Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Saturday, June 28, 2008

The Future of Identity Management? It is all about Managing Risk …

As I have been posting for a while, I believe that Identity Management will evolve, during the next few years, from a pure “control point and compliance”-based approach towards an approach that will increasingly factor in the management of Risk.

Decision makers (CIOs, CISOs, etc.) are shifting from a “compliance management” mentality to a “risk management” mentality, when making investment decisions on IT security solutions. Their investment decisions (including the ones on Identity Management) are going to be increasingly questioned, due to the shrinking of resources available. Hence the need to prioritise based on real business objectives and needs.

I am glad that Burton Group is now making statements in the same direction, as can be gathered from this article:

“Identity management is evolving to include a closer recognition of risk and how to manage it rather than trying to eliminate it using technology, according to the head of the Burton Group consulting firm.

“Companies are looking at controls from a risk perspective instead of trying to control everything,” said Jamie Lewis, CEO of the Burton Group during the opening day of the firm’s annual Catalyst Conference. “It is about people managing risk and not about technology trying to make risk disappear.””

I believe there is a whole new set of research and commercial opportunities in this space (i.e. beyond compliance management and control points), whilst traditional Identity Management solutions are becoming more and more a commodity.

--- NOTE: my original HP blog can be found here ---

Thursday, June 26, 2008

Do CIOs care about Data Privacy?

Apparently they don't, at least based on a recent Ernst & Young report, whose outcomes have been summarised in this article written by Adrie van der Luijt:

“IT fraud and data privacy fail to sound the alarm for CIOs and internal audit chiefs, a survey shows. Sixty-five per cent of internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business.

A survey, released by Ernst & Young, found that internal audit chiefs ranked corporate breaches and data privacy regulation sixth in their top ten IT risks for the organisation, while for CIOs it barely made it onto the list at just ninth.

In addition just 14 per cent of internal audit chiefs said that their staff had been trained in fraud investigation. …”

I would be interested in having a look at this survey, if only I could find a copy online …


Tuesday, June 24, 2008

The “Information Card Foundation” (ICF) has been launched

The Information Card Foundation was launched on Monday, as reported by this article published by news.com:

“A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards. …”

The ICF web site should go live on Tuesday, i.e. today.

I think this is a great opportunity for improving interoperability in the identity federation space, including interoperability with other initiatives, such as Liberty Alliance’s.


Monday, June 23, 2008

Liberty Alliance releases the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications

Today, Liberty Alliance has publicly announced the release of the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications:

"Liberty Alliance, the global identity community working to build a more trustworthy internet for consumers, governments and businesses worldwide, today announced an industry milestone in driving trust and privacy into enterprise and identity-enabled applications based on the release of the Liberty Identity Assurance Framework (IAF) and the Liberty Identity Governance Framework (IGF). Today’s news is the result of the collaborative development of standardized frameworks and technologies designed to meet cross-industry requirements for policy-based security and privacy systems, with a focus on streamlining the establishment and management of identity and trust across user-driven applications and networks."

I believe this is a first, important step towards providing a more systemic approach to assurance and privacy management in complex organisational (and cross-organisational) contexts.

More details can be found in the Liberty Alliance’s announcement, here.


Friday, June 20, 2008

DoD and Funding Research into Information Sharing

As reported by this article, the US Defence Department (DoD) is going to fund research on information sharing:

"The Defense Department has awarded $7.5 million to six universities for a five-year research program to help solve the problem of sharing sensitive information while ensuring privacy and security.

The failure of intelligence and law enforcement organizations to share information was one of the problems that contributed to the terrorist attacks of Sept. 11, 2001, according to the commission that studied the attacks. But connecting the dots has proved to be a knotty problem for organizations built on secrecy and control. …”


Tuesday, June 17, 2008

Future Security Architecture enabling “Multiple Personae”

I would like to thank David Lacey for highlighting, in a recent post on his Security Blog, some R&D work done at HP Labs' Systems Security Lab (SSL) that was recently presented at GC 2008. Here are David’s notes and comments:

“… For several years HP and others have been doing some excellent research on how to develop a secure architecture to enable a client platform to run multiple applications of varying sensitivity and risk, whether business or personal.
The future solution, if it can be realised, is to maintain a single client platform with a secure firmware base that can switch between numerous operating system environments, each running a particular environment. This would enable you to separate your business, personal, banking and other operations, reducing the risks to business systems from personal devices and eliminating phishing.
This approach also transforms the nature of identity management. You can have as many individual personae as you wish. It sounds perfect. But there is one further challenge. The firmware has to be bullet-proof. A single flaw can undermine the whole concept. Let's hope HP can get this right.”

P.S.: to be clear, I am not directly involved in this project – just creating awareness about excellent work done by my colleagues.


Monday, June 16, 2008

Identity Thefts, The US FACT Act and Red Flag rules …

How many of you were aware of the fact that US financial institutions face a mandatory deadline of November 1, 2008 to comply with 3 new US Fair and Accurate Credit Transactions Act (FACT Act) regulations, referred to as the Red Flag rules?

As summarised in this Wikipedia page, these are the 3 new regulations:
  • “One that requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft;
  • Another that requires users of consumer reports to respond to Notices of Address Discrepancies that they receive;
  • A third that places special requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward, they receive a request for an additional or replacement card for the same account.”

I wonder how effective these new measures will be in mitigating the risks of identity theft …


Wednesday, June 11, 2008

Article: “50 Ways to Take Back Control of Your Personal Data”

Have a look at this very interesting article by InsideCRM, “50 Ways to Take Back Control of Your Personal Data”, which provides a useful list of tips and “common sense” (but quite often forgotten …) ways to protect your personal data, keep a degree of control over it, and reduce your exposure to identity theft, financial losses and other crimes.

These tips are organised by categories, in terms of:
  • Web Privacy
  • Credit and Finance
  • General Privacy
  • Cell Phones and Online Phone Services
  • Rules to follow to Protect Your Privacy
  • Tools and tips


Tuesday, June 10, 2008

WEIS 2008 and “Economics of Identity Management”

R&D papers and work presented at the Workshops on Economics of Information Security (WEIS) discuss and explore how economic theory and economic analysis can be successfully applied to information security, instead of focusing just on the traditional technology-driven approaches.

What are the “Economics of Identity Management”? Something I believe would be worth exploring too, with a scientific approach.

The 7th Workshop on the Economics of Information Security - WEIS 2008 is going to take place in Hanover, NH, June 25-28, 2008:

“Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating business and policy options. How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?
The 2008 Workshop on the Economics of Information Security, the seventh workshop, will build on a strong and growing interdisciplinary tradition, bringing together information technology academics and practitioners with social scientists and business and legal scholars to better understand security and privacy threats. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. However, we know that economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. The application of economic analysis to these problems has proven to be an exciting and fruitful area of research.”

Most of the above points also apply to the “Identity Management” field. An opportunity to contribute.


Friday, June 6, 2008

Data Breach Disclosure Laws Are Not so Effective in Reducing Identity Theft …

This is the message I got from a very interesting paper, titled “Do Data Breach Disclosure Laws Reduce Identity Theft?” (authors: Sasha Romanosky, Rahul Telang, Alessandro Acquisti), that is going to be presented at the 7th Workshop on the Economics of Information Security - WEIS 2008, Hanover, NH, June 25-28, 2008.

Based on their current studies, the authors found “no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce”. The full abstract of a draft version of their paper (accessible online) follows:

“Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured.
We use panel data from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.”


Monday, June 2, 2008

My HP blog is Back in the new HP Communities Hosting Site …

My HP Blog on “Research on Identity Management” is now back, in the new HP Communities Hosting Site.

Enjoy …
