Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, July 25, 2008

Part III: Identity Analytics and Unstructured Data Analysis

In previous posts of mine (here and here) I introduced our vision of Identity Analytics and the focus and purposes of our R&D activities.

I received a few emails and queries asking to clarify the link between Identity Analytics and Unstructured Data, considering that this was mentioned in the “On Identity Analytics: Setting the Context” HPL Technical Report.

We believe that “Unstructured Data” is a possible, fertile and rich “case study”/scenario in which to explore the concept of Identity Analytics, the applicability of our approach and its potential limitations.

The adoption of new “web 2.0” collaborative tools within organizations (TWiki, Sharepoint, IM, etc.) and social networks (Facebook, LinkedIn, del.icio.us, etc.) provides users with better ways to collaborate, create and share content. At the same time this poses new threats and security risks, due to the nature of unstructured data, the fact that confidentiality issues can emerge from the aggregation of simpler pieces of information, and the difficulty of retaining control over this data. This is where traditional Identity Management solutions can show their limitations and where decision makers need to better understand the implications of their choices and/or the impact of defining new policies.

Our R&D work in Identity Analytics really aims, in this context, to explore how modeling and simulation can help to explain and predict the impact of some of these decisions on the organizations (e.g. in terms of risks, reputation, costs, etc.) and explore options and “trade-offs” by providing “what-if” analysis.

Of course the “unstructured data” scenario is just one of the various scenarios we are exploring. I would be interested in hearing from you about other areas where you think the “Identity Analytics” approach could help, and/or (decision support) issues you might have that it could address.

--- NOTE: my original HP blog can be found here ---

Security Metrics: NIST “Performance Measurement Guide for Information Security”

NIST has recently released the Revision 1 of their “Special Publication 800-55”, called “Performance Measurement Guide for Information Security”, which focuses on Security Metrics.

This is also of some relevance to people working in the “Identity Management” space and related control points (despite primarily targeting US federal agencies):

“This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency’s success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization.”


Sunday, July 20, 2008

W3C PLING Interest Group – Charter extended until June 2009

Good news. The W3C Policy Languages Interest Group (PLING - co-chairs: Renato Iannella, Marco Casassa Mont) charter has been extended until June 2009.

Please have a look at the PLING Twiki site for current outcomes of phone meetings, discussions and collection of material, about the following policy-related topics: use cases, policy languages review, related initiatives, interesting cases, open issues and scientific resources. Feel free to contribute and ensure that your positions and views are covered.

The PLING Twiki site also provides up-to-date information about coming PLING phone meetings. These meetings are open to anybody interested in the policy topic.

We are looking for speakers who are willing to give a short presentation (30 min) during our phone conferences, illustrating their work in the space of policy/policy management, open/new issues, interesting use cases and their vision in this space.


Wednesday, July 16, 2008

Survey: Only Eight Percent of Americans are “Very Confident” their Personal Data is Properly Managed

This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called “Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments”):

“Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as a follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with.”

Even more interesting is this statement, mentioned by the above article:

“Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall, now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identity and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it.”

Well, I only partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but this is just one step towards really ensuring that personal and confidential data is managed according to legislation and users’ preferences.

First of all, most current IdM solutions are not really privacy-aware and/or do not provide privacy enhancing capabilities (e.g. privacy-aware access control) – aspects that are the basis for preventing PII data from being accessed and used beyond agreed purposes or with the wrong intent … Secondly, IdM solutions can only address the problem up to a point, since accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen …
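To make the “privacy-aware access control” point concrete, here is a small added example (written for this page, not HP Labs code or any product’s code). It contrasts a conventional role-based check, which decides purely on who is asking and what field they want, with a purpose-bound check that also requires the declared purpose of the access to be one the data subject consented to. The data model (consented purposes stored alongside each PII record), the role policy and the sample requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PiiRecord:
    """A piece of personal data plus the purposes its owner agreed to (assumed model)."""
    owner: str
    field_name: str
    value: str
    consented_purposes: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    subject: str      # who is asking
    role: str         # role the subject acts under
    purpose: str      # purpose declared by the requester for this access
    record: PiiRecord


# Constructed role-to-field policy: what a conventional RBAC deployment enforces.
# Note that it knows nothing about purposes.
ROLE_POLICY = {
    "support_agent": frozenset({"email", "phone"}),
    "marketing_analyst": frozenset({"email"}),
}


def role_based_decision(req: AccessRequest) -> bool:
    """Classic IdM check: the role grants the field, the purpose is ignored."""
    return req.record.field_name in ROLE_POLICY.get(req.role, frozenset())


def privacy_aware_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Role check AND purpose binding: the declared purpose must be one the
    data subject consented to for this record. Returns (allowed, reason) so
    the reason can be written to an audit trail."""
    if not role_based_decision(req):
        return False, "role %s may not read field %s" % (req.role, req.record.field_name)
    if req.purpose not in req.record.consented_purposes:
        return False, "owner %s did not consent to purpose %r" % (req.record.owner, req.purpose)
    return True, "role and consented purpose both permit access"


def audit_line(req: AccessRequest) -> str:
    """Render the privacy-aware decision as an audit log line (constructed format)."""
    allowed, reason = privacy_aware_decision(req)
    return "subject=%s role=%s purpose=%s field=%s owner=%s decision=%s reason=%s" % (
        req.subject, req.role, req.purpose, req.record.field_name,
        req.record.owner, "ALLOW" if allowed else "DENY", reason)


def compare(requests: List[AccessRequest]) -> List[Tuple[str, bool, bool]]:
    """For each request, return (subject, RBAC-only verdict, privacy-aware verdict)."""
    return [(r.subject, role_based_decision(r), privacy_aware_decision(r)[0]) for r in requests]


# Constructed sample data: Alice consented to her e-mail being used for support only.
ALICE_EMAIL = PiiRecord("alice", "email", "alice@example.com", frozenset({"customer_support"}))

SAMPLE_REQUESTS = [
    AccessRequest("bob", "support_agent", "customer_support", ALICE_EMAIL),   # both allow
    AccessRequest("carol", "marketing_analyst", "marketing", ALICE_EMAIL),    # RBAC allows, purpose denies
    AccessRequest("erin", "hr_clerk", "customer_support", ALICE_EMAIL),       # role denies
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(audit_line(r))
```

The second request is the interesting one: a role-only check lets the marketing analyst read Alice’s e-mail, while the purpose-bound check denies it because marketing was never an agreed purpose. The purpose is still self-declared by the requester, which is why the decision and its reason are written to an audit line; the point in the post stands that such a control point only helps up to the limits of honest declarations and sound surrounding processes.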

So, the other part of the story, for the enterprise, is putting in place proper “data governance processes” and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (that should be carried out before deploying any “control point” in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions …


Saturday, July 12, 2008

On Identity Analytics - Part II

In a previous post of mine I announced the release of a new HPL Technical Report, titled “On Identity Analytics: Setting the Context” (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu), providing an overview of an HP Labs R&D project in the space of “Identity Analytics”.

I received a few emails asking (among other things) about HP/HPL strategies in Identity Management and how Identity Analytics fits in all this. Some additional details follow, based on what I can publicly discuss.

Identity Analytics is an HP Labs project, in the context of the Security Analytics project (Systems Security Lab). The R&D goal of this project is to innovate in the space of Identity Management (in a broad sense, i.e. including also human, social and economic aspects) by moving from an approach purely based on operational Identity Management solutions to an approach that also takes into account the “strategic” needs and requirements of key decision makers (e.g. CIOs/CISOs).

What is the impact on an organisation (e.g. in terms of costs, risks, reputation, trust, etc.) when making strategic decisions and/or defining policies in the space of Identity Management? Are current policies adequate given current (business, security, etc.) objectives? How are technical, educational, human, social and business aspects going to affect the (economic, security and business) outcomes, based on the choices and decisions made? What are the relevant trade-offs that need to be analysed, and how should they be evaluated? How can strategic, forward-looking, “what-if” analysis be provided to decision makers? These are some of the questions to be answered …

This is a green field, open to innovation. In this context, technical Identity Management solutions are just one aspect of the overall equation (and sometimes not the most important …), that also includes costs, (security and business) risks, business priorities and economic aspects.

I am confident that there are new business and market opportunities in this space, considering also the current shift (backed by key decision makers) from a pure “compliance-based” approach to a “risk-based” approach …


Wednesday, July 9, 2008

On Identity Analytics: New HP Labs Technical Report

This community might be interested in a new HPL Technical Report, just released, titled “On Identity Analytics: Setting the Context” (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu).

This report reflects R&D work we are doing at HP Labs, Systems Security Lab. I am very keen on getting your views and input. The abstract of this technical report follows:

“This paper aims at setting the context for “Identity Analytics” within enterprises and paving the path towards new R&D opportunities. In our vision, Identity Analytics is about explaining and predicting the impact of identity and identity management (along with other related aspects, such as users’ behaviours) on key factors of relevance to decision makers (e.g. CIOs, CISOs), in complex enterprise scenarios – based on their initial assumptions and investment decisions.

Ultimately the goal is to provide rigorous techniques to help decision makers gain a better understanding of the investment trade-offs within the identity space (e.g. investing in technologies vs. changing processes vs. investing in users’ education, etc.). This means providing “decision support” and “what-if analysis” capabilities to decision makers enabling them to explore these investment trade-offs, formulate new policies and/or justify existing ones. Our vision of “Identity Analytics” is introduced and discussed, along with the methodology that we intend to adopt.

There are many research opportunities and challenges in this space: we believe that a scientific approach is required, involving the usage of modelling and simulation techniques, coupled with the understanding of involved technologies and processes, human behaviours and economic aspects. To ground some of the concepts discussed in this paper, we provide an illustration of Identity Analytics focusing on emerging “web 2.0 enterprise collaborative data sharing”, where unstructured information is created, stored and shared by people in collaborative contexts, within and across organisations. We demonstrate how trade-offs can be explored using the modelling approach hence allowing decision makers to explore the different impacts of policy choices.”


Friday, July 4, 2008

Gartner’s Report: Top Seven Cloud-computing Security Risks

I tend to agree with the outcomes of a recent Gartner report on the top seven cloud-computing security risks. A related article, by Jon Brodkin, provides a nice overview and summary of the key talking points of this report:

“Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”

Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing,” Gartner says.”

In particular I believe that the aspects related to “privileged user access”, “regulatory compliance” and “data location/data segregation/privacy management” are potential key issues that, if not properly addressed, can expose organizations (and users) to high risks.


Thursday, July 3, 2008

FTC Planning to Conduct a Wide-Ranging Study on Identity Theft Victims

As highlighted in this recent article (called “FTC recruiting identity theft victims”), the FTC is planning to conduct a wide-ranging study on identity theft victims:

“In an effort to buttress its enforcement and better understand the scourge that is identity theft, the Federal Trade Commission said today it plans to conduct a wide-ranging study of victims of the crime.

The FTC is looking for people harmed by the crime and said the survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge.”

More details are in the article mentioned above, including the URL of the FTC survey site (NOTE: at the moment of writing I tried to connect to this site but it does not work …).

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---