Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Friday, June 15, 2012

Frameworks for Graphical Visualisation of Policies

I am looking for public information about case studies, frameworks and/or approaches to graphically visualise policies. In particular, how to convey data sharing policies by using graphical metaphors.


Policies are getting more and more complex: not everybody can make sense of them and/or translate them into practical/actionable terms. On the other hand, they are used in many digital contexts (web services, enterprise, B2C, cloud, etc.) to dictate constraints, SLAs, expectations and obligations.

I am interested in exploring how graphical visualisation can help to:

• convey them to end-users in a more intuitive way ...

• enable better reasoning about their meaning and implications

• allow administrators to translate them into enforceable activities/constraints



--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---





Next Steps: Security Intelligence-as-a-Service (SILAS)

Thanks for your interest in my previous blog post, related to the HP Labs R&D work we are carrying out (in collaboration with a business group) in the area of Security Intelligence-as-a-Service (SILAS).




As mentioned before, the next steps involve trialling the solution in a Security Operation Centre (SOC) environment to refine its capabilities and provide value-added risk assessment and what-if analysis capabilities to the involved decision makers.



SILAS currently processes inputs provided by various data sources (including HP ArcSight, HP TippingPoint and OSVDB) to generate meaningful, strategic risk metrics and predictions. We are planning to expand the areas in which we provide these predictions and what-if analysis (via HP Security Analytics), beyond the current IAM, VTM, Web Infection and Incident Management areas.



--- Posted by Marco Casassa Mont ---



HP Global Citizenship Report

HP released the HP Global Citizenship Report, accessible online here.




--- Posted by Marco Casassa Mont ---

Friday, June 8, 2012

More on Security Intelligence-as-a-Service (SILAS)

As previously mentioned in a blog of mine, we (HP Labs in collaboration with an HP business group) are making quick progress in implementing a Security Intelligence as a Service (SILAS) solution:


“SILAS (Security Intelligence-as-a-Service): this R&D work aims to build a service that provides strategic metrics and risk assessment to customers (potentially in a federated SOC environment). It gathers information from the IT infrastructure (including SIM/SEM solution, e.g. HP ArcSight, HP TippingPoint, etc.) and uses it to provide statistical analysis, support predictive risk assessment and what-if scenario analysis (via HP Security Analytics), as well as trends and benchmarking across customers. Security Analytics (predictive) models are instantiated with the data collected from the field, to provide accurate predictions and animate what-if scenarios”

One of the coming objectives is trialling this solution in a Security Operation Centre (SOC). We have already identified one, but I welcome any expression of interest by potential customers/early adopters. In addition, I welcome inputs about security risk metrics and potential what-if analysis scenarios that might be of interest/relevance. Currently we have identified a few core metrics and scenarios in the space of IAM, VTM and SOC Incident Management Processes, but I am very keen on getting a wider portfolio. Please contact me for more information and/or provide your input.







--- Posted by Marco Casassa Mont ---

More on Safe Information Sharing in the Cloud

As previously mentioned in my blog posts, a key R&D area I am currently involved in is about “Safe Information Sharing in the Cloud”.

Sharing information in the cloud about security, performance, legal, etc. aspects is critical to enable the right levels of accountability, risk assessment and governance.

This is even more important as the organisation, now leveraging resources from the cloud, loses control over various critical aspects ranging from the management of the IT infrastructure to the involved security and governance processes.

Specifically, I am keen on further exploring the space of “data sharing policies”, enforcement environments and the actual implications in terms of controls. I have been looking for current examples and case studies. Any related link and public information is welcome.


--- Posted by Marco Casassa Mont ---

HP Labs at HP Discover 2012

HP Labs has been a key participant at HP Discover 2012. Some highlights are available here.



In particular, our Cloud & Security Lab has been involved, demonstrating state-of-the-art prototypes and solutions in the Security and Risk Management areas.

This includes R&D work we did in Security Analytics, now transferred to HP ESS and offered to customers as a service.



--- Posted by Marco Casassa Mont ---



Friday, June 1, 2012

On Safe Information Sharing in the Cloud

I am interested in getting links to public material related to case studies, R&D and work done in the space of information sharing, in particular in the context of cloud environments.




Specifically, I am interested in next generation supply-chain scenarios and federated Security Operation Centres (SOCs), operating in the cloud and/or involving entities which use services in the cloud.



For example, in the case of a security incident involving an IaaS provider and a SaaS provider built on it, the SOC at the SaaS site might need more information about the incident from the IaaS side (what was affected, when, and what has been done about it). Exchanging that information across organisational boundaries, without over-sharing, is what safe information sharing is about.



As previously mentioned in a post of mine, key requirements include providing mechanisms for safe sharing, assurance, risk assessment and compliance. Sharing policies need to be in place. Assurance mechanisms need to be in place to assess the pedigree, quality and completeness of the shared data.



I wonder if any specific case study has already been carried out in this space whose results are publicly available, and/or if there are any publications available. So far I didn’t manage to find very relevant information (but still searching ...).





--- Posted by Marco Casassa Mont ---

SILAS and SAaaS: Update on my R&D work

I am currently working on two new R&D areas:




• SILAS (Security Intelligence-as-a-Service): this R&D work aims to build a service that provides strategic metrics and risk assessment to customers (potentially in a federated SOC environment). It gathers information from the IT infrastructure (including SIM/SEM solution, e.g. HP ArcSight, HP TippingPoint, etc.) and uses it to provide statistical analysis, support predictive risk assessment and what-if scenario analysis (via HP Security Analytics), as well as trends and benchmarking across customers. Security Analytics (predictive) models are instantiated with the data collected from the field, to provide accurate predictions and animate what-if scenarios;



• SAaaS Demonstrator (Situational Awareness-as-a-Service): this demonstrator will showcase advanced scenarios and capabilities related to information sharing and situational awareness in a cloud context, specifically in the context of cyber security. Advanced GUI and back-end capabilities are under development. The demonstrator will also be used as a context where to further carry out research in the context of the CSL Safe Cloud R&D project.

I welcome input, material and case studies of relevance to the above two areas.





--- Posted by Marco Casassa Mont ---



Recent HPL R&D publications in the space of Cloud, Cloud Assurance and Privacy

I recently published, along with HPL colleagues, new papers in the space of Cloud, Cloud assurance and compliance and privacy:




• Marco Casassa Mont, Kieran McCorry, Nick Papanikolaou, Siani Pearson “Security and Privacy Governance In Cloud Computing via SLAs and a policy orchestration service”, Frank Leymann, Ivan Ivanov, Marten van Sinderen and Tony Shan (eds.), Proc. Closer 2012, Portugal, SciTePress, April 2012.

• Nick Papanikolaou, Siani Pearson, Marco Casassa Mont and Ryan Ko, “Automating Compliance for Cloud Computing Services”, Frank Leymann, Ivan Ivanov, Marten van Sinderen and Tony Shan (eds.), Proc. Closer 2012, Portugal, SciTePress, April 2012.



In particular I believe that safe information sharing in the cloud is a key aspect to further enable adoption of cloud solutions by the industry.



For example, this will be the case in next generation supply-chain scenarios and federated Security Operation Centres (SOCs), operating in the cloud and/or involving entities that use services in the cloud.



Key requirements include providing mechanisms for safe sharing, assurance, risk assessment and compliance. An area to further explore and research ...



--- Posted by Marco Casassa Mont ---

On Enabling Safer Information Sharing in the Cloud

I published an HPL Technical Report discussing an approach to enable safer information sharing in the cloud, leveraging data sharing agreements and policy enforcement mechanisms:




Marco Casassa Mont, Ilaria Matteucci, Marinella Petrocchi, Marco Luca Sbodio, “Enabling Data Sharing in the Cloud”, HP Labs Technical Report HPL-2012-22



The HPL TR abstract follows:



“Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust and control on how data is going to be used and processed by the entities that receive this data. In the traditional world, this issue is addressed by using contractual agreements that are signed by the involved parties. This could be done electronically as well but there is currently a major gap between the definition of legal contracts, regulating the sharing of data and the software infrastructure required to support and enforce them. How to ensure that legal contracts can be actually enforced by the underlying IT infrastructure? How to ensure that a potentially enforceable version of the contract corresponds to the legal version of the contract? This article describes our work to address this gap through the usage of electronic Data Sharing Agreements (e-DSA). e-DSAs can be formally defined and analysed to identify inconsistencies and contradictory policies/constraints; they can then be deployed within the IT infrastructure and enforced. We specifically show how this can be achieved in a cloud scenario, where e-DSAs are enforced via policy enforcement capabilities developed in the UK EnCoRe [6] collaborative project. “
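The approach summarised in the abstract (define the agreement formally, analyse it for contradictory constraints, then deploy and enforce it) and the IaaS/SaaS incident-sharing scenario from the “On Safe Information Sharing in the Cloud” post above can be illustrated with a small worked example. What follows is an added example, not code from the technical report or from the EnCoRe project: a toy e-DSA model in Python in which each clause is a permit/deny rule over hypothetical attributes (data category, recipient, purpose), with an analysis pass that reports clauses that can contradict each other on the same request, and an enforcement function that evaluates a sharing request with deny-overrides and default-deny semantics. The parties (“saas_soc”) and data categories (“incident_log”, “customer_pii”) are constructed for illustration.

```python
# Added example, not code from the original post, the HPL technical report
# or the EnCoRe project: a toy electronic Data Sharing Agreement (e-DSA)
# with a consistency analysis step and an enforcement step. Rule attributes,
# parties and data categories below are hypothetical.
from dataclasses import dataclass
from itertools import combinations

PERMIT, DENY = "permit", "deny"
ANY = "*"  # wildcard: the clause applies to any value of that attribute


@dataclass(frozen=True)
class Rule:
    effect: str     # PERMIT or DENY
    data: str       # data category, e.g. "incident_log"
    recipient: str  # receiving party, or ANY
    purpose: str    # stated purpose of the sharing, or ANY


def _matches(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def _can_overlap(a: Rule, b: Rule) -> bool:
    """True if some request (data, recipient, purpose) is matched by both rules."""
    return all(x == y or ANY in (x, y)
               for x, y in ((a.data, b.data),
                            (a.recipient, b.recipient),
                            (a.purpose, b.purpose)))


def find_conflicts(rules):
    """Analysis step: report pairs of clauses with opposite effects that can
    apply to the same request. An agreement with no such pairs has no
    contradictory permit/deny constraints, so every runtime decision is
    determined by a single effect rather than by a combining rule."""
    return [(a, b) for a, b in combinations(rules, 2)
            if a.effect != b.effect and _can_overlap(a, b)]


def decide(rules, data: str, recipient: str, purpose: str) -> str:
    """Enforcement step: evaluate one sharing request against the agreement.
    Deny overrides permit, and anything the agreement does not mention is denied."""
    applicable = [r for r in rules
                  if _matches(r.data, data)
                  and _matches(r.recipient, recipient)
                  and _matches(r.purpose, purpose)]
    if any(r.effect == DENY for r in applicable):
        return DENY
    if any(r.effect == PERMIT for r in applicable):
        return PERMIT
    return DENY  # default deny: unmentioned requests are not authorised


# Constructed sample agreement: the SOC of a SaaS provider may receive incident
# logs from the IaaS provider it runs on, for incident response only; customer
# personal data is never shared under this agreement.
CONSISTENT_DSA = [
    Rule(PERMIT, "incident_log", "saas_soc", "incident_response"),
    Rule(DENY, "customer_pii", ANY, ANY),
]

# The same agreement with one extra clause that contradicts the PII ban.
# The analysis step flags it before the agreement is deployed.
INCONSISTENT_DSA = CONSISTENT_DSA + [
    Rule(PERMIT, "customer_pii", "saas_soc", "incident_response"),
]


if __name__ == "__main__":
    for name, dsa in (("consistent", CONSISTENT_DSA), ("inconsistent", INCONSISTENT_DSA)):
        print(name, "conflicts:", find_conflicts(dsa))
    print(decide(CONSISTENT_DSA, "incident_log", "saas_soc", "incident_response"))
    print(decide(CONSISTENT_DSA, "incident_log", "saas_soc", "marketing"))
```

The point of separating the two steps is the one the abstract makes: the contradiction in INCONSISTENT_DSA is caught by find_conflicts before deployment, whereas an enforcement point alone would silently resolve it by its combining rule (deny-overrides here), and the legal text and the enforced behaviour would then disagree without anyone noticing.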



--- Posted by Marco Casassa Mont ---



Updated Personal HP Labs web site

I updated my personal HP Labs web site to reflect my recent work and R&D focus.


It contains updates about new HPL Technical Reports and papers I published in the space of privacy and information sharing as well as more details about my R&D focus areas.


--- Posted by Marco Casassa Mont ---

Successful Conclusion of the UK Collaborative EnCoRe Project

On April 27th, HP Labs hosted the Closure Event for the UK Collaborative EnCoRe Project. The overall project was a great success. It provides great vision, technical, legal, risk management and social deliverables on how to effectively handle consent and revocation of personal data, from user and organisation viewpoints.


EnCoRe inter-disciplinary public deliverables are going to be made available on the EnCoRe web site in the coming months. Currently it provides links to the three incremental versions of the EnCoRe Technical Architecture, for three case studies.



--- Posted by Marco Casassa Mont ---