Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, December 29, 2008

2009-2010: Predictions about Identity and Privacy Management

During the next two years (2009-2010), the Identity and Privacy Management areas are going to be subject to the consolidation and cost-cutting trends that are already happening in security and, more generally, in IT.

In my view, investments in Identity Management (IdM) are going to be very pragmatic, also driven by the need to: manage a very “variable” workforce; cope with an increase in internal enterprise reorganizations and consolidations; deal with an increased number of identity thefts and related attacks.

As such, I believe that the IdM areas that will attract most of the market's attention are:
  • Entitlement management (and automated user provisioning)
  • Enterprise SSO
  • Authentication strategies

I don’t believe that client-based federated identity management and advanced authorization solutions will be driving the Identity Management space during this period of time.

From a Privacy Management perspective, I still believe that most of the action will happen in R&D contexts.

Of course, this is my view, based on some evidence and intuitions. I would be interested in getting your opinions.

I am also planning to compile a list of world-wide R&D projects and (industrial/university-based) R&D activities in the space of Identity and Privacy Management. I will post information about this. Of course, feel free to send me your input and relevant URLs.

--- NOTE: my original HP blog can be found here ---

Thursday, December 18, 2008

Identity Analytics: from a compliance-based to a risk-based approach

Here is a recent, interesting article called “Banks Need to Take Risk-Based Approach to Data Management”:

“Banks need to approach their data privacy and security from a risk point of view, according to experts with New York-based Deloitte. The firm held a webcast Tuesday that discussed how financial institutions can transform themselves from being compliance-driven organizations to risk-driven organizations, two models that are distinct, Edward Powers, a principal with the firm's security and privacy practice, said.
Over the last six to eight months, Powers said he has seen a continued sensitivity to risk among financial institutions. "At the same time, I've seen significant moves to downsize budgets and human resources. This is creating strain. Most organizations are now optimizing around the things that are most urgent."”

Interestingly, this reiterates a trend and approach that I have been describing for a while, especially from a security and identity management perspective. I would extend this not only to Banks (and the FI sector), but also to enterprises and Government Agencies.

I believe that, from an identity and privacy perspective, modeling and simulation (coupled with social science and economics) can provide additional support to help decision makers to better understand the consequences of their risk posture along with explaining and predicting the impact of their choices.

Further information about our vision, based on Identity Analytics, has been provided in a few recent blog posts of mine (here, here and here), where I also discussed our view towards strategic decision support for Identity Management (and privacy …).

Monday, December 15, 2008

Identity Analytics: Providing Strategic Decision Support for Identity Management

I believe that “Enterprise Identity Management” is quickly maturing and, in some way, commoditizing, at least from a product and solution perspective. In this context, thinking about Identity Management (IdM) purely from a technical perspective is showing its limitations.

Decisions on IdM aspects are increasingly made at the strategic level, as outsourcing, cost saving, balancing security with enterprise agility and usability are becoming the main drivers. Strategic discussions on IdM include understanding the implications of new emerging scenarios and risks, such as the adoption of web 2.0 technologies within enterprises, new identity attacks (phishing, whaling, etc.), increased numbers of M&A and workforce reorganizations, IdM Outsourcing and adopting IdM as a Service.

Key decision makers in this space, i.e. CIOs/CISOs, are driven by business needs and risk management. Some of the questions we have been exposed to include:
  • What is the trade-off between reducing risk in tightening the access to critical applications vs. the loss in productivity as access rights are more limited and time taken to gain these access rights will increase?
  • Is it better to spend a limited budget on user education or implementing a given technical control, such as automating user provisioning/deprovisioning or providing two-factor authentication?
  • Should users and business units be allowed to run their own IT solutions or is it better to have centrally managed services?
  • What is the impact of emerging collaboration technologies such as blogging, Wikis and second life?
  • Do changes to working patterns such as greater mobility lead to additional risks?

In a few recent blog posts of mine (here and here) I discussed our view and approach towards strategic decision support for Identity Management, based on Identity Analytics.

Your input is always welcome, in particular in terms of providing additional case studies and IdM areas we could apply our approach to.

Thursday, December 11, 2008

EU Commission has set an Advisory Panel to revise EU Data Protection Directive

As highlighted in this article, you might be interested in knowing that the European Commission has set up an Advisory Panel, including executives from Google and Intel, to help revise the European Union laws on Data Protection:

“"The aim of the group is to identify issues and challenges raised by new technologies. We are not reviewing the main data protection laws at present, but this could be a first step," said European Commission spokesman Michele Cercone. He added that the executives were chosen in a private capacity, rather than as representatives of their companies.”

Friday, December 5, 2008

Built-in Data Loss Prevention and Analogy with Privacy Management

I have just read this interesting article, called “Microsoft, RSA Partner to Develop Next-Gen data Loss Prevention”, by Lawrence Walsh:

“The alliance between Microsoft and RSA will move data loss prevention technology into the fabric of the IT infrastructure and improve protection by associating data with identities and classifications. Analysts are already calling the idea a "game changer.””

The main message I got is that we need to move away from bolt-on solutions, towards “built-in DLP approaches”. I tend to agree with this approach, despite it being much harder to achieve.

This has some interesting analogies with privacy and the way privacy management is currently carried out, at least with most current privacy-enhancing technology (PET) approaches. I believe that we need to move toward built-in approaches too, which require a deep understanding of the interconnections with the relevant “IT infrastructure fabric”, related business processes (and needs), along with the involved risks and their potential impact.

So, I believe this is something to consider very carefully, for example, in the context of the “Consent and Revocation Management” R&D area, within the TSB EnCoRe project.

Monday, December 1, 2008

A Fine Balance 2008: Privacy Technologies in Action

On November 27th I attended the UK “A Fine Balance 2008: Privacy Technologies in Action” event. It provided different and interesting perspectives (from the technological, social and legislative angles) on privacy. Presentations are soon going to be made available online:

“Following the success of the 2006 and 2007 Fine Balance events, four of the government's Knowledge Transfer Networks present the third in this series of independent forums that are already helping industry, government and academia achieve a balance between ensuring privacy and enjoying the benefits of new technology.”

Wednesday, November 19, 2008

Article: Changing business landscape makes IAM key to IT Security

Here is a recent, interesting article, called “Changing business landscape makes identity and access management key to IT security”:

“In an age of significant layoffs and corporate restructuring, the burgeoning problem of identity and access management for IT operations and data centers has escalated into a critical security issue. Managing who gets access to which resources for how long — and under what circumstances — has become a huge and thorny problem. Improper and overextended access to sensitive data and powerful applications can cause massive risk as many employees find themselves in flux.”

This article provides some excerpts from a discussion with Dan Rueckert (worldwide practice director for security and risk management in HP’s Consulting and Integration group); Archie Reed (distinguished technologist in HP’s security office in the Enterprise Storage and Server Group), and Mark Tice (vice president of identity management at Oracle).

Friday, November 14, 2008

Part II: On Applying Modelling and Simulation Techniques to Identity Management

Thanks to the readers that sent comments to me (interestingly, by email …) about my previous post on “Applying Modeling and Simulation techniques to Identity Management”. Also feel free to post your comments directly on the blog.

An interesting question I received was about the overall scope of the R&D work on Identity Analytics, i.e. if it only strictly applies to the Identity Management space.

I would say that the scope is wide. The goal is to also include economic aspects, people’s behaviours, privacy and privacy management elements, along with any IT and business aspects of relevance for the analysed scenario/case study. Our models and simulations indeed represent the (risk mitigation) effects of identity controls: they do so in the context of the scenario of interest, by including the representation of the involved processes, data storage and information flows, along with relevant applications and services.

The outcomes of our models can vary, depending on the questions we want to answer, such as ROIs in using specific IdM solutions, trade-offs in investments, impact of controls and security on usability, etc.

I hope this answers the question.

Please also have a look at the Demos2k model attached to our recent HP Labs Technical Report HPL-2008-186, for a few illustrative examples of the above points.

Friday, November 7, 2008

On Applying Modelling and Simulation Techniques to Identity Management

At HP Labs, within the “Identity Analytics” project, we are researching how to apply modeling and simulation techniques to the domain of Identity Management, to explore and predict:
  • the consequences of potential decisions made by decision makers (e.g. in terms of strategic policies and adoption of controls) on key aspects such as security risks, costs, impact on reputation, etc.;
  • the impact of identity management solutions on IT infrastructures, people and business contexts;
  • the implications of people behaviours on security and privacy aspects.

The aim is to help decision makers assess the consequences of their decisions and explore investment trade-offs. In particular, assessing the impacts on security risks and costs is very important: given the current global financial situation, the “cost” dimension is going to play more and more of a key role.

We published a few HP Labs Technical Reports to provide an overview of our R&D work, including HPL-2008-186 and HPL-2008-84. In particular, the most recent HPL-2008-186 report provides an example of a model (based on the Demos2K simulation framework) we used to carry out our simulations and trade-off analysis in a “data sharing collaborative scenario”.

Many case studies can potentially be explored with our approach, including Web 2.0 collaborative services, access and protection of critical business applications and services, user account lifecycle management processes, data flows and lifecycle management, identity theft scenarios, etc.

I would be interested in discussing this topic with this community, in particular about related work and exploring any specific requirement or case study you might have in this space.

Wednesday, November 5, 2008

Research Study: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk

This interesting article, called “Identity Theft Risks: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk” provides an overview of a research study to be published soon – warning about the risk of data left on devices to be decommissioned:

"Ongoing research to be published in the International Journal of Liability and Scientific Enquiry suggests that there is a huge amount of sensitive data still on redundant computer hard disks. These devices are often disposed of or sold into the second-hand market by corporations, organizations, and individuals with the data intact. The report's authors say that this data represents a significant level of risk for commercial sabotage, identity theft, and even political compromise, and suggest that better education is essential to reduce the risk of harm. ...
The 2007 study is being made available in its entirety through the International Journal of Liability and Scientific Enquiry. The team is now completing the 2008 analysis and will announce those results shortly as well. However, the initial results for the 2008 study show that there is still a long way to go regarding the decommissioning of computer hard disk drives. The team expects that the complete 2008 study will be made available for publication by the end of the year."

This is an area where “classic” identity management (based on control points) shows its limits. The explicit management of IdM strategic policies, related processes and risks should be a key part of “identity management”.

“Identity Analytics” could also be of some help here, to understand the implications of policies and possible strategic decisions (given specific IT and IdM frameworks), along with exploring investment trade-offs.

Monday, November 3, 2008

Policy 2009: International Symposium on Policies for Distributed Systems and Networks

The CfP for Policy 2009 (International Symposium on Policies for Distributed Systems and Networks) is now available online. Topics of interest include, but are not limited to:

  • Privacy and Security
  • Policy Models and Languages
  • Policy Applications

This year, Policy features a special track on the policy lifecycle and usability issues related to policy-based management of privacy and security.

Of course, papers discussing the application of policies to the identity management domain are welcome.

Abstracts are due by 23 February 2009, whilst papers are due by 02 March 2009.

Tuesday, October 28, 2008

Top 5 Mistakes of Privacy Awareness Programs?

Jay Cline, in an interesting article called “Opinion: Top 5 Mistakes of Privacy Awareness Programs”, lists the top five shortcuts that many large corporations take when dealing with privacy awareness programs:
  • Doing separate training for privacy, security, records management and code of ethics
  • Equating "campaign" with "program"
  • Equating "awareness" with "training"
  • Using one or two communications channels
  • No measurement

Have a look.

Monday, October 27, 2008

Part II: TSB EnCoRe Project – Ensuring Consent and Revocation

In a previous post of mine, I announced the UK TSB EnCoRe project, focusing on research on Consent and Revocation.

A new version of the EnCoRe web site is now available online.

I would be interested in getting your views and input on two aspects:

  • Prior art and work in the space of consent and revocation. In a first analysis, very little work is available in terms of automation of revocation of consent, in a wide sense. Any known work/solution in this space?
  • Your (user) requirements in the space of consent and revocation

Wednesday, October 22, 2008

PrivacyOS: Thematic Network for Privacy Protection

PrivacyOS (Privacy Open Space) is “a thematic network for privacy protection infrastructure within the current European Commission's ICT Policy Support Programme. The Project has started at the beginning of June 2008 and brings together industry, SMEs, Government, Academia and Civil Society to foster development and deployment of privacy infrastructures for Europe.”

More details can be found here.

Last week I attended the first PrivacyOS Conference (Strasbourg, 13-15 October 2008). It was very interesting and stimulating, considering the heterogeneous background of the audience, their presentations and the subsequent discussions. I would encourage the members of this community to attend in the future (the next conference is going to take place in April 2009).

In this context, I gave a presentation on "Enabling Privacy-aware Information Lifecycle Management in Enterprises", describing work done at HP Labs and in the EU PRIME project (Framework VI), in the space of “Management of Parametric Privacy Obligation Policies”.

Tuesday, October 21, 2008

Online Dialog on Health Information Technology and Privacy

As highlighted by this article, called “OMB sponsors online discussion of privacy issues”:

“The Office of Management and Budget has asked the National Academy of Public Administration to hold a public discussion this month of health care privacy issues through an interactive Web site.”

This online dialog will take place the week of October 27, at: http://www.thenationaldialogue.org/.

Thursday, October 2, 2008

Identity Management in the Cloud

This article, called “ID Management In the World of Cloud Services” (and a related podcast), is quite interesting and thought-provoking.

The advent of cloud services and services on demand is indeed likely to change the identity management landscape: most current identity management solutions are focused on the enterprise and/or a very controlled, static environment. User-centric identity management solutions (such as the various federated identity management schemes) also make some assumptions about the involved parties (e.g. SP and IdP parties) and their related services.

In a world where services are offered on demand, in the cloud and they can continuously evolve, some of these models are going to be challenged, for example, in terms of trust assumptions, privacy implications and operational aspects of authentication and authorization.

Is anybody aware of studies in this space? What is your view?

Friday, September 19, 2008

Announcing EnCoRe (Ensuring Consent and Revocation): a new UK IT Collaborative Project

A new UK IT collaborative project has been officially announced: EnCoRe – Ensuring Consent and Revocation (some initial press releases: here and here):

“As more and more personal information flows from individuals to organisations when they interact online, people are becoming more and more concerned that they can not effectively control what this information is used for, with which other organisations it is shared, and where it is stored. They may have given their consent, often in vague terms and implicitly, for its use, sharing and storage, but they have no real control over the specifics of these, nor the ability to revoke their consent and be sure that their wish is respected. In summary, they are not able to control where their personal information flows to, and this makes them uneasy about interacting online.

The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again.”

This £3.6m project consortium is multi-disciplinary, spanning across a number of IT and social science specialisms. The project partners are Hewlett-Packard Laboratories, HW Communications, QinetiQ, the London School of Economics, the Ethox Centre of the University of Oxford and the University of Warwick.

The EnCoRe project runs from June 2008 to November 2011. It receives funding from the UK Government’s Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.

Thursday, September 11, 2008

On Gartner’s Magic Quadrant for Identity Management

You might be interested in having a look at Gartner’s Magic Quadrants for Identity Management. In particular, a recent article (15 August 2008) published by Earl Perkins and Perry Carpenter focused on the “Magic Quadrant for User Provisioning”:

“User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers.”

On the one hand, this kind of report provides good insights into the current state of the art (in this case about user provisioning). On the other hand, some criticisms have been raised about the overall evaluation of current IdM solutions and their positioning in the “magic quadrant”. For example, have a look at this article by Dave Kearns.

Thursday, September 4, 2008

Part II: Risk Management for Unstructured Data in Enterprises

In a recent post published on the Netweaver Identity Manager Weblog, the author has made a few comments about my post on “Risk Management for Unstructured Data in Enterprises” (well, actually the published URL to my post is apparently broken …).

Thanks for this input, in particular about three main points that I (tried to) summarise as follows:

1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition …)
2) Narrowness of perception of approaches and incompleteness of my list of required solutions
3) Availability of comprehensive methodology for implementing enterprise wide risk management

About point 1), this looks pretty much like a philosophical discussion. No doubt that, in the end, we talk about information that has some sort of structure (well, an email has a header, a body with some text and attachments; a document is made of paragraphs or lines of text; …). However, the (maybe over-hyped) “unstructured data” term is currently used to (a) identify specific types of information and (b) contrast it against classic “structured data” (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology …

Back to the key point, recent reports (including the Ponemon Institute’s survey on “Governance of Unstructured Data” and other market and research reports) indeed highlight that the management of unstructured data is a rising concern for enterprises, both in terms of governance and risk management. I think this is what really matters, independently of the terminology.

No doubt that classification of data is an important point, especially if you ever manage to “find” where this “unstructured data” is, within a complex enterprise environment … I would say that, given the particular nature of “unstructured data”, a preliminary “data discovery” phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations …).

About point 2), my post was by no means meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, of “unstructured” information risk management. It was just a statement of some “desirable” properties and capabilities that I would like to see (and I know they would be of some help to customers …).

I am well aware of the complexity of the overall (security) “enterprise risk assessment and management” problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.

(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These “standards” provide guidelines and criteria to be carefully refined, grounded and contextualized in various “operational” realities, along with some good, common sense …

So, no doubt that a “comprehensive methodology for implementing enterprise wide risk management” already exists, at least from a consulting perspective, but this was not my main point.

My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.

An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on “Identity Analytics” that I have mentioned a few times, to see what I mean in more detail (at least from an “IdM perspective”).

Specifically, one of my R&D interests is in “(semi-) automation” tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment & management activities. This includes providing decision support and “what-if analysis”, involving modeling and simulation, providing trade-off analysis, etc.

Given the complexity of this space, I deliberately focused on the aspect of “management of unstructured data” and the IdM perspective, well aware that this is just a part of the overall problem and space.

I hope I clarified this point.

About point 3), no doubt about this, as I mentioned above.

However, the statement that “comprehensive methodology for implementing enterprise wide risk management is done” sounds (at least to me) a little bit abstract …

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company … :-)).

Monday, September 1, 2008

Risk Management for Unstructured Data in Enterprises

In the context of the HP Labs’ Security and Identity Analytics project I have been investigating the implications of “unstructured data” (i.e. emails, documents, multimedia files, pages in data sharing sites, messages exchanged with Instant Messaging tools, blog posts, data mash-ups, etc.) within organizations, along with how to explain and predict involved risks and explore the consequences of related security (policy) choices.

Is “unstructured data” really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.

The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.

Most of the current approaches (that I am aware of) that mitigate some of the involved risks are based on traditional IT security and identity “control points” (such as access control, interception points, complex document lifecycle management tools, etc.), addressing “point problems”.

I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (4) explore trade-offs.

So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?

Tuesday, August 26, 2008

Coming Digital ID World Conference 2008, 8-10 September 2008

The Digital ID World Conference 2008 is going to take place in Anaheim, California on 8-10 September 2008. A complete agenda is available online. Some of the Keynotes include:
  • Identity Assurance: A Backbone for the Identity Marketplace, Peter Alterman, Assistant CIO for E-Authentication and Chair, US Federal PKI Policy Authority, National Institutes of Health; Andrew Nash, Senior Director, Information and Risk Management, PayPal; Frank Villavicencio, Director, Citigroup
  • Making Identity Work End to End, Craig Wittenberg, Architect, Microsoft
  • State of the Industry, Jamie Lewis, CEO & Research Chair, Burton Group
  • Have I Seen You Before? An Industry Discussion About User-Centric Identity, Kim Cameron, Chief Architect of Identity, Microsoft
  • On VRM and Identity, Doc Searls, Fellow, Berkman Center, Harvard Law School

Thursday, August 21, 2008

New UK TSB Project: Developing the Next Generation of Identity Management Systems

As announced by this article, a new UK government-funded project is going to start in October, aiming to develop the next generation of identity management systems:

“A research project will see a team of experts team up for three years to develop the next generation of identity management systems. The government-funded project will launch in October and will include academics from Cranfield University, Royal Holloway University of London, Salford University, Consult Hyperion and Sunderland City Council.

The research team will look at topics of privacy and consent for identity management, with the aim of helping people and organisations make well-informed judgements about their choice of online services, how they use them, and what information they give out.

"There is a concern that people aren't really clear about the value of their unique identity," said Debi Ashenden, Cranfield's lead researcher. "Our research will engage people in current debates about privacy and consent issues, find out how they think about their identity and what decisions they make. We hope the discussions will provide invaluable information to help develop new identity management tools." The funding for the project is part of a £5.5m investment by the Technology Strategy Board (TSB), Engineering and Physical Sciences Research Council (EPSRC), and Economic and Social Research Council (ESRC).

Two other identity management related projects will also be funded by the investment. Andrew Tyrer, the TSB's lead for its network security innovation platform said this research will be key to "ensuring that the hardware and software required will meet public expectations about these important issues".”

--- NOTE: my original HP blog can be found here ---

Tuesday, August 19, 2008

An Essential Guide to Identity Management for IT Professionals

Ian Grant has recently published an article on ComputerWeekly.com, called “Identity Management: An Essential Guide for IT Professionals”.

It is actually an overview of some IdM initiatives and related aspects (thanks for mentioning my blog when referring to HP’s initiatives in the IdM space).

Is anybody aware of an online “Complete and Up-to-Date” Guide to Identity Management and various related initiatives?

--- NOTE: my original HP blog can be found here ---

Saturday, August 2, 2008

Firefox and 50 add-ons for Private and Secure Web Surfing

A recent article by Laura Milligan, called “50 Firefox add-ons to achieve private and secure web surfing”, provides a comprehensive list of Firefox add-ons for achieving a degree of security and privacy whilst surfing the web:

“Firefox is generally considered a secure web browser, but if you’re interested in keeping your activity on certain websites private or giving yourself extra protection against phishing, hackers and viruses, you may want to consider beefing up your Firefox’s security in general. Thankfully, there are lots of options available that make achieving privacy and security online as easy as downloading a simple add-on or application that was designed just for Firefox users.”

This article classifies these 50 add-ons (and provides links for each of them) in the following categories: Secrecy and Encryption; add-ons that beef-up security; cookies; testing your system; passwords; protect your privacy online.

Have you had any direct experience using these add-ons? Are they up to their promises?

--- NOTE: my original HP blog can be found here ---

Friday, July 25, 2008

Part III: Identity Analytics and Unstructured Data Analysis

In previous posts of mine (here and here) I introduced our vision of Identity Analytics and the focus and purposes of our R&D activities.

I received a few emails and queries asking to clarify the link between Identity Analytics and Unstructured Data, considering that this was mentioned in the “On Identity Analytics: Setting the Context” HPL Technical Report.

We believe that “Unstructured Data” is a possible, fertile and rich “case study”/scenario in which to explore the concept of Identity Analytics, the applicability of our approach and its potential limitations.

The adoption of new “web 2.0” collaborative tools within organizations (TWiki, Sharepoint, IM, etc.) and social networks (Facebook, LinkedIn, del.icio.us, etc.) provides users with better ways to collaborate, create and share content. At the same time this poses new threats and security risks, due to the nature of unstructured data, the fact that confidentiality issues can emerge from the aggregation of simpler pieces of information, and the difficulty of retaining control over this data. This is where traditional Identity Management solutions show their limitations and where decision makers need to better understand the implications of their choices and/or the impact of defining new policies.

Our R&D work in Identity Analytics really aims, in this context, to explore how modeling and simulation can help to explain and predict the impact of some of these decisions on the organizations (e.g. in terms of risks, reputation, costs, etc.) and explore options and “trade-offs” by providing “what-if” analysis.

Of course the “unstructured data” scenario is just one of the various scenarios we are exploring. I would be interested in hearing from you about other areas in which you think the “Identity Analytics” approach could help and/or address (decision support) issues you might have.

--- NOTE: my original HP blog can be found here ---

Security Metrics: NIST “Performance Measurement Guide for Information Security”

NIST has recently released Revision 1 of its “Special Publication 800-55”, called “Performance Measurement Guide for Information Security”, which focuses on security metrics.

This is of some relevance also for people working in the “Identity Management” space and related control points (despite primarily targeting US federal agencies):

“This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency’s success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.”

--- NOTE: my original HP blog can be found here ---

Sunday, July 20, 2008

W3C PLING Interest Group – Charter extended until June 2009

Good news. The W3C Policy Languages Interest Group (PLING - co-chairs: Renato Iannella, Marco Casassa Mont) charter has been extended until June 2009.

Please have a look at the PLING Twiki site for current outcomes of phone meetings, discussions and collection of material, about the following policy-related topics: use cases, policy languages review, related initiatives, interesting cases, open issues and scientific resources. Feel free to contribute and ensure that your positions and views are covered.

The PLING Twiki site also provides up-to-date information about coming PLING phone meetings. These meetings are open to anybody interested in the policy topic.

We are looking for speakers that are willing to provide a short presentation (30 min), during our phone conferences, illustrating their work in the space of policy/policy management, open/new issues, interesting use cases and their vision in this space.

--- NOTE: my original HP blog can be found here ---

Wednesday, July 16, 2008

Survey: Only Eight Percent of Americans are “Very Confident” their Personal Data is Properly Managed

This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called “Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments”):

“Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as a follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with.”

Even more interesting is this statement, mentioned by the above article:

“Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall, now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identity and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it.”

Well, I just partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but this is just one step towards really ensuring that personal and confidential data is managed according to legislation and users’ preferences.

First of all, most current IdM solutions are not really privacy-aware and/or do not provide privacy-enhancing capabilities (e.g. privacy-aware access control) – aspects that are fundamental to preventing PII data from being accessed and used beyond the agreed purposes and with the wrong intent … Secondly, IdM solutions can only address the problem up to a point, since accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen …

So, the other part of the story, for the enterprise, is putting in place proper “data governance processes” and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (that should be carried out before deploying any “control point” in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions …

--- NOTE: my original HP blog can be found here ---

Saturday, July 12, 2008

On Identity Analytics - Part II

In a previous post of mine I announced the release of a new HPL Technical Report, titled “On Identity Analytics: Setting the Context” (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu), providing an overview of an HP Labs R&D project in the space of “Identity Analytics”.

I received a few emails asking (among other things) about HP/HPL strategies in Identity Management and how Identity Analytics fits in all this. Some additional details follow, based on what I can publicly discuss.

Identity Analytics is an HP Labs project, in the context of the Security Analytics project (Systems Security Lab). The R&D goal of this project is to innovate in the space of Identity Management (in a broad sense, i.e. including also human, social and economic aspects) by moving from an approach purely based on operational Identity Management solutions to an approach that also takes into account the “strategic” needs and requirements of key decision makers (e.g. CIOs/CISOs).

What is the impact on an organisation (e.g. in terms of costs, risks, reputation, trust, etc.) when making strategic decisions and/or defining policies in the space of Identity Management? Are current policies adequate given current (business, security, etc.) objectives? How are technical, educational, human, social and business aspects going to affect the (economic, security and business) outcomes of the choices and decisions made? What are the relevant trade-offs that need to be analysed, and how should they be evaluated? How can strategic, forward-looking, “what-if” analysis be provided to decision makers? These are some of the questions to be answered …

This is a green field, open to innovation. In this context, technical Identity Management solutions are just one aspect of the overall equation (and sometimes not the most important …), that also includes costs, (security and business) risks, business priorities and economic aspects.

I am confident that there are new business and market opportunities in this space, considering also the current shift (backed by key decision makers) from a pure “compliance-based” approach to a “risk-based” approach …

--- NOTE: my original HP blog can be found here ---

Wednesday, July 9, 2008

On Identity Analytics: New HP Labs Technical Report

This community might be interested in a new HPL Technical Report, just released, titled “On Identity Analytics: Setting the Context” (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu).

This report reflects R&D work we are doing at HP Labs, Systems Security Lab. I am very keen to get your views and input. The abstract of this technical report follows:

“This paper aims at setting the context for “Identity Analytics” within enterprises and paving the path towards new R&D opportunities. In our vision, Identity Analytics is about explaining and predicting the impact of identity and identity management (along with other related aspects, such as users’ behaviours) on key factors of relevance to decision makers (e.g. CIOs, CISOs), in complex enterprise scenarios – based on their initial assumptions and investment decisions.

Ultimately the goal is to provide rigorous techniques to help decision makers gain a better understanding of the investment trade-offs within the identity space (e.g. investing in technologies vs. changing processes vs. investing in users’ education, etc.). This means providing “decision support” and “what-if analysis” capabilities to decision makers enabling them to explore these investment trade-offs, formulate new policies and/or justify existing ones. Our vision of “Identity Analytics” is introduced and discussed, along with the methodology that we intend to adopt.

There are many research opportunities and challenges in this space: we believe that a scientific approach is required, involving the usage of modelling and simulation techniques, coupled with the understanding of involved technologies and processes, human behaviours and economic aspects. To ground some of the concepts discussed in this paper, we provide an illustration of Identity Analytics focusing on emerging “web 2.0 enterprise collaborative data sharing”, where unstructured information is created, stored and shared by people in collaborative contexts, within and across organisations. We demonstrate how trade-offs can be explored using the modelling approach hence allowing decision makers to explore the different impacts of policy choices.”

--- NOTE: my original HP blog can be found here ---

Friday, July 4, 2008

Gartner’s Report: Top Seven Cloud-computing Security Risks

I tend to agree with the findings of a recent Gartner report on the top seven cloud-computing security risks. A related article, by Jon Brodkin, provides a nice overview and summary of the key takeaways of this report:

“Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”

Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing,” Gartner says.”

In particular I believe that the aspects related to “privileged user access”, “regulatory compliance” and “data location/data segregation/privacy management” are potential key issues that, if not properly addressed, can expose organizations (and users) to high risks.

--- NOTE: my original HP blog can be found here ---

Thursday, July 3, 2008

FTC Planning to Conduct a Wide-Range Study on Identity Theft Victims

As highlighted in this recent article (called “FTC recruiting identity theft victims”), the FTC is planning to conduct a wide-ranging study on identity theft victims:

“In an effort to buttress its enforcement and better understand the scourge that is identity theft, the Federal Trade Commission said today it plans to conduct a wide-ranging study of victims of the crime.

The FTC is looking for people harmed by the crime and said the survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge.”

More details are in the article mentioned above, including the URL of the FTC survey site (NOTE: at the moment of writing I tried to connect to this site but it does not work …).

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Saturday, June 28, 2008

The Future of Identity Management? It is all about Managing Risk …

As I have been posting for a while, I believe that Identity Management will evolve, during the next few years, from a pure “control point and compliance”-based approach towards an approach that will increasingly factor in the management of Risk.

Decision makers (CIOs, CISOs, etc.) are shifting from a “compliance management” mentality to a “risk management” mentality, when making investment decisions on IT security solutions. Their investment decisions (including the ones on Identity Management) are going to be increasingly questioned, due to the shrinking of resources available. Hence the need to prioritise based on real business objectives and needs.

I am glad that Burton Group is now making some statements in the same direction, as can be inferred from this article:

“Identity management is evolving to include a closer recognition of risk and how to manage it rather than trying to eliminate it using technology, according to the head of the Burton Group consulting firm.

“Companies are looking at controls from a risk perspective instead of trying to control everything,” said Jamie Lewis, CEO of the Burton Group during the opening day of the firm’s annual Catalyst Conference. “It is about people managing risk and not about technology trying to make risk disappear.””

I believe there is a whole new set of research and commercial opportunities in this space (i.e. beyond compliance management and control points), whilst traditional Identity Management solutions are becoming more and more a commodity.

--- NOTE: my original HP blog can be found here ---

Thursday, June 26, 2008

Do CIOs care about Data Privacy?

Apparently they don't, at least based on a recent Ernst & Young report, whose outcomes have been summarised in this article written by Adrie van der Luijt:

“IT fraud and data privacy fail to sound the alarm for CIOs and internal audit chiefs, a survey shows. Sixty-five per cent of internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business.

A survey, released by Ernst & Young, found that internal audit chiefs ranked corporate breaches and data privacy regulation sixth in their top ten IT risks for the organisation, while for CIOs it barely made it onto the list at just ninth.

In addition just 14 per cent of internal audit chiefs said that their staff had been trained in fraud investigation. …”

I would be interested in having a look at this survey, if only I could find a copy online …

--- NOTE: my original HP blog can be found here ---

Tuesday, June 24, 2008

The “Information Card Foundation” (ICF) has been launched

The Information Card Foundation has been launched on Monday, as reported by this article published by news.com:

“A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards. …”

The ICF web site should be live on Tuesday, i.e. today.

I think this is a great opportunity for improving interoperability in the identity federation space, including interoperability with other initiatives, such as Liberty Alliance’s.

--- NOTE: my original HP blog can be found here ---

Monday, June 23, 2008

Liberty Alliance releases the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications

Today, Liberty Alliance has publicly announced the release of the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications:

"Liberty Alliance, the global identity community working to build a more trust-worthy internet for consumers, governments and businesses worldwide, today announced an industry milestone in driving trust and privacy into enterprise and identity-enabled applications based on the release of the Liberty Identity Assurance Framework (IAF) and the Liberty Identity Governance Framework (IGF). Today’s news is the result of the collaborative development of standardized frameworks and technologies designed to meet cross-industry requirements for policy-based security and privacy systems, with a focus on streamlining the establishment and management of identity and trust across user-driven applications and networks."

I believe this is a first, important step towards providing a more systemic approach to assurance and privacy management in complex organisational (and cross-organisational) contexts.

More details can be found in the Liberty Alliance’s announcement, here.

--- NOTE: my original HP blog can be found here ---

Friday, June 20, 2008

DoD and Funding Research into Information Sharing

As reported by this article, the US Defence Department (DoD) is going to fund research on information sharing:

"The Defense Department has awarded $7.5 million to six universities for a five-year research program to help solve the problem of sharing sensitive information while ensuring privacy and security.

The failure of intelligence and law enforcement organizations to share information was one of the problems that contributed to the terrorist attacks of Sept. 11, 2001, according to the commission that studied the attacks. But connecting the dots has proved to be a knotty problem for organizations built on secrecy and control. …”

--- NOTE: my original HP blog can be found here ---

Tuesday, June 17, 2008

Future Security Architecture enabling “Multiple Personae”

I would like to thank David Lacey for highlighting, in a recent post on his Security Blog, some R&D work done at HP Labs, Systems Security Lab (SSL), that has recently been presented at GC 2008. Here are David’s notes and comments:

“… For several years HP and others have been doing some excellent research on how to develop a secure architecture to enable a client platform to run multiple applications of varying sensitivity and risk, whether business or personal.
The future solution, if it can be realised, is to maintain a single client platform with a secure firmware base that can switch between numerous operating system environments, each running a particular environment. This would enable you to separate your business, personal, banking and other operations, reducing the risks to business systems from personal devices and eliminating the phishing.
This approach also transforms the nature of identity management. You can have as many individual persona as you wish. It sounds perfect. But there is one further challenge. The firmware has to be bullet-proof. A single flaw can undermine the whole concept. Let's hope HP can get this right. “

P.S.: to be clear, I am not directly involved in this project – just creating awareness about excellent work done by my colleagues.

--- NOTE: my original HP blog can be found here ---

Monday, June 16, 2008

Identity Thefts, The US FACT Act and Red Flag rules …

How many of you were aware of the fact that US financial institutions face a mandatory deadline of November 1, 2008 to comply with 3 new US Fair and Accurate Credit Transactions Act (FACT Act) regulations referred to as the Red Flag rules?

As explained (in a nutshell) in this Wikipedia page, these are the 3 new regulations:
  • “One that requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft;
  • Another that requires users of consumer reports to respond to Notices of Address Discrepancies that they receive;
  • A third that places special requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward they receive a request for an additional or replacement card for the same account.”

I wonder how effective these new measures will be in mitigating the risks of identity theft …

--- NOTE: my original HP blog can be found here ---

Wednesday, June 11, 2008

Article: “50 Ways to Take Back Control of Your Personal Data”

Have a look at this very interesting article, called “50 Ways to Take Back Control of Your Personal Data”, by InsideCRM, which provides a useful list of tips and “common sense” (but quite often forgotten …) ways to protect your personal data, maintain a degree of control over it and reduce your exposure to identity theft, financial losses and other crimes.

These tips are organised by categories, in terms of:
  • Web Privacy
  • Credit and Finance
  • General Privacy
  • Cell Phones and Online Phone Services
  • Rules to follow to Protect Your Privacy
  • Tools and tips

--- NOTE: my original HP blog can be found here ---

Tuesday, June 10, 2008

WEIS 2008 and “Economics of Identity Management”

R&D papers and work presented at the Workshops on Economics of Information Security (WEIS) discuss and explore how economic theory and economic analysis can be successfully applied to information security, instead of focusing just on the traditional technology-driven approaches.

What are the “Economics of Identity Management”? Something I believe would be worth exploring too, with a scientific approach.

The 7th workshop on Economics of Information Security - WEIS 2008 is going to take place in Hanover, NH, June 25-28, 2008:

“Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating business and policy options. How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?
The 2008 Workshop on the Economics of Information Security, the seventh workshop, will build on a strong and growing interdisciplinary tradition, bringing together information technology academics and practitioners with social scientists and business and legal scholars to better understand security and privacy threats. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. However, we know that economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. The application of economic analysis to these problems has proven to be an exciting and fruitful area of research.”

Most of the above points also apply to the “Identity Management” field. An opportunity to contribute.

--- NOTE: my original HP blog can be found here ---

Friday, June 6, 2008

Data Breach Disclosure Laws Are Not so Effective in Reducing Identity Theft …

This is the message I got from a very interesting paper, titled “Do Data Breach Disclosure Laws Reduce Identity Theft?” (Authors: Sasha Romanosky, Rahul Telang, Alessandro Acquisti), that is going to be presented at the 7th workshop on Economics of Information Security - WEIS 2008, Hanover, NH, June 25-28, 2008.

Based on their current studies, the authors found “no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce”. The full abstract of a draft version of their paper (accessible online) follows:

“Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured.
We use panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.”

--- NOTE: my original HP blog can be found here ---

Monday, June 2, 2008

My HP blog is Back in the new HP Communities Hosting Site …

My HP Blog on “Research on Identity Management” is now back, in the new HP Communities Hosting Site.

Enjoy …

--- NOTE: my original HP blog can be found here ---

Friday, May 30, 2008

OECD Working Paper - “At a Crossroads: Personhood and Digital Identity in the Information Society”

OECD has recently released a working paper, called “At a Crossroads: Personhood and Digital Identity in the Information Society”.

This paper discusses the relationship between the properties of identity, identity management and the concept of personhood. Specifically, it argues that:

“Law and technology must be crafted to respect certain "Properties of Identity" in identity management in order for the information society to be free and open. Respect for the Properties of Identity is necessary for data protection; data protection is necessary for accountability; and accountability is necessary for trust”.

This work has been led by Mary Rundle. Co-authors include: Bob Blakley, Jeff Broberg, Anthony Nadalin, Dale Olds, Mary Ruddy, Marcelo Thompson Mello Guimarães, and Paul Trevithick.

--- NOTE: my original HP blog can be found here ---

Tuesday, May 27, 2008

ACM Digital Identity Management (DIM) 2008 – Deadline extended to 6 June 2008

The submission deadline of the 4th ACM DIM 2008 has been extended to 6 June 2008.

This year’s theme is “Services and Identity”. The complete Call for Papers can be found here. Please consider submitting a paper.

--- NOTE: my original HP blog can be found here ---

Friday, May 23, 2008

Part II: HP and Novell Announce Migration Program for HP Identity Management Customers

In a previous post of mine I created awareness about a recent HP News Release, saying that: “HP and Novell announced an exclusive alliance to migrate HP Identity Center customers to Novell identity and security management solutions”.

My HP colleague, Archie Reed, has gone further: he has provided additional background and described HP’s current approach to Identity Management. Please have a look at his post on “HP and Identity Management”.

Archie, well done: I received a few requests for more information too – your post is addressing them all.

--- NOTE: my original HP blog can be found here ---

Thursday, May 22, 2008

HP and Novell Announce Migration Program for HP Identity Management Customers

HP Identity Management customers might be interested in this recent News Release by HP:

“HP and Novell today announced an exclusive alliance to migrate HP Identity Center customers to Novell identity and security management solutions.

As part of an agreement between the companies, HP and Novell will jointly offer migration services, HP will resell Novell identity and security management solutions and Novell will license HP Identity Center technology.

Earlier this year, HP announced it will focus its investment in identity management products on existing customers rather than selling the products to new customers. To ensure that they continue to have access to exemplary identity management solutions, existing HP customers can take advantage of this program and migrate to Novell’s industry-leading offerings. Customers who choose not to migrate will continue to be supported by HP. …”

Phorm Spoiler Launched by a Privacy Group

As reported in this article, a privacy group (The Anti-Phorm Group) has launched a “Phorm Spoiler”, to deal with the fact that ISPs and Phorm Advertising Services are increasingly collecting personal data and profiles based on users’ surfing behaviours. An Anti-Phorm application is available for download online:

“The AntiPhorm group - which describes itself as "a loose conglomeration of concerned individuals comprised of artists, programmers and designers" - says it wants to prevent ISPs from profiting from their customers' personal surfing habits. …

To throw Phorm off the scent, the team has developed an application called AntiPhormLite that sits in the background, visiting random sites. "It connects to the web and intelligently simulates natural surfing behaviour across thousands of customisable topics," the site claims.”

Seminar (23 May 2008): An Empirical Analysis of Phishing Attack and Defense

People in the UK might be interested in this seminar by Tyler Moore, titled “An Empirical Analysis of Phishing Attack and Defense”, which is going to take place at the University of Bath, UK, on Friday, 23 May 2008. The abstract follows:

“A key way in which banks mitigate the effects of phishing attacks is to remove the fraudulent websites and abusive domain names hosting them. We have gathered and analyzed empirical data on phishing website removal times and the number of visitors that the websites attract. We find that website removal is part of the answer to phishing, but it is not fast enough to completely mitigate the problem. Phishing-website lifetimes follow a long-tailed lognormal distribution -- while many sites are removed quickly, others remain much longer. We have found evidence that one group responsible for half of all phishing, the rock-phish gang, cooperates by pooling hosting resources and by targeting many banks simultaneously. The gang's architectural innovations have significantly extended their websites' average lifetime. Using response data obtained from the servers hosting phishing websites, we also provide a ballpark estimate of the total losses due to phishing. Phishing-website removal is often subcontracted to specialist companies. We analyze three months of 'feeds' of phishing website URLs from multiple sources, including two such companies. We demonstrate that in each case huge numbers of websites may be known to others, but the company with the take-down contract remains unaware, or learns of sites only belatedly. Upon calculating the resultant increase in lifetimes caused by the take-down company's lack of action, the results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs.”

Friday, May 16, 2008

EU PICOS Project: Investigating Trust, Privacy and IdM in Mobile Communities

The EU PICOS Project (FP7) is a consortium consisting of eleven partners from seven different countries of the EU. It involves specialists from the fields of science, research and industry.

PICOS stands for “Privacy and Identity Management for Community Services”:

“Within 3 years, PICOS will investigate and develop a state-of-the-art platform for providing trust, privacy and identity management in mobile communities”.

The official PICOS web site is now available online. On this site you can also access the PICOS fact-sheet.

Tuesday, May 13, 2008

“IdM Risk Management” and “Identity Analytics”: Anything Else Apart From “Bottom-Up” Approaches?

I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:

(1) Risk Analysis and Management in the space of Identity Management
(2) Identity Analytics

My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective, i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) providing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach, where the “risk assessment” is done against predefined policies and/or well-defined situations.

So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) to explore trade-offs in the Identity Management space (e.g. making investments in education vs IT solutions vs outsourcing vs etc.), to understand the impact on factors of relevance for an organisation (e.g. costs, reputation, losses, trust, etc.), to make compelling decisions and potentially to define suitable policies.

A specific example would be decision support solutions that help in understanding the trade-offs between adopting (in an organisation) strong passwords, SSO, multi-factor authentication, etc. against the involved costs, the value of the assets to be protected, the kind of involved users and the actual benefits in terms of security. More in general, these solutions should provide insights about potential trade-offs between various possible choices in the IdM space (in terms of authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the involved complexity …

Is anybody aware of specific research/work/solutions in this space?

CIOs/CISOs are increasingly asked to justify the reasons behind their security investments and/or have to make investment choices that must “maximise” their “expected outcomes” based on ever-shrinking budgets. I see the opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …

Monday, May 12, 2008

PLING panel at WWW 2008

A PLING panel has been held at the WWW 2008 conference (Beijing, 23-25 April), discussing policies and the Policy-aware Web.

The list of panellists includes: Renato Iannella (Moderator), Piero Bonatti, Lalana Kagal, Thomas Roessler.

The slides presented in this panel are now available online.

Wednesday, May 7, 2008

HP Labs Opens Research Opportunities to Academia

As announced in a recent press release, HP Labs are opening research opportunities to academia:

“HP today made it possible for colleges, universities and research institutions worldwide to participate in joint research with HP Labs, the company’s central research facility, through an open and competitive process.
The new HP Labs Innovation Research Program invites the worldwide academic community to submit proposals related to current research in the areas of information explosion, dynamic cloud services, content transformation, intelligent infrastructure and sustainability.
The program is the first offering of the HP Labs Open Innovation Office, which was established earlier this year as part of HP Labs’ new approach to research. The office is responsible for deepening HP Labs’ strategic collaborations with academia, the government and the commercial sector to produce mutually beneficial, high-impact research.

Program guidelines and the online submission tool are available at www.hpl.hp.com/open_innovation/irp. Proposals will go through an extensive review process within HP Labs. Selected winners will be notified in late 2008.”

Thursday, May 1, 2008

New HPL Technical Report: On Identity-aware Devices

A new HPL Technical report, “On Identity-aware Devices: Putting Users in Control across Federated Services”, has been recently published:

“This paper describes R&D work on "Identity-aware Devices", in the context of federated services. The aim is to put users in control of their credentials and identities and enable simple, secure, trustworthy and transparent access to federated services. Current users' experience in networked and federated services is difficult and painful, especially when using mobile devices (e.g. mobile phones, laptops, PDAs, etc.): users need to contact online service providers and authenticate against them; additional credentials might be issued and required to access services; credentials need to be stored in a safe and secure place. Users have little control over the release of their identity information and related processes. A solution to address these issues is presented, based on the concept of "Identity-aware Devices" and federated "Provisioning Services". "Identity-aware Devices" leverage trusted modules and are driven by policies and users' preferences. Part of this work has been carried out in the context of a Liberty Alliance initiative, in collaboration with BT and Intel teams, aiming at driving the next generation of interoperable identity solutions. A full working prototype has been developed and successfully demonstrated in a joint project. This is work in progress. Next steps and plans are presented and discussed.”

Authors: Casassa Mont, Marco; Balacheff, Boris; Rouault, Jason; Drozdzewski, Daniel

Tuesday, April 29, 2008

Are Patients’ Medical Records at Risk?

I found a recent Wall Street Journal article, “Are Your Medical Records at Risk?” (by Sarah Rubenstein), very interesting. It provides good insights about the trade-offs adopted by the healthcare industry when weighing privacy against quality of care:

“When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself …”.

This article focuses on the US reality – but some of the points it raises can be of concern also in other countries …

Monday, April 28, 2008

From “Operational Identity Management” to “Identity Analytics”

Most current work in the space of Identity Management is around “operational” identity management, i.e. systems and solutions providing security control points to be deployed within an IT infrastructure.

In addition, IdM solutions in the space of “compliance management” will also have to come to terms with the current shift towards “risk management”, where decision makers/CISOs/CIOs are more and more heavily scrutinising their security investments and making their investment bets based on priorities and actual risks.

I believe that an important “next step” in the Identity Management space is going to be towards “Identity Analytics” and related “Identity Risk Management”.

Here are a few interesting research questions in the “Identity Analytics” space:
  • What are the basic principles that underpin and characterize enterprise’s identity & privacy management processes (and related human behaviors) and their impact on organizations?
  • How to abstract them with models and ways to generate predictions (e.g. with simulation tools) that can be leveraged by decision makers/CISOs/CIOs?
  • How to enable decision makers/CISOs/CIOs to better understand (in advance) the impact and implications of their decisions in terms of security risks, costs and potential losses, impact on reputation, etc.?

Tuesday, April 22, 2008

Announcing ACSAC 2008

This community might be interested in knowing that the Call for Papers for the 24th Annual Computer Security Applications Conference (ACSAC 2008) is now available online – the submission deadline is June 1st:

“ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Papers offering novel contributions in any aspect of computer and application security are solicited. Papers may present techniques, applications, or practical experience, or theory that has a clear practical impact. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application.

Topics of interest include, but are not limited to:

- Access control
- Applied cryptography
- Audit and audit reduction
- Biometrics
- Boundary control devices
- Certification and accreditation
- Database security
- Defensive information warfare
- Denial of service protection
- Distributed systems security
- Electronic commerce security
- Enterprise security
- Forensics
- Identification and authentication
- Identity management
- Incident response planning
- Information survivability
- Insider threat protection
- Integrity
- Intellectual property rights protection
- Intrusion detection
- Malware
- Mobile and wireless security
- Multimedia security
- Operating systems security
- Peer-to-peer security
- Privacy and data protection
- Product evaluation criteria and compliance
- Risk/vulnerability assessment
- Secure location services
- Security engineering and management
- Security in IT outsourcing
- Service Oriented Architectures
- Software assurance
- Trust management
- Virtualization security
- VoIP security”

Tuesday, April 15, 2008

Liberty Alliance’s Privacy Summits

A recent press release issued by Liberty Alliance announced the first of three webcasts from its 2008 Privacy in Perspective series:

“Taking place at 8:00am US PT (3:00 UTC) on Wednesday, April 16, the public event is hosted by Robin Wilton, Corporate Architect for Federated Identity, Sun Microsystems and co-chair of the Liberty Alliance Public Policy Group. The webcast will review findings and next steps from the ongoing series of global Liberty Alliance privacy summits held so far in Basel, Berlin, Brussels, London and Washington DC.

"The Liberty Alliance privacy summits bring privacy stakeholders from the global commercial, academic, legal and public sectors together to address privacy concerns and discuss possible solutions," said Wilton. "The April 16 webcast will showcase lessons learned during the summits to help organizations remove obstacles to a productive, multi-stakeholder discussion about privacy issues."”

The registration site for this privacy summit is available here.

Published findings from previous Liberty Alliance’s Privacy Summits are available here.

Saturday, April 12, 2008

InfoSecurity 2008

InfoSecurity 2008 (Europe) is going to take place in London, 22-24 April 2008.

Of particular interest are the events and presentations happening in the Keynote Theatre, Technical Theatre, Business Strategy Theatre and Interactive Theatre.

Thursday, April 10, 2008

CfP: IEEE InSPEC 2008 – Workshop on Security and Privacy in Enterprise Computing

The call for papers for the International Workshop on Security and Privacy in Enterprise Computing (InSPEC 2008) is now available online.

This workshop is going to be held in conjunction with IEEE EDOC 2008. Please consider submitting a paper. The deadline is June 13, 2008:

“Several technologies have emerged for enterprise computing. Workflows are now widely adopted by industry and distributed workflows have been a topic of research for many years. Today, services are becoming the new building blocks of enterprise systems and service-oriented architectures are combining them in a flexible and novel way. Business applications, such as Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Supplier Relationship Management (SRM) systems form the core of enterprise systems. In addition, with wide adoption of e-commerce, business analytics that exploits multiple, heterogeneous data sources have become an important field. These technological trends are accompanied by new business trends due to globalization that involve innovative forms of collaborations such as virtual organizations. Further, the increased speed of business requires IT systems to become more flexible and highly dynamic.

All of these trends bring with them new challenges to the security and privacy of enterprise computing. We are increasingly relying on IT systems for our daily business including essential utilities such as water and power. The traditional forms of computer security need to be enhanced to address the distributed nature and multiple administrative domains of conducting business. For example, algorithms for incorporating the new business practices need to be identified for access control. Similarly, data confidentiality cannot be provided on the network layer anymore, it needs to be built into applications and processes that span across various domains. The enhanced data sharing calls for innovative algorithms and protocols. Novel cryptographic techniques need to be developed and established ones evaluated for industrial adoption. In addition to the security measures, this new generation of distributed systems requires techniques for ensuring compliance with regulations on governance and privacy of data, including those asserted by government and regulatory agencies.

New concepts for solving these challenges require the combination of many disciplines from computer science and information systems, such as cryptography, networking, distributed systems, process modeling and design, access control, privacy etc. It is the goal of this workshop to provide a forum for exchange of novel research in these areas among the experts from academia and industry. Completed work as well as research in progress is welcome, as we want to foster the exchange of novel ideas and approaches.

Topics of interest include but are not limited to:

* Security and privacy in workflow systems
o Access control architectures
o Modeling of security and privacy constraints
o Automatic security augmentation
o Secure/Trusted virtual domains
* Security and privacy in service-oriented architectures
o Secure composition of services
o Semantic aware security
o Security services
o Trustworthy computation
* Identity Management
o Security and Privacy
o Applications to compliance
o Effective use in business IT systems
* Data sharing
o Cryptographic protection during data sharing
o Privacy-preserving distributed applications
o Efficient multi-party computations
o Privacy and data sharing policies
* Security and privacy in management information systems
o Novel secure applications
o Secure and private data analytics
o Flexible and seamless security architectures
o Secure operating system design
* Collaborations
o Secure and private supply chains
o Security and privacy in virtual organizations
o Private social network and Web 2.0 applications
o Security and privacy in outsourcing”

Monday, April 7, 2008

HPL Technical Report: On Automatic Compliance of Privacy Policies in Federated Identity Management …

An HPL Technical report has been recently published on the topic of “Automatic Compliance of Privacy Policies in Federated Identity Management”:

“Privacy in the digital world is an important problem which is becoming even more pressing as new collaborative applications are developed. The lack of privacy preserving mechanisms is particularly problematic in federated identity management contexts. In such a context, users can seamlessly interact with a variety of federated web services, through the use of single-sign-on mechanisms and the capability of sharing personal data among these web services. Because of the latter feature, users' privacy is at stake if the sharing of such data among federated service providers is not properly controlled to ensure that privacy is preserved and users' privacy preferences are complied with. Current federated identity management solutions adopt simplistic approaches to privacy management, based on contractual/legal approaches and/or limited simple checks on users' privacy preferences. We argue that more comprehensive privacy policies (consisting of access control and obligation constraints, along with privacy preferences) should be stated by federated service providers and proactively checked by these providers, before disclosing users' data to federated partners. To address such requirements, we introduce mechanisms and algorithms for policy compliance checking between federated service providers, based on an innovative policy subsumption approach. We formally introduce and analyze our approach. We also show how our approach is suitable for deployment and application in existing federated identity management solutions, such as Liberty Alliance, WS-* and Shibboleth.”

Authors: Anna Squicciarini (The Pennsylvania State University), Marco Casassa Mont, Abhilasha Bhargav-Spantzel (Purdue University), Elisa Bertino (Purdue University).

A short paper derived from this technical report has been accepted at IEEE Policy 2008.

Friday, April 4, 2008

On Making a Business Case for Identity Management …

A recent article, by Katherine Walsh, titled “How to Make a Business Case for Identity Management” provides a few tips on how to articulate a business case for Identity Management:
  • Decide what IdM means to you
  • Articulate the Business Performance and Productivity Benefits of IDM
  • Create a Tangible, Phased Implementation Plan
  • Don't Forget to Have a 'Mr. or Ms. IDM'--Is This You?
  • Avoid Scare Tactics or Pigeonholing

I think that, from a CSO/CISO perspective, it would also make sense to clearly articulate the Business Risk Mitigation factors that IdM could bring …

Tuesday, April 1, 2008

New HPL Technical Report: “Assurance for Federated Identity Management”

A new HP Labs technical report, “Assurance for Federated Identity Management”, revisiting and extending a previous one on the same topic, has been published:

"Federated Identity Management is an emerging paradigm that is rightly getting a lot of standardization and research attention. One aspect that is not receiving enough attention is assurance. Given the challenges enterprises faced trying to demonstrate appropriate control of their internal and monolithic identity management systems, the problem of how to provide assurance to multiple stakeholders that controls, operations and technologies that cut across organisational boundaries are appropriately mitigating risk looks daunting. The paper provides an exposition of the assurance process, how it applies to identity management and particularly to federated identity management. Our contribution is to show that technology can be used to overcome many of the trust, transparency and information reconciliation problems. Specifically, we show how declarative assurance models can orchestrate and automate much of the assurance work, how certain enforcement technologies can radically improve identity assurance, and how an assurance framework can provide a basis for judging the assurance value of security technologies."

HPL Authors: Baldwin, Adrian; Casassa Mont, Marco; Beres, Yolanda; Shiu, Simon

Friday, March 28, 2008

There is Life after PRIME: PrimeLife …

As you might be aware, after 4 years the EU PRIME Project (Privacy for Identity Management in Europe) has come to an end. But it is not all over … The EU PrimeLife Project is going to be one of its follow-ups:

“The European Union is to spend £7.8m on a three-year project to enhance users' privacy in social networks, virtual communities and other Web 2.0 technologies. PrimeLife's short-term goal is to provide scalable and configurable privacy and identity management in new and emerging internet services and applications. In the longer term, it aims to develop tools that will protect individuals' privacy throughout their life.
Jan Camenisch, PrimeLife's technical leader, said everyone who used the internet left "virtual footprints" that others could collect and use without their knowledge. This was made possible by advances in technologies for data collection, unlimited storage, and reuse and lifelong linkage of these digital traces, he said. …” (more details are available in Ian Grant’s article).

Additional details are available in another article by Bryan Betts, Techworld:

“PrimeLife's co-ordinator is IBM's Zurich research laboratory, and it follows on from an earlier EU-backed project into identity management systems, called Prime (Privacy and Identity Management in Europe). Where Prime was mostly concerned with identity management (see its white paper here), PrimeLife will go beyond that to address privacy management and trust issues across a user's entire lifespan from childhood to old age, said IBM cryptography researcher Jan Camenisch, who is the project's technical leader.
…”

Finally, this article provides some additional information on its scope and participants:

“Several PrimeLife partners are participants in industry and standardization groups such as the World Wide Web Consortium’s PLING, Liberty Alliance, ISO/IEC JTC 1, and ITU. Furthermore, PrimeLife will work and interact with relevant open-source communities such as Higgins, as well as with other research projects in order to achieve the sustainability of these project results.

PrimeLife’s multidisciplinary consortium consists of the coordinator, the IBM Zurich Research Laboratory, Switzerland, and project partners from various countries: Center for Usability Research & Engineering, Austria; Katholieke Universiteit Leuven, Belgium; GEIE ERCIM, France; Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Technische Universität Dresden, Johann Wolfgang Goethe-Universität Frankfurt am Main, Europäisches Microsoft Innovations Center GmbH, Giesecke & Devrient GmbH and SAP AG, Germany; Università degli Studi di Bergamo and Università degli Studi di Milano, Italy; Stichting Katholieke Universiteit Brabant, The Netherlands; Karlstads Universitet, Sweden; and Brown University, United States of America.”
