The focus of this blog is on trends, new technologies/solutions and innovative aspects of Security and the Cloud, in a variety of contexts. What is the next big thing in this space?
Friday, December 2, 2011
Changing Blog Focus: Research on Security and Innovation in the Cloud
In the meantime, my R&D activities have evolved in line with HP Labs research directions and priorities. It is time to reflect these changes in this blog as well.
This blog will now pay more attention to research topics in the space of Security and Innovation in Cloud Computing.
In some ways this has been anticipated by various posts I submitted in the past months, discussing key aspects in the following areas:
· HP Security Analytics, applied to a variety of fields (beyond IAM), including Incident Management and Remediation, to provide strategic risk assessment and decision support;
· Innovation in the space of Situational Awareness, inclusive of new issues (and opportunities) due to the wider adoption of services in the Cloud and the consequent loss of control;
· Exploitation of new HP SW capabilities, such as HP ArcSight and TippingPoint in the above areas;
· Research and development in the space of consent and privacy management, including the work done by HP Labs in EnCoRe in providing a fully working Service Framework to support those capabilities;
· Innovation in the space of Cloud Computing: the management of cloud services and the related processes and information, inclusive of accountability management (e.g. via sticky policies), situational awareness, next-generation SOCs, etc.
· ...
Of course Identity and Access Management still plays a key role in all these areas: I am sure that some of my future blog posts will still discuss IAM aspects and related cool R&D work that we do at HP Labs.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---
On Dynamic Consent and Privacy Management: EnCoRe Third Architectural Document Available Online
This document now provides a fine grained description of a technical approach to deal with the management of dynamic consent and privacy within organisations and in distributed scenarios (e.g. the cloud and supply-chains).
Specifically, the document uses the EnCoRe third case study (focusing on the UK Cabinet Office/Identity Assurance Programme) to illustrate use cases and capabilities in a distributed environment, involving multiple Service Providers, Identity Providers, and Attribute Providers via Federated Identity Management.
HP Labs have implemented a fully working Service Framework - technology and demonstrator - supporting all the capabilities discussed in the architectural document. The demonstrator shows how dynamic consent and privacy management can be effectively deployed in a context such as the IDA Federated scenario.
We are keen to explore potential technological trials, jointly with our HP business groups. Please contact me for more information.
--- Posted by Marco Casassa Mont ---
Next Generation Situational Awareness and Information Sharing
These areas are getting more and more relevant within organisations, beyond the traditional military and government contexts.
Situational Awareness is usually related to the process of collecting and processing large amounts of information to understand risks, threats and issues and to enable decision support.
I believe there are great innovation opportunities in this space, including:
· Leveraging longer-term risk assessment, what-if analysis and decision support capabilities, such as the ones provided by Security Analytics
· Leveraging Cloud computing and related services for the provisioning and management of situational awareness capabilities
· Innovation in the management of the information flows involved in situational awareness scenarios, by using advanced policy- and context-based techniques
· Leveraging assets such as HP ArcSight, HP TippingPoint and Autonomy in this space
· Designing SOC 2.0, the next generation of Security Operations Centers for Incident Management and Remediation to adapt to new emerging scenarios and technologies
· Intelligent detection of threats and risks, and intelligent reaction (e.g. via dynamic playbooks)
More to come.
--- Posted by Marco Casassa Mont ---
On Incident Management, Security Analytics and the Cloud
These capabilities are now offered as a service by HP Security Business (HP ESS).
I am interested in exploring the implications of doing this in emerging scenarios involving organisations that increasingly rely on outsourcing, supply-chains and the Cloud. What are the implications in terms of Incident Management and Response? How to effectively enable Information Sharing? How to enable accountability among the involved parties?
There is an opportunity in designing and building the next generation of Security Analytics and Risk Management services that can scale and cope with these emerging scenarios. More to come.
In the meanwhile, I am looking for additional requirements and use cases in the above space. Please contact me if you are interested in engaging in this area.
--- Posted by Marco Casassa Mont ---
HP Labs Innovation Research Programme - 2012
I’ll provide updates, in particular for IRP topics of relevance to the Cloud & Security Lab (CSL).
--- Posted by Marco Casassa Mont ---
Monday, November 7, 2011
Survey on Situational Awareness and Information Sharing
Please let me know if you’d like to get involved. The deadline is by the end of November.
--- Posted by Marco Casassa Mont ---
Situational Awareness-as-a-Service
This demonstrator will show how it is possible to combine flexible cloud computing resources, secure, policy-driven analytics nodes and visualization to provide configurable information sharing and situational awareness, to a variety of stakeholders.
We are currently exploring a few scenarios, including document sharing and military/government ones. We are also looking for public data feeds of relevance for global information sharing.
Input and requirements are welcome from the industry, government and academia.
--- Posted by Marco Casassa Mont ---
Security Analytics for Incident Management and Remediation Processes
This solution has been fully transferred to HP Enterprise Security Solutions.
An overview of the Security Analytics Report that is created and customised for each customer is now available.
In case you’d like to get a copy, learn more and/or are interested in carrying out a Security Analytics assessment in your organisation, please let me know.
--- Posted by Marco Casassa Mont ---
TSB Project Directory: Ensuring Trust in Digital Services
The Technology Strategy Board (TSB) has just released this Project Directory illustrating more than 20 funded projects in the space of trust, security, privacy and digital services.
The EnCoRe project is listed along with its current status and plans.
This document has been released in the context of a joint event organised by TSB and the UK Cabinet Office/IDA Programme.
--- Posted by Marco Casassa Mont ---
HP Labs R&D Service Framework for Privacy and Consent Management
This demonstrator leverages the HP Labs R&D Service Framework (and a related prototype), i.e. a flexible and configurable service framework based on RESTful technologies. It is based on the EnCoRe Technical Architecture and can potentially be deployed in the context of an organisation, across organisations and in the cloud.
It has been shown to the attendees of a recent joint Technology Strategy Board (TSB) and UK Cabinet Office/Identity Assurance (IDA) Programme event.
The demonstrator specifically showed how EnCoRe can be deployed in the IDA framework to support citizens and people in defining their privacy preferences as well as organisations in explicitly enforcing them.
HP Labs, along with EnCoRe, is actively engaging in the IDA Programme as well as looking for exploitation opportunities.
--- Posted by Marco Casassa Mont ---
Sticky Policies: An Approach for Managing Privacy across Multiple Parties
“Machine-readable policies can stick to data to define allowed usage and obligations as it travels across multiple parties, enabling users to improve control over their personal information. The EnCoRe project has developed such a technical solution for privacy management that is suitable for use in a broad range of domains.”
--- Posted by Marco Casassa Mont ---
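The mechanism the quoted abstract describes, worked through as an added example (my illustration, not the EnCoRe project's code): the policy travels with the data, is cryptographically bound to it so it cannot be stripped or widened in transit, and a trust authority releases the decryption key only to a party whose role and purpose satisfy the policy, logging every decision for accountability. Everything named here (TrustAuthority, seal, open_envelope, the policy fields allowed_roles/allowed_purposes/not_after/obligations, the sample record and requesters) is an assumption for the example; the HMAC-SHA256 counter-mode cipher is used only so the script runs on the standard library, standing in for the AES-GCM or identity-based encryption a real deployment would use.

```python
"""Sticky-policy envelope: a machine-readable privacy policy bound to the data
it governs (illustrative, stdlib only; not the EnCoRe implementation).
The owner encrypts the record, MACs policy+nonce+ciphertext together, and
deposits the item key with a trust authority (TA) that enforces the policy
and keeps an audit trail. Cipher: HMAC-SHA256 keystream + encrypt-then-MAC
(stand-in for AES-GCM with the policy as associated data, or IBE)."""
import hashlib
import hmac
import json
import os


def _derive(item_key: bytes, label: bytes) -> bytes:
    return hmac.new(item_key, label, hashlib.sha256).digest()


def _crypt(item_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC counter-mode keystream; the same call encrypts and decrypts."""
    enc_key, stream = _derive(item_key, b"enc"), b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(item_key: bytes, policy: bytes, nonce: bytes, ct: bytes) -> bytes:
    h = hmac.new(_derive(item_key, b"mac"), digestmod=hashlib.sha256)
    for part in (policy, nonce, ct):            # length-prefixed: fields cannot shift
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def policy_violations(policy: dict, requester: dict, now: float) -> list:
    """Reasons a request fails the policy; an empty list means allowed."""
    checks = [(requester["role"] in policy["allowed_roles"], f"role {requester['role']} not allowed"),
              (requester["purpose"] in policy["allowed_purposes"], f"purpose {requester['purpose']} not allowed"),
              (now <= policy["not_after"], "consent expired")]
    return [reason for ok, reason in checks if not ok]


class TrustAuthority:
    def __init__(self):
        self._keys, self.audit = {}, []         # audit: the accountability trail

    def register(self, item_id: str, item_key: bytes):
        self._keys[item_id] = item_key

    def request_key(self, env: dict, requester: dict, now: float) -> dict:
        item_key = self._keys[env["id"]]
        policy = json.loads(env["policy"])
        if not hmac.compare_digest(_tag(item_key, env["policy"], env["nonce"], env["ct"]), env["tag"]):
            reasons = ["policy/ciphertext binding broken"]   # policy stripped or edited in transit
        else:
            reasons = policy_violations(policy, requester, now)
        self.audit.append({"item": env["id"], "requester": requester["id"],
                           "granted": not reasons, "reasons": reasons})
        if reasons:
            raise PermissionError("; ".join(reasons))
        return {"key": item_key, "obligations": policy["obligations"]}


def seal(item_id: str, plaintext: bytes, policy: dict, ta: TrustAuthority) -> dict:
    """Owner side: encrypt, bind the policy, deposit the key with the TA."""
    item_key, nonce = os.urandom(32), os.urandom(16)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    ct = _crypt(item_key, nonce, plaintext)
    ta.register(item_id, item_key)
    return {"id": item_id, "policy": policy_bytes, "nonce": nonce, "ct": ct,
            "tag": _tag(item_key, policy_bytes, nonce, ct)}


def open_envelope(env: dict, requester: dict, ta: TrustAuthority, now: float) -> tuple:
    """Recipient side: obtain the key from the TA (which checks binding and policy), decrypt."""
    grant = ta.request_key(env, requester, now)
    return _crypt(grant["key"], env["nonce"], env["ct"]), grant["obligations"]


# Constructed example: one record, one policy, two would-be recipients.
POLICY = {"owner": "alice", "allowed_roles": ["finance"], "allowed_purposes": ["billing"],
          "not_after": 1_900_000_000, "obligations": ["notify_owner_on_access", "delete_after_30_days"]}
FINANCE = {"id": "acme-finance", "role": "finance", "purpose": "billing"}
MARKETING = {"id": "acme-marketing", "role": "marketing", "purpose": "marketing"}
NOW = 1_700_000_000


def demo() -> dict:
    ta = TrustAuthority()
    env = seal("rec-42", b"alice@example.com, card ending 1234", POLICY, ta)
    plaintext, obligations = open_envelope(env, FINANCE, ta, NOW)
    # A downstream party rewrites the policy to let itself in; the binding check catches it.
    widened = json.dumps(dict(POLICY, allowed_roles=["marketing"], allowed_purposes=["marketing"]), sort_keys=True)
    denied = {}
    for label, e in (("marketing", env), ("tampered", dict(env, policy=widened.encode()))):
        try:
            open_envelope(e, MARKETING, ta, NOW)
        except PermissionError as exc:
            denied[label] = str(exc)
    return {"plaintext": plaintext, "obligations": obligations, "denied": denied, "audit": ta.audit}
```

Running demo() shows the three outcomes a sticky-policy deployment must distinguish: the finance request is granted together with the obligations it now carries, the marketing request is refused on role and purpose, and the envelope whose policy was widened after sealing is refused because the binding no longer verifies; the TA's audit list records all three, which is the accountability hook.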
Sunday, August 14, 2011
On the Next Generation of Cloud Computing and Cloud Operations Centres
- Security and Privacy across various boundaries
- Assurance and governance for the involved parties
- Dynamic management of SLAs and policies across the involved parties
- Effective Cloud Operation Centres
- Effective migration of services and information in the Cloud
- The next generation of Security Event & Incident Management Processes in the Cloud
- Models for the provision of Cloud Operation Centres
- Information flow exchange, to underpin some of the above aspects
- Application of Security Analytics methodology in the Cloud
Security Analytics applied to Security Event & Incident Management Processes
I just finished carrying out a case study with a key HP customer, involving the usage of the HP Security Analytics methodology for risk assessment and productivity analysis of their Security Event and Incident Management Processes.
This is a complex area that goes beyond the simple usage of SIEM (Security Information and Event Management) solutions and involves people, skills and processes to analyse events and identify false positives and/or security incidents to remediate. These processes are very important to minimise organisations’ exposure to additional security risks.
The case study has been successful. Models and simulations identified (and provided evidence about) key process bottlenecks and root causes of risk exposure. A full Security Analytics report has been produced for the customer.
Template Security Analytics models and result diagrams have also been produced, in order to support a repeatable analytics service for other customers.
This Security Analytics area is now ready to be offered as a service.
--- Posted by Marco Casassa Mont ---
Coordination of EnCoRe Project: Ensuring Consent and Revocation
I recently became the coordinator of the UK collaborative (TSB co-funded) EnCoRe project. This project focuses on ensuring consent and revocation for users, along with privacy management capabilities integrated with state-of-the-art IT frameworks.
This is a great opportunity. The project is now in its exploitation phase. We are setting up a strategic collaboration with the UK Cabinet Office/Identity Assurance programme, to leverage EnCoRe technical capabilities in their framework.
Further progress has been made in developing the EnCoRe compliance checking and risk assessment capabilities, as well as in finalising the second case study, in a biobanking context.
In addition to various demonstrators built by EnCoRe partners, HP Labs are also developing an R&D EnCoRe Service Framework to provide a reference implementation, exploitable by third parties as well as an R&D platform for advanced research. This framework will be compliant with the current EnCoRe Architecture and the coming third release.
Other exploitation opportunities are emerging with business groups and other UK agencies. More information to be provided soon on the EnCoRe web site ...
--- Posted by Marco Casassa Mont ---
Book – PRIME: Privacy and Identity Management for Europe
The PRIME Book is now available online.
This book documents the R&D outcomes of the EU PRIME project. It presents 28 detailed chapters organized in five parts:
- Introductory summary
- Legal, social, and economic aspects
- Realization of privacy-enhancing user-centric identity management
- Exploitation of PRIME results for applications
- Conclusions drawn and an outlook on future work
I specifically contributed to this book with two chapters:
· Privacy Models and Languages: Obligation Policies
· Privacy-Aware Identity Lifecycle Management
My R&D work on obligation policies and privacy-aware identity lifecycle management is also available here.
--- Posted by Marco Casassa Mont ---
HP Information Security – Inform Magazine – Available Online
The latest issue of Inform, the HP Information Security Magazine, is available online.
--- Posted by Marco Casassa Mont ---
Updated HPL Personal Web Page
I have just finished updating my HPL web page with the latest information about my research, public activities, publications and presentations.
--- Posted by Marco Casassa Mont ---
Friday, July 1, 2011
Towards A “Social Network” of Monitoring and Incident Management in the Cloud?
Things might get worse when more and more organisational services and IT infrastructure are outsourced to the Cloud …
This triggered a few thoughts about how assurance could be provided in the Cloud and how this could be done effectively to handle various degrees of risk.
Interestingly, when outsourcing to the Cloud, part of the organisational control over IT and processes is lost. This might include the ability to log information at the desired level of granularity and to act on it in a timely manner, e.g. in case of incidents …
Which mechanisms should be put in place to enable organisations to get timely information, including logs and incidents, from their Cloud Service Providers?
This has an impact not only on SLAs and contractual agreements but also on the technical solutions that need to be deployed to:
- enable Cloud Service Providers to flexibly collect log information, at different levels of abstraction in the IT stack and for specific customers, and provide it to organisations
- enable organisations to deal with mixed sources of log files, with potentially different levels of accuracy and trust, to drive their audit & compliance management activities as well as their incident management processes
It is going to be a “recursive” issue, as Cloud Service providers might rely on other providers in the Cloud …
I envisage a situation where enterprises’ business and governance requirements will dictate a wider collaboration between various Service Providers in order to collect, process, sanitise and share “logs information” and incidents.
Are we moving towards Federated Monitoring in the Cloud i.e. a sort of “Social Network” of Monitoring and Incident Management in the Cloud? …
--- Posted by Marco Casassa Mont ---
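One way to ground the two requirements above in code, as an added example that is not from the original post: each provider ships log batches with an integrity tag, the organisation verifies every batch before trusting it, normalises each provider's format into one schema, tags records with provenance and a trust weight, and only then runs incident logic across the mixed sources. The per-provider signing keys, the trust weights, the two log formats, the provider names and every log line are constructed for the example (addresses are from the RFC 5737 documentation ranges).

```python
"""Federated log ingestion across cloud providers (illustrative, stdlib only).
Batches carry an HMAC tag keyed with a per-customer secret agreed at onboarding;
the consumer verifies, normalises, tags each record with provenance and trust,
then correlates failed logins seen at more than one provider. All keys, trust
weights, formats and log lines are constructed for the example."""
import hashlib
import hmac
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: batch-signing keys delivered out of band (e.g. during SLA onboarding).
PROVIDER_KEYS = {"cloud-a": b"cloud-a-demo-key", "cloud-b": b"cloud-b-demo-key"}
# Assumption: how far the organisation trusts each source's accuracy and timeliness.
TRUST = {"cloud-a": 0.9, "cloud-b": 0.6}


def batch_tag(provider: str, lines: list) -> str:
    """HMAC-SHA256 over the batch body; the provider computes this when shipping."""
    return hmac.new(PROVIDER_KEYS[provider], "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def batch_verified(provider: str, lines: list, tag: str) -> bool:
    return hmac.compare_digest(batch_tag(provider, lines), tag)


def parse_cloud_a(line: str) -> dict:
    """cloud-a ships JSON lines with epoch timestamps."""
    rec = json.loads(line)
    return {"ts": datetime.fromtimestamp(rec["t"], timezone.utc),
            "event": rec["ev"], "user": rec.get("u"), "src_ip": rec.get("ip")}


_CLOUD_B = re.compile(r"^(?P<ts>\S+) (?P<ev>auth_(?:ok|fail)) user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_cloud_b(line: str) -> dict:
    """cloud-b ships a syslog-like text line with its own event names."""
    m = _CLOUD_B.match(line)
    if not m:
        raise ValueError(f"unparseable cloud-b line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": {"auth_ok": "login_success", "auth_fail": "login_failure"}[m["ev"]],
            "user": m["user"], "src_ip": m["ip"]}


PARSERS = {"cloud-a": parse_cloud_a, "cloud-b": parse_cloud_b}


def ingest(batches: list) -> list:
    """Verify, normalise and tag every record; unverified batches are kept but get zero trust."""
    records = []
    for batch in batches:
        ok = batch_verified(batch["provider"], batch["lines"], batch["tag"])
        for line in batch["lines"]:
            rec = PARSERS[batch["provider"]](line)
            rec.update(provider=batch["provider"], verified=ok,
                       trust=TRUST[batch["provider"]] if ok else 0.0)
            records.append(rec)
    return records


def cross_provider_failed_logins(records: list, min_fails: int = 3, min_trust: float = 0.5) -> list:
    """Source IPs with >= min_fails login failures reported by >= 2 distinct trusted providers."""
    fails, providers = defaultdict(int), defaultdict(set)
    for r in records:
        if r["event"] == "login_failure" and r["verified"] and r["trust"] >= min_trust:
            fails[r["src_ip"]] += 1
            providers[r["src_ip"]].add(r["provider"])
    return sorted(ip for ip in fails if fails[ip] >= min_fails and len(providers[ip]) >= 2)


def make_batch(provider: str, lines: list, tampered_extra: str = None) -> dict:
    """Provider-side packaging; tampered_extra simulates a line added after signing."""
    tag = batch_tag(provider, lines)
    if tampered_extra is not None:
        lines = lines + [tampered_extra]
    return {"provider": provider, "lines": lines, "tag": tag}


SAMPLE_BATCHES = [   # constructed
    make_batch("cloud-a", [
        '{"t": 1309514400, "ev": "login_failure", "u": "alice", "ip": "203.0.113.7"}',
        '{"t": 1309514410, "ev": "login_failure", "u": "alice", "ip": "203.0.113.7"}',
        '{"t": 1309514500, "ev": "login_success", "u": "bob", "ip": "192.0.2.10"}',
    ]),
    make_batch("cloud-b", [
        "2011-07-01T10:01:00Z auth_fail user=alice src=203.0.113.7",
        "2011-07-01T10:01:30Z auth_ok user=carol src=192.0.2.22",
    ]),
    make_batch("cloud-a", [
        '{"t": 1309514600, "ev": "login_failure", "u": "root", "ip": "198.51.100.9"}',
        '{"t": 1309514610, "ev": "login_failure", "u": "root", "ip": "198.51.100.9"}',
    ], tampered_extra='{"t": 1309514620, "ev": "login_failure", "u": "root", "ip": "198.51.100.9"}'),
]

if __name__ == "__main__":
    recs = ingest(SAMPLE_BATCHES)
    print("cross-provider failed-login sources:", cross_provider_failed_logins(recs))
```

The third batch carries three failures for 198.51.100.9 but was altered after the provider signed it, so its records are kept for forensics yet excluded from detection; 203.0.113.7 is reported because two verified providers of sufficient trust each saw it fail. The trust weight is what lets an organisation keep using a lower-accuracy source (cloud-b here) without letting it drive incidents on its own.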
HP Labs’ EnCoRe Service Framework for Privacy Management
This work aims to provide a flexible, general purpose, agile and extensible R&D platform to further support the exploitation of EnCoRe technologies and solutions. We envisage using this Service Framework in the context of the EnCoRe engagement with the Cabinet Office, in their Identity Assurance Programme.
More details about this work are going to be published in the coming EnCoRe Newsletter.
--- Posted by Marco Casassa Mont ---
UK Cabinet Office’s Identity Assurance Programme
This article provides additional information and analysis:
“Government is hard at work with IT industry partners to crack the problem of identity assurance, says Nigel Harrison of the Office of Cyber Security and Information Assurance (OCSIA).
The initiative, being led by the Cabinet Office, is essential to government commitment to delivering services online, he told Computer Weekly.
In May, the Cabinet Office announced government plans to help create a market of private sector identity assurance services.
Nigel Harrison says it is likely the UK will soon see the emergence of multiple providers of identity assurance services specialising in different types or levels of assurance.
This will enable citizens to choose their own identity assurance providers depending on what level of assurance is required. Harrison said no single provider would necessarily have guardianship of all identity information about any individual.”
--- Posted by Marco Casassa Mont ---
Presentation: Risk Assessment and Decision Support for Enterprise Security Policies
My presentation is now available online. The abstract of the related paper follows:
“This paper presents and discusses our work to provide organizations with risk assessment and decision support capabilities when dealing with their strategic security policies. We aim at achieving this by using a rigorous and scientific methodology (and tools) which leverages modeling and simulation techniques. This methodology helps organizations to assess their risk exposure. It factors in policy implementation at the operational level along with relevant threats, processes, interactions and people behaviors. It provides “what-if” analysis by illustrating the consequences of making policy changes and investments. We introduce our methodology and tools and then illustrate how this approach has been successfully used in a real case study with one of our major customers. This case study focused on the organization’s access management processes and related policies: it helped to inform strategic security policies and support changes of current processes. Additional work is planned in this space.”
--- Posted by Marco Casassa Mont ---
Monday, May 30, 2011
Focusing on the Cloud and the Intersection of Cloud with Security
In particular I am interested in exploring and contributing to the space of “Cloud middleware”. Some initial questions:
Which “middleware” services can be provided in the cloud to support various Cloud applications and services?
Which identity management, security and privacy capabilities need to be in place?
How to ensure accountability and assurance?
How to exploit recent Identity and Security Analytics capabilities, developed by HP Labs, in that space?
I am currently gathering information and documents in this space, related to business opportunities, current solution offerings and technological approaches.
Any input and links to publicly available information are really welcome.
--- Posted by Marco Casassa Mont ---
EnCoRe Project: Architecture Version 2 released
This architectural document updates and refines the first Architecture for the explicit management of Privacy, Consent and Revocation by introducing, among other things, refined internal and external workflow management capabilities, the explicit management of obligation policies and support for sticky policies.
--- Posted by Marco Casassa Mont ---
Various papers accepted at International Conferences
Simon Shiu, Adrian Baldwin, Yolanta Beres, Marco Casassa Mont, Geoff Duggan - Economic Methods and Decision Making by Security Professionals, WEIS 2011, George Mason University, 14-15 June 2011, US
Siani Pearson, Marco Casassa Mont and Gina Kounga, “Enhancing Accountability in the Cloud via Sticky Policies”, STAVE, Springer, June 2011.
Nick Papanikolaou, Siani Pearson and Marco Casassa Mont, “Towards Natural-Language Understanding and Automated Enforcement of Privacy Rules and Regulations in the Cloud: Survey and Bibliography”, STAVE, Springer, June 2011.
Nick Papanikolaou, Siani Pearson, Marco Casassa Mont and Ryan Ko, “Towards Greater Accountability in Cloud Computing through Natural-Language Analysis and Automated Policy Enforcement”, Proc. eChallenges, 2011.
Hopefully good debates and discussions will follow the presentations of these papers.
--- Posted by Marco Casassa Mont ---
Presentation - Centre for Cybercrime and Computer Security Conference 2011
My presentation, on "Risk Exposure to Social Networks in Enterprises", is now available online.
--- Posted by Marco Casassa Mont ---
Friday, April 29, 2011
Applying Security Analytics in the Space of SOC and Incident Management
My colleagues and I have been carrying out a few case studies, jointly with HP customers and HP businesses, in the space of situational awareness by using Security Analytics.
This is an exciting area, very suitable for the HP Labs and HP IS Security Analytics methodology and tools, as it involves modelling critical processes and people behaviours and dealing with risk assessment issues.
The aim is to provide decision support to strategic decision makers (CISOs, CIOs, risk managers, etc.) and to support the definition of related security policies.
Of particular interest and relevance is the application of our modelling & simulation methodology (along with related tools) to the processes involved in Security Operations Centres (SOCs) and related Incident Management & Remediation.
Specifically, we aim at assessing the risk exposure of organisations due to their SOC/incident management processes and the performance involved (e.g. time wasted in handling false positives). A series of metrics have been identified to measure the involved risks, e.g. the time to fully manage an incident (the longer it takes, the wider the risk exposure window).
We used our analytics models to explore “what-if” scenarios, e.g. the impact of changing SOC/incident management process steps, introducing automation and/or changing the number of personnel involved.
Interesting trade-offs are currently being explored based on the priorities of decision makers, e.g. costs vs productivity vs security risks.
--- Posted by Marco Casassa Mont ---
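A small model of the kind of what-if analysis described in this post and in the August post on Security Event & Incident Management processes, written as an added example (it is not HP Labs' Security Analytics tooling, whose models are not on this page): alerts arrive as a Poisson stream, a pool of analysts triages them FIFO, false positives are closed after triage and true incidents need a remediation step. The scenario names, arrival rate, false-positive share, step durations, staffing levels and the automation effect are all made-up assumptions; the metrics reported are the ones the post names, time to fully manage an incident (the risk exposure window) and analyst productivity.

```python
"""What-if simulation of a SOC incident-management process (illustrative).
Multi-server FIFO queue: alerts -> triage by any free analyst -> (true incidents
only) remediation by the same analyst. Scenario parameters are assumptions."""
import heapq
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    name: str
    analysts: int
    arrivals_per_hour: float = 5.0
    false_positive_rate: float = 0.70
    triage_minutes: float = 10.0        # mean manual triage time (exponential)
    remediation_minutes: float = 60.0   # mean remediation time for true incidents
    auto_close_fp_share: float = 0.0    # share of false positives closed by automation
    auto_close_minutes: float = 1.0     # time automation needs to close one
    horizon_hours: float = 24 * 30


def simulate(sc: Scenario, seed: int = 1) -> dict:
    """Event-by-event run; analysts are identical and never pre-empted."""
    rng = random.Random(seed)
    horizon = sc.horizon_hours * 60.0
    free_at = [0.0] * sc.analysts        # min-heap: when each analyst is next free
    exposure, close_times = [], []       # true incidents only / all alerts
    n_fp = n_auto = 0
    busy = t = 0.0
    while True:
        t += rng.expovariate(sc.arrivals_per_hour / 60.0)
        if t > horizon:
            break
        is_fp = rng.random() < sc.false_positive_rate
        if is_fp:
            n_fp += 1
            if rng.random() < sc.auto_close_fp_share:   # never reaches a human
                n_auto += 1
                close_times.append(sc.auto_close_minutes)
                continue
        service = rng.expovariate(1.0 / sc.triage_minutes)
        if not is_fp:
            service += rng.expovariate(1.0 / sc.remediation_minutes)
        start = max(t, heapq.heappop(free_at))       # wait for the first free analyst
        end = start + service
        heapq.heappush(free_at, end)
        busy += service
        close_times.append(end - t)
        if not is_fp:
            exposure.append(end - t)
    return {
        "scenario": sc.name,
        "alerts": len(close_times),
        "false_positives": n_fp,
        "auto_closed": n_auto,
        "incidents": len(exposure),
        "mean_exposure_min": mean(exposure),
        "max_exposure_min": max(exposure),
        "mean_close_min": mean(close_times),
        "analyst_utilisation": busy / (sc.analysts * max(free_at)),
    }


# Constructed what-if scenarios. Baseline demand is 5/h * (10 + 0.3*60) = 140
# analyst-minutes per hour against 120 available, i.e. two analysts are over
# capacity and the backlog (and the exposure window) grows for the whole month.
SCENARIOS = {
    "A": Scenario("A: 2 analysts, manual process", analysts=2),
    "B": Scenario("B: 3 analysts, manual process", analysts=3),
    "C": Scenario("C: 2 analysts, enrichment auto-closes 90% of false positives "
                  "and halves manual triage", analysts=2,
                  auto_close_fp_share=0.9, triage_minutes=5.0),
}


def run_what_if(seed: int = 1) -> dict:
    return {key: simulate(sc, seed) for key, sc in SCENARIOS.items()}


if __name__ == "__main__":
    for r in run_what_if().values():
        print(f"{r['scenario']}: incidents={r['incidents']} "
              f"mean exposure={r['mean_exposure_min']:.0f} min "
              f"max exposure={r['max_exposure_min']:.0f} min "
              f"utilisation={r['analyst_utilisation']:.2f}")
```

The point of the exercise is the comparison, not the absolute numbers: scenario A shows the risk exposure window widening without bound because the process is under capacity, while B (more people) and C (automation that removes false-positive handling from the queue) both bring it back to the order of the service time itself. Swapping the exponential step times for measured distributions, and the scenarios for the changes a customer is actually considering, is what turns a toy like this into a decision-support model.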
Identity and Security Analytics: Paper Accepted at IEEE Policy 2011 Symposium
“Marco Casassa Mont, Richard Brown
Risk Assessment and Decision Support for Security Policies and Related Enterprise Operational Processes”
The abstract of the paper follows:
“This paper presents and discusses our work to provide organizations with risk assessment and decision support capabilities when dealing with their strategic security policies. We aim at achieving this by using a rigorous and scientific methodology (and tools) which leverages modeling and simulation techniques. This methodology helps organizations to assess their risk exposure. It factors in policy implementation at the operational level along with relevant threats, processes, interactions and people behaviors. It provides “what-if” analysis by illustrating the consequences of making policy changes and investments. We introduce our methodology and tools and then illustrate how this approach has been successfully used in a real case study with one of our major customers. This case study focused on the organization’s access management processes and related policies: it helped to inform strategic security policies and support changes of current processes. Additional work is planned in this space.”
--- Posted by Marco Casassa Mont ---
EnCoRe General Meeting in Venice and Networking Event for EU Framework 7 Call 8
Good discussions on the third case study, system framework design and architectural aspects.
In this context, a networking event has been held to explore collaboration opportunities for the coming EU FP7 Call 8. It was a very successful meeting with exciting opportunities, in particular in the area of “Cloud Accountability”.
--- Posted by Marco Casassa Mont ---
EnCoRe Project – 11th Quarter Summary
In this context, the EnCoRe Architecture v.2 has now been fully completed and a related document will be published shortly. This release will feature new capabilities, including Obligation Management, support for Sticky Policies and improved Internal and external workflows for the management of consent and revocations.
--- Posted by Marco Casassa Mont ---
Wednesday, March 9, 2011
Conference – Centre for Cybercrime and Computer Security Conference
I will be giving a presentation on “Risk Exposure to Social Networks in Enterprises”.
This is a great opportunity to network with experts in this area and to share thoughts about related HP Labs R&D activities that we have been carrying out in Bristol, UK.
Please consider attending.
--- Posted by Marco Casassa Mont ---
Security and Identity Analytics
This paper is based on a recent HPL Technical Report I published, on “Risk Assessment and Decision Support for Security Policies and Related Enterprise Operational Processes”.
Looking forward to presenting this work.
Interestingly, this paper describes work that we did jointly with a major HP customer, in the space of Security Analytics and Identity Access Management.
This work de-risked Security Analytics in this area: it is now one of the Security Analytics capabilities offered as a service by HP Information Security.
--- Posted by Marco Casassa Mont ---
UK Cyber Security Challenge 2011
It has been a very interesting experience observing and engaging with the various participants. Very good fun.
I would really encourage the readers to engage in the coming editions.
--- Posted by Marco Casassa Mont ---
On the value of being part of Conference Program Committees
Some statistics: based on my experience, I would say that only 25-30% of the papers that I review are worth publishing, because of the innovation and new insights they provide.
Nevertheless, I believe this is a great opportunity to stay in touch and up-to-date with key R&D topics. In my case, in the space of security, privacy, IAM and risk management.
--- Posted by Marco Casassa Mont ---
Making good progress in the UK EnCoRe Project
I have been deeply involved in finalising the new version of the EnCoRe Architecture that will support the coming case studies and (hopefully) a pilot with a major UK company. It will soon be publicly released.
We are currently working on an “EnCoRe System Framework” that will enable grounding this architecture at the system, compliance and regulatory levels – to enable the above mentioned case studies and pilot.
--- Posted by Marco Casassa Mont ---
Thursday, February 3, 2011
New HP Labs Report: Risk Assessment and Decision Support for Security Policies and Related Enterprise Operational Processes
“Marco Casassa Mont, Richard Brown - Risk Assessment and Decision Support for Security Policies and Related Enterprise Operational Processes”
The paper abstract follows:
“This paper presents and discusses our work to provide organizations with risk assessment and decision support capabilities when dealing with their strategic security policies. Traditional work in the policy management space primarily focuses on technical languages and frameworks to manage and enforce operational policies. These contributions are important but they do not address strategic decision makers’ needs and questions such as: What business and security risks is my organization exposed to, due to the current security policies and related operational processes? How effectively are these policies enforced at the operational level? What is the impact of changing them? We aim at providing strategic decision support in this space by using a rigorous and scientific methodology (and tools) which leverages modeling and simulation techniques. This methodology helps organizations to assess their risk exposure. It factors in policy implementation at the operational level along with relevant threats, processes, interactions and people behaviors. It provides “what-if” analysis by illustrating the consequences of making policy changes and investments. We briefly introduce our methodology and tools and then ground the discussion by illustrating how this approach has been successfully used in a real case study with one of our major customers. This case study focused on the organization’s access management processes and related policies: it helped to inform strategic security policies and support changes of current access management processes. Additional work is planned in this space to further validate our approach and build template solutions for different types of organizational policies and processes.”
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---
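The methodology in the HP Labs report above (model the operational process behind a policy, factor in how often it is actually enforced and the threats that exploit the gap, then compare "what-if" variants) can be illustrated with a small Monte Carlo model. The following is an added example written for this page; it is not the HP Labs tool, model or customer case study. The de-provisioning scenario, the misuse rate, the loss figure and the four policy variants are all constructed assumptions chosen to make the comparison readable.

```python
"""Added example: Monte Carlo 'what-if' analysis of an access de-provisioning policy.

This is NOT the HP Labs methodology or tooling; it is a toy model built for this
page. Every number below (rates, losses, SLA values) is a constructed assumption.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    sla_days: float        # strategic policy: revoke a leaver's access within N days
    p_compliant: float     # operational reality: fraction of cases that meet the SLA
    late_tail_days: float  # when the SLA is missed, revocation lands up to this much later


# Threat model parameters (assumed values for the example)
MISUSE_RATE_PER_DAY = 0.05   # misuse attempts on an orphaned account, per orphan-day
LOSS_PER_INCIDENT = 4000.0   # assumed impact of one successful misuse


def expected_orphan_days(p: Policy) -> float:
    """Closed-form mean of the window between leaving and revocation.

    On-time revocations are uniform over [0, sla]; late ones uniform over
    [sla, sla + tail]. This gives a check value for the simulation.
    """
    on_time = p.sla_days / 2.0
    late = p.sla_days + p.late_tail_days / 2.0
    return p.p_compliant * on_time + (1.0 - p.p_compliant) * late


def expected_loss(p: Policy, leavers: int) -> float:
    """Analytic expected loss: leavers x mean orphan-days x misuse rate x impact."""
    return leavers * expected_orphan_days(p) * MISUSE_RATE_PER_DAY * LOSS_PER_INCIDENT


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return k
        k += 1


def simulate(p: Policy, leavers: int, seed: int = 1) -> dict:
    """Simulate `leavers` departures under policy `p` and tally misuse incidents."""
    rng = random.Random(seed)
    orphan_days = 0.0
    incidents = 0
    for _ in range(leavers):
        if rng.random() < p.p_compliant:
            window = rng.uniform(0.0, p.sla_days)
        else:
            window = rng.uniform(p.sla_days, p.sla_days + p.late_tail_days)
        orphan_days += window
        # misuse attempts arrive as a Poisson process while the account is orphaned
        incidents += _poisson(rng, MISUSE_RATE_PER_DAY * window)
    return {
        "policy": p.name,
        "mean_orphan_days": orphan_days / leavers,
        "incidents": incidents,
        "loss": incidents * LOSS_PER_INCIDENT,
    }


def what_if(policies, leavers: int = 5000, seed: int = 1) -> dict:
    """Run every policy variant on the same population and seed for a fair comparison."""
    return {p.name: simulate(p, leavers, seed) for p in policies}


# Policy variants to compare (constructed): the paper-policy change alone,
# the enforcement improvement alone, and both together.
SCENARIOS = [
    Policy("as-is",        sla_days=30.0, p_compliant=0.60, late_tail_days=60.0),
    Policy("tighten-sla",  sla_days=2.0,  p_compliant=0.60, late_tail_days=60.0),
    Policy("enforce-only", sla_days=30.0, p_compliant=0.95, late_tail_days=60.0),
    Policy("both",         sla_days=2.0,  p_compliant=0.95, late_tail_days=60.0),
]


if __name__ == "__main__":
    for name, r in what_if(SCENARIOS).items():
        analytic = expected_loss(next(p for p in SCENARIOS if p.name == name), 5000)
        print(f"{name:13s} orphan-days/leaver={r['mean_orphan_days']:6.2f} "
              f"incidents={r['incidents']:5d} loss={r['loss']:>12,.0f} "
              f"(analytic {analytic:>12,.0f})")
```

With these assumed numbers the "as-is" variant averages 33 orphan-days per leaver, and 24 of them come from the 40% of cases that miss the SLA. Cutting the SLA on paper from 30 to 2 days ("tighten-sla") still leaves about 13 orphan-days, nearly all of it from the non-compliant cases, which is the kind of answer to "how effectively are these policies enforced at the operational level?" that the abstract is after. The closed-form `expected_loss` is there so the simulation can be sanity-checked before anyone trusts a what-if delta from it.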
New IEEE Computer Article - Using Modelling and Simulation to Evaluate Enterprises’ Risk Exposure to Social Networks
“Anna Squicciarini, Sathya Dev Rajasekaran, Marco Casassa Mont – Using Modelling and Simulation to Evaluate Enterprises’ Risk Exposure to Social Networks”
The abstract follows:
“An analytic methodology involving modeling and simulation could help decision makers determine how their employees' use of social networks impacts their organization, identify how to mitigate potential risks, and evaluate the financial and organizational implications of doing so.”
UK Cyber Security Challenge
“The Cyber Security Challenge is a series of national online games and competitions that will test the cyber security abilities of individuals and teams from every walk of life. It is designed to excite and inspire anyone considering a career in the cyber security industry.”
Please consider getting involved. Read here why you should.
Submissions to 8th International Conference TrustBus 2011
The submission deadline is 27 February 2011. The Call for Papers is available online:
“The advances in the Information and Communication Technologies (ICT) have raised new opportunities for the implementation of novel applications and the provision of high quality services over global networks. The aim is to utilise this ‘information society era’ for improving the quality of life for all citizens, disseminating knowledge, strengthening social cohesion, generating earnings and finally ensuring that organisations and public bodies remain competitive in the global electronic marketplace. Unfortunately, such a rapid technological evolution cannot be problem free. Concerns are raised regarding the "lack of trust" in electronic procedures and the extent to which "information security" and "user privacy" can be ensured. In answer to these concerns, the 8th International Conference on Trust, Privacy and Security in Digital Business (TrustBus '11) will provide an international forum for researchers and practitioners to exchange information regarding advancements in the state of the art and practice of trust and privacy in digital business. TrustBus '11 will bring together researchers from different disciplines, developers, and users all interested in the critical success factors of digital business systems.”