Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, October 29, 2007

New ENISA Position Paper: Security Issues and Recommendations for Online Social Networks

ENISA has recently released a position paper, called “Security Issues and Recommendations for Online Social Networks” (available online, here) – Editor: Giles Hogben (ENISA):

“This paper aims to provide a useful introduction to security issues in the area of Social Networking, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users.”

Specifically, it focuses on the following threats and recommendations:

  • Principal Threats: privacy related threats, information security threats, identity related threats and social threats;
  • Recommendations and Countermeasures: government policy recommendations, provider and corporate policy recommendations, technical recommendations, research and standardisation recommendations.

    “This paper is aimed at corporate and political decision-makers as well as Social Network application-providers. It also seeks to raise awareness among political and corporate decision-makers of the legal and social implications of new developments in Social Networking technologies. In particular, the findings should have important implications for education and data protection policy.”

--- NOTE: my original HP blog can be found here ---

Thursday, October 25, 2007

2012: A Day in the Life of John Webber

How will digital personae, identity management and web 2.0 impact, influence and reshape people’s lives and organisations over the next 5 years? What is going to be “hot” in 2012?

Difficult questions … A few colleagues of mine and I tried to explore future scenarios and opportunities in the space of digital identity and identity management. We wrote a story, “2012: A Day in the Life of John Webber”. We would like to share it with this community, to open a debate and exchange opinions. Enjoy it …

--- 2012: A Day in the Life of John Webber ---

“John Webber is a young, ambitious professional. He has a very intense life with interests spanning work, social and political aspects, many friends spread all over the world and a girlfriend. He is accustomed to using new technologies and web 3.0 services: he sees them as a way to simplify his life and enable the broad, rich set of personal and digital interactions that he requires on a daily basis in his life.

John works for a multinational enterprise. He uses his mobile appliances (laptop, office PC, smartphone, etc.) in an interchangeable way, to interact with colleagues, send/receive multimedia e-mails and edit reports and critical information for his company. On a daily basis he accesses state-of-the-art enterprise services, to collaborate with project colleagues all over the world. This is a simple and gratifying experience thanks to the latest generation, enterprise web 3.0 collaborative, integrated services – where multimedia information is easily collected, stored and indexed for future usage, as well as securely and privately protected, based on the “value” of the content.

John gets access to all these services with his “personae-selector” (virtual) device, installed on his Smartphone. Recognizing John using multiple biometric sensors, the device suggests a persona relevant to the current context or allows John to override the automatic selection. This (virtual) device securely interacts with John’s other devices and with authorised enterprise devices (including that new, secure Printer, and associated Print 3.0 services, recently deployed in John’s office).

John is aware that to be successful in his job, he needs to have constant interactions with other professionals and experts around the world: he wants to exchange opinions and have an early understanding of new trends and exciting initiatives. This is now a recognised need and common practice within modern enterprises.

John runs a few interactive, multimedia external blogs to expose his views, start discussions and get feedback. He is aware of the confidentiality aspects that might arise from his interactions with external people: he uses ad-hoc personae to interact with these services, exposing a profile and information compatible with his company’s business policies and his privacy preferences. An online, trusted “personal guardian angel” service, accessible via his “personae-selector” (virtual) device, helps him to handle these different personae and to get reminders about the context he is interacting with.

The multinational he works for is aware that people and information are the most valuable assets these days. On one hand it recognises the need to enable collaborative interactions of its employees with the external world. On the other hand it is aware of potential risks and threats for its own security and businesses.
Thanks to the new generation of “Identity Risk Management and Assessment” services jointly run by the CIO/CPO Offices, enterprise officers periodically scan various sources on the web (including social networks, blogs, etc.) for any improper leak of confidential data or information that could harm enterprise business and employees. This service provides reports on critical issues and confidential, personalised suggestions (on how to mitigate risks) to employees, in case of any problem.

Today, John works from home. It is his girlfriend Alice’s birthday. This is a special occasion he wants to celebrate properly. By using his home laptop he accesses his preferred “federated service provider community” and in a few minutes makes all the required arrangements to celebrate this event: buying Alice’s preferred flowers at “Flowers’R Us”, arranging for an exclusive dinner at the “Genuine Italian Food Restaurant” and buying that jewellery ring that Alice desired so much.
From his laptop John securely links to his “personae-selector” (virtual) device to authenticate and access these various service providers in a transparent way – thanks to their integrated single-sign-on capabilities (via interoperable Liberty Alliance 3.0, OpenId 3.0 and CardSpace 3.0 protocols). In 5 minutes, he buys flowers (to be delivered at the restaurant), arranges for a table at the restaurant and buys the present for Alice. His interactions with these service providers are smooth and simple, as they are mediated by a “joint-collaboration” between his “personae-selector” device and the “personal guardian angel” service, which ensures that a “personae-handover” process happens across the various service providers (i.e. different personae are automatically used in different contexts) and that the right credentials (including credit card details) and contextual data are exposed based on John’s privacy preferences and interaction policies.

The service providers involved above use the latest, state-of-the-art “Personae-aware” Identity and Privacy Management Services to seamlessly engage in federated contexts and properly handle and process personal information disclosed by John. They ensure his privacy preferences are enforced along with current world-wide (privacy and data protection) legislation. They also use a new generation of “Risk Management and Assessment” services to check their own compliance with business objectives and legislation and automatically report any violation (and start remediation steps). Consistent with this, they offer John a tailored (persona-aware) service experience, suggesting a customised but not invasive interaction.

It is still early for John to meet with Alice. A good opportunity for John to socialise with his friends spread all over the world and engage in these social networks he likes so much. John connects to a few of them by using appropriate personae (thanks to the help of his “personae-selector” device) and starts posting and chatting.

John is aware that he is using multiple personae, and of the implications and possible risks that exposing information on the web could have, such as correlation, deductions and misuse of this information to commit crimes. His trusted “personal guardian angel” service helps him keep track of his personae, automatically updating changes and providing additional, useful services. John chooses to have all his interactions on the internet monitored by his trusted “personal guardian angel” service: he configures it to monitor his social network interactions and warn him of any danger, in particular related to disclosure of personal details and information. This has been a wise choice: the interaction with a new guy, Charles, a friend of his friend Bob, is strange. His questions and requests for work information are going in a direction that could be dangerous. The “personal guardian angel” service warns John of the risks of disclosing some information and the implications this could have for his work and social life. John decides that it is best to drop the call …

Reminded of these potential dangers, John, whilst he is dressing up to go out with Alice, starts a “Personae-Risk Scan” check via his “personal guardian angel” service. This checks for any information directly/indirectly exposed on the web or via his various social network links (Facebook 3.0, MySpace 3.0, LinkedIn 3.0, YouTube 3.0, Second and Third Life 3.0, etc.) and service accounts. It compares retrieved information against perceived threats and risks and provides a meaningful, user-friendly report along with suggestions on how to mitigate problems. This time John is lucky: nothing to worry about.

Alice is going to be a little bit late. Why not do a back-up of John’s “personae-selector” (virtual) device, as prompted by the device itself? After all, it is a “virtual” device: a few seconds and its entire content is securely copied and protected in his new Smartphone, along with an image of its personae and preferences.

This was a good move: at the restaurant, perhaps distracted by the good Italian food, a thief steals his current Smartphone with his “personae-selector” (virtual) device. No problem: just the hassle of reporting this (online) to the police. He can carry on celebrating with Alice.

The thief didn’t realise he had no way to access the content and use the device, thanks to its biometric-based protection and encrypted content. It is a “useless tool” to be thrown away at the first opportunity. So he does.
This is good for John: the discarded device is quickly located via GPS and the collaboration with its “personal guardian angel” service. The device is back home the next day.”

Tuesday, October 23, 2007

Part II: CIMIP to Release Landmark Study on Identity Theft

As anticipated in my previous post, “CIMIP to Release Landmark Study on Identity Theft”, the CIMIP report, called “Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement”, has been released. It can be downloaded, for free, here.

The executive summary of this report mentions that: “The purpose of this study was to provide empirical evidence on which law enforcement can base enhanced proactive identity theft control and prevention efforts. It focuses on identity theft offenders, which sets it apart from previous surveys and other research which have centered on identity theft victims. As a result of the study of closed United States Secret Service cases with an identity theft component (2000-2006), empirical data concerning the key factors relevant to the criminal behavior of identity thieves and the conditions under which that behavior occurs are available to law enforcement agencies and corporate security and fraud investigators for the first time.”

This report covers various topics, including: Goals and Values of the Study, The Empirical Approach, Findings, The Offenders, The Commission of the Crime, Victimization, Recommendations and Conclusions. It is worth reading: it provides an interesting perspective and analysis of identity theft based on factual information.

Sunday, October 21, 2007

CIMIP to Release Landmark Study on Identity Theft

This could be of interest to the Identity Management Community. A recent article written by Amanda Damiano (“CMIP to Release Landmark Study”) reveals that:

“On Monday (Oct. 22), Utica College’s Center for Identity Management and Information Protection (CIMIP) will release the results of a landmark study of closed U.S. Secret Service cases involving identity theft. The study, which will reveal new findings about identity theft perpetrators, victims, and methods, marks the first time the U.S. Secret Service has allowed review of its closed case files on identity theft and fraud. The research will be of particular value to government, law enforcement and corporate entities whose mission is to prevent, detect, investigate or prosecute identity theft crimes, said Gary R. Gordon, executive director of CIMIP and professor of economic crime at Utica College. Information on insider threats, points of compromise, and vulnerabilities will be of specific interest to chief security and chief information officers across many industries, including financial services and retail corporations, Gordon said.”

These results will be released at the 18th annual ECI (Economic Crime Institute) Conference (October 21-23), this year focusing on the topic: “Identity Management and Information Protection: Research and Action”.

Friday, October 19, 2007

On the Joy of Having Multiple (Digital) Personae …

Having multiple “digital personae” (i.e. identity profiles that provide a different “view” of an individual, depending on the context, service, location, etc.) is undoubtedly useful. Different concerns, roles, interests and priorities can be conveyed in this way, and your interactions on the web can be simplified (and in some way “compartmentalised”).

But what about its potential risks? What about the potential correlations that can happen by linking together and analysing your personae (for example the ones you use at work, in social networks such as Facebook, LinkedIn and MySpace, in your service accounts, in your blog postings, etc.)? What would be the future consequences?

Having a sort of personal “Identity Leak” service, providing an overview of your “current situation” and warning you about potential threats and risks, would not be bad …

Wednesday, October 17, 2007

Making a case for the “Identity Leak” Service …

A recent article by Tom Bowers, called “Smart security testing on the cheap”, makes a few good points:

“Most executives in a company are focused on building on the company's strengths. The chief information security officer, however, must look through a different lens. The job of the security chief is to measure the risks to the business, and then to work to reduce them. That means focusing on weaknesses, namely on weaknesses in the company's networks, systems, and business processes. It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly. …”

Now, have a look at the “Google Hacking Database” mentioned in the article. The key point that Tom makes here is that similar techniques could be used to “find privacy data of your employees that may have leaked to the Internet from your network”. This is actually important.

Given an enterprise, which confidential information has been disclosed/leaked (and for which reasons) on the web? Which (personal/business) information about people (in their roles as employees and private people) has been disclosed that could be used for cross-correlations and inferences about enterprises businesses or individuals?

In the context of current discussions about “Identity Providers”, it might also make sense to think about “Identity Leak” Services (or, if you prefer, more generally “Information Leak” Services) … providing (for a fee?) consolidated information about leaked data (for a user, an organisation, in a specific area/context) AND potential predictions about risks and threats for the involved entities.

Something to think about …
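As an added illustration (not code from the original post, nor a tool Tom Bowers describes), the Python script below sketches the two halves of such a service: building GHDB-style search queries for an organisation, and, as the detection step, scanning page text for leaked corporate e-mail addresses, internal hostnames, phone numbers, credentials and project keywords, then correlating identities across sources. The domain “acme.example”, the “.corp.acme.example” suffix, the project name “Falcon”, the severity weights and the four sample “pages” are all constructed for the example; nothing is fetched from the web.

```python
"""Toy 'identity leak' scanner in the spirit of the Google Hacking Database.

Added example, not code from the original post. The "pages" below are
constructed sample text standing in for search results, so the script
runs offline; every name, address, hostname and value is made up.
"""
import re
from collections import defaultdict

# Constructed sample "search results": (source, text). Entirely made up.
SAMPLE_PAGES = [
    ("social-network",
     "Hi, I'm Bob Smith, I work at Acme on project Falcon. "
     "Mail me at bob.smith@acme.example or call +44 1234 567890."),
    ("blog",
     "Build box intranet-build01.corp.acme.example is down again since the "
     "Falcon release. Ask bob.smith@acme.example or alice.jones@acme.example."),
    ("paste-site",
     "config dump: db_user=falcon_admin db_pass=Sup3rS3cret host=db7.corp.acme.example"),
    ("news",
     "Acme announces quarterly results; press contact: press@acme.example"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d){8,}")
CRED_RE = re.compile(r"(?i)(?:pass(?:word)?|pwd|secret)\s*[=:]\s*\S+")

# Rough severity per kind of exposure; highest for things that hand an
# attacker a foothold. Assumption: weights chosen for the example only.
WEIGHTS = {"email": 1, "phone": 1, "keyword": 1, "hostname": 3, "credential": 5}


def build_dorks(domain, internal_suffix, keywords):
    """Search queries a GHDB-style assessment would issue for an organisation.

    Only the query strings are produced; issuing them against a search
    engine is outside this offline example.
    """
    dorks = [
        f'"@{domain}" -site:{domain}',           # corporate mailboxes on third-party sites
        f'"{internal_suffix}" -site:{domain}',   # internal hostnames mentioned in public
    ]
    for kw in keywords:
        dorks.append(f'"{kw}" "{domain}" (filetype:pdf OR filetype:xls OR filetype:doc)')
    return dorks


def scan_pages(pages, domain, internal_suffix, keywords):
    """Extract leaked identifiers from page text; returns a list of findings."""
    host_re = re.compile(r"\b[\w-]+(?:\.[\w-]+)*" + re.escape(internal_suffix) + r"\b")
    findings = []
    for source, text in pages:
        def add(kind, value):
            findings.append({"source": source, "kind": kind, "value": value})
        for m in EMAIL_RE.finditer(text):
            if m.group(0).lower().endswith("@" + domain):  # only our mailboxes count
                add("email", m.group(0).lower())
        for m in host_re.finditer(text):
            add("hostname", m.group(0).lower())
        for m in PHONE_RE.finditer(text):
            add("phone", m.group(0))
        for m in CRED_RE.finditer(text):
            add("credential", m.group(0))
        lowered = text.lower()
        for kw in keywords:
            if kw.lower() in lowered:
                add("keyword", kw)
    return findings


def risk_report(findings, threshold=5):
    """Score each source and correlate which sources expose the same identity."""
    scores = defaultdict(int)
    identities = defaultdict(set)
    for f in findings:
        scores[f["source"]] += WEIGHTS[f["kind"]]
        if f["kind"] == "email":
            identities[f["value"]].add(f["source"])
    return {
        "scores": dict(scores),
        "high_risk": sorted(s for s, v in scores.items() if v >= threshold),
        "identities": {k: sorted(v) for k, v in identities.items()},
    }


if __name__ == "__main__":
    for q in build_dorks("acme.example", ".corp.acme.example", ["Falcon"]):
        print("dork:", q)
    found = scan_pages(SAMPLE_PAGES, "acme.example", ".corp.acme.example", ["Falcon"])
    print(risk_report(found))
```

The weights and the threshold are assumptions; a real service would tune them and would have to handle false positives (a press contact address is a deliberate disclosure, not a leak) as well as the legal side of fetching and retaining third-party pages.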

Monday, October 15, 2007

On the “Identity Oracle” and Improper Disclosures

I have been following with great interest the thread of discussions about the business concept of “Identity Oracle” and related posts by Bob Blakley, Kim Cameron (here and here), Jeff Bohren and Phil Hunt.

I wondered for a while about business models and business scenarios for “Identity Providers” (e.g. see here and here): the idea of the Identity Oracle can have some good, interesting potential.

However, there is one thing, about the Identity Oracle, that is puzzling me, based on what Bob Blakley wrote in his post:

“… The Identity Oracle charges GiCorp and other relying-party customers money for its services. The asset on the basis of which the Identity Oracle is able to charge money is its database of personal information. Because personal information is its only business asset, the Identity Oracle guards personal information very carefully.
Because disclosing personal information to relying-party customers like GiCorp would be giving away its only asset for free, it strongly resists disclosing personal information to its relying-party customers. In the rare cases in which relying parties need to receive actual personal data (not just metadata) to do their jobs, the Identity Oracle requires its relying-party customers to sign a legally binding contract stating what they are and are not allowed to do with the information. This contract contains indemnity clauses – if GiCorp signs the contract and then misuses or improperly discloses the personal information it receives from the Identity Oracle about Bob, the contract requires GiCorp to pay a large amount of cash money to the Identity Oracle, which then turns around and reimburses Bob for his loss. …”

How are improper disclosures of personal data going to be detected (in practice)? And what would an “improper disclosure” be (in practice)? Some misuse of credit card details? Spam e-mails?

I guess that to be a viable business, the Identity Oracle needs to have relationships with many Relying Parties – which themselves might have relationships with other parties. How to track the source of improper leakages/data misuses? Wouldn’t the cost of “forensic analysis” be potentially very high for the Identity Oracle (which, I assume, must make the first steps in investigating the incident and in finding the source of the improper disclosure)?

Wouldn’t this also be a potential source of fraud against the Identity Oracle, paradoxically generated by some of its own “customers”, trying to get money/compensation back by orchestrating “improper disclosures” and relying on the fact that it will be hard to pinpoint the culprit?

How would the legal framework help the Identity Oracle in these situations? I am afraid this might end up with very restrictive “terms & conditions” imposed by the Identity Oracle (to protect its own interests) that eventually won’t be of any benefit to honest users (the very large majority) in case of genuine identity misuse.
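One partial answer to the “how to track the source” and “orchestrated disclosure” questions above, as an added illustration and not a description of how Bob Blakley’s Identity Oracle works: release to each relying party a contact value that carries a keyed tag bound to that party, so that a copy found in the wild (in spam, on a paste site) points at exactly one contract, and no relying party can forge a value that implicates another. The Python below does this with an HMAC-tagged e-mail address; the key, the relay domain and the relying-party names are made up for the example.

```python
"""Tracing a disclosed value back to the relying party that received it.

Added illustration, not part of the original post and not a description of
an actual Identity Oracle design. The trick is the familiar "tagged address":
each relying party gets a per-party contact address for the subject whose
tag is an HMAC under a key only the oracle holds.
"""
import hashlib
import hmac

# Assumption: a secret held only by the oracle (in practice in an HSM or a
# key service, never in source code). Made-up value for the example.
ORACLE_KEY = b"example-oracle-key-do-not-use"
MAIL_DOMAIN = "relay.oracle.example"   # made-up relay domain


def disclosure_tag(key, subject, relying_party, length=10):
    """Short keyed tag binding one disclosure to (subject, relying party).

    Because it is an HMAC, a relying party cannot compute a tag that points
    at a competitor: a forged or altered tag simply fails to attribute.
    """
    msg = f"{subject}|{relying_party}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


class IdentityOracle:
    def __init__(self, key, mail_domain):
        self._key = key
        self._mail_domain = mail_domain
        self._contracts = {}   # relying_party -> set of subjects disclosed under contract

    def disclose(self, subject, relying_party):
        """Release a contact address for `subject` to `relying_party`."""
        self._contracts.setdefault(relying_party, set()).add(subject)
        tag = disclosure_tag(self._key, subject, relying_party)
        return f"{subject}+{tag}@{self._mail_domain}"

    def attribute(self, leaked_address):
        """Name the relying party a leaked address was released to.

        Returns None when the address is not one of ours (wrong domain,
        no tag, or a tag that matches no contract, i.e. a forgery).
        """
        local, _, domain = leaked_address.partition("@")
        if domain != self._mail_domain or "+" not in local:
            return None
        subject, _, tag = local.rpartition("+")
        for rp, subjects in self._contracts.items():
            if subject in subjects and hmac.compare_digest(
                    tag, disclosure_tag(self._key, subject, rp)):
                return rp
        return None


if __name__ == "__main__":
    oracle = IdentityOracle(ORACLE_KEY, MAIL_DOMAIN)
    for_gicorp = oracle.disclose("bob", "GiCorp")
    for_shopco = oracle.disclose("bob", "ShopCo")
    print(for_gicorp, "->", oracle.attribute(for_gicorp))
    print(for_shopco, "->", oracle.attribute(for_shopco))
    print("forged ->", oracle.attribute("bob+0123456789@" + MAIL_DOMAIN))
```

The caveat is the one the post raises: this traces a value only to the first recipient, so if GiCorp passes the data to a subcontractor the trail stops at GiCorp (which is what the indemnity contract makes it liable for), and it says nothing about attributes that cannot carry a tag, such as a date of birth.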

I would be very interested in getting opinions and views about the above aspects.

Call for Papers: IEEE Workshop Policy 2008 (2-4 June 2008, NY)

The call for papers for Policy 2008 is now available online:

“POLICY 2008 is the 9th in a series of successful workshops, which since 1999 have provided a forum for discussion and collaboration between researchers, developers, and users of policy-based systems. This year, in addition to the latest research results from the communities working in any area of policy-based management and computing, we encourage contributions on policy-based techniques in support of all types of wireless networks: cellular, Wi-Fi, Mobile Ad Hoc, hybrids, etc.
Policy 2008 aims to bring together researchers and practitioners working on policy-based systems across a wide range of application areas including networking, privacy and security management, storage area networking, enterprise systems, and the Web.”

Topics of interest are classified in the following categories:
  • Policy models and Languages
  • Policy Applications
  • Policies in Wireless Networks

Identity management, privacy and security are key topics of this workshop. Please consider submitting a paper.

More information about call for papers, Organising Committee and Program Committee is available online.

Friday, October 12, 2007

The Open Group: Whitepaper on “Information Security Strategy” - Version 1.0

The Open Group has announced that their Information Security Strategy white paper is now published on The Open Group's online bookstore (a free PDF version is available on the Web). It is about a “Framework for Information-Centric Security Governance”:

“This White Paper proposes a new framework for ensuring enterprise-level information security that reflects current realities of enterprise, network, and information sharing and access. … It was developed by the Security Forum in collaboration with the Cyberspace Law Committee, Business Law Section, of the American Bar Association, who are also publishing it.”

This document is a high-level, strategic-oriented white paper but it should be of interest to the Identity Management community. After all, identity is a “special kind” of information …

Wednesday, October 10, 2007

Part III - PLING: the W3C Policy Languages Interest Group

I have been asked by a few people what a new group member should discuss once involved in the W3C Policy Languages Interest Group (PLING).

I am sure that the discussions of this interest group and priorities will evolve and adapt over time, also based on the interests of this group. Of course, Renato and I will provide some input and guidance.

For the time being, I would personally encourage a new group member to start by sharing his/her own perspective/experience on:
  • What kinds of policies (and languages) do you (or your organisation) use, and for which purposes (e.g. security, access control, privacy, federated IdM, etc.)?
  • In which contexts, environments (e.g. network, system, application, service, business levels, etc.) are policies deployed and used?
  • Do you need to deal with heterogeneous sets of policies? Do you have interoperability problems? How do you currently keep them consistent and up-to-date?
  • Any relevant use cases and scenarios you would like to share with the group/community?
  • Which issues did you come across (if any) when handling policies?
  • What are the major pain points and limitations (if any) of current policy languages and related policy management systems?
  • Any policy requirement or need you would like to share with the group?

Tuesday, October 9, 2007

Part II - Announcing PLING: the W3C Policy Languages Interest Group

In a previous post, I announced the creation of the W3C Policy Languages Interest Group (PLING) and briefly discussed the scope and mission of this group.

As a first step, I would like to invite people, interested in discussions on policies, policy interoperability, use cases, issues and requirements, to subscribe to the PLING Mailing list and start sharing their experiences and views.

We are also considering organising a PLING panel at WWW 2008. Your input on topics of interest to be discussed in this panel (along with your priorities) is welcome.

Monday, October 8, 2007

Call for Papers: 23rd International Information Security Conference – SEC 2008

The Call for Papers for SEC 2008 (Milan, Italy – September 8-10, 2008) is now available online:

“The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of computer security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results.”

In particular, topics of relevance to the “Identity Management” area include:
  • Access control
  • Electronic frauds
  • Anonymity
  • Accounting and Audit
  • Smartcards
  • Data and application security
  • Risk analysis and risk management
  • Data protection
  • Privacy-enhancing technology
  • Trust management
  • Trust models
Paper submissions are due by January 10, 2008. More details about Important Dates and Committees are also available online.

Thursday, October 4, 2007

Announcing PLING: the W3C Policy Languages Interest Group

I am proud to announce the creation of the W3C Policy Languages Interest Group (PLING). Renato Iannella (Research Scientist, NICTA, Australia) and I (Marco Casassa Mont, Senior Researcher, HP Labs, UK) are going to be the co-Chairs. Thomas Roessler and Rigo Wenning (W3C) are the initial Team Contacts:

“The Policy Languages Interest Group, part of the Privacy Activity, is a forum for W3C Members and non-Members to discuss interoperability questions that arise when different policy languages are used in integrated use cases, along with related requirements and needs”.

I would like to encourage people that have interests in the area of policy languages, interoperability, privacy, etc. to engage and share their experience, requirements, use cases and open issues. A PLING Mailing list is available.

The PLING Charter provides information about the PLING mission, scope, deliverables, participation, communication and obligations. The proceedings of this Interest Group (mailing list archives, minutes, etc.) are going to be publicly visible.

The mission of this interest group is the following:

“The Policy Languages Interest Group is a forum for W3C Members and the public to discuss interoperability issues - along with related requirements and needs - that arise when using a variety of policy languages where there is a need to compute results across these multiple languages. The Interest Group follows up on the October 2006 W3C Privacy Workshop, and addresses areas of work identified as a key common interest of participants. An important function of the Interest Group is information sharing within and between application communities. …”

The scope of PLING is:

“The Policy Languages Interest Group is designed as a forum to support researchers, developers, solution providers, and users of policy languages such as XACML (eXtensible Access Control Markup Language), the IETF's Common Policy framework and related work, and P3P (W3C's Platform for Privacy Preferences Project). It provides a forum to enable broader collaboration, through use of email discussion, scheduled IRC topic chats, Wikis, and Weblog tools.

The group will primarily focus on policy languages that are already specified and broadly address the privacy, access control, and obligation management areas; it is not expected to engage in the design of new policy or rule languages. The Interest Group will work towards identifying obstacles to a joint deployment of such languages, and suggest requirements and technological enablers that may help overcome such obstacles.”

More information will follow.

Wednesday, October 3, 2007

Part II: Privacy Management in Enterprises? It is a matter of Enforcement and Automation …

I find James McGovern’s feedback always useful and relevant to trigger further thoughts. This is particularly true for his last post (see the “Links for 2007-10-01” part), related to a recent post of mine (on “Privacy Management in Enterprises? It is a matter of Enforcement and Automation …”):

“I really hate posts such as these as they start with technology discussions and abstract notions such as policies while ignoring simple facts of business. Have you ever considered that some industries simply couldn't function if privacy were so pervasive? Consider what happens when you win the Lottery and decide to buy yourself and me a Porsche Boxster. If you spend cash, you will have your privacy violated by the Patriot to ensure that you aren't laundering money. If you pay by credit, folks will be able to see everyone else you have done business with in the past. Likewise, you will need insurance on your Porsche Boxster where they will also check with the Department of Motor Vehicles to tell how many accidents you have gotten into. They will also check into past claims you have filed even if it was with another insurance carrier. How about a conversation that talks about the business model of privacy first?”

Interesting view and position! I think I never said that privacy needs to be “pervasive” and/or should disrupt current businesses (we are talking about businesses that are compliant with laws and legislation as well as with legitimate users’ expectations and rights, aren’t we?).

My main message was simply that, to improve current privacy practices, there is a need for more enforcement and automation, as (1) human-based processes and “good will” are usually prone to mistakes and (2) an approach based entirely on “compliance checking and remediation” has its own limitations …

Privacy for the “sake of privacy” is indeed pointless unless it is considered in the overall context, of which the business is one (important) aspect. However, it must not be forgotten that the perception of “privacy” (and of what is important) is not the same everywhere: see the different mentality, philosophy and approaches to privacy in the US and the EU!

I thought I was clear on this point when, in my previous post, I said: “I argue that the decision on the “actual blend” of policy enforcement and auditing/compliance checking should be the outcome of a “risk analysis” process, which must take into account the specific enterprise context and the assets to be protected.”

Having said this, I disagree on the part of the comment saying “… start with technology discussions and abstract notions while ignoring simple facts of business”.

The requirement for more “privacy enforcement and automation” is not an invention of mine. It is the (consistent) outcome of various investigative projects, customers’ feedback and related survey reports, taking into account a variety of aspects and dimensions (including the business perspective).

See for example the EU PRIME project and its outcome, which has taken into account (during its entire duration – almost 4 years) input, requirements and needs coming from business, social, economic, legislative and “personal” sources. Similarly, the outcome of a recent effort in the context of the Identity Governance Framework (in particular the MRD use case document) has highlighted the importance of enforcement and compliance: it is the result of collaborative work involving multiple business groups (including HP) and it illustrates use cases and business scenarios.

James makes a good point when he says: “How about a conversation that talks about the business model of privacy first?”

James – any input or suggestion, based on your experience and/or needs of businesses and customers you have been interacting with?

What would be, in your view (or in your customers’ view), a suitable business model of privacy? Are there, in your view, any emerging patterns or approaches to be taken into account? Would there be “the business model of privacy” or many of them, depending on the context (e.g. geographical location, legislation, etc.) and on the business/organisation? How could all requirements and needs be reconciled in such a model?


Tuesday, October 2, 2007

Introducing a “Privacy Week” in Enterprises?

Marc Groman, Chief Privacy Officer of the (US) Federal Trade Commission, makes the case for holding Privacy Weeks (see this article):

“Annual computer security and privacy awareness training for all employees is a good start, but it is just the beginning. Planning an agencywide “privacy week” or similar event is an excellent way to put privacy center stage and demonstrate your agency’s commitment to building a culture of privacy and security. The theme for the Federal Trade Commission’s privacy week held this past March was “Info — Handle With Care.” Your privacy week can include events such as educational seminars on compliance issues, training sessions on technology resources that protect sensitive information, or an all-day privacy fair. Thought-provoking or “catchy” posters in high-traffic areas, brochures and contests and prizes help to generate enthusiasm for the week’s activities and to communicate the message. Finally, to reinforce your agency’s commitment — in terms of resource investment and leadership buy-in — have your agency head host an event or deliver a speech explaining why privacy and security are important. …”

This is an interesting idea and a good initiative that could potentially also apply, in general, to enterprises and other organisations: educating employees and creating awareness of the risks, threats and requirements in terms of security and privacy is a good way to improve privacy practices.

However, as I argued in a previous post, I believe this should be coupled with a more proactive approach (within organisations) to privacy policy enforcement and automation: “human-based” processes are indeed prone to mistakes and interpretations (and education …).


Monday, October 1, 2007

Lots of Warnings about “Enterprise Web 2.0” Risks – What about Identity 2.0?

A recent article by Robert Mullins, called “Enterprises warned to approach Web 2.0 with caution”, says:

“Danny Allan of IBM had just finished his primer on potential security risks of Web 2.0 applications when enterprise software developers filing out were overheard telling each other, “That was scary!” and “Now I’m depressed.” Allan says he didn’t mean to scare, but to educate. “The lesson is not to run away but to prepare,” said Allan, director of security research at Watchfire, an IBM-owned security firm”

This is also consistent with what HP SPIDynamics said some time ago, in particular about security risks and issues with Enterprise Web 2.0 (see here and here).

In a previous post of mine, called “Web 2.0/Ajax “Submission Throttling” and Privacy Concerns”, I also highlighted a (simple) example of a potential Web 2.0 privacy threat (admittedly primarily from a B2C perspective, but it could also apply to enterprise and federated IdM contexts …). I am sure this is just the tip of the iceberg …

I would be interested in knowing what the outcome of a similar risk/security/threat analysis/assessment would *specifically* be for “Identity 2.0”-based solutions (including Liberty Alliance, of course …), in B2C, enterprise and federated IdM contexts.

I believe there will be interesting findings, from a privacy and data security perspective, in particular when dealing with personal and confidential information.
