Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, May 30, 2008

OECD Working Paper - “At a Crossroads: Personhood and Digital Identity in the Information Society”

OECD has recently released a working paper, called “At a Crossroads: Personhood and Digital Identity in the Information Society”.

This paper discusses the relationship between the properties of identity, identity management and the concept of personhood. Specifically, it argues that:

“Law and technology must be crafted to respect certain "Properties of Identity" in identity management in order for the information society to be free and open. Respect for the Properties of Identity is necessary for data protection; data protection is necessary for accountability; and accountability is necessary for trust”.

This work has been led by Mary Rundle. Co-authors include: Bob Blakley, Jeff Broberg, Anthony Nadalin, Dale Olds, Mary Ruddy, Marcelo Thompson Mello Guimarães, and Paul Trevithick.

--- NOTE: my original HP blog can be found here ---

Tuesday, May 27, 2008

ACM Digital Identity Management (DIM) 2008 – Deadline extended to 6 June 2008

The submission deadline of the 4th ACM DIM 2008 has been extended to 6 June 2008.

This year's theme is “Services and Identity”. The complete Call for Papers can be found here. Please consider submitting a paper.

Friday, May 23, 2008

Part II: HP and Novell Announce Migration Program for HP Identity Management Customers

In a previous post of mine I drew attention to a recent HP News Release, which says: “HP and Novell announced an exclusive alliance to migrate HP Identity Center customers to Novell identity and security management solutions”.

My HP colleague, Archie Reed, has gone further: he has provided additional background and described HP's current approach to Identity Management. Please have a look at his post on “HP and Identity Management”.

Archie, well done: I received a few requests for more information too, and your post addresses them all.

Thursday, May 22, 2008

HP and Novell Announce Migration Program for HP Identity Management Customers

HP Identity Management customers might be interested in this recent News Release by HP:

“HP and Novell today announced an exclusive alliance to migrate HP Identity Center customers to Novell identity and security management solutions.

As part of an agreement between the companies, HP and Novell will jointly offer migration services, HP will resell Novell identity and security management solutions and Novell will license HP Identity Center technology.

Earlier this year, HP announced it will focus its investment in identity management products on existing customers rather than selling the products to new customers. To ensure that they continue to have access to exemplary identity management solutions, existing HP customers can take advantage of this program and migrate to Novell’s industry-leading offerings. Customers who choose not to migrate will continue to be supported by HP. …”

Phorm Spoiler Launched by a Privacy Group

As reported in this article, a privacy group (The Anti-Phorm Group) has launched a “Phorm Spoiler” in response to ISPs and Phorm Advertising Services increasingly collecting personal data and building profiles based on users’ surfing behaviour. An Anti-Phorm application is available for download online:

“The AntiPhorm group - which describes itself as "a loose conglomeration of concerned individuals comprised of artists, programmers and designers" - says it wants to prevent ISPs from profiting from their customers' personal surfing habits. …

To throw Phorm off the scent, the team has developed an application called AntiPhormLite that sits in the background, visiting random sites. "It connects to the web and intelligently simulates natural surfing behaviour across thousands of customisable topics," the site claims.”

Seminar (23 May 2008): An Empirical Analysis of Phishing Attack and Defense

People in the UK might be interested in this seminar by Tyler Moore, titled “An Empirical Analysis of Phishing Attack and Defense”, which will take place at the University of Bath, UK, on Friday, 23 May 2008. The abstract follows:

“A key way in which banks mitigate the effects of phishing attacks is to remove the fraudulent websites and abusive domain names hosting them. We have gathered and analyzed empirical data on phishing website removal times and the number of visitors that the websites attract. We find that website removal is part of the answer to phishing, but it is not fast enough to completely mitigate the problem. Phishing-website lifetimes follow a long-tailed lognormal distribution -- while many sites are removed quickly, others remain much longer. We have found evidence that one group responsible for half of all phishing, the rock-phish gang, cooperates by pooling hosting resources and by targeting many banks simultaneously. The gang's architectural innovations have significantly extended their websites' average lifetime. Using response data obtained from the servers hosting phishing websites, we also provide a ballpark estimate of the total losses due to phishing. Phishing-website removal is often subcontracted to specialist companies. We analyze three months of 'feeds' of phishing website URLs from multiple sources, including two such companies. We demonstrate that in each case huge numbers of websites may be known to others, but the company with the take-down contract remains unaware, or learns of sites only belatedly. Upon calculating the resultant increase in lifetimes caused by the take-down company's lack of action, the results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs.”
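The analysis the abstract describes, worked through on constructed feed data as an added example (this is not code from the seminar, the paper or its authors): each site's lifetime is measured from the earliest sighting in any feed, and the extra hours attributable to the take-down company's late or missing knowledge are the gap between that first sighting and the company's own. The feed names, URLs, timestamps and removal times are all constructed; the lognormal summary is simply the log-space mean and standard deviation of the lifetimes.

```python
"""Measuring how much extra lifetime phishing sites gain when the company
holding the take-down contract learns of them late.

Added example, not part of the seminar or of the paper it announces. The
feed records are constructed; real feeds carry far more fields. Lifetime is
defined as in the abstract: time from first sighting to removal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median, pstdev
import math


@dataclass(frozen=True)
class Sighting:
    url: str
    feed: str            # which URL feed reported the site
    first_seen: datetime


T0 = datetime(2008, 5, 1, 0, 0)
H = timedelta(hours=1)

# Constructed sample: three feeds; "takedown_co" is the contracted company's own feed.
SIGHTINGS = [
    Sighting("http://phish-a.example/login", "feed_x", T0),
    Sighting("http://phish-a.example/login", "takedown_co", T0 + 6 * H),
    Sighting("http://phish-b.example/secure", "feed_x", T0 + 2 * H),
    Sighting("http://phish-b.example/secure", "feed_y", T0 + 3 * H),  # never reaches takedown_co
    Sighting("http://phish-c.example/verify", "takedown_co", T0),
    Sighting("http://phish-c.example/verify", "feed_y", T0 + 4 * H),
    Sighting("http://phish-d.example/update", "feed_y", T0 + 5 * H),
    Sighting("http://phish-d.example/update", "takedown_co", T0 + 53 * H),
]

# Constructed removal times (when the site stopped serving the phishing page).
REMOVALS = {
    "http://phish-a.example/login": T0 + 30 * H,
    "http://phish-b.example/secure": T0 + 200 * H,
    "http://phish-c.example/verify": T0 + 10 * H,
    "http://phish-d.example/update": T0 + 60 * H,
}


def hours(delta):
    return delta.total_seconds() / 3600


def earliest_sightings(sightings, feed=None):
    """Earliest first_seen per URL, optionally restricted to one feed."""
    out = {}
    for s in sightings:
        if feed is not None and s.feed != feed:
            continue
        if s.url not in out or s.first_seen < out[s.url]:
            out[s.url] = s.first_seen
    return out


def lifetime_analysis(sightings, removals, takedown_feed):
    """Per URL: lifetime as the whole community could see it, lifetime as the
    take-down company saw it (None if it never learned of the site), and the
    excess hours attributable to the company's late or missing knowledge."""
    any_feed = earliest_sightings(sightings)
    td_feed = earliest_sightings(sightings, takedown_feed)
    rows = {}
    for url, removed in removals.items():
        if url not in any_feed:
            continue  # no sighting at all: nothing to measure
        true_lt = hours(removed - any_feed[url])
        if url in td_feed:
            known_lt = hours(removed - td_feed[url])
            excess = hours(td_feed[url] - any_feed[url])
        else:
            known_lt = None
            excess = true_lt  # the whole lifetime was invisible to the contractor
        rows[url] = {"true_lifetime_h": true_lt, "known_lifetime_h": known_lt, "excess_h": excess}
    return rows


def summarise(rows):
    """Summary statistics. The log-space mean/sd are the natural parameters
    of a lognormal fit, the distribution the abstract reports for lifetimes."""
    if not rows:
        return {"sites": 0}
    lifetimes = [r["true_lifetime_h"] for r in rows.values()]
    logs = [math.log(x) for x in lifetimes if x > 0]  # zero-length lifetimes cannot be logged
    return {
        "sites": len(rows),
        "median_lifetime_h": median(lifetimes),
        "mean_lifetime_h": mean(lifetimes),
        "total_excess_h": sum(r["excess_h"] for r in rows.values()),
        "never_seen_by_contractor": sum(1 for r in rows.values() if r["known_lifetime_h"] is None) / len(rows),
        "log_mean": mean(logs),
        "log_sd": pstdev(logs),
    }


if __name__ == "__main__":
    rows = lifetime_analysis(SIGHTINGS, REMOVALS, "takedown_co")
    for url, r in rows.items():
        seen = "never" if r["known_lifetime_h"] is None else f"{r['known_lifetime_h']:.0f}h"
        print(f"{url}: lived {r['true_lifetime_h']:.0f}h, contractor saw it for {seen}, excess {r['excess_h']:.0f}h")
    for k, v in summarise(rows).items():
        print(f"{k}: {v}")
```

On the constructed data the contractor never hears of one of the four sites and learns of another two days late, so 252 of the 293 total site-hours are attributable to feed data that other parties already held, which is the kind of figure the abstract's money-at-risk estimate is built on.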

Friday, May 16, 2008

EU PICOS Project: Investigating Trust, Privacy and IdM in Mobile Communities

The EU PICOS Project (FP7) is a consortium of eleven partners from seven EU countries, involving specialists from science, research and industry.

PICOS stands for “Privacy and Identity Management for Community Services”:

“Within 3 years, PICOS will investigate and develop a state-of-the-art platform for providing trust, privacy and identity management in mobile communities”.

The official PICOS web site is now available online. On this site you can also access the PICOS fact-sheet.

Tuesday, May 13, 2008

“IdM Risk Management” and “Identity Analytics”: Anything Else Apart From “Bottom-Up” Approaches?

I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:

(1) Risk Analysis and Management in the space of Identity Management
(2) Identity Analytics

My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective, i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) producing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach, where the “risk assessment” is done against predefined policies and/or well-defined situations.

So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) explore trade-offs in the Identity Management space (e.g. investing in education vs IT solutions vs outsourcing, etc.), understand the impact on factors of relevance for an organisation (e.g. costs, reputation, losses, trust, etc.), make well-founded decisions and potentially define suitable policies.

A specific example would be decision support solutions that help in understanding the trade-offs between adopting (in an organisation) strong passwords, SSO, multi-factor authentication, etc. and the costs involved, the value of the assets to be protected, the kinds of users involved and the actual benefits in terms of security. More generally, these solutions should provide insights into the trade-offs between the various possible choices in the IdM space (authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the complexity involved …

Is anybody aware of specific research/work/solutions in this space?

CIOs/CISOs are increasingly asked to justify their security investments and/or have to make investment choices that “maximise” their “expected outcomes” on ever-shrinking budgets. I see an opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …
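As an added illustration of the “top-down” trade-off analysis the post asks about (this is example code written for this page, not the author's work, an HP tool or any product), the following compares authentication options by annual control cost plus expected loss and finds the asset value at which a stronger control starts to pay for itself. The organisation, the options, the residual-risk factors and every cost figure are constructed placeholders; the point is the shape of the model, which a real deployment would feed with its own data.

```python
"""A minimal "top-down" IdM decision model: compare authentication options by
annual control cost plus expected loss, and find the asset value at which a
stronger option starts to pay for itself.

Added example, not from the post, from HP, or from any product. The
organisation, the options and every figure below are constructed; a real
model would draw them from the organisation's own data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Organisation:
    users: int
    asset_value: float                # value at risk behind the credentials (currency units)
    baseline_compromise_prob: float   # annual probability of a damaging credential compromise today


@dataclass(frozen=True)
class Option:
    name: str
    fixed_cost: float      # annual fixed cost: licences, infrastructure, programme management
    per_user_cost: float   # annual cost per user: tokens, training time, helpdesk load
    residual_risk: float   # fraction of the baseline compromise probability that remains


def control_cost(opt, org):
    return opt.fixed_cost + opt.per_user_cost * org.users


def expected_loss(opt, org):
    return org.baseline_compromise_prob * opt.residual_risk * org.asset_value


def total_cost(opt, org):
    return control_cost(opt, org) + expected_loss(opt, org)


def rank_options(options, org):
    """Options sorted by total annual cost (control cost + expected loss), cheapest first."""
    rows = [
        {
            "name": o.name,
            "control_cost": control_cost(o, org),
            "expected_loss": expected_loss(o, org),
            "total": total_cost(o, org),
        }
        for o in options
    ]
    return sorted(rows, key=lambda r: r["total"])


def break_even_asset_value(cheap, strong, org):
    """Asset value at which `strong` (lower residual risk, higher control cost)
    costs the same in total as `cheap`; above it, `strong` is the better buy.
    Returns None if `strong` does not reduce risk relative to `cheap`; a value
    <= 0 means `strong` wins at any asset value."""
    extra_cost = control_cost(strong, org) - control_cost(cheap, org)
    risk_cut = org.baseline_compromise_prob * (cheap.residual_risk - strong.residual_risk)
    if risk_cut <= 0:
        return None
    return extra_cost / risk_cut


# Constructed scenario: 2000 users, a constructed asset value and baseline risk.
ORG = Organisation(users=2000, asset_value=2_000_000, baseline_compromise_prob=0.30)
OPTIONS = [
    Option("Security education only", fixed_cost=0, per_user_cost=15, residual_risk=0.90),
    Option("Strong password policy", fixed_cost=10_000, per_user_cost=5, residual_risk=0.80),
    Option("Single sign-on", fixed_cost=150_000, per_user_cost=20, residual_risk=0.60),
    Option("Multi-factor authentication", fixed_cost=80_000, per_user_cost=40, residual_risk=0.20),
]

if __name__ == "__main__":
    for r in rank_options(OPTIONS, ORG):
        print(f"{r['name']:<30} control {r['control_cost']:>10,.0f}  "
              f"expected loss {r['expected_loss']:>10,.0f}  total {r['total']:>10,.0f}")
    pw, mfa = OPTIONS[1], OPTIONS[3]
    print(f"MFA beats the password policy once the asset value exceeds "
          f"{break_even_asset_value(pw, mfa, ORG):,.0f}")
```

With these placeholder figures multi-factor authentication has the lowest total cost, but the break-even function shows that below an asset value of roughly 778,000 the cheaper password policy wins, which is exactly the kind of sensitivity a decision maker needs before choosing between options; replacing the single expected-loss term with a simulated distribution of losses is the natural next step the post alludes to.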

Monday, May 12, 2008

PLING panel at WWW 2008

A PLING panel was held at the WWW 2008 conference (Beijing, 23-25 April), discussing policies and the Policy-aware Web.

The panellists were: Renato Iannella (moderator), Piero Bonatti, Lalana Kagal and Thomas Roessler.

The slides presented in this panel are now available online.

Wednesday, May 7, 2008

HP Labs Opens Research Opportunities to Academia

As announced in a recent press release, HP Labs are opening research opportunities to academia:

“HP today made it possible for colleges, universities and research institutions worldwide to participate in joint research with HP Labs, the company’s central research facility, through an open and competitive process.
The new HP Labs Innovation Research Program invites the worldwide academic community to submit proposals related to current research in the areas of information explosion, dynamic cloud services, content transformation, intelligent infrastructure and sustainability.
The program is the first offering of the HP Labs Open Innovation Office, which was established earlier this year as part of HP Labs’ new approach to research. The office is responsible for deepening HP Labs’ strategic collaborations with academia, the government and the commercial sector to produce mutually beneficial, high-impact research.

Program guidelines and the online submission tool are available at www.hpl.hp.com/open_innovation/irp. Proposals will go through an extensive review process within HP Labs. Selected winners will be notified in late 2008.”

Thursday, May 1, 2008

New HPL Technical Report: On Identity-aware Devices

A new HPL Technical Report, “On Identity-aware Devices: Putting Users in Control across Federated Services”, has recently been published:

“This paper describes R&D work on "Identity-aware Devices", in the context of federated services. The aim is to put users in control of their credentials and identities and enable simple, secure, trustworthy and transparent access to federated services. Current users' experience in networked and federated services is difficult and painful, especially when using mobile devices (e.g. mobile phones, laptops, PDAs, etc.): users need to contact online service providers and authenticate against them; additional credentials might be issued and required to access services; credentials need to be stored in a safe and secure place. Users have little control over the release of their identity information and related processes. A solution to address these issues is presented, based on the concept of "Identity-aware Devices" and federated "Provisioning Services". "Identity-aware Devices" leverage trusted modules and are driven by policies and users' preferences. Part of this work has been carried out in the context of a Liberty Alliance initiative, in collaboration with BT and Intel teams, aiming at driving the next generation of interoperable identity solutions. A full working prototype has been developed and successfully demonstrated in a joint project. This is work in progress. Next steps and plans are presented and discussed.”

Authors: Marco Casassa Mont, Boris Balacheff, Jason Rouault, Daniel Drozdzewski
