Research on Security and Identity Management (by Marco Casassa Mont) : Data Privacy

Do Enterprises know where they store personal data?

marcocasassamont — Wed, 18 Mar 2009 10:03:00 GMT

Apparently most of enterprises don't, at least based on this survey, called "Safeguarding the Currency of Business", where they found that "71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored".

This has strong implications (among other things ...) from a privacy perspective, in particular from a consent and revocation management angle - as also currently highlighted in a recent HP Labs report of ours ("On the Management of Consent and Revocation in Enterprises: Setting the Context").

Hopefully we will explore how to tackle some of the related issues in the UK TSB EnCoRe project.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Research Study: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk

marcocasassamont — Wed, 05 Nov 2008 15:35:00 GMT

This interesting article, called "Identity Theft Risks: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk" provides an overview of a research study to be published soon - warning about the risk of data left on devices to be decommissioned:

"Ongoing research to be published in the International Journal of Liability and Scientific Enquiry suggests that there is a huge amount of sensitive data still on redundant computer hard disks. These devices are often disposed of or sold into the second-hand market by corporations, organizations, and individuals with the data intact. The report's authors say that this data represents a significant level of risk for commercial sabotage, identity theft, and even political compromise, and suggest that better education is essential to reduce the risk of harm. ...

The 2007 study is being made available in its entirety through the International Journal of Liability and Scientific Enquiry. The team is now completing the 2008 analysis and will announce those results shortly as well. However, the initial results for the 2008 study show that there is still a long way to go regarding the decommissioning of computer hard disk drives. The team expects that the complete 2008 study will be made available for publication by the end of the year."

This is an area where "classic" identity management (based on control points) shows its limits. The explicit management of IdM strategic policies, related processes and risks should be a key part of "identity management".

"Identity Analytics" could also be of some help here, to understand the implications of policies and possible strategic decisions (given specific IT and IdM frameworks), along with exploring investment trade-offs.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Gartner’s Report: Top Seven Cloud-computing Security Risks

marcocasassamont — Fri, 04 Jul 2008 12:45:00 GMT

I tend to agree with the outcomes of a recent Gartner’s Report on the top seven cloud-computing security risks. A related article, by Jon Brodkin, provides a nice overview and summary of the key taking points of this report:

“Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.” Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing,” Gartner says.” In particular I believe that the aspects related to “privileged user access”, “regulatory compliance” and “data location/data segregation/privacy management” are potential key issues that, if not properly addressed, can expose organizations (and users) to high risks.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Do CIOs care about Data Privacy?

marcocasassamont — Thu, 26 Jun 2008 17:23:00 GMT

Apparently they don't, at least based on a recent Ernst & Young report, whose outcomes have been summarised in this article written by Adrie van der Luijt :

“IT fraud and data privacy fail to sound the alarm for CIOs and internal audit chiefs, a survey shows. Sixty-five per cent internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business.

A survey, released by Ernst & Young, found that internal audit chiefs ranked corporate breaches and data privacy regulation sixth in their top ten IT risks for the organisation, while for CIOs it barely made it onto the list at just ninth.

In addition just 14 per cent of internal audit chiefs said that their staff had been trained in fraud investigation. …”

I would be interested in having a look at this survey, if only I could find a copy online …

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---