Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, December 29, 2008

2009-2010: Predictions about Identity and Privacy Management

During the next two years (2009-2010), the Identity and Privacy Management areas are going to be subject to the same consolidation and cost-cutting trends that are already under way in security and, more generally, in IT.

In my view, investments in Identity Management (IdM) are going to be very pragmatic, driven also by the need to manage a highly “variable” workforce, to cope with a growing number of internal enterprise reorganizations and consolidations, and to deal with an increasing number of identity thefts and related attacks.

As such, I believe that the IdM areas that will get most of the market's attention are:
  • Entitlement management (and automated user provisioning)
  • Enterprise SSO
  • Authentication strategies

I don’t believe that client-based federated identity management and advanced authorization solutions will be driving the Identity Management space during this period.

From a Privacy Management perspective, I still believe that most of the action will happen in R&D contexts.

Of course, this is my view, based on some evidence and intuitions. I would be interested in getting your opinions.

I am also planning to compile a list of world-wide R&D projects and (industrial/university-based) R&D activities in the space of Identity and Privacy Management. I will post information about this. Of course, feel free to send me your input and relevant URLs.

--- NOTE: my original HP blog can be found here ---

Thursday, December 18, 2008

Identity Analytics: from a compliance-based to a risk-based approach

Here is a recent, interesting article called “Banks Need to Take Risk-Based Approach to Data Management”:

“Banks need to approach their data privacy and security from a risk point of view, according to experts with New York-based Deloitte. The firm held a webcast Tuesday that discussed how financial institutions can transform themselves from being compliance-driven organizations to risk-driven organizations, two models that are distinct, Edward Powers, a principal with the firm's security and privacy practice, said.
Over the last six to eight months, Powers said he has seen a continued sensitivity to risk among financial institutions. "At the same time, I've seen significant moves to downsize budgets and human resources. This is creating strain. Most organizations are now optimizing around the things that are most urgent."”

Interestingly, this reiterates a trend and approach that I have been describing for a while, especially from a security and identity management perspective. I would extend it beyond banks (and the financial sector) to enterprises and government agencies.

I believe that, from an identity and privacy perspective, modeling and simulation (coupled with social science and economics) can give decision makers additional support in understanding the consequences of their risk posture, and in explaining and predicting the impact of their choices.

Further information about our vision, based on Identity Analytics, has been provided in a few recent blog posts of mine (here, here and here), where I also discussed our view towards strategic decision support for Identity Management (and privacy …).


Monday, December 15, 2008

Identity Analytics: Providing Strategic Decision Support for Identity Management

I believe that “Enterprise Identity Management” is quickly maturing and, in some way, commoditizing, at least from a product and solution perspective. In this context, thinking about Identity Management (IdM) purely from a technical perspective is showing its limitations.

Decisions on IdM aspects are increasingly made at the strategic level, as outsourcing, cost saving, and balancing security with enterprise agility and usability become the main drivers. Strategic discussions on IdM include understanding the implications of new emerging scenarios and risks, such as the adoption of web 2.0 technologies within enterprises, new identity attacks (phishing, whaling, etc.), increased numbers of M&As and workforce reorganizations, IdM outsourcing and the adoption of IdM as a Service.

Key decision makers in this space, i.e. CIOs/CISOs, are driven by business needs and risk management. Some of the questions we have been asked include:
  • What is the trade-off between the risk reduction gained by tightening access to critical applications and the productivity lost as access rights become more limited and take longer to obtain?
  • Is it better to spend a limited budget on user education or on implementing a given technical control, such as automating user provisioning/deprovisioning or providing two-factor authentication?
  • Should users and business units be allowed to run their own IT solutions, or is it better to have centrally managed services?
  • What is the impact of emerging collaboration technologies such as blogging, Wikis and Second Life?
  • Do changes to working patterns, such as greater mobility, lead to additional risks?

In a few recent blog posts of mine (here and here) I discussed our view and approach towards strategic decision support for Identity Management, based on Identity Analytics.

Your input is always welcome, in particular in terms of providing additional case studies and IdM areas we could apply our approach to.


Thursday, December 11, 2008

EU Commission has set an Advisory Panel to revise EU Data Protection Directive

As highlighted in this article, you might be interested to know that the European Commission has set up an Advisory Panel, including executives from Google and Intel, to help revise the European Union laws on Data Protection:

"The aim of the group is to identify issues and challenges raised by new technologies. We are not reviewing the main data protection laws at present, but this could be a first step," said European Commission spokesman Michele Cercone. He added that the executives were chosen in a private capacity, rather than as representatives of their companies."


Friday, December 5, 2008

Built-in Data Loss Prevention and Analogy with Privacy Management

I have just read this interesting article, called “Microsoft, RSA Partner to Develop Next-Gen data Loss Prevention”, by Lawrence Walsh:

“The alliance between Microsoft and RSA will move data loss prevention technology into the fabric of the IT infrastructure and improve protection by associating data with identities and classifications. Analysts are already calling the idea a "game changer.””

The main message I got is that we need to move away from bolt-on solutions, towards “built-in DLP approaches”. I tend to agree with this approach, even though it is much harder to achieve.

This has some interesting analogies with privacy and the way privacy management is currently carried out, at least with most current privacy-enhancing technology (PET) approaches. I believe that we need to move toward built-in approaches here too, which require a deep understanding of the interconnections with the relevant “IT infrastructure fabric”, the related business processes (and needs), and the risks involved and their potential impact.

So, I believe this is something to consider very carefully, for example, in the context of the “Consent and Revocation Management” R&D area, within the TSB EnCoRe project.


Monday, December 1, 2008

A Fine Balance 2008: Privacy Technologies in Action

On November 27th I attended the UK “A Fine Balance 2008: Privacy Technologies in Action” event. It provided different and interesting perspectives (from the technological, social and legislative angles) on privacy. Presentations will soon be made available online:

“Following the success of the 2006 and 2007 Fine Balance events, four of the government's Knowledge Transfer Networks present the third in this series of independent forums that are already helping industry, government and academia achieve a balance between ensuring privacy and enjoying the benefits of new technology.”
