Mary Ellen Zurko

Summary:

Specializing in the cusp of research and development; research with practical impact, or "version 0" development. Over two decades of work in user-centered security, in research, early product prototyping, and product development. Experience across the entire lifecycle of software products, from technology transfer, to initial product definition and delivery, to mature product maintenance.
Experience:

IBM Software Group, Littleton, MA
Security Architecture for LotusLive Cloud Offerings
January 2007 to present

Security architect for LotusLive brand of Software as a Service collaboration offerings. Defined and delivered security features, value proposition and test approach in file sharing, social networking, instant messaging, emeetings and other collaboration services and their infrastructure. Worked with components entirely developed within the team, integrated from other parts of IBM, and components from acquisitions. Led engineers in design and implementation of security features, protocols, integration, and deployment. Created security quality processes and goals. Engaged in customer presentations and discussions. Set direction and plans for security features based on customer, market, and business needs. Drove security partner relations. Authored whitepapers on LotusLive security. Set priorities and trade-offs around security requirements. Addressed potential vulnerabilities, including Web 2.0 and social networking vulnerabilities, phishing, and spam. Created and led community of cross-cutting security experts that functions as decision-making body. Outstanding Technical Achievement Award for Security Leadership for LotusLive.

Innovation leader through patent invention and direction. Master Inventor (recognizing mentorship, engagement in the Intellectual Property process, and patenting). Lead of Security Patent Review Board for IBM Software Group, determining direction of patent inventions from North America. Four patents issued. 31 patent applications filed over 9 years.

Security Architecture and Strategy for Workplace, Portal and Collaboration Software (WPLC, aka Lotus) division
September 2004 to December 2007

Security strategy definition and execution as part of the WPLC CTO office. Special projects on user-centered security, antispam, content protection, digital rights management, code security in Java/Eclipse, data leak prevention, security as a system quality and software as a service. Experience working with partner companies and all internal stakeholders of software products, including business development, product management, acquisition teams, sales, support and services. Successful technology transfer of security research into product. Defined security architecture and plans for Connections 2.0, IBM's social networking product. Introduced vulnerability discovery and tracking processes to Workplace, Connections, and other IBM products.

WPLC Patent Innovation Architect and Brand Lead, and Patent Review Board Chair. Operational responsibility for the processing of over 1/5 of IBM SWG North America patent disclosures, with strategic oversight of over 1/2. Cooperation with intellectual property lawyers internationally. Approximately 12 patent applications filed. Awards for patent disclosure quality, Master Inventor, and lead of WPLC Master Inventor selection team. Defined patent strategy. Led team identifying top issued patents from WPLC.

Extensive mentoring across geographies and diversity categories.
Workplace products Security Architect
October 2001 to September 2004

Lead Security Architect for all of Lotus Workplace Collaboration Services and Workplace Managed Client. Defined security goals, requirements, and architecture of Lotus Workplace Messaging v1.0, Lotus Workplace v1.1, Lotus Workplace v2.0 and IBM Lotus Managed Client and Workplace 2.5 products, including the areas of authentication, network protection, authorization, active content, encryption, anti-spam. Team lead of Workplace Infrastructure Security team (11 members, spanning US and India). Security architect responsibilities spanned entire development team. Founder and Chair of Lotus Security Working Group. Lotus representative on many corporate security and privacy task forces. Responsible for selecting Lotus funded security and privacy research and technology transfer of the results. Steering committee of IBM Massachusetts Women’s diversity organization and co-chair of survey subgroup.
Iris Associates, Westford, MA
Security Architect
June 1998 to October 2001

Security team lead responsible for iNotes Web Access. Defined, designed and implemented active content filter for malicious mail dynamic content. Architected and led design of support of encrypted mail. Security Group team member responsible for active content security for client agents (Workstation Execution Control Lists) and authorization (ACLs) in Lotus Notes/Domino.

Team facilitator, architect and implementer on Jonah project, a freeware reference code base for PKIX, a public-key infrastructure IETF standard. Designed and developed core policy modules, certificate cutting code, certificate revocation lists, and registration authority enrollment. Two IBM awards for teamwork, at the division and SWG levels.
The Open Group Research Institute, Cambridge, MA
Senior Research Fellow
August 1994 to June 1998

Project Leader of Adage, a user-centered authorization research project. Directly responsible for proposals that led to approximately $2 million in contracts for related work (including Pledge, a follow-on project to deploy Adage in the DoD’s Next Generation Information Infrastructure). Security consultant for many more successful contracts. Led and mentored teams staffed up to 11 engineers. Produced initial high level Adage architecture, designed and helped implement graphical user interface and authorization policy language, specified mapping from authorization language to underlying engine data structures. Led design of deployment enhancements under Pledge, including access control on authorization information and expanded query facilities. Wrote high and low level design of Map, a prototype of rule-based authorization engine for a DCE Web server. Implemented server-side management of rules and related structures and client side management function through a proxy interface. Designed model for trust relationships between authorization service and authentication and attribute sources, including amount of trust, type of trust, and distrust. Designed, administered, and documented results and recommendations of contextual inquiry and formal usability tests.

Founding member of the DCE Web project that designed and implemented World Wide Web servers, browsers, and gateways that took advantage of DCE security and naming. Designed and implemented access control list manager and callbacks, and toolkit/server integration of initial prototype.
Digital Equipment Corporation, Littleton, MA
Distributed Processing Engineering
September 1992 to August 1994

Project leader for first GUI tool on Digital’s DCE platforms (a Visual DCE ACL Editor). Created and designed the product, coded the UI (in Visual C++), ran usability tests. Shared project leader responsibilities for DCE Client for Windows. Technical lead in researching graphical DCE management tools, and in integration with other management tools at Digital and with Windows/NT.

Early adopter of Visual C++ v1.0. Taught classes in Visual C++ to other members of my organization.

Responsible for testing first port of OSF DCE to OpenVMS.
Digital Equipment Corporation, Littleton, MA
Secure Systems Group
June 1986 to August 1990

Privacy-Enhanced Mail, May 1990 to August 1990
Designed and implemented new user interface to PEMail prototype.

VAX Secure Virtual Machine Monitor, June 1986 to April 1990
Project leader of design and implementation of user interface, and of design and development of user interface tests and testing process. Designed look and feel of confirmation displays for secure-attention commands, and untrusted command support (patented). Implemented command processing infrastructure. Designed reference monitor for subjects.

Co-owner of full system functional specification. General resource for usability, security, and product functionality, both inside this group and to other organizations (customers, NCSC (aka NSA)).
Prime, Framingham, MA
CAD/CAM User Interface Group
November 1984 to June 1986

Designed end user interface of Prime’s first internally developed CAD/CAM product, PrimeDesign (including menus, windows, and advanced graphics). Designed application programmer’s interface to the user interface modules. Designed and implemented menu manager, message manager, and help system.

Digital Equipment Corporation, Nashua, NH
Office Automation Performance Evaluation
June 1982 to November 1984

Evaluated resource utilization, bottlenecks, and code. Set performance goals, ran workloads, and proposed enhancements for office automation products. Created group’s first study of user perceived performance.
Education

Massachusetts Institute of Technology, Cambridge, MA
Master of Science, Computer Science, August 1992
Coursework -- Technology Strategy, Engineering Risk/Benefit Analysis, Distributed Algorithms, Object-Oriented Databases, Knowledge-Based Systems, Programming Languages, Theory of Computation.
Bachelor of Science, Computer Science, June 1982
Publications

“To Market, To Market: Human-Centered Security and LotusLive”, Security and Privacy Usability Technology Transfer: Emerging Research Workshop, 2010.
“Adaptive Security Dialogs for Improved Security Behavior of Users”, INTERACT 2009.
“Using Recommenders for Discretionary Access Control”, Web 2.0 Security and Privacy 2009 (W2SP).
“User-Centered Security: Stepping Up To The Grand Challenge”, Invited Essay and keynote speech, proceedings of Annual Computer Security Applications Conference (ACSAC), December 2005. Follow up invited talks at MIT, WPI, Nokia Research, University of Newcastle, Carleton University.
“Embedding Security in Collaborative Applications: A Notes/Domino Perspective”, chapter of Security and Usability: Designing Secure Systems That People Can Use, O’Reilly, 2005.
“Did You Ever Have to Make Up Your Mind? What Notes Users Do When Faced With a Security Decision”, Proceedings of Annual Computer Security Applications Conference (ACSAC), December 2002.
“Performance Considerations in Web Security”, invited paper to International Workshop on Certification and Security in E-Services and IBM Technical Report, 2002.
“Tracking Influence Through Citation Index Comparisons and Preliminary Case Studies”, invited paper and panelist, proceedings of New Security Paradigms Workshop, 2001.
“Jonah: Experience Implementing PKIX Freeware”, Proceedings of Usenix Security Symposium, August 1999.
“A User-Centered, Modular Authorization Service Built on an RBAC Foundation”, Proceedings of the IEEE Computer Society Symposium on Security and Privacy, May 1999.
“Separation of Duty in Role-based Environments”, Proceedings of IEEE Computer Security Foundations Workshop, June 1997.
“User-Centered Security”, Proceedings of New Security Paradigms Workshop, September 1996 (also in NSPW Highlights of the First Five Years).
HTTP 1.0 and HTTP 1.1 specifications in the IETF HTTP working group (acknowledged contributor).
“The DCE Web Project: Providing Authorization and Other Distributed Services to the World Wide Web,” Poster paper for the Second International World-Wide Web Conference, October 1994.
“What are the Foundations of Computer Security?,” Proceedings of IEEE Computer Security Foundations Workshop, June 1993 (Panel Chair).
“Attribute Support for Inter-Domain Use”, Proceedings of 5th IEEE Computer Security Foundations Workshop, June 1992.
“A User Attribute Service Supporting Least Privilege in Distributed Applications”, MIT Master’s Thesis, August 1992.
“A Retrospective on the VAX VMM Security Kernel”, IEEE Transactions on Software Engineering, Vol. 17, No. 11, November 1991.
“A VMM Security Kernel for the VAX Architecture”, Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, May 1990 (Best Paper award).
Patents and Patent Applications

7,926,112 System for protecting a computing system from harmful active content in documents
7,853,471 Instant messaging auto-scheduling
7,697,551 System for instant message to telephone speech and back
7,607,172 Method of protecting a computing system from harmful active content in documents
7,036,022 Verification of trusted-path commands
6,871,283 Processing trusted commands in trusted and untrusted environments
6,507,909 Method for executing trusted-path commands
31 patent applications filed while at IBM
Invited Posts, Talks and Awards

“User-Centered Security: From Grand Challenge to Technology Transfer”, invited talk, MIT’s Lincoln Laboratory, September 2011.
“Web Security Context: User Interface Guidelines” short talk, Workshop on Usable Security Indicator Conventions (WUSIC), Invited panelist, “Obstacles to Adopting UX Indicators as Conventions/Standards”, WUSIC co-chair. SOUPS 2011.
“We Are All Watchers On This Bus: Can Social Network Transparency Substitute for Traditional Business Oversight?”, lightning talk, SOUPS 2011.
“Usability in Development: Perspectives from Lotus and LotusLive”, invited talk, Software and Usable Security Aligned for Good Engineering Workshop, April 2011.
Speaker at Lotusphere, the IBM Collaboration Service division's top customer event, 2011, 2010, 2007 - 2003. “Trusting Your Data to IBM LotusLive and IBM LotusLive Notes” in 2011. “Lotus Brings Security to the Cloud with IBM LotusLive” in 2010. "New Java Security Standards in the IBM Lotus Notes 8 Client" in 2007.
“An Introduction to Usable Security”, tutorial, ACSAC 2010.
Security & Privacy Usability Technology Transfer: Emerging Research Workshop, creator and co-chair, SOUPS 2010.
“LotusLive Notes Security” whitepaper, 2010.
“LotusLive iNotes Security” whitepaper, 2010.
Chair of W3C Web Security Context (WSC) working group, October 2006 – August 2010. Produced the W3C Recommendation Web Security Context: User Interface Guidelines. Invited talk on standards and usable security at Usability, Psychology and Security, 2008. Discussion session on standardizing usable security at SOUPS 2007.
Steering committee member for Symposium On Usable Privacy and Security (SOUPS), 2010 – present. Paper chair, 2005. Program committee member from inception to the present.
“LotusLive Engage Security” whitepaper, 2009.
“Unyte Meetings Security” whitepaper, 2009.
Invited Panelist, “Usability meets access control: challenges and research opportunities”. SACMAT 2009.
Lead of discussion session, “Technology transfer of successful usable security research into product”, SOUPS 2009.
Invited panelist at RSA on the topic of Usable Security, 2008.
Panel organizer and moderator, “Usable Cryptography: Manifest Destiny or Oxymoron?”, Financial Cryptography 2008.
General co-chair of WWW2007.
Invited Panelist, Security Issues, speaking on "Authentication, Trust, and Risk in Web-based Business", WWW2006.
Program Committee, W3C Workshop on Transparency and Usability of Web Authentication, 2005.
“Usability of Security Administration vs. Usability of End-User Security”, Panel speaker, SOUPS 2005.
“Web Security – why is it so darn hard?”, Keynote, AusWeb 2004.
Chair of IW3C2 (2008 – present), member (1997 to present). Program chair of WWW10 (WWW2001). Ecommerce and security vice chair for WWW8 and WWW9 and WWW2002. Industrial Track Vice Chair WWW2003. Program committee member for WWW4, WWW5, and WWW6 and WWW2003. Invited member of Security Panel for WWW4 and WWW3. Organized and chaired Security BOF for WWW2.
“Security Evaluation and Assurance Lessons from Business, Marketing, and HCI”, Panel speaker on The Relationship of System and Product Specifications and Evaluation, ACSAC 2004.
Applied Computer Security Associates (ACSA) Fellow; steering committee for Annual Computer Security Applications Conference and sister conferences, 2004 – present.
Electronic Commerce Research special issue on Electronic Commerce, Security, and Privacy, Volume 5, Number 1, January 2005, co-editor.
Women to Watch 2004 award from Mass High Tech.
Member of NRC panel assessing the National Institute of Standards and Technology Measurement and Standards Laboratories, 2000 – 2005. Co-author of 2001 and 2002 reports. Chair of security sub-panel, 2003 - 4.
Editor of Springer's International Journal of Information Security (IJIS) (2000 – 2006).
General chair for New Security Paradigms Workshop, 2000. Vice chair ’99. Program chair ‘97 and ‘98. Program committee member 2001 – 2003. Steering committee 1997 – present.
Expert Panel: What’s Missing in Web Services Security?, W3C/OASIS forum on Web Services Security, 2002.
Computer Networks Special Issue on XML, co-editor, 2002.
Program committee member and reviewer, Annual Computer Security Applications Conference (ACSAC), 2000 – 2003.
Ecommerce Vice Chair, Symposium on Applications and the Internet (SAINT), 2001.
Program Committee of IFIP Workshop on Internet Technologies, Applications, and Societal Impact (2002).
Member of IFIP Working Group 6.4 on Internet Applications Engineering (2000 – 2004).
Regular contributor to and Associate Editor of Cipher, the electronic newsletter of the IEEE Computer Society’s Technical Committee on Security and Privacy (1997 to 2001).
Panelist, Getting Involved in Technical Standards Organizations, Grace Hopper Celebration of Women in Computing, 2000.
Member of NRC panel on Library of Congress Information Technology Strategy (1999). Co-author of results.
Chair of W3C P3P Preferences Interchange Language Working Group (1998 - 1999).
Invited talk at Digital Commerce Society of Boston, “Oh Jonah, He lived in a whale, Or, How IBM decided to win in ecommerce by embracing standards and donating code”.
Program committee member for Agent Systems and Applications/Mobile Agents, ’99 – ‘00. Program committee member of HICSS ‘98 and WETICE ‘98 agents session.
Program committee member for IEEE Symposium on Security and Privacy 96 - 98.
Invited speaker at the Fourth Computer Misuse and Anomaly Detection (CMAD) workshop on the topic of New Ideas in CMAD (1997).
Invited lectures on Authorization and the DCE Web to the Stanford Distributed Libraries Group and on DCE and DCE Web at W3C (1996).
Advisory committee representative to W3C and member of W3C security working group (1997 – 1998).
“Secure Authorization Issues On The Web”, Tutorial for the Third International World-Wide Web Conference, April 1995.