Dialetheism and Multipolarity

In his Philosophical Remarks, L. Wittgenstein wrote prophetically: "I predict a time when there will be mathematical investigations of calculi containing contradictions, and people will actually be proud of having emancipated themselves from contradictions." The import of this statement is deeper than you may think, because it puts into question not only what is the …

Against all Cyber wars (and the others)

Security professionals need to take a hard look at the “spirit of the times,” the ideological atmosphere that surrounds us and our clients, and take a step back. A most concerning part of the current scenario is that the presumptions around so-called “Cyber war” are taking hold, and slowly becoming part of “reality.” In general …

“Leadership”

I was browsing today the publications index of the Harvard Business Review and found 960 articles dedicated to the subject of leadership. Years of publications. If only one of these articles were complete, in the sense that it addressed not only the subject of leadership but also the causes of the total lack of leadership …

Missing Third Parties in IT Operations

I believe that a discussion of “third party risk” is useful in the context of privacy and security in electronic commerce and social media. To fully understand the debate, it is good to look into the current ideas about “third party risk” in so far as these appear in the Security practice. IT manuals usually …

David Graeber: “a possible vision of hell”

David Graeber is Professor of Anthropology at the London School of Economics. "Once, when contemplating the apparently endless growth of administrative responsibilities in British academic departments, I came up with one possible vision of hell. Hell is a collection of individuals who are spending the bulk of their time working on a task they don’t …

False Trade-Off between Security and Freedom

It is extremely concerning to see political figures and even business leaders admonishing the general population of the Western countries stating that privacy and freedom need to be traded for “security.” Democratic and civic principles are abandoned by those who should defend them and instead recommend their destruction for political ends. State bureaucrats improve even …

Analysing the NSA/BAH case

In months and years to come, Security sales teams will bring up in conversation the name of Mr Edward Snowden as an example of “insider attack,” perhaps to highlight security risks or recommend “new” technologies to protect organisational assets. Snowden's actions will be compared with the paradigmatic Société Générale case, where lack of controls allowed …

We are Persons and Citizens

Public and private actors are aligning largely into two camps in respect to the controversy generated after recent press and whistle-blower reports on mass surveillance and secret data mining. This alignment by no means is transparent, and many will be surprised to see that there are both liberal ("progressive") and conservative voices that don't see "what the fuss is about." It is …

Identity Assurance Services

The following notes address current initiatives for the creation of an identity “assurance market”. This has been a permanent area of interest in the public and private sectors for years, but a complete solution has not been found to date. The text below discusses the problems arising from the trusted third party or hub …

After The Clouds

In the past few years an interesting exchange of opinions has been taking place between Larry Ellison and Marc Benioff, respectively CEOs of Oracle Corporation and Salesforce.com. This debate was summarised by Bob Evans writing in Forbes Magazine. (1) Computerworld and InformationWeek carried at the time good descriptions of the discussion. (2) & (3) I had …

The Cloud is (not) what I say it is (not)

The simplest way to appear “on top of your subject” is to avoid contradictions when you speak. It does not matter if you know your subject, for in a generalised Services Economy there are hardly any standards. When presenting something, just be consistent and utter tautological implications. For example: “We need a consistent plan to …

What IT does not do (never did, and never will)

In May 2003, Nicholas Carr predicted the end of Corporate Computing: "Something happened in the first years of the 20th century that would have seemed unthinkable just a few decades earlier: Manufacturers began to shut down and dismantle their waterwheels, steam engines and electric generators. They no longer had to run their own dynamos; they could …

IAMaaS is not SaaS

The Cloud is many things and it is particularly one thing for those who approach it with the eyes of the computer revolution of the 20th Century: the Cloud phenomenon appears as an ever more slick incarnation of the out-sized computer, sitting somewhere remote and isolated, capable of everything, ever-present. To the hammer, everything looks …

What is an Error?

Here is a new version of an article I published in 2006 in my old web site. I have expanded the article with more recent material pointing to the idea of the "completeness" of action and the need for new conceptual foundations for Information Security. The original article did not explain the need for new …

Eclosion: The Future of Identity Management

As I mentioned in a previous post, I attended the 13th CISO Roundtable in Zeist on December 14th. The participants—all senior Security and Risk management leaders—engaged in a lively discussion. Floris van den Dool, the Accenture EALA Security Lead, managed to deliver yet another successful gathering focused on Security Management. The subject of the meeting, “The Future …

Thinking of the Future: Identity and Access Management

I spoke at the 13th CISO Roundtable in Zeist, Netherlands on December 14th, 2010. This event had the participation of CISOs from Europe and the theme of the gathering was "The Future of Identity Management." How do you address such a challenging subject making sense of the fast changing landscape of Security and Identity and Access Management? I …

Required: Varieties of Identity to Deliver the Value of Cloud Computing

If you remain alert to the trends and changes of the information technology markets, there are moments when you feel that history repeats itself. This has been the case for the past 2-3 years with the rise of so-called Cloud Computing. It is evident that the combination of virtualisation, hosting, web services, new security protocols, …

I&AM: More than People, Process and Technology

In techno-centric environments it is not rare to find a strong emphasis on "people, process and technology". These are three aspects consistently covered by presentations, papers, books, proposals and reference materials. This kind of emphasis is shared by the major consulting firms and market research organisations like Gartner and Forrester. It is important to remark that this …

Hans Wierenga on Trust, Respect & Utility

Hans Wierenga recently published in SOA Magazine (Issue XLII: August 2010) a brilliant article analysing the predicament of the Security disciplines. The title itself is ‘to the point’: “Why the Information Security Consultancy Industry Needs a Major Overhaul” (http://www.soamag.com/I42/0810-1.php) Wierenga writes: “Unfortunately, the current information security vocabulary - in particular, as embodied in …

I&AM Programme Layers

The Identity and Access Management Architecture defines three layers of I&AM processes. These are essentially business processes engineered to provide centralised user management, access control, account lifecycle management and security policy compliance. The three layers are: 1. IDENTITY INTEGRATION: Identity Data Governance, Identity Validation, Role Engineering, Directory Integration and Directory Rationalisation 2. ACCOUNT LIFE-CYCLE MANAGEMENT: Authorisation Workflows, …

I&AM in the “Circle of Trust”

The I&AM Reference Architecture must be based on the idea of the "Circle of Trust". I take this notion from a paper published by John Arnold in 2006. In this context, "security" is interpreted as the definition, the establishment, the enforcement and the verification of trust. The I&AM domain is conceived in terms of "establishment …

I&AM beyond the “standard approach”

At the core of the I&AM domain we find the architectural principles of Identity Data Management and Identity Data Ownership. Contrary to appearances and technological trends, I&AM is essentially data management and its correct understanding will lead to the application of both industry and enterprise standards in the sphere of information management. I&AM must be …

I&AM and Organizational Transformation

Many times in my career I have been asked "What is Identity and Access Management and how does it work?" Even Security professionals feel unsure about the scope and nature of our discipline. Identity and Access Management --I always say-- is above everything else, a security discipline, but it would be a misunderstanding to interpret …

The Next Task

"We are now, admittedly, the masters of the Earth and the world, but our very mastery seems to escape our mastery. We have all things in hand, but we do not control our actions. Everything happens as though our powers escape our powers. Our consequences outstrip our deliberate intentions. So, it no longer depends on …

Mapping the Logic of Action

The Aristotelian "square of oppositions" is at the centre of recent developments in the geometry of logic. The image below is a modified representation of the logical tetra-icosahedron defined by Regis Pellisier [2004, 2009]. I have moved the nodes and edges around to better show the standard logical square (depicted in red). The labels "Immediate", …

Geometry of Oppositions (Logic!)

Continuing with the subject of logic, here is a diagram I did after reading the work of A. Moretti [2003, 2004], H. Smessaert [2004, 2009] and R. Pellisier [2004, 2009]. These researchers have found --following previous progress achieved mainly by Blanché [1953] and Sesmat [1951] -- that logical oppositions can be represented geometrically in a …

Security Perspectives

The Circle of Trust for Information Systems Security

The philosophy behind these pages and the I&AM Reference Architecture is based on the idea of the “Circle of Trust”. In this context, “security” is interpreted as the definition, the establishment, the enforcement and the verification of trust. (Reference: John Arnold, Information Security Bulletin, 2006). The I&AM …

St. Anselm of Canterbury: Logic of Action

Are you interested in Actor-Oriented-Programming or the "logic of agency"? If the answer is yes, then you will benefit from studying the XII Century work by Anselm of Canterbury (St. Anselm). The works of Sara Uckelman and Douglas Walton (see notes in the Mind Map) gave me surprising insights into the achievement of this "old" …

From “The Path to Assured Solutions” (2006)

"Security architects and practitioners need to develop an integrated data model that will enable end-to-end user management and access auditing. This article proposes a data model and reviews ideas that could constitute the basis for Security Management enhancement and progress. There is constant progress in the Security Management discipline. Now we see IT Security Management …

Beyond Risk-Based Security

Donn Parker's approach to security: "The bottom line is that no matter how elaborate or “scientific” the risk assessment methodology is, whether it is Octave, FAIR, FRAP, or even Dr. Kevin Soo Hoo’s that is the most complete mathematical model of risk assessment methods ever developed, there are no sufficiently valid frequency and impact …

Logic of Action II (2009)

The Aristotelian "square of oppositions" is at the centre of recent developments in the geometry of logic. The image below is a modified representation of the logical tetra-icosahedron defined by Regis Pellisier [2004, 2009]. I have moved the nodes and edges around to better show the standard logical square (depicted in red). The labels "Immediate", …

Security: The Circle of Trust

The philosophy behind the I&AM Reference Architecture is based on the idea of the “Circle of Trust”. In this context, “security” is interpreted as the definition, the establishment, the enforcement and the verification of trust. (Reference: John Arnold, Information Security Bulletin, 2006). The IAM domain is reflected in terms of “establishment of trust” under the …

The Conditions of Error in Security Investment Decisions

Figure: Negative Feedback Chain in Solution Definition and Execution (© Carlos Trigoso, 2008 - 2009)

Executive Summary: This paper is based on many years of investigation working for major organizations. The paper summarizes the results of my investigation, revealing multiple inter-linked problems which determine a very low level of integration and lack …

On the “vision of the anointed”

A general characteristic of the "vision of the anointed" is that within its framework a single cause is chosen to be imposed as the most important of the day only because of circumstantial preferences, personal history, and other limitations. This is evident not only in the fact that a particular "cause" many times is shown …