1 / 47

Privacy Compliance: Technology - Gaps, Challenges

Privacy Compliance: Technology - Gaps, Challenges. Larry Korba National Research Council of Canada Larry.Korba@nrc-cnrc.gc.ca. CACR Privacy and Security, Nov. 1-2, 2006 Toronto. Outline. About NRC/IIT/IS What is the problem? Backdrop Technologies for Compliance: Types, Snapshot

hedda
Download Presentation

Privacy Compliance: Technology - Gaps, Challenges

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Compliance: Technology - Gaps, Challenges Larry Korba National Research Council of Canada Larry.Korba@nrc-cnrc.gc.ca CACR Privacy and Security, Nov. 1-2, 2006 Toronto

  2. Outline • About NRC/IIT/IS • What is the problem? • Backdrop • Technologies for Compliance: • Types, Snapshot • Compliance Gaps • Technologies, Other Challenges • NRC’s Approach • Project Structure, Early Results • Summary

  3. Caveats… • My Opinions • No Endorsements by NRC • Technology Focus, But… Compliance Needs More Than Technology! • Ask Questions Any Time…

  4. NRC & NRC-IIT • NRC • $850M, in every province, 20 institutes • Scientific Research one of its Seven Mandates • Goal: • NRC-IIT • $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton • 9 Groups • http://www.iit-iti.nrc-cnrc.gc.ca • NRC-IIT-IS • Security and Privacy Research and Development Increase Competitiveness through Research that gets Exploited Security and Privacy without Complexity

  5. What is the Problem? • From the News: • “Feds Often Clueless After Data Losses” – Oct. 18, 2006 • “Business brass ill-prepared for disasters” – Sept. 26, 2006 • “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006 • “Police warned to improve database security” – Aug. 23, 2006 • “Data Loss is a Major Problem” – Aug. 18, 2006 • “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006 • “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006 • “Patient Data stolen from Kaiser” – Aug. 8, 2006 • “Sentry Insurance Says Customer Data Stolen” – July 29, 2006 • “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006

  6. Marketing, Competition Expanding Services Computers Everywhere + + + Cheap Storage + - - - Legislation Risk Management Regulations/Policies What is the Problem?Data Explosion • The Roots of the Problem Organization Data Organization Clients +

  7. Technologies for Compliance: The Promise “Technology makes the world a new place.” - Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).

  8. Technologies forCompliance: Market Drivers • Compliance • Huge market ($10+ Billion) • Healthy Growth Rate (20% - 50% per year) • Compliance areas: • Payment Cards, Privacy, Financial Information, Security, Privacy… • Sectors: Diverse • Government • Healthcare • Tourism/Hospitality • Services, Financial • Manufacturing • Transportation • Military • Others

  9. Technologies for Compliance:Market Drivers • Bandwagon Effect… • Firewall, Intrusion Prevention, Network Management, Security/Privacy Policy Management • Consultants • New Technologies… • To Deal with Different Needs • Sarbanes-Oxley • Privacy • Intellectual Property Management • And Emerging Needs • Data Purity

  10. Technologies for Compliance:Backdrop: Key Types • Compliance • Consulting Services • Internet Service • Appliance • Database • Application • Focus • Enterprise Systems • Enforcement • Not Policy: Creation/Distribution/Management • Two Types • Network-Based • Agent Based • And Combinations of the Above

  11. A B C NTM Technologies for Compliance:Types: Network-Based • Monitor Network Traffic • Dissect packets • Determine type of traffic, or data mine content • Flag/Prevent activities denied based upon policy • Encrypted Traffic Network Packet Capture Understand Traffic Mine Content Policy Interpretation Log or Prevent Inappropriate Activities

  12. A B C Technologies for Compliance:Types: Agent-Based • Installs on Servers, Desktops, Laptops • “Direct” access to activities • Management Console to Coordinate Actions Console Network Mine Data “at Rest” Mine Computer Activity Policy Interpretation Log or Prevent Inappropriate Activities

  13. A B C NTM Technologies for Compliance:Types: Combination • Best of Both Worlds! Console Network

  14. Technologies for Compliance “Technology is a servant who makes so much noise cleaning up in the next room that his master cannot make music. ” - Karl Kraus (1874–1936)

  15. Technologies for Compliance:Implementation Issues • Dealing with: • Interactions Between Different Laws/Regulations • Structured or Unstructured Data • Data Server Environments • Content Management • Automation of Policy Controls • Proactive Enforcement • Or Testing/Scanning • Flexibility of Forensic Tools • Risk Management Tools • Interactions between Compliance & Existing Systems • Identity, Document, Project Management, etc. • Network Security, Antivirus, Databases…

  16. Technologies for ComplianceChallenges “Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. ” - Putt's Law

  17. Technologies for Compliance:Underlying Challenges • Despite the hype… • There is no Instant, Universal, Ever- Adaptable Solution for Automated Compliance • You cannot rely on technologies alone • Resources will be required • Purchasing, • Maintenance, • Related SW & HW, • Staff, • Consultants • As well, there are technology gaps

  18. Technologies for Compliance:Implications & Challenges • Monitoring Employee/Guest Computer and Network Activity • There may be little privacy • Little expectation of privacy • There may be a great deal of data exposure • How well does the compliance technology protect? • Balancing Legal Obligation with Employer/Employee Trust Relationship

  19. Technologies for Compliance:Some Examples • Just a sampling of offerings • Market is changing monthly

  20. Technologies for Compliance:Some Examples • ACM: www.acl.com • SOX, agent-based • Googgun: www.googgun.com • privacy “compliance” server • Ilumin: www.ilumin.com • Assentor • Vontu: www.vontu.com • Discover, Protect, Monitor, Prevent

  21. Technologies for Compliance:Some Examples • Verdasys: www.verdasys.com • Digital Guardian • Oakley Networks: www.oakleynetworks.com • Sureview, Coreview • Axentis: www.axentis.com • Internet service for SOX compliance • IBM Workplace for Bus. Controls: www.ibm.com

  22. Technologies for Compliance:Some Examples • Qumas: www.qumas.com • DocCompliance, ProcessCompliance, Portal • Stellent: www.stellent.com • Enterprise Content Management • Reconnex: www.reconnex.com • iGuard 3300 • Tablus: www.tablus.com • Content Alarm NW

  23. Technologies for Compliance:Some Examples • Intrusion: www.intrusion.com • Compliance Commander • Vericept: www.vericept.com • Enterprise Risk Management Platform

  24. Technologies for Compliance:Some Examples • Privasoft: www.privasoft.com • AccessPro (Information Access Privacy) • Enara Technologies: www.enarainc.com • Saperion + Enara Technologies • Autonomy: www.autonomy.com • Aungate Division • Data mining for email and voice compliance • And more…

  25. Technologies for ComplianceChallenges “Having intelligence is not as important as knowing when to use it, just as having a hoe is not as important as knowing when to plant. ” - Chinese Proverb

  26. Technologies for Compliance:Technology Gaps • Visualization Techniques • Minimize Operator Errors • Learn from Operators • Accountability and Privacy • Audits, Retention, Access Restriction, Data Life, Rule Sets • Data Mining and Machine Learning • Better Algorithms: Speed, Accuracy, Privacy • Semantic Analysis, Link Analysis • Context: Operator, Similar Operators • Privacy Aspects • Privacy-Aware Data Mining • Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence • Better Workflow Integration • Reflect/Understand what “really happens” in an organization • Forensic Tools • Security Built-In • Protect Data Discovery and Discovered Data • Privacy-Aware Security Protocols

  27. Technologies for Compliance:NRC’s Approach • Technology Approach: • Inappropriate Insider Activity Discovery/Prevention + • Privacy Technology + • Distributed text/data mining = • Comprehensive Privacy Compliance Technology • Could be applied for other compliance requirements • Social Networking Applied to Privacy: SNAP • Strategic project for NRC’s Institute for Information Technology

  28. SNAP Project:Technologies • Trusted Human Computer Interaction • Simple, Effective Control of Complex Systems • Automated Work Flow Discovery • Project Management, Organizational Work Flow • Security Protocols for Privacy Protection • Scalable, effective, efficient exchanges • Secure Distributed Computing • Authentication, Authorization, Access Control • Data/Knowledge Visualization • Effective Security/Privacy posture Display • Privacy-Enabled Data Mining • Protect data while assuring compliance

  29. SNAP Project:Goals • Create technology that: • Discovers important data within a corporation • Wherever it may be • Discovers and visualizes how people work with the data • Fills the Technology Gaps • Exploit Results • Widely • Core Technology • Application Areas: • Business • Public Safety • Healthcare • Government • Military

  30. SNAP Project: NRC’s Approach • User-Centered Research, Development, Design • Identify User, Context, and Needs • Business, Functional, Data and Usability Requirements • Early Testing • Privacy Technology User Group • First Users • Exploitation Interests User Group SNAP Exploitation NRC

  31. Goal: Identify Essential Product Determine User Detect Expectations Define Use Context Four Parts Business Requirements Functional Requirements Data Requirements Usability Requirements SNAP Project:Privacy Technology User Group

  32. Fully Understand Problem SNAP Project:Privacy Technology User Group • Analysis • Document • Stakeholder Interviews • Stakeholder Workshops • Observations in Context • Scenarios and Use Cases • Focus Groups with End Users • Demonstrations, simulation and prototypes • Targets: • Shared understanding - End User Involvement • Project Scope/Risk Reduction - Requirements Specification

  33. Org. 1-Org. 6 SNAP Project:Organization Picture SNAP Project NRC-IIT Background Research SNAP Technologies Trusted HCI Automated Workflow Analysis Security Technologies For Privacy Protection Private Data Discovery Effective Knowledge Visualization & Analysis Privacy Technology User Group Requirements Focus Requirements Gathering SNAP Demo Company Product 2 Product 3 Product 4 Product 1

  34. SNAP Project:Some Results(Current Prototype) • Private data, • SIN, Credit Card number, Address, Email • Find it anywhere • Any action, any context, any file, any application • Automated private data workflow discovery • Locate what went wrong and when for automated compliance or forensics • Determine normal and abnormal workflow • Correct workflow, discover experts • Compare flow/operations against policy • Prevent inappropriate operations • Automatically

  35. Attempting to Open Documents with Private Data

  36. Summary • Technologies for Compliance • Brief Compliance Technology Company List • Technology Gaps • NRC-IIT’s SNAP Project

  37. Questions? ? Larry.Korba@nrc-cnrc.gc.ca http://www.iit-iti.nrc-cnrc.gc.ca/ “Humanity is acquiring all the right technology for the wrong reasons.” — R. Buckminister Fuller

More Related