Download Slide 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts
no text concepts found
Transcript 
Privacy Compliance: Technology Gaps, Challenges
Larry Korba
National Research Council of Canada
[email protected]
CACR Privacy and Security, Nov. 1-2, 2006
Toronto
Outline
• About NRC/IIT/IS
• What is the problem?
– Backdrop
• Technologies for Compliance:
– Types, Snapshot
• Compliance Gaps
– Technologies, Other Challenges
• NRC’s Approach
– Project Structure, Early Results
• Summary
Caveats…
• My Opinions
– No Endorsements by NRC
• Technology Focus, But…
Compliance Needs More Than Technology!
• Ask Questions Any Time…
NRC & NRC-IIT
• NRC
– $850M, in every province, 20 institutes
– Scientific Research one of its Seven Mandates
– Goal:
Increase Competitiveness through Research that gets Exploited
• NRC-IIT
– $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton
– 9 Groups
– http://www.iit-iti.nrc-cnrc.gc.ca
• NRC-IIT-IS
– Security and Privacy Research and Development
Security and Privacy without Complexity
What is the Problem?
From the News:
– “Feds Often Clueless After Data Losses” – Oct. 18, 2006
– “Business brass ill-prepared for disasters” – Sept. 26, 2006
– “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006
– “Police warned to improve database security” – Aug. 23, 2006
– “Data Loss is a Major Problem” – Aug. 18, 2006
– “Three-Fifths of Companies Suffer Severe Data Loss”
– Aug. 17, 2006
–
–
–
–
“2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006
“Patient Data stolen from Kaiser” – Aug. 8, 2006
“Sentry Insurance Says Customer Data Stolen” – July 29, 2006
“Stitching Up Healthcare Records: Privacy Compliance Lags”
– April 16, 2006
What is the Problem?
Data Explosion
• The Roots of the Problem
Marketing,
Competition
Expanding Services
+
Cheap Storage
+
-
Risk Management
Computers Everywhere
+
+
Organization
Organization
Data
+
Clients
Regulations/Policies
Legislation
Technologies for
Compliance: The Promise
“Technology makes the world a new place.”
- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart
Machine, Conclusion (1988).
Technologies for
Compliance: Market Drivers
• Compliance
– Huge market ($10+ Billion)
– Healthy Growth Rate (20% - 50% per year)
– Compliance areas:
• Payment Cards, Privacy, Financial Information, Security,
Privacy…
– Sectors: Diverse
•
•
•
•
•
•
•
•
Government
Healthcare
Tourism/Hospitality
Services, Financial
Manufacturing
Transportation
Military
Others
Technologies for Compliance:
Market Drivers
• Bandwagon Effect…
– Firewall, Intrusion Prevention, Network Management,
Security/Privacy Policy Management
– Consultants
• New Technologies…
– To Deal with Different Needs
• Sarbanes-Oxley
• Privacy
• Intellectual Property Management
– And Emerging Needs
• Data Purity
Technologies for Compliance:
Backdrop: Key Types
• Compliance
– Consulting Services
– Internet Service
– Appliance
– Database
– Application
• Focus
– Enterprise Systems
– Enforcement
• Not Policy: Creation/Distribution/Management
– Two Types
• Network-Based
• Agent Based
• And Combinations of the Above
Technologies for Compliance:
Types: Network-Based
• Monitor Network Traffic
• Dissect packets
– Determine type of traffic, or data mine content
• Flag/Prevent activities denied based upon policy
– Encrypted Traffic
A
B
Network
NTM
C
Packet Capture
Understand Traffic
Mine Content
Policy Interpretation
Log or Prevent Inappropriate Activities
Technologies for Compliance:
Types: Agent-Based
• Installs on Servers, Desktops, Laptops
• “Direct” access to activities
• Management Console to Coordinate Actions
A
Network
B
C
Console
Mine Data “at Rest”
Mine Computer Activity
Policy Interpretation
Log or Prevent Inappropriate Activities
Technologies for Compliance:
Types: Combination
• Best of Both Worlds!
A
B
Network
NTM
C
Console
Technologies for
Compliance
“Technology is a servant who makes so much
noise cleaning up in the next room that his
master cannot make music. ”
- Karl Kraus (1874–1936)
Technologies for Compliance:
Implementation Issues
• Dealing with:
– Interactions Between Different Laws/Regulations
– Structured or Unstructured Data
– Data Server Environments
– Content Management
• Automation of Policy Controls
– Proactive Enforcement
– Or Testing/Scanning
• Flexibility of Forensic Tools
• Risk Management Tools
• Interactions between Compliance & Existing Systems
– Identity, Document, Project Management, etc.
– Network Security, Antivirus, Databases…
Technologies for Compliance
Challenges
“Technology is dominated by two types of people:
those who understand what they do not manage,
and
those who manage what they do not understand. ”
- Putt's Law
Technologies for Compliance:
Underlying Challenges
• Despite the hype…
– There is no Instant, Universal, Ever- Adaptable Solution for
Automated Compliance
• You cannot rely on technologies alone
• Resources will be required
– Purchasing,
– Maintenance,
– Related SW & HW,
– Staff,
– Consultants
• As well, there are technology gaps
Technologies for Compliance:
Implications & Challenges
• Monitoring Employee/Guest Computer and Network Activity
– There may be little privacy
• Little expectation of privacy
– There may be a great deal of data exposure
• How well does the compliance technology protect?
– Balancing Legal Obligation with
Employer/Employee Trust Relationship
Technologies for Compliance:
Some Examples
• Just a sampling of offerings
• Market is changing monthly
Technologies for Compliance:
Some Examples
• ACM: www.acl.com
– SOX, agent-based
• Googgun: www.googgun.com
– privacy “compliance” server
• Ilumin: www.ilumin.com
– Assentor
• Vontu: www.vontu.com
– Discover, Protect, Monitor, Prevent
Technologies for Compliance:
Some Examples
• Verdasys: www.verdasys.com
– Digital Guardian
• Oakley Networks: www.oakleynetworks.com
– Sureview, Coreview
• Axentis: www.axentis.com
– Internet service for SOX compliance
• IBM Workplace for Bus. Controls:
www.ibm.com
Technologies for Compliance:
Some Examples
• Qumas: www.qumas.com
– DocCompliance, ProcessCompliance, Portal
• Stellent: www.stellent.com
– Enterprise Content Management
• Reconnex: www.reconnex.com
– iGuard 3300
• Tablus: www.tablus.com
– Content Alarm NW
Technologies for Compliance:
Some Examples
• Intrusion: www.intrusion.com
– Compliance Commander
• Vericept: www.vericept.com
– Enterprise Risk Management Platform
Technologies for Compliance:
Some Examples
• Privasoft: www.privasoft.com
– AccessPro (Information Access Privacy)
• Enara Technologies: www.enarainc.com
– Saperion + Enara Technologies
• Autonomy: www.autonomy.com
– Aungate Division
– Data mining for email and voice compliance
• And more…
Technologies for Compliance
Challenges
“Having intelligence is not as important as
knowing when to use it,
just as having a hoe is not as important as
knowing when to plant. ”
- Chinese Proverb
Technologies for
Compliance:
Technology Gaps
• Visualization Techniques
– Minimize Operator Errors
– Learn from Operators
• Accountability and Privacy
– Audits, Retention, Access Restriction, Data Life, Rule Sets
• Data Mining and Machine Learning
– Better Algorithms: Speed, Accuracy, Privacy
• Semantic Analysis, Link Analysis
– Context: Operator, Similar Operators
• Privacy Aspects
– Privacy-Aware Data Mining
– Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence
• Better Workflow Integration
– Reflect/Understand what “really happens” in an organization
– Forensic Tools
• Security Built-In
– Protect Data Discovery and Discovered Data
– Privacy-Aware Security Protocols
Technologies for
Compliance:
NRC’s Approach
• Technology Approach:
– Inappropriate Insider Activity Discovery/Prevention
+
– Privacy Technology
+
– Distributed text/data mining
=
– Comprehensive Privacy Compliance Technology
– Could be applied for other compliance requirements
• Social Networking Applied to Privacy: SNAP
• Strategic project for NRC’s Institute for Information Technology
SNAP Project:
Technologies
• Trusted Human Computer Interaction
– Simple, Effective Control of Complex Systems
• Automated Work Flow Discovery
– Project Management, Organizational Work Flow
• Security Protocols for Privacy Protection
– Scalable, effective, efficient exchanges
• Secure Distributed Computing
– Authentication, Authorization, Access Control
• Data/Knowledge Visualization
– Effective Security/Privacy posture Display
• Privacy-Enabled Data Mining
– Protect data while assuring compliance
SNAP Project:
Goals
• Create technology that:
– Discovers important data within a
corporation
• Wherever it may be
– Discovers and visualizes how people
work with the data
Core Technology
Application Areas:
– Fills the Technology Gaps
- Business
• Exploit Results
- Public Safety
– Widely
- Healthcare
- Government
- Military
SNAP Project:
NRC’s Approach
• User-Centered Research, Development, Design
– Identify User, Context, and Needs
– Business, Functional, Data and Usability Requirements
– Early Testing
• Privacy Technology User Group
– First Users
• Exploitation Interests
User Group
SNAP
Exploitation
NRC
SNAP Project:
Privacy Technology
User Group
• Goal:
– Identify Essential Product
– Determine User
– Detect Expectations
– Define Use Context
• Four Parts
– Business Requirements
– Functional Requirements
– Data Requirements
– Usability Requirements
SNAP Project:
Privacy Technology
User Group
• Analysis
– Document
– Stakeholder Interviews
– Stakeholder Workshops
– Observations in Context
– Scenarios and Use Cases
– Focus Groups with End Users
Fully Understand Problem
• Demonstrations, simulation and prototypes
• Targets:
– Shared understanding
– Project Scope/Risk Reduction
- End User Involvement
- Requirements Specification
SNAP Project:
Organization Picture
SNAP Project
NRC-IIT
SNAP
Technologies
Background Research
Trusted
HCI
Automated
Workflow
Analysis
Security
Effective
Technologies Private Data Knowledge
For Privacy
Discovery Visualization
Protection
& Analysis
Privacy Technology User Group
Requirements Focus
Requirements
Gathering
SNAP
Demo
Company
Product 1
Org. 1-Org. 6
Product 2Product 3Product 4
SNAP Project:
Some Results
(Current Prototype)
• Private data,
– SIN, Credit Card number, Address, Email
• Find it anywhere
– Any action, any context, any file, any application
• Automated private data workflow discovery
– Locate what went wrong and when for automated compliance or
forensics
• Determine normal and abnormal workflow
– Correct workflow, discover experts
• Compare flow/operations against policy
• Prevent inappropriate operations
– Automatically
Attempting to Open Documents
with Private Data
Summary
•
•
•
•
Technologies for Compliance
Brief Compliance Technology Company List
Technology Gaps
NRC-IIT’s SNAP Project
Questions?
?
[email protected]
http://www.iit-iti.nrc-cnrc.gc.ca/
“Humanity is acquiring all the right technology for the wrong reasons.”
— R. Buckminister Fuller
Related documents
Merenje koncentracije i trzisne moci privrednih
Merenje koncentracije i trzisne moci privrednih
Computer Science 9616a, Fall 2011 Project Description Your project
Computer Science 9616a, Fall 2011 Project Description Your project
Computer Science 9616b, Fall 2016 Project Description Your project
Computer Science 9616b, Fall 2016 Project Description Your project
HIPPA Compliance Form
HIPPA Compliance Form
Donor Privacy Policy
Donor Privacy Policy
Innovative Applications of Artificial Intelligence Techniques in
Innovative Applications of Artificial Intelligence Techniques in
Privacy Policy This privacy policy discloses the privacy practices for
Privacy Policy This privacy policy discloses the privacy practices for
19-DS-05-2016_OZGUR
19-DS-05-2016_OZGUR
DIRECT MARKETING
DIRECT MARKETING
Data Privacy and Security
Data Privacy and Security
Medical History
Medical History
Presentazione di PowerPoint - Georgia Institute of Technology
Presentazione di PowerPoint - Georgia Institute of Technology
Document
Document
Privacy - Dartmouth College
Privacy - Dartmouth College
Rachel Hogue`s presentation on Big Data in Education
Rachel Hogue`s presentation on Big Data in Education
Privacy Wizards for Social Networking Sites
Privacy Wizards for Social Networking Sites