We recently finished a project on privacy & security in the cloud for SURFnet (the Dutch NREN, responsible for the Dutch research network and the middleware services on top of it). Basically, we supplemented the work of others, which focussed on the contractual and legal perspective, with a more technological perspective. We listed what an organisation can do itself to improve privacy & security when taking applications to the cloud, focussing on authentication, authorisation, provisioning/account management and encryption. Below is a more elaborate blog post in Dutch.
We did a very interesting project for a large Dutch bank (Rabobank) and IBM to determine the usefulness and feasibility of Context-enhanced Authorization in the banking sector. We focussed here on employees, and on taking their context (location, device used, etc.) into account for authorization decisions. This would allow authorization to become more dynamic and address new trends such as nomadic working (Dutch: Het Nieuwe Werken) and Bring Your Own Device. An important technology in this project was XACML, for which we used IBM’s tooling (Tivoli Security Policy Manager). In short, the outcome was: yes, it is useful, and yes, it is feasible.
Today I presented the project at a XACML seminar, organized by PIMN, CSA, PvIB and SURFnet. I repeat the key take-aways here: