Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, May 27, 2009

A few Thoughts on Security Assurance …

Based on various interactions and discussions that I had with organizations, customers and various people, I understand that dealing with “Security Assurance” is currently a major concern and issue.

How can a CIO/CISO be sure that their organization is making the right bets on the right security investments? How to be sure that these investments are effectively addressing the right security issues (of relevance to the business), especially in an ever changing IT and social environment (with dynamic threat environments)? How to get proper feedback about the current, overall situation, have a reasonable understanding of involved risks and exposures and be in the position to make informed decisions?

This is actually a “recursive problem” involving various decision makers and managers in the organization ladder. It impacts their ability to define proper policies and protect organizational assets.

“Security Assurance” is of particular relevance in case of outsourcing and/or usage of services in the Cloud, when an organization loses control of its IT stacks and related “control points”. Just relying on contractual agreements and hoping that everything is going to be fine is not a satisfactory approach.

I do not think that current bottom-up “security monitoring” and risk assessment tools/solutions can address these kinds of challenges. This is really an area open to contributions and innovation.

Incidentally, all the above points also apply to the “Identity Management” vertical (Identity Assurance …).

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Part III: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

I am surprised by the number of people and organizations that have been asking me to give a rerun of the presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” - that I previously gave at the Open Group Security Practitioners Conference, London, 27 April 2009.

A copy of this presentation is now available here, on my web page.

I am currently working on a new version of it (for the EEMA e-Identity Conference 2009), to take into account recent developments and new interesting aspects/concerns related to Identity in the Cloud.

I still believe that “Security Assurance” is the hot topic for Cloud Computing and specifically “Identity Assurance” is a key concern for Identity in the Cloud.

--- Posted by Marco Casassa Mont (here and here) ---


Monday, May 4, 2009

IEEE Policy 2009 – Call for Sponsorship

The IEEE Policy 2009 Symposium (http://www.ieee-policy.org/), to be held in London, UK, 20-22 July 2009, has now received the sponsorship of both IEEE Computer Society and IEEE Communication Society (technical co-sponsorship).

A draft program is also available at http://www.policy-workshop.org/program.html.

We are now looking for sponsors from industry and academia. Have a look at the “Call for Sponsors” (http://www.policy-workshop.org/POLICY2009-CallForPatrons.pdf).

In case of interest, please contact ieeepolicy2009@googlemail.com.

--- Posted by Marco Casassa Mont (here and here) ---


Identity and Privacy Forum, 14-15 May 2009, London

This community might be interested in attending the Identity and Privacy Forum, London, 14-15 May 2009, http://www.identityandprivacy.com/

--- Posted by Marco Casassa Mont (here and here) ---


Part II: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

The presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” that I gave at the Open Group Security Practitioners Conference, London, 27 April 2009, is now available online, at http://www.opengroup.org/conference-live/ along with the ones of the other presenters (Security Plenary Presentation Section).

Thanks to the people who provided me with inputs and material about this topic.

--- Posted by Marco Casassa Mont (here and here) ---
