Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, December 16, 2010

On the Benefits of Combining Security Analytics with SIEM Solutions

In previous posts of mine I discussed the importance of Security Information and Event Management (SIEM) solutions in providing organisations with compliance and assurance capabilities, hence improving an organisation’s situational awareness.

I often referred to these solutions as based on a bottom-up approach, i.e. starting from the collection of data, then correlating it and deducing alarms, trends and an analysis of the organisation’s risk exposure.

In other posts I compared and contrasted this approach against the top-down approach provided by Security analytics (in particular in the IAM space – “HP Labs Identity Analytics – What is this all about?”), where models and simulations are used to provide strategic decision support. These models need to be grounded by using empirical data.

I actually believe that these two approaches can be combined to get greater benefits:

  • A key part of Security Analytics activity is to identify the parameters, measures and metrics most relevant to assessing risks and providing suitable decision support and what-if analysis. This information can be used to drive the configuration of SIEM solutions, by recommending which measures and metrics to focus on and how they contribute to risk assessment and deductions;
  • SIEM solutions can collect, aggregate and process large amounts of data. This capability can be used to provide up-to-date empirical data to ground Security Analytics models;
  • Finally, Security Analytics can provide strategic decision support in the areas of event and incident management, situational awareness and compliance. By modelling and simulating the processes involved (collection and manipulation of data, correlation of information, deduction, incident and change management), it is possible to look for potential weaknesses and faults and to check whether the allocated resources are appropriate. This would help to inform security policies and investments.
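The loop described in the three points above can be made concrete in a few lines: a SIEM-style alert export supplies empirical parameters (arrival profile, true-positive rate, noisy sources), and those parameters then drive a small what-if model comparing resource options. The following is an added illustration, not code from the original post or from HP Labs; the alert records, the hour-by-hour triage model and the option names are all constructed for the example.

```python
"""Added illustration, not code from the original post: derive empirical
parameters from a SIEM-style alert export (bottom-up), then feed them into a
small what-if model of alert-handling capacity (top-down). The alert records,
the hourly triage model and the option names are all constructed."""
from collections import Counter
from datetime import datetime

# Constructed SIEM export: ISO timestamp, alert source, severity, analyst disposition
SIEM_ALERTS = """\
2010-12-16T08:05:00 firewall high true_positive
2010-12-16T08:12:00 ids medium false_positive
2010-12-16T08:40:00 proxy low false_positive
2010-12-16T09:03:00 ids high true_positive
2010-12-16T09:10:00 ids medium false_positive
2010-12-16T09:15:00 firewall medium false_positive
2010-12-16T09:30:00 av high true_positive
2010-12-16T09:45:00 proxy low false_positive
2010-12-16T09:55:00 ids medium false_positive
2010-12-16T10:02:00 firewall low false_positive
2010-12-16T10:30:00 proxy medium true_positive
2010-12-16T11:20:00 ids high true_positive
"""


def parse_alerts(text):
    """Turn the export into dicts with a parsed timestamp; malformed lines are skipped."""
    alerts = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, source, severity, disposition = fields
        alerts.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "severity": severity, "disposition": disposition})
    return alerts


def arrivals_per_hour(alerts):
    """Hour-of-day arrival profile: the empirical load the SIEM actually observed."""
    return Counter(a["ts"].hour for a in alerts)


def empirical_parameters(alerts):
    """Bottom-up step: the measures a SIEM can hand to an analytics model."""
    true_positives = sum(1 for a in alerts if a["disposition"] == "true_positive")
    return {
        "arrivals_per_hour": arrivals_per_hour(alerts),
        "true_positive_rate": true_positives / len(alerts),
        "by_source": Counter(a["source"] for a in alerts),
    }


def simulate_triage(arrivals, analysts, minutes_per_alert):
    """Top-down step: hour-by-hour FIFO triage with a fixed analyst capacity.
    Returns the fraction of alerts closed by shift end and the worst backlog seen."""
    capacity = analysts * 60 // minutes_per_alert  # alerts the team can close per hour
    backlog = handled = total = max_backlog = 0
    for hour in sorted(arrivals):
        backlog += arrivals[hour]
        total += arrivals[hour]
        done = min(backlog, capacity)
        handled += done
        backlog -= done
        max_backlog = max(max_backlog, backlog)
    return {"handled_fraction": handled / total, "max_backlog": max_backlog,
            "end_backlog": backlog}


def what_if_options(alerts, minutes_per_alert=30):
    """Compare investment options against the same empirical load."""
    load = arrivals_per_hour(alerts)
    # Idealised ceiling for rule tuning: only alerts that turned out to be real remain.
    tuned = arrivals_per_hour([a for a in alerts if a["disposition"] == "true_positive"])
    return {
        "1 analyst": simulate_triage(load, 1, minutes_per_alert),
        "2 analysts": simulate_triage(load, 2, minutes_per_alert),
        "1 analyst + tuned rules": simulate_triage(tuned, 1, minutes_per_alert),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SIEM_ALERTS)
    params = empirical_parameters(alerts)
    print("true-positive rate: %.2f, alerts by source: %s"
          % (params["true_positive_rate"], dict(params["by_source"])))
    for name, result in what_if_options(alerts).items():
        print("%-24s handled=%.2f max_backlog=%d"
              % (name, result["handled_fraction"], result["max_backlog"]))
```

With the constructed data, one analyst at 30 minutes per alert clears only two thirds of the day's alerts and builds a backlog of five during the 09:00 burst, a second analyst clears everything with a peak backlog of two, and tuning away the false positives lets one analyst keep up with no backlog at all. The point is the structure rather than the numbers: the SIEM supplies the load profile and the disposition rates, and the model turns them into a comparison that a decision maker can act on.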


Related to the third point, Security Analytics can enable the exploration of questions such as: “Are the current SIEM investments and related processes appropriate?”; “Am I focusing on the collection of the relevant data? Are my processes adequate to detect and handle specific threats?”; “What are the consequences of changing some of the processes/investing more in specific solutions and resources?”


I indeed believe that an interesting R&D area to work on is exploring how to leverage and combine these two approaches.


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

HP Information Security, Security Analytics and IAM

As mentioned in a previous post, HP Information Security has been recently launched.

Security Analytics is one of the new services provided in the context of Business Ready Security Innovation.

Aspects of the work done by HP Labs in the space of Identity Analytics - i.e. applying Security Analytics to the Identity and Access Management space - have been factored into this service:

“By combining our research and practical experience in information security, we are able to offer repeatable, short-term engagements that help you address the people, process, policy, and technology involved in your security management. These engagements cover two key areas:

  • Vulnerability and threat management (VTM)
  • Identity and access management (IAM)

Through these consultations, we’ll explore your (VTM or IAM) system, with prediction and “what-if” capabilities, get a shared multi-stakeholder understanding of the business and security trade-offs, and give you the analytics you need for justified decision-making.”



Launch of HP Information Security and Security Innovation.

HP Information Security has been recently launched. It includes security consulting, security technology, security outsourcing and security innovation.
Some more details about HP Information Security’s “Security Innovation”:
“Together with HP Labs, we lead the market for security innovation, helping you gain competitive advantage and improve service quality through the innovative application of technology.
HP Information Security solutions offer you innovations that are business ready—that we know will deliver significant financial and operational benefits to help move your business forward. Thanks to our unique pedigree in innovation, we’re able to identify future information security issues and create resolutions today. That way, our solutions can spend months being tested and improved before they are ever needed by you.
We're driving information security innovation every day through initiatives like our Chief Information Security Officer (CISO) Club, Information Security Leaders event and our security benchmark research projects.
In conjunction with HP Labs and our clients, we use our insight to deliver relevant research and development that can then be fully incubated across a variety of clients before it is deemed Business Ready Security Innovation. Examples include:



Digital Risk Report – Managing Digital Risks: Trends, Issues and Implications

Produced by Lloyd's and HP Labs, this report suggests that companies are facing a wide range of sophisticated attacks: http://www.lloyds.com/News-and-Insight/360-Risk-Insight/Digital-Risk
“With technology changing rapidly and increasingly sophisticated attackers adapting quickly to the new digital environment, the cyber threats facing business are becoming more complex and growing every day. Companies need to take action now to tackle this threat and make digital risk a board-level concern.”



Wednesday, November 17, 2010

HP G-Cloud Demonstrator (by HP Labs)

The G-Cloud Theatre is a room designed to demonstrate systems management in a mission-critical environment.
The 'G' in G-Cloud stands for "government" and the demonstration in the theatre shows how a cloud hosting many virtual services could automatically resist even a sophisticated security attack intended to destabilise core data and programs (or generally cause mayhem).
Video footage is available at: http://www.youtube.com/watch?v=zMsWaEqQcbI



Analysis of state-of-the-art of Event Management/SIEM Solutions

I am interested in public documentation providing reviews of the state-of-the-art in the Event Management/SIEM Solutions.

In particular I am looking at how the following critical aspects are supported:
  • Scalability: how these solutions scale for complex organisations, supply chains and future use of IT infrastructure/services in the cloud;
  • Comprehensiveness: the types of data that can actually be gathered and stored;
  • Support for unstructured event data: how unstructured data is managed and processed by these systems;
  • Types of data mining, correlations and deductions supported;
  • How cultural and human behaviours are factored into the event management system;
  • How compliance, governance and incident management processes are affected by introducing these solutions.

I am interested in exploring how HPL Security Analytics can help investigate different investment options and provide strategic decision support.

The above information would be extremely valuable to build grounded models and related simulations.


HPL Identity Analytics – Next Generation

After the success of the HPL Identity Analytics case studies and their transfer to Vistorm (in the broader context of Security Analytics), it is now time to think about new potential application areas in the IAM space and even beyond, including governance and assurance aspects.

Some customers’ input highlights the need to better understand the lifecycle management of privileged users. This is a critical aspect with major implications for the organisation’s risk exposure.

In this context, we are interested in exploring organisational processes that are complementary to the operational ones, including Personnel Vetting, Compliance Checking, Job Design and SoD Management.

Other application areas for our Analytics approach are in the cloud computing environment, e.g. exploring the impact of adopting different IAM models and approaches in the cloud (public and private) in terms of risks, productivity, compliance, costs, etc.

Does this community have any particular area or topic, in the IAM space, that is perceived as critical and worth exploring?



EnCoRe Project – 9th Quarter Summary

The EnCoRe Q9 Summary is available here.



Friday, October 29, 2010

On Situational Awareness in Enterprises

“Situational Awareness” is an area that I am interested in exploring, in particular in the context of enterprises. How can an organisation be reasonably reassured that its risk posture is appropriate and the relevant threats are mitigated?

Indeed both risk assessment and the deployment of suitable control points are key to deal with risks. However situations can change, new threats can materialise or the controls that are put in place could actually be ineffective.

To close the loop, organisations usually invest in monitoring and event management controls to get a “picture” of what is actually going on.

However, how accurate a representation of reality is this “picture”? Are the relevant pieces of “intelligence” taken into account? What is their impact on the overall risk assessment? Which key areas and elements should be covered? Which correlations are necessary to distil meaningful information? Which investments are required to achieve all this?

Security Incident and Event Management (SIEM) tools and solutions can indeed help, from a technical perspective. But strategic decisions still need to be made (by Risk Managers, CIOs, CTOs, CISOs, etc.). These decisions are usually made in an economic framework.

How to provide decision support in terms of which investments to make, which monitoring areas to cover, which inferences and data correlations to look for, which trade-offs to consider (e.g. costs vs productivity vs risk exposure)?

I am interested in exploring how the HP Labs Security Analytics approach (i.e. applying modelling and simulation to provide decision support) can help in this space, by introspecting current strategic decision making activities and the involved processes, as well as exploring suitable trade-offs and the impact of existing controls, such as SIEM tools.

In this context, I am looking for public case studies and information/documents illustrating current “assurance processes”, the criteria adopted to deploy SIEM tools, and the key decision-making steps adopted in this area.



Presentation at ICST CloudComp 2010: Information Stewardship in the Cloud

I recently attended CloudComp 2010 and presented the following paper:

“Information Stewardship in the Cloud: a model based approach
David Pym, Martin Sadler, Simon Shiu, Marco Casassa Mont”

Thanks for your interest and asking for a copy. My presentation is now available online. Here is the abstract of the paper:

“Managing the information stewardship lifecycle is a challenge. In the context of cloud computing, the stakeholders in cloud ecosystems must also take account of the demands of the information stewardship lifecycles of other participants in the ecosystem. We describe a modelling framework incorporating tools from mathematical systems modelling, economics, and policy/user modelling suitable for supporting reasoning and decision making in cloud ecosystems, and so provides a basis for developing model-based service level agreements.”


Friday, October 22, 2010

On Providing Assurance within Organisations …

I am interested in exploring how organisations effectively tackle the “assurance” angle, i.e. how they can assess the degree of compliance to their (security and business) policies and which evidence they need to assess how loosely they meet their governance objectives.

I believe this is a complex, multi-faceted problem as it involves:

  • Organisational policies
  • Potential threats and related risks
  • Processes and controls put in place to mitigate these risks
  • Areas that remain vulnerable regardless and need further monitoring and introspection
  • Technologies and solutions to log, monitor/audit and correlate various information collected within (and potentially across) the IT stack of the organisation
  • Relevant metrics to convey issues and problems to a variety of stakeholders, including IT managers, security and risk managers, business managers, etc.

Indicatively, the above steps are part of a loop that requires periodic reassessment and modification of policies and strategies, as the environment (people, technologies, objectives and threats) is in continuous evolution.

I am looking for case studies, documents and public material providing instances of how the overall process is actually carried out within organisations.

In particular, I am interested in better understanding the decision making process (carried out by strategic decision makers such as CIOs, CISOs) that is at the base of adopting monitoring controls, in particular “Security Incident Event Management (SIEM)” solutions.

Here are a few specific questions I am interested to explore:

  • Which areas are usually perceived as being at risk and requiring further monitoring?
  • How are trade-offs between investments and costs actually dealt with by the various stakeholders?
  • Which evidence is usually provided to stakeholders to reassure them that specific risks are mitigated by monitoring specific areas (e.g. with SIEM tools)?

Ideally, I’d like to investigate the economic framework, trade-offs and decision-making process that underpin investments in SIEM solutions, and how Security Analytics (decision support by means of modelling and simulation) can help in this space …



Attending and Presenting at CloudComp 2010

I am going to attend CloudComp 2010 and present the following paper:

“Information Stewardship in the Cloud: a model based approach
David Pym, Martin Sadler, Simon Shiu, Marco Casassa Mont”

Here is the abstract of the paper:

“Managing the information stewardship lifecycle is a challenge. In the context of cloud computing, the stakeholders in cloud ecosystems must also take account of the demands of the information stewardship lifecycles of other participants in the ecosystem. We describe a modelling framework incorporating tools from mathematical systems modelling, economics, and policy/user modelling suitable for supporting reasoning and decision making in cloud ecosystems, and so provides a basis for developing model-based service level agreements.”


EnCoRe General meeting

I am just back from the EnCoRe General meeting. It has been a very good meeting with interesting discussions and plans to move forward.

In particular HP Labs gave an update on the EnCoRe Architecture V2, an extension of the first version, aiming at providing new capabilities to improve the management of consent and revocation in dynamic multi-party domains (e.g. in the Cloud). Extensions include:
- Negotiation capabilities
- Internal and external workflows to deal with data disclosure and privacy management, driven by policies
- Obligation Management
- Sticky policies

More to come …


Core Gnosis System Available for Download

The Core Gnosis system is now available for download, here.

“Executable modelling languages are important tools in science and engineering. They provide methods for exploring systems that are too complex to be usefully described in simple, analytical terms.
It is very often difficult to validate such models of complex systems, and there are important questions about faithfulness of representation of the underlying system and of the degree to which such models can be predictive. A possible source of errors lies in the modelling language itself, because (contrary to the beliefs of many) languages are themselves complicated artifacts. It is very important to use a modelling language which is well-understood, both by its authors and by its users. This points towards the disciplined use of small, expressive, languages that have a formal semantics, that are implemented with a high-degree of integrity, and which employ constructs that naturally support the modelling idiom.
A landmark achievement was the construction of process modeling languages, particularly Simula (which extends Algol for modelling), which use the notion of concurrent processes to structure models. This was distilled into a small, expressive language called Demos by Birtwistle, which emphasizes the disciplined use of further structure, namely resource, by the processes.
In fields such as program logic, programming language semantics, and concurrency, the introduction of mathematical semantic methods has led to significant insights in expressiveness and improved reliability properties.
In the field of modelling and simulation, however, semantics has made relatively little impact. One significant and elegant exception to this situation is the work of Hillston and her colleagues, in which a process calculus is enriched with stochastic components, together with an account of its stochastic properties in terms of Markov chains. Hillston et al’s framework has been explored in detail, has tool support, and has been deployed in a wide range of examples. Our approach differs in that we separate system semantics and modelling language, interpreting the latter in the former.
While the notion of process has been explored in some detail by the semantics community, concepts like resource have almost always been treated as second class. There are many advantages to doing this, from the point-of-view of a theorist. We take the opposite view. That is, we try to see what can be gained by developing an approach in which the structures present in applied modeling languages are given a rigorous treatment as first-class citizens in a theory. This has allowed us to develop our own disciplined approach to applied modelling and an associated tool Core Gnosis”


Thursday, September 30, 2010

Identity and Access Management: The Next Big Thing …

One of the drivers and motivations of this blog is to debate and explore the evolution of Security and Identity and Access Management (IAM) – beyond the current solutions and approaches – and identify new trends and opportunities.

Let’s focus on the IAM area – at least in this blog post.

I must say that in the last 5 years there has been a strong consolidation of the IAM offerings and suites available on the market. They are pretty much equivalent as they offer similar functionalities in a well defined set of areas.

A promising area (perceived as the next big thing 3-5 years ago), Identity Federation Management, has not really (yet) taken off, as far as I know, outside enterprise environments and low-risk transactions on the web. New challenges posed by access control and identity management in the Cloud might indeed revive this area, but this has yet to be proven …

Is “classic” IAM rapidly commoditising? I really think so … Are there major margins of growth for traditional IAM solution providers? I am not convinced (but I’d like to hear about rigorous and substantiated market forecasts …).

So, what is the next big thing in this space? What is really going to change the IAM landscape and differentiate from what is currently out there?

This is a question open to all readers. Feel free to send your views and opinions.

Here are my initial thoughts.

First of all, it would be more correct to think about what “the next big thing” is going to be for specific verticals (e.g. consumers, enterprises, etc.) …

In the context of enterprises, I am currently reflecting on various inputs and experience that I am maturing by interacting with customers and consultants.

Organisations are increasingly questioning the large and expensive investments in the IAM space. The classic message that “you should buy this IAM suite and related service as it will help you reduce costs & risks and increase productivity (trust us)” is not going down so well anymore. From what I understand, customers increasingly want a clear assessment and evidence underpinning these statements.

This is more and more reflected by an approach to IAM driven by rigorous Risk Assessment – driven by business awareness, knowledge of suitable trade-offs and an understanding of the risk appetite of the organisation as well as the threat landscape. Decision makers in this space are moving up the management ladder, from the lower-level IT/CISO office to Risk Managers and/or CIOs.

Today risk assessment and investment decisions are achieved with ad-hoc approaches by using (effective but) general purpose Risk Assessment frameworks, such as ISO 2700x and equivalent. How to simplify this process? How to provide fine-grained risk assessment that takes into account the analysis of various options and scenarios as well as providing what-if analysis? How to evaluate the actual appropriateness and impact in investing on specific IAM controls? How to package all this as a service to be offered (among others) for making informed decisions in the IAM space?

I am more and more convinced that one of the next big things in IAM will be addressing this gap, i.e. providing a simplified, rigorous and scientific approach to evaluating risks in organisations and pinning down (among other security aspects) the suitable IAM investments and solutions, tailored to the specific organisational realities.

This is what we are exploring at HP Labs, in the broader space of security, with Security Analytics and, for IAM, in the specific context of HP Labs Identity Analytics.

I am very interested in your opinion and the (inevitable) different views of what the next big thing in IAM is going to be …



Monday, September 27, 2010

Enterprise Job Design: What are the current Risks for the Organisation?

An important question that a few customers have been asking us to explore is the following: “What are the risks associated with our current definition of job activities and roles?”. In other words, “Have we done a good job in our Job Design?”

In a previous blog post of mine, I discussed some of the ideas about how to approach this problem, in terms of exploring and providing an indication of the variability of the risk for an organisation and the impact of different “Job Design” choices.

I am now revamping this study and very keen to make further progress.

I would be interested in getting more insights (public information) about how different organisations (private and governmental ones) are currently tackling this problem and how they effectively assess their risks.

I would like to compare and contrast these approaches against the approach we used in our Identity and Security Analytics work.

Here is the abstract of the HPL Technical Report documenting some of our initial work:

"Strategic decision makers need to organize their workforce and define policies on how to allocate roles and rights to individuals allowing them to work effectively for the organization, whilst minimizing security risks. Many organizations have a separation of duty matrix specifying certain toxic combinations of access rights that they generally understand present an extreme risk. These matrices do not always contain some of the less understood or smaller risks. The flip side of the rights allocation problem is the need for an organization to keep systems running under various pressures including reducing headcounts. This tension often leads to a practice of providing skilled individuals with wide access rights to many systems. We describe this tension as the Job Design Problem. That is how to manage the trade-offs between allocating roles allowing for flexibility and the possible security impacts. It is not just a matter of technical "role engineering", access right allocation and Identity & Access Management (IAM) provisioning processes. Decision makers need tools that help them understand how to give guidance and set policies associated with role allocations and mechanisms to enable a debate between various stakeholders within the business, IT and Audit concerning the appropriate level of tradeoff and acceptable risk. In this paper, we aim at making progress in this field by presenting an approach and methodology to provide strategic decision support capabilities for the definition and assessment of policies in the context of Job Design. We focus on a problem provided by an IT department within a large organization, where employees (primarily IT admins and IT support staff) operate on sensitive and critical business systems and services. In this context, security risks are a major concern and need to be fully understood. 
Depending on the motivations and skills of the workforce, accidental or deliberate misuses of access rights and capabilities might take place and have huge economical and reputational consequences for the organizations. The decision makers (e.g. CIOs, CISOs) need to understand the implications and trade-offs of making job design decisions as well as investing in additional/complementary controls, such as monitoring/auditing systems, IAM solutions, education or vetting/clearance programs. We describe a decision support solution based on modeling and simulation, to provide this kind of policy-decision support. This is work in progress. We present our current results and next steps."
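The abstract frames Job Design as a tension between allocating broad roles (so few people can keep many systems running) and the toxic right combinations a separation-of-duty matrix is meant to forbid. The following toy model, added here as an illustration and not the report's own method or tooling, makes both sides of that trade-off measurable for three candidate designs: the roles, rights, SoD matrix, impact weights, coverage threshold and staff names are all constructed assumptions.

```python
"""Added illustration, not the report's method: a toy model of the Job Design
trade-off. Roles grant rights (operation on a system), a separation-of-duty
matrix lists toxic right combinations with an impact weight, and each candidate
design is scored on (a) weighted SoD violations held by single individuals and
(b) which critical systems fewer than MIN_COVER people can operate.
All roles, rights, systems, weights, names and designs are constructed."""

# Constructed role-to-rights mapping; a right is "<system>:<operation>"
ROLES = {
    "dba":       {"db:admin", "db:backup"},
    "sysadmin":  {"os:admin", "os:patch"},
    "payments":  {"pay:submit"},
    "approver":  {"pay:approve"},
    "auditor":   {"log:read"},
    "log_admin": {"log:purge"},
}

# Constructed SoD matrix: toxic pairs and a relative impact weight
SOD_MATRIX = {
    frozenset({"pay:submit", "pay:approve"}): 10,  # raise and approve the same payment
    frozenset({"os:admin", "log:purge"}): 8,       # act on a host and erase the trace
    frozenset({"db:admin", "log:purge"}): 8,       # act on the database and erase the trace
}

# Flexibility side: each critical system should be operable by at least MIN_COVER people
CRITICAL_SYSTEMS = {"db", "os", "pay", "log"}
MIN_COVER = 2


def rights_of(role_names):
    """Effective rights of one person holding several roles."""
    rights = set()
    for role in role_names:
        rights |= ROLES[role]
    return rights


def sod_violations(rights):
    """Toxic pairs fully contained in one person's effective rights."""
    return {pair: weight for pair, weight in SOD_MATRIX.items() if pair <= rights}


def coverage(design):
    """Number of people able to operate each critical system."""
    cover = {system: 0 for system in CRITICAL_SYSTEMS}
    for roles in design.values():
        systems = {right.split(":")[0] for right in rights_of(roles)}
        for system in systems & CRITICAL_SYSTEMS:
            cover[system] += 1
    return cover


def assess(design):
    """Score a design: weighted SoD exposure, who causes it, and under-covered systems."""
    exposure = 0
    offenders = {}
    for person, roles in design.items():
        violations = sod_violations(rights_of(roles))
        if violations:
            offenders[person] = sorted(tuple(sorted(pair)) for pair in violations)
            exposure += sum(violations.values())
    under = sorted(s for s, n in coverage(design).items() if n < MIN_COVER)
    return {"exposure": exposure, "offenders": offenders, "under_covered": under}


# Design A: lean team, broad rights (systems stay running, but toxic pairs are held)
DESIGN_A = {
    "alice": ["dba", "sysadmin", "log_admin"],
    "bob":   ["payments", "approver"],
    "carol": ["dba", "sysadmin", "auditor"],
}
# Design B: same headcount, rights split so no one holds a toxic pair
DESIGN_B = {
    "alice": ["dba", "sysadmin"],
    "bob":   ["payments", "auditor"],
    "carol": ["approver", "log_admin"],
}
# Design C: design B plus one more administrator (a headcount investment)
DESIGN_C = dict(DESIGN_B, dave=["dba", "sysadmin"])

if __name__ == "__main__":
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B), ("C", DESIGN_C)):
        result = assess(design)
        print("design %s: exposure=%d offenders=%s under_covered=%s"
              % (name, result["exposure"], sorted(result["offenders"]), result["under_covered"]))
```

Design A keeps every system covered except payments but carries an exposure of 26 through two people holding toxic pairs; design B removes every toxic pair yet leaves the database and host administration dependent on a single person; design C reaches zero exposure and full coverage only by adding headcount. That is exactly the trade-off the abstract asks decision makers to debate, and the weights and threshold are the knobs stakeholders would argue over in practice.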




Applied HPL Identity Analytics: Personnel Vetting Processes

In the context of our Security Analytics work (in particular of HP Labs Identity Analytics) I am looking for public documentation, links and information about how personnel vetting processes are currently carried out in the industry.

Some interesting examples (discussing at high level the steps to get different degrees of security clearance), of relevance to governmental environments, are the following:

The vetting process is indeed very important in reducing organisational risks and in making informed decisions on which credentials and access rights to give to personnel. It complements two other aspects that have been previously discussed in this blog:

  • Operational aspects: provisioning and deprovisioning processes
  • Governance aspects: monitoring, compliance checking and audit

The idea is to use our HP Labs Identity Analytics methodology and tools to model this process and explore the involved risks as well as tension points between business managers/stakeholders (requiring personnel as fast as possible to deal with their business needs) and risk/security assessors (requiring that full due diligence is carried out before granting any access to personnel) – by identifying suitable metrics.

We believe our analytic models can be used not only to explore potential policy compromises (what happens if we relax our vetting policies on certain aspects) and their impact on risk, but also to assess how realistic some of these policies are (i.e. how likely, given the current processes, that they are going to be violated).

Any input on documentation and references is really welcome.

In addition, we are keen to identify 1-2 serious potential candidates (medium/large organisations) that would be interested in trialling this Identity Analytics activity, in a joint case study with HP Labs.

Saturday, September 18, 2010

Identity Analytics as a Service: Packaging Solutions for Risk Assessment in IAM

As I mentioned in a previous blog post of mine, we successfully delivered an analytic assessment of the risk related to the IAM operational processes for a major HP customer. This provided good insights and key take-away points to the customer as well as useful feedback for our Security Analytics work, in particular in the context of HP Labs Identity Analytics.

On one hand we are now liaising with HP businesses in order to transfer this as a service, by packaging our IAM analytic solutions. Some exciting activities are happening with Vistorm and other HP businesses in this space.

On the other hand, I am interested in further expanding the Identity Analytics offering, beyond the risk assessment for provisioning and deprovisioning processes.

More specifically, I aim at creating “various analytic” templates for different critical IAM areas which will be part of the overall “Identity Analytics as a Service” offering and will be used to address specific customer needs.

Based on various inputs received from customers (and from our analysis), a few critical areas have already emerged as relevant for a full assessment of the associated risks. These include:

  • Vetting and accreditation processes, specifically for critical users
  • Compliance checking and governance processes
  • SoD assessment processes

Of course these three areas go beyond IAM, but they have a specific and important impact on this area.

I am in the process of gathering insights about these key processes, various involved steps and potential failure points. The aim is to model them, define metrics to convey the involved risks and provide decision support to customers by means of “what-if” analysis (simulations).

Your help would be appreciated if you could provide input and/or any public information/links/documents/requirements about:

  • The above three areas. Which types of process steps are currently in place? Any case study?
  • Additional areas, related to IAM, you believe you/your customers might be interested in assessing in order to determine their risk exposure


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

HP Labs Presentation at European Commission and RAND EUROPE event on “The Cloud: understanding the Security, Privacy and Trust Aspects”

As mentioned in a previous blog post, I recently attended an event, organised by RAND EUROPE, as a part of an EU project and study commissioned to RAND, time.lex and IDL Warwick:

“This study has undertaken a review of the literature and a number of real-life case studies to identify how challenges in respect of the privacy, security and trust issues were overcome in various implementations of cloud computing.”

It has been a very interesting meeting, with key discussions on the implications of privacy, trust and security for Cloud Computing and input from various stakeholders. A full report will be provided by RAND, time.lex and IDL Warwick.

In this context I gave a presentation on "Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors” from an Industrial and R&D perspective.

I believe the presentation went very well, with interesting questions and follow-up debates.

Thanks to all the people that provided me with their input, material and suggestions on topics to cover in this presentation.

Paper Accepted at 2nd ICST Conference on Cloud Computing – CloudComp 2010

An HP Labs paper has been accepted at the 2nd International ICST Conference on Cloud Computing (CloudComp 2010):

“Information StewardShip in The Cloud: A model-based approach”, by David Pym, Martin Sadler, Simon Shiu and Marco Casassa Mont.

This paper provides an overview of key R&D research happening at HP Labs Bristol, Systems Security Lab in collaboration with various UK partners, in the UK TSB project called “Cloud Stewardship Economics”.

In this work, aspects of Economics theory and HP Labs Security Analytics have been applied to provide decision support to strategic decision makers when exploring the opportunity to migrate their IT infrastructures and services to the cloud.

More information will be posted both on this TSB project and the presentation that will be given at the conference.

EnCoRe Presentation at W3C PLING Phone Conference

Pete Bramhall, Senior Research Manager at HP Labs and coordinator of the collaborative UK EnCoRe Project (Ensuring Consent and Revocation), has given an invited talk at the last W3C PLING (Policy Language Interest Group) phone conference.

His presentation is available online, here: it provides a good overview of the objectives, work and current status of the EnCoRe project, as well as a list of needs and requirements to be addressed in the space of privacy management.

This was the first of a series of invited talks we are planning to host in the context of the monthly W3C PLING phone meetings. More to come.

Monday, August 30, 2010

Security Analytics as a Service - Important IAM Case Study Successfully Delivered

Good news. We successfully delivered an important case study in Security Analytics, in the context of IAM (provisioning and deprovisioning processes) for a major customer (no details can be provided due to confidentiality agreements).

This consisted of a detailed risk assessment analysis of their current IAM access management processes – based on agreed metrics – and a related “what-if” analysis of the consequences of adopting degrees of IAM automation.

This provided good insights and key take-away points to the customer as well as useful feedback for our Security Analytics work, in particular in the context of HP Labs Identity Analytics.

We indeed want to run Security Analytics as a business Service. In this context, Vistorm is going to play a key role, as described here. Specifically, for Security Analytics applied to IAM, we can think of “Identity Analytics as a Service”.

I can see two main threads of coming activities:

  • Paid Security Analytics Services (carried out by Vistorm, in collaboration with HP Labs) – for standard security analytics assessments, in IAM areas that have already been templated and explored
  • Exploratory case studies (led by HP Labs, in collaboration with Vistorm) in IAM areas that require additional investigations, for example a few leading-edge ones, discussed here

Security Analytics as a Service – in particular in the context of IAM – is going to help strategic decision makers to clarify their priorities and support their decisions, in processes and investments that quite often are in the order of millions of dollars.


On the Consumerization of the Enterprise and the impact on IAM

Medium and large organisations are affected by an interesting trend: the consumerisation of their IT – as previously mentioned in a post of mine.

This involves: employees increasingly using their own appliances and devices (laptops, smartphones, etc.) to carry out their jobs; the adoption of services in the cloud, both by employees and enterprise organisations to carry out business tasks (quite often as an answer to bureaucracy and long provisioning time); outsourcing of key IT services and infrastructure.

This process is primarily driven by convenience, cost reduction and productivity.

On the other hand it is going to have interesting repercussions on the CIO and CISO offices, that will see their roles increasingly eroded as well as a reduced ability to mandate effective and enforceable security and privacy policies.

Security, assurance, data management, trust and privacy are indeed aspects that are overlooked when dealing with this trend: more studies and analysis need to be done to fully understand the implications.

This is particularly true in the context of IAM. In a consumerised enterprise, what are the identity and the access rights of the employees? How are they effectively allocated, managed and revoked – when “enterprise resources” (now partially in the cloud) are affected? Which identity assurance can be provided? How?

This is an important area of development for IAM, both from a research and products/solutions perspective.

I am currently exploring opportunities in this space, in particular by leveraging our HP Labs Identity Analytics and Trusted Infrastructure capabilities – as well as key consulting services.

I am interested in getting your views and opinions.

RAND Europe Meeting – The Cloud: understanding the Security, Privacy and Trust Aspects

I am going to attend and present at a RAND Europe meeting on the topic of “The Cloud: understanding the Security, Privacy and Trust Aspects”, as a part of an EU project commissioned to RAND, time.lex and IDL Warwick:

“This study has undertaken a review of the literature and a number of real-life case studies to identify how challenges in respect of the privacy, security and trust issues were overcome in various implementations of cloud computing.”

In particular I am going to give a related presentation, from an industrial and research angle, followed by a panel debate.

If you have any point or aspect you’d like me to cover, please let me know.

Currently my presentation is structured as follows:

- provide an overview of cloud computing, its main aspects and implications
- highlight current security, trust and privacy issues in cloud computing
- discuss trade-offs and different approaches to cloud computing depending on the type of business, e.g. SMEs, medium-large organisations, governments
- talk about some standardisation/public initiatives in the security space (Jericho, Cloud Security Alliance, etc.)
- provide an overview of current approaches and solutions to security, trust and privacy and their limitations
- talk about collaborative (industry driven) R&D activities in cloud computing where HP Labs are currently involved, including UK TSB projects (EnCoRe, Cloud Stewardship Economics, etc.)

Friday, August 20, 2010

Applying Security/Identity Analytics to Cloud Computing

In previous posts of mine, I provided additional information about what the HP Labs Identity Analytics is and how it relates to the Security Analytics initiative. I then provided an overview of various IAM areas where to apply Identity and Security Analytics.

Related to this, an interesting area where Identity/Security Analytics can be applied is Cloud Computing.

Organisations (and their decision makers) need to make decisions about adopting cloud-based resources and services in their businesses. They need to explore relevant trade-offs, i.e. lower costs (and perhaps better efficiency) vs. potentially losing control on IT and exposing themselves to additional threats and risks.

In this context, IAM solutions and emerging related frameworks can provide some of the required controls (e.g. via trusted federation, cloud-based compliance and assurance management, etc.).

On the other hand, the IAM frameworks and solutions we know are too enterprise-biased/focused: IAM needs to go through a profound transformation to fully address the needs and requirements of managing identities, profiles and user access rights in cloud environments.

This is without taking into account that individuals – both as private people and employees – are themselves increasingly making decisions about adopting cloud computing solutions for personal and work related matters (consumerisation of the enterprise).

I discussed some of these concepts and dynamics in previous presentations, such as “The Future of Identity in the Cloud” and “The Future of the Information Society”.

Security/Identity Analytics can help to explore these trade-offs, related investment options and threats.

Furthermore, Security/Identity Analytics can be used to explore “what-if” scenarios, based on different assumptions and risk mitigation capabilities introduced by different IAM frameworks and other related controls (based on different models and assumptions).

I indeed believe that there is a need for a more rigorous, scientific analysis of this space as well as a better understanding of the impact of various IAM approaches in the Cloud and their actual added values.

Tuesday, July 27, 2010

Applying HP Labs Identity Analytics to the IAM area

In two recent posts of mine, I provided additional information about what the HP Labs Identity Analytics is and how it relates to the Security Analytics initiative.

In the past three years we have been doing a lot of work in applying this methodology and approach (along with our tools) to different IAM areas.

At this stage, I thought it would be of interest to share additional details about some of these areas of relevance where HP Labs Identity Analytics has been successfully used and how this has been achieved. This includes:

  • Access Management area: in a few case studies carried out with customers we explored their current access management processes, inclusive of their provisioning and deprovisioning processes. We investigated aspects of concern, such as their risk exposure and productivity – by agreeing specific metrics. We took into account trade-offs of relevance to the customers. We considered risk exposure due to: privileged hanging accounts generated by process failures, misbehaviours by employees and managers, steps that could be easily bypassed. We factored in the implications due to specific threat environments. We used modelling and simulations to deal with “what-if” analysis, for example by adding more IAM automation or changing some of the existing processes, etc.
  • Compliance Checking and Auditing area: we explored the effectiveness of an organisation's compliance checking teams, their capabilities in identifying and remediating violations and failures (e.g. SOX compliance), based on assumptions coming from the field, such as applications and services involved, population of users and their accounts, likelihood of failures in the process of managing access rights, etc. We used modelling and simulations to compare and contrast the outcomes of these compliance checking processes against auditing processes, to identify ways of further improvement.
  • Data Leakage: we used modelling and simulation to investigate how employees use, store, handle and disclose confidential data and the overall impact in terms of data leakage. We considered the organisational data flows, involving people, systems and organisational groups. We factored in the risk mitigation introduced by existing organisational controls (e.g. DRM, encryption, interception and filtering of emails). We explored how changes in processes, behaviours and control points affect the organisational data leakage. Specific areas of investigation have been around the adoption of (1) social networking by employees and (2) usage of collaborative/sharing tools and the impact on data leakage.
  • Job Design: we used modelling and simulations to explore the implications of specific job designs, i.e. the impact that the definition of roles and the association of access rights (for a population of workers) has on an organisation, under different assumptions and hypotheses. Specifically we investigated the impact in terms of risks and how changes can affect this risk – by taking into account operational constraints, people skills and potential threats.
  • Password Management: we used social studies, coupled with modelling and simulations, to explore the impact that people’s behaviours, system constraints and organisational policies have on passwords and their management. We investigated the risk exposure that organisations have, as a consequence of this, and how this risk could vary by changing some of the involved factors, such as password policies and IT control points.

Additional areas I am currently exploring (from an R&D perspective) include:

  • Cloud computing, impact and effectiveness of related IAM solutions in managing accounts and protecting resources - from the perspective of different stakeholders
  • Identity and Privacy assurance: which is the most suitable approach to adopt to increase the level of assurance on how identities, credentials and personal data are used, managed and disclosed – from the perspective of different stakeholders
  • Role of Federated Identity Management, within and across organisations. Impact on productivity, costs and risk exposure
  • Role of different Authentication mechanisms and their actual impact both in terms of mitigating risks and dealing with productivity & costs aspects
  • Economics of IAM

Again, various case studies, investigations and analysis have been carried out with a top-down approach, driven by customers’ needs, their questions/problems and an understanding of the involved business and IT processes, people behaviours and threat environment.

Additional public material on our HP Labs Identity Analytics work can be found here.


Wednesday, July 21, 2010

On Security Analytics: Putting the Science into Security Management

In a previous post of mine, I mentioned the Security Analytics initiative. I promised to provide more details. Here they are.

I attach a datasheet called “Security Analytics: Putting the Science into Security Management”, by Vistorm (an HP Company).

The IAM area (and the HP Labs Identity Analytics activity) is covered in Security Analytics. Hopefully the datasheet will provide more details.

Here is an extract from the introduction:

“As the pressure on business increases so does the complexity of the security challenges. As a result security teams are finding it increasingly harder to achieve, measure and communicate a measurable reduction in business risk.

So how should a security team determine the best possible strategy: How much should be spent; what should be prioritised; what trade-offs to accept between lowered risk and business disruption; how to champion and justify security decisions to the business?

Vistorm, an HP Company and HP Labs have a shared vision for next generation security management: one that helps our clients achieve a measurable reduction in business risk along with a lower long term investment in information security.

Security Analytics is at the heart of this vision and is about creating tools and methodologies to address rigorously the challenges that security teams face in driving more effective security strategies. …”

Here are more details about the currently available Packaged Security Analytics:

“By combining Vistorm’s expertise in security governance with HP Labs’ expertise in security research we are able to offer a packaged consulting engagement featuring repeatable, short term engagements to address security management challenges (people, process, policy and technology) in two key areas:

  • Vulnerability and threat management (VTM), and
  • Identity and access management (IAM).

The value of these engagements is:

  • a rigorous exploration of your (VTM or IAM) system, with prediction and ‘what-if’ capabilities
  • shared multi-stakeholder understanding of the business and security trade-offs
  • justified decision making
  • the introduction of science into your information security management system (ISMS), and the opportunity to expand.”


Monday, July 19, 2010

HP Labs Identity Analytics – What is this all about?

Thanks to the readers that sent me many comments and questions about my recent post about HP Labs Identity Analytics.

An interesting request I received was to provide more details about HP Labs Identity Analytics and compare and contrast it against other initiatives using a similar “label”.

Indeed, the “Identity Analytics” label is becoming more and more a buzzword, with different meanings depending on who uses it.

In the context of HP Labs (HPL), Identity Analytics is part of the wider Security Analytics R&D project and initiative aiming at providing strategic decision support in the (information) security space.

In a coming post I will describe, in more details, how HP Labs are currently transferring Security Analytics (inclusive of Identity Analytics), its approach, methodology and related tools to HP business groups and the kind of services to be provided to customers.

However, in this post, I am going to address the request mentioned above.

So what is “HPL Identity Analytics” all about? How is it different from other initiatives?

Let’s start by discussing what HPL Identity Analytics is about.

As mentioned in past blogs, HPL Identity Analytics aims at providing strategic decision support to security decision makers (e.g. CISOs) in the space of IAM.

HPL Identity Analytics has so far been used in case studies and customer engagements.

We start by understanding customers’ problems and their key questions. For example: what is the risk exposure of my company, related to the management of access control and access rights? How effective are my IAM provisioning and deprovisioning processes? What are the implications of increasing/decreasing my IAM investments, in terms of productivity, security risks, compliance and costs? Which degree of risk mitigation is actually introduced? Which IAM investment trade-offs should I consider?

By using modelling techniques we represent, with a rigorous and scientific approach, current organisational IAM processes (e.g. access management processes, provisioning/deprovisioning, authentication and authorization approaches, compliance management, auditing, etc.), their impact on underlying IT infrastructures, people behaviours and various implications due to internal and external threats. We capture the core cause-effect relationships that are at the root of process failures and of relevance to a variety of concerns, including risk exposure, productivity, costs, etc.

We jointly define the metrics and measures with the customers to ensure that we can convey the relevant findings and outcomes in a way that actually addresses their questions and problems.

We develop models in collaboration with the customers, by understanding their processes and operational contexts. We iterate models and use simulations to ensure they are representative of the reality.

Then, we use our modelling to carry out what-if analysis, i.e. to explore different scenarios, where, for example, we simulate the introduction of new IAM controls or process changes. We convey the outcomes to the customers by means of reports, to create awareness of the implications of their potential choices.
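To make the modelling, metrics and what-if steps above concrete (and the hanging-account risk discussed in the Access Management case study of the previous post), here is a small Monte Carlo simulation of a deprovisioning process, added here as an illustration rather than HP Labs' own tooling: each step can be delayed or bypassed, bypassed steps leave hanging accounts, and an automated variant of the process is compared against the manual one on the same metrics. All step names, durations and probabilities are constructed assumptions, not customer data.

```python
"""Toy what-if simulation of an IAM deprovisioning process.

Added illustration, not HP Labs tooling: every step, probability and
duration below is a constructed assumption, not data from a case study.
"""
import random
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    mean_days: float   # mean completion time, modelled as exponential
    p_skipped: float   # probability the step is bypassed or never done


@dataclass(frozen=True)
class Scenario:
    name: str
    steps: Tuple[Step, ...]
    p_privileged: float  # fraction of leavers holding privileged access


@dataclass(frozen=True)
class Metrics:
    mean_days_to_deprovision: float     # over accounts fully deprovisioned
    hanging_fraction: float             # leavers with at least one step missed
    privileged_hanging_fraction: float  # same, restricted to privileged leavers


# Constructed "as-is" manual process: HR notifies the line manager, who
# raises a ticket; the helpdesk disables the directory account; application
# owners revoke application-level accounts by hand.
MANUAL = Scenario("manual", (
    Step("hr_notifies_manager", mean_days=2.0, p_skipped=0.10),
    Step("manager_raises_ticket", mean_days=3.0, p_skipped=0.15),
    Step("helpdesk_disables_directory", mean_days=1.0, p_skipped=0.05),
    Step("app_owners_revoke_access", mean_days=5.0, p_skipped=0.20),
), p_privileged=0.15)

# Constructed "what-if" process: an HR feed drives an automated workflow and
# a connector disables the directory account; unconnected applications are
# still revoked by hand, so that step keeps its manual failure rate.
AUTOMATED = Scenario("automated", (
    Step("hr_feed_triggers_workflow", mean_days=0.5, p_skipped=0.01),
    Step("connector_disables_directory", mean_days=0.1, p_skipped=0.01),
    Step("app_owners_revoke_access", mean_days=5.0, p_skipped=0.20),
), p_privileged=0.15)


def expected_hanging_fraction(scenario: Scenario) -> float:
    """Analytic value: an account hangs if any step is skipped."""
    completed = 1.0
    for step in scenario.steps:
        completed *= 1.0 - step.p_skipped
    return 1.0 - completed


def simulate(scenario: Scenario, leavers: int, seed: int = 1) -> Metrics:
    """Monte Carlo run of `leavers` departures through the scenario's steps."""
    rng = random.Random(seed)
    total_days, completed, hanging = 0.0, 0, 0
    privileged, privileged_hanging = 0, 0
    for _ in range(leavers):
        is_privileged = rng.random() < scenario.p_privileged
        privileged += is_privileged
        elapsed, missed = 0.0, False
        for step in scenario.steps:
            if rng.random() < step.p_skipped:
                missed = True          # step bypassed: access never removed
            else:
                elapsed += rng.expovariate(1.0 / step.mean_days)
        if missed:
            hanging += 1
            privileged_hanging += is_privileged
        else:
            completed += 1
            total_days += elapsed
    return Metrics(
        mean_days_to_deprovision=total_days / completed if completed else float("inf"),
        hanging_fraction=hanging / leavers,
        privileged_hanging_fraction=privileged_hanging / privileged if privileged else 0.0,
    )


def what_if(leavers: int = 10_000, seed: int = 1) -> Dict[str, Metrics]:
    """Compare the as-is process against the automated variant on the same metrics."""
    return {s.name: simulate(s, leavers, seed) for s in (MANUAL, AUTOMATED)}


if __name__ == "__main__":
    for name, m in what_if().items():
        print(f"{name:>9}: mean days to deprovision {m.mean_days_to_deprovision:5.1f}, "
              f"hanging {m.hanging_fraction:.1%}, privileged hanging "
              f"{m.privileged_hanging_fraction:.1%}")
```

Comparing the simulated hanging fraction with `expected_hanging_fraction` is the kind of sanity check used to confirm a model is representative before what-if results are reported.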

For more information, please read some of the technical reports and documentation available here.

So how is HP Labs Identity Analytics different?

Our approach is top down.

Most of the other approaches are bottom-up. They aim at collecting and processing large amounts of data from the IT infrastructure and IAM solutions. They use business intelligence to aggregate data and present it.

These approaches are definitely valuable and work fine if you have full control of the IT infrastructure, if all your systems are instrumented and if the deployed solution is pervasive. However, my personal experience (based on some evidence gathered from customers …) is that most organisational realities are far from this ideal situation. Different organisational groups within enterprises can have different IAM processes in place, ranging from ad-hoc to automated ones. Different IAM solutions might have been deployed. There is scarcity of information. Processes can be broken, bypassed or adapted to needs. Furthermore, in many cases only coarse grained assumptions are made about the potential (internal and external) threats, their actual impacts and how the current controls effectively address them, on an ongoing basis.

In these cases, I believe that it might be difficult to make sense of what actually happens in the organisation just with a bottom-up approach. As an analogy, it would be like trying to understand what a complex, distributed solution does at the business level, by trying to analyse snippets of assembler code …

With the top-down Identity Analytics approach, developed at HP Labs, we focus on the root causes; we capture the essence of the involved processes, people behaviours and threats. We model the cause-effect relationships that are of relevance to answer the problems highlighted by the decision makers.

We indeed need data coming from the field (empirical data), however this data consists of very specific information, relevant to describe the processes and modelled entities. In absence of data, various hypotheses are explored, with “what-if” analysis.

In summary, we are talking about two different approaches to Identity Analytics, the HP Labs’ one being the only one (I am aware of) that comes from a top-down perspective.

I personally believe that the best of the two approaches (top-down and bottom up) should be combined and dynamically tuned together, to fully address customers’ needs, based on their specific contexts and organisational situations.

Thursday, July 15, 2010

URGENT: Looking for Public data, Statistics and Surveys about Insider Threats related to Misuses of User Accounts within Enterprises

I am urgently looking for public data, statistics and any information that provide a quantitative analysis of threats related to insider attack and misuses of employees’ user accounts (within organisations).

For example, I found a survey by Cyber-Ark – the annual “Trust, Security and Password” survey – where 400 IT professionals (working for UK and US enterprises) were interviewed. This survey revealed that 33% of interviewed people had access to resources and data that was not relevant to their role. When asked if they would consider taking a form of sensitive data from their present employer if they ever left, over 85% said they would.

Other statistics of some interest: here, here and here.

I have been looking for this kind of information on the web but so far I found only a few solid analyses of the problem and surveys. Just a lot of words and common sense statements …

I need this kind of information to add references to a set of reports aiming at exploring and analysing the impact of IAM automation on enterprise access management processes.

Any help, consisting of links and references to publicly available information, would really be appreciated.

Tuesday, July 13, 2010

If “Identity Management is a Pain in the Backside” is Identity Analytics the Cure?

I fully agree with the content of this article, called “Identity management is a pain in the backside”.

The IAM area is complex. It requires huge investments (often millions of $) and usually it ends up with expensive deployed IAM solutions that only partially address the needs and mitigate the risk exposure of organisations.

In particular the provisioning and deprovisioning processes are critical as they expose organisations to many security risks. I have been hearing this message from many customers.

Part of the problem is that it is difficult, even for expert decision makers, to understand what the implications (and the impact) are of making decisions and investments in IAM. Various aspects should be taken into account, including the relevant IAM and business processes, people behaviours, the threat environment, current IT infrastructure and systems, etc.

This is why at HP Labs we are exploring approaches to address this type of issue, broadly in the context of security and, more specifically, in the context of IAM.

Our HP Labs Security and Identity Analytics methodology (and modelling & simulation tools) has already been validated in a few core case studies with customers from the financial and government environment.

I would like to recall that this Security and Identity Analytics approach is a top-down approach, based on a rigorous scientific methodology, to provide decision support to strategic decision makers: modelling and simulation techniques are applied to represent the involved processes, IT systems, people behaviours and threats. What-if analysis is carried out to explore options. This is different from more traditional bottom-up analytic approaches, aiming at providing support by analysing and correlating wide sets of low-level data.

As discussed in this blog post of mine, I am interested in applying Identity Analytics in a few additional case studies with customers.

Thanks to the many organisations and people that have already stated their interest in engaging in a case study. I am planning to wait 1-2 additional weeks and then I’ll choose 1-2 companies to start engaging with.


Saturday, July 10, 2010

On Cloud Security Analytics

In previous posts of mine I discussed the work we are doing at HP Labs in the space of Security and Identity Analytics.

Cloud Computing is an area where Security (and Identity) Analytics can help to explore hot questions and tension points. Specifically, it can be used to analyse the implications of moving IT processes and applications/services in the cloud, the impact on Identity and Access Management processes and the involved risks.

In this context, Security Analytics can help to explore trade-offs (e.g. security risks vs. cost cutting) and analyse various decision options, by taking into account the relevant security and business risks … Economics are going to play a key role here, too, to better understand decision makers’ strategic business priorities and security preferences and provide targeted decision support.

I would like to recall that our Security Analytics approach is a top-down approach, based on a rigorous scientific methodology, to provide decision support to strategic decision makers: modelling and simulation techniques are applied to represent the involved processes, IT systems, people behaviours and threats. What-if analysis is carried out to explore options. This is different from more traditional bottom-up analytic approaches, aiming at providing support by analysing and correlating wide sets of low-level data.

So here is a new buzzword: “Cloud Security Analytics” ...

More to come …

From “Static” Personal Web Pages to a Personal and Dynamic Information Hub?

I eventually managed to update my personal web page.

Now I can see how traditional, static personal web pages are rapidly getting out of fashion, compared to the up-to-date information you can share with your personal social networking sites, blogs, etc. On the other hand, these pages still enable the owner to have degrees of control on the structure and the organisation of the information – something that is hard to achieve with other social networking sites …

So, I am running an experiment, i.e. exploring a hybrid approach to personal web pages, where in addition to almost “static pages” there are feeds from various “more dynamic” personal sites, such as blogs and twitter.

In other words a personal web page becomes the hub of various personal feeds along with some clever manipulation and mapping of the information … Of course by keeping into account basic privacy aspects …

From a technological perspective nothing new, but I guess the challenge is how to organise and mash-up these personal feeds to provide some sense and a controlled structure to the information …

For the time being, I just wanted to add a “blog feed widget” to my personal web page, but so far I haven’t found anything satisfactory. Any link or suggestion is welcome … Of course, I had no such problem finding and adding a Twitter feed from my Twitter account.

--- Posted by Marco Casassa Mont (here and here) ---

Papers accepted at TrustBus 2010 and SECRYPT 2010 Conferences

Two papers that I co-authored with colleagues have been accepted at two International Conferences:

TrustBus 2010:
Authors: Gina Kounga, Marco Casassa Mont, Pete Bramhall
Title: Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

SECRYPT 2010:
Authors: Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont and Siani Pearson
Title: ENCORE: TOWARDS A HOLISTIC APPROACH TO PRIVACY

Both papers discuss recent R&D work and activities carried out in the context of the EnCoRe project (Ensuring Consent and Revocation).

--- Posted by Marco Casassa Mont (here and here) ---

Sunday, July 4, 2010

Looking for a customer engagement (case study) in Security Analytics – IAM, Access Management & Provisioning/Deprovisioning Processes

I am in the process of successfully finalising a case study with a major HP customer, in the government area, in collaboration with Vistorm (an HP company).
The customer was interested in better understanding their current risk exposure due to their access management processes and the impact of adopting IAM automation.
An IAM case study has been jointly run to:
1. Identify suitable metrics to convey their risk exposure (e.g. in terms of overall time to provision/deprovision user accounts, impact of hanging accounts, shared accounts, super user accounts, etc.)
2. Model their current access management processes (specifically their provisioning and deprovisioning processes) and run simulations
3. Convey to the customer an estimate of their current risk exposure, based on shared assumptions
4. Model and simulate the impact on the risk exposure in case IAM automation were adopted
In this case study I used our HPL Security and Identity Analytics methodology, jointly with our modelling and simulation tools.
It really helped us to refine our approach and obtain a template of IAM provisioning/deprovisioning processes, and it helped the customer gain a better understanding of their risk exposure and of the impact of various investment options.
I am now looking for another “customer” (possibly a medium-large organisation) interested in running a similar case study, to have a second validation point and get further input, possibly in a different business context. In return, you will receive an assessment of your IAM processes and a “what-if” analysis.
Please do not hesitate to contact me for any question and/or to get more details about engaging in a Security Analytics case study with HP Labs.
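The four steps above, as an added example that is not the HP Labs modelling tool or the case study's own model: a small Python Monte Carlo simulation of a provisioning/deprovisioning process that computes the kind of metrics listed in step 1 (time to provision, time to deprovision, hanging accounts) for an as-is manual process and for an IAM-automation what-if. All step names, durations, drop probabilities and review intervals are constructed assumptions, not figures from the customer engagement.

```python
"""What-if simulation of IAM provisioning/deprovisioning processes.

Added example, not HP Labs' modelling tool or methodology: a Monte Carlo
simulation of the kind of process model the case study describes. All step
names, durations, drop probabilities and review intervals are assumptions.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Step:
    """One activity in an access management process (assumed values)."""
    name: str
    min_hours: float               # fastest completion observed for the step
    max_hours: float               # slowest completion observed for the step
    drop_probability: float = 0.0  # chance the step never happens (e.g. ticket lost)


@dataclass(frozen=True)
class Scenario:
    name: str
    provisioning: tuple            # Steps from access request to account live
    deprovisioning: tuple          # Steps from leaver notice to account disabled
    review_interval_hours: float   # periodic access review that catches dropped cases


@dataclass(frozen=True)
class Result:
    scenario: str
    mean_provision_hours: float    # average time a joiner waits for access
    mean_deprovision_hours: float  # average time a leaver's account stays active
    hanging_accounts: int          # leavers whose process was dropped before disablement
    exposure_hours: float          # total hours of live access held by leavers


def _run_process(steps, rng):
    """Walk the steps in order; return (elapsed_hours, completed).

    Elapsed time stops accumulating at the first dropped step: nothing
    further happens until an access review notices the account.
    """
    elapsed = 0.0
    for step in steps:
        if rng.random() < step.drop_probability:
            return elapsed, False
        elapsed += rng.uniform(step.min_hours, step.max_hours)
    return elapsed, True


def simulate(scenario, joiners, leavers, seed=0):
    """Simulate one population of joiners and leavers through a scenario."""
    rng = random.Random(seed)  # seeded so that runs are reproducible
    # Provisioning steps are assumed never to be dropped: a joiner without
    # access complains, so only the elapsed time matters here.
    provision_times = [_run_process(scenario.provisioning, rng)[0] for _ in range(joiners)]
    deprovision_times = []
    hanging = 0
    for _ in range(leavers):
        elapsed, completed = _run_process(scenario.deprovisioning, rng)
        if not completed:
            hanging += 1
            # Hanging account: it stays active until the next periodic access
            # review; the leaving date falls uniformly within the review cycle.
            elapsed += rng.uniform(0.0, scenario.review_interval_hours)
        deprovision_times.append(elapsed)
    return Result(scenario.name,
                  mean(provision_times) if provision_times else 0.0,
                  mean(deprovision_times) if deprovision_times else 0.0,
                  hanging, sum(deprovision_times))


# Constructed "as-is" manual process and an "IAM automation" what-if.
MANUAL = Scenario(
    name="manual (current)",
    provisioning=(Step("line manager raises request", 2, 24),
                  Step("data owner approves", 8, 72),
                  Step("helpdesk creates account", 4, 48)),
    deprovisioning=(Step("HR notifies IT of leaver", 24, 240, drop_probability=0.10),
                    Step("helpdesk disables account", 4, 48, drop_probability=0.05)),
    review_interval_hours=90 * 24,
)

AUTOMATED = Scenario(
    name="IAM automation (what-if)",
    provisioning=(Step("self-service request", 0.1, 1),
                  Step("workflow approval", 1, 24),
                  Step("connector creates account", 0.1, 0.5)),
    deprovisioning=(Step("HR feed triggers workflow", 0.5, 24, drop_probability=0.01),
                    Step("connector disables account", 0.1, 0.5)),
    review_interval_hours=30 * 24,
)


def what_if(joiners=500, leavers=500, seed=42):
    """Run both scenarios on the same population and return their Results."""
    return {s.name: simulate(s, joiners, leavers, seed) for s in (MANUAL, AUTOMATED)}


if __name__ == "__main__":
    for r in what_if().values():
        print(f"{r.scenario:26s} provision {r.mean_provision_hours:6.1f} h  "
              f"deprovision {r.mean_deprovision_hours:7.1f} h  "
              f"hanging {r.hanging_accounts:3d}  "
              f"exposure {r.exposure_hours / 24:8.1f} account-days")
```

The risk exposure metric here is the total account-days during which leavers still hold live access; the hanging-account count shows how many of those cases the process itself never closes and only a periodic review catches. Swapping the constructed step values for ones measured in an organisation turns this into a what-if comparison of the two investment options.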

--- Posted by Marco Casassa Mont (here and here) ---

Part II: Looking for Case studies and information about (Security) Compliance Management Processes with Organisations

In a previous post of mine, I wrote that: “In the context of the HP Labs Security and Identity Analytics projects, I am interested in exploring how to use modelling and simulations to support decision makers in making strategic decisions on compliance management, within their organisations. …”

Thanks to all the people who provided their input and feedback.

I would like to clarify also a few points:

1. I am indeed looking for different case studies involving compliance management, e.g. for SOX, PCI, etc.

2. My specific interest is on the actual organisational processes and steps that have been put in place to deal with the compliance requirements.

The goal is to use our modelling and simulation approach to represent these processes and make further deductions, based on what-if analysis.

Of course, public case studies and/or non-confidential information is welcome in the context mentioned above.


--- Posted by Marco Casassa Mont (here and here) ---

Next W3C PLING Phone Conference – 13 July 2010 – Invited Talk by Pete Bramhall, EnCoRe Director

The next W3C PLING Teleconference is on July 13th: http://www.w3.org/Policy/pling/wiki/2010-07-13

Exciting news. This time we have an Invited Talk.

Pete Bramhall (Senior Project Manager at HP Labs and EnCoRe Director) will present: "On the UK Collaborative EnCoRe Project: Ensuring Consent and Revocation".

Here is an abstract of the talk:
“EnCoRe – Ensuring Consent and Revocation – is a research project, being undertaken by UK industry and academia, to give individuals more control over their personal information. This Invited Talk provides an overview of the project, its goals and requirements and its current achievements in the space of privacy management, policies and privacy-aware access control. Additional information: http://www.encore-project.info/

I encourage this audience to attend and interact with Pete in a Q&A session after the presentation.

Here are some articles related to a recent press and media event about the EnCoRe project:
http://www.economist.com/blogs/babbage/2010/06/personal_data
http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool
http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_-_prototype_system_unveiled_by_EnCoRe_/

--- Posted by Marco Casassa Mont (here and here) ---

Wednesday, June 30, 2010

Keynote Speech at IEEE i-Society 2010 – Presentation Available Online

Today, I eventually gave my Keynote speech at IEEE i-Society 2010.

The title was: “On the Future of Information Society: Emerging Trends, Security Threats and Opportunities”.

After discussing a few emerging trends, I presented work done at HP Labs which focused on exploring the Cybercrime ecosystem. This has been followed by an overview of HPL leading-edge R&D activities in the space of Trusted Infrastructure, Security Analytics and Privacy Management.

The speech went very well. Good audience, interesting questions and a few leads for future collaborations.

I have been asked by many people to share my presentation. It is now available online, here.



--- Posted by Marco Casassa Mont (here and here) ---

Looking for Case studies and information about (Security) Compliance Management Processes with Organisations

In the context of the HP Labs Security and Identity Analytics projects, I am interested in exploring how to use modelling and simulations to support decision makers in making strategic decisions on compliance management, within their organisations.

What are the best investments that could be made in a specific organisational context, based on the compliance needs and issues to be addressed? What are the suitable trade-offs? How to best complement this analysis with traditional risk management approaches?

In order to make progress, I am looking for case studies and/or information about processes and steps carried out within organisations to deal with compliance management and related aspects.

Any input is really welcome.

--- Posted by Marco Casassa Mont (here and here) ---

EnCoRe Project: Press Event and Follow-up Panel of Expert

Yesterday (29 June 2010) there was a Press Event at the London School of Economics related to the collaborative EnCoRe project (Ensuring Consent and Revocation): our approach, current results (technology and prototype) and philosophy were illustrated and debated.

This event was then followed by a panel of experts who provided their view on privacy and the management of consent and revocation.

I must say that the news coverage is very good! Some news highlights are already available here, here and here.


--- Posted by Marco Casassa Mont (here and here) ---

Sunday, June 20, 2010

Is Federated Identity Management Dead (at least for Consumers)?

I am really wondering if, beyond the hype, federated identity management is actually happening – from the end-user/consumer side?

No doubt that federation and SSO solutions are more and more adopted by organisations – primarily driven by the need to cut costs.

But what about the adoption of federated identity management by web service providers, for services accessed by end-users/consumers?

I just read this article, written in 2008, called “Facing the pain of passwords”. Has anything improved? I do not think so …

My personal experience is that more and more accounts (and passwords) need to be created to access ***valuable services*** on the web (from web browsers and/or mobile applications).

Interestingly, this is in contrast with the concept of “Personal Cloud” – as, for example, described in this article.

Is there any up-to-date statistic describing the adoption rate of federation for this kind of service? What is the actual impact of federation in easing the pain?


--- Posted by Marco Casassa Mont (here and here) ---

Consumerisation of the (IT) Enterprise and the Future Role of CIOs/CISOs

I have been reading a few interesting articles about the consumerisation of the (IT) enterprise (including here and here). Basically this trend is driven by employees using more and more their personal devices, possibly along with services in the cloud, to carry out their work activities.

This is indeed already happening in a few countries and for SMEs, where cost cutting, little bureaucracy and effectiveness are key driving aspects. However, it looks like this trend is also becoming important for medium-large organisations.

Inevitably this has some cons: lack of control, potentially confidential data and information disseminated all over the place, data losses, lack of enforcement of basic security policies on devices, increased reliance on third parties and their (security and privacy) practices, etc.

Last but not least, this has profound implications for the roles of CIOs and CISOs: they will increasingly lose control on the enterprise’s IT infrastructure (or whatever will remain of it …) and the way they mandate policies.

I wonder if any study is available providing an analysis of the longer-term transformation of the enterprise and the role of CIOs/CISOs. I am looking, but so far I have not found anything very relevant …



--- Posted by Marco Casassa Mont (here and here) ---

ACM Digital Identity Management (DIM) 2010 – Submission Deadline: June, 28th

Please consider submitting to the Sixth ACM Workshop on Digital Identity Management, October 8, 2010, Chicago, IL, USA, co-located with ACM CCS 2010.

http://www2.pflab.ecl.ntt.co.jp/dim2010
http://www.sigsac.org/ccs/CCS2010/

Important dates
* Paper submissions due : June 28, 2010
* Notification to the authors : August 6, 2010
* Camera ready papers due : August 16, 2010 (Firm deadline)
* DIM Workshop : October 8, 2010 (CCS Conference : October 4 – 10, 2010)

The Digital Identity Management Workshop brings together academia and industry to explore all aspects of identity management.
Identity management is an endeavor to make identities available to humans, services, and systems in a secure and privacy-protecting manner. Currently we are facing grand challenges, such as financial and ecological crises, which require global collaboration.
Best exemplified in the cloud computing and smart grid movement, ICT-enabled infrastructures are playing a crucial role in facilitating global collaboration for economic and ecological advancement.
Such infrastructures must incorporate identity management capabilities that allow individuals and organizations to identify and trust each other over networks in a scalable and reliable manner, while striking the best balance between usability, security, and privacy.
The goal of this workshop is to share new findings and ideas, discover key issues, and seek opportunities for active collaboration between industry and academia.
The workshop seeks submissions from diverse communities, such as open source projects, standardization fora, government organizations, security and privacy experts, software engineers, and corporate & academic researchers. Topics of interest include, but are not limited to:

* Identity management for cloud computing
* Identity management for critical infrastructure (e.g., smart grid)
* Identity assurance
* Identity governance
* Attribute aggregation
* Identity in service-oriented architecture (SOA)
* Anonymity and pseudonymity
* Accountability in identity management
* Identity management APIs
* Identity management in ubiquitous and mobile computing
* Reputation and incentive systems, and reputation management
* Privacy-enhanced identity management
* Identity solutions for specific areas (e.g., healthcare, government, education, and telecommunications)
* Identity-based access control
* Identity discovery
* Identity theft prevention
* User-centric identity management
* User experience models and integrity
* Standardization of IDM and policies thereof, standards harmonization
* Case studies and lessons from large scale deployment
* Vulnerabilities, threat analysis and risk assessment of IDM solutions (e.g., threat of malware affecting identity theft)
* Analysis of differences between requirements for consumer and enterprise IDM

________________________
Submission Instructions

Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings.
Papers should be at most 10 pages, using at least 10.5-point font and reasonable margins on A4 or US letter-size paper (8.5 inch x 11 inch).
Committee members are not required to read the appendices, and so submissions should be intelligible without them. Each submission should start with the title, abstract, and names and contact information of authors. The introduction should give background and summarize the contributions of the paper at a level appropriate for a non-specialist reader. Authors of accepted papers must guarantee that their paper will be presented at the workshop.

_______________________
=== Organizing Committee ===

Co-chairs
* Thomas Groß, IBM Research, Switzerland
* Kenji Takahashi, NTT, Japan

________________________
=== Program Committee ===

* Gail-Joon Ahn, Arizona State University, USA
* Abhilasha Bhargav-Spantzel, Intel, USA
* Hu Bin, Huawei Technologies, USA
* Federica Paci, University of Trento, Italy
* Jan Camenisch, IBM Research, Switzerland
* Marco Casassa Mont, HP Labs, UK
* David Chadwick, University of Kent, UK
* Chihung Chi, Tsinghua University, China
* Hidehito Gomi, Yahoo! Japan Research, Japan
* Weili Han, Fudan University, China
* Seung-Hyun Kim, ETRI, Korea
* Brian LaMacchia, Microsoft, USA
* Hyung-Jin Lim, Financial Security Agency, Korea
* Howard Lipson, CERT, USA
* Paul Madsen, NTT, Canada
* Eve Maler, PayPal, USA
* Piotr Pacyna, AGH Univ. of Science and Technology, Poland
* Andreas Pfitzmann, Dresden Univ. of Technology, Germany
* Rakesh Radhakrishnan, Sun Microsystems, USA
* Amardeo Sarma, NEC Laboratories Europe, Germany
* Jörg Schwenk, Ruhr-University Bochum, Germany
* Diana Smetters, PARC, USA
* Anna C. Squicciarini, Pennsylvania State Univ., USA
* Tsuyoshi Takagi, Future University - Hakodate, Japan
* Peter Weik, Fraunhofer FOKUS, Germany

--- Posted by Marco Casassa Mont (here and here) ---