Research on Security and Identity Management (by Marco Casassa Mont) : risk management

ENISA Cloud Computing Risk Assessment Report

marcocasassamont — Fri, 20 Nov 2009 18:35:00 GMT

ENISA has recently released three documents related to Cloud Computing, all of them available online:

Enjoy.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article: Changing business landscape makes IAM key to IT Security

marcocasassamont — Wed, 19 Nov 2008 17:24:00 GMT

Here is a recent, interesting article, called "Changing business landscape makes identity and access management key to IT security":

"In an age of significant layoffs and corporate restructuring, the burgeoning problem of identity and access management for IT operations and data centers has escalated into a critical security issue. Managing who gets access to which resources for how long - and under what circumstances - has become a huge and thorny problem. Improper and overextended access to sensitive data and powerful applications can cause massive risk as many employees find themselves in flux."

This article provides some excerpts from a discussion with Dan Rueckert (worldwide practice director for security and risk management in HP's Consulting and Integration group); Archie Reed (distinguished technologist in HP's security office in the Enterprise Storage and Server Group), and Mark Tice (vice president of identity management at Oracle).

Part II: Risk Management for Unstructured Data in Enterprises

marcocasassamont — Thu, 04 Sep 2008 13:09:00 GMT

In a recent post published on the Netweaver Identity Manager Weblog, the author has made a few comments about my post on "Risk Management for Unstructured Data in Enterprises" (well, actually the published URL to my post is apparently broken ...).

Thanks for this input, in particular about three main points that I (tried to) summarise as it follows:

1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition ...)

2) Narrowness of perception of approaches and incompleteness of my list of required solutions

3) Availability of comprehensive methodology for implementing enterprise wide risk management

About point 1), this looks pretty much a philosophical discussion. No doubt that, at the end, we talk about information that has some sort of structure (well, an email has a header, a body with some texts and attachments; a document is made of paragraphs or lines of text; ...). However, the (maybe over-hyped) "unstructured data" term is currently used to (a) identify specific types of information and (b) contrast it against classic "structured data" (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology ...

Back to the key point, recent reports (including the Ponemon Institute's survey on "Governance of Unstructured Data" and other market and research reports) indeed highlight that the management of unstructured data in enterprises is a raising concern for enterprises, both in terms of governance and risk management. I think this is what really matters - independently from the terminology.

No doubt that classification of data is an important point, especially if you ever manage to "find" where this "unstructured data" is, within a complex enterprise environment ... I would say that, given the particular nature of "unstructured data", a preliminary "data discovery" phase might be required, indeed followed by a classification and assessment of its value (considering though, that the value of some of this information might also come from aggregations and correlations ...).

About point 2), by no means my post was meant to provide a definitive or comprehensive assessment and answer to the problem of information risk management or, more specifically, on "unstructured" information risk management. It was just a statement of some "desirable" properties and capabilities that I would like to see (and I know it would be of some help to customers ...).

I am well aware of the complexity of the overall (security) "enterprise risk assessment and management" problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.

(Security) risk assessment and management techniques/methodologies/frameworks and standards/etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These "standards" provide guidelines and criteria to be carefully refined, grounded and contextualized in various "operational" realities, along with some good, common sense ...

So, no doubt that there are already "comprehensive methodology for implementing enterprise wide risk management", at least from a consulting perspective, but this was not my main point.

My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.

An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on "Identity Analytics" that I mentioned a few times - to see what I mean, in more details (at least from an "IdM perspective").

Specifically, one of my R&D interests is in "(semi-) automation" tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment & management activities. This includes providing decision support and "what-if analysis", involving modeling and simulation, providing trade-off analysis, etc.

Given the complexity of this space, I deliberately focused on the aspect of "management of unstructured data" and the IdM perspective, well conscious this is just a part of the overall problem and space.

I hope I clarified this point.

About point 3), no doubt about this, as I mentioned above.

However the statement that "comprehensive methodology for implementing enterprise wide risk management is done" sounds (at least to me) sounds a little bit abstract to me ...

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company ...:-)).

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Risk Management for Unstructured Data in Enterprises

marcocasassamont — Mon, 01 Sep 2008 16:21:00 GMT

In the context of the HP Labs' Security and Identity Analytics project I have been investigating the implications of "unstructured data" (i.e. emails, documents, multimedia files, pages in data sharing sites, messages exchanged with Instant Messaging tools, blog posts, data mash-ups, etc.) within organizations, along with how to explain and predict involved risks and explore the consequences of related security (policy) choices.

Is "unstructured data" really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.

The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.

Most of the current approaches (I am aware of), that mitigate some of the involved risks, are based on traditional IT security and identity "control points" (such as access control, interception points, complex document lifecycle management tools, etc.), addressing "point problems".

I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (3) explore trade-offs.

So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

The Future of Identity Management? It is all about Managing Risk …

marcocasassamont — Sat, 28 Jun 2008 17:57:00 GMT

As I have been posting for a while, I believe that Identity Management will evolve, during the next few years, from a pure “control point and compliance”-based approach towards an approach that will increasingly factor in the management of Risk.

Decision makers (CIOs, CISOs, etc.) are shifting from a “compliance management” mentality to a “risk management” mentality, when making investment decisions on IT security solutions. Their investment decisions (including the ones on Identity Management) are going to be increasingly questioned, due to the shrinking of resources available. Hence the need to prioritise based on real business objectives and needs.

I am glad that Burton Group is now making some statements in the same direction, as it is possible to evince from this article:

“Identity management is evolving to include a closer recognition of risk and how to manage it rather than trying to eliminate it using technology, according to the head of the Burton Group consulting firm.

“Companies are looking at controls from a risk perspective instead of trying to control everything,” said Jamie Lewis, CEO of the Burton Group during the opening day of the firm’s annual Catalyst Conference. “It is about people managing risk and not about technology trying to make risk disappear.””

I believe there is a whole new set of research and commercial opportunities in this space (i.e. beyond compliance management and control points), whilst traditional Identity Management solutions are becoming more and more a commodity.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article: “50 Ways to Take Back Control of Your Personal Data”

marcocasassamont — Wed, 11 Jun 2008 15:56:00 GMT

Have a look at this very interesting article, called “50 Ways to Take Back Control of Your Personal Data”, by InsideCRM providing a useful list of tips and “common sense” (but quite often forgotten …) ways to protect your personal data, maintaining degrees of control on it and reduce your risk exposure to identity thefts, financial losses and other crimes. These tips are organised by categories, in terms of:

Web Privacy
Credit and Finance
General Privacy
Cell Phones and Online Phone Services
Rules to follow to Protect Your Privacy
Tools and tips

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---