A new UK IT collaborative project has been officially announced: EnCoRe – Ensuring Consent and Revocation (some initial press releases: here and here):
“As more and more personal information flows from individuals to organisations when they interact online, people are becoming more and more concerned that they can not effectively control what this information is used for, with which other organisations it is shared, and where it is stored. They may have given their consent, often in vague terms and implicitly, for its use, sharing and storage, but they have no real control over the specifics of these, nor the ability to revoke their consent and be sure that their wish is respected. In summary, they are not able to control where their personal information flows to, and this makes them uneasy about interacting online.
The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again.”
This £3.6m project consortium is multi-disciplinary, spanning across a number of IT and social science specialisms. The project partners are Hewlett-Packard Laboratories, HW Communications, QinetiQ, the London School of Economics, the Ethox Centre of the University of Oxford and the University of Warwick.
The EnCoRe project runs from June 2008 to November 2011. It receives funding from the UK Government’s Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.
--- NOTE: my original HP blog can be found here ---
Friday, September 19, 2008
Thursday, September 11, 2008
On Gartner’s Magic Quadrant for Identity Management
You might be interested in having a look at Gartner’s Magic Quadrants for Identity Management. In particular, a recent article (15 August 2008) published by Earl Perkins and Perry Carpenter focused on the “Magic Quadrant for User Provisioning”:
“User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers.”
On one hand this kind of reports provides good insights about the current state of the art (in this case about user provisioning). On the other hand, some criticisms have been given about the overall evaluation of current IdM solutions and their positioning in the “magic quadrant”. For example, have a look at this article by Dave Kearns.
--- NOTE: my original HP blog can be found here ---
“User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers.”
On one hand this kind of reports provides good insights about the current state of the art (in this case about user provisioning). On the other hand, some criticisms have been given about the overall evaluation of current IdM solutions and their positioning in the “magic quadrant”. For example, have a look at this article by Dave Kearns.
--- NOTE: my original HP blog can be found here ---
Thursday, September 4, 2008
Part II: Risk Management for Unstructured Data in Enterprises
In a recent post published on the Netweaver Identity Manager Weblog, the author has made a few comments about my post on “Risk Management for Unstructured Data in Enterprises” (well, actually the published URL to my post is apparently broken …).
Thanks for this input, in particular about three main points that I (tried to) summarise as it follows:
1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition …)
2) Narrowness of perception of approaches and incompleteness of my list of required solutions
3) Availability of comprehensive methodology for implementing enterprise wide risk management
About point 1), this looks pretty much a philosophical discussion. No doubt that, at the end, we talk about information that has some sort of structure (well, an email has a header, a body with some texts and attachments; a document is made of paragraphs or lines of text; …). However, the (maybe over-hyped) “unstructured data” term is currently used to (a) identify specific types of information and (b) contrast it against classic “structured data” (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology …
Back to the key point, recent reports (including the Ponemon Institute’s survey on “Governance of Unstructured Data” and other market and research reports) indeed highlight that the management of unstructured data in enterprises is a raising concern for enterprises, both in terms of governance and risk management. I think this is what really matters – independently from the terminology.
No doubt that classification of data is an important point, especially if you ever manage to “find” where this “unstructured data” is, within a complex enterprise environment … I would say that, given the particular nature of “unstructured data”, a preliminary “data discovery” phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations …).
About point 2), by no means my post was meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, on “unstructured” information risk management. It was just a statement of some “desirable” properties and capabilities that I would like to see (and I know it would be of some help to customers …).
I am well aware of the complexity of the overall (security) “enterprise risk assessment and management” problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.
(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These “standards” provide guidelines and criteria to be carefully refined, grounded and contextualized in various “operational” realities, along with some good, common sense …
So, no doubt that there are already “comprehensive methodology for implementing enterprise wide risk management”, at least from a consulting perspective, but this was not my main point.
My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.
An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on “Identity Analytics” that I mentioned a few times – to see what I mean, in more details (at least from an “IdM perspective”).
Specifically, one of my R&D interests is in “(semi-) automation” tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment & management activities. This includes providing decision support and “what-if analysis”, involving modeling and simulation, providing trade-off analysis, etc.
Given the complexity of this space, I deliberately focused on the aspect of “management of unstructured data” and the IdM perspective, well conscious this is just a part of the overall problem and space.
I hope I clarified this point.
About point 3), no doubt about this, as I mentioned above.
However the statement that “comprehensive methodology for implementing enterprise wide risk management is done” sounds (at least to me) sounds a little bit abstract to me …
It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company … :-)).
--- NOTE: my original HP blog can be found here ---
Thanks for this input, in particular about three main points that I (tried to) summarise as it follows:
1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition …)
2) Narrowness of perception of approaches and incompleteness of my list of required solutions
3) Availability of comprehensive methodology for implementing enterprise wide risk management
About point 1), this looks pretty much a philosophical discussion. No doubt that, at the end, we talk about information that has some sort of structure (well, an email has a header, a body with some texts and attachments; a document is made of paragraphs or lines of text; …). However, the (maybe over-hyped) “unstructured data” term is currently used to (a) identify specific types of information and (b) contrast it against classic “structured data” (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology …
Back to the key point, recent reports (including the Ponemon Institute’s survey on “Governance of Unstructured Data” and other market and research reports) indeed highlight that the management of unstructured data in enterprises is a raising concern for enterprises, both in terms of governance and risk management. I think this is what really matters – independently from the terminology.
No doubt that classification of data is an important point, especially if you ever manage to “find” where this “unstructured data” is, within a complex enterprise environment … I would say that, given the particular nature of “unstructured data”, a preliminary “data discovery” phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations …).
About point 2), by no means my post was meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, on “unstructured” information risk management. It was just a statement of some “desirable” properties and capabilities that I would like to see (and I know it would be of some help to customers …).
I am well aware of the complexity of the overall (security) “enterprise risk assessment and management” problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.
(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These “standards” provide guidelines and criteria to be carefully refined, grounded and contextualized in various “operational” realities, along with some good, common sense …
So, no doubt that there are already “comprehensive methodology for implementing enterprise wide risk management”, at least from a consulting perspective, but this was not my main point.
My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.
An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on “Identity Analytics” that I mentioned a few times – to see what I mean, in more details (at least from an “IdM perspective”).
Specifically, one of my R&D interests is in “(semi-) automation” tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment & management activities. This includes providing decision support and “what-if analysis”, involving modeling and simulation, providing trade-off analysis, etc.
Given the complexity of this space, I deliberately focused on the aspect of “management of unstructured data” and the IdM perspective, well conscious this is just a part of the overall problem and space.
I hope I clarified this point.
About point 3), no doubt about this, as I mentioned above.
However the statement that “comprehensive methodology for implementing enterprise wide risk management is done” sounds (at least to me) sounds a little bit abstract to me …
It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company … :-)).
--- NOTE: my original HP blog can be found here ---
Monday, September 1, 2008
Risk Management for Unstructured Data in Enterprises
In the context of the HP Labs’ Security and Identity Analytics project I have been investigating the implications of “unstructured data” (i.e. emails, documents, multimedia files, pages in data sharing sites, messages exchanged with Instant Messaging tools, blog posts, data mash-ups, etc.) within organizations, along with how to explain and predict involved risks and explore the consequences of related security (policy) choices.
Is “unstructured data” really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.
The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.
Most of the current approaches (I am aware of), that mitigate some of the involved risks, are based on traditional IT security and identity “control points” (such as access control, interception points, complex document lifecycle management tools, etc.), addressing “point problems”.
I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (3) explore trade-offs.
So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?
--- NOTE: my original HP blog can be found here ---
Is “unstructured data” really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.
The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.
Most of the current approaches (I am aware of), that mitigate some of the involved risks, are based on traditional IT security and identity “control points” (such as access control, interception points, complex document lifecycle management tools, etc.), addressing “point problems”.
I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (3) explore trade-offs.
So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?
--- NOTE: my original HP blog can be found here ---
Subscribe to:
Posts (Atom)