Posted June 8th, 2009 Among the sessions in this year’s Computers, Freedom and Privacy conference was a panel on the recently released National review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:
- Product development
- System administration
- User behavior
But, to me, there was something missing from the list – product design.
Too often I have seen products whose user interface, in fact their entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and the product gets a face. It is easy to recognize products that have been built in this way, as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers who built the product in the first place. These types of products turn problems internal to the product into problems for the end-user, and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end-user is confronted with meaningless alarms, confusing error messages, and misleading feedback?
At CFP, I talked to Bruce Schneier about the research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad at evaluating risk. Optimism bias and other factors cause us to either over- or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made, and you realize the crucial need to build better user experiences for security (frankly, all) products. Continue reading "The role of design in protecting cyberspace: thoughts from CFP 2009"...
Posted May 15th, 2009 No organization wants to be the first to be fined because of a new regulation. Unfortunately, that’s exactly where Kaiser Permanente finds itself. After some high profile cases of unauthorized access to celebrities’ medical records, the California legislature adopted two new privacy laws (SB 541 and AB 211); these regulations were so swiftly enacted that they contained spelling errors. Both regulations went into effect on January 1 of this year. Five months later, Kaiser Permanente has become the first enterprise to be fined under this new regime.
Regulators have levied the maximum fine, $250,000, for the recent incident involving Nadya “Octomom” Suleman. (Kevin commented on this previously.) All in all, 23 individuals looked at Ms. Suleman’s records without authorization. Of these, 15 have either been fired or resigned. And although the state regulators have fined Kaiser, they have yet to penalize any of these 23 individuals – which they can do under state law.
As reported in the LA Times, Suleman’s lawyer said:
“I think Kaiser handled it professionally. They found out, they terminated the employees, they brought it to our attention. They certainly didn’t try to hide it.”
It’s important to note that even though Kaiser acted appropriately, laws like SB 541 are clear cut: unauthorized access to medical information = fine. Do not pass Go; do not collect $200.
As we’ve said before privacy risks are real. The fines are increasing. The number of regulations is increasing. Now more than ever is the time to register for this year’s Catalyst conference so you can attend our Privacy Risks Get Real track and learn how to reduce the chance your organization will become the next “first.” Continue reading "Privacy Risks Get Real – California Privacy Laws, Octomom, and Kaiser Permanente"...
Posted May 13th, 2009 Ian Yip’s take on access management versus entitlement management can be partially summed up with this equation:
Entitlement management is simply fine-grained authorisation + XACML
I have four problems with this.
First, definitions that include a protocol are worrisome as they can overly restrict the definition. For example, if I defined federation as authentication via SAML, people would quickly point out that authentication via WS-Fed was just as viable as a definition. So in terms of an industry conversation, we need to make sure that our terms are not too narrow.
Second, I fear that this definition is a reflection of products in the market today and not a statement on what “entitlement management” is meant to do. Yes, most of today’s products can use XACML. Yes, they facilitate authorization decisions based on a wider context. But who’s to say that these products, and the market as a whole, have reached their final state? Along these lines, I wonder if externalized authorization stores are a required part of an “entitlement management” solution?
Third, there is something missing from the definition – the policy enforcement point. A fine-grained authorization engine provides a policy decision point, but that still leaves the need for an enforcement point. This holds true whether an application has externalized its authorization decisions or not. Continue reading "Nailing Down the Definition of “Entitlement Management”"...
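The decision-point/enforcement-point split above is easiest to see in code. The following is an added illustration, not code from Ian Yip’s post or from any Burton Group product: a toy attribute-based policy decision point (PDP) with deny-overrides combining, and a separate policy enforcement point (PEP) that wraps a constructed medical-records store. All rule names, attributes and patient records are constructed for the example. The point it shows is the one made in the text: the PDP only answers questions, so a data-access path that never goes through the PEP is not protected by any policy at all, and the PEP is also where every decision gets logged so unauthorized attempts are visible.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample data: a tiny medical-records store keyed by patient id.
RECORDS: Dict[str, Dict[str, str]] = {
    "patient-1": {"owner_dept": "cardiology", "note": "routine follow-up"},
    "patient-2": {"owner_dept": "oncology", "flagged": "vip", "note": "lab results pending"},
}


@dataclass(frozen=True)
class Request:
    """Everything the PDP may look at: who, what, on which resource, in what context."""
    subject: Dict[str, str]
    action: str
    resource: Dict[str, str]
    context: Dict[str, str] = field(default_factory=dict)


# A rule is (name, target predicate, effect). Predicates see the whole request,
# so a decision can combine subject, resource and context attributes.
Rule = Tuple[str, Callable[[Request], bool], str]

RULES: List[Rule] = [
    ("treating-clinician-may-read",
     lambda r: r.action == "read" and r.subject.get("role") == "clinician"
     and r.subject.get("dept") == r.resource.get("owner_dept"),
     "Permit"),
    ("break-glass-with-ticket",  # hypothetical emergency-access rule
     lambda r: r.action == "read" and r.context.get("break_glass_ticket") is not None,
     "Permit"),
    ("no-access-to-flagged-records",
     lambda r: r.resource.get("flagged") == "vip" and r.subject.get("role") != "privacy-officer",
     "Deny"),
]


class PolicyDecisionPoint:
    """Answers 'may this request proceed?' using deny-overrides combining.
    It never touches the records; it only produces a decision."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, req: Request) -> Tuple[str, List[str]]:
        effects: List[str] = []
        matched: List[str] = []
        for name, target, effect in self.rules:
            if target(req):
                matched.append(name)
                effects.append(effect)
        if "Deny" in effects:
            return "Deny", matched
        if "Permit" in effects:
            return "Permit", matched
        return "NotApplicable", matched


class PolicyEnforcementPoint:
    """Sits in front of the resource: asks the PDP, records the decision, and
    only then performs the operation. Anything other than Permit is refused."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit: List[Dict[str, object]] = []

    def enforce(self, req: Request, operation: Callable[[], str]) -> str:
        decision, matched = self.pdp.decide(req)
        self.audit.append({
            "user": req.subject.get("id"), "action": req.action,
            "patient": req.resource.get("id"), "decision": decision, "rules": matched,
        })
        if decision != "Permit":
            raise PermissionError(f"{decision}: {req.action} on {req.resource.get('id')}")
        return operation()


def read_record_unguarded(patient_id: str) -> str:
    """Raw data access. Reachable without any decision being made: this is the
    gap that a decision point alone leaves open."""
    return RECORDS[patient_id]["note"]


def make_request(subject: Dict[str, str], patient_id: str,
                 action: str = "read", context: Dict[str, str] = None) -> Request:
    resource = dict(RECORDS[patient_id], id=patient_id)
    return Request(subject, action, resource, context or {})


def read_record_guarded(pep: PolicyEnforcementPoint, subject: Dict[str, str],
                        patient_id: str, context: Dict[str, str] = None) -> str:
    """The same read, but routed through the PEP so policy is actually enforced."""
    req = make_request(subject, patient_id, context=context)
    return pep.enforce(req, lambda: read_record_unguarded(patient_id))


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    cardio = {"id": "u1", "role": "clinician", "dept": "cardiology"}
    print(read_record_guarded(pep, cardio, "patient-1"))      # permitted
    try:
        read_record_guarded(pep, cardio, "patient-2")         # wrong dept + flagged
    except PermissionError as exc:
        print("refused:", exc)
    print(read_record_unguarded("patient-2"))                 # no PEP, no policy
    for entry in pep.audit:
        print(entry)
```

Note what the oncology clinician case shows: the PDP matches both a Permit rule and a Deny rule, and deny-overrides resolves the conflict. That resolution is useful only if the PEP is in the path; the last call in the main block returns the flagged record with no decision made and no audit entry, which is exactly why an enforcement point belongs in the definition.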
Posted May 11th, 2009 There are plenty of reasons to come to Catalyst. Engaging workshops, great sessions, interesting speakers, the chance to see the entire Identity and Privacy Strategies team on stage with bags on their heads - you know, the kinds of things you’d expect. For those of you with a Certified Information Privacy Professional (CIPP) certification, this year we’ve a little something extra for you – continuing education credits. By attending IdPS’ Privacy Risks Get Real track, you’ll earn 3.5 hours of continuing privacy education (CPE) credit. Attend SRMS’ Risk Management: Programs You Can’t Afford to Cut and receive another 3.5 hours of credit.
And here’s a second bonus: we are making it easier than ever for you privacy professionals out there who haven’t attended a Catalyst before to attend this year. By registering with promo code IAPP, you’ll be able to attend the conference at $300 off the Early Bird rate. See you in July!
(Cross-posted from Burton Group’s Identity blog.)
Posted April 6th, 2009 Over the last 6 or so months, Bob Blakley and I have been doing a lot of listening and thinking about privacy. To successfully re-launch our privacy coverage, we needed to lay a wide foundation that would serve to support future research. We needed to provide a meaningful starting point for our customers. Since our customers’ jobs are not typically focused on privacy, we needed to start with a form of first principles and build outward.
I’ve learned that it is generally frowned upon to use the second person in our reports – too informal, I am told. Use the blog if you want to address the audience directly. Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge. We had to work hard to write without using “you.” And why was that? Privacy discussions are and must be inclusive. They involve each of us on a far more personal level than a discussion of, say, account lifecycle management. Cognizant of privacy implications or not, the decisions you make on a daily basis affect the privacy of your customers and partners.
Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone. You. Me. Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leading to practices and behaviors: Continue reading "The beginning of the beginning: our privacy report publishes"...