Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Saturday, December 29, 2007

IT and Privacy Landscape: Areas to Watch in 2008

A recent article by Brian Tretick, titled “IT and the Changing Privacy Landscape: Eight Areas to Watch in 2008”, provides an interesting analysis of the current state of privacy management and suggests eight areas to watch in 2008:
  • Information is Power: Keeping Data Classification up to Date;
  • Less is More: Minimising the Use of Personal Information;
  • Decode or Not Decode: The Evolving Use of Encryption;
  • The Three-Legged Stool: Strict Standards for Vendors and Business Partners;
  • On the Road Again: Personal Information and the Telecommuter’s Way of Life;
  • In Case of Emergency: Having a Plan for a Worst-Case Scenario;
  • It’s a Small World: Developing Privacy Procedures for Home and Abroad;
  • Building a Better Mousetrap: Keeping Pace with Privacy Management Technologies;

This article concludes by saying that “Privacy is a mainstream business issue. These eight areas deserve more than a check-the-box exercise. Each one should be addressed as part of the comprehensive, deliberate management of privacy risk and compliance. Founded on policy and governance, an effective privacy program relies on controls, monitoring, compliance activities and other assurances to keep an effective operation in place.”

I really tend to agree with this point: in my view, identities and privacy should increasingly be considered key “enterprise assets” and addressed from an “enterprise risk and compliance management” perspective (also see a related post of mine, here).

--- NOTE: my original HP blog can be found here ---

Monday, December 24, 2007

Identity Management 2007: A Year in Review

2007 is drawing to a close. This has been an interesting but also frustrating year for Identity Management. Here are some thoughts and highlights of what happened:
  • Consolidation of Identity Management in Enterprises: Identity Management has gone through further consolidation in enterprises. In my view, there has been no major news or proposals in this space, apart from the maturation of IdM offerings in the space of “Auditing and Compliance Management”. In this context we also saw a growing interest in solutions in the space of Role Discovery/Mining and Role Management;
  • Federated Identity Management: solutions in the space of Federated Identity Management have further matured, with various proposals and options both in “client-driven” and “service-driven” scenarios. This includes Liberty Alliance and Web 2.0/Identity 2.0 solutions, such as Microsoft CardSpace, OpenId, Higgins, etc. Despite this, there is still confusion in the market in terms of ways to move forward, due to (partially) competing proposals, lack of critical mass (in terms of adoption) and weak business opportunities for Identity Providers;
  • Privacy Management: this has been another interesting year for privacy and privacy management. There is no doubt that privacy and privacy management are recognised as important aspects of identity management (and have strong backing from a legislative side): however, despite the increased number (and gravity) of identity thefts and “identity accidents”, very few Identity Management suites yet provide integrated privacy management/enforcement solutions/capabilities. The current focus is still on auditing and compliance checking approaches (for the law compliance reasons mentioned above) that, in my view, only partially address the privacy problem. There has been a first step towards a more systemic Identity Governance Framework, with the IGF proposal (in the context of Liberty Alliance and Openliberty) putting privacy enforcement at the centre of processes involving access to and manipulation of personal data;
  • Identity Management beyond Management of People’s Profiles: during 2007 we saw the first steps/attempts to extend “identity management” from the traditional, centralised management of people’s identity attributes (and their rights/permissions) to include the management of device/system identities, and to explore distributed/delegated approaches to the management of identities. This includes work done in the context of Liberty Alliance, with the Identity Capable Platform initiative, R&D done on device-based identity management, various initiatives involving Network-based Access Control (NAC) and attempts to integrate this with identity management solutions at higher levels of abstraction;
  • Business-driven Identity Management: I believe that 2007 has been the turning point in realising that Identity Management is not only about self-standing technological solutions but must also be considered in an overall business context, and as such it is a matter of strategic business decisions. Apart from the existing influence of legislation and laws, we also saw a growing interest in revisiting Identity Management in the context of ITIL (from a service management perspective) and Risk Management (from a security management perspective). Despite being at the beginning of a long evolution process, ITIL and Risk Management will impact and reshape Identity Management, at least in an enterprise context;
  • Identity as a Service: during 2007 we also saw the first steps towards “Identity as a Service”, driven by a growing interest, within enterprises, in SOA and Web 2.0. This area is just at the beginning: it is going to be interesting to explore and contribute to its development in the coming years.

Sunday, December 23, 2007

Who Am I?

Well, on the Web this also depends on the search engine …

As a simple test, I searched (on 23 December 2007) for my surname, “casassa mont”, by using three popular search engines:
  • Google: 5470 results
  • Microsoft MSN: 15900 results
  • Yahoo: 5070 results

Quite interestingly, Microsoft MSN indicates a (potential) number of findings 3 times greater than the ones provided by Yahoo and Google … The ratio is pretty much the same for a more specific search, for “marco casassa mont”:

  • Google: 3960 results
  • Microsoft MSN: 9940 results
  • Yahoo: 3790 results

In this simple test, these search engines provide consistent information about my “web profile”: MSN also includes some oddities, that is, specific findings not immediately spotted by the other two search engines. Of course I didn’t check all the findings, just the first 30 …

Just wondering about the impact that “Consent and Privacy Management” could have on “digital personae”, in the context of the web and search engines …


Friday, December 21, 2007

Coming Conferences on Identity and Privacy Management

Here are a few conferences related to the Identity and Privacy Management topics whose paper submission deadlines are in January and February 2008:
  • SEC 2008 23rd International Information Security Conference, Co-located with IFIP World Computer Congress 2008, Milan, Italy, September 8-10, 2008. (Submissions due 10 January 2008)
  • IFIP-TM 2008 Joint iTrust and PST conferences on Privacy, Trust Management and Security, Trondheim, Norway, June 18-20, 2008. (Submissions due 11 January 2008)
  • UPSEC 2008 Workshop on Usability, Psychology, and Security, Co-located with the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI 2008), San Francisco, California, USA, April 14, 2008. (Submissions due 18 January 2008)
  • CARDIS 2008 8th Smart Card Research and Advanced Application Conference, Royal Holloway, University of London, Egham, Surrey, UK, September 8-11, 2008. (Submissions due 15 February 2008)
  • IFIP-DAS 2008 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK, July 13-16, 2008. (Submissions due 20 February 2008)
  • SHPCS 2008 Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2008 International Conference on High Performance Computing & Simulation (HPCS 2008) and the 22nd European Conference on Modelling and Simulation (ECMS 2008), Nicosia, Cyprus, June 3-6, 2008.
  • SOUPS 2008 Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 23-25, 2008. (Submissions due 29 February 2008)

Wednesday, December 19, 2007

Are Kids the New Targets of Identity Thefts?

A recent article, titled “Children Becoming Prime Identity Theft Targets”, reports the findings of a recent study by the Identity Theft Resource Center:

“According to a recent study by the Identity Theft Resource Center, based in San Diego, the theft usually takes place early in the child’s life. The researchers found that, in 54 percent of the cases, the theft took place before the child was six years old. The study also found that, while parents or other relatives were the most likely perpetrators, other identity thieves increasingly target children for one simple reason. It’s easy to do, and to get away with for long periods of time before discovery.”

This article also highlights that:

“Of the more than 255,000 identity theft complaints received in 2005 by the Federal Trade Commission, five percent involved people 18 or younger, an increase from three percent in 2003.”


Sunday, December 16, 2007

Liberty Alliance’s Advanced Client 1.0 - Final Specifications

The Liberty Alliance’s “Advanced Client v1.0” Final Specification set has been released publicly and can be found here.


Thursday, December 13, 2007

UK Information Commissioner’s Office (ICO): Call for Privacy Impact Assessment

A recent ICO press release (11 December) reveals that:

“At a surveillance conference in Manchester the ICO will say that the breach at HM Revenue and Customs was a watershed and will call for organisations to implement new safeguards to help protect individuals’ privacy. The UK’s first privacy impact assessment handbook will be launched to help organisations address the risks to personal privacy before implementing new initiatives and technologies. By carrying out a privacy impact assessment organisations will also increase public confidence in data collection”

This Privacy Impact Assessment (PIA) handbook has now been released and it is available online, here.


Tuesday, December 11, 2007

W3C PLING Interest Group: Wiki site is now up and running …

The Wiki site of the W3C Policy Languages Interest group (PLING) is now up and running. Feel free to subscribe and add your contributions.

As anticipated in a previous post of mine, the current discussion topics are:

1) Use-cases involving the usage of policies in various scenarios, pros and cons of adopted policy frameworks, pain points, issues and recommendations

2) Review of Policy languages and frameworks that are currently used in the industry and research


Sunday, December 9, 2007

Evolution of Identity Management

Jon Oltsik, in his blog post, “Redux in the Identity Management Market”, provides a concise and interesting account of the evolution of Identity Management, from initial start-ups, consolidation by large corporations and back again to start-ups, in some “hot” areas (such as governance, role management, network-based Identity Management, etc.).

Interestingly, he does not mention potential future evolutions of Identity Management in two areas: “Identity as a Service” and Identity Management for (Enterprise) Web 2.0.

He predicts more M&As and specializations in the Identity Management space in the months to come.


Friday, December 7, 2007

W3C Policy Language Interest Group (PLING): Discussion Topics …

The W3C Policy Language Interest Group is now ready to start discussions on policy related topics. Of course, if you are interested in this topic, feel free to join the public mailing list.

The PLING team contacts (Thomas and Rigo), Renato and I have received a few (off-line) emails asking for more information about PLING's next steps and discussion topics.

Given the PLING Charter, we suggest starting the discussion with these two key topics:

1) Use-cases involving the usage of policies in various scenarios, pros and cons of adopted policy frameworks, pain points, issues and recommendations

2) Creating a list of known policy languages & frameworks that are currently used in industry, academia, etc. and/or are of relevance to the audience

Topic 1 aims at sharing practical experiences in using policies in a variety of contexts, along with any issues and requirements. The goal is to create awareness of important (and/or common) use-cases, limitations and needs.
Please notice this is NOT a discussion about specific policy language features.

Topic 2 aims at creating a list that "maps" the current "policy language" space, by clearly identifying policy languages and frameworks that the audience uses and/or believes are of some relevance.

Of course these two topics are not independent: discussions and contributions are really welcome on both themes.

The PLING team is also exploring the usage of a W3C Wiki site to record various discussions and contributions. More information on this aspect will follow.

We would also like to encourage the members of this mailing list to publicly introduce themselves by sharing their affiliation, interests, what they would like to get from this IG and/or how they would like to contribute (thanks to those who have already done it!).


Wednesday, December 5, 2007

ENISA Position Paper – Reputation-based System: a Security Analysis

A new Position Paper has been released by ENISA, titled “Reputation-based System: a Security Analysis”:
“This paper aims to provide a useful introduction to security issues affecting Reputation-based Systems by identifying a number of possible threats and attacks, highlighting the security requirements that should be fulfilled by these systems and providing recommendations for action and best practices to reduce the security risks to users. … This paper is aimed at providers, designers, research and standardisation communities, government policy-makers and businesses.”

It provides an introduction to reputation-based systems and their significant use-cases. It then analyses the related key threats and security requirements. Finally, it provides recommendations and concluding remarks.

The Identity Management Community might be interested in this paper given the role that identity management and privacy have in reputation-based systems and the fact that these systems are affected by and affect identities.


Monday, December 3, 2007

UK Personal Data for Sale on the Internet …

A recent article in “The Times” (authors: Alexi Mostrous and Dominic Kennedy), titled “Websites Sell Secret Bank Data and PINs”, reveals how journalists easily managed to obtain identity information about UK citizens on the Internet, for free, offered as “tasters”:

“Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog.
Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow.
Richard Thomas, the Information Commissioner, will begin an investigation into the security breach today and Scotland Yard is also investigating. Experts said that the findings suggested that more personal data than ever before was going astray. The Times found: More than 100 websites trafficking British bank details; A fraudster offering to sell 30,000 British credit card numbers for less than £1 each; A British “e-passport” for sale, although the Government insists that they are unhackable. …”
