Privacy Compliance: Technology - Gaps, Challenges

Larry KorbaNational Research Council of Canada

Larry.Korba@nrc-cnrc.gc.ca

CACR Privacy and Security, Nov. 1-2, 2006Toronto

Outline• About NRC/IIT/IS• What is the problem?

–Backdrop

• Technologies for Compliance:–Types, Snapshot

• Compliance Gaps–Technologies, Other Challenges

• NRC’s Approach–Project Structure, Early Results

• Summary

Caveats…

• My Opinions– No Endorsements by NRC

• Technology Focus, But… Compliance Needs More Than Technology!

• Ask Questions Any Time…

NRC & NRC-IIT

• NRC– $850M, in every province, 20 institutes– Scientific Research one of its Seven Mandates– Goal:

• NRC-IIT– $20M, 4 Cities: Ottawa, Gatineau, Fredericton, Moncton– 9 Groups– http://www.iit-iti.nrc-cnrc.gc.ca

• NRC-IIT-IS– Security and Privacy Research and Development

Increase Competitiveness through Research that gets Exploited

Security and Privacy without Complexity

What is the Problem?

• From the News:– “Feds Often Clueless After Data Losses” – Oct. 18, 2006

– “Business brass ill-prepared for disasters” – Sept. 26, 2006

– “AOL is Sued Over Privacy Search Breach” – Sept. 26, 2006

– “Police warned to improve database security” – Aug. 23, 2006

– “Data Loss is a Major Problem” – Aug. 18, 2006

– “Three-Fifths of Companies Suffer Severe Data Loss” – Aug. 17, 2006

– “2nd VA Data Loss Prompts Resignation” – Aug. 8, 2006

– “Patient Data stolen from Kaiser” – Aug. 8, 2006

– “Sentry Insurance Says Customer Data Stolen” – July 29, 2006

– “Stitching Up Healthcare Records: Privacy Compliance Lags” – April 16, 2006

What is the Problem?Data Explosion

• The Roots of the Problem

ClientsOrganizationOrganization

Data +

Computers Everywhere

+

Expanding Services

+

Marketing,Competition

+

Cheap Storage +

Legislation

-

Regulations/Policies

-Risk Management

-

Technologies for Compliance: The Promise

“Technology makes the world a new place.”

- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).

“Technology makes the world a new place.”

- Shoshana Zuboff, U.S. social scientist. In the Age of the Smart Machine, Conclusion (1988).

Technologies forCompliance: Market Drivers

• Compliance– Huge market ($10+ Billion)– Healthy Growth Rate (20% - 50% per year)– Compliance areas:

• Payment Cards, Privacy, Financial Information, Security, Privacy…

– Sectors: Diverse• Government• Healthcare• Tourism/Hospitality• Services, Financial• Manufacturing• Transportation• Military• Others

Technologies for Compliance:Market Drivers

• Bandwagon Effect…– Firewall, Intrusion Prevention, Network Management,

Security/Privacy Policy Management– Consultants

• New Technologies…– To Deal with Different Needs

• Sarbanes-Oxley• Privacy• Intellectual Property Management

– And Emerging Needs• Data Purity

Technologies for Compliance:Backdrop: Key Types

• Compliance– Consulting Services– Internet Service– Appliance– Database– Application

• Focus– Enterprise Systems– Enforcement

• Not Policy: Creation/Distribution/Management – Two Types

• Network-Based• Agent Based• And Combinations of the Above

Technologies for Compliance:Types: Network-Based

• Monitor Network Traffic• Dissect packets

– Determine type of traffic, or data mine content• Flag/Prevent activities denied based upon policy

– Encrypted Traffic

A B C

NTM

Network Packet CaptureUnderstand TrafficMine ContentPolicy InterpretationLog or Prevent Inappropriate Activities

Packet CaptureUnderstand TrafficMine ContentPolicy InterpretationLog or Prevent Inappropriate Activities

Technologies for Compliance:Types: Agent-Based

• Installs on Servers, Desktops, Laptops• “Direct” access to activities• Management Console to Coordinate Actions

A B C

NetworkMine Data “at Rest”Mine Computer ActivityPolicy InterpretationLog or Prevent Inappropriate Activities

Mine Data “at Rest”Mine Computer ActivityPolicy InterpretationLog or Prevent Inappropriate Activities

Console

Technologies for Compliance:Types: Combination

• Best of Both Worlds!

A B C

Network

Console

NTM

Technologies for Compliance

“Technology is a servant who makes so much noise cleaning up in the next room that his

master cannot make music. ”

- Karl Kraus (1874–1936)

“Technology is a servant who makes so much noise cleaning up in the next room that his

master cannot make music. ”

- Karl Kraus (1874–1936)

Technologies for Compliance:Implementation Issues

• Dealing with:– Interactions Between Different Laws/Regulations– Structured or Unstructured Data– Data Server Environments– Content Management

• Automation of Policy Controls– Proactive Enforcement– Or Testing/Scanning

• Flexibility of Forensic Tools• Risk Management Tools• Interactions between Compliance & Existing Systems

– Identity, Document, Project Management, etc.– Network Security, Antivirus, Databases…

Technologies for ComplianceChallenges

“Technology is dominated by two types of people: those who understand what they do not manage,

and those who manage what they do not understand. ”

- Putt's Law

“Technology is dominated by two types of people: those who understand what they do not manage,

and those who manage what they do not understand. ”

- Putt's Law

Technologies for Compliance:Underlying Challenges

• Despite the hype… – There is no Instant, Universal, Ever- Adaptable Solution for Automated Compliance

• You cannot rely on technologies alone• Resources will be required

– Purchasing, – Maintenance, – Related SW & HW, – Staff, – Consultants

• As well, there are technology gaps

Technologies for Compliance:Implications & Challenges

• Monitoring Employee/Guest Computer and Network Activity– There may be little privacy

• Little expectation of privacy

– There may be a great deal of data exposure • How well does the compliance technology protect?

– Balancing Legal Obligation with Employer/Employee Trust Relationship

Technologies for Compliance:Some Examples

• Just a sampling of offerings• Market is changing monthly

Technologies for Compliance:Some Examples

• ACM: www.acl.com– SOX, agent-based

• Googgun: www.googgun.com– privacy “compliance” server

• Ilumin: www.ilumin.com – Assentor

• Vontu: www.vontu.com– Discover, Protect, Monitor, Prevent

Technologies for Compliance:Some Examples

• Verdasys: www.verdasys.com– Digital Guardian

• Oakley Networks: www.oakleynetworks.com– Sureview, Coreview

• Axentis: www.axentis.com– Internet service for SOX compliance

• IBM Workplace for Bus. Controls: www.ibm.com

Technologies for Compliance:Some Examples

• Qumas: www.qumas.com– DocCompliance, ProcessCompliance, Portal

• Stellent: www.stellent.com– Enterprise Content Management

• Reconnex: www.reconnex.com– iGuard 3300

• Tablus: www.tablus.com– Content Alarm NW

Technologies for Compliance:Some Examples

• Intrusion: www.intrusion.com– Compliance Commander

• Vericept: www.vericept.com– Enterprise Risk Management Platform

Technologies for Compliance:Some Examples

• Privasoft: www.privasoft.com– AccessPro (Information Access Privacy)

• Enara Technologies: www.enarainc.com– Saperion + Enara Technologies

• Autonomy: www.autonomy.com– Aungate Division– Data mining for email and voice compliance

• And more…

Technologies for ComplianceChallenges

“Having intelligence is not as important as knowing when to use it,

just as having a hoe is not as important as knowing when to plant. ”

- Chinese Proverb

“Having intelligence is not as important as knowing when to use it,

just as having a hoe is not as important as knowing when to plant. ”

- Chinese Proverb

Technologies for Compliance:Technology Gaps

• Visualization Techniques– Minimize Operator Errors– Learn from Operators

• Accountability and Privacy– Audits, Retention, Access Restriction, Data Life, Rule Sets

• Data Mining and Machine Learning– Better Algorithms: Speed, Accuracy, Privacy

• Semantic Analysis, Link Analysis

– Context: Operator, Similar Operators

• Privacy Aspects– Privacy-Aware Data Mining– Limit Collection: Reduce Overhead and “Big Brother Effect”… Intelligence

• Better Workflow Integration– Reflect/Understand what “really happens” in an organization– Forensic Tools

• Security Built-In– Protect Data Discovery and Discovered Data– Privacy-Aware Security Protocols

Technologies for Compliance:NRC’s Approach

• Technology Approach:– Inappropriate Insider Activity Discovery/Prevention

+– Privacy Technology

+– Distributed text/data mining

=– Comprehensive Privacy Compliance Technology– Could be applied for other compliance requirements

• Social Networking Applied to Privacy: SNAP

• Strategic project for NRC’s Institute for Information Technology

SNAP Project:Technologies

• Trusted Human Computer Interaction– Simple, Effective Control of Complex Systems

• Automated Work Flow Discovery– Project Management, Organizational Work Flow

• Security Protocols for Privacy Protection– Scalable, effective, efficient exchanges

• Secure Distributed Computing– Authentication, Authorization, Access Control

• Data/Knowledge Visualization– Effective Security/Privacy posture Display

• Privacy-Enabled Data Mining– Protect data while assuring compliance

SNAP Project:Goals

• Create technology that:– Discovers important data within a

corporation• Wherever it may be

– Discovers and visualizes how people work with the data

– Fills the Technology Gaps

• Exploit Results– Widely

Core TechnologyApplication Areas:- Business- Public Safety- Healthcare- Government- Military

Core TechnologyApplication Areas:- Business- Public Safety- Healthcare- Government- Military

SNAP Project: NRC’s Approach

• User-Centered Research, Development, Design– Identify User, Context, and Needs

– Business, Functional, Data and Usability Requirements

– Early Testing

• Privacy Technology User Group– First Users

• Exploitation Interests

Exploitation

User Group

NRC

SNAP

SNAP Project:Privacy Technology User Group

• Goal:– Identify Essential Product– Determine User– Detect Expectations– Define Use Context

• Four Parts– Business Requirements– Functional Requirements– Data Requirements– Usability Requirements

SNAP Project:Privacy Technology User Group

• Analysis– Document– Stakeholder Interviews– Stakeholder Workshops– Observations in Context– Scenarios and Use Cases– Focus Groups with End Users

• Demonstrations, simulation and prototypes

• Targets:– Shared understanding - End User Involvement– Project Scope/Risk Reduction - Requirements Specification

Fully Understand Problem

Product 4Product 3

SNAP Project

SNAPTechnologies

SNAP Project:Organization Picture

Trusted HCI

Automated WorkflowAnalysis

SecurityTechnologiesFor PrivacyProtection

Private DataDiscovery

EffectiveKnowledge

Visualization& Analysis

SNAPDemo

Product 1 Product 2

Privacy Technology User GroupRequirements Focus

NRC-IIT

Company

Background Research

RequirementsGathering

Org. 1-Org. 6

SNAP Project:Some Results(Current Prototype)

• Private data, – SIN, Credit Card number, Address, Email

• Find it anywhere– Any action, any context, any file, any application

• Automated private data workflow discovery– Locate what went wrong and when for automated compliance or

forensics

• Determine normal and abnormal workflow– Correct workflow, discover experts

• Compare flow/operations against policy• Prevent inappropriate operations

– Automatically

Attempting to Open Documents with Private Data

Summary

• Technologies for Compliance

• Brief Compliance Technology Company List

• Technology Gaps

• NRC-IIT’s SNAP Project

Questions?

?Larry.Korba@nrc-cnrc.gc.ca

http://www.iit-iti.nrc-cnrc.gc.ca/

Larry.Korba@nrc-cnrc.gc.ca

http://www.iit-iti.nrc-cnrc.gc.ca/

“Humanity is acquiring all the right technology for the wrong reasons.”— R. Buckminister Fuller

“Humanity is acquiring all the right technology for the wrong reasons.”— R. Buckminister Fuller