Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, December 4, 2009

W3C Policy Interest Group (PLING) Extended till Feb 2011

W3C has agreed to extend the W3C PLING Interest Group till February 2011.

I’ll keep co-chairing it along with Renato Iannella. Rigo Wenning and Thomas Roessler are the staff contacts.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Interesting article – What is a CSO?

Here is an interesting article discussing the role of the Chief Security Officer (CSO) within organisations.

The CISO/CSO role is going to change dramatically in the coming years, particularly given current trends such as shrinking IT departments, the consumerisation of IT and the adoption of cloud computing/services …



New Study calling for Cyber Security Overhaul in US

Interesting article providing an overview of a new study that argues that:

“Government needs to focus on offering businesses incentives to fix security problems and educating corporate leaders about the benefits of enhanced cybersecurity …”



Friday, November 27, 2009

New HP Labs Technical Report - Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

A new HP Labs Technical Report has been recently released: “Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation” (Authors: Kounga, Gina; Casassa Mont, Marco; Bramhall, Pete):

“Data protection regulations, such as the UK Data Protection Act, require organisations to process personal data according to the conditions consented by the data subjects. Such conditions can be expressed with data items or preferences collected from data subjects and stored in data repositories. Then, enforcing consent requires the policy decision point (PDP) to return authorization decisions based on access control policies and preferences. However, as security good practice requires using different entities for making authorisation decisions and accessing data, the PDP cannot return privacy-aware authorisation decisions if no solution is defined which allows the PDP to identify whether access requests fulfil the consented conditions without accessing the preferences. Existing standards do not solve this issue and previously proposed solutions transfer the decision making to the policy enforcement point. In this paper, we propose a solution that extends the eXtensible Access Control Markup Language standard and improves privacy-aware access control.”


New MS Research paper: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users"

An interesting paper, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users", has recently been published by Cormac Herley (MS Research), exploring why users so often reject security advice:

"It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.
Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.
Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain."


Friday, November 20, 2009

ENISA Cloud Computing Risk Assessment Report

ENISA has recently released three documents related to Cloud Computing, all of them available online:
· Cloud Computing Risk Assessment
· Cloud Computing Information Assurance
· Cloud Computing SME Perspective Survey
Enjoy.


On the T-Mobile Incident and Open Questions on Trading Personal Data Online

There has been an incident this week in which employees of T-Mobile were caught selling customer data.
On one hand this has shown that there is a thriving market for this kind of data …
On the other hand, it has also highlighted “interesting issues as under the Data Protection Act, it is a criminal offence knowingly or recklessly to obtain or disclose personal data (or to get someone else to do it for you) without the consent of the organisation responsible for that data. ...", as discussed in this article.

Whitepaper – Avoid the 7 Most Common Mistakes of Compliance

Here is a recent whitepaper that might be of interest to the IAM and security community, “Avoiding the 7 Most Common Mistakes of Compliance” (registration is required to get a copy …):

“At the most basic level, there is no single standardized framework or terminology that explicitly defines what your organization must do for compliance. Instead, there are many frameworks with conflicting requirements. Terminology is often vague or interpreted differently within organizations and between geographic regions. Ambiguity abounds due to lack of a universal philosophy of compliance.
A big challenge for security professionals is navigating this ambiguity. Check out this white paper for an in-depth review of the seven most common mistakes of security compliance and tips on using these lessons to meet your compliance goals.”


Monday, November 16, 2009

W3C Workshop on Access Control Application Scenarios – Papers Available Online

The position papers submitted to the W3C Workshop on Access Control Application Scenarios (17/18 November 2009, Luxembourg) are now available online.

A number of interesting positions have been taken by the various authors: I am sure the debates at the workshop will be useful and interesting for the security and access control community.

The workshop agenda shows the accepted papers and planned presentations.

One of the accepted position papers is the one I co-authored with a few colleagues:

Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies, Marco Casassa Mont, Siani Pearson (Systems Security Lab, HP Labs, Bristol, UK), and Sadie Creese, Michael Goldsmith, Nick Papanikolaou (International Digital Library, University of Warwick, UK)

We take a strong position on the existing gap between risk assessment and management - driven by a variety of business, legal, social and security requirements - and current low-level technical access control languages, policies and frameworks (control points), which can only partially take into account the richness and variety of these requirements.

We believe that the community, instead of focusing its effort on producing yet another access control language and framework, might need to make progress on bridging this gap – in order to get its proposals adopted by industry. In our paper we make an initial proposal based on introducing an intermediate “conceptual model” to reason about and identify the nature of the existing gaps – as well as ways to address them and derive new technical requirements.


CfP Workshop – Security and Privacy of Pervasive Systems and Smart Devices

Please consider submitting a paper to the WISTP 2010 workshop, which focuses on security and privacy topics for pervasive systems and smart devices. The submission deadline is November 10th:

“The impact of pervasive and smart devices on our daily lives is ever increasing, and the rapid technological development of information technologies ensures that this impact is constantly changing. It is imperative that these complex and resource constrained technologies are not vulnerable to attack. This workshop will consider the full impact of the use of pervasive and smart technologies on individuals, and society at large, with regard to the security and privacy of the systems that make use of them. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of pervasive systems and smart devices, as well as experimental studies of fielded systems. We encourage submissions that address the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues.”


Updated HPL Web Page with my R&D Work and Other Topics

I eventually found time to update my HP Labs personal web page, where I describe my current R&D work and research activities in security and identity management.

I received a few emails related to a recent post of mine (where I announced an extension of the topics discussed in this blog) asking for more details. Now you can find additional details in my HPL web page.

My focus is indeed on Security, Identity Management and Privacy. In my web page you can find project descriptions, recent publications and HPL technical reports of mine. Enjoy.



Monday, November 2, 2009

Security Trends Report by Microsoft and McAfee: Phishing Scams Relying More Heavily on Worms and Trojans

According to a recent security trends report by Microsoft and McAfee, social networks are being targeted by phishing scams, and attacks rely more heavily on worms and Trojans to compromise computers. Rogue security software also remains a big issue.

Some related articles on this topic can also be found here and here.


3rd PrivacyOS meeting

The 3rd PrivacyOS meeting has taken place in Vienna, 26-27 October 2009.

I attended, along with a few colleagues from HP Labs Bristol, the 3rd PrivacyOS meeting, in Vienna.

It has been a very interesting meeting, with presentations from various stakeholders of the privacy community and debates.

A summary of presentations and related notes can be found here.


Article - Malware is bound to hit smartphone devices as users do not consider security

Interesting article, by Dan Raywood (called “Malware is bound to hit smartphone devices as users do not consider security”):
“Smartphone attacks are likely to increase, as users are encouraged to take as much care with their device as with their PC. According to a report by CNN, smartphone security threats are likely to rise as the popularity of smartphones is on the rise and malware could be heading for them. …”
I believe this is a real threat. At risk, among many others, are corporate executives and senior staff who rely on and increasingly use smartphones as their core communication device, including for handling emails and storing confidential data.

I predict that more efforts (in terms of products, solutions, services) will be paid to address these issues, at least at a corporate level …


Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation

The 5th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf

In addition, a new “service”, “Latest EnCoRe Tidbits”, has been launched, aiming to provide links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1

More to come. Enjoy.


Friday, October 9, 2009

Research on Security and Identity Management

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has involved a variety of aspects, including security, identity management and privacy.

Most of my posts have actually reflected this – hence my decision to update my blog. I hope this will further grow the community of people who are interested in and follow my blog.


New W3C PLING General Phone Call – 14 October 2009, 12:00 UTC

The next W3C Policy Language Interest Group (PLING) general meeting is going to happen on October, 14th – 12:00 UTC.

Topics to be discussed include: (1) Best practices for privacy awareness; (2) web policy language working group proposal.

Please consider attending.


Article – Phishing or not, leaked passwords show lazy habits

This article, called Phishing or not, leaked passwords show lazy habits, by Elinor Mills, is quite interesting.

It is no novelty that there are bad practices when dealing with passwords – but it is also true that people are usually good at making risk assessments and judging which level of protection to choose, depending on the value of the asset to protect …


Monday, September 28, 2009

3rd PrivacyOS Conference, Vienna, 25-27 October 2009

The Third PrivacyOS conference is going to take place in Vienna, 25-27 October 2009:

http://www.amiando.com/3rdprivacyos.html

“The third PrivacyOS Conference focuses on “rising awareness – functions and impact of data protection”.

Participants are invited to join the Austrian Big Brother Awards Gala on the evening of the 25th of October and to discuss about privacy issues or their experiences in this field. The conference provides a unique opportunity to articulate and exchange best practices, challenges and solutions in privacy and data protection on the 26th and 27th of October.

The conference primarily addresses legal and technical IT experts, interested manufacturers of IT products or services as well as data protection authorities. All persons interested in privacy or data protection aspects are welcome to register for the event.”


Workshop on Access Control (and Privacy) Application Scenarios

Please consider submitting a position paper to the W3C Workshop on Access Control (and Privacy) Application Scenarios by October 23rd:

http://www.w3.org/2009/policy-ws/cfp.html

"W3C invites people to participate in a Workshop on Access Control Application Scenarios on 17-18 November 2009 in Luxembourg. This Workshop is intended to explore evolving application scenarios for access control technologies, such as XACML. Results from a number of recent European research projects in the grid, cloud computing, and privacy areas show overlapping use cases for these technologies that extend beyond classical intra-enterprise applications. The Workshop, co-financed by the European Commission 7th framework program via the PrimeLife project, is free of charge and open to anyone, subject to review of their statement of interest and space availability.

The workshop is intended to discuss issues around access control in a very wide sense, encompassing conditions and rules derived from the fact of accessing information. Topics that might serve as appropriate discussion points for position papers include, but are not limited to:
  • interaction between access control and privacy policies
  • language extensions to connect access control languages to novel types of credentials
  • large-scale cloud and grid computing use cases for access control technologies
  • policy management
  • mechanisms for controlling progressive disclosure of information by user agents and servers
  • the emerging role of trust delegation and supportive mechanisms in cloud computing, grid, and Web use cases
  • mechanisms for richer user control over downstream data controllers

The workshop will examine experiences and recent research results in these areas, their need for agreed semantics, the need for extensions to existing access control languages, and perhaps for radically new approaches.

Position papers are due 23 October. See the call for participation for more information."

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---


Interesting article – “Phishing Fraud hits two year high”

http://www.theregister.co.uk/2009/09/28/phishing_fraud_trends/

“Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor. …”


Tuesday, September 8, 2009

On Enterprise Security Playbooks

I am interested in getting a few real-world examples of enterprise “Security Playbooks” and explore them.

What is an enterprise Security Playbook? It is the “outcome” of an organisation’s scenario planning and security risk assessment exercises, describing what should be done in the presence of specific events and threats, for given contexts.

A security playbook can relate both to current and foreseeable situations where decisions must be taken by one or more “decision makers” and courses of actions carried out by specific people.

Why are “security playbooks” important? They are strategic for organisations as they synthesize what has to be done in critical situations (and who has to carry out actions) when very little time is allowed for debates and reactions.

Interestingly enough, “playbooks” are available in many fields, related to traditional business risk management (in case of faults, natural disasters, etc.).

I am interested in learning more about enterprise playbooks that specifically focus on “IT security and cybercrime” aspects: I am wondering whether any public template, example or guideline has ever been produced. I struggled to find anything really relevant …

I am also interested in better understanding the implications in the IAM space, i.e. what impact playbooks have on people, IAM processes and related IT operations …

Any input or links would be greatly appreciated.


On my Experience in Using Twitter …

I’ve now been using my Twitter account for a few months, in order to provide quick updates about my work and activities.

My overall experience is positive. The 140-character limit is actually a plus, imposing some discipline on what to say and where to focus.

I have used Twitter many times to complement my blogging activities, to provide short pointers to blog posts of interest, to a wide community of followers.

I noticed that the communities operating in Twitter are nowadays much more active and dynamic than the ones operating in the traditional blogging space.

But this is just based on my personal experience and discussed topics …


W3C Policy Languages Interest Group (PLING) - Public Teleconference - 09 September 2009 – 12:00 AM (UTC)

The next W3C Policy Languages Interest Group (PLING) public teleconference is going to be held on 09 September 2009, at 12:00 AM (UTC).

Among many other topics, the agenda includes:

Please consider attending this teleconference.


Tuesday, August 25, 2009

Good R&D Progress in the Space of Identity (and Security) Analytics

Good progress has been made in the R&D space of Identity Analytics at HP Labs (in the broader context of Security Analytics).

Various IAM case studies have been explored, investigating how event-driven probabilistic modelling, coupled with economic studies, can be used to help decision makers make decisions on investments, identify suitable metrics and policies, and better understand the impact of choices, trade-offs and risk implications.

We had a few papers accepted at international conferences, in particular the IEEE Policy 2009 Symposium, the Trust Economics 2009 Workshop and IEEE MetriSec 2009 – covering various IAM aspects.

A few HP Labs Technical Reports are now publicly available:

  • HPL-2009-173 - Adrian Baldwin, Marco Casassa Mont, David Pym, Simon Shiu - System Modelling for Economic Analysis of Security Investments: A Case Study in Identity and Access Management
  • HPL-2009-142 - Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu - Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes
  • HPL-2009-138 - Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran - Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks
  • HPL-2009-57 - Marco Casassa Mont, Adrian Baldwin, Simon Shiu - Identity Analytics - User Provisioning Case Study: Using Modelling and Simulation for Policy Decision Support, 2009
  • HPL-2009-56 - Adrian Baldwin, Marco Casassa Mont, Simon Shiu - Using Modelling and Simulation for Policy Decision Support in Identity Management, 2009
  • HPL-2008-84 - Marco Casassa Mont, Adrian Baldwin, Simon Shiu - On Identity Analytics: Setting the Context, 2008


I am looking for input and feedback, in particular additional case studies to which our approach and techniques could be applied.



Serving in the Technical Program Committee of International Conferences

This year I have been serving as a member of many Technical Program Committees, in various International (IEEE, ACM, etc.) Conferences, including: ACSAC 2009, IEEE BIDS 2009, IEEE InSpec 2009, ACM DIM 2009, IEEE ICSC 2009, TrustBus 2009 and ICIMP 2009.

I found this experience very rewarding. Despite the time that has to be allocated to peer reviewing papers, it really provides a good overview of the state of the art of research (and applied research) in the field of interest – in my case security, identity management and privacy.

I would encourage the members of this community to take on a similar role, especially those interested in R&D and research.



Call for Actions: W3C Policy Languages Interest Group (PLING)

We are looking for active contributions in the context of the W3C PLING Interest Group, in the space of: use cases, policy language reviews, policy initiatives and open issues.

Of particular interest is any input related to the implications of using policies and policy management in the space of cloud computing.

The charter of W3C PLING has now been extended to December 2009. We are looking for your input and contributions.

The next general phone meeting (open to everybody) is planned to happen on 09 September 2009, 12:00 AM (UTC)



Good progress in the TSB EnCoRe Project – Ensuring Consent and Revocation

The TSB EnCoRe project (Ensuring Consent and Revocation) is making good progress towards its various objectives, involving the provision and management of consent and revocation.

This topic has been tackled from various perspectives including: legal and social aspects, user requirements, architectural and technological aspects, risk assessment and compliance.

More information is available on the EnCoRe web site, including a brief summary of the project’s fourth quarter activities.



New HP Labs Technical Report – “Secure Delivery of Services: The HP Labs Vision and Framework”

A new HP Labs Technical Report has been released, in the area of Security management, called “Secure Delivery of Services: The HP Labs Vision and Framework” by Marco Casassa Mont and Patrick Goldsack:

“The secure delivery and management of services and information is complex and subject to a multitude of factors and issues. Key challenges are posed by current trends towards outsourcing of services/decentralization, loss of control over the IT infrastructure, remote access to services by citizens and civil servants, an increasingly mobile workforce along with mutable threat environments and new risks posed by new devices and ways to store, process and transport information. Traditional approaches to security and related controls (e.g. Vulnerability Management, Identity and Access Management, Data Protection, etc.) need to be reassessed and adapted to cope with this ever changing IT environment. To ensure secure delivery, IT consultants, government planners, decision makers and IT Operations teams need to have a holistic approach to security and understand the implications and impact of these aspects. At HP Labs we are developing a vision and framework for the secure delivery of services and related information, based on an integrated approach underpinned by four core capabilities and technologies developed in HP Laboratories: Security Analytics to model policy and reason about the security and other risks; Secure IT Configuration and Deployment to act as the automated engine of policy implementation; Trusted Infrastructure which is the basic building block for the secure delivery of services; and finally Continuous Compliance and Monitoring which ensures that the systems behave as intended in the policy description.”



Wednesday, July 22, 2009

About IEEE Policy 2009 Symposium

I attended the 10th edition of the IEEE Policy 2009 Symposium - http://www.policy-workshop.org/program.html.

This year it has been a particularly interesting conference. Good keynotes and very interesting presentations, covering various aspects of policies and their management – including IT governance, analytics, security and privacy, access control, formal representations, reasoning, the Semantic Web and extensions of current languages (e.g. XACML).

I gave a presentation on “Using Modeling and Simulation for Policy Decision Support in Identity Management”. This is part of ongoing HP Labs work on Security and Identity Analytics. My presentation slideset is available here.

All other presentations are also going to be made available online, in the Policy 2009 web site.



New HP Labs Technical Report – “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management”

A new HP Labs Technical Report has been released, in the area of Security and Identity Analytics, called “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management” by Adrian Baldwin, Marco Casassa Mont, David Pym and Simon Shiu:

“Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager's IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.”
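The abstract describes executing a process model as Monte Carlo simulations to see how a security manager's utility behaves for varying levels of investment and threat. The following is an added toy illustration of that idea and is not the technical report's model: the functional forms (breach probability halving per 100 units of investment, linear access friction), the utility shape and all parameter values are constructed assumptions, chosen only to show how such a simulation is wired together and how a sweep over investment levels yields a decision-support view.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class IamScenario:
    """Constructed parameters for a toy IAM investment model (hypothetical units)."""
    investment: float          # annual IAM spend on people, process and technology
    threat_rate: float         # expected number of attack attempts per year
    base_breach_prob: float    # chance an attempt succeeds with zero investment
    breach_loss: float         # loss per successful breach
    friction_cost: float       # productivity cost per unit of access friction


def breach_probability(investment: float, base_prob: float) -> float:
    """Diminishing returns: every 100 units of investment halve the success
    probability of an attack attempt (constructed functional form)."""
    return base_prob * 0.5 ** (investment / 100.0)


def access_friction(investment: float) -> float:
    """Tighter controls slow legitimate access; constructed linear relation."""
    return 0.01 * investment


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm for a Poisson-distributed count with mean lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(s: IamScenario, rng: random.Random) -> tuple:
    """One Monte Carlo trial: draw attack attempts, resolve each against the
    investment-dependent breach probability, and score the manager's utility."""
    p = breach_probability(s.investment, s.base_breach_prob)
    attempts = poisson(s.threat_rate, rng)
    breaches = sum(1 for _ in range(attempts) if rng.random() < p)
    loss = breaches * s.breach_loss
    friction = access_friction(s.investment) * s.friction_cost
    # Utility trades investment against realised breach loss and access friction.
    utility = -(s.investment + loss + friction)
    return utility, breaches


def monte_carlo(s: IamScenario, trials: int = 2000, seed: int = 1) -> dict:
    """Repeat the yearly trial and summarise utility and breach statistics."""
    rng = random.Random(seed)
    utilities, breaches = [], []
    for _ in range(trials):
        u, b = simulate_year(s, rng)
        utilities.append(u)
        breaches.append(b)
    return {
        "mean_utility": sum(utilities) / trials,
        "mean_breaches": sum(breaches) / trials,
        "p_any_breach": sum(1 for b in breaches if b > 0) / trials,
    }


def sweep(investments, threat_rate, base_breach_prob=0.3, breach_loss=500.0,
          friction_cost=20.0, trials=2000, seed=1) -> dict:
    """Mean utility per investment level for a given threat level."""
    out = {}
    for inv in investments:
        s = IamScenario(inv, threat_rate, base_breach_prob, breach_loss, friction_cost)
        out[inv] = monte_carlo(s, trials, seed)["mean_utility"]
    return out


def best_investment(investments, threat_rate, **kw) -> float:
    """Investment level with the highest mean utility under the sweep."""
    results = sweep(investments, threat_rate, **kw)
    return max(results, key=results.get)


if __name__ == "__main__":
    levels = [0, 50, 100, 200, 400]
    for threat in (2.0, 10.0):
        print(f"threat_rate={threat}: utilities {sweep(levels, threat)}")
        print(f"  best investment: {best_investment(levels, threat)}")
```

Running the script prints, for a low and a high threat level, the mean utility of each investment level and the level that maximises it; the point of the exercise is that the preferred investment shifts with the threat environment, which is the kind of trade-off a decision-support tool of this sort is meant to expose.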



Wednesday, July 15, 2009

Blog under spamming attack – end of anonymous comments?

I just noticed that my blog on “Research on Identity Management”, hosted by the HP portal, is under “comment spamming” attack.

This is not a major issue as the current blog platform’s security controls just filter these undesired comments.

However, in my view, this shows how the capability of having anonymous posting of comments can be easily abused.

I believe this capability will increasingly be disabled on most blog sites. The same could happen for “authenticated” comments, as most of the time these just require a user to set up an account with a fake profile, which lets spammers post their comments again.

Switching-off the capability of posting comments or introducing further controls will make the blog experience harder and harder …


Interesting BBC article – “Cyber crooks get business savvy”

This article, called “Cyber crooks get business savvy” is particularly interesting as it illustrates how cybercrime is evolving and maturing:

“Cyber crooks are increasingly operating like successful businesses, deploying the same tools legitimate companies use to boost their profits. Networking giant Cisco said online criminals were increasingly using proven business practices.
In its mid-year security report, Cisco said this new approach puts the bad guys way ahead. "When your enemy is financially motivated you have to be on alert," said Cisco fellow Patrick Peterson.”



IEEE Policy 2009 Symposium – Ready to Go

The 10th IEEE Policy 2009 Symposium (www.ieee-policy.org) is coming, 20-22 July 2009, Imperial College, London, UK.

This year’s programme is particularly interesting, with Keynote Speeches from Dr. Anne Adams (The Open University), Dr. Claudio Bartolini (HP Labs) and Dr. Mark Ryan (University of Birmingham).

I will present a paper describing recent HP Labs work on Identity Analytics, i.e. on how to use modeling and simulation to explore investment trade-offs and predict the impact of decisions in the space of Identity and Access Management. A related HPL Technical Report, on this topic, can be found here.

Registration for the conference is still open.


Monday, June 29, 2009

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

I recently attended the EEMA e-Identity Conference, in London, 25-26 June 2009. There were interesting presentations and good talks.

I also gave a presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities”:

“This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs’ perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.
The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a closed & controlled approach (within enterprises) to potentially on-the-fly composable and customisable services, in the Cloud.
Use cases are introduced to illustrate “common” usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks to the weakest points in the service provisioning chain and identity thefts.
This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).
I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).
The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs’ medium and long-term vision about how the underlying Cloud infrastructure is going to evolve along with its implications in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environments (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations evaluate and predict the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats.”


Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes

Another new HP Labs Technical Report has been recently released, called “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes” (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):

“It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations' security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what-if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders.”



New HP Labs Technical Report: Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks

A new HP Labs Technical Report has been recently released, called “Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks” (authors: Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran):

“This paper aims at exploring the impact on enterprises of the adoption of Social Networks by employees. It analyses the risks that enterprises could face and suggests a methodology to answer questions, such as: what are the actual risks for an organization, given a specific context? How to assess these risks? What are the most significant approaches that can be taken to mitigate them? What are the financial and organizational implications for an organization in implementing any of the possible approaches?”



Tuesday, June 16, 2009

HP Labs - Second Annual Innovation Research Awards

HP Labs have announced the Recipients of the Second Annual Innovation Research Awards (http://finance.yahoo.com/news/HP-Announces-Recipients-of-bw-15522893.html?.v=1):

“Sixty projects from 46 universities in 12 countries will receive awards from HP Labs, the company’s central research arm. The program is designed to create opportunities for colleges, universities and research institutes to conduct breakthrough collaborative research with HP.

Building on the success of last year’s program, HP increased the number of projects it will fund by more than 30 percent – up from 45 projects at 35 institutions worldwide in 2008. Furthermore, given the significant contributions achieved in last year’s program – including 61 published papers and 13 invention disclosures – HP extended a second year of funding to 31 professors in 2009. …”



W3C Policy Interest Group (PLING) Charter Extended

The W3C Policy Interest Group (PLING) Charter has been extended till 31 December 2009.

We are looking for additional case studies and requirements, in particular in emerging areas such as Cloud Computing and Social Networking.

Please share your thoughts, input and experience. Feel free to subscribe to the PLING mailing list to get periodic updates on discussions and topics of interest.



Wednesday, May 27, 2009

A few Thoughts on Security Assurance …

Based on various interactions and discussions that I had with organizations, customers and various people, I understand that dealing with “Security Assurance” is currently a major concern and issue.

How can a CIO/CISO be sure that their organization is making the right bets on the right security investments? How to be sure that these investments are effectively addressing the right security issues (of relevance to the business), especially in an ever changing IT and social environment (with dynamic threat environments)? How to get proper feedback about the current, overall situation, have a reasonable understanding of involved risks and exposures and be in the position to make informed decisions?

This is actually a “recursive problem” involving the various decision makers and managers across the organizational ladder. It impacts their ability to define proper policies and protect organizational assets.

“Security Assurance” is of particular relevance in case of outsourcing and/or usage of services in the Cloud, when organizations lose control of their IT stacks and related “control points”. Just relying on contractual agreements and hoping that everything is going to be fine is not a satisfactory approach.

I do not think that current bottom-up “security monitoring” and risk assessment tools/solutions can address these kinds of challenges. This is really an area open to contributions and innovation.

Incidentally, all the above points also apply to the “Identity Management” vertical (Identity Assurance …).


Part III: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

I am surprised by the number of people and organizations that have been asking me to give a rerun of the presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” - that I previously gave at the Open Group Security Practitioners Conference, London, 27 April 2009.

A copy of this presentation is now available here, on my web page.

I am currently working on a new version of it (for the EEMA e-Identity Conference 2009), to take into account recent developments and new interesting aspects/concerns related to Identity in the Cloud.

I still believe that “Security Assurance” is the hot topic for Cloud Computing and specifically “Identity Assurance” is a key concern for Identity in the Cloud.


Monday, May 4, 2009

IEEE Policy 2009 – Call for Sponsorship

The IEEE Policy 2009 Symposium (http://www.ieee-policy.org/), to be held in London, UK, 20-22 July 2009, has now received the sponsorship of both IEEE Computer Society and IEEE Communication Society (technical co-sponsorship).

A draft program is also available at http://www.policy-workshop.org/program.html.

We are now looking for sponsors from industry and academia. Have a look at the “Call for Sponsors” (http://www.policy-workshop.org/POLICY2009-CallForPatrons.pdf).

In case of interest, please contact ieeepolicy2009@googlemail.com.


Identity and Privacy Forum, 14-15 May 2009, London

This community might be interested in attending the Identity and Privacy Forum, London, 14-15 May 2009, http://www.identityandprivacy.com/


Part II: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

The presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” that I gave at the Open Group Security Practitioners Conference, London, 27 April 2009, is now available online, at http://www.opengroup.org/conference-live/ along with the ones of the other presenters (Security Plenary Presentation Section).

Thanks to the people who provided me with inputs and material about this topic.


Friday, April 17, 2009

The Future of Identity in the Cloud: Requirements, Risks and Opportunities

I am preparing my presentation, called “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” (http://www.opengroup.org/london2009-spc/mont.htm) for the coming Open Group Security Practitioners Conference, London, 27 April 2009.

In particular I am very keen on discussing current models and architectures underpinning both Cloud Computing and Identity in the Cloud, along with discussions of risks, issues and (users’ and organisations’) requirements.

This is a good opportunity to get additional input from this community, in particular related to Identity in the Cloud, if you have specific concerns, issues or you would like to share requirements.


CfP for 5th ACM Workshop on Digital Identity Management – DIM 2009

The CfP of the 5th ACM Workshop on Digital Identity Management, DIM 2009, is now available online: http://www2.pflab.ecl.ntt.co.jp/dim2009/

Please consider submitting a paper.


Friday, April 3, 2009

Cloud Security Alliance

You might be interested in knowing that a Cloud Security Alliance has been recently created and it will be launched at RSA.

I am interested in getting more details about their approach to handle IAM (and related issues) in the Cloud …


Friday, March 20, 2009

The Economics of Identity and Access Management (IAM)

What are the Economics of Identity and Access Management (IAM)? This is a key area that needs to be explored, to really understand, from an economic perspective, the actual value that IAM provides to organizations based on its impact on aspects of relevance to decision makers (such as loss prevention and risk mitigation) and the threat landscape.

A few core aspects need to be researched:

1) What are the key “aspects/metrics” that characterize the impact of IAM investments on an enterprise, for example in terms of preventing/reducing losses? In a first analysis important “macro” aspects include: security breaches (B), productivity loss (P), compliance violations (C) and costs (K)…

2) How do these aspects/metrics relate to the basic IAM “levers” that decision makers (e.g. CIO/CISO/Risk Managers) can act on, i.e. configuration, enforcement and audit reporting tools (compliance checking tools)? We need to capture the relevant causal dependencies, for example: what are the consequences and the impact of investing more in audit/compliance checking, rather than in configuration or enforcement? What are the consequences of acting on enforcement in terms of productivity and costs?

3) Which utility functions, U(B,P,C,K) can effectively model the impact of IAM (e.g. in terms of losses) on security breaches, productivity loss, compliance violations and costs by factoring in the investments in the “configuration, enforcement and audit” levers?

4) How to effectively use systems modeling to estimate these utility functions, by animating the causal dependencies and inter-relationships among these “levers” and their impact on metrics, inclusive of assumptions on the threat landscape?

So far I found very little literature and related work in this space – I would be keen to get any reference or link, if available.

I am going to pursue research in this space, in the context of the Identity Analytics activity (HP Labs Security Analytics project, Systems Security Lab), as I believe this (as for the Economics of Privacy and the Economics of Information Security) can:
- provide a more rational way to describe and analyse the impact and value that IAM actually offers to organizations;
- provide key decision makers with a decision support tool that operates at their level of abstraction.


Wednesday, March 18, 2009

Do Enterprises know where they store personal data?

Apparently most enterprises don’t, at least based on this survey, called “Safeguarding the Currency of Business”, where they found that "71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored".

This has strong implications (among other things …) from a privacy perspective, in particular from a consent and revocation management angle – as also currently highlighted in a recent HP Labs report of ours (“On the Management of Consent and Revocation in Enterprises: Setting the Context”).

Hopefully we will explore how to tackle some of the related issues in the UK TSB EnCoRe project.


Thursday, March 12, 2009

Twitter and its Privacy and Identity Management Implications

I recently started using Twitter (my link: http://twitter.com/MCasassaMont).

Twitter is getting more and more popular within (and across) organisations, in particular for geographically distributed teams, to share their activities and whereabouts.

I am interested in better understanding this tool, in particular in terms of its identity and privacy implications and long-term repercussions for individuals and organisations.

I see some interesting research to be potentially carried out in the context of the Identity Analytics R&D project at HP Labs and UK TSB EnCoRe project.



Wednesday, March 4, 2009

Identity Management and the IT Monoculture

A recent article (called “IT Monoculture: Security Risks and Defenses”) published by the IEEE Security and Privacy magazine, discusses pros and cons of having an IT Monoculture, i.e. where no diversity is introduced for specific IT solutions deployed within organizations.

Quite interestingly, this also applies to Identity Management. On one side, deploying the same Identity Management (IAM) solutions across an organization increases efficiency, central control and uniformity. On the other hand, it might potentially increase the exposure of the organization to threats and related risks.

I guess that, at the end, it is a matter of economics, involving trade-offs between involved costs, security and productivity.

This is an area where modeling and simulation (see Security and Identity Analytics) might be of some help, to explore, predict and identify the most suitable approach for an organization, given the organization profile and the underlying threat environment.

Just wondering if there is any recent, official study (I have not yet found it …) exploring the current level of “IAM-diversity” within organizations. Any pointer/link would be welcome …


Wednesday, February 18, 2009

IAM and top IT initiatives in 2009

This article, called “Encryption top IT Security Initiatives in 2009”, provides an overview of a recent Forrester report about IT security spending in 2009:

“Full-disk encryption was cited as the top client security technology

The survey's respondents also indicated interest in deploying identity and access-management (IAM) technologies, particularly single sign-on, unified monitoring of users' rights and activities and provisioning. The main reason given for adopting IAM was security and governance along with regulatory compliance. Among the technologies least anticipated to be piloted or adopted is application lockdown for endpoint control”


Monday, February 9, 2009

AICPA’s Top Technology Initiatives Survey – Information Security Management

AICPA has released the 2009 Top Technology Initiatives Survey results:

“The initiatives included in the survey are intended to represent the CPA’s unique perspective regarding the initiatives they believe will impact financial management and the fulfillment of other fiduciary responsibilities such as safeguarding of business assets, oversight of business performance, and compliance with regulatory requirements.”

Based on this survey, the top 10 technology initiatives are:

1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Transmission and Exchange
4. Business Process Improvement, Workflow, and Process Exceptions Alerts
5. Mobile and Remote Computing
6. Training and Competency
7. Identity and Access Management
8. Improved Application and Data Integration
9. Document, Forms and Content Knowledge Management
10. Electronic Data Retention Strategy

Additional details can be found here.


Tuesday, January 27, 2009

WEIS 2009 – Workshop on the Economics of Information Security

WEIS 2009 is a workshop focusing on the Economics of Information Security, including Economics of Privacy:

“The 2009 Workshop on the Economics of Information Security invites original research papers focused on any aspect of the economics of information security, including the economics of privacy. We encourage economists, computer scientists, psychologists, business and management school researchers, law scholars, security and privacy specialists, as well as industry experts, to submit their research and attend the Workshop”.

Paper submissions are due by 28 February 2009.


Monday, January 12, 2009

“Risk Taxonomy Technical Standard” Published by Open Group

Open Group has recently released a “Risk Taxonomy Technical Standard”, aiming at bringing some clarity to the terminology and concepts related to risk and risk management by introducing a taxonomy, definitions and their relationships.

Ian Dobson, who announced this release, wrote:

“I'm pleased to announce that the Security Forum's Risk Taxonomy technical standard (C081) is now published. It is freely available from The Open Group's Online Bookstore. Through the link below you can either download the file, or read it on-line:
http://www.opengroup.org/onlinepubs/9699919899/toc.pdf

This Risk Taxonomy standard provides a taxonomy describing the factors that drive risk - their definitions and relationships. It also provides an overview on how to use the taxonomy. It responds to the problem that the risk management community worldwide has not yet adopted a consistent definition for even the most fundamental terms in its vocabulary - e.g. threat, vulnerability, even risk itself.
This Risk Taxonomy provides the necessary foundation vocabulary, based on a fundamental analysis of what risk is, and then shows how to apply it to produce the objective, meaningful, and consistent results that business managers need in order to make informed business decisions on how to manage risk.

The intended audience for this standard includes anyone who needs to understand and/or analyze a risk condition. A particular feature of this taxonomy is that it is not limited to application in the information security space; it can be applied to any risk scenario. This scenario-agnostic characteristic enables the taxonomy to be used as a foundation for normalizing the results of risk analyses across varied risk domains.”


Tuesday, January 6, 2009

Economics of Identity Management & Risk-driven Identity Management

Kim Cameron’s post called “The economics of vulnerabilities …”, highlights a few key points made in Gunnar Peterson’s notes about the importance - when making security decisions - of keeping into account the (1) assets at stake in an organization and (2) their value.

Specifically, I found the following point very interesting:

“… If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!”.

I tend to agree that quite often decisions and investments made in the security space are not really driven by risk management and/or “value-at-risk” criteria.

This is also true in the Identity Management (IdM) space. Quite often the starting point, when making investment decisions in this field, is purely on IdM functionalities and the “general” added-value that they could provide to a business: it would help coupling this with the analysis of the actual business assets at stake, to be protected (business processes and services, information, etc.), their values, the involved threats and related risks.

As previously mentioned in my blog, I believe that we should start discussing the “Economics of Identity Management”, in the wider context of the “Economics of Information Security”.

In the medium/long run, what are the consequences (in terms of costs, risk exposure, usability, agility, reputation loss, etc.) of decisions made in the space of identity management, given the context and the involved assets? What are the feasible trade-offs and available options? Which key factors are truly relevant and need to be kept into account to make informed decisions?

So far, I have found no major discussions about the “Economics of Identity Management” and the above points. I am very keen on getting your input, observations and links.

In the context of the Identity Analytics R&D project, I am indeed interested in researching and exploring this area.


Sunday, January 4, 2009

Entitlement Management: Any Study/Factual Data about their Impact on Enterprises?

Entitlement Management solutions aim, in a nutshell, at ensuring that the right people (users) have the right access, at the right time to (sensitive) enterprise resources – by factoring in business, legislative and security requirements/constraints.

Usually a centralized approach is proposed as a way to ensure up-to-date control and management of access rights, coupled with the automation of user account provisioning and their lifecycle management.

I am looking for any type of study/survey/data that provides some factual information about the impact that “entitlement management” has within enterprises (e.g. in terms of handling/improving access control, costs, governance, etc.), compared with more traditional, ad-hoc approaches (e.g. relying on ad-hoc systems to manage users’ rights and related access control).

Any pointer to material on this topic would really be welcome.
