity Management. This includes work done on “Enterprise Privacy Management for Identity Management” and “Device-based Identity Management in Enterprises”
  • A few Identity Management initiatives HPL have been involved in. This includes the “Identity Capable Platforms (ICP)” initiative and the “Identity Governance Framework” initiative.

My presentation is available online and can be downloaded here.


Wednesday, November 7, 2007

Health Information Exchanges and Privacy Concerns

A recent article, by Diana Manos, called “Privacy Concerns Remain Barrier to Health Information Exchanges (HIE)”, provides an overview of a report released by the American Health Information Management Association (AHIMA) and the Office of the National Coordinator (ONC) for Health Information Technology:

“A new report on health information exchange says state public-private health information exchange organizations are making progress in some areas, but the question of privacy remains a hurdle. … ONC chief Robert Kolodner, MD, said one barrier to HIE growth is the lack of trust across all stakeholders. Governance must include all stakeholders or “solutions are sub-optimized,” he said. Now is “a pivotal time” for building sustainable health information exchange, he added.”

This report, titled “State-Level Health Information Exchange: Roles in Ensuring Governance and Advancing Interoperability” is available online and can be downloaded here:

“It outlines a potential framework for organizing HIE functions and formalizing organizational and sector roles and responsibilities. It synthesizes field research and provides recommendations to be considered for strengthening and expanding HIE capacity, capitalizing on the important contributions of state-level HIE initiatives.”


Tuesday, November 6, 2007

ACM DIM 2007 Workshop: more on Identity Assurance

ACM Digital Identity Management (DIM) 2007 Workshop (2 November 2007) presentations are going to be available online, here. A few of them can already be downloaded.

Presentations have been given in sessions covering the following topics:
  • Usability and Authentication
  • Identity Assurance and Linkability
  • Network-based Approach
  • Reputation and Trust
  • (Discussion) What are Usability issues for Identity Management?

HP Labs had a paper accepted, called “On Identity Assurance in the Presence of Federated Identity Management Systems” (authors: Adrian Baldwin, Yolanta Beres, Marco Casassa Mont, Simon Shiu). It was presented by Yolanta Beres.

Our main goal was to raise awareness about the importance of assurance in the context of identity management, in particular for federated identity management. A related HP Labs Technical Report on this topic is available here.


Monday, November 5, 2007

ENISA Event – “Information Risk Management: Why Businesses need it?”

ENISA (in collaboration with INTECO) is organising an event on Information Risk Management, on 8-9 November, 2007 – Barcelona, Spain:

“On this event, the experience drawn from the implementation of the Risk Management process in various European countries will be presented. To this end, representatives from several countries from the EU will present their views on the matter and will report on their experience in this area. This unique event will shed light on how to make SMEs safer and less liable to technological incidents.”

Specifically, this event is going to cover “Information Risk Management” cases from the following EU countries: Spain, Germany, UK, France and Austria. The full program is available here.


Sunday, November 4, 2007

HP’s Security Handbook

HP’s Security Handbook (2006 edition) is available online:

“The HP Security handbook provides a view into all the different threads of security that HP works in. Much of the content is focused on the three pillars of our security strategy: Identity Management, Proactive Security Management and Trusted Infrastructures. The handbook also describes how Governance issues fit into our security strategy and provides an insight into the security research work done by HP Labs.”

In particular, the Identity Management community might be interested in having a look at the section on Identity Management.


Thursday, November 1, 2007

The Basics of Identity Management?

John Dunn (Techworld) has recently written an interesting article called “The Basics of Identity Management”.

This article actually focuses on “Federated Identity Management (FIM)”. It analyses aspects of FIM and provides the author’s view about what FIM can offer to IT planners. A key point is made by the author:

“To succeed, FIM has to undo half a century of IT, based on the idea that IT is constructed around the logical arrangement and securing of systems into which users are placed. FIM, by contrast, has the potential to be radically user-centric, making users the centrepiece of an IT system, around which systems are built as digital supports. A systems mentality looks on users as existing on a hierarchy of privilege, with higher rungs gaining more authorisation and power, but within defined geographical and logical limits. A FIM way of looking at users is to see these systems from their point of view. That information, or the ability to transact, resides on the network of another company matters not if that is essential to the business objective. It should be accessible.

For the time-being, FIM will most likely be restricted to specific projects – getting two partners working together - with defined goals and timescales. Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not as islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.”


Monday, October 29, 2007

New ENISA Position Paper: Security Issues and Recommendations for Online Social Networks

ENISA has recently released a position paper, called “Security Issues and Recommendations for Online Social Networks” (available online, here) – Editor: Giles Hogben (ENISA):

“This paper aims to provide a useful introduction to security issues in the area of Social Networking, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users.”

Specifically, it focuses on the following threats and recommendations:

  • Principal Threats: privacy related threats, information security threats, identity related threats and social threats;
  • Recommendations and Countermeasures: government policy recommendations, provider and corporate policy recommendations, technical recommendations, research and standardisation recommendations.

    “This paper is aimed at corporate and political decision-makers as well as Social Network application-providers. It also seeks to raise awareness among political and corporate decision-makers of the legal and social implications of new developments in Social Networking technologies. In particular, the findings should have important implications for education and data protection policy.”


Thursday, October 25, 2007

2012: A Day in the Life of John Webber

How will digital personae, identity management and web 2.0 impact, influence and reshape people’s lives and organisations during the next 5 years? What is going to be “hot” in 2012?

Difficult questions … A few colleagues of mine and I tried to explore future scenarios and opportunities in the space of digital identity and identity management. We wrote a story, “2012: A Day in the Life of John Webber”. We would like to share it with this community, to open a debate and exchange opinions. Enjoy it …

--- 2012: A Day in the Life of John Webber ---

“John Webber is a young, ambitious professional. He has a very intense life with interests spanning work, social and political aspects, many friends spread all over the world and a girlfriend. He is accustomed to using new technologies and web 3.0 services: he sees them as a way to simplify his life and enable the broad, rich set of personal and digital interactions that he requires on a daily basis in his life.

John works for a multinational enterprise. He uses his mobile appliances (laptop, office PC, smartphone, etc.) in an interchangeable way, to interact with colleagues, send/receive multimedia e-mails and edit reports and critical information for his company. On a daily basis he accesses state-of-the-art enterprise services, to collaborate with project colleagues all over the world. This is a simple and gratifying experience thanks to the latest generation, enterprise web 3.0 collaborative, integrated services – where multimedia information is easily collected, stored and indexed for future usage, as well as securely and privately protected, based on the “value” of the content.

John gets access to all these services with his “personae-selector” (virtual) device, installed on his Smartphone. Recognizing John using multiple biometric sensors, the device suggests a persona relevant to the current context or allows John to override the automatic selection. This (virtual) device securely interacts with John’s other devices and authorised enterprise devices (including that new, secure Printer, and associated Print 3.0 services, recently deployed in John’s office).

John is aware that to be successful in his job, he needs to have constant interactions with other professionals and experts around the world: he wants to exchange opinions and have an early understanding of new trends and exciting initiatives. This is now a recognised need and common practice within modern enterprises.

John runs a few interactive, multimedia external blogs to expose his views, start discussions and get feedback. He is aware of confidentiality aspects that might arise from his interactions with external people: he uses ad-hoc personae to interact with these services, by exposing a profile and information compatible with his company’s business policies and his privacy preferences. An online, trusted “personal guardian angel” service, accessible via his “personae-selector” (virtual) device, helps him to handle these different personae and to get reminders about the context he is interacting with.

The multinational he works for is aware that people and information are the most valuable assets these days. On one hand it recognises the need to enable collaborative interactions of its employees with the external world. On the other hand it is aware of potential risks and threats for its own security and businesses.
Thanks to the new generation of “Identity Risk Management and Assessment” services jointly run by the CIO/CPO Offices, enterprise officers periodically scan various sources on the web (including social networks, blogs, etc.) against any improper leak of confidential data or information that could harm enterprise business and employees. This service provides reports on critical issues and confidential and personalised suggestions (on how to mitigate risks) to employees, in case of any problem.

Today, John works from home. It is his girlfriend Alice’s birthday. This is a special occasion he wants to properly celebrate. By using his home laptop he accesses his preferred “federated service provider community” and in a few minutes makes all the required arrangements to celebrate this event: buying Alice’s preferred flowers at “Flowers’R Us”, arranging for an exclusive dinner at the “Genuine Italian Food Restaurant” and buying that jewellery ring that Alice desired so much.
From his laptop John securely links to his “personae-selector” (virtual) device to authenticate and access these various service providers in a transparent way – thanks to their integrated single-sign-on capabilities (via interoperable Liberty Alliance 3.0, OpenId 3.0 and CardSpace 3.0 protocols). In 5 minutes, he buys flowers (to be delivered at the restaurant), arranges for a table at the restaurant and buys the present for Alice. His interactions with these service providers are smooth and simple, as they are mediated by a “joint-collaboration” between his “personae-selector” device and the “personal guardian angel” service, which ensures that a “personae-handover” process happens across various service providers (i.e. different personae are automatically used in different contexts) and the right credentials (including credit card details) and contextual data are exposed based on John’s privacy preferences and interaction policies.

The service providers involved above use the latest, state-of-the-art “Personae-aware” Identity and Privacy Management Services to seamlessly engage in federated contexts and properly handle and process personal information disclosed by John. They ensure his privacy preferences are enforced along with current world-wide (privacy and data protection) legislation. They also use a new generation of “Risk Management and Assessment” services to check their own compliance with business objectives and legislation and automatically report any violation (and start remediation steps). Consistently with this, they offer John a tailored (persona-aware) service experience, in suggesting a customised but not invasive interaction.

It is still early for John to meet with Alice. A good opportunity for John to socialise with his friends spread all over the world and engage in these social networks he likes so much. John connects to a few of them by using appropriate personae (thanks to the help of his “personae-selector” device) and starts posting and chatting.

John is aware that he is using multiple personae and of the implications and possible risks that exposing information on the web could have, such as correlation, deductions and misuse of this information to commit crimes. His trusted “personal guardian angel” service helps him to keep track of his personae, automatically updating changes and providing additional, useful services. John chooses to have all his interactions on the internet monitored by his trusted “personal guardian angel” service: he configures it to monitor his social network interactions and warn him of any danger, in particular related to disclosure of personal details and information. This has been a wise choice: the interactions with a new guy - Charles, a friend of his friend Bob - are strange. His questions and request for work information are going in a direction that could be dangerous. The “personal guardian angel” service warns John of the risks of disclosing some information and the implications this could have for his work and social life. John decides that it is best to drop the call …

Reminded of these potential dangers, John, whilst he is dressing up to go out with Alice, starts a “Personae-Risk Scan” check via his “personal guardian angel” service. This checks for any information directly/indirectly exposed on the web or via his various social network links (Facebook 3.0, MySpace 3.0, LinkedIn 3.0, YouTube 3.0, Second and Third Life 3.0, etc.) and service accounts. It compares retrieved information against perceived threats and risks and provides a meaningful, user friendly report along with suggestions on how to mitigate problems. This time John is lucky: nothing to worry about.

Alice is going to be a little bit late. Why not do a back-up of John’s “personae-selector” (virtual) device – as prompted by the device itself? After all it is a “virtual” device: a few seconds and its entire content is securely copied and protected in his new Smartphone along with an image of its personae and preferences.

This was a good move: at the restaurant, perhaps distracted by the good Italian food, a thief steals his current Smartphone with his “personae-selector” (virtual) device. No problem: just the hassle of reporting this (online) to the police. He can carry on celebrating with Alice.

The thief didn’t realise he had no way to access the content and use the device, thanks to its biometric-based protection and encrypted content. It is a “useless tool” to be thrown away at the first opportunity. So he does.
This is good for John: the discarded device is quickly located via GPS and the collaboration with his “personal guardian angel” service. The device is back home the next day.”


Tuesday, October 23, 2007

Part II: CIMIP to Release Landmark Study on Identity Theft

As anticipated in my previous post, “CIMIP to Release Landmark Study on Identity Theft”, the CIMIP report, called “Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement”, has been released. It can be downloaded, for free, here.

The executive summary of this report mentions that: “The purpose of this study was to provide empirical evidence on which law enforcement can base enhanced proactive identity theft control and prevention efforts. It focuses on identity theft offenders, which sets it apart from previous surveys and other research which have centered on identity theft victims. As a result of the study of closed United States Secret Service cases with an identity theft component (2000-2006), empirical data concerning the key factors relevant to the criminal behavior of identity thieves and the conditions under which that behavior occurs are available to law enforcement agencies and corporate security and fraud investigators for the first time.”

This report covers various topics, including: Goals and Values of the Study, The Empirical Approach, Findings, The Offenders, The Commission of the Crime, Victimization, Recommendations and Conclusions. It is worth reading: it provides an interesting perspective and analysis on identity theft based on factual information.


Sunday, October 21, 2007

CIMIP to Release Landmark Study on Identity Theft

This could be of interest to the Identity Management Community. A recent article written by Amanda Damiano (“CMIP to Release Landmark Study”) reveals that:

“On Monday (Oct. 22), Utica College’s Center for Identity Management and Information Protection (CIMIP) will release the results of a landmark study of closed U.S. Secret Service cases involving identity theft. The study, which will reveal new findings about identity theft perpetrators, victims, and methods, marks the first time the U.S. Secret Service has allowed review of its closed case files on identity theft and fraud. The research will be of particular value to government, law enforcement and corporate entities whose mission is to prevent, detect, investigate or prosecute identity theft crimes, said Gary R. Gordon, executive director of CIMIP and professor of economic crime at Utica College. Information on insider threats, points of compromise, and vulnerabilities will be of specific interest to chief security and chief information officers across many industries, including financial services and retail corporations, Gordon said.”

These results will be released at the 18th annual ECI (Economic Crime Institute) Conference (October 21-23), which this year focuses on the topic: “Identity Management and Information Protection: Research and Action”.


Friday, October 19, 2007

On the Joy of Having Multiple (Digital) Personae …

Having multiple “digital personae” (i.e. identity profiles that provide a different “view” about an individual, depending on the context, service, location, etc.) is undoubtedly useful. Different concerns, roles, interests and priorities can be conveyed in this way and your interactions on the web can be simplified (and in some way “compartmentalised”).

But what about its potential risks? What about the potential correlations that can happen by linking together and analysing your personae (for example the ones you use at work, in social networks - Facebook, LinkedIn, MySpace, in your service accounts, on your blog postings (…), etc.)? What would be the future consequences?

Having a sort of Personal “Identity Leak” Service providing an overview of your “current situations” and warning you about potential threats and risks would not be bad …


Wednesday, October 17, 2007

Making a case for the “Identity Leak” Service …

A recent article by Tom Bowers, called “Smart security testing on the cheap”, makes a few good points:

“Most executives in a company are focused on building on the company's strengths. The chief information security officer, however, must look through a different lens. The job of the security chief is to measure the risks to the business, and then to work to reduce them. That means focusing on weaknesses, namely on weaknesses in the company's networks, systems, and business processes. It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly. …”

Now, have a look at the mentioned “Google Hacking Database”. The key point that Tom makes here is that similar techniques could be used to “find privacy data of your employees that may have leaked to the Internet from your network”. This is actually important.

Given an enterprise, which confidential information has been disclosed/leaked (and for which reasons) on the web? Which (personal/business) information about people (in their roles as employees and private people) has been disclosed that could be used for cross-correlations and inferences about enterprises’ businesses or individuals?

In the context of current discussions about “Identity Providers”, it might also make sense to think about “Identity Leak” Services (or if you prefer, more in general, “Information Leak” Services) … providing (on payment?) consolidated information about leaked data (for a user, an organisation, in a specific area/context) AND potential predictions about risks and threats for the involved entities.

Something to think about …


Monday, October 15, 2007

On the “Identity Oracle” and Improper Disclosures

I have been following with great interest the thread of discussions about the business concept of “Identity Oracle” and related posts by Bob Blakley, Kim Cameron (here and here), Jeff Bohren and Phil Hunt.

I wondered for a while about business models and business scenarios for “Identity Providers” (e.g. see here and here): the idea of the Identity Oracle can have some good, interesting potential.

However, there is one thing, about the Identity Oracle, that is puzzling me, based on what Bob Blakley wrote in his post:

“… The Identity Oracle charges GiCorp and other relying-party customers money for its services. The asset on the basis of which the Identity Oracle is able to charge money is its database of personal information. Because personal information is its only business asset, the Identity Oracle guards personal information very carefully.
Because disclosing personal information to relying-party customers like GiCorp would be giving away its only asset for free, it strongly resists disclosing personal information to its relying-party customers. In the rare cases in which relying parties need to receive actual personal data (not just metadata) to do their jobs, the Identity Oracle requires its relying-party customers to sign a legally binding contract stating what they are and are not allowed to do with the information. This contract contains indemnity clauses – if GiCorp signs the contract and then misuses or improperly discloses the personal information it receives from the Identity Oracle about Bob, the contract requires GiCorp to pay a large amount of cash money to the Identity Oracle, which then turns around and reimburses Bob for his loss. …”

How are (in practice) improper disclosures of personal data going to be detected? And what would be (in practice) an “improper disclosure”? Some misuse of credit card details? Spamming emails?

I guess that to be a viable business, the Identity Oracle needs to have relationships with many Relying Parties – which themselves might have relationships with other parties. How to track the source of improper leakages/data misuses? Wouldn’t the cost of “forensic analysis” be potentially very high for the Identity Oracle (which, I assume, must make the first steps in investigating the incident and in finding the source of improper disclosure)?

Wouldn’t this also be a potential source of fraud against the Identity Oracle, paradoxically generated by some of its own “customers”, trying to get money/compensations back by orchestrating “improper disclosures” and relying on the fact that it will be hard to pinpoint the culprit?

How would the legal framework help the Identity Oracle in these situations? I am afraid this might end up with very restrictive “terms & conditions” imposed by the Identity Oracle (to protect its own interests) that eventually won’t be of any benefit to honest users (the very large majority) in case of genuine identity misuses.

I would be very interested in getting opinions and views about the above aspects.


Call for Papers: IEEE Workshop Policy 2008 (2-4 June 2008, NY)

The call for papers for Policy 2008 is now available online:

“POLICY 2008 is the 9th in a series of successful workshops, which since 1999 have provided a forum for discussion and collaboration between researchers, developers, and users of policy-based systems. This year, in addition to the latest research results from the communities working in any area of policy-based management and computing, we encourage contributions on policy-based techniques in support of all types of wireless networks: cellular, Wi-Fi, Mobile Ad Hoc, hybrids, etc.
Policy 2008 aims to bring together researchers and practitioners working on policy-based systems across a wide range of application areas including networking, privacy and security management, storage area networking, enterprise systems, and the Web.”

Topics of interest are classified in the following categories:
  • Policy models and Languages
  • Policy Applications
  • Policies in Wireless Networks

Identity management, privacy and security are key topics of this workshop. Please consider submitting a paper.

More information about the call for papers, Organising Committee and Program Committee is available online.


Friday, October 12, 2007

The Open Group: Whitepaper on “Information Security Strategy” - Version 1.0

The Open Group has announced that their Information Security Strategy white paper is now published on The Open Group's online bookstore (a free PDF version is available on the Web). It is about a “Framework for Information-Centric Security Governance”:

“This White Paper proposes a new framework for ensuring enterprise-level information security that reflects current realities of enterprise, network, and information sharing and access. … It was developed by the Security Forum in collaboration with the Cyberspace Law Committee, Business Law Section, of the American Bar Association, who are also publishing it.”

This document is a high-level, strategic-oriented white paper but it should be of interest to the Identity Management community. After all, identity is a “special kind” of information …


Wednesday, October 10, 2007

Part III - PLING: the W3C Policy Languages Interest Group

I have been asked by a few people what a new group member should discuss once involved in the W3C Policy Languages Interest Group (PLING).

I am sure that the discussions of this interest group and priorities will evolve and adapt over time, also based on the interests of this group. Of course, Renato and I will provide some input and guidance.

For the time being, I would personally encourage a new group member to start by sharing his/her own perspective/experience on:
  • Which kind of policies (and languages) do you (or your organisation) use and for which purposes (e.g. security, access control, privacy, federated IdM, etc.)?
  • In which contexts, environments (e.g. network, system, application, service, business levels, etc.) are policies deployed and used?
  • Do you need to deal with a heterogeneous set of policies? Do you have interoperability problems? How do you currently keep them consistent and up-to-date?
  • Any relevant use cases and scenarios you would like to share with the group/community?
  • Which issues did you come across (if any) when handling policies?
  • What are the major pain points and limitations (if any) of current policy languages and related policy management systems?
  • Any policy requirement or need you would like to share with the group?


Tuesday, October 9, 2007

Part II - Announcing PLING: the W3C Policy Languages Interest Group

In a previous post, I announced the creation of the W3C Policy Languages Interest Group (PLING) and briefly discussed the scope and mission of this group.

As a first step, I would like to invite people, interested in discussions on policies, policy interoperability, use cases, issues and requirements, to subscribe to the PLING Mailing list and start sharing their experiences and views.

We are also considering organising a PLING panel at WWW 2008. Your input on topics of interest to be discussed in this panel (along with your priorities) is welcome.


Monday, October 8, 2007

Call for Papers: 23rd International Information Security Conference – SEC 2008

The Call for Papers for SEC 2008 (Milan, Italy – September 8-10, 2008) is now available online:

“The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of computer security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing argument for the practical significance of the results.”

In particular, topics of relevance include topics in the “Identity Management” area:
  • Access control
  • Electronic frauds
  • Anonymity
  • Accounting and Audit
  • Smartcards
  • Data and application security
  • Risk analysis and risk management
  • Data protection
  • Privacy-enhancing technology
  • Trust management
  • Trust models

Paper submissions are due by January 10, 2008. More details about Important Dates and Committees are also available online.


Thursday, October 4, 2007

Announcing PLING: the W3C Policy Languages Interest Group

I am proud to announce the creation of the W3C Policy Languages Interest Group (PLING). Renato Iannella (Research Scientist, NICTA, Australia) and I (Marco Casassa Mont, Senior Researcher, HP Labs, UK) are going to be the co-Chairs. Thomas Roessler and Rigo Wenning (W3C) are the initial Team Contacts:

“The Policy Languages Interest Group, part of the Privacy Activity, is a forum for W3C Members and non-Members to discuss interoperability questions that arise when different policy languages are used in integrated use cases, along with related requirements and needs”.

I would like to encourage people that have interests in the area of policy languages, interoperability, privacy, etc. to engage and share their experience, requirements, use cases and open issues. A PLING Mailing list is available.

The PLING Charter provides information about the PLING mission, scope, deliverables, participation, communication and obligations. The proceedings of this Interest Group (mailing list archives, minutes, etc.) are going to be publicly visible.

The mission of this interest group is the following:

“The Policy Languages Interest Group is a forum for W3C Members and the public to discuss interoperability issues - along with related requirements and needs - that arise when using a variety of policy languages where there is a need to compute results across these multiple languages. The Interest Group follows up on the October 2006 W3C Privacy Workshop, and addresses areas of work identified as a key common interest of participants. An important function of the Interest Group is information sharing within and between application communities. …”

The scope of PLING is:

“The Policy Languages Interest Group is designed as a forum to support researchers, developers, solution providers, and users of policy languages such as XACML (eXtensible Access Control Markup Language), the IETF's Common Policy framework and related work, and P3P (W3C's Platform for Privacy Preferences Project). It provides a forum to enable broader collaboration, through use of email discussion, scheduled IRC topic chats, Wikis, and Weblog tools.

The group will primarily focus on policy languages that are already specified and broadly address the privacy, access control, and obligation management areas; it is not expected to engage in the design of new policy or rule languages. The Interest Group will work towards identifying obstacles to a joint deployment of such languages, and suggest requirements and technological enablers that may help overcome such obstacles.”

More information will follow.


Wednesday, October 3, 2007

Part II: Privacy Management in Enterprises? It is a matter of Enforcement and Automation …

I find James McGovern’s feedback always useful and relevant to trigger further thoughts. This is particularly true for his last post (see the “Links for 2007-10-01” part), related to a recent post of mine (on “Privacy Management in Enterprises? It is a matter of Enforcement and Automation …”):

“I really hate posts such as these as they start with technology discussions and abstract notions such as policies while ignoring simple facts of business. Have you ever considered that some industries simply couldn't function if privacy were so pervasive? Consider what happens when you win the Lottery and decide to buy yourself and me a Porsche Boxster. If you spend cash, you will have your privacy violated by the Patriot to ensure that you aren't laundering money. If you pay by credit, folks will be able to see everyone else you have done business with in the past. Likewise, you will need insurance on your Porsche Boxster where they will also check with the Department of Motor Vehicles to tell how many accidents you have gotten into. They will also check into past claims you have filed even if it was with another insurance carrier. How about a conversation that talks about the business model of privacy first?”

Interesting view and position! I don’t think I ever said that privacy needs to be “pervasive” and/or should disrupt current businesses (we are talking about businesses that are compliant with laws and legislation as well as with legitimate users’ expectations and rights, aren’t we?).

My main message was simply that, to improve current privacy practices, there is a need for more enforcement and automation – as (1) human-based processes and “goodwill” are usually prone to mistakes and (2) an approach entirely based on “compliance checking and remediation” has its own limitations …

Privacy for the “sake of privacy” is indeed pointless unless it is considered in its overall context, of which the business is one (important) aspect. However, it must not be forgotten that the perception of “privacy” (and of what is important) is not the same everywhere: see the different mentalities, philosophies and approaches to privacy in the US and the EU!

I thought I had been clear on this point when I said in my previous post: “I argue that the decision on the “actual blend” of policy enforcement and auditing/compliance checking should be the outcome of a “risk analysis” process, which must take into account the specific enterprise context and the assets to be protected.”

Having said this, I disagree with the part of the comment that says “… start with technology discussions and abstract notions while ignoring simple facts of business”.

The requirement for more “privacy enforcement and automation” is not an invention of mine. It is the (consistent) outcome of various investigative projects, customers’ feedback and related survey reports – taking into account a variety of aspects and dimensions (including the business perspective).

See for example the EU PRIME project and its outcome, which has taken into account (during its entire duration – almost 4 years) input, requirements and needs coming from business, social, economic, legislative and “personal” sources. Similarly, a recent effort in the context of the Identity Governance Framework (in particular the MRD use case document) has highlighted the importance of enforcement and compliance: it was the outcome of collaborative work involving multiple business groups (including HP) and it has illustrated use cases and business scenarios.

James makes a good point when he says: “How about a conversation that talks about the business model of privacy first?”

James – any input or suggestion, based on your experience and/or needs of businesses and customers you have been interacting with?

What would be, in your view (or in your customers’ view), a suitable business model of privacy? Are there, in your view, any emerging patterns or approaches to be taken into account? Would there be “the business model of privacy” or many of them, depending on the context (e.g. geographical location, legislation, etc.) and the business/organisations? How can all requirements and needs be reconciled in this model?


Tuesday, October 2, 2007

Introducing a “Privacy Week” in Enterprises?

Marc Groman, Chief Privacy Officer for the (US) Federal Trade Commission, makes the case for having Privacy Weeks (see this article):

“Annual computer security and privacy awareness training for all employees is a good start, but it is just the beginning. Planning an agencywide “privacy week” or similar event is an excellent way to put privacy center stage and demonstrate your agency’s commitment to building a culture of privacy and security. The theme for the Federal Trade Commission’s privacy week held this past March was “Info — Handle With Care.” Your privacy week can include events such as educational seminars on compliance issues, training sessions on technology resources that protect sensitive information, or an all-day privacy fair. Thought-provoking or “catchy” posters in high-traffic areas, brochures and contests and prizes help to generate enthusiasm for the week’s activities and to communicate the message. Finally, to reinforce your agency’s commitment — in terms of resource investment and leadership buy-in — have your agency head host an event or deliver a speech explaining why privacy and security are important. …”

This is an interesting idea and a good initiative that could potentially also apply (in general) to enterprises and other organisations: educating employees and creating awareness of risks, threats and requirements in terms of security and privacy is a good way to improve privacy practices.

However, as I argued in a previous post, I believe this should be coupled with a more proactive approach (within organisations) to privacy policy enforcement and automation: “human-based” processes are indeed prone to mistakes and interpretations (and education …).


Monday, October 1, 2007

Lots of Warnings about “Enterprise Web 2.0” Risks – What about Identity 2.0?

A recent article by Robert Mullins, called “Enterprises warned to approach Web 2.0 with caution”, says:

“Danny Allan of IBM had just finished his primer on potential security risks of Web 2.0 applications when enterprise software developers filing out were overheard telling each other, “That was scary!” and “Now I’m depressed.” Allan says he didn’t mean to scare, but to educate. “The lesson is not to run away but to prepare,” said Allan, director of security research at Watchfire, an IBM-owned security firm”

This is also consistent with what HP SPIDynamics said some time ago, in particular about security risks and issues with Enterprise Web 2.0 (see here and here).

In a previous post of mine, called “Web 2.0/Ajax “Submission Throttling” and Privacy Concerns”, I also highlighted a (simple) example of a potential Web 2.0 privacy threat (ok, this was primarily from a B2C perspective, but this could also apply to enterprise and federated IdM contexts …). I am sure this is just the tip of the iceberg …

I would be interested in knowing what the outcome of a similar risk/security/threat analysis/assessment would *specifically* be for “Identity 2.0”-based solutions (including Liberty Alliance, of course …) – in B2C, Enterprise and federated IdM contexts.

I believe there will be interesting findings, from a privacy and data security perspective, in particular when dealing with personal and confidential information.


Saturday, September 29, 2007

Privacy Management in Enterprises? It is a matter of Enforcement and Automation …

Privacy policy enforcement and automation are, in my view, two key aspects necessary to improve enterprise privacy management practices.

Privacy auditing and compliance checking are reactive approaches: definitely important, but of little help once violations have occurred and the “privacy” of people has been compromised (e.g. their personal data has been misused, identity theft, etc.). More effort is required to enforce privacy policies, in particular by introducing more automation (and integration with current enterprise identity management solutions …).

At HP Labs we have been researching for years in this direction. Some relevant projects have focused on:

In the context of the PRIME project, various Privacy Enhancing Approaches and Technologies have also been researched and developed.

More recently, the Identity Governance Framework (IGF) effort has introduced use cases, approaches and criteria to deal with data governance and enforce privacy both in enterprises and federated identity management contexts.

I argue that the decision on the “actual blend” of policy enforcement and auditing/compliance checking should be the outcome of a “risk analysis” process, which must take into account the specific enterprise context and the assets to be protected.


Thursday, September 27, 2007

Research Report: Lack of Strong Identity and Access Management in UK Businesses …

A recent article by Miya Knights, called “Strong ID and Access Management eludes UK Business”, provides an overview of the findings of a recent research report by Insight Consulting on UK business attitudes towards identity and access management. Here are a few key points highlighted in this article:

“New research into attitudes towards identity and access management has found very few are taking effective steps to address potential security lapses.

Although most UK businesses realise the increased threat from inadequate security systems and policies the research, produced for Siemens-owned Insight Consulting, found 71 per cent of companies still rely solely on username and password authentication, which has been criticised for its effectiveness in protecting against malicious attacks. A further 62 per cent of the 259 IT services and management professionals surveyed admitted that their organisation had no information security management system in place, or at least they didn't know if it did.

And more than 90 per cent do not have a fully automated solution capable of producing audit reports detailing network, application and data access, despite the fact that 51 per cent of businesses surveyed now have to deal with increasing partner, supplier and customer system access.

In addition, only 50 per cent of respondents were confident that network access rights of staff members who leave a company are removed or deactivated when they leave - the other half leave outdated user accesses active and open to malicious misuse as well.

Only 22 per cent of businesses have an enterprise single sign-on identity and access management system in place, which Insight said delivers the fastest return on investment.”


Wednesday, September 26, 2007

On Security Experts pitching “Culture of Data” …

I’ve found this article by Matt Hines, called “Security experts pitch culture of data”, quite interesting:

“The companies that are having the most success in advancing their data security efforts today are those that are finding a way to protect sensitive information without getting in the way of business users, industry experts maintain.

In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, those businesses that can foster both ready access to information, along with strong defenses for end-users and IT systems, are making progress the fastest, claim leading vendors and service providers.

After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information. …”

It would also be interesting to get some concrete examples, e.g. of how this could be achieved for identity data, where related policies dictate goals and expectations from (sometimes contradictory) business, security and privacy perspectives.


Tuesday, September 25, 2007

Identity Usage Analytics: towards “IdentityBurner”?


As a blogger, I have found the services provided by feedburner very useful: in particular I like the service providing analytics about the usage of my blog, number and provenance (…) of visitors, accessed posts, etc. This helps to better understand from which geographic areas there is an interest in my posts, which topics are perceived as more relevant, etc. (ok, somebody might think about this as a privacy threat. We could have an interesting debate …).

I was thinking about the implications and impact of having a similar service in the context of “Identity Management”, where, by analogy, instead of monitoring blogs and posts, end-users would be enabled to monitor (potentially in a fine-grained way) their identity information and profiles scattered around an organisation …

I think this would give users “more control” over their personal data, by helping them to better understand the status of their data, who has been accessing/using it, indications of any violations (against agreed purposes/consent), etc. – via a visual and easy-to-understand GUI. This feature could be provided in addition to the usual self-registration and account management capabilities, by Service Providers and/or by Identity Providers (in case of federated IdM) …

Anyway, I believe a key issue would be around “trust”. Should a user trust the information provided by such a service? What assurance should be given to the user about the integrity and accuracy of these metrics and displayed information? Who should run this service?

Another key issue is the impact (cost) for the enterprise/service provider (if done seriously) because of the need to track, monitor, collect and process “events” associated with large sets of data, within their IT stack. So, after all, would there be anyone willing to deploy and run this kind of service – in the context of Identity Management?
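
The per-user usage view and the integrity question raised above can be sketched as follows. This is an added example, not code from this post or from any existing service; the event fields, the consent table and the hash-chained log are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample data (not from the post): the purposes each user has
# consented to, per identity attribute.
CONSENT = {
    "alice": {"email": {"billing", "support"}, "address": {"shipping"}},
    "bob": {"email": {"billing"}},
}

# Constructed access events, as an enterprise IT stack might emit them.
EVENTS = [
    {"ts": "2007-09-20T09:00:00Z", "subject": "alice", "attribute": "email",
     "accessor": "billing-app", "purpose": "billing"},
    {"ts": "2007-09-20T09:05:00Z", "subject": "alice", "attribute": "email",
     "accessor": "crm", "purpose": "marketing"},
    {"ts": "2007-09-21T14:30:00Z", "subject": "bob", "attribute": "email",
     "accessor": "billing-app", "purpose": "billing"},
    {"ts": "2007-09-22T08:15:00Z", "subject": "alice", "attribute": "address",
     "accessor": "logistics", "purpose": "shipping"},
    {"ts": "2007-09-23T11:45:00Z", "subject": "alice", "attribute": "phone",
     "accessor": "crm", "purpose": "support"},
]

GENESIS = "0" * 64  # fixed starting value for the hash chain


def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_log(events):
    """Store events with a hash that also covers the previous record."""
    log, prev = [], GENESIS
    for event in events:
        prev = _digest(prev, event)
        log.append({"event": dict(event), "hash": prev})
    return log


def verify_chain(log):
    """Return the index of the first record that fails, or None if intact.

    A chain only detects edits relative to its latest hash; for that to mean
    anything to the user, that hash must be held by someone other than the
    log's operator (an assumption of this sketch).
    """
    prev = GENESIS
    for index, record in enumerate(log):
        if record["hash"] != _digest(prev, record["event"]):
            return index
        prev = record["hash"]
    return None


def usage_report(log, consent, subject):
    """Per-user view: who accessed which attribute, and for what purpose."""
    broken = verify_chain(log)
    if broken is not None:
        raise ValueError(f"log record {broken} failed its integrity check")
    allowed = consent.get(subject, {})
    accesses, violations = {}, []
    for record in log:
        event = record["event"]
        if event["subject"] != subject:
            continue
        accesses.setdefault(event["attribute"], []).append(
            (event["ts"], event["accessor"], event["purpose"]))
        # No consent entry for the attribute means no purpose is allowed.
        if event["purpose"] not in allowed.get(event["attribute"], set()):
            violations.append(event)
    return {"subject": subject, "accesses": accesses, "violations": violations}


if __name__ == "__main__":
    report = usage_report(build_log(EVENTS), CONSENT, "alice")
    for v in report["violations"]:
        print(v["ts"], v["accessor"], v["attribute"], v["purpose"])
```

The cost concern is visible even here: every access to every attribute has to be captured as an event before any report can be produced.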


Monday, September 24, 2007

Material Available on Identity Governance Framework (IGF)

As highlighted by Phil Hunt in a related post, material available on Identity Governance Framework (IGF) has been posted here. This includes overview material and previous documents such as:

I have contributed to the “Identity Privacy and Access Policy MRD” document and I believe IGF has key potential to help organisations deal with data/identity governance aspects.

What is your view on IGF? Any comment or feedback?


Sunday, September 23, 2007

ACM DIM 2007 – Workshop on Digital Identity Management

On November 2nd, 2007, George Mason University (Fairfax, VA) is going to host ACM DIM 2007 – a Workshop on Digital Identity Management, in the wider context of CCS 2007 (14th ACM Conference on Computer and Communications Security).

This year, DIM’s focus is on “Usability Issues for Identity Management”. Accepted papers cover the following topics:
  • Usability and Authentication
  • Identity Assurance and Linkability
  • Network based Approach to Identity Management
  • Reputation and Trust

A preliminary program is available here. Registration information is available here.


Saturday, September 22, 2007

Webcast (11 Oct 2007) - Federated Identity Management, Web Services and Health Information Exchange …

You might be interested in attending this online webcast by Ignacio Alamillo of CATCert (topic: “Federated Identity Management, Web Services, and Health Information Exchange: Technology, Policy, Case Study and Best Practices”) on October 11, 2007:

“The adoption of health information technology (HIT) with the development of decentralized, interoperable health information networks, is widely regarded as critical to enhancing the performance of our health care systems locally and globally. Health information exchange involving disparate networks enabling access to personal and public health information regardless of source or format will require scalable, affordable authentication and authorization individuals accessing these systems. Federated identity management provides real world solutions for real world identity management problems. This discussion will explore and describe the technology needed and policy considerations through the lens of a Case Study (Catalonia ePrescribing project) that delivers best practices guidance.”

Webcast registration information is available here.


Thursday, September 20, 2007

PRIME Project News

News from the General PRIME meeting:

“The PRIME project recently received more support and endorsement for its work to raise awareness and knowledge about Privacy-Enhancing Technologies for identity management to a wider audience that makes the decisions which will affect their take-up in real applications.

The main activities in PRIME are about advancing the state of the art in user-centric identity management, including in PETs themselves, but it also has an outreach and dissemination objective to ensure that its technology work is made known to all communities whose decisions will affect how these advances are made available for real use. As part of that objective, it has written two White Papers on its work, which are aimed at different audiences and will be soon made available on PRIME website http://www.prime-project.eu/ . The second of these is aimed at IT professionals.

A currently public version of the PRIME Whitepaper (v2) is available here.

PRIME is very keen to ensure that its work remains focused on topics that are relevant and on results that are deployable in real situations. To that end, it formed a project advisory board, named the Reference Group, that provides guidance on direction and priorities and reviews the project's output.

The Reference Group comprises more than a dozen professionals from various countries' data protection commissions and privacy specialists from industry, consumer groups and academia. They recently reviewed the second White Paper and were very positive about it and the role it could play in bringing about wide adoption of PETs. The project is now making plans for another White Paper, together with other educational materials, such as tutorials, that will be aimed at other communities.”


Tuesday, September 18, 2007

EU PRIME Project – Look Forward to Hearing from You!

I am currently attending a General Meeting (one of the last – the project is meant to finish by the beginning of next year) of the EU PRIME Project (Privacy for Identity Management in Europe).

Current PRIME results and published documents (in terms of requirements, approaches to privacy, whitepapers, reports, architecture, prototypes, etc.) are available here.

We look forward to hearing from you: any question, concern, feedback, etc. is welcome. I’ll make sure to share this with the team here and let you know about any reply.


Sunday, September 16, 2007

Part II: To Be or Not To Be an Identity Provider?

In a recent post, James McGovern makes this comment about a post of mine, called “To Be or Not To Be an Identity Provider?”:

“One should never research the notion of the business model of identity providers from scratch when there are many already in existence. How about starting with Securities Hub to not only understand the business model of being an identity provider but why it matters in an industry vertical context which most identity bloggers pretend don't exist.”

Well, I’ve never said I was researching this topic – I was just trying to understand the business model …, as I also wrote in a previous post of mine called “What is the Business Case for Identity Providers?”: “I wonder what would be the incentive for an organization to be an Identity Provider (IdP) and, in particular one that just plays this role i.e. with no additional stake in providing other services”.

Anyway, thanks for suggesting an example – even if this example looks more like a “Hub-based Service Provider” than an “Identity Provider” …

Any other example? In particular where the role of the Identity Provider is clear, whatever underlying federated identity management solution is adopted.


Saturday, September 15, 2007

New Interdisciplinary Initiative at University of Toronto on Identity, Privacy and Security

I think this is a great initiative, opening new opportunities in teaching and researching in the areas of Identity, Privacy and Security – as highlighted in this article by CNW Group:

“On September 17, 2007, Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, will be presenting the inaugural lecture at the University of Toronto's new interdisciplinary program called the Identity, Privacy and Security Initiative (IPSI), www.ipsi.utoronto.ca.

This initiative links two new graduate concentrations in privacy and security, offered this fall through the Faculty of Applied Science and Engineering and the Faculty of Information Studies. A key goal of IPSI is to bring together faculty and students from different disciplines to study and think together about identity, privacy and security and related technologies, policies and sciences.

Commissioner Cavoukian was appointed as the Chair of the Advisory Council for IPSI. "Given the Commissioner's strong support over the past two decades for privacy-related research, education and innovation, we are delighted that Dr. Cavoukian has agreed to act as the Advisory Council Chair," says Dr. Tim McTiernan, Interim Vice-President, Research, at the University of Toronto. "We feel that she is the ideal partner for this exciting initiative." …”


Friday, September 14, 2007

Google and the Call for Global Privacy Standards

You might be interested in this initiative by Google, which is meant to make a call for Global Privacy Standards. An article by Jeremy Kirk provides an overview:

“Search giant Google will propose on Friday that governments and technology companies create a transnational privacy policy to address growing concerns over how personal data is handled across the Internet.

Google's global privacy counsel, Peter Fleischer, will make the proposal at a United Nations Educational, Scientific and Cultural Organization meeting in Strasbourg, France, dealing with the intersection of technology with human rights and ethics. Fleischer's 30-minute presentation will advocate that regulators, international organizations, and private companies increase dialog on privacy issues with a goal to create a unified standard.

Google envisions the policy to be a product of self-regulation by companies, improved laws, and possible new ones, according to a Google spokesman based in London. …”

I believe this is going to be a huge challenge, considering the different cultural approaches to privacy and ways to deal with it (just look at how the US and the EU have different interpretations of, and approaches to, the concept of privacy …). It would also be interesting to see how the voice of consumers and citizens is going to be factored in.

More details and thoughts about this initiative can be found in a post by Peter Fleischer.


Thursday, September 13, 2007

What are your Priorities in the Identity Management space?

As a researcher at HP Labs I have some ideas and opinions about what could be (long-term) priorities in the Identity Management space. Some of these opinions are driven by factual information (analysis of trends, etc.), others by intuition. I expressed some of my views in various previous posts.

Listening to people and customers is another important source – to understand what is valuable and required by the business. For example, a customer has recently told me that their key priorities in the identity management space include:
  • Consolidation, integration and coordinated management of various identity management systems in their organisation: this apparently is still a major issue and problem to be solved;
  • Suitable authentication mechanisms for their customers, along with mechanisms providing a better attestation of their asserted identities.
As you can see, these are not very fancy “things” but they are very important from a business perspective.

What are your priorities in the Identity Management space? Which areas of identity management do you think are/will be more valuable to you/your business/the market?
