Friday, November 20, 2009
ENISA Cloud Computing Risk Assessment Report
ENISA has recently released three documents related to Cloud Computing, all of them available online:
· Cloud Computing Risk Assessment
· Cloud Computing Information Assurance
· Cloud Computing SME Perspective Survey
Enjoy.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: my original HP blog can be found here ---
Posted by Marco Casassa Mont at 6:32:00 PM | 0 comments | Labels: Cloud computing, ENISA, risk management
On the T-Mobile Incident and Open Questions on Trading Personal Data Online
There has been an incident this week where employees of T-Mobile have been caught selling customer data.
On one hand this has shown that there is a thriving market for this kind of data …
On the other hand, it has also highlighted “interesting issues as under the Data Protection Act, it is a criminal offence knowingly or recklessly to obtain or disclose personal data (or to get someone else to do it for you) without the consent of the organisation responsible for that data. ...”, as discussed in this article.
Posted by Marco Casassa Mont at 6:22:00 PM | 0 comments | Labels: data breach
Whitepaper – Avoid the 7 Most Common Mistakes of Compliance
Here is a recent whitepaper that might be of interest to the IAM and security community, “Avoiding the 7 Most Common Mistakes of Compliance” (registration is required to get a copy …):
“At the most basic level, there is no single standardized framework or terminology that explicitly defines what your organization must do for compliance. Instead, there are many frameworks with conflicting requirements. Terminology is often vague or interpreted differently within organizations and between geographic regions. Ambiguity abounds due to lack of a universal philosophy of compliance.
A big challenge for security professionals is navigating this ambiguity. Check out this white paper for an in-depth review of the seven most common mistakes of security compliance and tips on using these lessons to meet your compliance goals.”
Posted by Marco Casassa Mont at 6:19:00 PM | 0 comments | Labels: compliance management
Monday, November 16, 2009
W3C Workshop on Access Control Application Scenarios – Papers Available Online
The position papers submitted to the W3C Workshop on Access Control Application Scenarios (17/18 November 2009, Luxembourg) are now available online.
A few interesting positions have been made by various authors: I am sure the debates at the workshop are going to be useful and interesting for the security and access control community.
The workshop agenda shows the accepted papers and planned presentations.
One of the accepted position papers is the one I co-authored with a few colleagues:
“Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies, Marco Casassa Mont, Siani Pearson (Systems Security Lab, HP Labs, Bristol, UK), and Sadie Creese, Michael Goldsmith, Nick Papanikolaou (International Digital Laboratory, University of Warwick, UK)”
We take a strong position on the existing gap between risk assessment and management (driven by a variety of business, legal, social and security requirements) and current low-level technical access control languages, policies and frameworks (control points), which can only partially take into account the richness and variety of these requirements.
We believe that the community, instead of focusing its effort on producing yet another access control language and framework, might need to make progress on bridging this gap in order to get its proposals adopted by industry. In our paper we make an initial proposal based on introducing an intermediate “conceptual model” to reason about and identify the nature of the existing gaps, as well as ways to address them and to drive new technical requirements.
Posted by Marco Casassa Mont at 6:02:00 PM | 0 comments | Labels: W3C Access Control Workshop
CfP Workshop – Security and Privacy of Pervasive Systems and Smart Devices
Please consider submitting a paper to the WISTP 2010 workshop, which focuses on security and privacy topics for pervasive systems and smart devices. The submission deadline is November 10th:
“The impact of pervasive and smart devices on our daily lives is ever increasing, and the rapid technological development of information technologies ensures that this impact is constantly changing. It is imperative that these complex and resource constrained technologies are not vulnerable to attack. This workshop will consider the full impact of the use of pervasive and smart technologies on individuals, and society at large, with regard to the security and privacy of the systems that make use of them. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of pervasive systems and smart devices, as well as experimental studies of fielded systems. We encourage submissions that address the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues.”
Posted by Marco Casassa Mont at 5:59:00 PM | 0 comments | Labels: CfP WISTP
Updated HPL Web Page with my R&D Work and Other Topics
I eventually found time to update my HP Labs personal web page, where I describe my current R&D work and research activities in security and identity management.
I received a few emails related to a recent post of mine (where I announced an extension of the topics discussed in this blog) asking for more details. You can now find additional details on my HPL web page.
My focus is indeed on Security, Identity Management and Privacy. On my web page you can find project descriptions, recent publications and HPL technical reports of mine. Enjoy.
Posted by Marco Casassa Mont at 5:52:00 PM | 0 comments | Labels: web page
Monday, November 2, 2009
Security Trends Report by Microsoft and McAfee: Phishing Scams Relying More Heavily on Worms and Trojans
Based on a recent security trends report by Microsoft and McAfee, it looks like social networks are being targeted by phishing scams, and attackers are relying more heavily on worms and Trojans to attack computers. Rogue security software also remains a big issue.
Some related articles on this topic can also be found here and here.
Posted by Marco Casassa Mont at 6:02:00 PM | 0 comments | Labels: Phishing Attacks
3rd PrivacyOS meeting
The 3rd PrivacyOS meeting took place in Vienna on 26-27 October 2009.
I attended, along with a few colleagues from HP Labs Bristol.
It was a very interesting meeting, with presentations and debates involving various stakeholders of the privacy community.
A summary of presentations and related notes can be found here.
Posted by Marco Casassa Mont at 6:00:00 PM | 0 comments | Labels: PrivacyOS
Article - Malware is bound to hit smartphone devices as users do not consider security
Interesting article by Dan Raywood, “Malware is bound to hit smartphone devices as users do not consider security”:
“Smartphone attacks are likely to increase, as users are encouraged to take as much care with their device as with their PC. According to a report by CNN, smartphone security threats are likely to rise as the popularity of smartphones is on the rise and malware could be heading for them. …”
I believe this is a real threat. At risk, among many others, are corporate executives and senior people who rely on and use smartphones more and more as their core device for communications, including handling emails and storing confidential data.
I predict that more effort (in terms of products, solutions, services) will be devoted to addressing these issues, at least at a corporate level …
Posted by Marco Casassa Mont at 5:56:00 PM | 0 comments | Labels: malware, smartphones
Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation
The 5th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf
In addition, a new “Latest EnCoRe Tidbits” service has been launched, providing links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1
More to come. Enjoy.
Posted by Marco Casassa Mont at 5:52:00 PM | 0 comments | Labels: EnCoRe
Friday, October 9, 2009
Research on Security and Identity Management
The time has come to update the topic (and focus) of this blog.
In the last few years my R&D work and research at HP Labs has involved a variety of aspects, including security, identity management and privacy.
Most of my posts have actually reflected this, hence my decision to update my blog. I hope this will further grow the community of people who are interested in and follow my blog.
Posted by Marco Casassa Mont at 6:22:00 PM | 0 comments | Labels: identity management, privacy, security
New W3C PLING General Phone Call – 14 October 2009, 12:00 UTC
The next W3C Policy Language Interest Group (PLING) general meeting will take place on October 14th at 12:00 UTC.
Topics to be discussed include: (1) Best practices for privacy awareness; (2) web policy language working group proposal.
Please consider attending.
Posted by Marco Casassa Mont at 6:20:00 PM | 0 comments | Labels: W3C PLING
Article – Phishing or not, leaked passwords show lazy habits
This article by Elinor Mills, “Phishing or not, leaked passwords show lazy habits”, is quite interesting.
It is nothing new that there are bad practices when dealing with passwords, but it is also true that people are usually good at making risk assessments and judging which level of protection to choose, depending on the value of the asset to protect …
Posted by Marco Casassa Mont at 6:18:00 PM | 0 comments | Labels: password phishing
Monday, September 28, 2009
3rd PrivacyOS Conference, Vienna, 25-27 October 2009
The Third PrivacyOS conference is going to take place in Vienna, 25-27 October 2009:
http://www.amiando.com/3rdprivacyos.html
“The third PrivacyOS Conference focuses on “rising awareness – functions and impact of data protection”.
Participants are invited to join the Austrian Big Brother Awards Gala on the evening of the 25th of October and to discuss privacy issues or their experiences in this field. The conference provides a unique opportunity to articulate and exchange best practices, challenges and solutions in privacy and data protection on the 26th and 27th of October.
The conference primarily addresses legal and technical IT experts, interested manufacturers of IT products or services as well as data protection authorities. All persons interested in privacy or data protection aspects are welcome to register for the event.”
Posted by Marco Casassa Mont at 5:43:00 PM | 0 comments | Labels: PrivacyOS
Workshop on Access Control (and Privacy) Application Scenarios
Please consider submitting a position paper to the W3C Workshop on Access Control (and Privacy) Application Scenarios by October 23rd:
http://www.w3.org/2009/policy-ws/cfp.html
"W3C invites people to participate in a Workshop on Access Control Application Scenarios on 17-18 November 2009 in Luxembourg. This Workshop is intended to explore evolving application scenarios for access control technologies, such as XACML. Results from a number of recent European research projects in the grid, cloud computing, and privacy areas show overlapping use cases for these technologies that extend beyond classical intra-enterprise applications. The Workshop, co-financed by the European Commission 7th framework program via the PrimeLife project, is free of charge and open to anyone, subject to review of their statement of interest and space availability.
The workshop is intended to discuss issues around access control in a very wide sense, encompassing conditions and rules derived from the fact of accessing information. Topics that might serve as appropriate discussion points for position papers include, but are not limited to:
- interaction between access control and privacy policies
- language extensions to connect access control languages to novel types of credentials
- large-scale cloud and grid computing use cases for access control technologies
- policy management
- mechanisms for controlling progressive disclosure of information by user agents and servers
- the emerging role of trust delegation and supportive mechanisms in cloud computing, grid, and Web use cases
- mechanisms for richer user control over downstream data controllers
The workshop will examine experiences and recent research results in these areas, their need for agreed semantics, the need for extensions to existing access control languages, and perhaps for radically new approaches.
Position papers are due 23 October. See the call for participation for more information."
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
Posted by Marco Casassa Mont at 5:36:00 PM | 0 comments | Labels: access control, privacy