Privacy Compliance: Technology Gaps, Challenges
Larry Korba
National Research Council of Canada
[email protected]
CACR Privacy and Security, Nov. 1-2, 2006
Toronto
Outline
• About NRC/IIT/IS
• What is the problem?
– Backdrop
• Technologies for Compliance:
– Types, Snapshot
• Compliance Gaps
– Technologies, Other Challenges
• NRC’s Approach
– Project Structure, Early Results
• Summary
Caveats…
• My Opinions
– No Endorsements by NRC
• Technology Focus, But…
Compliance Needs More Than Technology!
• Ask Questions Any Time…
NRC & NRC-IIT
• NRC
– $850M, in every province, 20 institutes
– Scientific Research one of its Seven Mandates
– Goal:
Increase Competitiveness through Research that gets Exploited
• NRC-IIT
– $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton
– 9 Groups
– http://www.iit-iti.nrc-cnrc.gc.ca
• NRC-IIT-IS
– Security and Privacy Research and Development
Security and Privacy without Complexity
What is the Problem?
From the News:
– “Feds Often Clueless After Data Losses” – Oct. 18, 2006
– “Business brass ill-prepared for disasters” – Sept. 26, 2006
– “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006
– “Police warned to improve database security” – Aug. 23, 2006
– “Data Loss is a Major Problem” – Aug. 18, 2006
– “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006
– “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006
– “Patient Data stolen from Kaiser” – Aug. 8, 2006
– “Sentry Insurance Says Customer Data Stolen” – July 29, 2006
– “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006
What is the Problem?
Data Explosion
• The Roots of the Problem
[Diagram labels, joined by “+” and “-” signs: Marketing, Competition, Expanding Services; Cheap Storage; Computers Everywhere; Risk Management; Organization; Organization Data; Clients; Regulations/Policies; Legislation]
Technologies for Compliance:
The Promise
“Technology makes the world a new place.”
- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).
Technologies for Compliance:
Market Drivers
• Compliance
– Huge market ($10+ Billion)
– Healthy Growth Rate (20% - 50% per year)
– Compliance areas:
• Payment Cards, Privacy, Financial Information, Security,
Privacy…
– Sectors: Diverse
• Government
• Healthcare
• Tourism/Hospitality
• Services, Financial
• Manufacturing
• Transportation
• Military
• Others
Technologies for Compliance:
Market Drivers
• Bandwagon Effect…
– Firewall, Intrusion Prevention, Network Management,
Security/Privacy Policy Management
– Consultants
• New Technologies…
– To Deal with Different Needs
• Sarbanes-Oxley
• Privacy
• Intellectual Property Management
– And Emerging Needs
• Data Purity
Technologies for Compliance:
Backdrop: Key Types
• Compliance
– Consulting Services
– Internet Service
– Appliance
– Database
– Application
• Focus
– Enterprise Systems
– Enforcement
• Not Policy: Creation/Distribution/Management
– Two Types
• Network-Based
• Agent Based
• And Combinations of the Above
Technologies for Compliance:
Types: Network-Based
• Monitor Network Traffic
• Dissect packets
– Determine type of traffic, or data mine content
• Flag/Prevent activities denied based upon policy
– Encrypted Traffic
[Diagram: hosts A, B and C on a Network with an NTM attached. NTM functions: Packet Capture; Understand Traffic; Mine Content; Policy Interpretation; Log or Prevent Inappropriate Activities]
Technologies for Compliance:
Types: Agent-Based
• Installs on Servers, Desktops, Laptops
• “Direct” access to activities
• Management Console to Coordinate Actions
[Diagram: hosts A, B and C on a Network with a Console. Agent functions: Mine Data “at Rest”; Mine Computer Activity; Policy Interpretation; Log or Prevent Inappropriate Activities]
Technologies for Compliance:
Types: Combination
• Best of Both Worlds!
[Diagram: hosts A, B and C on a Network with both an NTM and a Console]
Technologies for Compliance
“Technology is a servant who makes so much noise cleaning up in the next room that his master cannot make music.”
- Karl Kraus (1874–1936)
Technologies for Compliance:
Implementation Issues
• Dealing with:
– Interactions Between Different Laws/Regulations
– Structured or Unstructured Data
– Data Server Environments
– Content Management
• Automation of Policy Controls
– Proactive Enforcement
– Or Testing/Scanning
• Flexibility of Forensic Tools
• Risk Management Tools
• Interactions between Compliance & Existing Systems
– Identity, Document, Project Management, etc.
– Network Security, Antivirus, Databases…
Technologies for Compliance
Challenges
“Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand.”
- Putt's Law
Technologies for Compliance:
Underlying Challenges
• Despite the hype…
– There is no Instant, Universal, Ever-Adaptable Solution for Automated Compliance
• You cannot rely on technologies alone
• Resources will be required
– Purchasing,
– Maintenance,
– Related SW & HW,
– Staff,
– Consultants
• As well, there are technology gaps
Technologies for Compliance:
Implications & Challenges
• Monitoring Employee/Guest Computer and Network Activity
– There may be little privacy
• Little expectation of privacy
– There may be a great deal of data exposure
• How well does the compliance technology protect?
– Balancing Legal Obligation with
Employer/Employee Trust Relationship
Technologies for Compliance:
Some Examples
• Just a sampling of offerings
• Market is changing monthly
Technologies for Compliance:
Some Examples
• ACM: www.acl.com
– SOX, agent-based
• Googgun: www.googgun.com
– privacy “compliance” server
• Ilumin: www.ilumin.com
– Assentor
• Vontu: www.vontu.com
– Discover, Protect, Monitor, Prevent
Technologies for Compliance:
Some Examples
• Verdasys: www.verdasys.com
– Digital Guardian
• Oakley Networks: www.oakleynetworks.com
– Sureview, Coreview
• Axentis: www.axentis.com
– Internet service for SOX compliance
• IBM Workplace for Bus. Controls: www.ibm.com
Technologies for Compliance:
Some Examples
• Qumas: www.qumas.com
– DocCompliance, ProcessCompliance, Portal
• Stellent: www.stellent.com
– Enterprise Content Management
• Reconnex: www.reconnex.com
– iGuard 3300
• Tablus: www.tablus.com
– Content Alarm NW
Technologies for Compliance:
Some Examples
• Intrusion: www.intrusion.com
– Compliance Commander
• Vericept: www.vericept.com
– Enterprise Risk Management Platform
Technologies for Compliance:
Some Examples
• Privasoft: www.privasoft.com
– AccessPro (Information Access Privacy)
• Enara Technologies: www.enarainc.com
– Saperion + Enara Technologies
• Autonomy: www.autonomy.com
– Aungate Division
– Data mining for email and voice compliance
• And more…
Technologies for Compliance
Challenges
“Having intelligence is not as important as knowing when to use it, just as having a hoe is not as important as knowing when to plant.”
- Chinese Proverb
Technologies for Compliance:
Technology Gaps
• Visualization Techniques
– Minimize Operator Errors
– Learn from Operators
• Accountability and Privacy
– Audits, Retention, Access Restriction, Data Life, Rule Sets
• Data Mining and Machine Learning
– Better Algorithms: Speed, Accuracy, Privacy
• Semantic Analysis, Link Analysis
– Context: Operator, Similar Operators
• Privacy Aspects
– Privacy-Aware Data Mining
– Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence
• Better Workflow Integration
– Reflect/Understand what “really happens” in an organization
– Forensic Tools
• Security Built-In
– Protect Data Discovery and Discovered Data
– Privacy-Aware Security Protocols
Technologies for Compliance:
NRC’s Approach
• Technology Approach:
– Inappropriate Insider Activity Discovery/Prevention
+
– Privacy Technology
+
– Distributed text/data mining
=
– Comprehensive Privacy Compliance Technology
– Could be applied for other compliance requirements
• Social Networking Applied to Privacy: SNAP
• Strategic project for NRC’s Institute for Information Technology
SNAP Project:
Technologies
• Trusted Human Computer Interaction
– Simple, Effective Control of Complex Systems
• Automated Work Flow Discovery
– Project Management, Organizational Work Flow
• Security Protocols for Privacy Protection
– Scalable, effective, efficient exchanges
• Secure Distributed Computing
– Authentication, Authorization, Access Control
• Data/Knowledge Visualization
– Effective Security/Privacy posture Display
• Privacy-Enabled Data Mining
– Protect data while assuring compliance
SNAP Project:
Goals
• Create technology that:
– Discovers important data within a corporation
• Wherever it may be
– Discovers and visualizes how people work with the data
– Fills the Technology Gaps
• Exploit Results
– Widely
Core Technology
Application Areas:
– Business
– Public Safety
– Healthcare
– Government
– Military
SNAP Project:
NRC’s Approach
• User-Centered Research, Development, Design
– Identify User, Context, and Needs
– Business, Functional, Data and Usability Requirements
– Early Testing
• Privacy Technology User Group
– First Users
• Exploitation Interests
[Diagram labels: User Group, SNAP, Exploitation, NRC]
SNAP Project:
Privacy Technology
User Group
• Goal:
– Identify Essential Product
– Determine User
– Detect Expectations
– Define Use Context
• Four Parts
– Business Requirements
– Functional Requirements
– Data Requirements
– Usability Requirements
SNAP Project:
Privacy Technology
User Group
• Analysis
– Document
– Stakeholder Interviews
– Stakeholder Workshops
– Observations in Context
– Scenarios and Use Cases
– Focus Groups with End Users
Fully Understand Problem
• Demonstrations, simulation and prototypes
• Targets:
– Shared understanding
– Project Scope/Risk Reduction
– End User Involvement
– Requirements Specification
SNAP Project:
Organization Picture
[Organization diagram. SNAP Project (NRC-IIT). SNAP Technologies, Background Research: Trusted HCI; Automated Workflow Analysis; Security Technologies for Privacy Protection; Effective Private Data Discovery & Analysis; Knowledge Visualization. Privacy Technology User Group (Org. 1-Org. 6): Requirements Focus, Requirements Gathering. SNAP Demo. Company: Product 1, Product 2, Product 3, Product 4]
SNAP Project:
Some Results
(Current Prototype)
• Private data,
– SIN, Credit Card number, Address, Email
• Find it anywhere
– Any action, any context, any file, any application
• Automated private data workflow discovery
– Locate what went wrong and when for automated compliance or
forensics
• Determine normal and abnormal workflow
– Correct workflow, discover experts
• Compare flow/operations against policy
• Prevent inappropriate operations
– Automatically
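The private-data discovery step listed above, sketched as an added example (this is not code from the SNAP prototype or from NRC). It assumes regex candidate matching plus a Luhn checksum, which both Canadian SINs and payment card numbers satisfy; the patterns, function names and sample text are constructed for illustration, and addresses are left out because they need more than pattern matching.

```python
import re

# Candidate patterns (assumed for this example); digits may be grouped by spaces or hyphens.
PATTERNS = {
    "sin": re.compile(r"(?<![\d-])\d{3}[ -]?\d{3}[ -]?\d{3}(?![\d-])"),
    "credit_card": re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the scan report does not itself expose data."""
    return "*" * (len(value) - 4) + value[-4:]

def find_private_data(text: str):
    """Return (kind, masked value, offset) for each validated hit, ordered by offset."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            raw = m.group()
            if kind != "email":
                raw = re.sub(r"\D", "", raw)
                if not luhn_ok(raw):
                    continue  # right shape, wrong checksum: e.g. an invoice number
            findings.append((kind, mask(raw), m.start()))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample: published test SIN and test card number, plus a 9-digit decoy.
SAMPLE = ("Client SIN 046 454 286, card 4111-1111-1111-1111, "
          "contact jane.doe@example.com; invoice 123 456 789.")

if __name__ == "__main__":
    for finding in find_private_data(SAMPLE):
        print(finding)
```

The checksum step is what keeps ordinary nine-digit identifiers from being flagged, and masking the hits addresses the “Protect Data Discovery and Discovered Data” gap named earlier in the deck.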
Attempting to Open Documents
with Private Data
Summary
• Technologies for Compliance
• Brief Compliance Technology Company List
• Technology Gaps
• NRC-IIT’s SNAP Project
Questions?
[email protected]
http://www.iit-iti.nrc-cnrc.gc.ca/
“Humanity is acquiring all the right technology for the wrong reasons.”
— R. Buckminster Fuller