Privacy Compliance: Technology - Gaps, Challenges

1
Privacy Compliance Technology - Gaps, Challenges

• Larry Korba
• National Research Council of Canada
• Larry.Korba_at_nrc-cnrc.gc.ca

CACR Privacy and Security, Nov. 1-2, 2006 Toronto
2
Outline

• About NRC/IIT/IS
• What is the problem?
• Backdrop
• Technologies for Compliance
• Types, Snapshot
• Compliance Gaps
• Technologies, Other Challenges
• NRCs Approach
• Project Structure, Early Results
• Summary

3
Caveats

• My Opinions
• No Endorsements by NRC
• Technology Focus, But Compliance Needs More
  Than Technology!
• Ask Questions Any Time

4
NRC NRC-IIT

• NRC
• 850M, in every province, 20 institutes
• Scientific Research one of its Seven Mandates
• Goal
• NRC-IIT
• 20M, 4 Cities Ottawa, Gatineau, Fredericton,
  Moncton
• 9 Groups
• http//www.iit-iti.nrc-cnrc.gc.ca
• NRC-IIT-IS
• Security and Privacy Research and Development

Increase Competitiveness through Research that
gets Exploited
Security and Privacy without Complexity
5
What is the Problem?

• From the News
• Feds Often Clueless After Data Losses Oct.
  18, 2006
• Business brass ill-prepared for disasters
  Sept. 26, 2006
• AOL is Sued Over Privacy Search Breach Sept.
  26, 2006
• Police warned to improve database security
  Aug. 23, 2006
• Data Loss is a Major Problem Aug. 18, 2006
• Three-Fifths of Companies Suffer Severe Data
  Loss Aug. 17, 2006
• 2nd VA Data Loss Prompts Resignation Aug. 8,
  2006
• Patient Data stolen from Kaiser Aug. 8, 2006
• Sentry Insurance Says Customer Data Stolen
  July 29, 2006
• Stitching Up Healthcare Records Privacy
  Compliance Lags April 16, 2006

6
What is the Problem?Data Explosion

• The Roots of the Problem

Organization
Organization Data
Clients

7
Technologies for Compliance The Promise
Technology makes the world a new place. -
Shoshana Zuboff, U.S. social scientist. In the
Age of the Smart Machine, Conclusion (1988).
8
Technologies forCompliance Market Drivers

• Compliance
• Huge market (10 Billion)
• Healthy Growth Rate (20 - 50 per year)
• Compliance areas
• Payment Cards, Privacy, Financial Information,
  Security, Privacy
• Sectors Diverse
• Government
• Healthcare
• Tourism/Hospitality
• Services, Financial
• Manufacturing
• Transportation
• Military
• Others

9
Technologies for ComplianceMarket Drivers

• Bandwagon Effect
• Firewall, Intrusion Prevention, Network
  Management, Security/Privacy Policy Management
• Consultants
• New Technologies
• To Deal with Different Needs
• Sarbanes-Oxley
• Privacy
• Intellectual Property Management
• And Emerging Needs
• Data Purity

10
Technologies for ComplianceBackdrop Key Types

• Compliance
• Consulting Services
• Internet Service
• Appliance
• Database
• Application
• Focus
• Enterprise Systems
• Enforcement
• Not Policy Creation/Distribution/Management
• Two Types
• Network-Based
• Agent Based
• And Combinations of the Above

11
Technologies for ComplianceTypes Network-Based

• Monitor Network Traffic
• Dissect packets
• Determine type of traffic, or data mine content
• Flag/Prevent activities denied based upon policy
• Encrypted Traffic

Network
Packet Capture Understand Traffic Mine
Content Policy Interpretation Log or Prevent
Inappropriate Activities
12
Technologies for ComplianceTypes Agent-Based

• Installs on Servers, Desktops, Laptops
• Direct access to activities
• Management Console to Coordinate Actions

Console
Network
Mine Data at Rest Mine Computer Activity Policy
Interpretation Log or Prevent Inappropriate
Activities
13
Technologies for ComplianceTypes Combination

• Best of Both Worlds!

Console
Network
14
Technologies for Compliance
Technology is a servant who makes so much noise
cleaning up in the next room that his master
cannot make music. - Karl Kraus (18741936)
15
Technologies for ComplianceImplementation Issues

• Dealing with
• Interactions Between Different Laws/Regulations
• Structured or Unstructured Data
• Data Server Environments
• Content Management
• Automation of Policy Controls
• Proactive Enforcement
• Or Testing/Scanning
• Flexibility of Forensic Tools
• Risk Management Tools
• Interactions between Compliance Existing
  Systems
• Identity, Document, Project Management, etc.
• Network Security, Antivirus, Databases

16
Technologies for ComplianceChallenges
Technology is dominated by two types of people
those who understand what they do not manage,
and those who manage what they do not
understand. - Putt's Law
17
Technologies for ComplianceUnderlying Challenges

• Despite the hype
• There is no Instant, Universal, Ever- Adaptable
  Solution for Automated Compliance
• You cannot rely on technologies alone
• Resources will be required
• Purchasing,
• Maintenance,
• Related SW HW,
• Staff,
• Consultants
• As well, there are technology gaps

18
Technologies for ComplianceImplications
Challenges

• Monitoring Employee/Guest Computer and Network
  Activity
• There may be little privacy
• Little expectation of privacy
• There may be a great deal of data exposure
• How well does the compliance technology protect?
• Balancing Legal Obligation with
  Employer/Employee Trust Relationship

19
Technologies for ComplianceSome Examples

• Just a sampling of offerings
• Market is changing monthly

20
Technologies for ComplianceSome Examples

• ACM www.acl.com
• SOX, agent-based
• Googgun www.googgun.com
• privacy compliance server
• Ilumin www.ilumin.com
• Assentor
• Vontu www.vontu.com
• Discover, Protect, Monitor, Prevent

21
Technologies for ComplianceSome Examples

• Verdasys www.verdasys.com
• Digital Guardian
• Oakley Networks www.oakleynetworks.com
• Sureview, Coreview
• Axentis www.axentis.com
• Internet service for SOX compliance
• IBM Workplace for Bus. Controls www.ibm.com

22
Technologies for ComplianceSome Examples

• Qumas www.qumas.com
• DocCompliance, ProcessCompliance, Portal
• Stellent www.stellent.com
• Enterprise Content Management
• Reconnex www.reconnex.com
• iGuard 3300
• Tablus www.tablus.com
• Content Alarm NW

23
Technologies for ComplianceSome Examples

• Intrusion www.intrusion.com
• Compliance Commander
• Vericept www.vericept.com
• Enterprise Risk Management Platform

24
Technologies for ComplianceSome Examples

• Privasoft www.privasoft.com
• AccessPro (Information Access Privacy)
• Enara Technologies www.enarainc.com
• Saperion Enara Technologies
• Autonomy www.autonomy.com
• Aungate Division
• Data mining for email and voice compliance
• And more

25
Technologies for ComplianceChallenges
Having intelligence is not as important as
knowing when to use it, just as having a hoe is
not as important as knowing when to plant. -
Chinese Proverb
26
Technologies for ComplianceTechnology Gaps

• Visualization Techniques
• Minimize Operator Errors
• Learn from Operators
• Accountability and Privacy
• Audits, Retention, Access Restriction, Data Life,
  Rule Sets
• Data Mining and Machine Learning
• Better Algorithms Speed, Accuracy, Privacy
• Semantic Analysis, Link Analysis
• Context Operator, Similar Operators
• Privacy Aspects
• Privacy-Aware Data Mining
• Limit Collection Reduce Overhead and Big
  Brother Effect Intelligence
• Better Workflow Integration
• Reflect/Understand what really happens in an
  organization
• Forensic Tools
• Security Built-In
• Protect Data Discovery and Discovered Data
• Privacy-Aware Security Protocols

27
Technologies for ComplianceNRCs Approach

• Technology Approach
• Inappropriate Insider Activity Discovery/Preventio
  n
• Privacy Technology
• Distributed text/data mining
• Comprehensive Privacy Compliance Technology
• Could be applied for other compliance
  requirements
• Social Networking Applied to Privacy SNAP
• Strategic project for NRCs Institute for
  Information Technology

28
SNAP ProjectTechnologies

• Trusted Human Computer Interaction
• Simple, Effective Control of Complex Systems
• Automated Work Flow Discovery
• Project Management, Organizational Work Flow
• Security Protocols for Privacy Protection
• Scalable, effective, efficient exchanges
• Secure Distributed Computing
• Authentication, Authorization, Access Control
• Data/Knowledge Visualization
• Effective Security/Privacy posture Display
• Privacy-Enabled Data Mining
• Protect data while assuring compliance

29
SNAP ProjectGoals

• Create technology that
• Discovers important data within a corporation
• Wherever it may be
• Discovers and visualizes how people work with the
  data
• Fills the Technology Gaps
• Exploit Results
• Widely

• Core Technology
• Application Areas
• Business
• Public Safety
• Healthcare
• Government
• Military

30
SNAP Project NRCs Approach

• User-Centered Research, Development, Design
• Identify User, Context, and Needs
• Business, Functional, Data and Usability
  Requirements
• Early Testing
• Privacy Technology User Group
• First Users
• Exploitation Interests

User Group
SNAP
Exploitation
NRC
31
SNAP ProjectPrivacy Technology User Group

• Goal
• Identify Essential Product
• Determine User
• Detect Expectations
• Define Use Context
• Four Parts
• Business Requirements
• Functional Requirements
• Data Requirements
• Usability Requirements

32
SNAP ProjectPrivacy Technology User Group

• Analysis
• Document
• Stakeholder Interviews
• Stakeholder Workshops
• Observations in Context
• Scenarios and Use Cases
• Focus Groups with End Users
• Demonstrations, simulation and prototypes
• Targets
• Shared understanding - End User Involvement
• Project Scope/Risk Reduction - Requirements
  Specification

33
SNAP ProjectOrganization Picture
SNAP Project
NRC-IIT
Background Research
SNAP Technologies
Trusted HCI
Automated Workflow Analysis
Security Technologies For Privacy Protection
Private Data Discovery
Effective Knowledge Visualization Analysis
Privacy Technology User Group Requirements Focus
Requirements Gathering
SNAP Demo
Company
Product 4
Product 3
Product 2
Product 1
34
SNAP ProjectSome Results(Current Prototype)

• Private data,
• SIN, Credit Card number, Address, Email
• Find it anywhere
• Any action, any context, any file, any
  application
• Automated private data workflow discovery
• Locate what went wrong and when for automated
  compliance or forensics
• Determine normal and abnormal workflow
• Correct workflow, discover experts
• Compare flow/operations against policy
• Prevent inappropriate operations
• Automatically

35
(No Transcript)
36
Attempting to Open Documents with Private Data
37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
Summary

• Technologies for Compliance
• Brief Compliance Technology Company List
• Technology Gaps
• NRC-IITs SNAP Project

46
Questions?
?
Larry.Korba_at_nrc-cnrc.gc.ca http//www.iit-iti.nrc
-cnrc.gc.ca/
Humanity is acquiring all the right technology
for the wrong reasons. R. Buckminister Fuller
47
(No Transcript)