Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, January 30, 2008

On the “Identity Self-Defence Course” …

Have a look at this interesting post by Doug Pollack, titled “Are you Well Protected?”:

“As we look forward to what is in store for us in 2008, The Identity Theft Resource Center is projecting an increase in both the number of security breaches and incidents of identity theft. With this as a backdrop, we've developed a set of recommendations for people to protect themselves. As part of our ID Self-Defense Academy, a component of our subscription services member website, this Self-Defense Checklist includes both common sense suggestions that you are likely to be familiar with, as well as others that are new this year given the evolution in the use of the internet and computers in identity theft.”

Actually, this post provides an “ID self-defence check list” about:
  • Protecting yourself at home
  • Protecting your computer and Internet access
  • Protecting yourself on the road

Of course, all this is pretty much based on common sense, but it provides a useful reminder …

--- NOTE: my original HP blog can be found here ---

Monday, January 28, 2008

What are the actual ID Card plans in the UK?

An interesting article by Telegraph.co.uk highlights some of the “confusion” that exists in current UK plans for ID cards:

“The future of the Government's identity card scheme is in confusion as it emerged that plans for a national fingerprint database may be quietly dropped.

At the same time, it appears that ministers are considering introducing a compulsory ID scheme by stealth, with plans that would require young people to obtain a card before being granted a driving licence.

The proposals were disclosed in two leaked Home Office documents and expose the lack of agreement within the Government over the extent to which ministers should continue with the commitment to ID cards. …”

More details can be found in the Telegraph’s article.

Friday, January 25, 2008

Article on Identity Governance Framework (IGF) published by SOX Compliance Journal

As already announced in Phil Hunt’s blog, an article has recently been published by the SOX Compliance Journal about how the Identity Governance Framework can help to address Privacy and SOX Compliance aspects.

This article is called “Identity Governance Framework: Liberty Alliance’s Initiative Addressing Privacy and SOX” and its authors are: Phil Hunt (Oracle) and Marco Casassa Mont (HP Labs).

As pointed out by Phil, “this article is a good introduction to the problems of privacy and compliance as it relates to personal information and how IGF is intended to make the compliance of applications and the businesses that deploy them much easier to achieve.”

More information about the Liberty Alliance’s Identity Governance Framework initiative can be found here.

Wednesday, January 23, 2008

PLING Interest Group: Additional Policy Use Cases/Requirements

I'd like to share two additional (high-level) policy use cases and related requirements with this community (I’ve already submitted them to the Policy Languages Interest Group – PLING mailing list) about:

(1) Privacy Policy Management - Use Case & Requirements
(2) Federated Policy Management - Use Case & Requirements

Details follow.

1) Privacy Policy Management - Use Case & Requirements

A recurrent use case that I came across in various contexts (EU PRIME Project, interactions with customers, etc.) is how to use policies to deal with privacy enforcement and compliance checking in organisational contexts. This is pretty much consistent with some of the points already highlighted in Michael Wilson's use case.

Organisations and enterprises collect a lot of personal data and sensitive information in order to enable their businesses. In doing this, they need to comply with laws and legislation (HIPAA, COPPA, EU Data Protection, etc.), standards of business conduct, guidelines, etc.

Three key aspects are of interest:
(a) policy representation
(b) enforcement of (privacy) policies
(c) policy compliance checking

Basic privacy constraints require handling users' consent, allowing access to the data only for agreed purposes and managing the lifecycle (e.g. data transformation, minimisation, deletion, etc.) of personal data driven by privacy principles. However, other aspects such as security and business constraints also need to be taken into account.

Personal data can be stored in a variety of data repositories (databases, LDAP directories, file systems, etc.) and be accessed by people, applications and services. This data can be processed and disclosed to third parties.

A "blend" of personal preferences and business, security and privacy constraints needs to be taken into account in "policies" dictating how to access, use, process and disclose this information.

Some common requirements that I came across are:

- need for more "integration" of business, security and privacy policies
- need to leverage state-of-the-art Identity Management solutions (that might use, in some cases, proprietary/ad-hoc policy languages ...)
- need to measure and demonstrate compliance to guidelines, laws and legislation

Policies (and policy management frameworks) can play a key role to deal with privacy enforcement and compliance checking tasks. However, one of the current limitations is that these aspects are currently addressed in a "compartmentalised" way, by using different policy languages and policy management systems (for security, privacy, etc.) that do not interoperate i.e. act in stand-alone ways. This creates issues in terms of alignment of policies, their consistency and overall impact.

How can progress be made, recognising that on the one hand there are multiple policy languages and policy management systems and, on the other hand, more coordination and integration is required?
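To make the three aspects above concrete, here is a small Python model I have added for illustration; it is my own example, not code from the PLING group, the PRIME project or any product. Consent records and organisation-wide purpose/retention rules are plain data (representation), a single decision function is applied at access time (enforcement), and the same function is re-run over a log of past decisions to find releases that policy would have denied (compliance checking); retention stands in for the lifecycle aspect. All subjects, roles, purposes and dates are constructed sample values.

```python
"""Toy privacy-policy engine (added example, not from the original post).

(a) representation: ConsentRecord + PrivacyPolicy
(b) enforcement:    evaluate()
(c) compliance:     compliance_report()
lifecycle:          retention_due()
Every record below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ConsentRecord:
    """(a) What one data subject agreed to when the data was collected."""
    subject: str
    purposes: frozenset        # purposes the subject consented to
    collected_on: date         # starts the retention clock
    allow_third_party: bool = False


@dataclass(frozen=True)
class PrivacyPolicy:
    """(a) Organisation-wide constraints layered on top of individual consent."""
    purpose_roles: dict        # purpose -> set of roles allowed to act for it
    retention_days: int        # data must be deleted after this period


@dataclass(frozen=True)
class AccessRequest:
    requester_role: str
    subject: str
    purpose: str
    action: str                # "read" or "disclose"
    on: date


def evaluate(policy, consents, req):
    """(b) Enforcement: decide one request; returns ('permit'|'deny', reason)."""
    consent = consents.get(req.subject)
    if consent is None:
        return "deny", "no consent record for subject"
    if req.on > consent.collected_on + timedelta(days=policy.retention_days):
        return "deny", "retention period expired; data should have been deleted"
    if req.purpose not in consent.purposes:
        return "deny", f"subject did not consent to purpose '{req.purpose}'"
    if req.requester_role not in policy.purpose_roles.get(req.purpose, set()):
        return "deny", f"role '{req.requester_role}' may not act for '{req.purpose}'"
    if req.action == "disclose" and not consent.allow_third_party:
        return "deny", "disclosure to third parties not consented"
    return "permit", "all consent and policy constraints satisfied"


def compliance_report(policy, consents, log):
    """(c) Compliance checking: re-evaluate (request, decision taken) pairs
    and return those where data was released although policy says deny."""
    violations = []
    for req, taken in log:
        expected, reason = evaluate(policy, consents, req)
        if taken == "permit" and expected == "deny":
            violations.append((req, reason))
    return violations


def retention_due(policy, consents, today):
    """Lifecycle: subjects whose data has outlived the retention period."""
    limit = timedelta(days=policy.retention_days)
    return sorted(s for s, c in consents.items() if today > c.collected_on + limit)


# constructed sample data (hypothetical subjects, roles and dates)
POLICY = PrivacyPolicy(purpose_roles={"billing": {"finance"},
                                      "marketing": {"marketing"}},
                       retention_days=365)
CONSENTS = {
    "alice": ConsentRecord("alice", frozenset({"billing"}), date(2007, 6, 1)),
    "bob": ConsentRecord("bob", frozenset({"billing", "marketing"}),
                         date(2006, 12, 1), allow_third_party=True),
}
TODAY = date(2008, 1, 23)

if __name__ == "__main__":
    for role, subj, purpose, action in [("finance", "alice", "billing", "read"),
                                        ("marketing", "alice", "marketing", "read"),
                                        ("finance", "bob", "billing", "read")]:
        req = AccessRequest(role, subj, purpose, action, TODAY)
        print(role, subj, purpose, action, "->", evaluate(POLICY, CONSENTS, req))
    print("retention due:", retention_due(POLICY, CONSENTS, TODAY))
```

The point of keeping enforcement and compliance checking as the same function is exactly the integration the use case asks for: if the security policy (role-to-purpose mapping) and the privacy policy (consent, retention) are evaluated together, a compliance audit can replay the access log against one consistent rule set instead of reconciling the output of separate engines.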

2) Federated Policy Management - Use Case & Requirements

This use case is, in some way, a generalisation of the previous one: I came across it both in enterprise and telecom contexts.

An enterprise/organisation uses a broad variety of IT tools and solutions. The enterprise IT infrastructure includes systems, tools and solutions deployed at different levels of abstraction: network, system, OS, information, application, service, business, etc.

Many of the involved systems, tools and solutions are configured with and driven by "local policies", defined by using specific (sometimes ad-hoc ...) languages. These "local policies" are often the effect of (human-based) "refinements" and "deployments" of high level business/security/etc. policies. Different policies, policy decision points and policy enforcement points are used for security, business, privacy and other aspects.

- How to make sense of all of them?
- How to ensure that their overall impact on the IT infrastructure is consistent with the high level policies and guidelines?
- How to understand what the impact of changes of "local policies" (let's say at network level or at the application level) is on the high level policies?
- How to understand what the impact of changes of high-level policies is on some of these "local policies"?

This is what I call a "federated policy management" use case, i.e. a use case where there is the need to understand and take into account the overall set of policies deployed in an IT infrastructure and to have an "integrated, coordinated and consistent" management of these policies.

In this use case many different policy languages are used, operating on different IT entities (at different levels of abstraction) and enforced by different policy enforcement points. It is unlikely that all these existing (local) policy languages are going to be replaced by a unique "comprehensive" language ...

Some requirements are about having a consistent "meta-representation/abstraction" of the core principles/aspects/constraints expressed by various "local policies" along with ways of defining dependencies and relationships between them.

This would help to better understand the overall heterogeneous set of operational policies, link them back to high-level policies and reason on top of it.
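As an added illustration of the "meta-representation plus dependencies" idea (my own example, not something produced by PLING or any vendor), the Python model below keeps every local policy in its native language but attaches a small abstract view of it: a set of (resource, property, value) triples, plus "refines" links to the higher-level policies it implements. On top of that it answers the four questions above: which high-level policies depend on a local one, which local policies are touched by a high-level change, whether the local policies still cover every high-level constraint, and where they contradict it. The policy identifiers, levels and native rule texts are constructed.

```python
"""Toy federated-policy model (added example, not from the original post).

Each Policy keeps its native text and language but also a meta-representation:
a frozenset of (resource, property, value) triples. Refinement links record
which higher-level policies a local one implements. All sample policies are
constructed; "XACML" and "cron" are used only as labels for native languages.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    pid: str
    level: str               # business | application | system | network
    language: str            # native language the policy is written in
    constraints: frozenset   # meta-representation: (resource, property, value)
    native: str = ""         # original rule text, kept only for traceability


class PolicyGraph:
    def __init__(self):
        self.policies = {}
        self.refines = defaultdict(set)     # lower pid -> higher pids it implements
        self.refined_by = defaultdict(set)  # higher pid -> lower pids

    def add(self, policy, refines=()):
        self.policies[policy.pid] = policy
        for upper in refines:
            if upper not in self.policies:
                raise KeyError(f"unknown higher-level policy {upper}")
            self.refines[policy.pid].add(upper)
            self.refined_by[upper].add(policy.pid)

    def _closure(self, pid, edges):
        """Transitive closure of `pid` over one edge relation."""
        seen, todo = set(), deque([pid])
        while todo:
            for nxt in edges[todo.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def upward_impact(self, pid):
        """High-level policies whose guarantees rest on `pid` (transitively)."""
        return self._closure(pid, self.refines)

    def downward_impact(self, pid):
        """Local policies that must be revisited when `pid` changes."""
        return self._closure(pid, self.refined_by)

    def coverage_gaps(self, pid):
        """Constraints of `pid` restated by none of the policies refining it."""
        implemented = set()
        for low in self.downward_impact(pid):
            implemented |= self.policies[low].constraints
        return self.policies[pid].constraints - implemented

    def conflicts(self):
        """(upper, lower, (resource, property)) where a refining policy sets a
        different value than the policy it claims to implement."""
        out = []
        for low, uppers in self.refines.items():
            low_vals = {(r, p): v for r, p, v in self.policies[low].constraints}
            for up in uppers:
                for r, p, v in self.policies[up].constraints:
                    if (r, p) in low_vals and low_vals[(r, p)] != v:
                        out.append((up, low, (r, p)))
        return sorted(out)


def build_sample(include_retention=True):
    """Constructed example: one business policy refined at three levels."""
    g = PolicyGraph()
    g.add(Policy("HL1", "business", "prose",
                 frozenset({("customer_pii", "encryption", "required"),
                            ("customer_pii", "retention", "365d")}),
                 "Customer PII is encrypted and deleted after one year"))
    g.add(Policy("A1", "application", "XACML",
                 frozenset({("customer_pii", "encryption", "required")}),
                 "<Rule Effect=\"Deny\">...</Rule>"), refines=["HL1"])
    g.add(Policy("N1", "network", "firewall-rules",
                 frozenset({("customer_pii", "transport", "tls")}),
                 "allow tcp dport 443"), refines=["A1"])
    if include_retention:
        g.add(Policy("S1", "system", "cron",
                     frozenset({("customer_pii", "retention", "365d")}),
                     "0 2 * * * purge --older-than 365"), refines=["HL1"])
    return g


if __name__ == "__main__":
    g = build_sample()
    print("changing N1 affects:", sorted(g.upward_impact("N1")))
    print("changing HL1 affects:", sorted(g.downward_impact("HL1")))
    print("gaps in HL1:", g.coverage_gaps("HL1"), "conflicts:", g.conflicts())
```

The native languages never have to be unified for this to work; only the abstract triples are compared, which is what lets a firewall rule, an application access rule and a retention job all be linked back to the same business statement.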

Did you come across similar use cases? What is your view?

Monday, January 21, 2008

Central Identity Management is a High Priority, whilst Biometrics is Not …

An interesting article (called “Securing the Future: Central identity management systems are now a chief priority, but biometric technologies continue to disappoint”), recently published by Information Age, discusses how Central Identity Management is becoming a high priority in enterprises, whilst the adoption level of Biometrics is low:

“… Identity (ID) management is a case in point. The technology, which is intended to restrict access to vital information, ranked second out of 30 technology strategies IT directors are planning to implement within the next 12 months. Of those 25% of corporations that have already implemented such a system, an encouraging 45% regard the technology as ‘quite effective’ with a further 31% responding that it is ‘very effective’.

With a total of 76% of respondents rating the technology as ‘effective’ or ‘very effective’, ID management does well in the overall rankings, coming in as the 6th most effective IT strategy overall. These results also indicate a slight improvement on last year.

Analyst group Gartner identifies five broad classes of identity and access management tools: directory technologies, identity administration, identity auditing, identity verification and access management.

However, of these broad groups, one – identity verification – remains highly problematic for today’s enterprise. Biometrics – the use of a variety of unique physical characteristics such as fingerprints, voice patterns or facial contours to identify individuals – has long been touted as the ideal enterprise identity-verification tool, being supposedly both easy-to-use and highly secure; it has consistently failed to deliver.

As the survey shows, adoption levels of biometrics remain woefully low – just 9% of respondents use biometrics today. A meagre 11% more plan to implement the technology within the next year.”

Friday, January 18, 2008

Liberty Alliance “Identity Assurance Special Interest Group (IASIG)”

The kick-off meeting of the Liberty Alliance “Identity Assurance Special Interest Group (IASIG)” is going to take place on January 30th, 2008 to discuss the Identity Assurance Framework and the proliferation of standard Levels of Assurance in digital commerce:

“The IASIG was formed alongside the Identity Assurance Expert Group (IAEG), as a public Special Interest Group (SIG) within the Liberty Alliance to continue and extend the Trust Framework of the EAP (Electronic Authentication Partnership), the Credential Assessment Framework of the US E-Authentication Initiative, and other industry contributions, into a harmonized, best-of-breed industry standard operational framework for managing trusted credentials across identity federations to foster inter-federation on a global scale.”

More details about this event can be found here.

Wednesday, January 16, 2008

Webinar (17 January 2008, 3:00 PM, GMT) – “Internal Threats to Your Data. From erring employees to malicious infiltrators - how do you protect ...?"

I received an email from Elsevier/InfoSecurity advertising a public webinar, called “Internal Threats to Your Data. From erring employees to malicious infiltrators - how do you protect against the unknown?”.

I think this might be of interest to this community (due to its identity and privacy implications):

“Database attacks have long been associated with the problem of external hackers, who, whilst searching for vulnerabilities in an organisation's IT resource and often using SQL injection techniques, seek to steal data for their own - or third party - malicious usage. Recently, however, the number of security breaches occurring in the public and private sector, has raised the topic to the top of the list as far as board level management is concerned. The risks involved are many, ranging from employees stealing confidential data for personal gain, right through to a lack of corporate governance and policies allowing staff access to information they should not normally have access to in their day-to-day duties. …

This webinar will:
  • Give clear insight in to the complex and changing nature of insider threats, with a look at original research
  • Show how accidental misuse can lead to disastrous consequences
  • Offer proven strategies to secure your data, including practical advice on how to determine what is normal behaviour and what is an abuse of privilege
  • Explain what to look for in an employee's abuse of privilege”

The webinar is free and it is going to take place on Thursday, January 17th at 3:00 PM (GMT). Attendees are requested to register online. Of course, read the Webcast Registration Policy …

Apparently, CISSPs and SSCPs will receive 1 CPE credit for attending this webinar.

Tuesday, January 15, 2008

More on PLING Interest Group and PLING Wiki Site

As announced some time ago, the PLING (Policy Languages Interest Group) Wiki site is now up and running: http://www.w3.org/Policy/pling/wiki/Main_Page.

This community is invited to contribute and populate its pages with thoughts, input and comments about three main topics:

1) Use Cases
2) Policy Frameworks
3) Related Initiatives

Please note that the "Use Cases" section currently contains the policy use case highlighted by Michael Wilson along with a comment of mine. Feel free to add your use cases and/or comments.

The "Policy Language" section has been populated with an initial draft page, categorising some of the current policy languages and frameworks.

Finally, the "Related Initiatives" section has also been populated with an initial list of projects/activities of some relevance to PLING. This is still a rough draft list, open to contributions.

Feel free to register to the PLING Wiki site and add your contributions.

Monday, January 14, 2008

Is the Increase in Security Failures and Privacy Breaches Often Due to Wrongsourcing?

This is the point made by Claudiu Popa, Informatica’s president, as reported by this article:

“Toronto-based Informatica Security Research estimates that the vast majority of issues involving the security and privacy of data, identity theft breaches, compliance failures and other information risk issues are due to poor strategic planning and IT governance.

Informatica’s president, Claudiu Popa is a recognized information risk consultant who sees the issue as a management problem: “we have seen a general trend in North America where we often talk to companies that opt to force their internal IT departments to also manage security. Many organizations fail to realize that security management is not a core competency that neatly fits within IT governance activities. In fact, as companies scramble to achieve compliance with numerous standards and legislation, they often mismanage their operations and impact productivity. It makes no sense to in-source activities that are complex, expensive and often mismanaged instead of hiring qualified experts to get the job done. The flip side of what I call ‘wrong-sourcing’ is that organizations too often choose to outsource their core capabilities. This is backwards and executives should revisit their business objectives."”

Friday, January 11, 2008

HP Helps Healthcare Providers Improve Patient Care and Regulatory Compliance

A recent Press Release, published by Yahoo! Finance and called “HP Helps Healthcare Providers Improve Patient Care, Regulatory Compliance with Medical Archiving Solution”, might be of some interest to the Identity and Privacy Management Community:

“HP today introduced a specialized archiving platform to help global healthcare providers, hospitals and imaging clinics of all sizes meet rapidly expanding retention requirements for medical images.

HP MAS 3.0 delivers factory-integrated HP ProLiant servers, HP StorageWorks SAN and MSA disk storage with indexing, policy management and search software to provide long-term retention of medical fixed content. The grid architecture of MAS satisfies the scalability and performance requirements of healthcare providers at an affordable price. The tiered storage of the MAS grid ensures healthcare providers can align the business value of images with appropriate retention policies.”

The management of privacy when handling personal data (in this case medical data) in healthcare contexts is very important. This is critical information. I am glad that commercial solutions are making their way to the market to address some of the related privacy management aspects.

More details are available in the article mentioned above.

Thursday, January 10, 2008

Information Security Management: Top Priority in 2008?

An article, published by Reuters and called “Information Security Management Still Number One Concern”, provides an overview of the American Institute of Certified Public Accountants (AICPA)'s recent 19th Annual Top Technology Initiatives survey:

“The AICPA poll was conducted in late 2007 with ISACA, the Institute of Internal Auditors (IIA) and the Information Technology Alliance (ITA). Respondents identified the top 10 most important technology initiatives for 2008 as follows:
  1. Information Security Management
  2. IT Governance
  3. Business Continuity Management and Disaster Recovery Planning
  4. Privacy Management
  5. Business Process Improvement, Workflow, and Process Exceptions Alerts
  6. Identity and Access Management
  7. Conforming to Assurance and Compliance Standards
  8. Business Intelligence
  9. Mobile and Remote Computing
  10. Document, Forms, Content and Knowledge Management

A selective group of 1,169 finance, accounting and technology participants ranked 29 technology initiatives they felt would have the most significant impact on their organizations in the next 12 to 18 months.”

Please note that both Privacy Management and Identity Management appear in this list.

This article also reports that Lynn Lawton, International President of ISACA, made this interesting statement: "Recent studies show that investors are willing to pay a premium of up to 20 percent more for shares of enterprises with reputations for good IT governance practices; properly governed IT is critical to an organization's success."

Tuesday, January 8, 2008

Risk Management, Privacy and Corporate Priorities

A recent ComputerWeek article by Jeremy Smith, called “Data Privacy Must Become a Corporate Priority” makes a good point in suggesting that “privacy” should be a corporate priority, part of its risk management processes:

“The ever-changing business environment has a direct effect on a company's risk profile, often changing in unison as new business models develop. The expansion of global supply chains and the heightened dependence on outsourcing means that security risks are becoming harder to quantify and prevent. The new risks associated with relying on networks and using digital data must be addressed by risk managers in the same manner they would consider the more traditional risks.”

I fully agree with this point. This article uses the recent UK HMRC incident as an example and further suggests that:

“If a private corporation had been the culprit instead of HMRC, the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call-centre capacity (to deal with customers whose records had been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages and regulatory defence and settlement.
Most organisations probably do not have sufficient, if any, insurance for such an event, as normal property and liability policies only provide cover for tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures including providing coverage for notification expenses and regulatory fines and penalties.”

Insurance can indeed be a way to mitigate some of the “implications” for the company, but it is not the final answer for end-users and the consequences that privacy incidents might have on them.

I believe that the corporate “risk mitigation” process should also include “proactive” control points (involving technologies, data handling processes and education) aiming at minimising the occurrence of these incidents.

Monday, January 7, 2008

Report – Enterprise@Risk: 2007 Privacy and Data Protection Survey

A recent report, called “2007 Privacy and Data Protection Survey” (available online), has been released by Deloitte:

“The survey results indicate an increasing understanding within the organization of what is required to address the risks of managing and protecting private data. However, it also demonstrates that the challenge remains for the enterprise privacy function to move from the current reactive mode to a more proactive and strategic approach.”

This survey describes key findings in these areas:
  • Privacy Incidents and Breaches requiring notification
  • Incident Response – time allocation
  • Incident Response – notification
  • Privacy Programs – implementation
  • Privacy Function – reporting structure
  • Privacy Function – resource allocation
  • Enterprise Training
  • Technology Solutions
  • Encryption Technologies
  • Professional Profiles

An interesting point, made in this survey, is that “Given the varying adoption rates and current maturity of the enterprise privacy programs, the risks associated with privacy and data protection can be expected to continue for some time to come.”

Saturday, January 5, 2008

Consent-centric Identity Management

An aspect I believe will have more and more relevance in the space of Identity Management is “Consent Management” i.e. the active management and enforcement of users’ consent when collecting, storing, accessing, processing and disclosing personal data.

This includes: the management of users’ preferences and users’ constraints on personal data, once this data has been disclosed; (potential) active involvement of users during the overall lifecycle of identity information; consent-driven identity lifecycle management. This includes aspects of privacy management, but it is wider than this – as it is about the overall process of handling identity information.

Given the current trends towards user-centric identity management, federation and “identity-aware devices”, people will increasingly realise how valuable their identities are (as an asset they should own) and demand more control and active involvement in their overall management.

This is an opportunity for the IdM research community (and the industry) to contribute to this space.
