Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, July 22, 2009

About IEEE Policy 2009 Symposium

I attended the 10th edition of the IEEE Policy 2009 Symposium - http://www.policy-workshop.org/program.html.

This year it has been a particularly interesting conference. Good Keynotes and very interesting presentations, covering various aspects of policies and their management – including IT Governance, Analytics, Security and Privacy, Access Control, Formal Representations, Reasoning, Semantic Web and extensions of current languages (e.g. XACML).

I gave a presentation on “Using Modeling and Simulation for Policy Decision Support in Identity Management”. This is part of ongoing HP Labs work on Security and Identity Analytics. My presentation slide set is available here.

All other presentations are also going to be made available online, on the Policy 2009 web site.


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New HP Labs Technical Report – “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management”

A new HP Labs Technical Report has been released, in the area of Security and Identity Analytics, called “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management” by Adrian Baldwin, Marco Casassa Mont, David Pym and Simon Shiu:

“Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager's IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.”


Wednesday, July 15, 2009

Blog under spamming attack – end of anonymous comments?

I just noticed that my blog on “Research on Identity Management”, hosted by the HP portal, is under “comment spamming” attack.

This is not a major issue as the current blog platform’s security controls just filter these undesired comments.

However, in my view, this shows how the capability of having anonymous posting of comments can be easily abused.

I believe this capability will be increasingly disabled on most blog sites. The same could happen for “authenticated” comments, as most of the time this just requires a user setting up an account with a fake profile, which lets spammers post their comments again.

Switching off the capability of posting comments, or introducing further controls, will make the blog experience harder and harder …


Interesting BBC article – “Cyber crooks get business savvy”

This article, called “Cyber crooks get business savvy” is particularly interesting as it illustrates how cybercrime is evolving and maturing:

“Cyber crooks are increasingly operating like successful businesses, deploying the same tools legitimate companies use to boost their profits. Networking giant Cisco said online criminals were increasingly using proven business practices.
In its mid-year security report, Cisco said this new approach puts the bad guys way ahead. "When your enemy is financially motivated you have to be on alert," said Cisco fellow Patrick Peterson.”


IEEE Policy 2009 Symposium – Ready to Go

The 10th IEEE Policy 2009 Symposium (www.ieee-policy.org) is coming, 20-22 July 2009, Imperial College, London, UK.

This year’s programme is particularly interesting, with Keynote Speeches from Dr. Anne Adams (The Open University), Dr. Claudio Bartolini (HP Labs) and Dr. Mark Ryan (University of Birmingham).

I will present a paper describing recent HP Labs work on Identity Analytics, i.e. on how to use modeling and simulation to explore investment trade-offs and predict the impact of decisions in the space of Identity and Access Management. A related HPL Technical Report, on this topic, can be found here.

Registration for the conference is still open.
