Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, June 29, 2009

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

I recently attended the EEMA e-Identity Conference in London, 25-26 June 2009. There were interesting presentations and good talks.

I also gave a presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities”:

“This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs perspective, possible future models, approaches and IT infrastructures to handle Identity in the Cloud.
The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a closed & controlled approach (within enterprises) to potentially on-the-fly composable and customisable services in the Cloud.
Use cases are introduced to illustrate “common” usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks on the weakest points in the service provisioning chain and identity theft.
This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).
I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and their failure to address some of the core requirements (such as assurance, trust and privacy control).
The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs’ medium and long-term vision about how the underlying Cloud infrastructure is going to evolve, along with its implications in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environments (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations evaluate and predict the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes

Another new HP Labs Technical Report has been recently released, called “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes” (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):

“It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations' security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what-if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provides a comprehensive view that shows the benefits and losses to the different stakeholders.”


--- Posted by Marco Casassa Mont ---

New HP Labs Technical Report: Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks

A new HP Labs Technical Report has been recently released, called “Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks” (authors: Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran):

“This paper aims at exploring the impact on enterprises of the adoption of Social Networks by employees. It analyses the risks that enterprises could face and suggests a methodology to answer questions, such as: what are the actual risks for an organization, given a specific context? How to assess these risks? What are the most significant approaches that can be taken to mitigate them? What are the financial and organizational implications for an organization in implementing any of the possible approaches?”


--- Posted by Marco Casassa Mont ---

Tuesday, June 16, 2009

HP Labs - Second Annual Innovation Research Awards

HP Labs have announced the Recipients of the Second Annual Innovation Research Awards (http://finance.yahoo.com/news/HP-Announces-Recipients-of-bw-15522893.html?.v=1):

“Sixty projects from 46 universities in 12 countries will receive awards from HP Labs, the company’s central research arm. The program is designed to create opportunities for colleges, universities and research institutes to conduct breakthrough collaborative research with HP.

Building on the success of last year’s program, HP increased the number of projects it will fund by more than 30 percent – up from 45 projects at 35 institutions worldwide in 2008. Furthermore, given the significant contributions achieved in last year’s program – including 61 published papers and 13 invention disclosures – HP extended a second year of funding to 31 professors in 2009. …”


--- Posted by Marco Casassa Mont ---

W3C Policy Interest Group (PLING) Charter Extended

The W3C Policy Interest Group (PLING) Charter has been extended until 31 December 2009.

We are looking for additional case studies and requirements, in particular in emerging areas such as Cloud Computing and Social Networking.

Please share your thoughts, input and experience. Feel free to subscribe to the PLING mailing list to get periodic updates on discussions and topics of interest.


--- Posted by Marco Casassa Mont ---