As announced in a recent press release, HP Labs is opening research opportunities to academia:
“HP today made it possible for colleges, universities and research institutions worldwide to participate in joint research with HP Labs, the company’s central research facility, through an open and competitive process.
The new HP Labs Innovation Research Program invites the worldwide academic community to submit proposals related to current research in the areas of information explosion, dynamic cloud services, content transformation, intelligent infrastructure and sustainability.
The program is the first offering of the HP Labs Open Innovation Office, which was established earlier this year as part of HP Labs’ new approach to research. The office is responsible for deepening HP Labs’ strategic collaborations with academia, the government and the commercial sector to produce mutually beneficial, high-impact research. …
Program guidelines and the online submission tool are available at www.hpl.hp.com/open_innovation/irp. Proposals will go through an extensive review process within HP Labs. Selected winners will be notified in late 2008.”
--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---
Posted by Marco Casassa Mont on Wednesday, May 07, 2008 at 9:20:00 PM
A new HPL Technical Report, “On Identity-aware Devices: Putting Users in Control across Federated Services”, has recently been published:
“This paper describes R&D work on "Identity-aware Devices", in the context of federated services. The aim is to put users in control of their credentials and identities and enable simple, secure, trustworthy and transparent access to federated services. Current users' experience in networked and federated services is difficult and painful, especially when using mobile devices (e.g. mobile phones, laptops, PDAs, etc.): users need to contact online service providers and authenticate against them; additional credentials might be issued and required to access services; credentials need to be stored in a safe and secure place. Users have little control over the release of their identity information and related processes. A solution to address these issues is presented, based on the concept of "Identity-aware Devices" and federated "Provisioning Services". "Identity-aware Devices" leverage trusted modules and are driven by policies and users' preferences. Part of this work has been carried out in the context of a Liberty Alliance initiative, in collaboration with BT and Intel teams, aiming at driving the next generation of interoperable identity solutions. A full working prototype has been developed and successfully demonstrated in a joint project. This is work in progress. Next steps and plans are presented and discussed.”
Authors: Casassa Mont, Marco; Balacheff, Boris; Rouault, Jason; Drozdzewski, Daniel
Posted by Marco Casassa Mont on Thursday, May 01, 2008 at 8:53:00 PM
I found a recent Wall Street Journal article, “Are your Medical Record at Risk” (by Sarah Rubenstein), very interesting. It provides good insights into the trade-offs the healthcare industry makes when weighing privacy against quality of care:
“When it comes to protecting the privacy of patients' computerized information, the main threat the health-care industry faces isn't from hackers, but from itself …”.
The article focuses on the US situation, but some of the points it raises may also be of concern in other countries …
Posted by Marco Casassa Mont on Tuesday, April 29, 2008 at 8:19:00 PM
Most current work in the Identity Management space concerns “operational” identity management, i.e. systems and solutions that provide security control points to be deployed within an IT infrastructure.
In addition, IdM solutions in the space of “compliance management” will also have to come to terms with the current shift towards “risk management”, where decision makers/CISOs/CIOs are more and more heavily scrutinising their security investments and making their investment bets based on priorities and actual risks.
I believe that an important “next step” in the Identity Management space is going to be towards “Identity Analytics” and related “Identity Risk Management”.
Here are a few interesting research questions in the “Identity Analytics” space:
- What are the basic principles that underpin and characterize an enterprise’s identity and privacy management processes (and the related human behaviours), and what is their impact on organizations?
- How to abstract them with models and ways to generate predictions (e.g. with simulation tools) that can be leveraged by decision makers/CISOs/CIOs?
- How to enable decision makers/CISOs/CIOs to better understand (in advance) the impact and implications of their decisions in terms of security risks, costs and potential losses, impact on reputation, etc.?
Posted by Marco Casassa Mont on Monday, April 28, 2008 at 8:37:00 PM
This community might be interested in knowing that the Call for Papers for the 24th Annual Computer Security Applications Conference (ACSAC 2008) is now available online. The submission deadline is June 1st:
“ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Papers offering novel contributions in any aspect of computer and application security are solicited. Papers may present technique, applications, or practical experience, or theory that has a clear practical impact. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application.
Topics of interest include, but are not limited to:
- Access control
- Applied cryptography
- Audit and audit reduction
- Biometrics
- Boundary control devices
- Certification and accreditation
- Database security
- Defensive information warfare
- Denial of service protection
- Distributed systems security
- Electronic commerce security
- Enterprise security
- Forensics
- Identification and authentication
- Identity management
- Incident response planning
- Information survivability
- Insider threat protection
- Integrity
- Intellectual property rights protection
- Intrusion detection
- Malware
- Mobile and wireless security
- Multimedia security
- Operating systems security
- Peer-to-peer security
- Privacy and data protection
- Product evaluation criteria and compliance
- Risk/vulnerability assessment
- Secure location services
- Security engineering and management
- Security in IT outsourcing
- Service Oriented Architectures
- Software assurance
- Trust management
- Virtualization security
- VoIP security”
Posted by Marco Casassa Mont on Tuesday, April 22, 2008 at 8:26:00 PM
A recent press release issued by Liberty Alliance announced the first of three webcasts from its 2008 Privacy in Perspective series:
“Taking place at 8:00am US PT (3:00 UTC) on Wednesday, April 16, the public event is hosted by Robin Wilton, Corporate Architect for Federated Identity, Sun Microsystems and co-chair of the Liberty Alliance Public Policy Group. The webcast will review findings and next steps from the ongoing series of global Liberty Alliance privacy summits held so far in Basel, Berlin, Brussels, London and Washington DC.
"The Liberty Alliance privacy summits bring privacy stakeholders from the global commercial, academic, legal and public sectors together to address privacy concerns and discuss possible solutions," said Wilton. "The April 16 webcast will showcase lessons learned during the summits to help organizations remove obstacles to a productive, multi-stakeholder discussion about privacy issues."”
The registration site for this privacy summit is available here.
Published findings from previous Liberty Alliance’s Privacy Summits are available here.
Posted by Marco Casassa Mont on Tuesday, April 15, 2008 at 8:19:00 PM
The call for papers for the International Workshop on Security and Privacy in Enterprise Computing (InSPEC 2008) is now available online.
The workshop will be held in conjunction with IEEE EDOC 2008. Please consider submitting a paper. The deadline is June 13, 2008:
“Several technologies have emerged for enterprise computing. Workflows are now widely adopted by industry and distributed workflows have been a topic of research for many years. Today, services are becoming the new building blocks of enterprise systems and service-oriented architectures are combining them in a flexible and novel way. Business applications, such as Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Supplier Relationship Management (SRM) systems form the core of enterprise systems. In addition, with wide adoption of e-commerce, business analytics that exploits multiple, heterogeneous data sources have become an important field. These technological trends are accompanied by new business trends due to globalization that involve innovative forms of collaborations such as virtual organizations. Further, the increased speed of business requires IT systems to become more flexible and highly dynamic.
All of these trends bring with them new challenges to the security and privacy of enterprise computing. We are increasingly relying on IT systems for our daily business including essential utilities such as water and power. The traditional forms of computer security need to be enhanced to address the distributed nature and multiple administrative domains of conducting business. For example, algorithms for incorporating the new business practices need to be identified for access control. Similarly, data confidentiality cannot be provided on the network layer anymore, it needs to be built into applications and processes that span across various domains. The enhanced data sharing calls for innovative algorithms and protocols. Novel cryptographic techniques need to be developed and established ones evaluated for industrial adoption. In addition to the security measures, this new generation of distributed systems requires techniques for ensuring compliance with regulations on governance and privacy of data, including those asserted by government and regulatory agencies.
New concepts for solving these challenges require the combination of many disciplines from computer science and information systems, such as cryptography, networking, distributed systems, process modeling and design, access control, privacy etc. It is the goal of this workshop to provide a forum for exchange of novel research in these areas among the experts from academia and industry. Completed work as well as research in progress is welcome, as we want to foster the exchange of novel ideas and approaches. Topics of interest include but are not limited to:
* Security and privacy in workflow systems
  - Access control architectures
  - Modeling of security and privacy constraints
  - Automatic security augmentation
  - Secure/Trusted virtual domains
* Security and privacy in service-oriented architectures
  - Secure composition of services
  - Semantic aware security
  - Security services
  - Trustworthy computation
* Identity Management
  - Security and Privacy
  - Applications to compliance
  - Effective use in business IT systems
* Data sharing
  - Cryptographic protection during data sharing
  - Privacy-preserving distributed applications
  - Efficient multi-party computations
  - Privacy and data sharing policies
* Security and privacy in management information systems
  - Novel secure applications
  - Secure and private data analytics
  - Flexible and seamless security architectures
  - Secure operating system design
* Collaborations
  - Secure and private supply chains
  - Security and privacy in virtual organizations
  - Private social network and Web 2.0 applications
  - Security and privacy in outsourcing”
Posted by Marco Casassa Mont on Thursday, April 10, 2008 at 11:51:00 AM
An HPL Technical report has been recently published on the topic of “Automatic Compliance of Privacy Policies in Federated Identity Management”:
“Privacy in the digital world is an important problem which is becoming even more pressing as new collaborative applications are developed. The lack of privacy preserving mechanisms is particularly problematic in federated identity management contexts. In such a context, users can seamlessly interact with a variety of federated web services, through the use of single-sign-on mechanisms and the capability of sharing personal data among these web services. Because of the latter feature, users' privacy is at stake, if the sharing of such data among federated service providers is not properly controlled to ensure that privacy is preserved and users' privacy preferences are complied with. Current federated identity management solutions adopt simplistic approaches to privacy management, based on contractual/legal approaches and/or limited simple checks on users' privacy preferences. We argue that more comprehensive privacy policies (consisting of access control and obligation constraints, along with privacy preferences) should be stated by federated service providers and proactively checked by these providers, before disclosing users' data to federated partners. To address such requirements, we introduce mechanisms and algorithms for policy compliance checking between federated service providers, based on an innovative policy subsumption approach. We formally introduce and analyze our approach. We also show how our approach is suitable for deployment and application in existing federated identity management solutions, such as Liberty Alliance, WS-* and Shibboleth.”
Authors: Anna Squicciarini (The Pennsylvania State University), Marco Casassa Mont, Abhilasha Bhargav-Spantzel (Purdue University), Elisa Bertino (Purdue University).
A short paper derived from this technical report has been accepted at IEEE Policy 2008.
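To make the subsumption idea in the abstract concrete, here is an added example (mine, not the report's algorithm or notation) of a proactive compliance check a disclosing provider could run before releasing an attribute to a federated partner. A per-attribute policy is modelled as permitted purposes, permitted onward recipients, a retention limit and committed obligations; the provider's policy is first tightened by the user's preferences, and the partner's stated policy then complies only if it is subsumed by that effective policy (it reserves no purpose, recipient or retention the effective policy forbids, and commits to every obligation it demands). All attribute names, purposes, obligation labels and the three sample policies are constructed for illustration.

```python
"""Simplified privacy-policy subsumption check before federated disclosure.

Constructed illustration; not the HPL report's formal model or algorithm.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class AttributePolicy:
    """Constraints a party states for one personal-data attribute."""
    purposes: FrozenSet[str]              # uses the party reserves / permits
    recipients: FrozenSet[str]            # onward recipients reserved / permitted
    retention_days: Optional[int]         # None = no limit stated (most permissive)
    obligations: FrozenSet[str] = frozenset()   # obligations the party commits to


def retention_within(limit: Optional[int], bound: Optional[int]) -> bool:
    """True if 'limit' is at least as strict as 'bound' (None = unbounded)."""
    if bound is None:
        return True
    if limit is None:
        return False
    return limit <= bound


def violations(partner: AttributePolicy, required: AttributePolicy) -> List[str]:
    """Reasons why 'partner' is NOT subsumed by 'required'; [] means it complies."""
    found = []
    extra_purposes = partner.purposes - required.purposes
    if extra_purposes:
        found.append("purposes not permitted: " + ", ".join(sorted(extra_purposes)))
    extra_recipients = partner.recipients - required.recipients
    if extra_recipients:
        found.append("onward recipients not permitted: " + ", ".join(sorted(extra_recipients)))
    if not retention_within(partner.retention_days, required.retention_days):
        found.append(f"retention {partner.retention_days} exceeds limit {required.retention_days}")
    missing = required.obligations - partner.obligations
    if missing:
        found.append("obligations not committed to: " + ", ".join(sorted(missing)))
    return found


def restrict(provider: AttributePolicy, preference: AttributePolicy) -> AttributePolicy:
    """Meet of the provider's policy and the user's preference: the effective
    policy a partner must be subsumed by (tighter on every dimension)."""
    if provider.retention_days is None:
        retention = preference.retention_days
    elif preference.retention_days is None:
        retention = provider.retention_days
    else:
        retention = min(provider.retention_days, preference.retention_days)
    return AttributePolicy(
        purposes=provider.purposes & preference.purposes,
        recipients=provider.recipients & preference.recipients,
        retention_days=retention,
        obligations=provider.obligations | preference.obligations,
    )


def plan_disclosure(requested: Iterable[str],
                    provider_policy: Dict[str, AttributePolicy],
                    user_prefs: Dict[str, AttributePolicy],
                    partner_policy: Dict[str, AttributePolicy]) -> Dict[str, List[str]]:
    """Per requested attribute: the violations found ([] = may be released)."""
    report: Dict[str, List[str]] = {}
    for attr in requested:
        if attr not in provider_policy:
            report[attr] = ["provider has no policy for this attribute"]
            continue
        if attr not in partner_policy:
            # A partner that states nothing has promised nothing: withhold.
            report[attr] = ["partner states no policy for this attribute"]
            continue
        required = provider_policy[attr]
        if attr in user_prefs:
            required = restrict(required, user_prefs[attr])
        report[attr] = violations(partner_policy[attr], required)
    return report


# Constructed sample policies (hypothetical attributes, purposes and obligations).
PROVIDER_POLICY = {
    "email": AttributePolicy(frozenset({"service_delivery", "fraud_prevention"}),
                             frozenset({"payment_processor"}), 365, frozenset({"notify_on_breach"})),
    "address": AttributePolicy(frozenset({"service_delivery"}), frozenset(), 365,
                               frozenset({"notify_on_breach"})),
    "phone": AttributePolicy(frozenset({"service_delivery"}), frozenset(), 365),
}
USER_PREFS = {
    "email": AttributePolicy(frozenset({"service_delivery", "fraud_prevention"}),
                             frozenset({"payment_processor"}), 180, frozenset({"delete_on_request"})),
}
PARTNER_POLICY = {
    "email": AttributePolicy(frozenset({"service_delivery"}), frozenset(), 90,
                             frozenset({"notify_on_breach", "delete_on_request", "audit_log"})),
    "address": AttributePolicy(frozenset({"service_delivery", "marketing"}),
                               frozenset({"advertising_network"}), None),
}


def demo() -> Dict[str, List[str]]:
    return plan_disclosure(["email", "address", "phone"], PROVIDER_POLICY, USER_PREFS, PARTNER_POLICY)


if __name__ == "__main__":
    for attr, problems in demo().items():
        print(attr, "RELEASE" if not problems else "WITHHOLD: " + "; ".join(problems))
```

Running it releases only the email attribute: the partner's address policy reserves a marketing purpose, an advertising recipient and unbounded retention and commits to no breach notification, and the partner states no policy at all for the phone number. The check is deliberately conservative: a dimension the partner leaves open counts as the most permissive value, so silence never passes as compliance.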
Posted by Marco Casassa Mont on Monday, April 07, 2008 at 8:03:00 PM
A recent article, by Katherine Walsh, titled “How to Make a Business Case for Identity Management” provides a few tips on how to articulate a business case for Identity Management:
- Decide what IdM means to you
- Articulate the Business Performance and Productivity Benefits of IDM
- Create a Tangible, Phased Implementation Plan
- Don't Forget to Have a 'Mr. or Ms. IDM'--Is This You?
- Avoid Scare Tactics or Pigeonholing
I think that, from a CSO/CISO perspective, it would also make sense to clearly articulate the Business Risk Mitigation factors that IdM could bring …
Posted by Marco Casassa Mont on Friday, April 04, 2008 at 2:57:00 PM
A new HP Labs technical report, “Assurance for Federated Identity Management” (which revisits and extends a previous report on the same topic), has been published:
“Federated Identity Management is an emerging paradigm that is rightly getting a lot of standardization and research attention. One aspect that is not receiving enough attention is assurance. Given the challenges enterprises faced trying to demonstrate appropriate control of their internal and monolithic identity management systems, the problem of how to provide assurance to multiple stakeholders that controls, operations and technologies that cut across organisational boundaries are appropriately mitigating risk looks daunting. The paper provides an exposition of the assurance process, how it applies to identity management and particularly to federated identity management. Our contribution is to show technology can be used to overcome many of the trust, transparency and information reconciliation problems. Specifically we show how declarative assurance models can orchestrate and automate much of the assurance work, how certain enforcement technologies can radically improve identity assurance, and how an assurance framework can provide a basis for judging the assurance value of security technologies.”
HPL Authors: Baldwin, Adrian; Casassa Mont, Marco; Beres, Yolanda; Shiu, Simon
Posted by Marco Casassa Mont on Tuesday, April 01, 2008 at 8:06:00 PM
As you might be aware, after 4 years the EU PRIME Project (Privacy for Identity Management in Europe) has come to an end. But it is not all over … The EU PrimeLife Project is going to be one of its follow-ups:
“The European Union is to spend £7.8m on a three-year project to enhance users' privacy in social networks, virtual communities and other Web 2.0 technologies. PrimeLife's short-term goal is to provide scalable and configurable privacy and identity management in new and emerging internet services and applications. In the longer term, it aims to develop tools that will protect individuals' privacy throughout their life.
Jan Camenisch, PrimeLife's technical leader, said everyone who used the internet left "virtual footprints" that others could collect and use without their knowledge. This was made possible by advances in technologies for data collection, unlimited storage, and reuse and lifelong linkage of these digital traces, he said. …” (more details are available in Ian Grant’s article).
Additional details are available in another article, by Bryan Betts at Techworld:
“PrimeLife's co-ordinator is IBM's Zurich research laboratory, and it follows on from an earlier EU-backed project into identity management systems, called Prime (Privacy and Identity Management in Europe). Where Prime was mostly concerned with identity management (see its white paper here), PrimeLife will go beyond that to address privacy management and trust issues across a user's entire lifespan from childhood to old age, said IBM cryptography researcher Jan Camenisch, who is the project's technical leader.
…”
Finally, this article provides some additional information on its scope and participants:
“Several PrimeLife partners are participants in industry and standardization groups such as the World Wide Web Consortium’s PLING, Liberty Alliance, ISO/IEC JTC 1, and ITU. Furthermore, PrimeLife will work and interact with relevant open-source communities such as Higgins, as well as with other research projects in order to achieve the sustainability of these project results.
PrimeLife’s multidisciplinary consortium consists of the coordinator, the IBM Zurich Research Laboratory, Switzerland, and project partners from various countries: Center for Usability Research & Engineering, Austria; Katholieke Universiteit Leuven, Belgium; GEIE ERCIM, France; Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Technische Universität Dresden, Johann Wolfgang Goethe-Universität Frankfurt am Main, Europäisches Microsoft Innovations Center GmbH, Giesecke & Devrient GmbH and SAP AG, Germany; Università degli Studi di Bergamo and Università degli Studi di Milano, Italy; Stichting Katholieke Universiteit Brabant, The Netherlands; Karlstads Universitet, Sweden; and Brown University, United States of America.”
Posted by Marco Casassa Mont on Friday, March 28, 2008 at 8:26:00 PM
The new HP Security Handbook is now available for download online.
This handbook provides a view into all the different threads of security that HP works in. Much of the content is focused on the three pillars of our security strategy: Identity Management, Proactive Security Management and Trusted Infrastructures. The handbook also describes how Governance issues fit into our security strategy and provides an insight into the security research work done by HP Labs.
Additional information about HP security initiatives is available here.
Posted by Marco Casassa Mont on Tuesday, March 25, 2008 at 8:37:00 PM
A recent article (which appeared on Compliance-Magazin.de) gives an overview of a Novell-sponsored whitepaper stressing the importance of risk management and compliance as key drivers for identity management:
“It’s no secret that security and compliance violations today can prove disastrous. Corporate fumbles can quickly become headlines, thrusting customers into the waiting arms of the competition. Well thought-out governance, risk and compliance (GRC) strategies help companies, large and small, to avoid those nasty entanglements.
Compliance is no longer the four-letter word that it used to be, a mandate imposed by outside forces. "Today, compliance is more often self-imposed," says Ross Chevalier, CTO Canada for Waltham, Mass.-based Novell. "It’s a differentiator, an opportunity to prove trust and competence."
Perhaps that change in mindset stems from the fact that getting the corporate house in order and preparing for audits doesn’t have to be as convoluted as once expected. "If we achieve our security goals, proving compliance is simple,” says Mike Johnson, security architect for Ingersoll Rand. And, according to a recent survey by IDG Research Services, that’s exactly what smart business and IT leaders are doing. This report sheds new light on why many companies are implementing identity, access and security management to automate the compliance process …”
Here are some of the key “findings” of the research:
- Risk management and compliance rate high as drivers of identity, access and security management.
- The ability to "prove” compliance is revealed as the top benefit of implementing identity, access and security management solutions.
- When it comes to successfully identifying and managing risk, many companies score lower than one might expect.
Posted by Marco Casassa Mont on Saturday, March 22, 2008 at 2:01:00 PM
The EU PRIME Project “Closing Event” will take place on Monday, July 21 2008, at the Katholieke Universiteit Leuven.
This event, held in conjunction with the 8th PET Symposium 2008, includes presentations of the PRIME results:
- Display of Application Prototypes (integrated Prototype, LBS, Collaborative eLearning, OnionCoffee, PRIME tutorials)
- Social, legal and economic requirements, framework and architecture, policies
More information and registration details are available here.
Posted by Marco Casassa Mont on Tuesday, March 18, 2008 at 1:13:00 AM