Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, February 28, 2008

Lost mobile devices account for most UK data leaks …

This is what is reported by a recent NetworkWorld article, based on the findings of a Ponemon Survey:

“The average cost of a data breach is £47 ($94) per compromised record, according to a path-breaking survey from the Ponemon Institute.

For security blunders in the financial services sector, that cost rises to £55 per compromised record.

Lost or stolen laptops and mobile devices account for most data breaches in the U.K., according to the research … Thirty-six per cent of data breaches resulted from lost and stolen laptops or other mobile devices.”

This says a lot about current practices, in terms of storing data and protecting it. The remaining part of the article provides additional details on the impact this has on businesses and end users.
--- NOTE: my original HP blog can be found here ---

Thursday, February 21, 2008

Updated Liberty ID-WSF Open Source Toolkits …

This might be of interest to those monitoring developments in the Liberty Alliance’s “Advanced Client Technologies” specs… Conor Cahill, in a recent blog post, announced that he has updated his Liberty ID-WSF Open Source Toolkits. See below:

“I've updated my Liberty ID-WSF Open Source Toolkits again. This time to reflect the minor changes made in the Advanced Client specifications as they were finalized within the Alliance.
For those of you who aren't familiar with this code, I have two toolkits available -- a C++ client and an Axis1/Java Server -- which implement the Liberty ID-WSF protocols (both the basic framework and substantial portions of several services).
This new release of the toolkit does not add new functionality -- it only brings the code up to match the final specifications.
Have fun!”


Sunday, February 17, 2008

Four-part Webcast series on Identity Assurance

Liberty Alliance has announced a four-part Webcast series on Identity Assurance that can be attended by registering online:

“Date: February 20, 8 am PT
Topic: Identity Assurance Framework: Common Organization Service Assessment Criteria
Moderator: Jim Gross, Sr. Vice President, WellsSecure Identity Assurance, Wells Fargo
This webcast will discuss and gather feedback on the Common Organization Service Assessment Criteria section of the IAF. This section outlines the criteria for a Credential Service Provider's general business and organizational conformity of its services and its providers as it pertains to the four Levels of Assurance in the IAF. The review session will have a particular focus on elements such as enterprise & service maturity, information security management, operational infrastructure, external services & components, secure communications, etc.
Registration: https://ieee-istolargeroom.webex.com/ieee-istolargeroom/k2/j.php?ED=102106312&UID=141346749

Date: March 5, 8 am PT
Topic: Identity Assurance Framework: Credential Management Service Assessment Criteria
Moderator: Vijay Takanti, Exostar VP, Security Services; CertiPath, CTO and Policy Chair; TSCP, Design Authority Lead
This webcast will focus on the Credential Management Service Assessment Criteria. This section outlines the criteria for the functional conformity of a CSP's credential management services and those of its providers to comply with the Four Levels of Assurance. The review session will focus on the various credential-related processes including the operating environment, issuance, revocation, status management and validation/authentication of credentials.
Registration: https://ieee-istolargeroom.webex.com/ieee-istolargeroom/k2/j.php?ED=102106602&UID=322922647

Date: March 12, 8 am PT
Topic: Identity Assurance Framework: Identity Proofing Service Assessment Criteria
Moderator: Dr. Peter Alterman, Asst. CIO for EAuthentication, NIH and Chair, Federal PKI Policy Authority
This webcast will focus on the Identity Proofing Service Assessment Criteria section of the IAF. This section outlines the criteria for a CSP's functional conformity of its identity proofing practices within the Four Levels of Assurance. The review session will focus on identity proofing elements such as Identity Proofing Policy, Identity verification practices, verification records, etc.
Registration: https://ieee-istolargeroom.webex.com/ieee-istolargeroom/k2/j.php?ED=102106317&UID=948676821

Date: March 26, 8 am PT
Topic: Identity Assurance Framework: Certification/Accreditation Business Rules
Moderator: Nathan Faut, Senior Associate, Federal practice, KPMG
This webcast will focus on the Certification/Accreditation Business Rules. This section covers the business rules associated with participation in the Liberty Framework. The review session will focus on roles and responsibilities of CSP's, the role of the Federation Operator and a best practices guideline for relying parties. In addition, this section will discuss the process for accrediting assessors/auditors of CSP's for certification to the Liberty IAF.
Registration: https://ieee-istolargeroom.webex.com/ieee-istolargeroom/k2/j.php?ED=102106687&UID=926656135


Wednesday, February 13, 2008

EU PRIME “Primer” available online …

The EU “Privacy for Identity Management in Europe” (PRIME) Project will officially finish at the end of February 2008.

Lots of material is available online, and new documents will be added in this final phase of the project. A PRIME Primer has recently been released on the PRIME website.


Monday, February 11, 2008

New Forrester Report: “Identity Management Market Forecast: 2007 to 2014”

An article written by Tim Wilson, called “Identity Management Ready to Skyrocket”, provides an overview of the content of a new Forrester report, “Identity Management Market Forecast: 2007 to 2014”. Have a look to get some insights …

The executive summary of this Forrester report follows:

“The identity management — or identity and access management (IAM) — market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014 (including revenues from both products and implementation services). Provisioning accounts for half of IAM market revenues today, but it will account for nearly two-thirds of all IAM revenues by 2014. Even after years of healthy adoption rates, the IAM market is actually just beginning its trajectory toward broad adoption and deep penetration. Moreover, during the next seven years, we will also see buying behavior migrating from point products to identity suites — and, to a lesser extent, from products to managed services. Meanwhile, vendors will decompose products into service-oriented architecture (SOA)-enabled functions, repackaged in the form of identity-as-a-service (IDaaS)”.

I read the actual report. I found the section on “Future Directions for Identity Management” interesting but, in my view, there are no major surprises …


Friday, February 8, 2008

Update on PLING Interest Group …

New use cases have been recently added to the W3C PLING Interest Group Wiki Site, related to:
  • Location-based Access Control Policies and Privacy in Pervasive and Distributed Environments
  • Federated Policy Management
  • Privacy Policy Management

An up-to-date list of use cases is available here. It would help if you could share your experiences in terms of the following points:

  • Are you using, in practice (e.g. in some operational environments), any policy language at all? Which ones and in which context?
  • If so, what are the pros and cons of this language?
  • Any open issue, problem and/or requirement?
  • Any interoperability need in case multiple policy languages/frameworks are used?

The Wiki page containing a review of known Policy Languages and Frameworks has also been updated. Please have a look and feel free to contribute.


Wednesday, February 6, 2008

2008 National Survey on Access Governance: Business Risks and Challenges

A new survey on “access governance” has been released by the Ponemon Institute, as anticipated by this Businesswire article:

“According to the 2008 National Survey on Access Governance released on February 5th by the research firm Ponemon Institute, organizations are facing significant business risks because of inconsistent approaches to access management across the enterprise.
This survey of almost 700 experienced IT practitioners shows that the vast majority believe that employees, temporary employees and independent contractors have too much access to information assets that are not pertinent to their job function, and that access policies are not being regularly checked or enforced by their organization. This report describes the five major challenges identified by the survey respondents to implementing an effective access governance framework:
  • User access rights are poorly assigned
  • Policies are not regularly checked and enforced
  • Organizations are not able to keep pace with changes to users’ roles and they face serious noncompliance and business risk as a result
  • Senior management lacks understanding of the importance of access governance
  • Collaboration is viewed as critical but is not being achieved”

This survey can be downloaded online, from here.


Monday, February 4, 2008

Announcing TrustBus 2008

The Call for Papers for the 5th International Conference on Trust, Privacy and Security in Digital Business (TrustBus’08) is now available online.

This conference aims at providing an international forum for researchers and practitioners to exchange information regarding advancements in the state of the art and practice of trust and privacy in digital business.

The submission deadline is March 3rd. TrustBus 2008 is interested in papers, work-in-progress reports, and industrial experiences describing advances in all areas of digital business applications related to trust and privacy, including, but not limited to:

- Anonymity and pseudonymity in business transactions
- Common practice, legal and regulatory issues
- Delivery technologies and scheduling protocols
- Economics of Information Systems Security
- Enterprise management and consumer protection
- Intellectual property and digital rights management
- Languages for description of services and contracts
- Models for access control and authentication
- New cryptographic building-blocks for e-business applications
- PKI & PMI
- P2P transactions and scenarios
- Reliability and security of content and data
- Reputation in services provision
- Security and Privacy models for Pervasive Information Systems
- Shopping, trading, and contract management tools
- Transactional Models
- Usability of security technologies and services
- Business architectures and underlying infrastructures
- Cryptographic protocols
- Design of businesses models with security requirements
- Electronic cash, wallets and pay-per-view systems
- Identity and Trust Management
- Intrusion detection and information filtering
- Management of privacy & confidentiality
- Multimedia web services
- Online transaction processing
- Public administration, governmental services
- Real-time Internet E-Services
- Reliable auction, e-procurement and negotiation technology
- Secure process integration and management
- Security Policies
- Smartcard technology
- Trust and privacy issues in mobile commerce environments


Sunday, February 3, 2008

Are Legal Obstacles Delaying Federated Identity Management?

This is a key point made in Thomas J. Smedinghoff’s article, titled “Legal Obstacles Delaying Federated Identity Management”:

“Without some type of a legal framework to address these issues, however, a federated identity model will likely not scale. At least in the case of economically significant transactions, the risks to each of the parties of such unresolved issues are simply too great to justify reliance on the federated process. These questions, and others like them, are the legal land mines that stand in the way of a viable federated identity management infrastructure.”

The issues mentioned above are about: Identification Process, Personal Information, Scope of Assertion, Use of Assertion and Liability.

I agree that having a proper legal framework in place can help. I would argue, though, that proper “identity assurance” must also be put in place in the context of federated identity management, as discussed in an HPL Technical Report.
