PrivatelyExposed

A Blog dedicated to exploring privacy and technology

Posts Tagged ‘security’

Part 1- An Introduction to my Dissertation Research

Posted by Wayne on February 11, 2012

Over the next few months I’ll finally be able to come out of hiding … not that I’ve been doing anything stealthy or that exciting even. I’ve been working on completing the hardest thing I’ve ever under taken in my life – a PhD. Four and a half calendar years and literally well over a thousand hours of time. For some I guess this is something they know they are going to do when they are young and full of energy and strong of heart and mind but for me this was my mid-life-crises.

Anyway – the coolest outcomes are: I definitely think a little different about things and the research that I got to do has some interesting and (I think) valuable results.

My initial goal was to do something epic, far reaching, and somehow alter the way we think about things. Did I accomplish that? Yes for me I did. I had some outstanding help from some great minds on my dissertation committee that helped me to explore a few things that will add to the science regarding privacy. I learned a lot from the body of knowledge already out there, from and about myself, and from those who supported me through the process.

The topic of study was “An Empirical Study of Privacy Risk Assessment Methodologies in Cloud Computing Environments” the initial abstract was published here and it has changed to look more like this. The abstract is not the only thing to change – the hypothesis changed, the research questions changed, and even the methodology changed. Fortunately what didn’t change was the data.

For this post I’m just going to share the research questions:

Q1.Do existing privacy assessment methods adequately assess privacy risk exposures of cloud computing for the enterprise?

Q2.By using the scoring system (outlined in the methodology section) are the new characteristics in cloud computing such as on-demand/self-service, broad network access, measured services, shared resources, and elasticity adequately evaluated or accommodated in existing privacy assessment methods?

The drivers for these questions were based on some basic phenomena that I had observed 4 years ago when I started looking for problems to explore. First and foremost I was (and still am) so excited about cloud computing. In my opinion Cloud is the most interesting technical thing to happen since the 80’s and Vax/VMS clusters ruled the computing world. The second thing that I realized was that privacy was also a domain that seemed to be important and was so incredibly polarizing with my peers in school and colleagues at work. The last thing that I noticed was that we seem to have this blind belief system and trust in assessment methods. Security folk call it checklist compliance – find a good checklist, check things off, and everything will be fine.

In the privacy domain risk assessments are very immature compared to the security world. Also what got me thinking about all this was – who says we’re asking the right questions? When we’re done why can’t we have a risk score like with our credit card score? I found some work done by Dr. George Yee (Estimating the Privacy Protection Capability of a Web Service Provider) that became the basis for my inquiry – how do we get assurances of privacy when we connect with web service providers?

More to come soon …

/wayne

Posted in cloud, privacy, risk, security, Uncategorized | Tagged: , , , , | Leave a Comment »

Why Privately Exposed?

Posted by Wayne on October 3, 2009

Seems to me like privacy issues come up every day in the news whether it is good news, bad news, or just new regulations and laws about privacy – it is becoming harder to hide or be off the grid. I just googled the word privacy and got over 1 billion hits! The UK has installed over 10,000 cameras in 32 boroughs (dated 2007) and Washington DC has a penchant for the same type of privacy invasion with CCTV cameras appearing on every corner, at all public transport sites, all government buildings, etc

Add to this the fact that our lives are becoming a mere shadow of our digital existence and it quickly becomes an area that I think we should be paying close attention to. Security provides the instruments needed to protect our privacy – and privacy is information about us that we choose to share, we understand where that information is going to be seen and used, how it will be combined with other information, where it will be stored, how long it will be kept around, and have choices/consent when all this will happen with OUR information.

Add to that the “cloud computing” phenomena and now you have some really smart people scratching their heads about privacy in this new computing paradigm. What happens when information that used to be inside the chinese wall of the enterprise are now sitting in a 3rd party providers data center? Does the Patriot Act come into play in a different way than it did when the data was inside the enterprise? What about the use of 3rd parties that use 3rd parties? Do the protections flow with an “inheritance clause” or is each sub-level of agreement treated with a new service level and privacy protection level?

Like I said – the good news is some really smart people are spending a lot of time discussing  and working towards solving these issues – from government to academia to the enterprise. My hope is to help expose some of the good and bad of what is going on in the privacy domain (especially as it relates to cloud and the enterprise), put my opinion out there, show what I find in the research, and together we can come away with a new consensus on how to proceed.

Also – be warned – I’m here to learn and use what I learn in my research for my doctorate and beyond so I may want to contact you directly if you comment to find out more from you!

-wayne

Posted in Uncategorized | Tagged: , , , , | Leave a Comment »

 
%d bloggers like this: