Research on Identity Management (by Marco Casassa Mont)

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

marcocasassamont — Mon, 29 Jun 2009 22:30:00 GMT

I recently attended the EEMA e-Identity Conference, in London, 25-26 June 2009. There have been interesting presentation and good talks.

I also gave a presentation on "The Future of Identity in the Cloud: Requirements, Risks and Opportunities":

"This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs' perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.

The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a close & controlled approach (within enterprises) to potentially, on-the-fly composable and customisable services, in the Cloud.

Use cases are introduced to illustrate "common" usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks to the weakest points in the service provisioning chain and identity thefts.

This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).

I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).

The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs' medium and long-term vision about how the underlying Cloud infrastructure is going to evolve along with its implication in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environment (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations to evaluating and predicting the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes

marcocasassamont — Mon, 29 Jun 2009 22:27:00 GMT

Another new HP Labs Technical Report has been recently released, called "Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes" (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):

"It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations' security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what- if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders"

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

New HP Labs Technical Report: Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks

marcocasassamont — Mon, 29 Jun 2009 22:22:00 GMT

A new HP Labs Technical Report has been recently released, called "Towards an Analytic Approach to Evaluate Enterprises' Risk Exposure to Social Networks" (authors: Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran):

"This paper aims at exploring the impact on enterprises of the adoption of Social Networks by employees. It analyses the risks that enterprises could face and suggests a methodology to answer questions, such as: what are the actual risks for an organization, given a specific context? How to assess these risks? What are the most significant approaches that can be taken to mitigate them? What are the financial and organizational implications for an organization in implementing any of the possible approaches?"

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

HP Labs - Second Annual Innovation Research Awards

marcocasassamont — Tue, 16 Jun 2009 16:04:00 GMT

HP Labs have announced the Recipients of the Second Annual Innovation Research Awards (http://finance.yahoo.com/news/HP-Announces-Recipients-of-bw-15522893.html?.v=1):

“Sixty projects from 46 universities in 12 countries will receive awards from HP Labs, the company’s central research arm. The program is designed to create opportunities for colleges, universities and research institutes to conduct breakthrough collaborative research with HP.

Building on the success of last year’s program, HP increased the number of projects it will fund by more than 30 percent – up from 45 projects at 35 institutions worldwide in 2008. Furthermore, given the significant contributions achieved in last year’s program – including 61 published papers and 13 invention disclosures – HP extended a second year of funding to 31 professors in 2009. …”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

W3C Policy Interest Group (PLING) Charter Extended

marcocasassamont — Tue, 16 Jun 2009 15:43:00 GMT

The W3C Policy Interest Group (PLING) Charter has been extended till 31 December 2009.

We are looking for additional case studies and requirements, in particular in emerging areas such as Cloud Computing and Social Networking.

Please share your thoughts, input and experience. Feel free to subscribe to the PLING mailing list to get periodic updates on discussions and topics of interest.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

A few Thoughts on Security Assurance …

marcocasassamont — Wed, 27 May 2009 13:50:00 GMT

Based on various interactions and discussions that I had with organizations, customers and various people, I understand that dealing with "Security Assurance" is currently a major concern and issue.

How can a CIO/CISO be sure that their organization is making the right bets on the right security investments? How to be sure that these investments are effectively addressing the right security issues (of relevance to the business), especially in an ever changing IT and social environment (with dynamic threat environments)? How to get proper feedback about the current, overall situation, have a reasonable understanding of involved risks and exposures and be in the position to make informed decisions?

This is actually a "recursive problem" involving various decision makers and managers in the organization ladder. It impacts their ability to define proper policies and protect organizational assets.

"Security Assurance" is of particular relevance in case of outsourcing and/or usage of services in the Cloud, when organization loses control on their IT stacks and related "control points". Just relying on contractual agreements and hoping that everything is going to be fine is not a satisfactory approach.

I do not think that current bottom-up "security monitoring" and risk assessment tools/solutions can address this kind of challenges. This is really and area open to contributions and innovation.

Incidentally, all the above points also apply to the "Identity Management" vertical (Identity Assurance ...).

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Part III: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

marcocasassamont — Wed, 27 May 2009 13:46:00 GMT

I am surprised by the number of people and organizations that have been asking me to give a rerun of the presentation on "The Future of Identity in the Cloud: Requirements, Risks and Opportunities" - that I previously gave at the Open Group Security Practitioners Conference, London, 27 April 2009.

A copy of this presentation is now available here, in my web page.

I am currently working on a new version of it (for the EEMA e-Identity Conference 2009), to keep into account recent developments and new interesting aspects/concerns related to Identity in the Cloud.

I still believe that "Security Assurance" is the hot topic for Cloud Computing and specifically "Identity Assurance" is a key concern for Identity in the Cloud.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

IEEE Policy 2009 – Call for Sponsorship

marcocasassamont — Mon, 04 May 2009 22:20:00 GMT

The IEEE Policy 2009 Symposium (http://www.ieee-policy.org/), to be held in London, UK, 20-22 July 2009, has now received the sponsorship of both IEEE Computer Society and IEEE Communication Society (technical co-sponsorship).

A draft program is also available at http://www.policy-workshop.org/program.html.

We are now looking for sponsors from the industry and academy. Have a look at the "Call for Sponsors" (http://www.policy-workshop.org/POLICY2009-CallForPatrons.pdf),

In case of interest, please contact mailto:ieeepolicy2009@googlemail.com?subject=POLICY+2009+Sponsorship.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Identity and Privacy Forum, 14-15 May 2009, London

marcocasassamont — Mon, 04 May 2009 22:16:00 GMT

This community might be interested in attending the Identity and Privacy Forum, London, 14-15 May 2009, http://www.identityandprivacy.com/

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Part II: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

marcocasassamont — Mon, 04 May 2009 22:07:00 GMT

The presentation on "The Future of Identity in the Cloud: Requirements, Risks and Opportunities" that I gave at the Open Group Security Practitioners Conference, London, 27 April 2009, is now available online, at http://www.opengroup.org/conference-live/ along with the ones of the other presenters (Security Plenary Presentation Section).

Thanks to the people who provided me with inputs and material about this topic.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

The Future of Identity in the Cloud: Requirements, Risks and Opportunities

marcocasassamont — Fri, 17 Apr 2009 14:14:00 GMT

I am preparing my presentation, called "The Future of Identity in the Cloud: Requirements, Risks and Opportunities" (http://www.opengroup.org/london2009-spc/mont.htm) for the coming Open Group Security Practitioners Conference, London, 27 April 2009.

In particular I am very keen in discussing current models and architectures underpinning both Cloud Computing and Identity in the Cloud, along with discussions of risks, issues and (users' and organisations') requirements.

This is a good opportunity to get additional input from this community, in particular related to Identity in the Cloud, if you have specific concerns, issues or you would like to share requirements.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

CfP for 5th ACM Workshop on Digital Identity Management – DIM 2009

marcocasassamont — Fri, 17 Apr 2009 14:12:00 GMT

The CfP of the 5^th ACM Workshop on Digital Identity Management, DIM 2009, is now available online: http://www2.pflab.ecl.ntt.co.jp/dim2009/

Please consider submitting a paper.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

BIdS 2009

marcocasassamont — Thu, 16 Apr 2009 15:44:00 GMT

The CfP of the first IEEE International Conference on Biometrics, Identity and Security is now available online: http://ieee-biometrics.org/bids2009/

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Cloud Security Alliance

marcocasassamont — Fri, 03 Apr 2009 09:38:00 GMT

You might be interested in knowing that a Cloud Security Alliance has been recently created and it will be launched at RSA.

I am interested in getting more details about their approach to handle IAM (and related issues) in the Cloud ...

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

The Economics of Identity and Access Management (IAM)

marcocasassamont — Fri, 20 Mar 2009 17:33:00 GMT

What are the Economics of Identity and Access Management (IAM)? This is a key area that needs to be explored, to really understand, from an economic perspective, the actual value that IAM provides to organizations based on its impact on aspects of relevance to decision makers (such as loss prevention and risk mitigation) and the threat landscape.

A few core aspects need to be researched:

1) What are the key "aspects/metrics" that characterize the impact of IAM investments on an enterprise, for example in terms of preventing/reducing losses? In a first analysis important "macro" aspects include: security breaches (B), productivity loss (P), compliance violations (C) and costs (K)...

2) How do these aspects/metrics relate to the basic IAM "levers" that decision makers (e.g. CIO/CISO/Risk Managers) can act on i.e. configuration, enforcement and audit reporting tools (compliance checking tools)? We need to capture the relevant causal dependencies, for example: what are the consequences and the impact of investing more on audit/compliance checking, rather than in configuration or enforcement? What are the consequences of acting on enforcement in terms of productivity and costs?

3) Which utility functions, U(B,P,C,K) can effectively model the impact of IAM (e.g. in terms of losses) on security breaches, productivity loss, compliance violations and costs by factoring in the investments in the "configuration, enforcement and audit" levers?

4) How to effectively use systems modeling to estimate these utility functions, by animating the causal dependencies and inter-relationships among these "levers" and their impact on metrics, inclusive of assumptions on the threat landscape?

So far I found very little literature and related work in this space - I would be keen to get any reference or link, if available.

I am going to pursue research in this space, in the context of the Identity Analytics activity (HP Labs Security Analytics project, Systems Security Lab), as I believe this (as for the Economics of Privacy and the Economics of Information Security) can:

- provide a more rational way to describe and analyse the impact and value that IAM actually offers to organizations;

- provide key decision makers with a decision support tool that operates at their level of abstraction.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---