Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Privacy Compliance: Technology Gaps, Challenges Larry Korba National Research Council of Canada [email protected] CACR Privacy and Security, Nov. 1-2, 2006 Toronto Outline • About NRC/IIT/IS • What is the problem? – Backdrop • Technologies for Compliance: – Types, Snapshot • Compliance Gaps – Technologies, Other Challenges • NRC’s Approach – Project Structure, Early Results • Summary Caveats… • My Opinions – No Endorsements by NRC • Technology Focus, But… Compliance Needs More Than Technology! • Ask Questions Any Time… NRC & NRC-IIT • NRC – $850M, in every province, 20 institutes – Scientific Research one of its Seven Mandates – Goal: Increase Competitiveness through Research that gets Exploited • NRC-IIT – $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton – 9 Groups – http://www.iit-iti.nrc-cnrc.gc.ca • NRC-IIT-IS – Security and Privacy Research and Development Security and Privacy without Complexity What is the Problem? From the News: – “Feds Often Clueless After Data Losses” – Oct. 18, 2006 – “Business brass ill-prepared for disasters” – Sept. 26, 2006 – “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006 – “Police warned to improve database security” – Aug. 23, 2006 – “Data Loss is a Major Problem” – Aug. 18, 2006 – “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006 – – – – “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006 “Patient Data stolen from Kaiser” – Aug. 8, 2006 “Sentry Insurance Says Customer Data Stolen” – July 29, 2006 “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006 What is the Problem? Data Explosion • The Roots of the Problem Marketing, Competition Expanding Services + Cheap Storage + - Risk Management Computers Everywhere + + Organization Organization Data + Clients Regulations/Policies Legislation Technologies for Compliance: The Promise “Technology makes the world a new place.” - Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988). Technologies for Compliance: Market Drivers • Compliance – Huge market ($10+ Billion) – Healthy Growth Rate (20% - 50% per year) – Compliance areas: • Payment Cards, Privacy, Financial Information, Security, Privacy… – Sectors: Diverse • • • • • • • • Government Healthcare Tourism/Hospitality Services, Financial Manufacturing Transportation Military Others Technologies for Compliance: Market Drivers • Bandwagon Effect… – Firewall, Intrusion Prevention, Network Management, Security/Privacy Policy Management – Consultants • New Technologies… – To Deal with Different Needs • Sarbanes-Oxley • Privacy • Intellectual Property Management – And Emerging Needs • Data Purity Technologies for Compliance: Backdrop: Key Types • Compliance – Consulting Services – Internet Service – Appliance – Database – Application • Focus – Enterprise Systems – Enforcement • Not Policy: Creation/Distribution/Management – Two Types • Network-Based • Agent Based • And Combinations of the Above Technologies for Compliance: Types: Network-Based • Monitor Network Traffic • Dissect packets – Determine type of traffic, or data mine content • Flag/Prevent activities denied based upon policy – Encrypted Traffic A B Network NTM C Packet Capture Understand Traffic Mine Content Policy Interpretation Log or Prevent Inappropriate Activities Technologies for Compliance: Types: Agent-Based • Installs on Servers, Desktops, Laptops • “Direct” access to activities • Management Console to Coordinate Actions A Network B C Console Mine Data “at Rest” Mine Computer Activity Policy Interpretation Log or Prevent Inappropriate Activities Technologies for Compliance: Types: Combination • Best of Both Worlds! A B Network NTM C Console Technologies for Compliance “Technology is a servant who makes so much noise cleaning up in the next room that his master cannot make music. ” - Karl Kraus (1874–1936) Technologies for Compliance: Implementation Issues • Dealing with: – Interactions Between Different Laws/Regulations – Structured or Unstructured Data – Data Server Environments – Content Management • Automation of Policy Controls – Proactive Enforcement – Or Testing/Scanning • Flexibility of Forensic Tools • Risk Management Tools • Interactions between Compliance & Existing Systems – Identity, Document, Project Management, etc. – Network Security, Antivirus, Databases… Technologies for Compliance Challenges “Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. ” - Putt's Law Technologies for Compliance: Underlying Challenges • Despite the hype… – There is no Instant, Universal, Ever- Adaptable Solution for Automated Compliance • You cannot rely on technologies alone • Resources will be required – Purchasing, – Maintenance, – Related SW & HW, – Staff, – Consultants • As well, there are technology gaps Technologies for Compliance: Implications & Challenges • Monitoring Employee/Guest Computer and Network Activity – There may be little privacy • Little expectation of privacy – There may be a great deal of data exposure • How well does the compliance technology protect? – Balancing Legal Obligation with Employer/Employee Trust Relationship Technologies for Compliance: Some Examples • Just a sampling of offerings • Market is changing monthly Technologies for Compliance: Some Examples • ACM: www.acl.com – SOX, agent-based • Googgun: www.googgun.com – privacy “compliance” server • Ilumin: www.ilumin.com – Assentor • Vontu: www.vontu.com – Discover, Protect, Monitor, Prevent Technologies for Compliance: Some Examples • Verdasys: www.verdasys.com – Digital Guardian • Oakley Networks: www.oakleynetworks.com – Sureview, Coreview • Axentis: www.axentis.com – Internet service for SOX compliance • IBM Workplace for Bus. Controls: www.ibm.com Technologies for Compliance: Some Examples • Qumas: www.qumas.com – DocCompliance, ProcessCompliance, Portal • Stellent: www.stellent.com – Enterprise Content Management • Reconnex: www.reconnex.com – iGuard 3300 • Tablus: www.tablus.com – Content Alarm NW Technologies for Compliance: Some Examples • Intrusion: www.intrusion.com – Compliance Commander • Vericept: www.vericept.com – Enterprise Risk Management Platform Technologies for Compliance: Some Examples • Privasoft: www.privasoft.com – AccessPro (Information Access Privacy) • Enara Technologies: www.enarainc.com – Saperion + Enara Technologies • Autonomy: www.autonomy.com – Aungate Division – Data mining for email and voice compliance • And more… Technologies for Compliance Challenges “Having intelligence is not as important as knowing when to use it, just as having a hoe is not as important as knowing when to plant. ” - Chinese Proverb Technologies for Compliance: Technology Gaps • Visualization Techniques – Minimize Operator Errors – Learn from Operators • Accountability and Privacy – Audits, Retention, Access Restriction, Data Life, Rule Sets • Data Mining and Machine Learning – Better Algorithms: Speed, Accuracy, Privacy • Semantic Analysis, Link Analysis – Context: Operator, Similar Operators • Privacy Aspects – Privacy-Aware Data Mining – Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence • Better Workflow Integration – Reflect/Understand what “really happens” in an organization – Forensic Tools • Security Built-In – Protect Data Discovery and Discovered Data – Privacy-Aware Security Protocols Technologies for Compliance: NRC’s Approach • Technology Approach: – Inappropriate Insider Activity Discovery/Prevention + – Privacy Technology + – Distributed text/data mining = – Comprehensive Privacy Compliance Technology – Could be applied for other compliance requirements • Social Networking Applied to Privacy: SNAP • Strategic project for NRC’s Institute for Information Technology SNAP Project: Technologies • Trusted Human Computer Interaction – Simple, Effective Control of Complex Systems • Automated Work Flow Discovery – Project Management, Organizational Work Flow • Security Protocols for Privacy Protection – Scalable, effective, efficient exchanges • Secure Distributed Computing – Authentication, Authorization, Access Control • Data/Knowledge Visualization – Effective Security/Privacy posture Display • Privacy-Enabled Data Mining – Protect data while assuring compliance SNAP Project: Goals • Create technology that: – Discovers important data within a corporation • Wherever it may be – Discovers and visualizes how people work with the data Core Technology Application Areas: – Fills the Technology Gaps - Business • Exploit Results - Public Safety – Widely - Healthcare - Government - Military SNAP Project: NRC’s Approach • User-Centered Research, Development, Design – Identify User, Context, and Needs – Business, Functional, Data and Usability Requirements – Early Testing • Privacy Technology User Group – First Users • Exploitation Interests User Group SNAP Exploitation NRC SNAP Project: Privacy Technology User Group • Goal: – Identify Essential Product – Determine User – Detect Expectations – Define Use Context • Four Parts – Business Requirements – Functional Requirements – Data Requirements – Usability Requirements SNAP Project: Privacy Technology User Group • Analysis – Document – Stakeholder Interviews – Stakeholder Workshops – Observations in Context – Scenarios and Use Cases – Focus Groups with End Users Fully Understand Problem • Demonstrations, simulation and prototypes • Targets: – Shared understanding – Project Scope/Risk Reduction - End User Involvement - Requirements Specification SNAP Project: Organization Picture SNAP Project NRC-IIT SNAP Technologies Background Research Trusted HCI Automated Workflow Analysis Security Effective Technologies Private Data Knowledge For Privacy Discovery Visualization Protection & Analysis Privacy Technology User Group Requirements Focus Requirements Gathering SNAP Demo Company Product 1 Org. 1-Org. 6 Product 2Product 3Product 4 SNAP Project: Some Results (Current Prototype) • Private data, – SIN, Credit Card number, Address, Email • Find it anywhere – Any action, any context, any file, any application • Automated private data workflow discovery – Locate what went wrong and when for automated compliance or forensics • Determine normal and abnormal workflow – Correct workflow, discover experts • Compare flow/operations against policy • Prevent inappropriate operations – Automatically Attempting to Open Documents with Private Data Summary • • • • Technologies for Compliance Brief Compliance Technology Company List Technology Gaps NRC-IIT’s SNAP Project Questions? ? [email protected] http://www.iit-iti.nrc-cnrc.gc.ca/ “Humanity is acquiring all the right technology for the wrong reasons.” — R. Buckminister Fuller