Research on Security and Identity Management (by Marco Casassa Mont) : privacy management

Twitter and its Privacy and Identity Management Implications

marcocasassamont — Thu, 12 Mar 2009 09:33:00 GMT

I recently started using Twitter (my link: http://twitter.com/MCasassaMont).

Twitter it getting more and more popular within (and across) organisations in particular for geographically distributed teams, to share their activities and whereabouts.

I am interested to better understand this tool, in particular in terms of its identity and privacy implications and long term repercussions for individuals and organisations.

I see some interesting research to be potentially carried out in the context of the Identity Analytics R&D project at HP Labs and UK TSB EnCoRe project.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

2009-2010: Predictions about Identity and Privacy Management

marcocasassamont — Mon, 29 Dec 2008 16:02:00 GMT

During the next two years (2009-2010), the Identity and Privacy Management areas are going to be subject to the consolidation and cost cutting trends that are already happening in security and, more in general, in IT.

In my view investments in Identity Management (IdM) are going to be very pragmatic, also driven by the need to: manage a very "variable" workforce; cope with an increase of internal enterprise reorganizations and consolidations; deal with an increased number of identity thefts and related attacks.

As such I believe that the IdM areas that will get most of the market attentions are going to be in the areas of:

Entitlement management (and automated user provisioning)
Enterprise SSO
Authentication strategies

I don't believe that client-based federated identity management and advanced authorization solutions will be driving the Identity Management space, during this period of time.

From a Privacy Management perspective, I still believe that most of the action will happen in R&D contexts.

Of course, this is my view, based on some evidence and intuitions. I would be interested in getting your opinions.

I am also planning to compile a list of world-wide R&D projects and (industrial/university-based) R&D activities in the space of Identity and Privacy Management. I will post information about this. Of course, feel free to send me your input and relevant URLs.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Built-in Data Loss Prevention and Analogy with Privacy Management

marcocasassamont — Fri, 05 Dec 2008 13:51:00 GMT

I have just read this interesting article, called "Microsoft, RSA Partner to Develop Next-Gen data Loss Prevention", by Lawrence Walsh:

"The alliance between Microsoft and RSA will move data loss prevention technology into the fabric of the IT infrastructure and improve protection by associating data with identities and classifications. Analysts are already calling the idea a "game changer.""

The main message I got is that we need to move away from bolt-on solutions, towards "built-in DLP approaches". I tend to agree with this approach, despite being much harder to achieve.

This has some interesting analogies with privacy and the way privacy management is currently carried out, at least with most of current privacy-enhancing technology (PET) approaches. I believe that we need to move toward built-in approaches too, that require deep understanding of the interconnections with the relevant "IT infrastructure fabric", related business processes (and needs), along with involved risks and their potential impact.

So, I believe this is something to consider very carefully, for example, in the context of the "Consent and Revocation Management" R&D area, within the TSB EnCoRe project.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Survey: Only Eight Percent of American are “Very Confident” their Personal Data is Properly Managed

marcocasassamont — Wed, 16 Jul 2008 16:08:00 GMT

This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called "Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments"):

"Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as in follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with."

Even more interesting is this statement, mentioned by the above article:

"Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall, now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identify and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it."

Well, I just partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but this is just one step towards really ensuring that personal and confidential data is managed according to legislation and users' preferences.

First of all, most of current IdM solutions are not really privacy-aware and/or do not provide privacy enhancing capabilities (e.g. privacy-aware access control) - aspects that are at the base for preventing that PII data is accessed and used beyond agreed purposes and for the wrong intents ... Secondly, IdM solutions can address the problem till at one point if accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen ...

So, the other part of the story, for the enterprise, is putting in place proper "data governance processes" and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (that should be carried out before deploying any "control point" in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions ...

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Liberty Alliance releases the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications

marcocasassamont — Mon, 23 Jun 2008 16:58:00 GMT

Today, Liberty Alliance has publicly announced the release of the Identity Assurance Framework (IAF) and Identity Governance Framework (IGF) Specifications:

"Liberty Alliance, the global identity community working to build a more trust-worthy internet for consumers, governments and businesses worldwide, today announced an industry milestone in driving trust and privacy into enterprise and identity-enabled applications based on the release of the Liberty Identity Assurance Framework (IAF) and the Liberty Identity Governance Framework (IGF). Today’s news is the result of the collaborative development of standardized frameworks and technologies designed to meet cross-industry requirements for policy-based security and privacy systems, with a focus on streamlining the establishment and management of identity and trust across user-driven applications and networks."

I believe this is a first, important steps towards providing a more systemic approach to assurance and privacy management in complex organisational (and cross-organisational) contexts.

More details can be found in the Liberty Alliance’s announcement, here.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---