Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, April 29, 2008

Are Patients’ Medical Records at Risk?

I found a recent Wall Street Journal article, “Are your Medical Records at Risk” (by Sarah Rubenstein), very interesting. It provides good insights into the trade-offs the healthcare industry makes when weighing privacy against quality of care:

“When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself …”.

This article focuses on the US reality – but some of the points it raises can also be of concern in other countries …

--- NOTE: my original HP blog can be found here ---

Monday, April 28, 2008

From “Operational Identity Management” to “Identity Analytics”

Most current work in the Identity Management space is around “operational” identity management, i.e. systems and solutions providing security control points to be deployed within an IT infrastructure.

In addition, IdM solutions in the space of “compliance management” will also have to come to terms with the current shift towards “risk management”, where decision makers/CISOs/CIOs are more and more heavily scrutinising their security investments and making their investment bets based on priorities and actual risks.

I believe that an important “next step” in the Identity Management space is going to be towards “Identity Analytics” and related “Identity Risk Management”.

Here are a few interesting research questions in the “Identity Analytics” space:
  • What are the basic principles that underpin and characterize enterprises’ identity & privacy management processes (and related human behaviors) and their impact on organizations?
  • How to abstract them with models and ways to generate predictions (e.g. with simulation tools) that can be leveraged by decision makers/CISOs/CIOs?
  • How to enable decision makers/CISOs/CIOs to better understand (in advance) the impact and implications of their decisions in terms of security risks, costs and potential losses, impact on reputation, etc.?

Tuesday, April 22, 2008

Announcing ACSAC 2008

This community might be interested in knowing that the Call for Papers for the 24th Annual Computer Security Applications Conference (ACSAC 2008) is now available online – the submission deadline is June 1st:

“ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Papers offering novel contributions in any aspect of computer and application security are solicited. Papers may present technique, applications, or practical experience, or theory that has a clear practical impact. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application.

Topics of interest include, but are not limited to:

- Access control
- Applied cryptography
- Audit and audit reduction
- Biometrics
- Boundary control devices
- Certification and accreditation
- Database security
- Defensive information warfare
- Denial of service protection
- Distributed systems security
- Electronic commerce security
- Enterprise security
- Forensics
- Identification and authentication
- Identity management
- Incident response planning
- Information survivability
- Insider threat protection
- Integrity
- Intellectual property rights protection
- Intrusion detection
- Malware
- Mobile and wireless security
- Multimedia security
- Operating systems security
- Peer-to-peer security
- Privacy and data protection
- Product evaluation criteria and compliance
- Risk/vulnerability assessment
- Secure location services
- Security engineering and management
- Security in IT outsourcing
- Service Oriented Architectures
- Software assurance
- Trust management
- Virtualization security
- VoIP security”


Tuesday, April 15, 2008

Liberty Alliance’s Privacy Summits

A recent press release issued by Liberty Alliance announced the first of three webcasts from its 2008 Privacy in Perspective series:

“Taking place at 8:00am US PT (3:00 UTC) on Wednesday, April 16, the public event is hosted by Robin Wilton, Corporate Architect for Federated Identity, Sun Microsystems and co-chair of the Liberty Alliance Public Policy Group. The webcast will review findings and next steps from the ongoing series of global Liberty Alliance privacy summits held so far in Basel, Berlin, Brussels, London and Washington DC.

"The Liberty Alliance privacy summits bring privacy stakeholders from the global commercial, academic, legal and public sectors together to address privacy concerns and discuss possible solutions," said Wilton. "The April 16 webcast will showcase lessons learned during the summits to help organizations remove obstacles to a productive, multi-stakeholder discussion about privacy issues."”

The registration site for this privacy summit is available here.

Published findings from previous Liberty Alliance’s Privacy Summits are available here.


Saturday, April 12, 2008

InfoSecurity 2008

InfoSecurity 2008 (Europe) is going to take place in London, 22-24 April 2008.

Of particular interest are the events and presentations happening in the Keynote Theatre, Technical Theatre, Business Strategy Theatre and Interactive Theatre.


Thursday, April 10, 2008

CfP: IEEE InSPEC 2008 – Workshop on Security and Privacy in Enterprise Computing

The call for papers for the International Workshop on Security and Privacy in Enterprise Computing, InSPEC 2008, is now available online.

This workshop is going to be held in conjunction with IEEE EDOC 2008. Please consider submitting a paper. The deadline is June 13, 2008:

“Several technologies have emerged for enterprise computing. Workflows are now widely adopted by industry and distributed workflows have been a topic of research for many years. Today, services are becoming the new building blocks of enterprise systems and service-oriented architectures are combining them in a flexible and novel way. Business applications, such as Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Supplier Relationship Management (SRM) systems form the core of enterprise systems. In addition, with wide adoption of e-commerce, business analytics that exploits multiple, heterogeneous data sources have become an important field. These technological trends are accompanied by new business trends due to globalization that involve innovative forms of collaborations such as virtual organizations. Further, the increased speed of business requires IT systems to become more flexible and highly dynamic.

All of these trends bring with them new challenges to the security and privacy of enterprise computing. We are increasingly relying on IT systems for our daily business including essential utilities such as water and power. The traditional forms of computer security need to be enhanced to address the distributed nature and multiple administrative domains of conducting business. For example, algorithms for incorporating the new business practices need to be identified for access control. Similarly, data confidentiality cannot be provided on the network layer anymore, it needs to be built into applications and processes that span across various domains. The enhanced data sharing calls for innovative algorithms and protocols. Novel cryptographic techniques need to be developed and established ones evaluated for industrial adoption. In addition to the security measures, this new generation of distributed systems requires techniques for ensuring compliance with regulations on governance and privacy of data, including those asserted by government and regulatory agencies.

New concepts for solving these challenges require the combination of many disciplines from computer science and information systems, such as cryptography, networking, distributed systems, process modeling and design, access control, privacy etc. It is the goal of this workshop to provide a forum for exchange of novel research in these areas among the experts from academia and industry. Completed work as well as research in progress is welcome, as we want to foster the exchange of novel ideas and approaches.

Topics of interest include but are not limited to:

* Security and privacy in workflow systems
  - Access control architectures
  - Modeling of security and privacy constraints
  - Automatic security augmentation
  - Secure/Trusted virtual domains
* Security and privacy in service-oriented architectures
  - Secure composition of services
  - Semantic aware security
  - Security services
  - Trustworthy computation
* Identity Management
  - Security and Privacy
  - Applications to compliance
  - Effective use in business IT systems
* Data sharing
  - Cryptographic protection during data sharing
  - Privacy-preserving distributed applications
  - Efficient multi-party computations
  - Privacy and data sharing policies
* Security and privacy in management information systems
  - Novel secure applications
  - Secure and private data analytics
  - Flexible and seamless security architectures
  - Secure operating system design
* Collaborations
  - Secure and private supply chains
  - Security and privacy in virtual organizations
  - Private social network and Web 2.0 applications
  - Security and privacy in outsourcing”


Monday, April 7, 2008

HPL Technical Report: On Automatic Compliance of Privacy Policies in Federated Identity Management …

An HPL technical report has recently been published on the topic of “Automatic Compliance of Privacy Policies in Federated Identity Management”:

“Privacy in the digital world is an important problem which is becoming even more pressing as new collaborative applications are developed. The lack of privacy preserving mechanisms is particularly problematic in federated identity management contexts. In such a context, users can seamlessly interact with a variety of federated web services, through the use of single-sign-on mechanisms and the capability of sharing personal data among these web services. Because of the latter feature, user's privacy is at a stake, if the sharing of such data among federated service providers is not properly controlled to ensure that privacy is preserved and user's privacy preferences are complied with. Current federated identity managed solutions adopt simplistic approaches to privacy management, based on contractual/legal approaches and/or limited simple checks on users' privacy preferences. We argue that more comprehensive privacy policies (consisting of access control and obligation constraints, along with privacy preferences) should be stated by federated service providers and proactively checked by these providers, before disclosing users' data to federated partners. To address such requirements, we introduce mechanisms and algorithms for policy compliance checking between federated service providers, based on an innovative policy subsumption approach. We formally introduce and analyze our approach. We also show how our approach is suitable for deployment and application in existing federated identity management solutions, such as Liberty Alliance, WS-* and Shibboleth.”

Authors: Anna Squicciarini (The Pennsylvania State University), Marco Casassa Mont, Abhilasha Bhargav-Spantzel (Purdue University), Elisa Bertino (Purdue University).

A short paper derived from this technical report has been accepted at IEEE Policy 2008.


Friday, April 4, 2008

On Making a Business Case for Identity Management …

A recent article, by Katherine Walsh, titled “How to Make a Business Case for Identity Management” provides a few tips on how to articulate a business case for Identity Management:
  • Decide what IdM means to you
  • Articulate the Business Performance and Productivity Benefits of IDM
  • Create a Tangible, Phased Implementation Plan
  • Don't Forget to Have a 'Mr. or Ms. IDM'--Is This You?
  • Avoid Scare Tactics or Pigeonholing

I think that, from a CSO/CISO perspective, it would also make sense to clearly articulate the Business Risk Mitigation factors that IdM could bring …


Tuesday, April 1, 2008

New HPL Technical Report: “Assurance for Federated Identity Management”

A new HP Labs technical report, “Assurance for Federated Identity Management”, which revisits and extends a previous one on the same topic, has been published:

"Federated Identity Management is an emerging paradigm that is rightly getting a lot of standardization and research attention. One aspect that is not receiving enough attention is assurance. Given the challenges enterprises faced trying to demonstrate appropriate control of their internal and monolithic identity management systems, the problem of how to provide assurance to multiple stakeholders that controls, operations and technologies that cut across organisational boundaries, are appropriately mitigating risk, looks daunting. The paper provides an exposition of the assurance process, how it applies to identity management and particularly to federated identity management. Our contribution is to show technology can be used to overcome many of trust, transparency and information reconciliation problems. Specifically we show how declarative assurance models can orchestrate and automate much of the assurance work, how certain enforcement technologies can radically improve identity assurance, and how an assurance framework can provide a basis for judging the assurance value of security technologies."

HPL Authors: Baldwin, Adrian; Casassa Mont, Marco; Beres, Yolanda; Shiu, Simon
