Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, July 31, 2007

TrustBus 2007 – 4th International Conference on Trust, Privacy & Security in Digital Business

The program and registration form for the 4th International Conference on Trust, Privacy & Security in Digital Business, TrustBus 2007, are now available online:

“The 4th International Conference on Trust, Privacy and Security in Digital Business (TrustBus’07) will provide an international forum for researchers and practitioners to exchange information regarding advancements in the state of the art and practice of trust and privacy in digital business.”

Paper sessions are going to cover the following topics:

  • Secure and Trusted Virtual Organisations
  • Privacy in Digital Business
  • Identity Management and Usage Control
  • Authentication and Access Control
  • Compliance and User Privacy
  • Policy Management
  • Secure System Management
  • Security and Trust


There is also going to be a panel discussion on “Managing Digital Identities – Challenges and Opportunities” and various invited talks. More information about the Program is available here.

Monday, July 30, 2007

Web 2.0/Ajax “Submission Throttling” and Privacy Concerns

“Submission Throttling” (e.g. see here) is an “Ajax Pattern” commonly used in state-of-the-art web applications: in a nutshell, data is buffered at the user/client side (web browser) and then sent to the server (e.g. remote web site) at predetermined times.

Interesting “side-effects” might occur when “personal data” is involved and the user is not really aware of what is going on … Let’s consider a simple example.

In the context of an “HTML form”, shown in a web page within a web browser, “Submission Throttling” techniques consist of sending part of the information already typed into this form - *** BEFORE any “Submit” button has been clicked by the user … *** - to the remote server (for a variety of reasons, e.g. field content validation, getting suggestions, etc.) and getting back some “feedback” (e.g. word correction, word completion, etc.). This Ajax pattern is simple to implement, as it only requires a JavaScript-enabled web browser and some client-server coordination (see a full working example here):

  1. A web form is displayed to the user in a web page, via a web browser;
  2. JavaScript code, running in the web browser (associated with the current web page), listens for events related to the form, such as typed characters or changes of focus (e.g. related to form fields);
  3. When such an event occurs, the current content of one or more fields is collected by a JavaScript function and sent to the remote web server, for example via XMLHttpRequest (i.e. a programmatic HTTP request to the remote site made by JavaScript code);
  4. The remote web server gets this data, does some processing and returns an answer (e.g. a corrected version of the typed word/sequence of characters, a completed version of the word, an indication that the word cannot be used in that context, etc.) to the JavaScript code running in the user’s web browser;
  5. This JavaScript code uses this “answer” to provide some “feedback” to the user (e.g. suggesting that the typed “userId” cannot be used, as somebody else has already taken it, or that the currently typed e-mail address is incorrect).


Please notice that the current data in the form is disclosed in advance to the remote web server - prior to any explicit “Submit” decision made by the user, and/or without the end-user necessarily understanding that this is happening and giving his/her consent …

On one hand, I see the usefulness of this mechanism (when properly used) and the value it brings in making web services more usable and interactive. On the other hand, from an identity and privacy management perspective, I see the possible risks this pattern could bring – both in malicious and non-malicious situations – for example when the involved user’s data is personal data.

I believe there are some implications in terms of privacy laws and data protection. Is it legal to disclose a user’s data in advance, prior to his/her “consent” to submit this data? Of course JavaScript could be disabled in web browsers and the problem neutralised – but in doing so most of the current “web 2.0” functionalities are disabled as well.

I think that users should be made aware when these techniques are used (and perhaps their consent asked in advance) … and “web browser tools” deployed to achieve this (e.g. web browser plug-ins detecting outgoing XMLHttpRequests or other attempts to connect to web servers and transfer data during a session).
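As an added illustration (example code written for this post, not the working example linked above nor any browser plug-in), the following JavaScript models the pattern in steps 1-5 with a client-side buffer that is flushed on a timer, together with the kind of outbound monitor a browser tool could implement by wrapping XMLHttpRequest.prototype.send: it records which form fields left the browser before the user clicked Submit. The transport and scheduler are injected stand-ins for XMLHttpRequest and setTimeout so the code also runs outside a browser; the field values are constructed.

```javascript
// Added example: a model of the "Submission Throttling" pattern plus a
// defender-side monitor of what leaves the browser before any Submit click.
// `transport` and `schedule` are injected stand-ins for XMLHttpRequest.send
// and window.setTimeout so the code also runs under Node.

class SubmissionThrottler {
  constructor(transport, { intervalMs = 500, schedule = (fn, ms) => setTimeout(fn, ms) } = {}) {
    this.transport = transport;
    this.intervalMs = intervalMs;
    this.schedule = schedule;
    this.pending = {};   // field values buffered since the last flush
    this.timer = null;   // handle of the pending flush, if any
  }

  // Called from an 'input', 'change' or 'blur' handler (steps 2 and 3):
  // buffer the value and arm one timer for the batch.
  onFieldEvent(fieldName, value) {
    this.pending[fieldName] = value;
    if (this.timer === null) {
      this.timer = this.schedule(() => this.flush(), this.intervalMs);
    }
  }

  // Timer callback: send everything buffered so far in one request.
  // Returns the payload sent, or null when nothing was pending.
  flush() {
    this.timer = null;
    if (Object.keys(this.pending).length === 0) return null;
    const payload = { ...this.pending };
    this.pending = {};
    this.transport(payload);
    return payload;
  }
}

// Wraps the transport and logs each outbound payload together with whether
// it left before the user's explicit Submit. A browser plug-in would do the
// same by wrapping XMLHttpRequest.prototype.send.
class OutboundMonitor {
  constructor() {
    this.submitted = false;
    this.log = [];
  }

  wrap(transport) {
    return (payload) => {
      this.log.push({ fields: Object.keys(payload), beforeSubmit: !this.submitted });
      transport(payload);
    };
  }

  markSubmitted() { this.submitted = true; }

  // Names of the fields that reached the server before any Submit click.
  preSubmitDisclosures() {
    const names = new Set();
    for (const entry of this.log) {
      if (entry.beforeSubmit) entry.fields.forEach((f) => names.add(f));
    }
    return [...names].sort();
  }
}

// Simulates a user filling in a sign-up form. Timer callbacks are queued
// instead of scheduled so the run is deterministic; the values are constructed.
function simulate() {
  const queue = [];
  const schedule = (fn) => { queue.push(fn); return queue.length; };
  const serverInbox = [];                               // stand-in for the remote server
  const monitor = new OutboundMonitor();
  const throttler = new SubmissionThrottler(
    monitor.wrap((payload) => serverInbox.push(payload)), { schedule });

  throttler.onFieldEvent('userId', 'alice');            // user types a user id
  throttler.onFieldEvent('email', 'alice@example.com'); // and an e-mail address
  queue.shift()();                                      // throttling timer fires: both leave the browser
  throttler.onFieldEvent('phone', '+44 20 0000 0000');
  monitor.markSubmitted();                              // only now does the user click Submit
  throttler.flush();                                    // the submit handler sends the rest

  return { serverInbox, log: monitor.log, preSubmit: monitor.preSubmitDisclosures() };
}
```

Running simulate() shows two requests reaching the server; the monitor reports userId and email as disclosed before Submit, which is exactly the disclosure a user-awareness tool should surface to the person typing.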

What do you think? What is your view?

Friday, July 27, 2007

Digital ID World 2007 Conference

The 6th Digital ID World 2007 Conference is going to take place in San Francisco, September 24-26.

I attended this conference in the past and found it very useful, not only in terms of presentations but also in terms of networking and the opportunity to get an overview of state-of-the-art Identity Management products and solutions shown in the exhibition area.

Based on the current program, topics covered this year include:
  • Deploying identity-based network access control
  • Using identity to achieve compliance
  • Authentication as risk management
  • How identity fits into SOA
  • Leveraging virtual directories
  • Understanding OpenID and CardSpace
  • Achieving "anywhere access" with E-SSO
  • Understanding successful federated identity deployments
  • Lessons for provisioning deployments
  • The convergence of physical and logical access control
  • Role Management as the lynchpin of scaling identity
  • Integrating machine identity into an identity architecture
  • Acting on policy enforcement for compliance
  • Addressing challenges in identity and the telco space
  • Overcoming hurdles specific to identity and financial services
  • Using identity to address healthcare specific concerns

More information on the program, exhibition and registration is available online.

Thursday, July 26, 2007

Next Steps: Identity Governance Framework (IGF) and Open Liberty …

A few days ago I wrote about a new Identity Governance Framework (IGF) document available online, “Id Governance – Privacy and Access Policy Market Requirements”, which describes use cases and requirements.

A recent article by Jeremy Kirk, titled “Identity Framework moves into next phase” provides an overview of possible next steps:

“… Those market requirements will be used to develop technical specifications for the Identity Governance Framework (IGF), a set of standard protocols that can be widely used in applications that handle identity information, said Amit Jasuja, vice president of product development for identity management at Oracle, one of Liberty's members. Those technical specifications should be finalized next year. … Eventually, IGF will also be compatible with other identity management specifications, such as OpenID and WS*, and systems like Project Bandit, Project Higgins, and Microsoft's CardSpace. Liberty is also encouraging identity application development projects through Open Liberty, its open-source development site that uses an Apache licensing model, said Brett McDowell, executive director of Liberty.”

More information about Open Liberty and the related IGF project can be found here.

Wednesday, July 25, 2007

R&D Opportunity: Identity 2.0 and its Impact on the Enterprise …

Identity 2.0 is currently associated with a broad wave of Web 2.0 initiatives, involving collaborative networking, content mashups, individual content provision, etc. In this context, Identity 2.0 includes technologies and approaches such as OpenId, InfoCard/CardSpace, Sxip, etc.

These technologies and solutions currently focus on user-centric approaches. However, they are also going to (heavily) impact the Enterprise (and there are already signs that this is happening, as people/employees are starting to use them to perform their tasks and jobs).

I believe it is important to investigate and research the impact that Identity 2.0 and Web 2.0 are going to have in the *Enterprise* context, taking into account that the “enterprise” is subject to various business, security and privacy constraints. Here is a set of questions to be investigated:

  • What is the “meaning of” content mashups, collaborative networking, collective knowledge, etc. in an enterprise context, and how will Identity 2.0 (and Web 2.0) evolve in this context?
  • How to reconcile enterprise constraints with the capabilities offered by these emerging approaches and technologies?
  • What are the implications for existing enterprise Identity Management solutions?
  • What are the implications from a “business-driven IT management” perspective?
  • What are the implications for assurance and risk management?
  • Is there any new emerging area/opportunity in the space of enterprise identity management?

I think that the outcome of this R&D effort is likely to highlight opportunities for new products, solutions and services in the Identity Management space.

Tuesday, July 24, 2007

New Identity Governance Framework (IGF) Document - Available Online …

A new Identity Governance Framework document, titled “Id Governance – Privacy and Access Policy Market Requirements”, is now publicly accessible online, in the Liberty Alliance portal:

“This document provides the key business actors, use cases, and requirements for identity privacy and access policy. Actors define the key individuals that play a role or have a responsibility for the use of identity-related data in enterprise web applications. Following the actor definitions are use case scenarios that highlight scenarios that drive the requirements for a future specification.
This document is based on the contributions from Oracle’s Identity Governance Framework submission to the Liberty Alliance (now known as Id-Governance), the Liberty Alliance Technical Expert Group use cases, and individual Liberty member case submissions.”

Experiment: Blogs and Role of Authentication on Comments …

After getting some feedback (including Paul Madsen’s comment), I decided to run an experiment to explore how much of a role “authentication” plays when submitting comments to blogs – in particular to my blog. This blog is the mirror site of my HP blog on “Research on Identity Management”, with the same title and content. This blog allows for different types of posting, including anonymous posts. This will relax the current requirement of having to use the “HP Passport” authentication (including registering for it …), required by my blog hosted on the HP site. I am going to post my input in parallel, on both blogs, and observe whether this changes the dynamics of how people submit their comments to my blog at all. So, to summarise, here are the URLs of the two blogs on “Research on Identity Management”:

Hope this will simplify the process of sending comments and getting your input.

Monday, July 23, 2007

Search Engines and Privacy …

Robert McMillan has just published an article highlighting Microsoft’s move to support anonymity and privacy in the search engine space:
“Microsoft is joining Ask.com in offering Web surfers a way to use its search engines anonymously, and the two companies are now calling on the search and online advertising industry to develop a common set of privacy practices.”
I think this is a good move, consistent with existing requirements, dictated by various Data Protection laws and related legislation.
I am also interested in the follow-ups, i.e. how and in which context the “common set of privacy practices” is going to be discussed, specified and enforced. I believe this should not stop at the “anonymity” aspect (or at the fact that data should be deleted after a predefined period of time) but should also embrace other privacy aspects, such as:
  1. Actively ask for users’ consent when collecting their personal data; clearly state the purposes for which this data is going to be used, for the entire retention period;
  2. Provide tools and mechanisms for end-users to potentially “search” and get reports about the information that has been *internally* collected by the search engine provider (at least during the act of searching, but hopefully also afterwards): this will keep users in the loop and help them to have a better understanding of the collected information. How to achieve this might not be trivial, but I think it is doable;
  3. Define mechanisms and processes to actually enforce these practices;
  4. Explicitly define procedures to audit and check for compliance.
Ultimately I believe this would bring more transparency and increase the level of trust in search providers’ practices.

Identity Thefts? It is Matter of Opinion …

After reading Roger A. Grimes’ post, “Identity Thefts? What Identity Thefts?”, I had a look at the mentioned US Government Accountability Office (GAO) report, called “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown”.
In his post, Roger says: “The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks. … The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it’s not an entirely bad report, but it comes to nebulous conclusions.”
I share some of Roger’s concerns. The statement that “the extent to which the data breaches result in identity theft is not well known” also looks odd to me, as does the fact that end-users (data subjects) have (apparently) not been involved in the surveys and interviews.
In addition, I believe that just focusing on “Notification Strategies/Legislation” is not the right way to go. The “Notification” of identity thefts should really be the last step, once the damage has been done, as an ultimate attempt to contain its consequences. Legislation should also focus on defining criteria and guidelines to be met in terms of effective data protection, policy enforcement, good security and business practices, as well as defining punishments for breaching rules and compensation for affected people. I think this would give an “impulse and motivation” to be more compliant and tackle root problems.

Worries of IT & Compliance Practitioners about Privacy and Data Security

Phil Hunt (Oracle) has drawn attention (in a recent post) to the availability of a report on “What Worries IT & Compliance Practitioners Most About Privacy and Data Security?”:
"A recent study, commissioned by Oracle and conducted by privacy and information management research firm Ponemon Institute, reveals the top issues that IT and compliance professionals find most worrisome and conveys a pervasive sense of pessimism among individuals tasked with protecting sensitive corporate data."
Even if this report is only focused on corporate IT departments located in the US, I found it very useful for better understanding the different views and worries that IT Practitioners and Compliance Practitioners have on privacy and data security. In particular, this report compares their views in terms of issues that might occur and the adequacy of controls in various areas, along with a survey of which technologies are most likely to change to address related issues.
This report can be downloaded here.

Report: 90 percent of companies fail compliance to data-handling regulations

A recent InfoWorld article (by Matt Hines) titled “Report: 90 percent of companies fail compliance” provides an interesting preview of the findings of an IT Policy Compliance Group report, to be published on July 18:
“The consortium of IT compliance and security experts concludes that some 90 percent of all businesses still do not have sufficient policies in place to meet data governance regulations and adequately limit the risk of a breach. In the survey of 475 companies, a third of whom reported revenues of more than $1 billion last year, the industry group found that an overwhelming majority of the firms expect to deal with at least six business disruptions related to major data incidents per year along with five or more instances of information loss or theft.
While businesses continue to invest policy enforcement software, and other technologies aimed at helping them meet data-handling regulations, said James Hurley, managing director of IT Policy Compliance Group, most are still struggling to fill all the gaps left in their systems that leave them open to potential incidents.”
These findings do not surprise me too much. I believe that the areas of data-handling management (in a policy-compliant way) and policy enforcement are very complex and still open to research and contributions.
In particular, I see opportunities in the space of “Federated Policy Management”, i.e. how to model, federate, align, manage, enforce and monitor (heterogeneous) policies across multiple IT layers (systems, data repositories, middleware, applications/services, etc.) – when dealing with sensitive information and data. Another important area is how to effectively track the location and storage of sensitive data in complex and distributed organisations, along with related data flows.

ISSE 2007: Information Security Solutions Europe

I’d like to bring to your attention the ISSE 2007 conference, 25-27 September 2007, Warsaw, Poland. Its program is now available online.
ISSE (Information Security Solutions Europe) is an independent, European, interdisciplinary security conference and exhibition. I attended this conference in the last few years and found it very useful for better understanding aspects of security, trust and identity management from a European perspective. Based on the published program, ISSE 2007 will cover key security topics such as:

  • Security Management
  • Economics of Security
  • Risk Management
  • Digital Rights Management
  • Enterprise Rights Management
  • Privacy & Data Protection, Cyberspace Regulations
  • Compliance & Governance
  • Protection against mail and web attacks
  • Defense against social engineering attacks
  • CERT Cooperation and Support
  • Phishing and Pharming
  • Hackers and Threats
  • Emerging Security Technologies and Crypto Developments
  • Future of Security Aspects
  • Identity Management
  • e-Identification
  • Biometrics
  • Smart Tokens, ID-Cards, RFID, e-Passports
  • PKI-Solutions
  • Network Security
  • Web Services Security
  • Mobile & Wireless Security
  • Trusted Computing and Applications based on TC Services
  • European e-Government Applications and European IT-Security Projects
  • Cross Border Interoperability
  • eHealth Applications

“Now in its ninth year, ISSE is supported by a number of key partners such as ENISA (the European Network and Information Security Agency), providing delegates with a unique insight into their work within the European Commission, Member States and the wider European business community. ISSE 2007 is poised to attract over 400 delegates from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security as a part of business processes and electronic transactions and discussing related issues like return on investment, total cost of ownership, risk management and interoperability.”
This year, ISSE 2007 is jointly organised with SECURE 2007.

Authorization in-a-Box

The authorization process is a critical aspect of distributed/federated environments. For example, in federated identity management scenarios or outsourcing scenarios, “distributed” decisions and authorizations are made by multiple parties involved in an interaction or business activity.
How can one ensure that the remote party or business partner is making the right decisions and carrying out the correct authorization processes, based on agreed policies? I guess that one way to achieve this would be via legal contracts and periodic auditing for compliance checking.
A few years ago Joe Pato, Adrian Baldwin and I had a “complementary” idea, which also took the “policy enforcement” angle into account. This idea consisted of an “Authorization-in-a-Box” approach. We wrote a technical report, but there were no major follow-ups. Perhaps this suggested approach might now be of some interest (of course to be revisited in the current web service frameworks), considering the increased attention on distributed/federated environments and the role that authorization is going to play in these contexts. The abstract of our technical report follows:
“This paper presents a distributed authorisation model suitable for use in a web service framework where multiple parties are involved in performing a particular transaction. The authorisation model uses a third party authorisation service that checks users or services' credentials against a set of authorisation policies. A traditional service provision model does not scale well for such transactions. The proposed model uses a hardware security appliance to deliver the service to the most appropriate site involved in the transaction. The authorisation model supports a multi-party session so that authorisation policies can be checked and built as part of the web service composition process.”
Comments and discussions are welcome.

Federated Access Management for SOA

A technical report has recently been published by two HP Labs colleagues (Jun Li and Alan Karp) on “Zebra Copy: A Reference Implementation of Federated Access Management”. It might be of interest to the Identity Management community.
Jun and Alan discuss some of the issues involved in using Federated Identity Management in Service Oriented Architecture (SOA) contexts and argue that a better approach would be based on “Federated Access Management”.
The abstract of their report follows:
“Federated Identity Management (FIdM) is being applied to Services Oriented Architecture (SOA) deployments that cross enterprise boundaries. These systems have been found to be inflexible, unscalable, and difficult to use, manage, and upgrade. We contend that a major reason for these difficulties is that FIdM solves the wrong problem. Specifically, FIdM says nothing about federating access policies. What is needed instead of FIdM is a system for Federated Access Management (FAccM). This report demonstrates the benefits of FAccM over FIdM for SOA deployments and includes a step-by-step explanation of code needed to deploy, manage, and use a sample service.”

Identity Management and the Human Factor

This latest case of “identity misuse/theft” (source: Fidelity employee steals 2.3 million consumer records) illustrates yet again how the “human factor” plays a key role in all aspects of identity and privacy management – and how the key issues lie in the “back-end” of organisations.
Apparently “security” was in place and enforced (the employee had a role that justified access to the customer data). So in the end it is a matter of misplaced trust in the employee and abuse of his role …
However, shouldn’t an upfront risk analysis (done at the business level) have highlighted how critical this “role” was, identified the risks associated with this “customer data repository” – and hopefully suggested control points and mitigation factors (see also my recent post on Business-driven Identity Management …)?
I also wonder whether any identity management technology or solution could have been of any help, at least in detecting (in time) what was going on and/or stopping/minimizing this fraudulent act …

Ensuring Privacy and Consent in Identity Management Infrastructures

An interesting conference is going to take place on July 9th in London, UK, on “Ensuring Privacy and Consent in Identity Management Infrastructures”. It is supported by the DTI and free to attend for the private sector and academics. The conference program and online registration form are available at:
http://www.kablenet.com/KE.nsf/EventsSummaryView/0CFE397AFD0FF888802572E50050D62B?OpenDocument
“The Department of Trade and Industry (DTI), through the Technology Strategy Board's Network Security Innovation Platform, is working with the Identity and Passport Service (IPS), the Home Office, the Economic and Social Research Council (ESRC) and the Engineering and Physical Sciences Research Council (EPSRC) to develop a work package that will sponsor a £10m, 3-year, research and development programme into how to balance the potentially intrusive nature of identity services and network security with users' expectations of privacy and consent. This research will be cross-disciplinary, combining social science with technological innovation. …
The aim of this initial workshop on 9 July is to discuss and refine the areas of importance for research, as well as identifying where the research is needed and where the UK has potential to develop world-leading commercial services. The findings of the workshop will lead to the development of projects and proposals using the EPSRC's sand-pit concept at a further workshop to be held in early October.”
You might want to consider attending if you work in the areas of identity and privacy management …

Business-driven Identity Management

Enterprises are increasingly managing IT from a business perspective, in order to reduce costs, improve availability, tune capacity, optimise resource utilization, and deal with risks and regulatory compliance.
In this context, the ITIL (IT Infrastructure Library) framework defines a set of best practices focused on aligning IT with business. This applies to a “Service-oriented Culture”, where there is an understanding that IT exists to support the business, that there is a commitment to deliver agreed levels of service and that customer satisfaction comes first.
ITIL core disciplines are centred on Service Support and Service Delivery. ITIL provides guidance in terms of Configuration Management, Change Management, Incident Management, Security Management (based on ISO/IEC 17799) and Audit Management.
Considering the increased importance that Identity Management has in enterprises and the trend towards “Identity Services” (see here), I see the key role that ITIL is going to play in defining best practices and “Identity Controls” for Identity Management.
Ultimately, I believe that “Identity Management” (in enterprise contexts) will evolve towards “Business-driven Identity Management” – so related Identity Management solutions will …

On Identity Information and “Sticky Policies” …

A recent post by Paul Madsen (Stuck on Band-Aids, 'cause Band-Aids ...) highlights an “extreme” (and curious) case where user consent and user control are required to deal with “personal information”. Without going for these extreme situations … more control is indeed required over “personal data” collected and stored by organisations.
Today a lot of emphasis is on “front-end” issues, i.e. how to convey personal attributes and information (for example via InfoCard or OpenId references or Liberty Alliance ID-FF mechanisms) from one entity to another, how to smoothly enable SSO, etc. All important aspects, of course, but … there is much less “interest” in what happens afterwards, i.e. once identity information has been extracted from various “credentials/tokens” and stored in standard enterprise data repositories … Enterprise Identity Management solutions focus primarily on identity provisioning and lifecycle management, “identity information” storage and its usage for authentication and access control. Identities are often stolen or misused, people’s preferences are not taken into account, privacy is violated. Privacy management and enforcement is still a green field.
Users (data subjects) should be enabled (upfront) to express their consent on how their data should be used, for stated purposes: these preferences (and related policies) should be considered an integral part of users’ personal data, i.e. they should really “stick” to the data. Data can be moved around within an organisation, copied and disclosed to third parties. Policies and preferences should follow …
The “sticky policy” problem is currently overlooked … Of course, dealing with all these issues is a matter of business and risk/cost management, good practices, definition of suitable processes and “Identity Controls” (from which “enforcement” mechanisms can be derived). Identity auditing and compliance checking can help to do the rest … No doubt this is a pragmatic way to go, but it leaves me with the feeling that all this is done with “ad-hoc” approaches, based on good will and understanding of the issues - whilst more systematic approaches and solutions are required …
I am not saying we should go for the “extreme approach” proposed some time ago (Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services) but I believe something “in the middle” is required to enable the management and enforcement of (privacy) policies and make progress in terms of accountability and (privacy) compliance.

Identity = Data + Policies

A few years ago I wrote an HP Labs Technical Report titled “Identity Management: On the "Identity = Data + Policies" Model”, reflecting some R&D work and thinking done at HP Labs. In this paper I argued that the current Identity Management model is based on the “Identity = Data” paradigm, whilst we need to move towards a paradigm that also includes preferences and data handling policies, to ensure better (privacy) management, address users’ expectations and provide more compliance and data governance at the enterprise (data receiver) side. This paper explored a way to deal with this extended “Identity = Data + Policy” model and related “sticky policies” ...
Since then, little has changed – at least in the commercial “Identity Management” world … This is particularly true in federated identity management contexts, where a great deal of effort has been spent on enabling smooth single-sign-on capabilities and ways to exchange information (or possibly minimise the exchanged information …) but little has been done to “convey” preferences and policies along with data – when this data is exchanged (for example, between a user and a Data Receiver/Identity Provider, between an Identity Provider and a Service Provider, or between two Identity Providers).
To make progress in this direction it is necessary to:
  • Enable users to provide their (privacy) preferences in a more explicit and fine-grained way (e.g. in terms of consent, disclosure list, deletion, notification, etc.);
  • Enable enterprise back-end Identity Management solutions to manage the association of preferences and (data handling) policies with data and take them into account during data processing steps;
  • Enable the exchange of data along with associated preferences/policies;
  • Introduce accountability, tracing and auditing mechanisms.
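As an added example (written for this post, not code from the technical report or from any Liberty Alliance or PRIME specification), the following JavaScript sketches the “Identity = Data + Policies” model for the four points above: a record that carries its subject's preferences with it, a receiver-side gate that checks each processing step against the consented purposes, disclosure list and retention period, a disclosure step that copies the policy along with the data, and an audit trail for accountability. The policy shape (purposes, disclosureList, retentionDays), the party names and all values are assumed for illustration only.

```javascript
// Added example of the "Identity = Data + Policies" idea. The policy
// fields (purposes, disclosureList, retentionDays) are an assumed shape,
// not a standard representation; all sample values are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// A sticky record: the subject's attributes plus the policy they attached,
// the collection time (retention counts from here) and an audit trail.
function makeStickyRecord(subjectId, attributes, policy, collectedAt) {
  return { subjectId, attributes, policy, collectedAt, audit: [] };
}

// Gate for every processing step: may `receiver` use `record` for `purpose`
// at time `now`? Every decision, allowed or not, is appended to the audit.
function evaluateUse(record, receiver, purpose, now) {
  const p = record.policy;
  let reason = null;
  if (now - record.collectedAt > p.retentionDays * DAY_MS) {
    reason = 'retention period expired';
  } else if (!p.purposes.includes(purpose)) {
    reason = `purpose "${purpose}" not consented`;
  } else if (!p.disclosureList.includes(receiver)) {
    reason = `receiver "${receiver}" not on disclosure list`;
  }
  const allowed = reason === null;
  record.audit.push({ at: now, receiver, purpose, allowed, reason });
  return { allowed, reason };
}

// Disclosure to another party: runs through the same gate and, when
// allowed, hands over a copy in which the policy and the original
// collection time travel with the data. Returns null when blocked.
function disclose(record, receiver, purpose, now) {
  if (!evaluateUse(record, receiver, purpose, now).allowed) return null;
  return makeStickyRecord(
    record.subjectId,
    { ...record.attributes },
    { ...record.policy,
      purposes: [...record.policy.purposes],
      disclosureList: [...record.policy.disclosureList] },
    record.collectedAt,
  );
}

// Walks one record through a shop and a courier to show the policy sticking.
function demo() {
  const T0 = 1700000000000;                          // constructed collection time
  const policy = {
    purposes: ['order-fulfilment'],                  // the only consented purpose
    disclosureList: ['shop', 'courier'],             // parties allowed to hold the data
    retentionDays: 30,
  };
  const original = makeStickyRecord('user-42',
    { email: 'alice@example.com', phone: '+44 20 0000 0000' }, policy, T0);

  const fulfil = evaluateUse(original, 'shop', 'order-fulfilment', T0);
  const market = evaluateUse(original, 'shop', 'marketing', T0);
  const courierCopy = disclose(original, 'courier', 'order-fulfilment', T0 + 1 * DAY_MS);
  // The courier holds a copy, but the subject's policy came with it: an
  // onward disclosure to a party not on the list is refused and recorded.
  const adNetwork = courierCopy && disclose(courierCopy, 'ad-network', 'order-fulfilment', T0 + 2 * DAY_MS);
  // Retention is counted from the original collection, not from the copy.
  const late = courierCopy && evaluateUse(courierCopy, 'courier', 'order-fulfilment', T0 + 31 * DAY_MS);

  return {
    fulfil, market, late,
    copied: courierCopy !== null,
    policyStuck: courierCopy !== null && JSON.stringify(courierCopy.policy) === JSON.stringify(policy),
    adNetworkBlocked: adNetwork === null,
    auditOriginal: original.audit.length,
    auditCopy: courierCopy ? courierCopy.audit.length : 0,
  };
}
```

demo() returns the decisions and audit sizes: the shop may fulfil the order but not market, the courier receives a copy with the policy attached, the courier's attempt to pass the data on is refused, and the copy becomes unusable once the retention period (counted from the original collection) has elapsed, with every decision visible in the audit trail of the record it was taken on.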
I believe this is an important area where R&D activities can help to make progress. Efforts are also required in the “standardisation” arena – to define standard ways to represent preferences and related policies (and their semantic) as well as ways to exchange them …

PRIME (Privacy for Identity Management in Europe) Whitepaper v2 available …

The PRIME Whitepaper v2 is now available online:
“The EU PRIME project demonstrates the viability of privacy-enhancing identity management. By this we mean identity management solutions that manage the individual's online identity and that also empower the individual to actively protect their own privacy. … This white paper describes our vision of privacy-enhancing identity management and how it can be realised in software. It also shows where work remains to be done.”
I’d also like to remind you that a more detailed description of PRIME Architecture and related solutions is available here.

Known Unknowns: OpenId, InfoCard/CardSpace, Liberty Alliance ID-FF/SAML, …

Many attempts have been made to compare emerging “solutions” for web single-sign-on, federation and exchange of identity attributes: OpenId, InfoCard/CardSpace, Liberty Alliance ID-FF/SAML, etc.
However, most of these comparisons (including recent posts by Kim Cameron and Conor Cahill) have been focusing on specific aspects/points (or specific solutions). The outcome is a set of very interesting discussions, but with frequent misunderstandings and confusion.
I believe that a “rationale” for comparing these solutions is required, as well as a related systematic, comparative analysis based on:
  • Core functional capabilities: authentication, authorization, single-sign-on mechanisms, federated capabilities/interaction models, mechanisms to exchange identity information, auditing, etc.
  • Non-functional capabilities: security, trust, privacy, usability, etc.
  • Business aspects: adoption rate, roadmaps, interoperability plans, etc.
I think that such an analysis would be valuable to various stakeholders (solution adopters, solution providers, developers, users …) to make informed decisions and to start reasoning in terms of potential interoperability and synergies.
So far I have failed to find this type of comprehensive analysis. If it exists, I would really appreciate getting a pointer/link …

HP Identity Center

HP has recently announced the creation of the “HP Identity Center”:
“HP Identity Center helps you to optimise and automate the management of people, processes, security and compliance. HP Identity Center is a comprehensive identity and access management solution. The center helps you to reduce costs, improve user experience and productivity, and improve compliance by optimizing identity and access management processes to meet business needs. Identity Center’s unique features help mitigate the impact from ongoing change that occurs in user, IT and business lifecycles, improving efficiency, productivity, security and compliance.”
This is a good sign. I believe this is a further recognition of the strategic role that “Identity Management” has for enterprises and users and a statement about its importance for HP.
As an HP Labs researcher, one of my challenges is going to be contributing to the medium/long-term strategy and evolution of this HP Identity Center with the outcome of some HP Labs R&D projects (and also with new projects currently under exploration in the space of Enterprise 2.0/Identity 2.0), including:

The European e-Identity Conference 2007: Presentations available online …

A few relevant/interesting tracks (with presentations available online):
  • Security issues in social networking
  • Security issues in reputation systems
  • Authentication, Interoperability e-ID/Government Schemas
  • Industry & Standards IdM related aspects
http://www.enisa.europa.eu/pages/auth/programme_auth_eid_ws2007.htm
Enjoy!

HIPAA Audit and “Shock Waves” on Health Care IT …

A recent ComputerWorld article discusses the outcome of an audit of a US Hospital and the implications this might have in the Health Care industry: “An audit of Atlanta’s Piedmont Hospital that was quietly initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of further enforcement actions related to the federal HIPAA law’s data security requirements …”.
Not a surprise … I have always supported the notion that when dealing with personal data, proper privacy policy enforcement must be in place. However, I don’t believe this can just be addressed with data encryption and/or traditional security mechanisms. When dealing with personal data in organisations, it is important to take into account basic privacy principles, such as users’ consent, clearly stated purposes for collecting data, enforcement of the related constraints at access time and fulfilment of any pending obligation. Privacy-aware access control and privacy-aware identity lifecycle management are key requirements.
Two HP Labs’ R&D projects have been focusing on this space for a while and suggest approaches and solutions to deal with (some) related issues:
  • Privacy-aware Access Control
  • Privacy-aware Identity Lifecycle Management
I am interested in exploring opportunities for technology trials in this space and/or getting further input/requirements/feedback from the field.

Concordia Project Workshop: on Interoperability and Harmonization of Different Identity Standards and Protocols ...

I’d like to bring to your attention the upcoming Concordia Project Workshop (June 26, San Francisco, Burton Catalyst pre-conference session 2007):
“This workshop is aimed at defining and understanding deployer needs with regards to interoperability and harmonization of different identity standards and protocols. The workshop is organized on the premise that there is a spectrum that exists in the marketplace across consumer desire (open vs private), business drivers (low risk transactions vs high risk transactions), regulatory impact (little vs much), implementation cost (low cost vs high cost), etc. End deployers, which currently include AOL, Boeing, General Motors, the Government of British Columbia, and the US General Services Administration (GSA), will present real world use case presentations to help define and develop marketplace drivers, which include:

People
• Authentication
• Personalization
• Privacy control

Services and applications
• Delegation
• Unification
• Access control

Organizations
• Secure outsourcing
• Reduce costs
• Privacy Control”

Additional information is available online.

Policy 2007

I am just back from IEEE Policy 2007 (Bologna, Italy, 13-15 June 2007). It has been a very interesting workshop where various aspects of policies and policy management have been discussed along with their implications for IT, identity management, access control, security, privacy, trust, semantic web, etc. A few presentations are available online: http://lia.deis.unibo.it/confs/policy2007/
I also took part in a related panel (involving IBM, HP, Telcordia and University of West Ontario) about “Business Impact of Research on Policies for Distributed Systems and Networks” where we discussed our vision of how policies can help in the “Business-driven IT Management” context and how this will evolve in the coming years. All presentations are available online.

Privacy Management: A Reality Check …

Ben Laurie and Kim Cameron have been recently posting on their respective blogs (links.org, identityblog.org) about potential violations of the “Laws of Identity”, related privacy issues (on linkability), etc. This discussion was triggered in the context of their respective user-centric identity management work on InfoCard/CardSpace and “Selective Disclosure” - where users are enabled to have degrees of control on the disclosure of their personal data.
Interestingly, at the same time this debate was taking place, Google was warned by the EU data protection advisory group that it could be violating European privacy laws by keeping data on people’s searches for as long as two years …
This is just an example. Large amounts of personal data have already been disclosed to enterprises - by millions of people! Privacy laws and legislation are violated by too many organisations (worldwide) – not only because of lack of (strong) punishment but also (and especially) because of lack of internal processes, expertise, tools and solutions to enforce privacy policies and check for compliance.
Let’s have a reality check … I really see the urgency and priority of investing in and contributing to fixing privacy problems and issues in the enterprise space!

Enterprise Web 2.0/Enterprise 2.0 and impact on “Identity Management” …

I have been exploring for a while the “Enterprise Web 2.0/Enterprise 2.0” topic. It is fascinating. I must say that at the current stage it is hard to fully understand and predict what is going to happen. I am particularly interested in the implications that this is going to have on “Enterprise Identity Management”.
The increased adoption and use of “Web 2.0” technologies and “social networking approaches and tools” (e.g. blogs, wikis, etc.) by employees is indeed having an impact on:
  • How employees interact and share information
  • How information is collected, dynamically organised and re-shared
  • How expertise, enterprise’s “communities of interest” and work relationships are created
I’ve found relevant discussions on this topic in Dion Hinchcliffe’s blog (Enterprise Web 2.0 - http://blogs.zdnet.com/Hinchcliffe/). The trend of introducing Web 2.0 in the enterprise (and its impact) is referred to as the “consumerization of the enterprise”. Interesting predictions include:
  • Convergence of Web 2.0 and SOA
  • “Mashup” of enterprise processes, applications and involved information
  • Moving towards “Social Collaboration” in enterprises
  • “Collective Intelligence”
I believe this trend is going to be reinforced when “IT & support organisations” within the enterprise are going to explore and adopt “Web 2.0 models” in production, control and distribution processes.
In this context, I wonder what the actual impact on “Enterprise Identity Management” is going to be, for example in terms of access control, identity lifecycle management, provisioning, storage and aggregation of confidential and personal data and privacy.
Current enterprises are mainly organised around “centralised/very hierarchical” control, driven by business policies and objectives – impacting how information is made available, how employees interact and how tasks and processes are performed. “Web 2.0” and social, collaborative approaches are instead moving the control towards the individuals, who aim to continuously create, reshape and aggregate “content and information” and dynamically (re-)define interaction flows. I see potential conflicts in this space that need to be properly understood and addressed.
However, I am sure that current trends will bring a new wave of opportunities that (among other things) will also impact “enterprise identity management” and reshape current solution offerings. This is an interesting research topic I am going to spend time on in the coming months …
What do you think? What is your prediction/view?

EU PRIME Project - “Privacy for Identity Management in Europe”: Architecture V2 Document Available …

The “Architecture v2” document of the EU PRIME project has been released: https://www.prime-project.eu/prime_products/reports/arch/pub_del_D14.2.c_ec_WP14.2_v1_Final.pdf
This reflects the outcome of R&D work done in the PRIME project during the last year. Additional technical work on aspects of privacy and identity management will be carried out in the coming months. Your input and feedback is welcome.
For more information about the EU PRIME project and its deliverables have a look at: https://www.prime-project.eu/

United States’ “REAL ID Act”: a Threat to Privacy?

An interesting post by “Burton Group Identity Blog” (http://identityblog.burtongroup.com/bgidps/2007/05/reporting_on_a_.html) highlights various privacy threats and consequences that the “REAL ID Act” (http://en.wikipedia.org/wiki/REAL_ID_Act) might have on US citizens, as reported by the DHS’ Data Privacy and Integrity Advisory Committee. This Act will be enforced from the end of December 2009 …
I tend to agree about the potential issues this Act could bring – in particular with some of the conclusions drawn by the Advisory Committee (http://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_05-2007_realid.pdf):
“The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking …”
Recommendations made by the Committee are actually about principles (on consent, notifications, access to data, accountability, etc. - see OECD privacy guidelines - http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html) that are at the very foundation of privacy rights – rights that should be taken for granted these days. Hopefully there will be enough time to take these recommendations into account …

The Open Group's “Guide to Architectures for Identity Management”

I’ve just learnt that The Open Group's “Guide to Architectures for Identity Management” is available for download (for free) from The Open Group's online bookstore:
http://www.opengroup.org/bookstore/catalog/g072.htm
“This Guide is aimed primarily at the enterprise architect undertaking the design of an information infrastructure to support internal and external user-based collaboration and commerce. It addresses the key issues that an enterprise architect needs to consider in the process of developing an enterprise identity management architecture, and discusses practical aspects which influence decision-making during that process. It focuses on the business perspective, but also includes consideration of individual, social, governmental, and economic perspectives” (source: Ian Dobson’s announcement e-mail).
I would have expected a deeper analysis of “privacy management” aspects and related implications (and requirements) on identity management architectures - to comply with current privacy legislation (HIPAA, COPPA, EU Data Protection, etc.), privacy guidelines (e.g. OECD, etc.) and end-users’ expectations …

Liberty Alliance and Concordia Program

A recent post by Paul Madsen on his ConnectID blog, titled “Liberty Alliance – 50% less evil” (http://connectid.blogspot.com/2007/05/liberty-alliance-50-less-evil.html), was really amusing. Here is some further “evidence” showing that there is indeed some good willingness in being open and “collaborating” with other parties …
The “Concordia Program” (announced at RSA 2007) supported by Liberty Alliance (http://wiki.projectliberty.org/index.php/Concordia) “is designed as an umbrella initiative to drive harmonization and interoperability of identity specifications and protocols. The goal of this group is to help drive the development of use case scenarios where multiple identity specifications, standards and/or other initiatives might co-exist, recognizing heterogeneous deployment environments of the marketplace”.
I believe this is a first positive attempt/step to deal with the current “uncertainty” in the “federated identity management” and SSO space due to competing and not really compatible proposals (see Liberty Alliance, OpenID, InfoCard/CardSpace, etc.).
Progress in this direction now depends on the willingness of various solution providers, technology developers and technology adopters to collaborate and reconcile/harmonise their different views (for the ultimate benefit of end-users and common people …).
Watch this space (and the Concordia wiki site …). There are soon going to be opportunities for discussions in workshops and meetings …

On Federated Policy Management …

An area of relevance to Identity Management is “Federated Policy Management”.
Policies are used to drive access control decisions and enforce accesses to resources. How to “synchronise” policies that are used at different levels of abstraction – for example in complex telecom or enterprise environments?
Ideally an organisation might want to define high-level policies, check for their compliance and manage them in a centralised way. However, the idea of having a general purpose policy language is unfeasible, given the current legacy systems and the complexity of the real world.
In practice, different policies are defined and enforced at each IT layer (e.g. network, system, OSs, middleware, application/services, etc.). Keeping these policies aligned with (high-level) business and security objectives, and fully understanding the impact of local changes on the global context, is often a challenging experience.
I believe there are great R&D opportunities in this space (and some initial work has already been done, of course …).
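As an added illustration of the alignment problem (example code written for this post, not an existing tool), the Python below refines one high-level business rule into the network-layer and application-layer rules it implies, then compares those against a constructed snapshot of what is actually deployed. The firewall comparison uses address containment rather than string equality, so a rule that is broader than policy is reported as such rather than as merely “different”. The role-to-subnet and resource-to-endpoint mappings, and the deployed snapshot, are assumptions for the example.

```python
import ipaddress

# Constructed high-level policy: which role may do what to which business resource.
HIGH_LEVEL = [{"role": "finance", "resource": "payroll-db", "action": "read"}]

# Constructed deployment facts mapping business terms to layer-specific ones.
ROLE_MEMBERS = {"finance": {"alice", "carol"}}
ROLE_SUBNET = {"finance": "10.10.0.0/16"}              # where that role's workstations sit
RESOURCE_ENDPOINT = {"payroll-db": ("10.20.0.5", 5432)}


def refine(high_level):
    """Derive the per-layer rules the high-level policy implies:
    network layer -> (source subnet, host, port); application layer -> (user, resource, action)."""
    firewall, grants = set(), set()
    for rule in high_level:
        host, port = RESOURCE_ENDPOINT[rule["resource"]]
        firewall.add((ROLE_SUBNET[rule["role"]], host, port))
        for user in ROLE_MEMBERS[rule["role"]]:
            grants.add((user, rule["resource"], rule["action"]))
    return firewall, grants


def audit_firewall(expected, deployed):
    """Compare network rules by address containment, not by string equality."""
    findings = []
    for src, host, port in expected:
        covered = any(h == host and p == port and
                      ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(d))
                      for d, h, p in deployed)
        if not covered:
            findings.append(("firewall", "missing", (src, host, port)))
    for d, h, p in deployed:
        justified = any(h == host and p == port and
                        ipaddress.ip_network(d).subnet_of(ipaddress.ip_network(src))
                        for src, host, port in expected)
        if not justified:
            findings.append(("firewall", "broader-than-policy", (d, h, p)))
    return findings


def audit_grants(expected, deployed):
    """Application-layer grants are discrete, so plain set difference is enough."""
    return ([("db-grant", "missing", g) for g in sorted(expected - deployed)] +
            [("db-grant", "excess", g) for g in sorted(deployed - expected)])


def audit(high_level, deployed_firewall, deployed_grants):
    fw, grants = refine(high_level)
    return audit_firewall(fw, deployed_firewall) + audit_grants(grants, deployed_grants)


# Constructed snapshot of what is actually deployed at each layer.
DEPLOYED_FIREWALL = {("10.0.0.0/8", "10.20.0.5", 5432)}             # whole corporate network: too broad
DEPLOYED_GRANTS = {("alice", "payroll-db", "read"), ("bob", "payroll-db", "read")}  # carol missing, bob extra

if __name__ == "__main__":
    for finding in audit(HIGH_LEVEL, DEPLOYED_FIREWALL, DEPLOYED_GRANTS):
        print(finding)
```

The same refinement step is what makes “impact of a local change” answerable: re-running the audit after a firewall or grant change shows immediately whether the change is still justified by some high-level rule.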

More on Device-based Identity Management in Enterprises …

I have just published an HP Labs Technical Report (jointly written with a colleague) on device-based identity management, in an enterprise context:
http://hplabs.hp.com/techreports/2007/HPL-2007-53.html
This report describes R&D work done at HP Labs (a few months ago) to model and associate “strong” identities to devices; handle their provisioning within an organisation; and deal with access control systems taking into account combinations of users’ identities and devices’ identities.
This work aims at helping enterprises to better handle their appliances and devices by leveraging their current identity management solutions (at a middleware level) and ensure a reasonable degree of security and trustworthiness. We are also exploring links to “lower-level” aspects of “devices’ identities” (e.g. network-based identity aspects) – also taking into account input received in a previous post.
Your comments and input are welcome.
And … do you see a similar interest in handling devices’ identities from an end-user’s perspective? What would be users’ motivations?

On Identity Predictions: what about Liberty Alliance and OpenId?

I’ve found an interesting post about “Identity Predictions for 2007” (http://duckdown.blogspot.com/2007/04/identity-predictions-for-2007.html) in the “Enterprise Architecture: Thought Leadership” blog. A prediction is that: “The vast majority of enterprises will remain confused about user-centric approaches to identity and will stick to what they know best, building site-centric identity providers. This trend will occur for at least another five years...”.
What is your view on this? As a researcher I recognise the potential and value of user-centric identity management approaches and the need to contribute with R&D activities in this space – along with exploring their implications for enterprises - but at the same time I see a lot of confusion and hype in this space.
For example, it is currently unclear how Liberty Alliance and OpenID are respectively positioning their approaches and solutions (in the user centric IdM space), with regards to single-sign-on, federation and user identifiers. An interesting presentation from Eve Maler (http://colab.cim3.net/file/work/Expedition_Workshop/2007-02-27_IdentityManagementExploration/Maler_SAML_Liberty_20070227.pdf) only provides some high-level hints.
These initiatives have (at least conceptually) many aspects in common. So far I’ve not found detailed comparative analysis and discussions about the future of these initiatives, discussions on their potential “convergence” and their plans to bring user-centric IdM in the enterprise space. I am quite sure there must be something out there …
Are you aware of any document/discussion/forum about the above aspects that could provide more insights?

Identity Services: Hype or Reality?

I’ve noticed that there is a (relatively) new buzzword in the Identity Management space: “Identity Services”. This term is already overloaded, as it is used to refer both to technological solutions/services and consulting services.
Sticking with the “technological view”, an interesting post in the Burton Group Identity Blog (http://identityblog.burtongroup.com/bgidps/2007/03/the_latticework.html) provides some insights, a view on their work on “Latticework of Identity Services” and the fact that customers might need multiple Identity Services (such as authentication, authorization, provisioning, credentialing services, etc.).
I noticed that Liberty Alliance provides an “Identity Service Interface Specification” (http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_sis_1_0_specifications).
Another post in the Loosely Coupled blog (http://www.looselycoupled.com/blog/lc00aa00124.html) makes a case for the need for “Identity Services” (as killer apps) in SOA and Web 2.0 contexts.
However, I am still struggling to see (at the very core) what the novelty on “Identity Services” is and how this would be different from what is already available today. Would an Identity Provider (IdP) be an example of an entity providing “Identity Services”, such as authentication, SSO, etc.?
What characterises an “Identity Service”? What are its key properties and features? What should be done differently from today? Are standardisation, interoperability and openness key requirements?
In my quest for better understanding of “Identity Services” and their implications for organisations and end-users, your input and views are really welcome …

Identity Assurance for Federated Identity Management – More on this topic …

I (and two colleagues of mine) have just published an HP Labs Technical Report providing more details about our vision of “Identity Assurance”, in particular in Federated Identity Management contexts (see my previous related post: http://h20325.www2.hp.com/blogs/mcm/archive/2007/03/27/2876.html) and related technologies.
Given the current status of Federated Identity Management solutions, we believe that more work is required to convey trust among the stakeholders (i.e. IdPs, SPs and end-users) both by communicating the nature of the assurance framework and that risks are successfully being mitigated. We aim at improving assurance when managing identities also by automating key enforcement points. Here is the link to our technical report: http://www.hpl.hp.com/techreports/2007/HPL-2007-47.html
Enjoy and feel free to comment …

So what is the next big thing in the Identity Management space?

In my previous posts I started discussing my view and predictions. Much more to come … For the time being, I focused on a few topics that I believe will shape the future landscape of Identity Management:
  • User-centric Identity Management
  • Device-based Identity Management
  • Identity-capable Devices
  • Identity Management across multiple IT layers & heterogeneous domains
  • Federated Identity Management
  • Identity Assurance
  • Privacy Management
What is your view? What do you think will really matter to businesses and solution providers? What would instead be relevant to end-users?
Your comments are welcome …

On Privacy Management and Future R&D Directions …

I believe that Privacy Management is another important area that will shape the future of Identity Management. Too many misuses of personal data, unauthorized disclosures, identity thefts, etc. are happening today because of poor security and weak privacy management practices. Reputation and brand of enterprises and people’s lives are heavily impacted and undermined.
Privacy management, at the very core, is about handling, disclosing and managing personal data, user profiles and identities in a way that is consistent with people’s expectations, laws, legislation and enterprises’ guidelines.
From an enterprise perspective, privacy management is still mainly addressed by means of human processes and best-effort approaches that are costly and prone to mistakes. Very little automation is currently available, and integration with current identity management solutions is poor. I believe that more automation is required to cover the following aspects:
  • Operational aspects: this involves dealing with privacy-aware access control policies (i.e. how to access personal data based on stated purposes, consent, security constraints, etc.) and obligations policies (dictating expectations and duties on data retention, deletion, data transformation, notifications, etc.);
  • Compliance aspects: how to demonstrate that enterprise processes and identity management solutions are compliant with best practices, guidelines and policies, report on compliance and spot violations. This links to a previous post of mine on Identity Assurance (http://h20325.www2.hp.com/blogs/mcm/archive/2007/03/27/2876.html).
Key requirements include automation, scalability and easiness of integration with current identity management solutions and enterprise applications/services. This area is open to innovation and R&D contributions.
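The obligations side is the part most often left to manual processes. As an added example (written for this post, not HP Labs code), the Python below replays a constructed audit trail against the obligations attached to three personal-data records and reports which obligations were violated: a record kept past its retention limit, a record used after it had been deleted, and an access that was never notified to the data subject. It also lists the retention obligations still pending, which is the “report on compliance” half. The record format, event types and the seven-day notification window are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample: stored personal-data records, each carrying the obligations the
# data subject's consent attached to it (retention limit, notify owner on every access).
RECORDS = {
    "r1": {"owner": "alice", "collected": date(2007, 1, 10), "retention_days": 180, "notify_on_access": True},
    "r2": {"owner": "bob",   "collected": date(2007, 3, 1),  "retention_days": 365, "notify_on_access": False},
    "r3": {"owner": "carol", "collected": date(2006, 6, 1),  "retention_days": 90,  "notify_on_access": False},
}

# Constructed audit trail: (day, event, record id, detail). In practice this would come
# from the identity management and data store logs.
EVENTS = [
    (date(2007, 5, 2),  "access", "r1", "billing"),
    (date(2007, 5, 2),  "notify", "r1", "alice"),
    (date(2007, 6, 15), "access", "r1", "marketing"),   # never notified to alice
    (date(2006, 8, 20), "delete", "r3", ""),            # deleted before its deadline
    (date(2007, 7, 1),  "access", "r3", "billing"),     # use of data after deletion
]


def delete_deadline(rec):
    return rec["collected"] + timedelta(days=rec["retention_days"])


def pending_obligations(records, events, today):
    """Retention obligations still open on `today` (ISO string): not deleted and not yet overdue."""
    today = date.fromisoformat(today)
    deleted = {rid for _, e, rid, _ in events if e == "delete"}
    return sorted((rid, delete_deadline(rec).isoformat()) for rid, rec in records.items()
                  if rid not in deleted and delete_deadline(rec) >= today)


def check_compliance(records, events, today, notify_window_days=7):
    """Replay the audit trail up to `today` (ISO string) and return violated obligations
    as (record id, obligation, detail) tuples."""
    today = date.fromisoformat(today)
    events = [ev for ev in events if ev[0] <= today]
    violations = []
    deleted_on = {rid: d for d, e, rid, _ in events if e == "delete"}

    # 1. Retention: every record must be deleted by its deadline.
    for rid, rec in records.items():
        deadline = delete_deadline(rec)
        done = deleted_on.get(rid)
        if done is None and today > deadline:
            violations.append((rid, "retention", f"not deleted by {deadline}"))
        elif done is not None and done > deadline:
            violations.append((rid, "retention", f"deleted late on {done}"))

    # 2. No use of data after its deletion (a deleted record must be gone everywhere).
    for d, e, rid, detail in events:
        if e == "access" and rid in deleted_on and d > deleted_on[rid]:
            violations.append((rid, "access-after-deletion", f"{detail} on {d}"))

    # 3. Notification: each access to a record flagged notify_on_access must be followed
    #    by a notification to its owner within the window.
    notifies = [(d, rid) for d, e, rid, _ in events if e == "notify"]
    for d, e, rid, detail in events:
        if e == "access" and records[rid]["notify_on_access"]:
            window_end = d + timedelta(days=notify_window_days)
            if not any(r == rid and d <= nd <= window_end for nd, r in notifies):
                violations.append((rid, "notification", f"access for {detail} on {d} not notified"))
    return violations


if __name__ == "__main__":
    for v in check_compliance(RECORDS, EVENTS, "2007-07-31"):
        print("VIOLATION", v)
    print("pending:", pending_obligations(RECORDS, EVENTS, "2007-07-31"))
```

The point of replaying the trail rather than checking state is that the third violation (an access followed by no notification) and the second (use after deletion) are invisible to a snapshot of the data store; only the sequence of events reveals them.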
From a user perspective, privacy management solutions are required to help people to better handle their personal data, control their data disclosures and their interactions with organizations. Key requirements are effectiveness in achieving this, simplicity and usability. In particular I believe that work on reputation and trust management can provide a different angle and approach to achieve this, rather than just checking/matching for privacy properties – as done in P3P-based (and related) approaches.
A key role can also be played by future generation of “Identity-Capable Devices” (see current work in Liberty Alliance – Advanced Client Technologies) that can help and assist end-users when interacting with other parties, by assessing the overall interaction context and compliance to built-in policies.
At HP Labs we have been working for a while in the privacy management area. You might be interested in having a look at some of our current results and related technical reports (http://www.hpl.hp.com/personal/mcm/Documents/Documents.htm). Much more work is required…
You might also find some interesting material about work going on in the privacy management space in the EU PRIME project (https://www.prime-project.eu/).

On Identity Assurance in Enterprises …

What is “Identity Assurance”? Why should enterprises care? If you browse the web you will find a wide set of “answers”, mainly centred on “solutions” that range from “biometric” products to more comprehensive approaches involving management of identity processes and involved risk.
Actually, an IAAC position paper on Identity Assurance brings some clarity to this space (http://www.iaac.org.uk/Portals/0/identity_management_paper_v1-7.pdf). It does a good job of describing this concept and identifying the relevant aspects and issues.
Identity Assurance is ultimately concerned with the proper management of risks associated with identity management. It is about the “process” of ensuring that identity management is under appropriate control.
Why should enterprises care? In many senses identity management is a mature discipline within enterprises. There are standard technologies for single-sign-on, directories and for group- or role-based access control. However, many aspects remain procedural and reliant on people doing the right things. This makes identity assurance difficult.
As industries move more to outsourcing of IT, business processes, and ultimately to federated services the reliance on process and people becomes more problematic. Such approaches seem unlikely to address questions such as: how a business can convince an auditor that they have sufficient control and visibility of the people and processes being applied by service providers a few steps away and outside of their control. Identity assurance is all about ensuring that these processes are well controlled and therefore risk is mitigated.
This is particularly true in the context of federated identity management where identity providers and service providers rely on each other to ensure that the right identity management processes are in place, that identity information is disclosed and used for the right purposes, consistently with users’ expectations.
So, I believe that Identity Assurance is another key area that will be subject to investments and R&D activities in the coming years – in order to deal with a growing demand in the compliance management and risk mitigation areas. I will come back to this topic with future posts …
A “spin-off” of this area would be bringing aspects of Identity Assurance back to end-users (e.g. customers), in a suitable and intuitive way, to boost their trust and reputation in organizations. How this can be done, in a suitable way, is really open to investigation and research …
Have you had any experience in the Identity Assurance space? What is your view?

A Longer-Term View on Federated Identity Management …

There is no doubt that Federated Identity Management is a hot topic and an area where more and more investments, activities and R&D efforts are going to take place.
However, I personally believe that the current situation is quite confusing – in particular for enterprises and organizations that want to be early adopters. There are too many initiatives, standardisation activities and toolkits (e.g. Liberty Alliance, WS-Federation, InfoCard/CardSpace, OpenId, etc. – just to mention a few) to track - some of them technically divergent, others overlapping in terms of functionalities. The current lack of coordination and (sometimes) cooperation is not easing the pain.
It is true that aims and goals in a few cases are reasonably different (e.g. Liberty Alliance --> Identity Federation whilst WS-Federation --> federation of Web Services – even if they partially overlap and in some points they technically diverge - http://projectliberty.org/liberty/files/whitepapers/liberty_alliance_ws_federation_a_comparative_overview) but the increasing number of “emerging” initiatives does not help to bring clarity. I believe a lot of effort will be required in the months/years to come, to clearly position these initiatives in the “federated identity management” space along with the value they bring.
A key aspect that I believe will further influence the “federated identity management” area is the increasing need (for trust, security and privacy reasons) to reconcile different types of identities at different levels of abstraction in the IT stack (e.g. users’ identities, devices’ identities, network identities, etc.) and potentially allow their usage in a coordinated way within federated scenarios. This is an interesting - and at the same time very complex - research area.
Again, I would like to stress my point that in addition to the current “horizontal” federated identity management efforts, there is going to be an increased need and attention for “vertical identity federation” within an organization’s IT infrastructure – to reconcile and handle different types of identities (at different IT stack levels) to provide more secure and trustworthy authentication and access to enterprise resources. Could a blend of “SOA initiatives”, SAML assertions and federated SSO be a possible way to move forwards (e.g. http://news.zdnet.com/2100-1009_22-5535345.html)? It is not so obvious to me. I see this as another very interesting research space, quite overlooked for the time being.
What is your view on the future of Federated Identity Management (either across organizations or within an enterprise)? What do you believe are the key issues, aspects, needs and requirements that will shape this space? Feel free to comment …

On Identity Management across multiple IT Layers - in Enterprises …

Different “types” of identities are currently used in enterprises, including:

  • Network identities
  • System/device identities
  • Application/Service identities
  • User identities

Each type of identity is mainly “relevant” at a specific layer in the enterprise “IT stack”; however, all of them together define the current operational context, which is important for making decisions that affect the business (e.g. in the case of access control, the current context might be determined by a user’s identity and roles, the fact that he/she is trying to access an application/service, and the specific device, connected to a portion of the corporate network, from which the access is attempted).
So far the management of these identities has been done in a “compartmentalized” way, at different levels of abstraction: different provisioning, access control and auditing solutions are required, each of them operating almost independently from the others. Different types of policies and enforcement mechanisms are used. This creates duplication of resources/effort, headaches for IT administrators and potential security holes.
I believe that in the future there will be more and more demand for integration of identity management solutions to uniformly and consistently handle heterogeneous types of identities, improve control and further simplify related processes. Hence, in addition to “horizontal” identity federation - across multiple players/organizations, I predict there will be an increased need and attention for “vertical” identity federation within an organization’s IT infrastructure. Have a look at http://www.hpl.hp.com/techreports/2003/HPL-2003-149.pdf for some initial thoughts about this concept and a related “Adaptive Identity Management” framework …
I believe this is a challenging area and, at the same time, a great opportunity in the Identity Management space.

On Identity-capable Devices and Liberty Alliance related Work …

Do you trust your appliances and devices to store your (identity) information and release it only in well-defined circumstances? What *real* control do you have over data stored on your devices? How can unwanted accesses to, and disclosures of, your personal information be avoided?
Wouldn’t it be nice to think of your device as a trusted “Personal Identity Hub”, where you can safely store identity information and which enables seamless connections, authentications and interactions with a variety of systems, service providers and other parties?
In my opinion there is no practical solution available today to address the above points that can provide - at the same time - the required level of simplicity, usability, trust and security.
This space is a green field, open to research and innovation. I think that some advances in this field have recently been made in Liberty Alliance with their specs proposal for Identity-capable Platforms (Advanced Client Technology specs). Have a look at http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_wsf_advanced_client_1_0_draft_specifications.
An Identity-capable Platform (ICP) is a platform/device that consists of a Trusted Environment in which an “Identity Manager” operates to handle the lifecycle of one or more “Manageable Identities”. This platform has mechanisms supporting Policy-controlled access to data and operations (e.g. which user can access each “Manageable Identity” and what can be done with it). An ICP can be provisioned with “identity tokens” in a secure, simple and trusted way via federated Provisioning Services and enable its users to participate in Federated Services scenarios.
Have also a look at the work done by Intel, BT and HP/HP Labs about a related demonstrator shown at a Liberty Alliance workshop at RSA 2007 - http://projectliberty.org/resource_center/presentations_webcasts/rsa_conference_workshop_liberty_alliance_identity_standards ...

On Device-based Identity Management in Enterprises …

Here are some thoughts on devices, devices’ identities and implications for identity management solutions in enterprises … What is your experience in this space? Your comments are welcome.
There is no doubt that devices (laptops, PDAs, mobile phones, etc.) are pervasive in today’s society. Some of these devices are normally used both for work-related matters and for personal matters: the separation between work, public and private aspects of people’s life is more and more blurred.
From an enterprise perspective, this introduces additional risks and threats, in particular concerning the integrity of these devices and their trustworthiness when accessing enterprise intranets and networked resources. Private devices (e.g. personal laptops, etc.) can also be used at work, with potentially lower security and assurance levels (e.g. regarding installed software, patch control, local access control settings, etc.) than the ones mandated by enterprise security administrators. Current enterprise services, applications and information are mainly protected by traditional access control systems that usually take into account only human-based identities (via login/passwords, digital certificates, etc.) or, in more advanced situations, only human-based identities that are strongly bound to a given device.
I believe that, to have better control of managed resources, it is going to be more and more important for enterprises to explicitly identify devices, along with their properties, i.e. to consider the identity of a device either as a self-standing entity or as one of a group of known entities. Furthermore, trust and assurance are required about the authenticity and validity of a device’s identity.
Dealing with devices’ identities and various degrees of associations to human identities is not trivial. This has an impact on current identity management solutions, as it involves:
  • making decisions on how to model devices’ identities;
  • provisioning them to enterprise systems and solutions;
  • dealing with their lifecycle;
  • setting proper access control policies (covering various “combinations” of users’ identities and devices’ identities) and enforcing them;
  • dealing with trust and assurance aspects.
I am not aware of any solution/approach addressing all these aspects and “simultaneously” handling different types of identities (e.g. network-level identities, device identities, users’ identities, etc.). Any comment?
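As an added illustration (my own sketch, not any product or standard) of the “operational context” described above and of access control policies covering “combinations” of users’ and devices’ identities, here is a small policy evaluator that takes user, device and network identity into account at once. The device registry, policy fields and attribute names are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the identity "types" listed in this post: user, device, network.
@dataclass(frozen=True)
class UserIdentity:
    user_id: str
    roles: frozenset

@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str
    attested: bool      # authenticity/validity of the device identity was verified (assumed)
    managed: bool       # enterprise-provisioned device, or a private one
    patch_level: int    # constructed assurance attribute

@dataclass(frozen=True)
class Context:
    user: UserIdentity
    device: DeviceIdentity
    network_zone: str   # e.g. "corp" or "guest"
    service: str

# Constructed registry of known enterprise devices (the "group of known entities").
KNOWN_DEVICES = frozenset({"lt-0001", "lt-0002"})

# Constructed policies: each rule states which combination of identities a service
# demands. The field names are hypothetical, not taken from any product or spec.
POLICIES = {
    "intranet-portal": {"role": "employee", "known_device": False, "managed": False,
                        "min_patch": 0, "zones": {"corp", "guest"}},
    "payroll":         {"role": "finance", "known_device": True, "managed": True,
                        "min_patch": 3, "zones": {"corp"}},
}

def decide(ctx: Context) -> tuple:
    """Evaluate one policy over user, device and network identity together."""
    rule = POLICIES.get(ctx.service)
    if rule is None:
        return False, "unknown service"
    if not ctx.device.attested:          # trust/assurance about the device identity first
        return False, "device identity not attested"
    if rule["role"] not in ctx.user.roles:
        return False, "user lacks role " + rule["role"]
    if rule["known_device"] and ctx.device.device_id not in KNOWN_DEVICES:
        return False, "device not in known-device group"
    if rule["managed"] and not ctx.device.managed:
        return False, "private device not allowed"
    if ctx.device.patch_level < rule["min_patch"]:
        return False, "device patch level below policy"
    if ctx.network_zone not in rule["zones"]:
        return False, "zone " + ctx.network_zone + " not allowed"
    return True, "allowed"
```

The reason string is returned alongside the decision so that the same evaluation can feed an audit trail for each identity layer that contributed to the outcome.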

On User-centric Identity Management …

I think this area is really key to the future of Identity Management. In the past Identity Management (IDM) has primarily been Enterprise-centric (see my technical report on “Adaptive Identity Management” at http://www.hpl.hp.com/techreports/2003/HPL-2003-149.html ). Of course, this was and *is* very important, to enable enterprise businesses and their interactions with people. However, for a while, the “end-user” perspective has been considered a secondary aspect and overlooked: for example, users’ interactions are not simple and intuitive, little space is left to customisation and preferences, little control is left to users when their data is disclosed.
Current initiatives are putting the user back to the centre of Identity Management solutions and making steps to cover these gaps. In particular, I think that some noticeable initiatives are:
a) Liberty Alliance (LA) work to enable simpler users’ interactions in federated service contexts. Particularly interesting are recent draft specs on “Advanced-client Technologies” to provide a simplified user experience by means of trusted and secure devices that can be provisioned with “identity token” and can operate in a disconnected way (from Identity Providers) whilst accessing federated services (http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_wsf_advanced_client_1_0_draft_specifications). A related Pilot based on these specifications has been presented and demonstrated at a RSA 2007 Workshop (http://projectliberty.org/resource_center/presentations_webcasts/rsa_conference_workshop_liberty_alliance_identity_standards).
b) Various "Identity 2.0" initiatives (in the context of Web 2.0), in particular Microsoft InfoCard and OpenId. These initiatives are covered and discussed in details in many blogs, e.g. Identity 2.0 Blog (http://identity20.com/) and Kim Cameron’s Identity Blog (http://www.identityblog.com/).
All good stuff. However, I believe that to succeed and gain wider adoption on the user side, Identity Management solutions still need to address additional key aspects that are currently underestimated:
1) Trust, reputation, privacy and assurance aspects of identities. Handling them in a simple and intuitive way from a user perspective (I’ll come back with future postings on these points …);
2) Integration of “User-centric Identity Management” aspects with “Enterprise-based Identity Management” solutions – to provide a seamless experience to people when playing multiple roles (at home, at work, etc.);
3) Portability of identities (along with related policies dictating usage criteria) and their seamless access and usage across multiple devices and services.
What is your view about the future of User-centric Identity Management?

What is the future of Identity Management?

As you might guess, there is no unique or trivial answer …
We are currently witnessing a fast acceleration of innovation in this space, consisting of the introduction of new technologies and solutions, standards and initiatives – which target people, their social interactions and organisations. Various material is available online with predictions of which identity management topics will be relevant in the short term – including some interesting blogs: for example, Eric Norlin’s Predictions for 2007 (http://blogs.zdnet.com/digitalID/?p=80) or Mark Dixon’s Identity Trends (http://blogs.sun.com/identity/entry/identity_trends_what_do_you) – just to mention a few.
However, what is going to happen in 10 years’ time? Here is my guess at the key aspects that will shape the future:

  • User-centric Identity Management
  • Device-based Identity Management
  • Identity-capable Devices
  • Identity Management across multiple IT layers & heterogeneous domains
  • Federated Identity Management
  • Identity Assurance
  • Privacy Management

I am going to be posting entries covering these topics and my thoughts on their long-term impact … Stay tuned!

Welcome to my new blog

Welcome to my new blog on Identity Management. This blog aims at discussing trends, new technologies/solutions and innovative aspects of Identity Management - in a variety of contexts. I have been working for a few years in the space of Identity and Privacy Management as a researcher at HP Labs (http://www.hpl.hp.com/personal/mcm/). The Identity Management space is rapidly changing and evolving: let’s discuss its medium/long-term implications and new opportunities.