Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, August 30, 2010

Security Analytics as a Service - Important IAM Case Study Successfully Delivered

Good news. We successfully delivered an important case study in Security Analytics, in the context of IAM (provisioning and deprovisioning processes) for a major customer (no details can be provided due to confidentiality agreements).

This consisted of a detailed risk assessment analysis of their current IAM access management processes – based on agreed metrics – and a related “what-if” analysis of the consequences of adopting degrees of IAM automation.

This provided good insights and key takeaways to the customer, as well as useful feedback for our Security Analytics work, in particular in the context of HP Labs Identity Analytics.

We indeed want to run Security Analytics as a business Service. In this context, Vistorm is going to play a key role, as described here. Specifically, for Security Analytics applied to IAM, we can think of “Identity Analytics as a Service”.

I can see two main threads of coming activities:

  • Paid Security Analytics Services (carried out by Vistorm, in collaboration with HP Labs) – for standard security analytics assessments, in IAM areas that have already been templated and explored
  • Exploratory case studies (led by HP Labs, in collaboration with Vistorm) in IAM areas that require additional investigation, for example a few leading-edge ones, discussed here

Security Analytics as a Service – in particular in the context of IAM – is going to help strategic decision makers clarify their priorities and support their decisions, in processes and investments that quite often are in the order of millions of dollars.
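A toy version of the kind of what-if analysis described above, added here purely as an illustration (it is not the case study's model, nor HP Labs Identity Analytics code): the deprovisioning process is reduced to two agreed metrics, a mean delay from leaver event to access removal and a probability that a leaver is never deprovisioned (an orphan account), and a manual process is compared with an automated one across degrees of automation. Every parameter value below is a constructed assumption, not customer data.

```python
"""Constructed what-if model for IAM deprovisioning risk (illustration only).

Compares a manual leaver process with an automated one and interpolates
between them for different degrees of automation. All numbers are made-up
assumptions, not figures from any real case study.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DeprovisioningProcess:
    name: str
    mean_delay_days: float      # mean time from leaver event to access removal
    miss_prob: float            # probability the leaver is never deprovisioned
    orphan_horizon_days: float = 365.0  # assumed lifetime of an orphan account


def expected_exposure_days(proc: DeprovisioningProcess, leavers_per_year: int) -> float:
    """Expected account-days per year during which leavers still hold access."""
    handled = leavers_per_year * (1.0 - proc.miss_prob) * proc.mean_delay_days
    orphaned = leavers_per_year * proc.miss_prob * proc.orphan_horizon_days
    return handled + orphaned


def expected_misuse_events(proc: DeprovisioningProcess, leavers_per_year: int,
                           misuse_rate_per_account_day: float) -> float:
    """Expected misuse events per year under a constant per-account-day hazard."""
    return expected_exposure_days(proc, leavers_per_year) * misuse_rate_per_account_day


def what_if_automation(manual: DeprovisioningProcess, automated: DeprovisioningProcess,
                       leavers_per_year: int, degrees) -> dict:
    """Exposure for each degree of automation, i.e. the fraction of leavers routed
    through the automated path; the remaining leavers follow the manual process."""
    manual_exp = expected_exposure_days(manual, leavers_per_year)
    auto_exp = expected_exposure_days(automated, leavers_per_year)
    return {d: (1.0 - d) * manual_exp + d * auto_exp for d in degrees}


def simulate_exposure_days(proc: DeprovisioningProcess, leavers_per_year: int,
                           runs: int = 1000, seed: int = 1):
    """Monte Carlo variant: exponential removal delays plus orphan outcomes.
    Returns (mean, 95th percentile) of yearly exposure account-days, which the
    expected-value formula alone cannot give."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for _ in range(leavers_per_year):
            if rng.random() < proc.miss_prob:
                total += proc.orphan_horizon_days
            else:
                total += rng.expovariate(1.0 / proc.mean_delay_days)
        totals.append(total)
    totals.sort()
    mean = sum(totals) / runs
    p95 = totals[int(0.95 * (runs - 1))]
    return mean, p95


# Constructed scenario parameters (assumptions, not measured data)
MANUAL = DeprovisioningProcess("manual ticket-driven", mean_delay_days=14.0, miss_prob=0.05)
AUTOMATED = DeprovisioningProcess("HR-feed automated", mean_delay_days=1.0, miss_prob=0.005)
LEAVERS_PER_YEAR = 1000
MISUSE_RATE = 1e-4  # assumed misuse events per exposed account-day

if __name__ == "__main__":
    for proc in (MANUAL, AUTOMATED):
        print(f"{proc.name}: {expected_exposure_days(proc, LEAVERS_PER_YEAR):,.0f} account-days/yr, "
              f"{expected_misuse_events(proc, LEAVERS_PER_YEAR, MISUSE_RATE):.2f} expected misuse events/yr")
    degrees = (0.0, 0.25, 0.5, 0.75, 1.0)
    for degree, exposure in what_if_automation(MANUAL, AUTOMATED, LEAVERS_PER_YEAR, degrees).items():
        print(f"automation {degree:.0%}: {exposure:,.0f} account-days/yr")
    mean, p95 = simulate_exposure_days(MANUAL, LEAVERS_PER_YEAR, runs=300)
    print(f"manual process, Monte Carlo: mean {mean:,.0f}, p95 {p95:,.0f} account-days/yr")
```

The point of the model is not the numbers but the shape of the comparison: the orphan-account term dominates the manual process even though it applies to only a small fraction of leavers, so a what-if run on "degree of automation" shows where the residual risk sits, and the Monte Carlo tail (p95) shows how much worse a bad year can be than the expected value.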


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

On the Consumerization of the Enterprise and the impact on IAM

Medium and large organisations are affected by an interesting trend: the consumerisation of their IT – as previously mentioned in a post of mine.

This involves: employees increasingly using their own appliances and devices (laptops, smartphones, etc.) to carry out their jobs; the adoption of services in the cloud, both by employees and enterprise organisations to carry out business tasks (quite often as an answer to bureaucracy and long provisioning time); outsourcing of key IT services and infrastructure.

This process is primarily driven by convenience, cost reduction and productivity.

On the other hand, it is going to have interesting repercussions for the CIO and CISO offices, which will see their roles increasingly eroded, as well as a reduced ability to mandate effective and enforceable security and privacy policies.

Security, assurance, data management, trust and privacy are indeed aspects that are overlooked when dealing with this trend: more studies and analysis need to be done to fully understand the implications.

This is particularly true in the context of IAM. In a consumerised enterprise, what are the identity and the access rights of the employees? How are they effectively allocated, managed and revoked – when “enterprise resources” (now partially in the cloud) are affected? Which identity assurance can be provided? How?

This is an important area of development for IAM, both from a research and products/solutions perspective.

I am currently exploring opportunities in this space, in particular by leveraging our HP Labs Identity Analytics and Trusted Infrastructure capabilities – as well as key consulting services.

I am interested in getting your views and opinions.

--- Posted by Marco Casassa Mont (here and here) ---


RAND Europe Meeting – The Cloud: understanding the Security, Privacy and Trust Aspects

I am going to attend and present at a RAND Europe meeting on the topic of “The Cloud: understanding the Security, Privacy and Trust Aspects”, as part of an EU project commissioned to RAND, time.lex and IDL Warwick:

“This study has undertaken a review of the literature and a number of real-life case studies to identify how challenges in respect of the privacy, security and trust issues were overcome in various implementations of cloud computing.”

In particular I am going to give a related presentation, from an industrial and research angle, followed by a panel debate.

If you have any point or aspect you’d like me to cover, please let me know.

Currently my presentation is structured as follows:

- provide an overview of cloud computing, its main aspects and implications
- highlight current security, trust and privacy issues in cloud computing
- discuss trade-offs and different approaches to cloud computing depending on the type of business, e.g. SMEs, medium-large organisations, governments
- talk about some standardisation/public initiatives in the security space (Jericho, Cloud Security Alliance, etc.)
- provide an overview of current approaches and solutions to security, trust and privacy and their limitations
- talk about collaborative (industry driven) R&D activities in cloud computing where HP Labs are currently involved, including UK TSB projects (EnCoRe, Cloud Stewardship Economics, etc.)

--- Posted by Marco Casassa Mont (here and here) ---


Friday, August 20, 2010

Applying Security/Identity Analytics to Cloud Computing

In previous posts of mine, I provided additional information about what the HP Labs Identity Analytics is and how it relates to the Security Analytics initiative. I then provided an overview of various IAM areas where to apply Identity and Security Analytics.

Related to this, an interesting area where Identity/Security Analytics can be applied is Cloud Computing.

Organisations (and their decision makers) need to make decisions about adopting cloud-based resources and services in their businesses. They need to explore the relevant trade-offs, i.e. lower costs (and perhaps better efficiency) vs. potentially losing control of IT and exposing themselves to additional threats and risks.

In this context, IAM solutions and emerging related frameworks can provide some of the required controls (e.g. via trusted federation, cloud-based compliance and assurance management, etc.).

On the other hand, the IAM frameworks and solutions we know are too enterprise-biased/focused: IAM needs to go through a profound transformation to fully address the needs and requirements of managing identities, profiles and user access rights in cloud environments.

This is without taking into account that individuals – both as private people and as employees – are themselves increasingly making decisions about adopting cloud computing solutions for personal and work-related matters (consumerisation of the enterprise).

I discussed some of these concepts and dynamics in previous presentations, such as “The Future of Identity in the Cloud” and “The Future of the Information Society”.

Security/Identity Analytics can help to explore these trade-offs, related investment options and threats.

Furthermore, Security/Identity Analytics can be used to explore “what-if” scenarios, based on different assumptions and risk mitigation capabilities introduced by different IAM frameworks and other related controls (based on different models and assumptions).

I indeed believe that there is a need for a more rigorous, scientific analysis of this space, as well as a better understanding of the impact of various IAM approaches in the Cloud and their actual added value.

--- Posted by Marco Casassa Mont (here and here) ---
