[Log In] []

Exploring the science and magic of Identity and Access Management
Wednesday, August 23, 2017

Oracle White Paper: Helping Address GDPR Compliance

Information Security, Oracle, Privacy
Author: Mark Dixon
Thursday, July 27, 2017
12:00 pm

GDPR

May 25, 2018 is bearing down on us like a proverbial freight train. That is the date when the European Union General Data Protection Regulation (GDPR) becomes binding law on all companies who store or use personal information related to EU citizens. (Check out the count down clock on the GDPR website).

Last week, Oracle published a new white paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Leveraging our experience built over the years and our technological capabilities, Oracle is committed to help customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR.

GDPR is primarily focused on protecting fundamental privacy rights for individuals. By necessity, protection of personal information requires good data security. As stated in the white paper, 

The protection of the individuals whose personal data is being collected and processed is a fundamental right that necessarily incorporates IT security.

In modern society, IT systems are ubiquitous and GDPR requirements call for good IT security. In particular, to protect and secure personal data it is, among other things, necessary to:

  • Know where the data resides (data inventory)
  • Understand risk exposure (risk awareness)
  • Review and, where necessary, modify existing applications (application modification)
  • Integrate security into IT architecture (architecture integration)

Oracle proposes the following framework to 

… help address GDPR requirements that impact data inventory, risk awareness, application modification, and architecture integration. The following diagram provides a high-level representation of Oracle’s security solutions framework, which includes a wide range of products and cloud services.

OracleGDPR SecuritySolutions july17

 

The paper primarily focuses on the “Enforcement” portion of this model, postposing that:

… four security requirements are a part of many global regulatory requirements and well-known security best practices (i.e. ISO 27000 family of standards, NIST 800-53, PCI-DSS 3.2, OWASP and CIS Controls).

Enforcement

In conclusion, the paper states:

The path towards GDPR compliance includes a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the 25 May, 2018 deadline.

Based on our experience and technological capabilities, Oracle is committed to help customers with a strategy designed to achieve GDPR security compliance.

 

May 25, 2018 is less than ten short months away.  We all have a lot of work to do.

 

 

 

Comments Off on Oracle White Paper: Helping Address GDPR Compliance . Permalink . Trackback URL
WordPress Tags: , , ,
 

$1,000 per Record?

Information Security, Privacy
Author: Mark Dixon
Tuesday, November 19, 2013
5:49 pm

One Thousand Dollars

Today, I read of at three separate instances where class-action lawsuits have been filed on behalf of people whose personal information had been breached at a healthcare company.  The largest lawsuit, filed against TRICARE, represents 4.9 million affected individuals and is seeking damages of $1,000 per record – a total of $4.9 BILLION. Wow!

This action or other similar lawsuits have yet to be reach court or settlement. Depending on the outcomes, potential costs of litigation and resulting awards to victims may emerge as the single most powerful financial driver to implement good information security in the healthcare industry. 

Comments Off on $1,000 per Record? . Permalink . Trackback URL
WordPress Tags: ,
 

Video: Ann Cavoukian – Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Wednesday, November 6, 2013
4:17 pm

The following video features Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada, discussing the paper I co-authored with her, “Privacy and Security by Design: An Enterprise Architecture Approach.”

Comments Off on Video: Ann Cavoukian – Privacy and Security by Design: An Enterprise Architecture Approach . Permalink . Trackback URL
WordPress Tags: ,
 

Protect Privacy to Build Trust in the Age of Context

Privacy
Author: Mark Dixon
Monday, November 4, 2013
4:04 pm

Wetrust

My recent post about the book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel, began to explore the benefits that might accrue from converging technologies of the “perfect storm” of mobile devices, social media, big data, sensors and location-based services. But what effect will this have on personal privacy?

Scoble and Israel provide these comments in the final chapter of the book, entitled “Trust is the New Currency”:

We have spoken to hundreds of people and looked at hundreds of technologies, and we firmly believe that adding context will make the world an easier, more efficient, cleaner and more productive place.

However, we’d be negligent if we didn’t point out that the price we pay for many of these benefits is our personal privacy. Every new piece of technology we adopt requires us to consider that price and how it will be exacted.

The book proposes the follow principles that need to be wrestled with in this area.  These are not the exact order or terminology used in the book, but my interpretation of what is needed.

  1. Transparency and candor.  Service providers don’t attempt to cover up impacts to privacy made by choices consumers make.
  2. Freedom to choose.  Consumers are always able to opt in and out at will – choosing what privacy they may be willing to sacrifice for other benefits.
  3. The right to know.  Consumers can know what data services providers maintain, and what that data is used for.
  4. The right to go silent.  Consumers retain the right to “go silent,” or opt out of any attempts to monitor or track that consumer.
  5. Data ownership.  Personal data remains property of the consumer, event when the service provider is a steward of that data.
  6. Human override.  Humans can always over ride automatic processes.
Do other principles apply?  Probably.  But figuring out the implication of this list will take some concerted effort.

Scoble and Israel propose that online service providers that get it right will gain advantage over those that don’t – that privacy will become a valuable asset, not just for consumers, but those who hope to deliver services to them.

This was echoed in a recent Huffington Post article:

Today there is a new business currency. It can’t be found at the local bank, or purchased for any price. The new commodity is trust. And while I speak of trust as a commodity it can’t be bough or sold. It has to be earned. … A shift is underway in how businesses and consumers interact, both online and in person, and the businesses that recognize the value of building trust and dare I say “wow” with each transaction will set themselves apart from the competition.

“Protect privacy to build trust” can and must become a powerful mantra for modern business.

 

 

Comments Off on Protect Privacy to Build Trust in the Age of Context . Permalink . Trackback URL
WordPress Tags: , ,
 

Great Book – Age of Context: Mobile, Sensors, Data and the Future of Privacy

Identity, Privacy, Technology
Author: Mark Dixon
Tuesday, October 29, 2013
10:24 pm

Ageofcontext

This evening, I finished reading a fascinating book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel.

Scoble and Israel propose that we are in the midst of a perfect storm:

Our perfect storm is composed not of three forces, but five, and they are technological rather than meteorological: mobile devices, social media, big data, sensors and location-based services. … they’re already causing disruption and making waves. As discrete entities, each force is already part of your life. Together, they have created the conditions for an unstoppable perfect storm of epic proportion: the Age of Context.

I have long been fascinated with the concept of context. I first mentioned context as an important factor in Identity Management in July, 2005,  as I blogged about the Catalyst Conference.  During my years with Sun Microsystems, we often spoke about “context-aware, blended services” being delivered via mobile devices.  For example, in September, 2008, one of my blog posts entitled, “Sensor-triggered Personalized Services,” stated, in part:

Project Destination, an initiative I lead for Sun, is all about providing the infrastructure to deliver highly personalized, context-aware, blended services to online users across the “screens of your life.” When you couple sensor technologies with Identity, personalization and service orchestration techniques, you can get some powerful results.

It is great to see the progression and refinement of that concept.  I sense we are barely scratching the surface of possibilities in this arena.  Lot of fun ahead!

Comments Off on Great Book – Age of Context: Mobile, Sensors, Data and the Future of Privacy . Permalink . Trackback URL
WordPress Tags: , ,
 

Privacy and Security by Design: Foundational Principles

Information Security, Privacy
Author: Mark Dixon
Thursday, September 26, 2013
1:08 pm

To prepare for my first meeting with Ann Cavoukian earlier this year, I drafted a brief table which proposed a set of principles for Security by Design that aligned with the well-know foundational principles for Privacy by Design. It seemed to me that this would provide a starting point for exploring how security both supported and benefited from Privacy by Design principles.  I published that draft table on my blog back in March of this year.

After reviewing the draft table, Ann asked me to work with her on a paper to amplify this alignment concept.  The result was the paper, “Privacy and Security by Design: An Enterprise Architecture Approach” which was published earlier this week.

The table I originally drafted became the following table published in the final paper:

Privacysecuritytable

Comments Off on Privacy and Security by Design: Foundational Principles . Permalink . Trackback URL
WordPress Tags: ,
 

Video: Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Tuesday, September 24, 2013
3:45 am

In the following video, Dr. Ann Cavoukian describes the paper I was privileged to co-author with her.

More information and a download link is available here.

Comments Off on Video: Privacy and Security by Design: An Enterprise Architecture Approach . Permalink . Trackback URL
 

Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Monday, September 23, 2013
6:28 am

PDBToday, we are pleased to announce publication of a paper entitled “Privacy and Security by Design: An Enterprise Architecture Approach,” which I co-authored with Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada.

In the foreword to the paper, Dr. Cavoukian wrote:

In an earlier paper with Oracle, we discussed the convergence of paradigms between the approach to privacy I have long championed called Privacy by Design, and a similar approach to security called ‘Security by Design.’ The current and future challenges to security and privacy oblige us to revisit this convergence and delve deeper. As privacy and security professionals, we must come together and develop a proactive approach to security – one that is indeed “by design.” To this end, I am delighted to be partnering with Mark Dixon, Enterprise Architect, Information Security, at Oracle Corporation, on this joint paper.

This paper has two key objectives:

  • Define a set of foundational “Security by Design” principles that are modelled upon and support the 7 foundational principles of Privacy by Design.
  • Illustrate an enterprise-level process for defining and governing the strategic journey of Security by Design through an enterprise architecture approach.

To achieve these objectives, the paper includes the following major sections:

  • Foundational Principles of Privacy by Design
  • Foundational Principles of Security by Design
  • The Enterprise Security Journey
  • Conclusion

The conclusion states:

“In this paper, we explored the strong synergy that exists between the related disciplines of privacy and security. While on the one hand, strong security is essential to meet the objectives of privacy, on the other hand, well-known privacy principles are valuable in guiding the implementation of security systems. On the basis of this synergy, we defined a set of foundational principles for Security by Design that are modeled upon and support the foundational principles of Privacy by Design. …

“On the basis of this new Security by Design approach, we then developed an enterprise-level process for defining, governing and realizing a ‘by design’ approach to security. In order to become a reality for enterprises, Security by Design requires strong leadership and continuous goal-setting. However, Enterprise Architecture is an ongoing journey, not a single project or disjointed set of loosely related projects. Our discussion found that if an EA framework is followed to define an EA security strategy in harmony with the holistic, interdisciplinary principles of Privacy by Design and Security by Design, and if a formal governance process is implemented to guide and govern the journey, then an enterprise can be proactive, rather than reactive, in addressing any security concerns.

We hope this paper will assist enterprises to deliver stronger security and better privacy, for all of their stakeholders – a win/win proposition.

 

 

Comments Off on Privacy and Security by Design: An Enterprise Architecture Approach . Permalink . Trackback URL
 

Privacy by Design Ambassador

Information Security, Privacy
Author: Mark Dixon
Monday, September 9, 2013
9:12 am

Coe pbd

It was an honor today to be announced as a Privacy by Design Ambassador by the Information and Privacy Commissioner of Ontario, Canada:

Privacy by Design Ambassadors are an exclusive, but growing, group of privacy thought-leaders committed to ensuring the ongoing protection of personal information by following the Principles of PbD.  Ambassadors advance the case for embedding privacy protective measures in technology, processes and physical design. …

The Information and Privacy Commissioner of Ontario (IPC) is an independent officer of the Legislature whose mandate is to oversee compliance with public sector access and privacy legislation and health sector privacy legislation in the province of Ontario.

The IPC recognizes ambassadors based on their attestations that they apply the principles of Privacy by Design. The IPC does not endorse any company or product of any recognized ambassador.

It was humbling to be listed among others whom I admire and respect for their contributions to the industry we serve.

I have deeply appreciated the opportunity to work closely with Dr. Ann Cavoukian and her staff on a soon to be announced joint paper on principles of privacy and security.  I look forward to announcing and discussing this paper soon.

Comments Off on Privacy by Design Ambassador . Permalink . Trackback URL
WordPress Tags: ,
 

Gigabytes of Personal Data

Identity, Privacy
Author: Mark Dixon
Wednesday, May 1, 2013
8:19 pm

Now, in honor of my post about Personal Clouds – the philosophy of Frank & Ernest:

Frankandernest 130501

Comments Off on Gigabytes of Personal Data . Permalink . Trackback URL
 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.