Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, November 19, 2008

Article: Changing business landscape makes IAM key to IT Security

Here is a recent, interesting article, called “Changing business landscape makes identity and access management key to IT security”:

“In an age of significant layoffs and corporate restructuring, the burgeoning problem of identity and access management for IT operations and data centers has escalated into a critical security issue. Managing who gets access to which resources for how long — and under what circumstances — has become a huge and thorny problem. Improper and overextended access to sensitive data and powerful applications can cause massive risk as many employees find themselves in flux.”

This article provides some excerpts from a discussion with Dan Rueckert (worldwide practice director for security and risk management in HP’s Consulting and Integration group), Archie Reed (distinguished technologist in HP’s security office in the Enterprise Storage and Server Group), and Mark Tice (vice president of identity management at Oracle).

Friday, November 14, 2008

Part II: On Applying Modelling and Simulation Techniques to Identity Management

Thanks to the readers who sent me comments (interestingly, by email …) about my previous post on “Applying Modeling and Simulation techniques to Identity Management”. Feel free to post your comments directly on the blog as well.

An interesting question I received was about the overall scope of the R&D work on Identity Analytics, i.e. if it only strictly applies to the Identity Management space.

I would say that the scope is wide. The goal is to also include economic aspects, people’s behaviours, privacy and privacy management elements, along with any IT and business aspects of relevance to the analysed scenario or case study. Our models and simulations represent the (risk mitigation) effects of identity controls in the context of the scenario of interest, by including a representation of the involved processes, data storage and information flows, along with the relevant applications and services.

The outcomes of our models vary depending on the questions we want to answer, such as the ROI of specific IdM solutions, trade-offs between investments, the impact of controls and security on usability, etc.

I hope this answers the question.

Please have also a look at the Demos2k model attached to our recent HP Labs Technical Report HPL-2008-186, for a few illustrative examples of the above points.

--- NOTE: my original HP blog can be found here ---

Friday, November 7, 2008

On Applying Modelling and Simulation Techniques to Identity Management

At HP Labs, within the “Identity Analytics” project, we are researching how to apply modeling and simulation techniques to the domain of Identity Management, to explore and predict:
  • the consequences of potential decisions made by decision makers (e.g. in terms of strategic policies and adoption of controls) on key aspects such as security risks, costs, impact on reputation, etc.;
  • the impact of identity management solutions on IT infrastructures, people and business contexts;
  • the implications of people behaviours on security and privacy aspects.


The aim is to help decision makers assess the consequences of their decisions and explore investment trade-offs. In particular, assessing the impact on security risks and costs is very important: given the current global financial situation, the “cost” dimension is going to play an increasingly key role.

We published a few HP Labs Technical Reports to provide an overview of our R&D work, including HPL-2008-186 and HPL-2008-84. In particular, the most recent report, HPL-2008-186, provides an example of a model (based on the Demos2K simulation framework) that we used to carry out our simulations and trade-off analysis in a “data sharing collaborative scenario”.

Many case studies can potentially be explored with our approach, including Web 2.0 collaborative services, access and protection of critical business applications and services, user account lifecycle management processes, data flows and lifecycle management, identity theft scenarios, etc.
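To make concrete what “modeling the risk mitigation effects of identity controls” and “exploring investment trade-offs” mean in practice (this post and the Part II follow-up above), here is a small added illustration in Python. It is not the Demos2K model from HPL-2008-186 and not HP Labs code: it is a toy Monte Carlo model of one control from the “user account lifecycle management” case study, namely how quickly accounts of departing employees are de-provisioned. All parameters (departures per year, lag distributions, misuse probability, losses, control costs) are constructed assumptions chosen only to show the shape of the analysis.

```python
"""Toy Monte Carlo trade-off model for one identity control: de-provisioning
lag for accounts of departing employees.  Illustrative example only; every
number below is an assumption, not data from the HP Labs reports."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    mean_lag_days: float        # assumed mean days an account stays live after departure
    annual_control_cost: float  # assumed yearly cost of operating the control


# Two hypothetical policies: ticket-driven manual removal vs HR-feed-driven automation.
MANUAL = Policy("manual de-provisioning", mean_lag_days=30.0, annual_control_cost=20_000.0)
AUTOMATED = Policy("HR-feed automated de-provisioning", mean_lag_days=1.0, annual_control_cost=80_000.0)

# Constructed scenario parameters.
DEPARTURES_PER_YEAR = 200
P_MISUSE_PER_EXPOSED_DAY = 0.002   # assumed daily probability an orphaned account is misused
LOSS_PER_INCIDENT = 50_000.0       # assumed loss per misuse incident


def expected_exposure_days(departures, mean_lag_days):
    """Closed-form expected orphaned account-days per year."""
    return departures * mean_lag_days


def expected_annual_loss(departures, mean_lag_days, p_misuse, loss):
    """Linear approximation: each exposed account-day carries independent risk p_misuse."""
    return expected_exposure_days(departures, mean_lag_days) * p_misuse * loss


def total_expected_cost(policy, departures=DEPARTURES_PER_YEAR,
                        p_misuse=P_MISUSE_PER_EXPOSED_DAY, loss=LOSS_PER_INCIDENT):
    """Control cost plus expected loss: the quantity a trade-off analysis compares."""
    return policy.annual_control_cost + expected_annual_loss(
        departures, policy.mean_lag_days, p_misuse, loss)


def simulate_year(policy, departures=DEPARTURES_PER_YEAR,
                  p_misuse=P_MISUSE_PER_EXPOSED_DAY, loss=LOSS_PER_INCIDENT, rng=None):
    """One simulated year: sample a de-provisioning lag per departure, then roll
    for misuse on each exposed day (at most one incident per orphaned account)."""
    if rng is None:
        rng = random.Random(0)
    exposure_days = 0
    incidents = 0
    for _ in range(departures):
        # Exponentially distributed lag, rounded up so every departure costs >= 1 day.
        lag = math.ceil(rng.expovariate(1.0 / policy.mean_lag_days))
        exposure_days += lag
        for _day in range(lag):
            if rng.random() < p_misuse:
                incidents += 1
                break
    return {
        "exposure_days": exposure_days,
        "incidents": incidents,
        "loss": incidents * loss,
        "total_cost": policy.annual_control_cost + incidents * loss,
    }


def compare(policies, runs=200, seed=1):
    """Mean simulated total cost per policy over `runs` simulated years."""
    rng = random.Random(seed)
    return {p.name: statistics.mean(simulate_year(p, rng=rng)["total_cost"] for _ in range(runs))
            for p in policies}


def cheapest(policies, runs=200, seed=1):
    """Name of the policy with the lowest mean simulated total cost."""
    results = compare(policies, runs=runs, seed=seed)
    return min(results, key=results.get)


if __name__ == "__main__":
    for p in (MANUAL, AUTOMATED):
        print(f"{p.name}: closed-form expected cost {total_expected_cost(p):,.0f}")
    for name, cost in compare([MANUAL, AUTOMATED]).items():
        print(f"{name}: mean simulated cost {cost:,.0f}")
    print("cheapest:", cheapest([MANUAL, AUTOMATED]))
```

The closed-form functions give the linear estimate a spreadsheet would produce; the simulation adds the variance and the non-linear “one incident per account” effect that a model of processes and information flows captures and a single formula does not. Swapping the assumed parameters (or adding a second control, such as periodic access review) is how the trade-off questions in the post would be explored.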

I would be interested in discussing this topic with this community, in particular about related work and exploring any specific requirement or case study you might have in this space.



Wednesday, November 5, 2008

Research Study: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk

This interesting article, called “Identity Theft Risks: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk” provides an overview of a research study to be published soon – warning about the risk of data left on devices to be decommissioned:

"Ongoing research to be published in the International Journal of Liability and Scientific Enquiry suggests that there is a huge amount of sensitive data still on redundant computer hard disks. These devices are often disposed of or sold into the second-hand market by corporations, organizations, and individuals with the data intact. The report's authors say that this data represents a significant level of risk for commercial sabotage, identity theft, and even political compromise, and suggest that better education is essential to reduce the risk of harm. ...
The 2007 study is being made available in its entirety through the International Journal of Liability and Scientific Enquiry. The team is now completing the 2008 analysis and will announce those results shortly as well. However, the initial results for the 2008 study show that there is still a long way to go regarding the decommissioning of computer hard disk drives. The team expects that the complete 2008 study will be made available for publication by the end of the year."

This is an area where “classic” identity management (based on control points) shows its limits. The explicit management of IdM strategic policies, related processes and risks should be a key part of “identity management”.

“Identity Analytics” could also be of some help here, to understand the implications of policies and possible strategic decisions (given specific IT and IdM frameworks), along with exploring investment trade-offs.


Monday, November 3, 2008

Policy 2009: International Symposium on Policies for Distributed Systems and Networks

The CfP for Policy 2009 (International Symposium on Policies for Distributed Systems and Networks) is now available online. Topics of interest include, but are not limited to:

  • Privacy and Security
  • Policy Models and Languages
  • Policy Applications

This year, Policy features a special track on the policy lifecycle and usability issues related to policy-based management of privacy and security.

Of course, papers discussing the application of policies to the identity management domain are welcome.

Abstracts are due by 23 February 2009, whilst papers are due by 02 March 2009.

