Blog under spamming attack – end of anonymous comments?

I just noticed that my blog on “Research on Identity Management”, hosted by the HP portal, is under “comment spamming” attack.

This is not a major issue as the current blog platform’s security controls just filter these undesired comments.

However, in my view, this shows how the capability of having anonymous posting of comments can be easily abused.

I believe this capability will be increasingly disabled in most blog sites. The same could happen for “authenticated” comments, as most of the time this just requires a user setting an account with a fake profile, hence enabling spammers to post again their comments.

Switching-off the capability of posting comments or introducing further controls will make the blog experience harder and harder …

--- Posted by Marco Casassa Mont (here and here) ---


--- NOTE: my original HP blog can be found here ---

Interesting BBC article – “Cyber crooks get business savvy”

This article, called “Cyber crooks get business savvy” is particularly interesting as it illustrates how cybercrime is evolving and maturing:

“Cyber crooks are increasingly operating like successful businesses, deploying the same tools legitimate companies use to boost their profits. Networking giant Cisco said online criminals were increasingly using proven business practices.
In its mid-year security report, Cisco said this new approach puts the bad guys way ahead. "When your enemy is financially motivated you have to be on alert," said Cisco fellow Patrick Peterson.”


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

IEEE Policy 2009 Symposium – Ready to Go

The 10th IEEE Policy 2009 Symposium (www.ieee-policy.org) is coming, 20-22 July 2009, Imperial College, London, UK.

This year’s programme is particularly interesting, with Keynote Speeches from Dr. Anne Adams (The Open University), Dr. Claudio Bartolini (HP Labs) and Dr. Mark Ryan (University of Birmingham).

I will present a paper describing recent HP Labs work on Identity Analytics, i.e. on how to use modeling and simulation to explore investment trade-offs and predict the impact of decisions in the space of Identity and Access Management. A related HPL Technical Report, on this topic, can be found here.

Registrations to the conference are still open.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

I recently attended the EEMA e-Identity Conference, in London, 25-26 June 2009. There have been interesting presentation and good talks.

I also gave a presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities”:

“This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs’ perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.
The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a close & controlled approach (within enterprises) to potentially, on-the-fly composable and customisable services, in the Cloud.
Use cases are introduced to illustrate “common” usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks to the weakest points in the service provisioning chain and identity thefts.
This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).
I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).
The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs’ medium and long–term vision about how the underlying Cloud infrastructure is going to evolve along with its implication in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environment (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations to evaluating and predicting the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes

Another new HP Labs Technical Report has been recently released, called “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes” (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):

“It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations' security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what- if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders”


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New HP Labs Technical Report: Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks

A new HP Labs Technical Report has been recently released, called “Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks” (authors: Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran):

“This paper aims at exploring the impact on enterprises of the adoption of Social Networks by employees. It analyses the risks that enterprises could face and suggests a methodology to answer questions, such as: what are the actual risks for an organization, given a specific context? How to assess these risks? What are the most significant approaches that can be taken to mitigate them? What are the financial and organizational implications for an organization in implementing any of the possible approaches?”


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

HP Labs - Second Annual Innovation Research Awards

HP Labs have announced the Recipients of the Second Annual Innovation Research Awards (http://finance.yahoo.com/news/HP-Announces-Recipients-of-bw-15522893.html?.v=1):

“Sixty projects from 46 universities in 12 countries will receive awards from HP Labs, the company’s central research arm. The program is designed to create opportunities for colleges, universities and research institutes to conduct breakthrough collaborative research with HP.

Building on the success of last year’s program, HP increased the number of projects it will fund by more than 30 percent – up from 45 projects at 35 institutions worldwide in 2008. Furthermore, given the significant contributions achieved in last year’s program – including 61 published papers and 13 invention disclosures – HP extended a second year of funding to 31 professors in 2009. …”


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

W3C Policy Interest Group (PLING) Charter Extended

The W3C Policy Interest Group (PLING) Charter has been extended till 31 December 2009.

We are looking for additional case studies and requirements, in particular in emerging areas such as Cloud Computing and Social Networking.

Please share your thoughts, input and experience. Feel free to subscribe to the PLING mailing list to get periodic updates on discussions and topics of interest.


--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

A few Thoughts on Security Assurance …

Based on various interactions and discussions that I had with organizations, customers and various people, I understand that dealing with “Security Assurance” is currently a major concern and issue.

How can a CIO/CISO be sure that their organization is making the right bets on the right security investments? How to be sure that these investments are effectively addressing the right security issues (of relevance to the business), especially in an ever changing IT and social environment (with dynamic threat environments)? How to get proper feedback about the current, overall situation, have a reasonable understanding of involved risks and exposures and be in the position to make informed decisions?

This is actually a “recursive problem” involving various decision makers and managers in the organization ladder. It impacts their ability to define proper policies and protect organizational assets.

“Security Assurance” is of particular relevance in case of outsourcing and/or usage of services in the Cloud, when organization loses control on their IT stacks and related “control points”. Just relying on contractual agreements and hoping that everything is going to be fine is not a satisfactory approach.

I do not think that current bottom-up “security monitoring” and risk assessment tools/solutions can address this kind of challenges. This is really and area open to contributions and innovation.

Incidentally, all the above points also apply to the “Identity Management” vertical (Identity Assurance …).

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Part III: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

I am surprised by the number of people and organizations that have been asking me to give a rerun of the presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” - that I previously gave at the Open Group Security Practitioners Conference, London, 27 April 2009.

A copy of this presentation is now available here, in my web page.

I am currently working on a new version of it (for the EEMA e-Identity Conference 2009), to keep into account recent developments and new interesting aspects/concerns related to Identity in the Cloud.

I still believe that “Security Assurance” is the hot topic for Cloud Computing and specifically “Identity Assurance” is a key concern for Identity in the Cloud.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

IEEE Policy 2009 – Call for Sponsorship

The IEEE Policy 2009 Symposium (http://www.ieee-policy.org/), to be held in London, UK, 20-22 July 2009, has now received the sponsorship of both IEEE Computer Society and IEEE Communication Society (technical co-sponsorship).

A draft program is also available at http://www.policy-workshop.org/program.html.

We are now looking for sponsors from the industry and academy. Have a look at the “Call for Sponsors” (http://www.policy-workshop.org/POLICY2009-CallForPatrons.pdf),

In case of interest, please contact ieeepolicy2009@googlemail.com.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Identity and Privacy Forum, 14-15 May 2009, London

This community might be interested in attending the Identity and Privacy Forum, London, 14-15 May 2009, http://www.identityandprivacy.com/

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Part II: The Future of Identity in the Cloud: Requirements, Risks and Opportunities

The presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” that I gave at the Open Group Security Practitioners Conference, London, 27 April 2009, is now available online, at http://www.opengroup.org/conference-live/ along with the ones of the other presenters (Security Plenary Presentation Section).

Thanks to the people who provided me with inputs and material about this topic.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

The Future of Identity in the Cloud: Requirements, Risks and Opportunities

I am preparing my presentation, called “The Future of Identity in the Cloud: Requirements, Risks and Opportunities” (http://www.opengroup.org/london2009-spc/mont.htm) for the coming Open Group Security Practitioners Conference, London, 27 April 2009.

In particular I am very keen in discussing current models and architectures underpinning both Cloud Computing and Identity in the Cloud, along with discussions of risks, issues and (users’ and organisations’) requirements.

This is a good opportunity to get additional input from this community, in particular related to Identity in the Cloud, if you have specific concerns, issues or you would like to share requirements.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

CfP for 5th ACM Workshop on Digital Identity Management – DIM 2009

The CfP of the 5th ACM Workshop on Digital Identity Management, DIM 2009, is now available online: http://www2.pflab.ecl.ntt.co.jp/dim2009/

Please consider submitting a paper.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---