PrivatelyExposed

A Blog dedicated to exploring privacy and technology

Archive for the ‘risk’ Category

Rethinking Privacy in the Digital Age

Posted by Wayne on March 27, 2012

I’ve been teaching grad school for the past couple of years with the desire to eventually create a course on a subject that is near and dear to my heart – Privacy. Well, that time has finally come, as I’ve been hard at work developing a course that has both practitioner and theoretical content. The course frames privacy four ways: legally – different laws by state and data type; technically – PETs and surveillance systems; from a regulatory perspective – FTC/FCC/OECD; and socially – Facebook/LinkedIn and more.

Here is the announcement from the director of the program (and one of my mentors) Dr. Maria Garcia:

“Greetings, Students!
Are you concerned about the privacy and security of your personal data? Do you work in an industry that manages sensitive data? Read on!

All businesses know the importance of safeguarding confidential data. This practice is no longer limited to companies subject to regulation, such as healthcare, education, and financial services. With increased access to personal information via social media and consumer products, such as smartphones and gaming systems, the growing risk of exposure affects everyone, personally and professionally.

With this in mind, Franklin Pierce is launching a new course – Rethinking Privacy in the Digital Age. In this class, students will learn the fundamentals of privacy – its origins, risks, and protections. Learn how to assess the value of your and your customers’ privacy when data is shared through online systems designed to use your information as currency.

Rethinking Privacy in the Digital Age (GI 590) will be offered at the Manchester, N.H. center in an eight-week hybrid format; hybrid classes meet every other week and classwork is completed online during the alternate weeks. The class begins on Tuesday, April 24, 2012 and ends on Tuesday, June 12, 2012.”

I can’t begin to tell you how excited I am! The sessions are going to include debates for and against advertisers’ and commercial companies’ rights versus individuals’ rights, an exercise writing a privacy bill, practical experience trying to gather information on others, and a review of the new FTC privacy framework just published this week. If you have 8 weeks to spare – come join us! I know we will all learn something about privacy together, and you get graduate or undergraduate credits as well.

Hope to see you there!

/Wayne

Posted in cloud, privacy, risk

Part 2 – Choosing the Assessments

Posted by Wayne on March 2, 2012

Once I had detailed the research questions I next needed to decide which privacy assessments I was going to use. First I looked at the security instruments out there to see what they had, and found that while several of the common security instruments did have a few questions that pertained to information privacy, they were by no means comprehensive. For example, the ISO/IEC 27002:2005 instrument has sections on privacy policy management and data classification but is missing specifics on, for example, notice, use, or retention. The next place to look was books on privacy assessments. Again, though I found books that contained sections on privacy, such as Debra Herrmann’s book “Complete Guide to Security and Privacy Metrics”, only about 10% of all the metrics listed were US-centric privacy metrics. US-centricity was a self-imposed requirement to manage the scope of this research.

My next approach was one I figured would be an easy step – run a few searches on the Internet and I’d probably have too many privacy assessments to choose from. Instead what I got was a lot of commercial consulting companies that have all developed their own assessments. Now what? More searches – only more targeted – and emails to friends and friends of friends! I found three that seemed to be pretty good choices, and finding them detailed in an article written by Roger Clarke on Privacy Impact Assessments helped support the use of them.

DHS/DOJ Privacy Impact Assessment – The first one is the only mandated privacy assessment in the US; it is required by the DHS/DOJ when deploying a new government system (and so is somewhat government-specific as well). Since it is a privacy impact assessment it is designed to be used as a ‘pre-assessment’ before a system is implemented. I couldn’t determine the provenance of the DHS/DOJ PIA, but I had to assume that it is a ‘best practice’ and is reviewed by the office of the CPO. Also, the DHS/DOJ PIA only has 40 questions in it, making it the briefest of the assessments.

ISO/IEC 22307:2008 Financial Services Privacy Impact Assessment – This is an international standard and is biased toward financial services. It is also a pre-assessment instrument and has a total of 102 questions. I had to purchase this assessment for my research from ANSI, which manages ISO standards here in the US.

SharedAssessments Privacy Assessment – Shared Assessments is a not-for-profit group that was created by leading financial institutions and accounting firms. The instrument I used was an earlier version and was freely available. However, if you wish to access the tools today you have to become a member. The SharedAssessments tool that I used has 127 questions.

So these are the three assessments I used. In my next post I’ll talk about the cloud providers I chose and why.

thanks,

Wayne

p.s. There is a bit of irony that I want to mention – a complete book on privacy impact assessments was published just recently that may be useful if you are interested in knowing more about this topic: Privacy Impact Assessment (Law, Governance, and Technology Series).

Posted in cloud, privacy, risk, Uncategorized

Part 1 – An Introduction to my Dissertation Research

Posted by Wayne on February 11, 2012

Over the next few months I’ll finally be able to come out of hiding … not that I’ve been doing anything stealthy or even that exciting. I’ve been working on completing the hardest thing I’ve ever undertaken in my life – a PhD. Four and a half calendar years and literally well over a thousand hours of time. For some I guess this is something they know they are going to do when they are young and full of energy and strong of heart and mind, but for me this was my mid-life crisis.

Anyway – the coolest outcomes are: I definitely think a little differently about things, and the research that I got to do has some interesting and (I think) valuable results.

My initial goal was to do something epic, far reaching, and somehow alter the way we think about things. Did I accomplish that? Yes for me I did. I had some outstanding help from some great minds on my dissertation committee that helped me to explore a few things that will add to the science regarding privacy. I learned a lot from the body of knowledge already out there, from and about myself, and from those who supported me through the process.

The topic of study was “An Empirical Study of Privacy Risk Assessment Methodologies in Cloud Computing Environments”. The initial abstract was published here, and it has changed to look more like this. The abstract is not the only thing to change – the hypothesis changed, the research questions changed, and even the methodology changed. Fortunately, what didn’t change was the data.

For this post I’m just going to share the research questions:

Q1. Do existing privacy assessment methods adequately assess privacy risk exposures of cloud computing for the enterprise?

Q2. By using the scoring system (outlined in the methodology section), are the new characteristics in cloud computing such as on-demand/self-service, broad network access, measured services, shared resources, and elasticity adequately evaluated or accommodated in existing privacy assessment methods?

The drivers for these questions were based on some basic phenomena that I had observed 4 years ago when I started looking for problems to explore. First and foremost, I was (and still am) so excited about cloud computing. In my opinion Cloud is the most interesting technical thing to happen since the 80’s, when VAX/VMS clusters ruled the computing world. The second thing that I realized was that privacy was also a domain that seemed to be important and was so incredibly polarizing with my peers in school and colleagues at work. The last thing that I noticed was that we seem to have this blind belief system and trust in assessment methods. Security folk call it checklist compliance – find a good checklist, check things off, and everything will be fine.

In the privacy domain risk assessments are very immature compared to the security world. Also, what got me thinking about all this was – who says we’re asking the right questions? When we’re done, why can’t we have a risk score like our credit score? I found some work done by Dr. George Yee (Estimating the Privacy Protection Capability of a Web Service Provider) that became the basis for my inquiry – how do we get assurances of privacy when we connect with web service providers?

More to come soon …

/wayne

Posted in cloud, privacy, risk, security, Uncategorized

Finally, almost published …

Posted by Wayne on March 27, 2010

About 18 months ago I took a (premature) shot at publishing a paper on cloud … I was neither ready for the level required for the paper nor was the topic mature enough when I started writing it. When I finally heard from the organization I submitted the article to, I also almost gave up ever trying again … the whole process of submitting, waiting, etc. is really a trying one. The amount of friction involved likely drives many away from even bothering when there are so many other avenues with a much lower coefficient of friction.

For those who are prolific peer-reviewed researchers and writers, my hat is off to you. With all the work, school work, dissertation efforts, and errata activities, I decided to give “published” writing a break.

In the past 2 months a funny thing happened – call it aligning the stars or something in the water – whatever it is, I had a brainstorm for a paper, ran across a great venue for it, and my idea was accepted. I had blogged about and posted on other sites about cloud transparency, so I thought why don’t I do the real research and empirically do a quick (small population) study. The process forced me to analytically break down the notion of cloud service provider transparency, do the literature review, and come up with a workable scorecard. Then I studied six cloud providers to see how they fared based on the scorecard. The whole process forced me to re-evaluate the scorecard. I also had a few friends help out – like Randy Bias at Cloudscaling, who made a few suggestions on the scorecard.

The second event came about through someone sending me the link to a venue and saying to me – “hey Wayne – you should present at this”. “This” happens to be this summer’s Usenix HotCloud conference. When I read the event structure and topics I knew I wanted to do something for the conference but … how do I do something that is related to my dissertation without spilling all the beans on what my study is about (this is a primal fear in researchers – for good reason – stolen work)? So I asked a colleague at work whom I am so privileged to know, Dr. Burton S. Kaliski, Jr., who has so very graciously agreed to be on my dissertation committee. He suggested – why not take your thesis topic and we do something related as a position paper? So the scramble began, and in two weeks we wrote a position paper on Risk Assessment as a Service in Cloud Environments … we won’t hear if we got in or not for a few weeks. The whole process of working with such a knowledgeable person, who can write a paragraph faster than I can read one, was amazing! He is so fluid with his thoughts. We took a year’s worth of white board discussions and came up with a closely related topic that has already provided me greater insight into what I have to clarify in my thesis process.

So now the fun begins – I wait and hopefully go from – almost published … to published. Either way the experience and learning was well worth it. Now back to my thesis …

/wayne

Updated May 7th:

We (Dr. Kaliski and I) got accepted into the Usenix HotCloud workshop on June 22. We have some minor edits and then I will post the paper. You can find the program for the day here, which has sections on Performance/Power, Economics/Pricing, New Programming Models and Usage Scenarios, and my favorite, Security and Reliability.

Updated June 25th:

My second article got accepted by IEEE Privacy and Security. The article will appear soon online and be printed in a special edition on Cloud Computing this fall.

Posted in cloud, risk, security, Uncategorized

What hat do you wear in private?

Posted by Wayne on March 15, 2010

I’ve been studying privacy for about three solid years now and have sat in graduate level classes, read some 300+ research papers and hundreds of blog postings/articles (thanks IAPP – the dailies are awesome), own/read some 25+ books on privacy (check out my library), and even follow some great minds on Twitter (like @privprof!) – so this all totals up to hours and hours (north of 1500 hours) of thought after thought about privacy.

What strikes me as a point of interest is that 99.999% of the content seems to be about the user/consumer/citizen – the person. Not that this is a bad thing – because let’s face it – most private information comes from people. We have contemporary privacy scholars who focus on the legal aspects of privacy like Daniel Solove (if you haven’t read his book “Understanding Privacy” – I highly recommend it!). Software engineering privacy experts like Lorrie Cranor, who has driven incredible changes in how software, user interfaces, and web tools gather and use privacy-related information. Roger Clarke, who has looked at privacy statements and privacy impact assessments in depth. Or Herman Tavani, who has shaped much of the theoretical basis for IT Ethics (he has published some excellent research on Privacy & Ethics). And I could go on and on with the list of really great minds.

Recently I have had a few discussions with folks who are privacy experts – in fact a few of them are world-renowned in the academic circles. When I bring up the fact that business has a privacy requirement too – let’s just say I usually get a pretty strong negative response to that. One person even suggested that maybe I’m just working for a business and not really doing research.

Let’s face it – particularly here in the U.S. companies have been very liberal with their controls of their customers (and even just prospects) information. Take the days of the 3×5 warranty card. How is it that a company that sold you a baby carriage needed to know your annual income or your age? All that they need to know (if they need to know anything) is the date it was purchased, where it was purchased, a serial number, and your address.

But … what if we thought about privacy a little differently? What if we thought of it as if the corporation were a person? For example – a corporation has to worry about the data of its employees, its customers, and its own “information”. Its own information could include protected things like intellectual property or more grey-area things like temporal or tribal knowledge (e.g. current incentives given to sales to drive sales behavior against a competitor).

Also – has anyone ever heard the phrase “it would be like pushing on a rope”? In other words, if the discussion/argument/definition is one-sided – how do you really move your position forward if there is nothing there to resist the progress? Benjamin Franklin said “Reading makes a full man, meditation a profound man, discourse a clear man.” How can the tension between man and corporation when it comes to privacy be one-sided? Researching and understanding the privacy privilege, violation, protections, perspective, and purpose from the corporate side of the coin seems to be not only valuable – but a requirement. How can we fully understand where the line needs to be drawn with regard to individual protections if the fight is one-sided?

H. Jeff Smith wrote in his book “Managing Privacy” that corporations only respond to privacy requirements when there is an external event (breach, lawsuit, regulation) – why not choose a different, proactive course? One which embraces the needs of the enterprise and assesses them against the needs and rights of the citizen – so that we can find the middle ground? Why constrain our forward movement in the realm of privacy to just the outcome of a complaint or the past tense of lost privacy?

And no, my research is not for the corporation or by the corporation. My personal opinion is that corporate America does have too many liberties with our private information and we’re not adequately protected. However, my opinion doesn’t count when it comes to research, and one of the most interesting ways to study a problem is to reverse it.

/wayne

Posted in privacy, risk, Uncategorized

Veiled Transparency

Posted by Wayne on November 23, 2009

Over the past month I’ve been researching (mostly searching, and the results have been #fail) cloud providers to understand what they use to “assure” trust. In other words – if I’m a company of sufficient size that risk outweighs convenience and I want to make sure that if I use the cloud – my site will be secure, my information will be protected with the privacy controls I require for my business (be they HIPAA/HITECH, SOX, PCI, etc.), and the site will maintain good availability via service levels.

Many of the providers want you to believe that they are in fact transparent – which also happens to be the latest buzzword in the blogosphere (there are some great articles by Hoff and Randy Bias, to name a few) – regarding the information that the provider is willing to put up on their website. On the one hand, I’ve found that just getting this information as a non-customer is not an easy feat. Some providers like Google and Microsoft provide what I would call one-stop shopping (e.g. Google Privacy Center, Microsoft Online Privacy). They have a web page that gives you the core stuff like their terms of service, privacy policy, and either a security policy or at least a white paper on their controls. Microsoft has developed a full online Compliance Framework that they “appear” to be applying to Azure.

First let’s tackle what constitutes transparency for the customer (customer being someone who is going to place a business ON the cloud provider’s systems). As a potential customer I’m likely to want to see the following:

  • SLAs – What are the SLAs? Are they five 9’s? Four 9’s? What are the aggregated service levels if I’m a typical customer? So if I use your messaging services, your storage, and compute services, do I still get an aggregate of five 9’s, or was one of the services at a lower level? Is there a service level credit? For example, GoGrid provides a 10,000x credit for downtime while others just credit your minutes of lost time. Several providers will also actually pay the customer for business lost, though this is provided via an insurance policy that the business could otherwise acquire.
  • External Audits – The rage seems to be SAS70 Type II audits, which are designed to provide an element of financial-systems trust by having a third-party certified auditor look at security policies and procedures, determine what controls are in place, and measure their effectiveness as they relate to an audit of the financial statements (see SAS70 details). This is great if you are trying to make sure the provider has controls in place that support SOX requirements, but what about general PII/PCI controls or HIPAA? What about their security posture? I’d argue that this type of audit is a good “business” control type of audit. What is still needed is a Security and a Privacy audit to complete this picture. Minimally, as a customer I would want to see the SAS70 audit results and the mitigation plans. While many of the providers have this audit done – none of them currently provide the results on their websites, and they would not provide the details to me via email, though one provider did provide a list of the SAS70 control “buckets” that they include in their audit. They would not let me publish them via a blog or post to the web – to quote them it would “lessen its value” (not sure how that is – but they provided it for my research). One last note is that I found that ADP would provide the results of their SAS70 audits to their paying customers for the areas that aligned to the services that they used.
  • Internal Audits/Assessments – It is assumed that security and privacy policies need to be in place as SOP for data center operations. Along with the policies are internal audits/assessments that are performed with due rigor and regularity. The international standard ISO/IEC 27001:2005 is for security assessments and is considered by many to be one of the best and most thorough. There are several other well-known security assessments such as OCTAVE from Carnegie Mellon, which uses a Bayesian model based on quantitative analysis of qualitative data and is designed to be used by internal resources. The US Government has also developed a series of standards in the NIST SP800-53 standard. The results of these audits are not generally available to “prospects” or actual customers, are not published, nor are they necessarily “honest”. For example – I ran across this statement on risk assessments from Pivot Point Security:

At this point Risk Assessments are a lot like a bikini; “What they reveal is suggestive, but what they conceal is vital”. Worse, it’s easy (and common) to make what they reveal what you want them to reveal.

Having performed and participated in OCTAVE, ISO/IEC 27001, NIST SP800-53, and COBIT audits myself, I found out a few things in the process. Purely internal or purely external assessments introduce too much bias. OCTAVE was designed to be run internally because the subject matter expertise lies within the organization, and employees/security staff have a better understanding of “asset value” (and I’m not going to get into the whole debate on the usefulness of ALE/ROSI valuation methods). The internal bias could potentially be mitigated by having an external firm provide oversight and guidance. Perhaps the best (and most expensive) method would be to have an internal and an external audit performed and compare them for patterns and gaps. Having run the operations for a managed service provider in the past, it was my experience that we would have internal assessments run on off cycles from the external ones, and the external ones would go through a “rough pass” phase, allow us to fix the most egregious problems, have a final pass run, and then the results would be provided to requesting and paying customers. If they weren’t both, they didn’t see our security audit results.

One last comment on Risk Assessments – there is a new method named FAIR, which Hoff pointed out, developed by Jack Jones from Risk Management Insight, that takes a different (and refreshing) approach to assessment methods. While most assessment methods rely heavily on interviewing and subjective qualitative data, FAIR uses quantitative analysis for the asset valuation and threat impact, and also uses Monte Carlo simulations to pinpoint where the threats are most probable. This seems to be unique because it is far more quantitative, and that makes it potentially far more machine readable/executable (I’ll expand on why this is important in future blogs).
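To make the “quantitative, machine-executable” point concrete, here is an added example (mine, not from the original post and not FAIR’s own tooling) of a minimal Monte Carlo loss simulation. It takes FAIR’s two top-level factors, loss event frequency and loss magnitude, as inputs; FAIR breaks each of these into further factors that are left out here. The event rate and the triangular loss range are constructed numbers for illustration, as are the function names.

```python
# Added example (not from the original post, and not FAIR's own tooling):
# a minimal Monte Carlo loss simulation of the quantitative kind the post
# contrasts with interview-driven assessments. Inputs are FAIR's two
# top-level factors, loss event frequency and loss magnitude; FAIR breaks
# each of these into further factors that are left out here. All numbers
# below are constructed for illustration.
import math
import random
from typing import Dict, List


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year: Poisson with mean `rate`
    (Knuth's multiplication method, fine for the small rates used here)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rng: random.Random, event_rate: float,
                           loss_min: float, loss_mode: float, loss_max: float,
                           years: int) -> List[float]:
    """One trial per simulated year: draw how many loss events occur, then a
    magnitude for each from a triangular(min, most likely, max) distribution,
    and record the year's total loss."""
    totals = []
    for _ in range(years):
        events = poisson_sample(rng, event_rate)
        # random.triangular takes (low, high, mode)
        totals.append(sum(rng.triangular(loss_min, loss_max, loss_mode)
                          for _ in range(events)))
    return totals


def summarize(losses: List[float]) -> Dict[str, float]:
    """Mean annualized loss plus the percentiles a risk owner actually asks
    about: the typical year, the bad year, and the worst simulated year."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, math.ceil(p * n) - 1)]

    return {"mean": sum(ordered) / n, "p50": percentile(0.50),
            "p95": percentile(0.95), "max": ordered[-1]}


def run(seed: int = 7, event_rate: float = 2.0, loss_min: float = 1_000,
        loss_mode: float = 5_000, loss_max: float = 20_000,
        years: int = 50_000) -> Dict[str, float]:
    """Seeded so that the same inputs always give the same summary."""
    rng = random.Random(seed)
    return summarize(simulate_annual_losses(rng, event_rate, loss_min,
                                            loss_mode, loss_max, years))


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key:>4}: {value:,.0f}")
```

The mean of the simulated years converges on the classic ALE (event rate times mean loss magnitude), but the p95 and max rows are what a checklist never gives you: how bad a bad year is. Because the inputs are numbers rather than interview notes, the same script can be re-run unchanged whenever an estimate changes.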

  • Employee Certifications/Expertise – If you go back a bit in time to ASPs/MSPs vs. hosting, there was a line of demarcation that appeared when you wanted help. The MSP had excellent subject matter expertise on the services they provided, all the way up through the stack to whatever level they provided. If they were a database MSP they had experts in database, security, backup, etc. at your disposal. If they were a hosting provider – they stopped at the lowest level. They knew a lot about power/pipe/ping (physical security, power, cooling, core network), but if you needed OS support they may or may not provide it, and if they do, it is not included in the service.

When looking at cloud providers you should look at the experience and certification levels of the staff as part of your investigation. I would also suggest looking at “where” the talent is and what hours they work. For example, if they use a “follow-the-sun” method – that may mean the staff you are using during your normal workday do a hand-off when the clock strikes 5:00PM, and you have to re-educate someone new who may want to take too much creative license with the focus of the troubleshooting effort. No matter what – find out if the people working in support have names that are followed by the alphabet soup we are all accustomed to in the IT industry – CISSP, CIPP, CNE, CNA, MCSE, RSA/CA, etc. – and make sure they have these certs from reputable organizations such as Cisco, ISC2, etc.

Also consider using a provider that is ITIL certified or at least has ITIL certified staff members. Why? Well, for one, ITIL was designed to improve the quality of service management by creating a framework of best practices for organizations to establish a service desk and a services catalog, and to measure service levels against. The latest version, ITIL v3, included the use of third-party providers, extending the standard into the cloud/MSP/ASP world.

  • Miscellaneous – The final set of things to look at is – have these guys been in business a while? Are they solvent? What outage/security events have they had? Are they willing to provide you with the things listed above (and anything else you need) to make a good decision? Also make sure you really understand their billing model – some providers charge you for the “max used” or “burst” rate for the month while others do some averaging. Some include or group services together (such as DNS being part of network usage) while others are 100% à la carte and you need to pay for them separately. Perhaps someday we’ll see finer-grained metering systems (due to competition), like networks that tend to use 95th percentile billing, which allows for short bursts.

One final thought on this tome I’ve written (assuming you read this far!) – consider what happens with your cloud provider when they are part of a set of service providers. For example, if you are using one provider who gives you an easy portal to set up and manage your cloud infrastructure, then another behind that provides the core services (storage, compute), then another for backup/DR, then another for security – start to think about the complexity (=risk), and whether this aggregated service (what I like to call the service-stream) still has the security level, SLA, etc. that you had when you started. Do they have the same privacy standards and requirements? Are the protections transitive? Are they willing to test an outage and share the results, or actually include you in the process (like you do internally when you test your DR plan)?
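The SLA bullet, the billing-model remark under Miscellaneous, and the service-stream paragraph above all come down to arithmetic that is easy to get wrong by eye. The following is an added example (mine, not from the original post) that works it out: the aggregate availability of a chain of services, the whole-number of nines it actually delivers, the credit an outage earns under a multiplier, and how the same month of usage samples bills under max/burst, average, and 95th percentile metering. The function names and the sample figures (two five-nines services chained with one four-nines service; 95 quiet samples and 5 bursts) are constructed for illustration; the 10,000x multiplier is the one the post mentions.

```python
# Added example, not from the original post: the arithmetic behind three of
# the questions above -- aggregate availability of a service-stream, the
# service-level credit that downtime earns, and how the billing model
# (max/burst, average, 95th percentile) changes the billable rate.
# Function names and sample numbers are constructed for illustration.
import math
from typing import Sequence


def composite_availability(availabilities: Sequence[float]) -> float:
    """Availability of a chain in which every service must be up for the
    customer's application to work. Assumes independent failures, so the
    answer is the product of the per-service availabilities."""
    result = 1.0
    for a in availabilities:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability out of range: {a}")
        result *= a
    return result


def redundant_availability(a: float, copies: int) -> float:
    """Availability of `copies` independent instances of one service where
    any single instance is enough (parallel): 1 - (1 - a) ** copies."""
    return 1.0 - (1.0 - a) ** copies


def nines(availability: float) -> int:
    """Whole number of nines delivered: 0.9999 -> 4, 0.99988 -> 3.
    The small epsilon guards against floating-point rounding at a boundary."""
    if availability >= 1.0:
        raise ValueError("100% availability has no finite number of nines")
    return int(math.floor(-math.log10(1.0 - availability) + 1e-9))


def expected_downtime_minutes(availability: float,
                              period_minutes: int = 30 * 24 * 60) -> float:
    """Downtime an availability figure permits over a period (default: a
    30-day month)."""
    return (1.0 - availability) * period_minutes


def service_credit_minutes(downtime_minutes: float, multiplier: float) -> float:
    """Credit earned for an outage. multiplier=1 credits only the minutes
    lost; the post mentions a provider offering 10,000x the downtime."""
    return downtime_minutes * multiplier


def billable_rate(samples: Sequence[float], model: str) -> float:
    """Rate billed for a month of usage samples (e.g. Mbps every 5 minutes):
      'max'  - the peak ('burst') sample
      'mean' - the average sample
      'p95'  - 95th percentile: sort, discard the top 5% of samples and bill
               the highest one that remains (network-style metering)."""
    if not samples:
        raise ValueError("no samples")
    if model == "max":
        return max(samples)
    if model == "mean":
        return sum(samples) / len(samples)
    if model == "p95":
        ordered = sorted(samples)
        return ordered[math.ceil(0.95 * len(ordered)) - 1]
    raise ValueError(f"unknown billing model: {model}")


if __name__ == "__main__":
    # Constructed service-stream: two five-nines services and one four-nines.
    stream = [0.99999, 0.99999, 0.9999]
    agg = composite_availability(stream)
    print(f"aggregate availability {agg:.6f} ({nines(agg)} nines), "
          f"{expected_downtime_minutes(agg):.1f} min/month")
    print(f"credit for 3 minutes down at 10,000x: "
          f"{service_credit_minutes(3, 10_000):,.0f} minutes")
    # Constructed usage: 95 quiet samples and 5 short bursts.
    samples = [10.0] * 95 + [100.0] * 5
    for model in ("max", "mean", "p95"):
        print(f"{model:>4} billing: {billable_rate(samples, model)}")
```

The chain result is the point of the SLA question: one four-nines link pulls two five-nines services down to three nines for the customer, and the longer the service-stream, the further it drops. The billing functions show why the metering model matters as much as the unit price: the same traffic bills at 100 under burst pricing, 14.5 under averaging, and 10 under 95th percentile.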

In the end – you need to decide whether the provider is making it easy for you to understand how they do business with you. Are they open to sharing the controls/methods/etc.? Or do you have to work really hard to find out what they really are doing on your behalf? Don’t take the thinly veiled answer that it is for your protection that they won’t provide the information – you are the customer. But if you are just using a free service – you get what you pay for. If you are a real paying customer – then you don’t deserve to be treated with obscurity or directed to talk to someone else. The cloud is supposed to be self-service and automated – it is up to the providers to include in that service making it easy for potential/paying customers to get the answers they need to make their stockholders and customers happy.

Attached are the results of my looking at various providers via search and the web. It is incomplete – some sites had everything in one place, making it easy to find. Others that have empty spaces are because after trying for hours I gave up. Could be my skills are not what they should be with search – but I think if a 25+ year IT vet can’t find stuff easily on the web or with search then you are losing customers already.

/wayne

Resources:

SAS 70 – http://www.sas70.com/index2.htm, http://infotech.aicpa.org/Resources/Assurance+Services/Standards/SAS+No.+70+Service+Organizations.htm

RMI & FAIR – http://www.riskmanagementinsight.com/

Posted in cloud, privacy, risk, security, Uncategorized
