Posts Tagged ‘Data Privacy’

Legislation and Data Privacy Regulations

Posted in Data Privacy by Team on April 17th, 2008 | No Comments

Everyone is talking about data privacy regulations. I thought it would be a good idea to share some of the data-protection-related legislation worldwide. This is not an exhaustive list.

1. California legislation SB-1386:

Any agency, person or business that conducts business in California and owns or licenses computerized “personal information” is required to disclose any breach of security to any California resident whose unencrypted personal information is believed to have been disclosed.

2. Gramm-Leach-Bliley:

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

3. Health Insurance Portability and Accountability Act (HIPAA):

The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (“protected health information”) by organizations subject to the Privacy Rule (“covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.

4. EU Regulation (27 Member States) - Personal Data Protection Directive:

The EU Directive on Data Protection (DDP) of 1998 is a framework that stipulates the minimum data protection legislation EU member countries must have in place. The legislation is intended to protect the rights of EU citizens regarding the processing of their personal data. Any organization doing business in one or more EU countries must comply with the national data privacy legislation of each member country in which it operates.

5. Canadian Regulation - Personal Information Protection and Electronic Documents Act:

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) ensures the protection of personal information. PIPEDA applies to “any work, undertaking or business that is under the legislative authority of Parliament.” Organizations must protect personal information regardless of its format by:

  • Developing and implementing a security policy.
  • Using appropriate security safeguards, including physical measures, technological tools (passwords, encryption, firewalls and anonymizing software) and organizational controls.
  • Removing or masking any personal information that has no relevance when providing copies of information.

6. UK Regulation - Data Protection Act:

The Data Protection Act (DPA) of 1998 applies to UK residents and UK-based organizations. It requires that all personal information, even data not stored in computerized systems, be protected from abuse and secured against unauthorized access. The DPA requires that data controllers take appropriate technical and organizational measures to prevent unauthorized or unlawful processing or disclosure of personal data. Data must be protected during storage, transport, transition and update.

7. Australia Regulation - Privacy Amendment Act of 2000:

The Privacy Amendment (Private Sector) Act 2000, which amended the Privacy Act 1988, came into effect on 21 December 2001, establishing a national scheme to regulate private sector organisations’ handling of personal information.

The legislation, as amended, was designed to bring Australia into line with international standards on personal information and to instil confidence in how Australian businesses handle personal information. The Government also aimed to address concerns about the development and take-up of online business and eCommerce.

8. Japan Regulation - The Personal Information Protection Act:

Japan enacted the Personal Information Protection Act (JPIPA) in 2003 to protect individuals’ rights and personal information while preserving the usefulness of information technology and personal information for legitimate purposes. The law establishes responsibilities for businesses that handle personal information of citizens of Japan and outlines potential fines and punishments for organizations that do not comply. The act requires businesses to communicate their purpose in collecting and using personal information. They must also take reasonable steps to protect personal information from disclosure, unauthorized use or destruction.

9. Hong Kong Regulation - The Personal Data (Privacy) Ordinance:

The Personal Data (Privacy) Ordinance (“Privacy Ordinance”) sets out a number of strict obligations and restrictions for dealing with an individual’s personal data.

“Personal data”, as covered by the Privacy Ordinance, includes any information about a living individual, so long as that information includes some data which would allow the individual to be identified. Personal data must include data from which it is reasonably practicable to ascertain the identity of the person. It covers paper documents, microfilm, audio tapes, video tapes and computer files.

10. Argentinean Regulation - Law for the Protection of Personal Data:

The purpose of this Act is the full protection of personal information recorded in data files, registers, banks or other technical means of data treatment, either public or private, for the purpose of providing reports, in order to guarantee the honour and privacy of persons, as well as their access to the information that may be recorded about them.

11. Industry Privacy Standard - Payment Card Industry Data Security Standard (PCI DSS):

The PCI DSS, a comprehensive set of requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover, JCB, MasterCard and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Research Report: Lack of Strong Identity and Access Management in UK Businesses …

Posted in Uncategorized by Research on Identity Management Blog on September 27th, 2007 | No Comments

A recent article by Miya Knights, called “Strong ID and Access Management eludes UK Business”, provides an overview of the findings of a recent research report by Insight Consulting on UK business attitudes towards identity and access management. Here are a few key points highlighted in this article:

“New research into attitudes towards identity and access management has found very few are taking effective steps to address potential security lapses.

Although most UK businesses realise the increased threat from inadequate security systems and policies, the research, produced for Siemens-owned Insight Consulting, found 71 per cent of companies still rely solely on username and password authentication, which has been criticised for its effectiveness in protecting against malicious attacks.

A further 62 per cent of the 259 IT services and management professionals surveyed admitted that their organisation had no information security management system in place, or at least they didn't know if it did.

And more than 90 per cent do not have a fully automated solution capable of producing audit reports detailing network, application and data access, despite the fact that 51 per cent of businesses surveyed now have to deal with increasing partner, supplier and customer system access.

In addition, only 50 per cent of respondents were confident that network access rights of staff members who leave a company are removed or deactivated when they leave - the other half leave outdated user accesses active and open to malicious misuse as well.

Only 22 per cent of businesses have an enterprise single sign-on identity and access management system in place, which Insight said delivers the fastest return on investment.”

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

On Security Experts pitching “Culture of Data” …

Posted in Uncategorized by Research on Identity Management Blog on September 26th, 2007 | No Comments

I’ve found this article by Matt Hines, called “Security experts pitch culture of data” quite interesting:

“The companies that are having the most success in advancing their data security efforts today are those that are finding a way to protect sensitive information without getting in the way of business users, industry experts maintain.

In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, those businesses that can foster both ready access to information, along with strong defenses for end-users and IT systems, are making progress the fastest, claim leading vendors and service providers.

After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information. …”

It would also be interesting to get some concrete examples, e.g. how this could be achieved for identity data, where related policies dictate goals and expectations from (sometimes contradictory) business, security and privacy perspectives.

Conn. AG Investigating Former Employee Link To Pfizer Data Breach

Posted in Uncategorized by InformationWeek RSS Feed on September 26th, 2007 | No Comments

A former worker's new employer sent Pfizer a DVD containing Pfizer data. The information was allegedly found on the employee's computer at the new job.

Investigators Blame Lax Security For T.J. Maxx Data Breach

Posted in Uncategorized by InformationWeek RSS Feed on September 26th, 2007 | No Comments

A report out of Canada also gives credence to widespread conjecture that hackers may have accessed the retailer's network through a wireless connection.

Identity Usage Analytics: towards “IdentityBurner”?

Posted in Uncategorized by Research on Identity Management Blog on September 25th, 2007 | No Comments

As a blogger, I have found the services provided by feedburner very useful: in particular I like the service providing analytics about the usage of my blog, number and provenance (…) of visitors, accessed posts, etc. This helps to better understand from which geographic areas there is an interest in my posts, which topics are perceived being more relevant, etc. (ok, somebody might think about this as a privacy threat. We could have an interesting debate …).

I was thinking about the implications and impact of having a similar service in the context of “Identity Management”, where, by analogy, instead of monitoring blogs and posts, end-users would be enabled to monitor (potentially in a fine-grained way) their identity information and profiles scattered around an organisation …

I think this would give “more control” to users on their personal data, by helping them to better understand the status of their data, who has been accessing/using it, indications of any violations (against agreed purposes/consent), etc. – via a visual and easy to understand GUI. This feature could be provided in addition to the usual self-registration and account management capabilities, by Service Providers and/or by Identity Providers (in case of federated IdM) …

Anyway, I believe a key issue would be around “trust”. Should a user trust the information provided by such a service? Which assurance should be given to the user about the integrity and accuracy of these metrics and displayed information? Who should run this service?

Another key issue is the impact (cost) for the enterprise/service provider (if done seriously), because of the need to track, monitor, collect and process “events” associated with large sets of data within their IT stack. So, after all, would there be anyone willing to deploy and run such a kind of service – in the context of Identity Management?

Material Available on Identity Governance Framework (IGF)

Posted in Uncategorized by Research on Identity Management Blog on September 24th, 2007 | No Comments

As highlighted by Phil Hunt in a related post, material available on Identity Governance Framework (IGF) has been posted here. This includes overview material and previous documents such as:

I have contributed to the “Identity Privacy and Access Policy MRD” document and I believe IGF has key potential to help organisations deal with data/identity governance aspects.

What is your view on IGF? Any comment or feedback?

ACM DIM 2007 – Workshop on Digital Identity Management

Posted in Uncategorized by Research on Identity Management Blog on September 23rd, 2007 | No Comments

On November 2nd, 2007, George Mason University (Fairfax, VA) is going to host ACM DIM 2007 – a Workshop on Digital Identity Management, in the wider context of CCS 2007 (14th ACM Conference on Computer and Communications Security).

This year, DIM's focus is on “Usability Issues for Identity Management”. Accepted papers cover the following topics:

  • Usability and Authentication
  • Identity Assurance and Linkability
  • Network based Approach to Identity Management
  • Reputation and Trust

A preliminary program is available here. Registration information is available here.

Webcast (11 Oct 2007) - Federated Identity Management, Web Services and Health Information Exchange …

Posted in Uncategorized by Research on Identity Management Blog on September 22nd, 2007 | No Comments

You might be interested in attending this online webcast by Ignacio Alamillo of CATCert (topic: “Federated Identity Management, Web Services, and Health Information Exchange: Technology, Policy, Case Study and Best Practices”) on October 11, 2007:

“The adoption of health information technology (HIT) with the development of decentralized, interoperable health information networks, is widely regarded as critical to enhancing the performance of our health care systems locally and globally. Health information exchange involving disparate networks enabling access to personal and public health information regardless of source or format will require scalable, affordable authentication and authorization of individuals accessing these systems. Federated identity management provides real world solutions for real world identity management problems. This discussion will explore and describe the technology needed and policy considerations through the lens of a Case Study (Catalonia ePrescribing project) that delivers best practices guidance.”

Webcast registration information is available here.

PRIME Project News

Posted in Uncategorized by Research on Identity Management Blog on September 20th, 2007 | No Comments

News from the General PRIME meeting:

“The PRIME project recently received more support and endorsement for its work to raise awareness and knowledge about Privacy-Enhancing Technologies for identity management to a wider audience that makes the decisions which will affect their take-up in real applications.

The main activities in PRIME are about advancing the state of the art in user-centric identity management, including in PETs themselves, but it also has an outreach and dissemination objective to ensure that its technology work is made known to all communities whose decisions will affect how these advances are made available for real use. As part of that objective, it has written two White Papers on its work, which are aimed at different audiences and will soon be made available on the PRIME website http://www.prime-project.eu . The second of these is aimed at IT professionals.

A currently public version of the PRIME Whitepaper (v2) is available here.

PRIME is very keen to ensure that its work remains focused on topics that are relevant and on results that are deployable in real situations. To that end, it formed a project advisory board, named the Reference Group, that provides guidance on direction and priorities and reviews the project's output.

The Reference Group comprises more than a dozen professionals from various countries' data protection commissions and privacy specialists from industry, consumer groups and academia. They recently reviewed the second White Paper and were very positive about it and the role it could play in bringing about wide adoption of PETs. The project is now making plans for another White Paper, together with other educational materials, such as tutorials, that will be aimed at other communities.”

EU PRIME Project – Look Forward to Hearing from You!

Posted in Uncategorized by Research on Identity Management Blog on September 18th, 2007 | No Comments

I am currently attending a General Meeting (one of the last – the project is meant to finish by the beginning of next year) of the EU PRIME Project (Privacy for Identity Management in Europe).

Current PRIME results and published documents (in terms of requirements, approaches to privacy, whitepapers, reports, architecture, prototypes, etc.) are available here.

We look forward to hearing from you: any question, concern, feedback, etc. is welcome. I’ll make sure to share this with the team here and let you know about any reply.

Part II: To Be or Not To Be an Identity Provider?

Posted in Uncategorized by Research on Identity Management Blog on September 16th, 2007 | No Comments

In a recent post, James McGovern makes this comment about a post of mine, called “To Be or Not To Be an Identity Provider?”:

“One should never research the notion of the business model of identity providers from scratch when there are many already in existence. How about starting with Securities Hub to not only understand the business model of being an identity provider but why it matters in an industry vertical context which most identity bloggers pretend don't exist.”

Well, I’ve never said I was researching this topic – I was just trying to understand the business model …, as I also wrote in a previous post of mine called “What is the Business Case for Identity Providers?”: “I wonder what would be the incentive for an organization to be an Identity Provider (IdP) and, in particular, one that just plays this role, i.e. with no additional stake in providing other services”.

Anyway, thanks for suggesting an example – even if this example looks more like a “Hub-based Service Provider” than an “Identity Provider” …

Any other examples? In particular, ones where the role of the Identity Provider is clear, whatever the underlying federated identity management solution adopted.

New Interdisciplinary Initiative at University of Toronto on Identity, Privacy and Security

Posted in Uncategorized by Research on Identity Management Blog on September 15th, 2007 | No Comments

I think this is a great initiative, opening new opportunities in teaching and researching in the areas of Identity, Privacy and Security – as highlighted in this article by CNW Group:

“On September 17, 2007, Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, will be presenting the inaugural lecture at the University of Toronto's new interdisciplinary program called the Identity, Privacy and Security Initiative (IPSI), www.ipsi.utoronto.ca.

This initiative links two new graduate concentrations in privacy and security, offered this fall through the Faculty of Applied Science and Engineering and the Faculty of Information Studies. A key goal of IPSI is to bring together faculty and students from different disciplines to study and think together about identity, privacy and security and related technologies, policies and sciences.

Commissioner Cavoukian was appointed as the Chair of the Advisory Council for IPSI. "Given the Commissioner's strong support over the past two decades for privacy-related research, education and innovation, we are delighted that Dr. Cavoukian has agreed to act as the Advisory Council Chair," says Dr. Tim McTiernan, Interim Vice-President, Research, at the University of Toronto. "We feel that she is the ideal partner for this exciting initiative." …”

Google and the Call for Global Privacy Standards

Posted in Uncategorized by Research on Identity Management Blog on September 14th, 2007 | No Comments

You might be interested in this initiative by Google, which is meant to make a call for Global Privacy Standards. An article by Jeremy Kirk provides an overview:

“Search giant Google will propose on Friday that governments and technology companies create a transnational privacy policy to address growing concerns over how personal data is handled across the Internet.

Google's global privacy counsel, Peter Fleischer, will make the proposal at a United Nations Educational, Scientific and Cultural Organization meeting in Strasbourg, France, dealing with the intersection of technology with human rights and ethics. Fleischer's 30-minute presentation will advocate that regulators, international organizations, and private companies increase dialog on privacy issues with a goal to create a unified standard.

Google envisions the policy to be a product of self-regulation by companies, improved laws, and possible new ones, according to a Google spokesman based in London. …”

I believe this is going to be a huge challenge, considering the different cultural approaches to privacy and ways to deal with it (just look at how US and EU have a different interpretation and approach to the concept of privacy …). It would also be interesting to see how the voice of consumers and citizens is going to be factored in.

More details and thoughts about this initiative can be found in a post by Peter Fleischer.

What are your Priorities in the Identity Management space?

Posted in Uncategorized by Research on Identity Management Blog on September 13th, 2007 | No Comments

As a researcher at HP Labs I have some ideas and opinions about what could be (long-term) priorities in the Identity Management space. Some of these opinions are driven by factual information (analysis of trends, etc.) others by intuitions. I expressed some of my views in various previous posts.

Listening to people and customers is another important source – to understand what is valuable and required by the business. For example, a customer has recently told me that their key priorities in the identity management space include:

  • Consolidation, integration and coordinated management of various identity management systems in their organisation: this apparently is still a major issue and problem to be solved;
  • Suitable authentication mechanisms for their customers, along with mechanisms providing a better attestation of their asserted identities.

As you can see, these are not very fancy “things” but they are very important from a business perspective.

What are your priorities in the Identity Management space? Which areas of identity management do you think are, or will be, more valuable to you, your business or the market?

To Be or Not To Be an Identity Provider?

Posted in Uncategorized by Research on Identity Management Blog on September 12th, 2007 | No Comments

Yesterday, in a post of mine called “What is the Business Case for Identity Providers?”, I was wondering what would be the incentive for an organization to be an “Identity Provider” (IdP) and, in particular, one that just plays this role, i.e. with no additional stake in providing other services.

Of course there is no constraint against being both an IdP and a Service Provider (SP). Actually, in my view, this is the most likely case. I would not be surprised if Federated Identity Management consolidates around cases based on a dominant organization/service provider and other subordinate service providers, where the dominant organization plays both the IdP and SP roles and uses federation to simplify the life of its customers, in a well controlled environment. This is already happening in telecom and outsourcing contexts …

In theory, being just an IdP would be the ideal case, with a clear “separation of duty” between those who manage identities (on behalf of users) and those who “consume” them. But, in practice, does this make any sense? Here are some initial thoughts:

  • Would the Identity Provider have to charge users to store their personal data and enable their SSO across various Service Providers? Not sure if users are really willing to pay for this kind of service …

  • Would the Identity Provider have to charge Service Providers, let’s say on a transactional basis? But would Service Providers (1) be willing to give up the control they currently have over personal data and (2) also have to pay for it?

  • Would the Identity Provider make a living based on advertisement? Maybe, but then the temptation to use stored personal data for providing better, customised advertising to users or for potentially other purposes would be too strong. Would users be happy about this?

  • Would the Identity Provider be the user itself? If so, what would be the practical implications?

I think this is an important aspect to understand – independently of the various approaches, standards and technologies that are emerging (and competing) in this space – in particular for its implications on trust, privacy and assurance matters.

What is the Business Case for Identity Providers?

Posted in Uncategorized by Research on Identity Management Blog on September 11th, 2007 | No Comments

I’ve recently been asked by a customer what would be the business case for Identity Providers, in the context of federated identity management …

This question specifically referred to Identity Providers that just play this role, i.e. have no additional stake in providing other services (e.g. being also Service Providers) and, by doing this, ensure real “separation of duty” between those who handle identities and authentication (the IdPs) and the relying parties that “consume” this information.

Any link to available material (so far, I haven’t found anything particularly relevant)? Any thoughts?

Liberty Alliance - a New Identity Assurance Initiative

Posted in Uncategorized by Research on Identity Management Blog on September 10th, 2007 | No Comments

On Sunday, 9th September, Liberty Alliance announced the creation of a new Identity Assurance initiative:

“Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced it has formed a new expert group to deliver the Liberty Trust Framework, an organizational framework designed to fill industry requirements for standardized identity assurance criteria for use in a broad range of federation scenarios. Liberty’s Identity Assurance Expert Group (IAEG) was established by the recent merger of the Electronic Authentication Partnership (EAP) into Liberty Alliance, and consists of representatives from the worldwide financial services, government, healthcare and service provider sectors working collaboratively to release the Liberty Trust Framework for public review and input later this year. The Liberty Trust Framework will remove a major barrier to global inter-federation deployments: the complexity of assessing the level of identity assurance among all organizations participating in federated relationships. Currently, different federations have varying policies and processes governing identity operations, the interpretation of which adds to the cost and complexity of deploying assured identity services. …”

Hopefully this initiative will help to define comprehensive requirements and criteria for “Identity Assurance” in Federated Identity Management contexts.

A few colleagues of mine and I recently wrote an HP Labs Technical report on a related topic, called “On Identity Assurance in the Presence of Federated Identity Management Systems”.

In our view, Identity Assurance must be concerned with the proper management of risks associated with identity management. In an enterprise context, “processes” define how identity information has to be managed; identity management technologies ease the burden of dealing with them by automating some of the related operational aspects. However, it is of paramount importance to ensure that these processes are well controlled and therefore that risk is controlled – hence the need for identity assurance. Prior to defining an identity assurance framework, a risk analysis needs to be carried out, identifying the identity assets (e.g. user accounts, user profiles, user rights, etc.) and the impact if there is a loss of confidentiality, availability or integrity, along with the threats that could lead to such losses. From an understanding of risks, an enterprise can make decisions about the control objectives (strategies for mitigating risks) it needs and ultimately design the controls that need to operate to achieve these objectives. Typically controls will be additional stages in management processes designed to mitigate risks (e.g. an approval step), although they may also be technological mechanisms.

The interesting challenge is how to enable Identity Assurance in a federated identity management context, where multiple organisations need to collaborate and share information to achieve this. In our paper we suggested a potential approach to move forward …

Liberty Alliance Advanced Client Specs - Draft Release 2 (Identity Capable Platforms, Provisioning Services, …)

Posted in Uncategorized by Research on Identity Management Blog on September 10th, 2007 | No Comments

As already stated by Conor Cahill in a recent post, the Draft Release 2 of the Liberty Alliance Advanced Client Specs is available online, here.

In February 2007, Intel, BT and HP successfully built a first proof-of-concept (PoCv1) based on the Draft Release 1 and demonstrated the feasibility of these specs (in terms of Identity Capable Platforms and related Provisioning Services) during a related Liberty Alliance Workshop at RSA 2007.

TrustBus 2007: presentations on “Device-based Identity Management in Enterprises” and “Challenges and Opportunities in IdM”

Posted in Uncategorized by Research on Identity Management Blog on September 8th, 2007 | No Comments

I am back from Regensburg, Germany, where I attended and presented at TrustBus 2007. This conference was very interesting for the variety of presentations and topics covered, including:

  • aspects of trusted and secure virtual organisations;
  • identity management and usage control;
  • authentication and access control;
  • compliance and user privacy;
  • policy management;
  • secure system management and trust.

In this context I gave a presentation on our work on “Device-based Identity Management in Enterprises”. My presentation is available here: it describes the outcome of our related R&D project, where we explored ways to model and represent device identities (and the role that Trusted Computing/TPM can play), provision these identities by leveraging enterprise IdM solutions and use them to define access control policies. Technical results and outcomes are shared.

I’ve also been involved in a panel discussion on “Managing Digital Identities – Challenges and Opportunities” (chair: Gunther Pernul). My presentation (along with my view on top challenges and opportunities in the IdM space) is available here. The other panellists gave interesting presentations, with additional, complementary views of IdM challenges and opportunities, from government, software developer and academic perspectives. Hopefully their presentations will be made available online.

New Report: Enterprises Lack Effective Risk Management

Posted in Uncategorized by Research on Identity Management Blog on September 7th, 2007 | No Comments

A recent article provides an overview of the findings of a new report (accessible as a free download, here) by “The Alliance for Enterprise Security Risk Management (AESRM)”:

“The currently popular silo approach to managing enterprise risk is inadequate because it leaves too many gaps and provides no reliable way to evaluate an enterprise’s risk position, according to a new research report issued by The Alliance for Enterprise Security Risk Management (AESRM), a partnership of leading international security associations ISACA and ASIS International.

The Convergence of Physical and Information Security in the Context of Enterprise Risk Management shows that while risk management is fundamental to most enterprise managers, many risk reduction initiatives are not coordinated or integrated across all risk areas. Only 19 percent of executives surveyed said their company has a robust process in place for identifying when risk tolerance approached or exceeded defined limits.

To address these risk challenges, organizations are investigating more inclusive enterprise risk management (ERM) programs and converging traditional and information security functions. Although this convergence is intuitive and logical, it is still in its early stages, according to the research conducted by Deloitte.

When asked to identify the major drivers of their companies’ security integration efforts, 73 percent of the executives cited “reducing risk of combined information and physical security threats,” 58 percent said “increased information sharing,” and 50 percent noted “better protection of the organization’s people, intellectual property and corporate assets.” The survey shows that security integration and ERM, when aligned, add value throughout an organization.”

As you might expect, the management of identity information itself has its “risks”. In particular, in terms of identity and identity management this report mentions that:

  • Identity theft and account fraud are listed among the main (internal and external) threats that enterprises have to face
  • Each stolen customer identity causes a financial loss of $100 (rule of thumb)
  • Identity and Access Management is the third most important initiative in terms of “current focus on security initiatives”

Episode II: On the Role of “Role Mining” in Enterprises …

Posted in Uncategorized by Research on Identity Management Blog on September 5th, 2007 | No Comments

James McGovern, in a recent post to his “Enterprise Architecture: from Incite comes Insights” blog, makes this comment on a recent post of mine, “On the Role of “Role Mining” in Enterprises”:

“I really hate stealth blog entries that don't talk about why and where role mining activities fail. In fact, I would love it if someone were to blog a comparison of starting with role mining vs starting with entitlements management and let the coins fall where they may”

James, thanks for your input. Actually, I thought I had covered the “limitation” point in the final part of my post:

“… Solutions are already available in the market: however I believe this is still a green field, open to innovation – in particular if we consider this in the overall context of Enterprise Identity Management (by including provisioning, access control policy setting and compliance management).

After all, the effectiveness of “Role Mining” solutions and related techniques can be measured by their capability to extract meaningful sets of roles from a business perspective (i.e. meaningful to and comparable with an enterprise organisation) rather than purely from a technical perspective (i.e. a list of “labels” identifying abstract roles), and to help administrators spot potential anomalies and suggest remediation steps – integrated with state-of-the-art identity management solutions.”

Do you see any additional limitations or cons of “Role Mining”? I’d like to hear your view on this – as you might have additional insights.

I think “role mining” is interesting from an IdM research perspective – because of its potential and also because of some of its current limitations.

I am not sure what you meant by “… comparison of starting with role mining vs starting with entitlements management”. In my view they are complementary approaches, not really in competition with each other. Both could be used at different stages – depending on the context/need. Do you have a different view? What is your take on this? I am very interested in getting your comments on this.

On the Role of “Role Mining” in Enterprises

Posted in Uncategorized by Research on Identity Management Blog on September 3rd, 2007 | No Comments

I believe that “Role Mining” is and will become more and more relevant in enterprises and complex organisations. Too many changes happen nowadays in enterprises (changes in org charts, mergers & acquisitions, business-focus changes, increased outsourcing of activities and temporary labour force, etc.). How can we ensure that the right people/groups have the necessary access rights in a context that is constantly changing?

Good practices and processes, auditing and compliance checking are ways to achieve for … However, “Role Mining” solutions can provide additional help, from an operational perspective, to identify “organisational roles” that reflect the current security and access control permissions associated with employees. The analysis of the outcome of a “role mining” activity can sometimes hold surprises …

“Role Mining”, at its very core, is about identifying and extracting meaningful “roles” in an enterprise from “raw data” (e.g. access control rights, ACLs, etc.) by using different techniques (e.g. data mining, clustering, etc.). A related, interesting paper on Role Mining can be found here.

Solutions are already available in the market; however, I believe this is still a green field, open to innovation – in particular if we consider it in the overall context of Enterprise Identity Management (by including provisioning, access control policy setting and compliance management).

After all, the effectiveness of “Role Mining” solutions and related techniques can be measured by their capability to extract meaningful sets of roles from a business perspective (i.e. meaningful to and comparable with an enterprise organisation) rather than purely from a technical perspective (i.e. a list of “labels” identifying abstract roles), and to help administrators spot potential anomalies and suggest remediation steps – integrated with state-of-the-art identity management solutions.
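As an added example (not code from the original post, nor from any role-mining product), here is a minimal role-mining pass over a constructed user-to-permission assignment: it extracts candidate roles as shared permission sets, maps them against a constructed org chart so that technical “labels” can be compared with business units, and flags per-user permissions that no departmental peer holds as candidates for administrator review. All users, departments and permissions below are made up.

```python
from collections import defaultdict
from itertools import combinations

# Constructed "raw data": direct permission grants per user, as an IdM
# system or a set of ACLs would expose them. All names are made up.
USER_PERMS = {
    "alice": {"crm:read", "crm:write", "mail"},
    "bob":   {"crm:read", "crm:write", "mail"},
    "carol": {"crm:read", "mail"},
    "dave":  {"hr:read", "hr:write", "mail"},
    "erin":  {"hr:read", "hr:write", "mail"},
    "frank": {"hr:read", "mail", "crm:write"},  # stale grant from an old job
}
# Constructed org chart: lets mined roles be compared with business units.
USER_DEPT = {"alice": "sales", "bob": "sales", "carol": "sales",
             "dave": "hr", "erin": "hr", "frank": "hr"}


def mine_candidate_roles(user_perms, min_users=2):
    """Extract candidate roles as permission sets shared by >= min_users users.

    Candidates are every distinct exact permission set plus the pairwise
    intersections of those sets (which surface shared "base" roles such as
    everyone holding 'mail'). A user is a member of a candidate role when
    they hold all of its permissions. Returns {frozenset(perms): set(users)}.
    """
    distinct = {frozenset(p) for p in user_perms.values()}
    candidates = set(distinct)
    for a, b in combinations(distinct, 2):
        if a & b:
            candidates.add(a & b)
    roles = {}
    for role in candidates:
        members = {u for u, p in user_perms.items() if role <= p}
        if len(members) >= min_users:
            roles[role] = members
    return roles


def describe_roles(roles, user_dept):
    """Turn technical labels into a business view: who holds each role and
    which departments it spans (cross-department roles deserve a look)."""
    ordered = sorted(roles.items(), key=lambda kv: (-len(kv[0]), sorted(kv[0])))
    return [{"perms": sorted(role), "users": sorted(members),
             "depts": sorted({user_dept[u] for u in members})}
            for role, members in ordered]


def find_anomalies(user_perms, user_dept):
    """Flag permissions a user holds that no peer in the same department holds.

    These are the "surprises" role mining tends to surface: grants left over
    from transfers, one-off exceptions, over-provisioning. Each is a candidate
    for administrator review and remediation, not an automatic revocation.
    """
    by_dept = defaultdict(list)
    for user, dept in user_dept.items():
        by_dept[dept].append(user)
    anomalies = {}
    for user, perms in user_perms.items():
        peers = [p for p in by_dept[user_dept[user]] if p != user]
        if not peers:
            continue  # nobody to compare against
        peer_perms = set().union(*(user_perms[p] for p in peers))
        extra = perms - peer_perms
        if extra:
            anomalies[user] = sorted(extra)
    return anomalies


if __name__ == "__main__":
    for entry in describe_roles(mine_candidate_roles(USER_PERMS), USER_DEPT):
        print(entry)
    print("review:", find_anomalies(USER_PERMS, USER_DEPT))
```

On this sample the mined roles include a “crm:write + mail” role that spans both departments and a single flagged user (frank), which is exactly the kind of output an administrator would want to compare against the org chart before acting.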

If OpenID is the Answer, What Was the Question?

Posted in Uncategorized by Research on Identity Management Blog on September 2nd, 2007 | No Comments

I’ve recently been asked this question, which I am now turning over to the Identity Management community (I am very keen to hear your replies …).

My current answer is that OpenID provides a simplified, open-source based approach to SSO, for low-cost/low-risk transactions on the web, primarily in consumer/user-driven, B2C environments.

An article titled “The Case for OpenId”, by Phil Becker, makes a more compelling case for OpenId. However it must also be said that:

  • There are not many use-cases justifying the usage of OpenId in other contexts, such as enterprises or B2B contexts (thanks to the people who suggested a few of them). Still looking for suggestions from the community …

  • Recent blog discussions have highlighted potential OpenID limitations (in terms of trust, privacy and security – e.g. see here, here and here), along with possible ways to mitigate some of them (such as identity phishing, see here) by leveraging CardSpace and/or other approaches

What else to say?

On Databases and Balancing Privacy with Utility

Posted in Uncategorized by Research on Identity Management Blog on September 1st, 2007 | No Comments

I’ve just finished reading this article, published by ScienceDaily, called “Databases Must Balance Privacy with Utility, says the Professor”. The Professor mentioned by this article is George Duncan, Carnegie Mellon University.

I tend to agree with his points, in particular: “Agencies like the U.S. Census Bureau produce a voluminous amount of data, much of which is of tremendous value to social scientists and other researchers. But the data also includes personal information that, under the law, must be protected and could be harmful were it to fall into the wrong hands. Thus, organizations that maintain such databases need to devise ways to protect individuals' privacy while preserving the value of the information to researchers”.

Prof. Duncan also raised an important question: “How can data be made useful for research purposes without compromising the confidentiality of those who provided the data?”

I would say that this question applies not only to “research contexts” but also to any other context and purpose where personal data is accessed, used and disclosed (e.g. for business, marketing or other reasons). Privacy management is indeed a very complex topic, and has different connotations depending on the context and the type of personal information, as mentioned in the article.

In my opinion, when specifically discussing privacy-enhancing solutions in an enterprise/organisation context, it is also important to consider (1) the role that current identity management solutions have in enterprises, (2) the complex enterprise processes and information flows that involve identity information and (3) the fact that different types of data repositories are used in enterprises (i.e. not just RDBMS databases but also LDAP directories, meta and virtual directories, etc.).

In this context, privacy management is ultimately yet another aspect of enterprise IT and data governance and is handled from business and regulatory compliance perspectives: enterprises deal with it in terms of risk management and threat mitigation. In order to be adopted, privacy-enhancing proposals need to recognise this situation and leverage (and potentially extend/be compatible with) current enterprise identity management solutions - for practical and economical reasons.

At HP Labs we have been working in this direction during the last 3 years, in particular in the context of two related R&D projects:

An overview of other related R&D privacy management projects can be found in my web page.

New “Identity & Access Management Services” Report

Posted in Uncategorized by Research on Identity Management Blog on August 31st, 2007 | No Comments

I’ve just come across this site providing an overview of a new report (to be released in September 2007), titled “Identity & Access Management Services”, by Research&Markets:

“The “Identity & Access Management Services” report provides extensive research and rational analysis on the Identity Management industry at global level. This report has been made to help clients in analyzing the opportunities, challenges and drivers critical to the growth of identity management service industry. The forecast given in this report is not based on a complex economic model, but is intended as a rough guide to the direction in which the market is likely to move. It is based on a correlation between the past market growth and growth of base drivers….”

Here are some of the key findings of this work, including a list of the issues, facts and players that have been analysed:

“Key Findings

  • Identity management services industry is expected to grow at a CAGR of 7.28% over the period 2007 to 2011.
  • It is forecasted that hardware token authentication market will grow at a rate of 10.72% from 2003 to 2009.
  • Increasing investment in identity management-related technologies will further drive the identity management services industry in future.
  • Use of identity management services will curtail the administrative time up to 50%.
  • Identity management services can be applied to different industry verticals like banking, defense, and automotive manufacturing.


Key Issues and Facts Analyzed

  • The market size of the global identity management services industry.
  • Analysis of various challenges and opportunities for the industry.
  • The factors driving growth in this sector.
  • SWOT analysis of key players operating in the industry.


Key Players Analyzed

This section covers the key players operating in the global identity management service industry including BMC Software, Inc., Computer Associates, Novell Inc., Cisco Systems Inc., Accenture, IBM Corporation, Hewlett Packard Co. etc.”

Further information is available here, including a “Table of Contents”.

The “Industry Analysis” (and related SWOT analysis) and “Future Outlook (2007-2011)” sections might potentially provide some interesting insights about the current status of Identity Management technologies/services and where this area is heading; however, it must be said that this report is not free (and actually it is quite expensive …).

Top Challenges and Opportunities in the Identity Management Space

Posted in Uncategorized by Research on Identity Management Blog on August 30th, 2007 | No Comments

I’ve been invited to be part of a panel at the 4th International Conference TrustBus 2007 (chair: Prof. Gunther Pernul), to discuss “Managing Digital Identities – Challenges and Opportunities”.

In my opinion the top challenges that Identity Management is going to face in the next 5 years are the following:

  • Improve Users’ Control on Their Personal Data (within Devices and Orgs)
  • Enterprise Privacy Management: Automation of Privacy Management and Regulatory Compliance in Enterprises
  • Alignment of Enterprise IdM Practices and Solutions to Business-driven IT Management (ITIL, etc.): Identity Governance, Risk and Assurance Mgmt
  • Secure, Privacy-aware and Trustworthy Federated IdM/SSO
  • Interoperability between various Federated IdM/SSO initiatives
  • Standards to enable Data Exchange between Enterprises/Orgs driven by Security and Privacy Policies and Users’ Preferences
  • Exploitation of Web 2.0 + Identity 2.0 in Enterprises/Organisations …

On the other hand, I believe that the top opportunities are:

  • Improve overall Enterprise IdM Practice and User Experience/Control …
  • New Research & Development Opportunities in the Identity Management Area both at the User and Enterprise sides
  • New Business Opportunities in the Identity Management space in terms of IdM Services, Solutions, Products, …

What is your opinion? Do you have any different view and/or suggestion on challenges and opportunities?

UK Public Spending on Identity Management set to Surge to £5.2 billion by 2011

Posted in Uncategorized by Research on Identity Management Blog on August 28th, 2007 | No Comments

A recent article by Kable, called “Whitehall to boost identity spend by £5.2 billion” reports that:

“Spending on IdM is ready to leap by almost 50% next year from £825m to £1.23bn, propelled by major programmes such as the National Identity Card Scheme, e-Borders, the Police National Database and the National Offenders Management Systems. Total IdM spend in the period 2008-2011 will amount to £5.2bn. This follows a prolonged period of strong growth since 2000 when total IdM spend was just £135m, and maintains the trend of central government being the biggest spender …

Behind the growth is the government's well publicised desire to deal with identity fraud, illegal immigration and the threat of terrorism, along with the drive for government bodies to share more information in integrating services. The latter has to include a strong element of IdM to ensure that officials only have access to the information appropriate to their roles. It could, however, run into problems deriving from fears over the development of a "surveillance society", worries over the reliability of databases and biometric technology, the attractions that new systems could provide for fraudsters, and implementation delays.”

This article says that to obtain a copy of the related Kable report, called “Identity management in the UK public sector until 2011”, it is necessary to contact Matt Phelan on +44 20 7061 3235 or matthew.phelan@kable.co.uk.

OpenId and its Security, Privacy and Trust Issues: Next Steps to Address Them?

Posted in Uncategorized by Research on Identity Management Blog on August 24th, 2007 | No Comments

I agree with the comments made by Jeff (in a recent post called “Compendium of OpenId Issues”) about current OpenId limitations. I’ve also found the analysis made by Stefan Brands in his post about current OpenId issues very educational and comprehensive.

Of course, I believe that OpenId provides value but I also see some of the key limitations and related threats (in terms of privacy, security and trust), when considering them from (1) an end-user perspective and (2) potential future adoption of OpenId in enterprise contexts – if “valuable” transactions and/or assets are involved.

Kim Cameron’s post, called “Integrating OpenId with InfoCard”, suggests an interesting approach to mitigate some of these issues (in particular identity phishing) by leveraging InfoCard/CardSpace. I’ve also found on the web other people’s suggestions and ideas on how to solve other specific issues.

However, in general, what is the OpenId community’s reaction to these issues and criticisms? Is there any site or document tracking these issues and describing how the OpenId community plans to address them, along with plans/roadmaps?

Public Webcast - Identity Enables Mobility with Security: Identity Centric Architecture aligning SOA with Next Generation Networking …

Posted in Uncategorized by Research on Identity Management Blog on August 23rd, 2007 | No Comments

I’d like to create awareness about a potentially interesting webcast, on August 29 (“Identity Enables Mobility with Security: ICA aligning SOA with NGN”), by Rakesh Radhakrishnan (Sun Microsystems):

“Rakesh Radhakrishnan (http://www.identity.futuretext.com/), an IT architect with Sun, joins us to present the second in a series of webcasts exploring the intersection of Identity Management with SOA. Based on experiences Rakesh has had working in the telco sector, Rakesh will explore the strategic significance, market requirements and all the potential possibilities of leveraging Standards based Identity Systems for an Enterprise IT environment (& Enterprise Architecture) and Telecommunication environment to provide a pragmatic view for the future in network convergence and converged services based on Service Oriented Architecture. Specific topics included will be:

  • Overview (Identity for SOA and NGN)
  • Identity for Sensor Networks
  • Identity for Programmable Networks
  • Identity for IMS
  • Identity for OAM
  • Identity for NGN IN
  • Identity for Web Services/ESB
  • Identity for Content/DRM
  • Identity for Devices
  • Identity for Enterprise Networks
  • Identity for Storage and ILM”

More information about this webcast, along with details about (free) registration, can be found here.
