470 likes | 653 Views
Privacy Compliance: Technology - Gaps, Challenges. Larry Korba National Research Council of Canada Larry.Korba@nrc-cnrc.gc.ca. CACR Privacy and Security, Nov. 1-2, 2006 Toronto. Outline. About NRC/IIT/IS What is the problem? Backdrop Technologies for Compliance: Types, Snapshot
E N D
Privacy Compliance: Technology - Gaps, Challenges Larry Korba National Research Council of Canada Larry.Korba@nrc-cnrc.gc.ca CACR Privacy and Security, Nov. 1-2, 2006 Toronto
Outline • About NRC/IIT/IS • What is the problem? • Backdrop • Technologies for Compliance: • Types, Snapshot • Compliance Gaps • Technologies, Other Challenges • NRC’s Approach • Project Structure, Early Results • Summary
Caveats… • My Opinions • No Endorsements by NRC • Technology Focus, But… Compliance Needs More Than Technology! • Ask Questions Any Time…
NRC & NRC-IIT • NRC • $850M, in every province, 20 institutes • Scientific Research one of its Seven Mandates • Goal: • NRC-IIT • $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton • 9 Groups • http://www.iit-iti.nrc-cnrc.gc.ca • NRC-IIT-IS • Security and Privacy Research and Development Increase Competitiveness through Research that gets Exploited Security and Privacy without Complexity
What is the Problem? • From the News: • “Feds Often Clueless After Data Losses” – Oct. 18, 2006 • “Business brass ill-prepared for disasters” – Sept. 26, 2006 • “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006 • “Police warned to improve database security” – Aug. 23, 2006 • “Data Loss is a Major Problem” – Aug. 18, 2006 • “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006 • “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006 • “Patient Data stolen from Kaiser” – Aug. 8, 2006 • “Sentry Insurance Says Customer Data Stolen” – July 29, 2006 • “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006
Marketing, Competition Expanding Services Computers Everywhere + + + Cheap Storage + - - - Legislation Risk Management Regulations/Policies What is the Problem?Data Explosion • The Roots of the Problem Organization Data Organization Clients +
Technologies for Compliance: The Promise “Technology makes the world a new place.” - Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).
Technologies forCompliance: Market Drivers • Compliance • Huge market ($10+ Billion) • Healthy Growth Rate (20% - 50% per year) • Compliance areas: • Payment Cards, Privacy, Financial Information, Security, Privacy… • Sectors: Diverse • Government • Healthcare • Tourism/Hospitality • Services, Financial • Manufacturing • Transportation • Military • Others
Technologies for Compliance:Market Drivers • Bandwagon Effect… • Firewall, Intrusion Prevention, Network Management, Security/Privacy Policy Management • Consultants • New Technologies… • To Deal with Different Needs • Sarbanes-Oxley • Privacy • Intellectual Property Management • And Emerging Needs • Data Purity
Technologies for Compliance:Backdrop: Key Types • Compliance • Consulting Services • Internet Service • Appliance • Database • Application • Focus • Enterprise Systems • Enforcement • Not Policy: Creation/Distribution/Management • Two Types • Network-Based • Agent Based • And Combinations of the Above
A B C NTM Technologies for Compliance:Types: Network-Based • Monitor Network Traffic • Dissect packets • Determine type of traffic, or data mine content • Flag/Prevent activities denied based upon policy • Encrypted Traffic Network Packet Capture Understand Traffic Mine Content Policy Interpretation Log or Prevent Inappropriate Activities
A B C Technologies for Compliance:Types: Agent-Based • Installs on Servers, Desktops, Laptops • “Direct” access to activities • Management Console to Coordinate Actions Console Network Mine Data “at Rest” Mine Computer Activity Policy Interpretation Log or Prevent Inappropriate Activities
A B C NTM Technologies for Compliance:Types: Combination • Best of Both Worlds! Console Network
Technologies for Compliance “Technology is a servant who makes so much noise cleaning up in the next room that his master cannot make music. ” - Karl Kraus (1874–1936)
Technologies for Compliance:Implementation Issues • Dealing with: • Interactions Between Different Laws/Regulations • Structured or Unstructured Data • Data Server Environments • Content Management • Automation of Policy Controls • Proactive Enforcement • Or Testing/Scanning • Flexibility of Forensic Tools • Risk Management Tools • Interactions between Compliance & Existing Systems • Identity, Document, Project Management, etc. • Network Security, Antivirus, Databases…
Technologies for ComplianceChallenges “Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. ” - Putt's Law
Technologies for Compliance:Underlying Challenges • Despite the hype… • There is no Instant, Universal, Ever- Adaptable Solution for Automated Compliance • You cannot rely on technologies alone • Resources will be required • Purchasing, • Maintenance, • Related SW & HW, • Staff, • Consultants • As well, there are technology gaps
Technologies for Compliance:Implications & Challenges • Monitoring Employee/Guest Computer and Network Activity • There may be little privacy • Little expectation of privacy • There may be a great deal of data exposure • How well does the compliance technology protect? • Balancing Legal Obligation with Employer/Employee Trust Relationship
Technologies for Compliance:Some Examples • Just a sampling of offerings • Market is changing monthly
Technologies for Compliance:Some Examples • ACM: www.acl.com • SOX, agent-based • Googgun: www.googgun.com • privacy “compliance” server • Ilumin: www.ilumin.com • Assentor • Vontu: www.vontu.com • Discover, Protect, Monitor, Prevent
Technologies for Compliance:Some Examples • Verdasys: www.verdasys.com • Digital Guardian • Oakley Networks: www.oakleynetworks.com • Sureview, Coreview • Axentis: www.axentis.com • Internet service for SOX compliance • IBM Workplace for Bus. Controls: www.ibm.com
Technologies for Compliance:Some Examples • Qumas: www.qumas.com • DocCompliance, ProcessCompliance, Portal • Stellent: www.stellent.com • Enterprise Content Management • Reconnex: www.reconnex.com • iGuard 3300 • Tablus: www.tablus.com • Content Alarm NW
Technologies for Compliance:Some Examples • Intrusion: www.intrusion.com • Compliance Commander • Vericept: www.vericept.com • Enterprise Risk Management Platform
Technologies for Compliance:Some Examples • Privasoft: www.privasoft.com • AccessPro (Information Access Privacy) • Enara Technologies: www.enarainc.com • Saperion + Enara Technologies • Autonomy: www.autonomy.com • Aungate Division • Data mining for email and voice compliance • And more…
Technologies for ComplianceChallenges “Having intelligence is not as important as knowing when to use it, just as having a hoe is not as important as knowing when to plant. ” - Chinese Proverb
Technologies for Compliance:Technology Gaps • Visualization Techniques • Minimize Operator Errors • Learn from Operators • Accountability and Privacy • Audits, Retention, Access Restriction, Data Life, Rule Sets • Data Mining and Machine Learning • Better Algorithms: Speed, Accuracy, Privacy • Semantic Analysis, Link Analysis • Context: Operator, Similar Operators • Privacy Aspects • Privacy-Aware Data Mining • Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence • Better Workflow Integration • Reflect/Understand what “really happens” in an organization • Forensic Tools • Security Built-In • Protect Data Discovery and Discovered Data • Privacy-Aware Security Protocols
Technologies for Compliance:NRC’s Approach • Technology Approach: • Inappropriate Insider Activity Discovery/Prevention + • Privacy Technology + • Distributed text/data mining = • Comprehensive Privacy Compliance Technology • Could be applied for other compliance requirements • Social Networking Applied to Privacy: SNAP • Strategic project for NRC’s Institute for Information Technology
SNAP Project:Technologies • Trusted Human Computer Interaction • Simple, Effective Control of Complex Systems • Automated Work Flow Discovery • Project Management, Organizational Work Flow • Security Protocols for Privacy Protection • Scalable, effective, efficient exchanges • Secure Distributed Computing • Authentication, Authorization, Access Control • Data/Knowledge Visualization • Effective Security/Privacy posture Display • Privacy-Enabled Data Mining • Protect data while assuring compliance
SNAP Project:Goals • Create technology that: • Discovers important data within a corporation • Wherever it may be • Discovers and visualizes how people work with the data • Fills the Technology Gaps • Exploit Results • Widely • Core Technology • Application Areas: • Business • Public Safety • Healthcare • Government • Military
SNAP Project: NRC’s Approach • User-Centered Research, Development, Design • Identify User, Context, and Needs • Business, Functional, Data and Usability Requirements • Early Testing • Privacy Technology User Group • First Users • Exploitation Interests User Group SNAP Exploitation NRC
Goal: Identify Essential Product Determine User Detect Expectations Define Use Context Four Parts Business Requirements Functional Requirements Data Requirements Usability Requirements SNAP Project:Privacy Technology User Group
Fully Understand Problem SNAP Project:Privacy Technology User Group • Analysis • Document • Stakeholder Interviews • Stakeholder Workshops • Observations in Context • Scenarios and Use Cases • Focus Groups with End Users • Demonstrations, simulation and prototypes • Targets: • Shared understanding - End User Involvement • Project Scope/Risk Reduction - Requirements Specification
Org. 1-Org. 6 SNAP Project:Organization Picture SNAP Project NRC-IIT Background Research SNAP Technologies Trusted HCI Automated Workflow Analysis Security Technologies For Privacy Protection Private Data Discovery Effective Knowledge Visualization & Analysis Privacy Technology User Group Requirements Focus Requirements Gathering SNAP Demo Company Product 2 Product 3 Product 4 Product 1
SNAP Project:Some Results(Current Prototype) • Private data, • SIN, Credit Card number, Address, Email • Find it anywhere • Any action, any context, any file, any application • Automated private data workflow discovery • Locate what went wrong and when for automated compliance or forensics • Determine normal and abnormal workflow • Correct workflow, discover experts • Compare flow/operations against policy • Prevent inappropriate operations • Automatically
Summary • Technologies for Compliance • Brief Compliance Technology Company List • Technology Gaps • NRC-IIT’s SNAP Project
Questions? ? Larry.Korba@nrc-cnrc.gc.ca http://www.iit-iti.nrc-cnrc.gc.ca/ “Humanity is acquiring all the right technology for the wrong reasons.” — R. Buckminister Fuller