PrivatelyExposed

A Blog dedicated to exploring privacy and technology

Archive for December, 2009

Privacy Knowledge – Solving for the X factor

Posted by Wayne on December 31, 2009

I was toiling away today on the third version of my dissertation proposal (more like a complete redo!) and I came across a paper “An Ontology-based approach to Information Systems Security Management” written by three researchers from Greece. What struck me as an important idea from their paper was that they created a way to categorize security management into a framework that could be codified as a schema in a database (more on that in a sec) and, most importantly, was based on “security knowledge”.

Why is “security knowledge” (SK) such an important construct? Those who have been in the security business a long time probably already have a good idea of what SK is. SK is made up of a thorough understanding of the context of the infrastructure, the collecting of requirements, the actions that are to be deployed, and the value of information assets. Most organizations have some or all of these elements in their security knowledge base, though it is likely diffused over several people or even departments, or stored in multiple products. The diffusion of security knowledge is not a trivial problem in its own right, though it is beyond what I wanted to get to in this posting.

As a privacy researcher, what struck me as a key concept in this research is that there is a parallel need for “privacy knowledge” and it has to stop being an “also ran” to security knowledge. Privacy is important because privacy is based on information, and we are literally exuding Exabytes of information annually, much of it personal (70% according to this IDC link).

In the security domain, one of the metrics listed by Herrmann in her book “Complete Guide to Security and Privacy Metrics” is security policy management. I found it interesting that among the 972 metrics she listed there is no corollary to security policy management, which I would think would be called “privacy policy management”. Yet with the Cloud or any Internet-based business these days, privacy policies are kind of treated as a “ho hum, ya we got one” item. But have you ever read one? (Microsoft has an excellent one that is easy to read, while Wal-Mart’s is easy enough to read but is lacking in navigation friendliness.) Maybe when you do online banking you take the time to read it, but I’d bet $1.00 you never read it when you sign up for another widget you want to use on Facebook (a widget the FB folks wash their hands of when it is not theirs! What, you didn’t know their privacy policies were NOT transitive?). So why not have a privacy policy management metric? Why not include the privacy policy as part of the Privacy Knowledge (PK) that the enterprise has to manage, since the privacy policy defines the set of requirements the company is to adhere to when it DOES something with the not-as-private information it now holds?

What if we had a full-blown PK though? To some folks this seems like slicing the onion a different way, but bear with me for a minute. What if you actually took all the SK steps, applied them to privacy knowledge, and treated privacy knowledge as being as important as we treat security knowledge? The steps would be:

  • Get a full inventory of all your information assets (instead of the infrastructure itself) that apply to your customers, employees, and intellectual property.
  • Understand who has access to the information and can transform, store, or transmit it (“who” being people, process, or technology!).
  • Extract privacy knowledge (privacy requirements) from the privacy policy.
  • Associate the privacy requirements with privacy controls. Control instruments would include rule of law, regulations (HIPAA, SOX, etc.), and internal business rules as defined in the privacy policy.

Hypothetically speaking, if you took these steps and put the resulting information into a database, married it to the Privacy Rights Clearinghouse database, and threw in some information asset values, you could begin to perform analytics against the policies. With the historical breach data you could model potential exposures and perform what-ifs. Minimally, you could begin to evaluate privacy risk quantitatively. If nothing else you would be a lot closer to understanding X, X standing for the unknown.
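As an added illustration of the four steps above codified as a schema (example code, not from the post or from the Greek paper it cites), the toy database below holds information assets, who can act on them, the requirements extracted from a privacy policy, and the controls mapped to those requirements, then runs two of the analytics the post imagines: requirements no control instrument covers, and the asset value exposed by those gaps. All table names, sample rows and dollar values are constructed.

```python
"""Toy 'privacy knowledge' (PK) database for the four steps above: assets,
access, requirements from the privacy policy, and mapped controls.
Added example, not from the post or the cited paper; all rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE asset(id INTEGER PRIMARY KEY, name TEXT, subject TEXT, value REAL);
CREATE TABLE access(asset_id INT, actor TEXT, actor_kind TEXT, action TEXT);
CREATE TABLE requirement(id INTEGER PRIMARY KEY, text TEXT, source TEXT);
CREATE TABLE req_asset(req_id INT, asset_id INT);
CREATE TABLE control(id INTEGER PRIMARY KEY, name TEXT, instrument TEXT);
CREATE TABLE req_control(req_id INT, control_id INT);
"""

def build_pk_db():
    """Populate an in-memory PK database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO asset VALUES(?,?,?,?)", [
        (1, "customer_email", "customer", 50000.0),
        (2, "employee_ssn", "employee", 250000.0),
        (3, "source_code", "intellectual property", 900000.0)])
    db.executemany("INSERT INTO access VALUES(?,?,?,?)", [
        (1, "marketing_team", "people", "transmit"),
        (2, "payroll_batch", "process", "transform")])
    db.executemany("INSERT INTO requirement VALUES(?,?,?)", [
        (1, "email not shared with third parties without consent", "privacy policy"),
        (2, "SSN encrypted at rest", "regulation"),
        (3, "every access to personal data is logged", "privacy policy")])
    db.executemany("INSERT INTO req_asset VALUES(?,?)", [(1, 1), (2, 2), (3, 1), (3, 2)])
    db.executemany("INSERT INTO control VALUES(?,?,?)", [
        (1, "consent_flag_check", "internal business rule"),
        (2, "db_column_encryption", "regulation")])
    db.executemany("INSERT INTO req_control VALUES(?,?)", [(1, 1), (2, 2)])
    return db

def uncovered_requirements(db):
    """Step 4 gap: requirements with no control instrument mapped to them."""
    return db.execute("""SELECT r.id, r.text FROM requirement r
        LEFT JOIN req_control rc ON rc.req_id = r.id
        WHERE rc.control_id IS NULL""").fetchall()

def value_at_risk(db):
    """Value of each asset bound to at least one uncovered requirement."""
    rows = db.execute("""SELECT DISTINCT a.name, a.value FROM asset a
        JOIN req_asset ra ON ra.asset_id = a.id
        LEFT JOIN req_control rc ON rc.req_id = ra.req_id
        WHERE rc.control_id IS NULL""").fetchall()
    return dict(rows)
```

Joining a breach-history table (such as the Privacy Rights Clearinghouse data the post mentions) on the asset's subject type is the natural next step for the what-if modelling.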

/wayne

Posted in Uncategorized

Twas the Night before Cloudness

Posted by Wayne on December 25, 2009

Twas the night before Cloudness, when all through the Cloud
Not a creature was stirring, not even a squirrel.
The tweets were sent only 140 with care,
In hopes that a final, final, final cloud definition soon would be there.

The Clouderati were nestled all snug in their beds,
While visions of standards danced in their heads.
Dot.Gov and her ‘cyberchief, and OVF in his cap,
DMTF and OCCI messed with our brains before a long winter’s nap.

When out on the Vaporware there arose such a clatter,
I sprang from the Mac to see what was the matter.
Typed away on the keyboard, I tweeted like a flash,
Private & Public, for Hybrid – just add a dash.

The predictions had come, for 2010 like new-fallen snow
Predicted the cloud #fail, all of the vendors we know.
When, what to my cloud-washed eyes should appear,
But a transparent cloud provider, and eight controls simple & clear.

With a bunch of new VM’s, and security we designed to stick,
I knew in a moment SAS70, I wouldn’t pick.
More rapid than Cloud Security Alliance, then ENISA came,
And they covered their _aaS and called out the controls by name!

“Now Bochagalupe! Now, Suredy! Now lmacvittie, Werner and Alverez (cloud Vixen)!
On, Ruv! On, WattersJames! On GeorgeReese, on Jamesurquhart and Randy-Biaz!
On Samj! On Aneel! On Mfratto! On ShlomoSwidler and Swardly!

To the top of the storage farm! to the edge of the firewall!
Now compute away! Compute away! Compute away all!”

As the competition heated up, like the wild hurricane fly,
When they meet with an obstacle, change their offers on the sly.
And finally the enterprise, to the providers they flew,
With the sleigh full of AWS, Google, and now Microsoft too.

And then, in a twinkling, I heard where’s the proof
Will my data be safe, VM’s can the hackers spoof?
As I drew in my head, an architecture that was sound,
I conferred with my cloudmates, not an exposure was found.

Along came one all dressed in fur, with a tail longer than a foot
Yet his nickname was beaker and he often says !woot.
He carried a bundle of Cloud Toys he had flung on his back,
And he told us about frogs, while opening his pack.

Others worried about interop and if there was privacy!
Some call the process a mobocracy and others an isocracy!
Some speak of the cloud and security as ones in the know,
One has his sock puppets and beard as white as snow.

They spoke not a word, but tweet’d while they work,
And filled all the demand, keeps them from going totally berserk.
And laying out standards, all gaps they expose.
Ready their clouds, for enterprise rose!

They sprang to their work, this A-team gave a whistle,
And away they all flew, like the shot of a missile.
And I heard the Clouderati exclaim, ‘ere they drove out of sight,
“Happy Cloudness to all, and to all a good-night!”

Posted in Uncategorized
