
Exploring the science and magic of Identity and Access Management

Ask not what your country can do for you. Ask what you can do for your country. — John F. Kennedy

Friday, October 31, 2014

$1,000 per Record?

Information Security, Privacy
Author: Mark Dixon
Tuesday, November 19, 2013
5:49 pm


Today, I read of three separate instances where class-action lawsuits have been filed on behalf of people whose personal information had been breached at a healthcare company. The largest lawsuit, filed against TRICARE, represents 4.9 million affected individuals and is seeking damages of $1,000 per record – a total of $4.9 BILLION. Wow!

This action or other similar lawsuits have yet to reach court or settlement. Depending on the outcomes, potential costs of litigation and resulting awards to victims may emerge as the single most powerful financial driver to implement good information security in the healthcare industry.

 

Video: Ann Cavoukian – Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Wednesday, November 6, 2013
4:17 pm


The following video features Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada, discussing the paper I co-authored with her, “Privacy and Security by Design: An Enterprise Architecture Approach.”

 

Protect Privacy to Build Trust in the Age of Context

Privacy
Author: Mark Dixon
Monday, November 4, 2013
4:04 pm


My recent post about the book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel, began to explore the benefits that might accrue from converging technologies of the “perfect storm” of mobile devices, social media, big data, sensors and location-based services. But what effect will this have on personal privacy?

Scoble and Israel provide these comments in the final chapter of the book, entitled “Trust is the New Currency”:

We have spoken to hundreds of people and looked at hundreds of technologies, and we firmly believe that adding context will make the world an easier, more efficient, cleaner and more productive place.

However, we’d be negligent if we didn’t point out that the price we pay for many of these benefits is our personal privacy. Every new piece of technology we adopt requires us to consider that price and how it will be exacted.

The book proposes the following principles that need to be wrestled with in this area. These are not the exact order or terminology used in the book, but my interpretation of what is needed.

  1. Transparency and candor. Service providers don’t attempt to cover up impacts to privacy made by choices consumers make.
  2. Freedom to choose. Consumers are always able to opt in and out at will – choosing what privacy they may be willing to sacrifice for other benefits.
  3. The right to know. Consumers can know what data service providers maintain, and what that data is used for.
  4. The right to go silent. Consumers retain the right to “go silent,” or opt out of any attempts to monitor or track that consumer.
  5. Data ownership. Personal data remains property of the consumer, even when the service provider is a steward of that data.
  6. Human override. Humans can always override automatic processes.

Do other principles apply? Probably. But figuring out the implication of this list will take some concerted effort.

Scoble and Israel propose that online service providers that get it right will gain advantage over those that don’t – that privacy will become a valuable asset, not just for consumers, but those who hope to deliver services to them.

This was echoed in a recent Huffington Post article:

Today there is a new business currency. It can’t be found at the local bank, or purchased for any price. The new commodity is trust. And while I speak of trust as a commodity it can’t be bought or sold. It has to be earned. … A shift is underway in how businesses and consumers interact, both online and in person, and the businesses that recognize the value of building trust and dare I say “wow” with each transaction will set themselves apart from the competition.

“Protect privacy to build trust” can and must become a powerful mantra for modern business.

 

 

 

Great Book – Age of Context: Mobile, Sensors, Data and the Future of Privacy

Identity, Privacy, Technology
Author: Mark Dixon
Tuesday, October 29, 2013
10:24 pm


This evening, I finished reading a fascinating book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel.

Scoble and Israel propose that we are in the midst of a perfect storm:

Our perfect storm is composed not of three forces, but five, and they are technological rather than meteorological: mobile devices, social media, big data, sensors and location-based services. … they’re already causing disruption and making waves. As discrete entities, each force is already part of your life. Together, they have created the conditions for an unstoppable perfect storm of epic proportion: the Age of Context.

I have long been fascinated with the concept of context. I first mentioned context as an important factor in Identity Management in July, 2005,  as I blogged about the Catalyst Conference.  During my years with Sun Microsystems, we often spoke about “context-aware, blended services” being delivered via mobile devices.  For example, in September, 2008, one of my blog posts entitled, “Sensor-triggered Personalized Services,” stated, in part:

Project Destination, an initiative I lead for Sun, is all about providing the infrastructure to deliver highly personalized, context-aware, blended services to online users across the “screens of your life.” When you couple sensor technologies with Identity, personalization and service orchestration techniques, you can get some powerful results.

It is great to see the progression and refinement of that concept.  I sense we are barely scratching the surface of possibilities in this arena.  Lot of fun ahead!

 

Privacy and Security by Design: Foundational Principles

Information Security, Privacy
Author: Mark Dixon
Thursday, September 26, 2013
1:08 pm


To prepare for my first meeting with Ann Cavoukian earlier this year, I drafted a brief table which proposed a set of principles for Security by Design that aligned with the well-known foundational principles for Privacy by Design. It seemed to me that this would provide a starting point for exploring how security both supported and benefited from Privacy by Design principles. I published that draft table on my blog back in March of this year.

After reviewing the draft table, Ann asked me to work with her on a paper to amplify this alignment concept.  The result was the paper, “Privacy and Security by Design: An Enterprise Architecture Approach” which was published earlier this week.

The table I originally drafted became the following table published in the final paper:

Privacysecuritytable

 

Video: Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Tuesday, September 24, 2013
3:45 am


In the following video, Dr. Ann Cavoukian describes the paper I was privileged to co-author with her.

More information and a download link are available here.

 

Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Monday, September 23, 2013
6:28 am


Today, we are pleased to announce publication of a paper entitled “Privacy and Security by Design: An Enterprise Architecture Approach,” which I co-authored with Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada.

In the foreword to the paper, Dr. Cavoukian wrote:

In an earlier paper with Oracle, we discussed the convergence of paradigms between the approach to privacy I have long championed called Privacy by Design, and a similar approach to security called ‘Security by Design.’ The current and future challenges to security and privacy oblige us to revisit this convergence and delve deeper. As privacy and security professionals, we must come together and develop a proactive approach to security – one that is indeed “by design.” To this end, I am delighted to be partnering with Mark Dixon, Enterprise Architect, Information Security, at Oracle Corporation, on this joint paper.

This paper has two key objectives:

  • Define a set of foundational “Security by Design” principles that are modelled upon and support the 7 foundational principles of Privacy by Design.
  • Illustrate an enterprise-level process for defining and governing the strategic journey of Security by Design through an enterprise architecture approach.

To achieve these objectives, the paper includes the following major sections:

  • Foundational Principles of Privacy by Design
  • Foundational Principles of Security by Design
  • The Enterprise Security Journey
  • Conclusion

The conclusion states:

“In this paper, we explored the strong synergy that exists between the related disciplines of privacy and security. While on the one hand, strong security is essential to meet the objectives of privacy, on the other hand, well-known privacy principles are valuable in guiding the implementation of security systems. On the basis of this synergy, we defined a set of foundational principles for Security by Design that are modeled upon and support the foundational principles of Privacy by Design. …

“On the basis of this new Security by Design approach, we then developed an enterprise-level process for defining, governing and realizing a ‘by design’ approach to security. In order to become a reality for enterprises, Security by Design requires strong leadership and continuous goal-setting. However, Enterprise Architecture is an ongoing journey, not a single project or disjointed set of loosely related projects. Our discussion found that if an EA framework is followed to define an EA security strategy in harmony with the holistic, interdisciplinary principles of Privacy by Design and Security by Design, and if a formal governance process is implemented to guide and govern the journey, then an enterprise can be proactive, rather than reactive, in addressing any security concerns.”

We hope this paper will assist enterprises to deliver stronger security and better privacy, for all of their stakeholders – a win/win proposition.

 

 

 

Privacy by Design Ambassador

Information Security, Privacy
Author: Mark Dixon
Monday, September 9, 2013
9:12 am


It was an honor today to be announced as a Privacy by Design Ambassador by the Information and Privacy Commissioner of Ontario, Canada:

Privacy by Design Ambassadors are an exclusive, but growing, group of privacy thought-leaders committed to ensuring the ongoing protection of personal information by following the Principles of PbD.  Ambassadors advance the case for embedding privacy protective measures in technology, processes and physical design. …

The Information and Privacy Commissioner of Ontario (IPC) is an independent officer of the Legislature whose mandate is to oversee compliance with public sector access and privacy legislation and health sector privacy legislation in the province of Ontario.

The IPC recognizes ambassadors based on their attestations that they apply the principles of Privacy by Design. The IPC does not endorse any company or product of any recognized ambassador.

It was humbling to be listed among others whom I admire and respect for their contributions to the industry we serve.

I have deeply appreciated the opportunity to work closely with Dr. Ann Cavoukian and her staff on a soon to be announced joint paper on principles of privacy and security.  I look forward to announcing and discussing this paper soon.

 

IoT: A Market Landscape

Identity, Information Security, Internet of Things, Privacy
Author: Mark Dixon
Friday, August 9, 2013
12:14 pm


Today I read an informative paper published by GigaOM Research entitled, “The Internet of Things: A Market Landscape.”  I find The Internet of Things to be the most interesting area of technology and business in my professional world today.  This paper did an excellent job of providing an overview of the IoT landscape and highlighting both opportunities and challenges.

A few things that I found intriguing:

IoT is not just new technology:

The internet of things is not a single technology trend. Rather, it is a way of thinking about how the physical world at large and the objects, devices, and structures within it are becoming increasingly interconnected.

The market is moving rapidly to mind-boggling scale:

  1. Some 31 billion internet-connected devices will exist by 2020, according to Intel.
  2. A family of four will move from having 10 connected devices in 2012 to 25 in 2017 to 50 in 2022.
  3. Mobile subscriptions will exceed the number of people in the world by early 2014.

Identity is first on the list of important characteristics:

For things to be manageable, they need to be identifiable either in terms of type or as a unique entity. … Identification by type or by instance is fundamental to the internet of things.

The power of IoT comes from connectivity, not just individual components:

The internet of things is an ultra-connected environment of capabilities and services, enabling interaction with and among physical objects and their virtual representations, based on supporting technologies such as sensors, controllers, or low-powered wireless as well as services available from the wider internet.

The biggest challenges?  Security, monitoring and surveillance:

Computer security, say the experts, boils down to protecting the confidentiality, integrity, and availability of both data and services. With the internet of things looking set to create all manner of data, from heart rate and baby monitors to building management systems, there is clearly going to be a great deal to protect. …

The internet of things enables the whole world to be monitored. …  the potential for the inappropriate use of such technologies — for example, to spy on partners or offspring — will grow. In the business context as well, the role of the internet of things offers a wealth of opportunity but also of abuse.

The bottom line?  The possibilities are vast, the challenges daunting, but IoT is happening.  It will be great to go along for the ride.

 

Core Identities and Personal Data Stores

Identity, Privacy
Author: Mark Dixon
Friday, May 3, 2013
12:23 pm


I just finished reading an intriguing white paper, “Towards a Trustworthy Digital Infrastructure for Core Identities and Personal Data Stores,” written by Thomas Hardjono, Dazza Greenwood, and Alex (Sandy) Pentland, all associated with MIT. I was particularly interested to see how much detail has been built around this concept of Core Identities since Dazza Greenwood and I discussed it several years ago, while I was employed by Sun Microsystems.

The paper proposes …

At the heart of digital identities is the concept of the core identity of an individual, which inalienably belongs to that individual. The core identity serves as the root from which emerge other forms of digital derived identities (called personas) that are practically useful and are legally enforced in digital transactions.

… and goes on to explore:

potential business models for Core Identity service providers and Persona providers (specializing in personalization, privacy and preferences services for a unified user experience across many sites and systems)

The paper then ties the concept of Core Identities and Personas to the MIT Open Personal Data Store (Open PDS) initiative:

The OpenPDS is an open-source Personal Data Store (PDS) enabling the user to collect, store, and give access to their data while protecting their privacy. Users can install and operate their own PDS, or alternatively users can operate an OpenPDS instance in a hosted environment.

We use the term “dynamic” here to denote the fact that the PDS does not only contain static data but also incorporates the ability to perform computations based on policy and is user-managed or user-driven. In a sense, the OpenPDS can be considered a small and portable Trusted Compute Unit belonging to an individual.

The paper concludes by emphasizing these four concepts:

  1. An infrastructure to support the establishment and use of core identities and personas is needed in order to provide equitable access to data and resources on the Internet.
  2. Personas are needed which are legally bound to core identifiers belonging to the individual. We see personas as a means to achieve individual privacy through the use of derived identifiers.
  3. The privacy preserving features of core identities and personas fully satisfy the data privacy requirements of Personal Data Stores as defined by the MIT OpenPDS project. The ability for an individual to own and control his or her personal data through deployment of a PDS represents a key requirement for the future of the digital commerce on Internet.
  4. We believe the MIT OpenPDS design allows for a new breed of providers to emerge who will support consumer privacy, while at the same time allow the consumer to optionally partake in various data mining and exploration schemes in a privacy-preserving manner.

This sounds like OpenPDS is very much in line with the Personal Cloud concept.  Perhaps the MIT work with Core Identities, Personas and Open Personal Data Systems will help shorten the time before we can take advantage of real, working Personal Clouds. 

 
 
 
 
 
Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.