Research on Security and Identity Management (by Marco Casassa Mont) : identity management

Research on Security and Identity Management

marcocasassamont — Fri, 09 Oct 2009 17:22:00 GMT

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has been involving a variety of aspects, including security, identity management and privacy.

Most of my posts have actually been reflecting this - hence my decision to update my blog. Hope this will further increase the community of people that are interested and follow my blog.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

marcocasassamont — Mon, 29 Jun 2009 22:30:00 GMT

I recently attended the EEMA e-Identity Conference, in London, 25-26 June 2009. There have been interesting presentation and good talks.

I also gave a presentation on "The Future of Identity in the Cloud: Requirements, Risks and Opportunities":

"This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs' perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.

The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a close & controlled approach (within enterprises) to potentially, on-the-fly composable and customisable services, in the Cloud.

Use cases are introduced to illustrate "common" usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks to the weakest points in the service provisioning chain and identity thefts.

This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).

I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).

The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs' medium and long-term vision about how the underlying Cloud infrastructure is going to evolve along with its implication in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environment (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations to evaluating and predicting the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Twitter and its Privacy and Identity Management Implications

marcocasassamont — Thu, 12 Mar 2009 09:33:00 GMT

I recently started using Twitter (my link: http://twitter.com/MCasassaMont).

Twitter it getting more and more popular within (and across) organisations in particular for geographically distributed teams, to share their activities and whereabouts.

I am interested to better understand this tool, in particular in terms of its identity and privacy implications and long term repercussions for individuals and organisations.

I see some interesting research to be potentially carried out in the context of the Identity Analytics R&D project at HP Labs and UK TSB EnCoRe project.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

2009-2010: Predictions about Identity and Privacy Management

marcocasassamont — Mon, 29 Dec 2008 16:02:00 GMT

During the next two years (2009-2010), the Identity and Privacy Management areas are going to be subject to the consolidation and cost cutting trends that are already happening in security and, more in general, in IT.

In my view investments in Identity Management (IdM) are going to be very pragmatic, also driven by the need to: manage a very "variable" workforce; cope with an increase of internal enterprise reorganizations and consolidations; deal with an increased number of identity thefts and related attacks.

As such I believe that the IdM areas that will get most of the market attentions are going to be in the areas of:

Entitlement management (and automated user provisioning)
Enterprise SSO
Authentication strategies

I don't believe that client-based federated identity management and advanced authorization solutions will be driving the Identity Management space, during this period of time.

From a Privacy Management perspective, I still believe that most of the action will happen in R&D contexts.

Of course, this is my view, based on some evidence and intuitions. I would be interested in getting your opinions.

I am also planning to compile a list of world-wide R&D projects and (industrial/university-based) R&D activities in the space of Identity and Privacy Management. I will post information about this. Of course, feel free to send me your input and relevant URLs.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article: Changing business landscape makes IAM key to IT Security

marcocasassamont — Wed, 19 Nov 2008 17:24:00 GMT

Here is a recent, interesting article, called "Changing business landscape makes identity and access management key to IT security":

"In an age of significant layoffs and corporate restructuring, the burgeoning problem of identity and access management for IT operations and data centers has escalated into a critical security issue. Managing who gets access to which resources for how long - and under what circumstances - has become a huge and thorny problem. Improper and overextended access to sensitive data and powerful applications can cause massive risk as many employees find themselves in flux."

This article provides some excerpts from a discussion with Dan Rueckert (worldwide practice director for security and risk management in HP's Consulting and Integration group); Archie Reed (distinguished technologist in HP's security office in the Enterprise Storage and Server Group), and Mark Tice (vice president of identity management at Oracle).

Part II: On Applying Modelling and Simulation Techniques to Identity Management

marcocasassamont — Fri, 14 Nov 2008 09:13:00 GMT

Thanks to the readers that sent comments to me (interestingly, by email ...), about my previous post on "Applying Modeling and Simulation techniques to Identity Management". Feel also free to post your comments directly on the blog.

An interesting question I received was about the overall scope of the R&D work on Identity Analytics, i.e. if it only strictly applies to the Identity Management space.

I would say that the scope is wide. The goal is to include also economics aspects, people's behaviours, privacy and privacy management elements along with any IT and business aspects of relevance for the analysed scenario/case study. Our models and simulations indeed represent the (risk mitigation) effects of identity controls: they do it in the context of the scenario of interest, by including the representation of involved processes, data storage, information flows along with relevant applications and services.

The outcomes of our models can vary, depending on the questions we want to answer, such as ROIs in using specific IdM solutions, trade-offs in investments, impact of controls and security on usability, etc.

Hope this answer the question.

Please have also a look at the Demos2k model attached to our recent HP Labs Technical Report HPL-2008-186, for a few illustrative examples of the above points.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

On Applying Modelling and Simulation Techniques to Identity Management

marcocasassamont — Fri, 07 Nov 2008 15:15:00 GMT

At HP Labs, within the "Identity Analytics" project, we are researching how to apply modeling and simulation techniques to the domain of Identity Management, to explore and predict:

the consequences of potential decisions made by decision makers (e.g. in terms of strategic policies and adoption of controls) on key aspects such as security risks, costs, impact on reputation, etc.;
the impact of identity management solutions on IT infrastructures, people and business contexts;
the implications of people behaviours on security and privacy aspects.

The aim is to help decision makers to assess the consequences of their decisions and explore investment trade-offs. In particular, assessing the impacts on security risks and costs is very important: given the current global financial situation, the "cost" dimension is going to play more and more a key role.

We published a few HP Labs Technical Reports to provide an overview of our R&D work, including HPL-2008-186 and HPL-2008-84. In particular, the most recent HPL-2008-186 report provides and example of a model (based on the Demos2K simulation framework) we used to carry out our simulations and trade-off analysis in a "data sharing collaborative scenario".

Many case studies can potentially be explored with our approach, including Web 2.0 collaborative services, access and protection of critical business applications and services, user account lifecycle management processes, data flows and lifecycle management, identity theft scenarios, etc.

I would be interested in discussing this topic with this community, in particular about related work and exploring any specific requirement or case study you might have in this space.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Research Study: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk

marcocasassamont — Wed, 05 Nov 2008 15:35:00 GMT

This interesting article, called "Identity Theft Risks: Huge Amount of Sensitive Data Still on Redundant Computer Hard Disk" provides an overview of a research study to be published soon - warning about the risk of data left on devices to be decommissioned:

"Ongoing research to be published in the International Journal of Liability and Scientific Enquiry suggests that there is a huge amount of sensitive data still on redundant computer hard disks. These devices are often disposed of or sold into the second-hand market by corporations, organizations, and individuals with the data intact. The report's authors say that this data represents a significant level of risk for commercial sabotage, identity theft, and even political compromise, and suggest that better education is essential to reduce the risk of harm. ...

The 2007 study is being made available in its entirety through the International Journal of Liability and Scientific Enquiry. The team is now completing the 2008 analysis and will announce those results shortly as well. However, the initial results for the 2008 study show that there is still a long way to go regarding the decommissioning of computer hard disk drives. The team expects that the complete 2008 study will be made available for publication by the end of the year."

This is an area where "classic" identity management (based on control points) shows its limits. The explicit management of IdM strategic policies, related processes and risks should be a key part of "identity management".

"Identity Analytics" could also be of some help here, to understand the implications of policies and possible strategic decisions (given specific IT and IdM frameworks), along with exploring investment trade-offs.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Identity Management in the Cloud

marcocasassamont — Thu, 02 Oct 2008 08:27:00 GMT

This article, called "ID Management In the World of Cloud Services" (and a related podcast) is quite interesting, as it is thought provoking.

The advent of cloud services and services on demand is indeed likely to change the identity management landscape: most of current identity management solutions are focused on the enterprise and/or a very controlled, static environment. User-centric identity management solutions (such as various federated identity management) also make some assumptions on the involved parties (e.g. SP, IdP parties) and their related services.

In a world where services are offered on demand, in the cloud and they can continuously evolve, some of these models are going to be challenged, for example, in terms of trust assumptions, privacy implications and operational aspects of authentication and authorization.

Is anybody aware of studies in this space? What is your view?

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Announcing EnCoRe (Ensuring Consent and Revocation): a new UK IT Collaborative Project

marcocasassamont — Fri, 19 Sep 2008 16:23:00 GMT

A new UK IT collaborative project has been officially announced: EnCoRe - Ensuring Consent and Revocation (some initial press releases: here and here):

"As more and more personal information flows from individuals to organisations when they interact online, people are becoming more and more concerned that they can not effectively control what this information is used for, with which other organisations it is shared, and where it is stored. They may have given their consent, often in vague terms and implicitly, for its use, sharing and storage, but they have no real control over the specifics of these, nor the ability to revoke their consent and be sure that their wish is respected. In summary, they are not able to control where their personal information flows to, and this makes them uneasy about interacting online.

The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again."

This £3.6m project consortium is multi-disciplinary, spanning across a number of IT and social science specialisms. The project partners are Hewlett-Packard Laboratories, HW Communications, QinetiQ, the London School of Economics, the Ethox Centre of the University of Oxford and the University of Warwick.

The EnCoRe project runs from June 2008 to November 2011. It receives funding from the UK Government's Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

On Gartner’s Magic Quadrant for Identity Management

marcocasassamont — Thu, 11 Sep 2008 11:54:00 GMT

You might be interested in having a look at Gartner's Magic Quadrants for Identity Management. In particular, a recent article (15 August 2008) published by Earl Perkins and Perry Carpenter focused on the "Magic Quadrant for User Provisioning":

"User provisioning delivers capabilities to manage users' identities across systems, applications and resources. Driven by compliance (security effectiveness) and security efficiency, the market is maturing, but identity governance and role-based access concerns raise new issues for customers."

On one hand this kind of reports provides good insights about the current state of the art (in this case about user provisioning). On the other hand, some criticisms have been given about the overall evaluation of current IdM solutions and their positioning in the "magic quadrant". For example, have a look at this article by Dave Kearns.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Coming Digital ID World Conference 2008, 8-10 September 2008

marcocasassamont — Tue, 26 Aug 2008 14:34:00 GMT

The Digital ID World Conference 2008 is going to take place in Anaheim, California on 8-10 September 2008. A complete agenda is available online. Some of the Keynotes include:

Identity Assurance: A Backbone for the Identity Marketplace, Peter Alterman, Assistant CIO for E-Authentication and Chair, US Federal PKI Policy Authority, National Institutes of Health; Andrew Nash, Senior Director, Information and Risk Management, PayPal; Frank Villavicencio, Director, Citigroup
Making Identity Work End to End, Craig Wittenberg, Architect, Microsoft
State of the Industry, Jamie Lewis, CEO & Research Chair, Burton Group
Have I Seen You Before? An Industry Discussion About User-Centric Identity, Kim Cameron, Chief Architect of Identity, Microsoft
On VRM and Identity, Doc Searls, Fellow, Berkman Center, Harvard Law School

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

New UK TSB Project: Developing the Next Generation of Identity Management Systems

marcocasassamont — Thu, 21 Aug 2008 17:28:00 GMT

As announced by this article, a new UK government-founded project is going to start in October, aiming at developing the next generation of identity management systems:

"A research project will see a team of experts team up for three years to develop the next generation of identity management systems.

The government-funded project will launch in October and will include academics from Cranfield University, Royal Holloway University of London, Salford University, Consult Hyperion and Sunderland City Council.

The research team will look at topics of privacy and consent for identity management, with the aim of helping people and organisations make well-informed judgements about their choice of online services, how they use them, and what information they give out.

"There is a concern that people aren't really clear about the value of their unique identity," said Debi Ashenden, Cranfield's lead researcher. "Our research will engage people in current debates about privacy and consent issues, find out how they think about their identity and what decisions they make. We hope the discussions will provide invaluable information to help develop new identity management tools."

The funding for the project is part of a £5.5m investment by the Technology Strategy Board (TSB), Engineering and Physical Sciences Research Council (EPSRC), and Economic and Social Research Council (ESRC). Two other identity management related projects will also be funded by the investment.

Andrew Tyrer, the TSB's lead for its network security innovation platform said this research will be key to "ensuring that the hardware and software required will meet public expectations about these important issues"."

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

An Essential Guide to Identity Management for IT Professionals

marcocasassamont — Tue, 19 Aug 2008 09:14:00 GMT

Ian Grant has recently published an article on ComputerWeekly.com, called "Identity Management: An Essential Guide for IT Professionals".

It is actually an overview of some IdM initiatives and related aspects (thanks for mentioning my blog when referring to HP's initiatives in the IdM space).

Is anybody aware of an online "Complete and Up-to-Date" Guide to Identity Management and various related initiatives?

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Survey: Only Eight Percent of American are “Very Confident” their Personal Data is Properly Managed

marcocasassamont — Wed, 16 Jul 2008 16:08:00 GMT

This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called "Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments"):

"Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as in follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with."

Even more interesting is this statement, mentioned by the above article:

"Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall, now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identify and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it."

Well, I just partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but this is just one step towards really ensuring that personal and confidential data is managed according to legislation and users' preferences.

First of all, most of current IdM solutions are not really privacy-aware and/or do not provide privacy enhancing capabilities (e.g. privacy-aware access control) - aspects that are at the base for preventing that PII data is accessed and used beyond agreed purposes and for the wrong intents ... Secondly, IdM solutions can address the problem till at one point if accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen ...

So, the other part of the story, for the enterprise, is putting in place proper "data governance processes" and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (that should be carried out before deploying any "control point" in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions ...

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---