Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, November 30, 2007

A “Living List of Identity Management Forums”

I have found on the web this interesting “Living List of Identity Management Forums”.

Despite being incomplete, it provides a pretty good overview of (most of) the public initiatives in the Identity Management space.

It is an opportunity for the Identity Management community to find references and to raise awareness of the missing ones …

--- NOTE: my original HP blog can be found here ---

Wednesday, November 28, 2007

US Federal Trade Commission: about 8 million US people estimated to be victims of Identity Theft …

A recent report published by the US Federal Trade Commission, called “Federal Trade Commission – 2006 Identity Theft Survey Report” (the report is available online, here), provides an analysis and an estimate of the identity thefts that occurred in the US in 2005.

Based on this report, “A total of 3.7 percent of survey participants indicated that they had discovered they were victims of ID theft in 2005. This result suggests that approximately 8.3 million U.S. adults discovered that they were victims of some form of ID theft in 2005”.

Identity thefts have been classified into the following categories:

  • New Accounts & Other Frauds
  • Misuse of Existing Non-Credit Card Accounts or Account Number
  • Misuse of Existing Credit Card or Credit Card Number

This report estimates that “The median value of goods and services obtained by the identity thieves for all categories of ID theft was $500. Ten percent of victims reported that the thief obtained $6,000 or more, while 5 percent reported that the thief obtained at least $13,000 in goods and services.

In more than 50 percent of ID thefts, victims incurred no out-of-pocket expenses. (Out-of-pocket expenses include any lost wages, legal fees, any payment of fraudulent debts, and miscellaneous expenses such as notarization, copying, and postage.) In the New Accounts & Other Frauds category, the median value of out-of-pocket expenses was $40”.

This report also compares these recent findings against findings of a similar investigation carried out in 2003: “The 2003 survey found that 4.6% of the survey population had experienced ID theft during the one year period before the survey was conducted. The 2006 survey found that 3.7% of the survey population had experienced ID theft during 2005. The difference between the rates is not statistically significant. Given the sample sizes and the variances within the samples, one cannot conclude that the apparent difference between the two figures is the result of a real decrease in ID theft rather than a result of random variation.”

Monday, November 26, 2007

On Policies and Policy Management: Present and Future …

I have recently given a presentation on the topic of Policies and Policy Management. My presentation is available online, here.

This topic is extremely complex, considering the variety of aspects to be taken into account. This presentation reflects my (high-level) view of the current status and of some potential future research areas.

In the introduction I tried to describe the concepts of policy and policy management from a wide perspective, highlighting some of the open issues and the complexity involved. I’ve also described some of the current HPL R&D work in the space of policy management applied to identity and privacy management.

I have then highlighted a few future R&D activities in this space that might be worth exploring. They include:
  • Policy Refinement Process
  • “Federated Policy Management” in Organisations
  • Management of “Sticky Policies” in Information Flow
  • Content-aware Access Control in Collaborative (Enterprise Web 2.0) Environments driven by Policies
  • Overall Policy Lifecycle Management

Last but not least, I again highlighted the opportunity to get involved in the newly created W3C Policy Languages Interest Group and to contribute to it.

Your comments and input are welcome.

Friday, November 23, 2007

Conference Event: Ethics, Technology and Identity

I’d like to create awareness about the “Ethics, Technologies and Identity” conference (June 18-20, 2008 - The Hague, the Netherlands):

“Information technology plays an increasingly important role in society and in human lives. Identity Management Technologies (e.g. biometrics, profiling, surveillance), in combination with a variety of identification procedures and personalized services are ubiquitous and pervasive. This calls for careful consideration and design of collecting, mining, storing and use of personal information. This conference aims to discuss the theme of ‘identity’ in light of new (information) technology. Key-note speakers are David Velleman, Oscar Gandy, Robin Dellon and David Shoemaker.”

The deadline to submit abstracts is 07 December 2007. The full call for papers is available here.

Wednesday, November 21, 2007

UK: Personal data of 25 million people has gone missing in the post

A recent BBC article (called “UK’s families put on fraud alert”) provides more details about a recent incident in the UK, where two CDs containing the personal details of all UK families with a child under 16 have gone missing:

“The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.

Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts "for unusual activity". The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing.

Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”

It looks like good practices and processes were in place, but the system failed nevertheless. I see the limitations of any privacy enforcement system in this context.

I wonder if a “Risk-Driven Decision Support System” would have been of some use in this context, to discourage this action (given the existing policies and the potential risks involved) and to suggest more compliant ways to proceed …

Monday, November 19, 2007

What is your “Identity Footprint” on the Web?

Very few people actually know what their “Identity Footprint” is (i.e. the various pieces of information and details related to them that they have given away on the web …), especially if they have been exposed to the Internet for a while, have accessed and interacted with various social network services, or have simply been involved in web service interactions.

What are the risks going to be that are induced by these “Identity Footprints”? Could “personal profiles” be inferred from this information to the point of becoming a threat, e.g. enabling identity theft or fraud, or simply having a future impact on people’s reputation?

I believe that understanding and managing this kind of risk is going to become a priority in the not so distant future … Its implications are already becoming obvious today, as it is possible to gather a reasonable amount of “personal” information on individuals by searching various sites (e.g. Google, FaceBook, Linkedin, Del.icio.us, Technorati, etc.).

I see an opportunity for researching and developing new identity management services in this space to help people assess risks and potentially mitigate them (for example, the “Personal Guardian Angel” service that I described in a previous post, “2012: A Day in the Life of John Webber”).

Friday, November 16, 2007

Technologies and Solutions to Help Fight Identity Theft …

A recent article by Brad Stone, titled “In ID Theft, some victims see opportunities”, provides an interesting overview of some emerging technologies and solutions that can help people become more aware of identity theft and potentially fight it.

Some emerging companies have interesting ideas and proposals in this space. Have a look …

Wednesday, November 14, 2007

Event - Privacy Enhancing Technology: How to Create a Trusted Information Society …

A Conference/Forum is going to be held in London, UK, on 21 November, focusing on “Privacy enhancing technologies: How to create a trusted information society”:

“Organised by three of the UK’s Knowledge Transfer Networks (KTN), and supported by the European Commission, A Fine Balance 2007 is an independent forum for discussing privacy in relation to the development of new technology. Building on last year’s event of the same name, this year’s conference discusses the development and integration of technologies which can build privacy into new devices and services at the design stage.
Privacy Enhancing Technologies (PETs) will encourage industry to recognise that valuable emerging technologies can be designed with privacy and data security in mind from the outset. On May 2nd, the European Commission adopted a Communication "Promoting Data Protection by Privacy enhancing Technologies (PETs)" in which it calls for stepping up research in and development of PETs. In this context, the outcomes of this event will be taken under consideration by the European Commission in its formulation of upcoming work programmes for funding calls in this area of the FP7 - ICT programme and will influence the direction of future research in the fields of privacy and technology.”

Apparently, part of this forum/conference can also be followed in a “Web 2.0 workshop” on Second Life.

More information about EU initiatives on PETs can be found here. The PRIME project is mentioned as one of them …

Monday, November 12, 2007

What’s the Future of Enterprise Identity Management? Risk Management …

I believe that Risk Management is going to have a deep impact on Enterprise Identity Management.

On the one hand, “traditional” Enterprise Identity Management solutions (e.g. provisioning solutions, AAA, storage solutions, etc.) are under consolidation.

On the other hand, there is an increasing urgency to assess and (automatically) deal with risks and vulnerabilities affecting enterprise “assets”, driven by both business and security perspectives. In this context, it is going to be important to accurately assess risks, vulnerabilities and threats for identity (and privacy) management practices, processes, solutions and related assets.

Of course, a few “Identity Risk Management” solutions are already available on the market, and there is a consolidation process in the consulting space. However, the big challenge is still to come, in a few years, because of the increased adoption of open “web 2.0” solutions by enterprises, the blurring of enterprise boundaries and a workforce that is more and more “accustomed” to using “social networking solutions” in their private and professional activities (and consequently exposing enterprise information and assets to the external world).

It will be very important to be able to assess and mitigate risks about “confidential information” on enterprise systems, plans, projects or activities that has been directly or indirectly exposed to the web, and whose discovery and correlation (by third parties) can provide relevant insights and intelligence about enterprise “high-value” strategies and practices.

Ultimately “risk analysis” solutions will be used to assess threats concerning the overall “identity” of an enterprise in addition to the ones related to its assets …

Friday, November 9, 2007

Identity Management @ HP Labs: Challenges and Opportunities

I have recently given a few public presentations about HPL R&D activities on Identity Management. I would like to share a presentation (.ppt), called “Identity Management @ HP Labs: Challenges and Opportunities” where I discuss:

  • Challenges and Opportunities (in the next 5 years) in the Identity Management space
  • A few HPL research activities in the space of Identity Management. This includes work done on “Enterprise Privacy Management for Identity Management” and “Device-based Identity Management in Enterprises”
  • A few Identity Management initiatives HPL has been involved in. This includes the “Identity Capable Platforms (ICP)” initiative and the “Identity Governance Framework” initiative.

My presentation is available online and can be downloaded here.

Wednesday, November 7, 2007

Health Information Exchanges and Privacy Concerns

A recent article by Diana Manos, called “Privacy Concerns Remain Barrier to Health Information Exchanges (HIE)”, provides an overview of a report released by the American Health Information Management Association (AHIMA) and the Office of the National Coordinator (ONC) for Health Information Technology:

“A new report on health information exchange says state public-private health information exchange organizations are making progress in some areas, but the question of privacy remains a hurdle. … ONC chief Robert Kolodner, MD, said one barrier to HIE growth is the lack of trust across all stakeholders. Governance must include all stakeholders or “solutions are sub-optimized,” he said. Now is “a pivotal time” for building sustainable health information exchange, he added.”

This report, titled “State-Level Health Information Exchange: Roles in Ensuring Governance and Advancing Interoperability” is available online and can be downloaded here:

“It outlines a potential framework for organizing HIE functions and formalizing organizational and sector roles and responsibilities. It synthesizes field research and provides recommendations to be considered for strengthening and expanding HIE capacity, capitalizing on the important contributions of state-level HIE initiatives.”

Tuesday, November 6, 2007

ACM DIM 2007 Workshop: more on Identity Assurance

The ACM Digital Identity Management (DIM) 2007 Workshop (2 November 2007) presentations are going to be made available online, here. A few of them can already be downloaded.

Presentations have been given in sessions covering the following topics:
  • Usability and Authentication
  • Identity Assurance and Linkability
  • Network-based Approach
  • Reputation and Trust
  • (Discussion) What are Usability issues for Identity Management?

HP Labs had a paper accepted, called “On Identity Assurance in the Presence of Federated Identity Management Systems” (authors: Adrian Baldwin, Yolanta Beres, Marco Casassa Mont, Simon Shiu). It has been presented by Yolanta Beres.

Our main goal was to raise awareness about the importance of assurance in the context of identity management, in particular for federated identity management. A related HP Labs Technical Report on this topic is available here.

Monday, November 5, 2007

ENISA Event – “Information Risk Management: Why Businesses need it?”

ENISA (in collaboration with INTECO) is organising an event on Information Risk Management on 8-9 November 2007 in Barcelona, Spain:

“On this event, the experience drawn from the implementation of the Risk Management process in various European countries will be presented. To this end, representatives from several countries from the EU will present their views on the matter and will report on their experience in this area. This unique event will shed light on how to make SMEs safer and less liable to technological incidents.”

Specifically, this event is going to cover “Information Risk Management” cases from the following EU countries: Spain, Germany, UK, France and Austria. The full program is available here.

Sunday, November 4, 2007

HP’s Security Handbook

HP’s Security Handbook is available online (2006 edition):

“The HP Security handbook provides a view into all the different threads of security that HP works in. Much of the content is focused on the three pillars of our security strategy: Identity Management, Proactive Security Management and Trusted Infrastructures. The handbook also describes how Governance issues fit into our security strategy and provides an insight into the security research work done by HP Labs.”

In particular, the Identity Management community might be interested in having a look at the section on Identity Management.

Thursday, November 1, 2007

The Basics of Identity Management?

An interesting article was recently written by John Dunn of Techworld, called “The Basics of Identity Management”.

This article actually focuses on “Federated Identity Management (FIM)”. It analyses aspects of FIM and provides the author’s view of what FIM can offer to IT planners. A key point is made by the author:

“To succeed, FIM has to undo half a century of IT, based on the idea that IT is constructed around the logical arrangement and securing of systems into which users are placed. FIM, by contrast, has the potential to be radically user-centric, making users the centrepiece of an IT system, around which systems are built as digital supports. A systems mentality looks on users as existing on a hierarchy of privilege, with higher rungs gaining more authorisation and power, but within defined geographical and logical limits. A FIM way of looking at users is to see these systems from their point of view. That information, or the ability to transact, resides on the network of another company matters not if that is essential to the business objective. It should be accessible.

For the time-being, FIM will most likely be restricted to specific projects – getting two partners working together - with defined goals and timescales. Longer term, it has the potential to transform even the humblest IT operation into something quite new. But as a concept, federation surely represents the future of networks, so that they become not as islands of digital power, but overlapping ‘networks of networks’. It is happening already. But it will force companies to re-examine their own security processes before they jump into its whirlpool of potential difficulties.”
