privacy compliance: technology - gaps, challenges larry korba national research council of canada...
Post on 19-Dec-2015
216 Views
Preview:
TRANSCRIPT
Privacy Compliance: Technology - Gaps, Challenges
Larry KorbaNational Research Council of Canada
Larry.Korba@nrc-cnrc.gc.ca
CACR Privacy and Security, Nov. 1-2, 2006Toronto
Outline• About NRC/IIT/IS• What is the problem?
–Backdrop
• Technologies for Compliance:–Types, Snapshot
• Compliance Gaps–Technologies, Other Challenges
• NRC’s Approach–Project Structure, Early Results
• Summary
Caveats…
• My Opinions– No Endorsements by NRC
• Technology Focus, But… Compliance Needs More Than Technology!
• Ask Questions Any Time…
NRC & NRC-IIT
• NRC– $850M, in every province, 20 institutes– Scientific Research one of its Seven Mandates– Goal:
• NRC-IIT– $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton– 9 Groups– http://www.iit-iti.nrc-cnrc.gc.ca
• NRC-IIT-IS– Security and Privacy Research and Development
Increase Competitiveness through Research that gets Exploited
Security and Privacy without Complexity
What is the Problem?
• From the News:– “Feds Often Clueless After Data Losses” – Oct. 18, 2006
– “Business brass ill-prepared for disasters” – Sept. 26, 2006
– “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006
– “Police warned to improve database security” – Aug. 23, 2006
– “Data Loss is a Major Problem” – Aug. 18, 2006
– “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006
– “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006
– “Patient Data stolen from Kaiser” – Aug. 8, 2006
– “Sentry Insurance Says Customer Data Stolen” – July 29, 2006
– “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006
What is the Problem?Data Explosion
• The Roots of the Problem
ClientsOrganizationOrganization
Data +
Computers Everywhere
+
Expanding Services
+
Marketing,Competition
+
Cheap Storage +
Legislation
-
Regulations/Policies
-Risk Management
-
Technologies for Compliance: The Promise
“Technology makes the world a new place.”
- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).
“Technology makes the world a new place.”
- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).
Technologies forCompliance: Market Drivers
• Compliance– Huge market ($10+ Billion)– Healthy Growth Rate (20% - 50% per year)– Compliance areas:
• Payment Cards, Privacy, Financial Information, Security, Privacy…
– Sectors: Diverse• Government• Healthcare• Tourism/Hospitality• Services, Financial• Manufacturing• Transportation• Military• Others
Technologies for Compliance:Market Drivers
• Bandwagon Effect…– Firewall, Intrusion Prevention, Network Management,
Security/Privacy Policy Management– Consultants
• New Technologies…– To Deal with Different Needs
• Sarbanes-Oxley• Privacy• Intellectual Property Management
– And Emerging Needs• Data Purity
Technologies for Compliance:Backdrop: Key Types
• Compliance– Consulting Services– Internet Service– Appliance– Database– Application
• Focus– Enterprise Systems– Enforcement
• Not Policy: Creation/Distribution/Management – Two Types
• Network-Based• Agent Based• And Combinations of the Above
Technologies for Compliance:Types: Network-Based
• Monitor Network Traffic• Dissect packets
– Determine type of traffic, or data mine content• Flag/Prevent activities denied based upon policy
– Encrypted Traffic
A B C
NTM
Network Packet CaptureUnderstand TrafficMine ContentPolicy InterpretationLog or Prevent Inappropriate Activities
Packet CaptureUnderstand TrafficMine ContentPolicy InterpretationLog or Prevent Inappropriate Activities
Technologies for Compliance:Types: Agent-Based
• Installs on Servers, Desktops, Laptops• “Direct” access to activities• Management Console to Coordinate Actions
A B C
NetworkMine Data “at Rest”Mine Computer ActivityPolicy InterpretationLog or Prevent Inappropriate Activities
Mine Data “at Rest”Mine Computer ActivityPolicy InterpretationLog or Prevent Inappropriate Activities
Console
Technologies for Compliance:Types: Combination
• Best of Both Worlds!
A B C
Network
Console
NTM
Technologies for Compliance
“Technology is a servant who makes so much noise cleaning up in the next room that his
master cannot make music. ”
- Karl Kraus (1874–1936)
“Technology is a servant who makes so much noise cleaning up in the next room that his
master cannot make music. ”
- Karl Kraus (1874–1936)
Technologies for Compliance:Implementation Issues
• Dealing with:– Interactions Between Different Laws/Regulations– Structured or Unstructured Data– Data Server Environments– Content Management
• Automation of Policy Controls– Proactive Enforcement– Or Testing/Scanning
• Flexibility of Forensic Tools• Risk Management Tools• Interactions between Compliance & Existing Systems
– Identity, Document, Project Management, etc.– Network Security, Antivirus, Databases…
Technologies for ComplianceChallenges
“Technology is dominated by two types of people: those who understand what they do not manage,
and those who manage what they do not understand. ”
- Putt's Law
“Technology is dominated by two types of people: those who understand what they do not manage,
and those who manage what they do not understand. ”
- Putt's Law
Technologies for Compliance:Underlying Challenges
• Despite the hype… – There is no Instant, Universal, Ever- Adaptable Solution for Automated Compliance
• You cannot rely on technologies alone• Resources will be required
– Purchasing, – Maintenance, – Related SW & HW, – Staff, – Consultants
• As well, there are technology gaps
Technologies for Compliance:Implications & Challenges
• Monitoring Employee/Guest Computer and Network Activity– There may be little privacy
• Little expectation of privacy
– There may be a great deal of data exposure • How well does the compliance technology protect?
– Balancing Legal Obligation with Employer/Employee Trust Relationship
Technologies for Compliance:Some Examples
• Just a sampling of offerings• Market is changing monthly
Technologies for Compliance:Some Examples
• ACM: www.acl.com– SOX, agent-based
• Googgun: www.googgun.com– privacy “compliance” server
• Ilumin: www.ilumin.com – Assentor
• Vontu: www.vontu.com– Discover, Protect, Monitor, Prevent
Technologies for Compliance:Some Examples
• Verdasys: www.verdasys.com– Digital Guardian
• Oakley Networks: www.oakleynetworks.com– Sureview, Coreview
• Axentis: www.axentis.com– Internet service for SOX compliance
• IBM Workplace for Bus. Controls: www.ibm.com
Technologies for Compliance:Some Examples
• Qumas: www.qumas.com– DocCompliance, ProcessCompliance, Portal
• Stellent: www.stellent.com– Enterprise Content Management
• Reconnex: www.reconnex.com– iGuard 3300
• Tablus: www.tablus.com– Content Alarm NW
Technologies for Compliance:Some Examples
• Intrusion: www.intrusion.com– Compliance Commander
• Vericept: www.vericept.com– Enterprise Risk Management Platform
Technologies for Compliance:Some Examples
• Privasoft: www.privasoft.com– AccessPro (Information Access Privacy)
• Enara Technologies: www.enarainc.com– Saperion + Enara Technologies
• Autonomy: www.autonomy.com– Aungate Division– Data mining for email and voice compliance
• And more…
Technologies for ComplianceChallenges
“Having intelligence is not as important as knowing when to use it,
just as having a hoe is not as important as knowing when to plant. ”
- Chinese Proverb
“Having intelligence is not as important as knowing when to use it,
just as having a hoe is not as important as knowing when to plant. ”
- Chinese Proverb
Technologies for Compliance:Technology Gaps
• Visualization Techniques– Minimize Operator Errors– Learn from Operators
• Accountability and Privacy– Audits, Retention, Access Restriction, Data Life, Rule Sets
• Data Mining and Machine Learning– Better Algorithms: Speed, Accuracy, Privacy
• Semantic Analysis, Link Analysis
– Context: Operator, Similar Operators
• Privacy Aspects– Privacy-Aware Data Mining– Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence
• Better Workflow Integration– Reflect/Understand what “really happens” in an organization– Forensic Tools
• Security Built-In– Protect Data Discovery and Discovered Data– Privacy-Aware Security Protocols
Technologies for Compliance:NRC’s Approach
• Technology Approach:– Inappropriate Insider Activity Discovery/Prevention
+– Privacy Technology
+– Distributed text/data mining
=– Comprehensive Privacy Compliance Technology– Could be applied for other compliance requirements
• Social Networking Applied to Privacy: SNAP
• Strategic project for NRC’s Institute for Information Technology
SNAP Project:Technologies
• Trusted Human Computer Interaction– Simple, Effective Control of Complex Systems
• Automated Work Flow Discovery– Project Management, Organizational Work Flow
• Security Protocols for Privacy Protection– Scalable, effective, efficient exchanges
• Secure Distributed Computing– Authentication, Authorization, Access Control
• Data/Knowledge Visualization– Effective Security/Privacy posture Display
• Privacy-Enabled Data Mining– Protect data while assuring compliance
SNAP Project:Goals
• Create technology that:– Discovers important data within a
corporation• Wherever it may be
– Discovers and visualizes how people work with the data
– Fills the Technology Gaps
• Exploit Results– Widely
Core TechnologyApplication Areas:- Business- Public Safety- Healthcare- Government- Military
Core TechnologyApplication Areas:- Business- Public Safety- Healthcare- Government- Military
SNAP Project: NRC’s Approach
• User-Centered Research, Development, Design– Identify User, Context, and Needs
– Business, Functional, Data and Usability Requirements
– Early Testing
• Privacy Technology User Group– First Users
• Exploitation Interests
Exploitation
User Group
NRC
SNAP
SNAP Project:Privacy Technology User Group
• Goal:– Identify Essential Product– Determine User– Detect Expectations– Define Use Context
• Four Parts– Business Requirements– Functional Requirements– Data Requirements– Usability Requirements
SNAP Project:Privacy Technology User Group
• Analysis– Document– Stakeholder Interviews– Stakeholder Workshops– Observations in Context– Scenarios and Use Cases– Focus Groups with End Users
• Demonstrations, simulation and prototypes
• Targets:– Shared understanding - End User Involvement– Project Scope/Risk Reduction - Requirements Specification
Fully Understand Problem
Product 4Product 3
SNAP Project
SNAPTechnologies
SNAP Project:Organization Picture
Trusted HCI
Automated WorkflowAnalysis
SecurityTechnologiesFor PrivacyProtection
Private DataDiscovery
EffectiveKnowledge
Visualization& Analysis
SNAPDemo
Product 1 Product 2
Privacy Technology User GroupRequirements Focus
NRC-IIT
Company
Background Research
RequirementsGathering
Org. 1-Org. 6
SNAP Project:Some Results(Current Prototype)
• Private data, – SIN, Credit Card number, Address, Email
• Find it anywhere– Any action, any context, any file, any application
• Automated private data workflow discovery– Locate what went wrong and when for automated compliance or
forensics
• Determine normal and abnormal workflow– Correct workflow, discover experts
• Compare flow/operations against policy• Prevent inappropriate operations
– Automatically
Attempting to Open Documents with Private Data
Summary
• Technologies for Compliance
• Brief Compliance Technology Company List
• Technology Gaps
• NRC-IIT’s SNAP Project
Questions?
?Larry.Korba@nrc-cnrc.gc.ca
http://www.iit-iti.nrc-cnrc.gc.ca/
Larry.Korba@nrc-cnrc.gc.ca
http://www.iit-iti.nrc-cnrc.gc.ca/
“Humanity is acquiring all the right technology for the wrong reasons.”— R. Buckminister Fuller
“Humanity is acquiring all the right technology for the wrong reasons.”— R. Buckminister Fuller
top related