Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection John T. Sabo Director, Global Government Relations CA, Inc. Member, OASIS IDtrust Member - PowerPoint PPT Presentation

Loading...

PPT – Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection John T. Sabo Director, Global Government Relations CA, Inc. Member, OASIS IDtrust Member PowerPoint presentation | free to download - id: 220eda-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection John T. Sabo Director, Global Government Relations CA, Inc. Member, OASIS IDtrust Member

Description:

Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection ... Involves sensitive information ... – PowerPoint PPT presentation

Number of Views:498
Avg rating:3.0/5.0

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection John T. Sabo Director, Global Government Relations CA, Inc. Member, OASIS IDtrust Member


1
Challenges for Identity Management and Trust
in Data Privacy andGovernment-Private Sector
Information Sharing Systems for Critical
Infrastructure ProtectionJohn T.
SaboDirector, Global Government RelationsCA,
Inc.Member, OASIS IDtrust Member Section
Steering CommitteePresident, Information
Technology-Information Sharing and Analysis Center
www.oasis-open.org
2
The Emerging Challenge
  • Identity management challenges emerging from two
    distinct, but converging areas
  • the networked sharing of sensitive information
    for critical infrastructure protection
  • Information (or data) privacy

3
Information Sharing Mandate from Government
  • The objective of the information sharing life
    cycle is to provide timely and relevant
    information that security partners can use to
    make decisions and take necessary actions to
    manage critical infrastructure risks.
  • (The U.S. National Infrastructure Protection
    Plan (NIPP) NIPP, pages 59-60)

4
Cross-sector Information Sharing Environment

Securities.
WALL ST.
Transportation
Wall Street/The City
Banks/Finance
5
What is Information Sharing?
  • Information - what
  • descriptions and definitions of information
    sharing products
  • Sharing Entities - who
  • entities and individuals who comprise the
    information sharing infrastructure and their
    responsibilities
  • Sharing Mechanisms - how
  • the business processes and technical
    communications mechanisms used by information
    sharing entities
  • Originator Control
  • operational information sharing policies and
    rules for cross- sector and sector-government
    sharing
  • Vetting and Trust
  • security and privacy policies, standards and
    controls needed to establish and maintain a
    trusted information sharing environment

6
The Information Sharing community
7
Information Sharing for Critical Infrastructure
Protection
  • Involves many partners
  • Involves sensitive information
  • Crosses company, organization, sector and
    geo-political boundaries
  • Requires agreements about who, what, how, and
    attention to data protection components
  • Must add value to participants
  • Must be resilient
  • Must be available
  • Must be secure
  • Must be trusted

8
Problems and Issues Growing
  • Data privacy tensions exist in the use of
    personally identifiable information and sensitive
    business information for national security
    purposes
  • Use in cross-domain programs and applications
  • Crossing government and business boundaries
  • Assurances of basic information privacy and
    business confidentiality principles
  • Concerns over access and use of sensitive
    information
  • The implementation of information sharing systems
    is exposing threats to privacy
  • Data protection Commissioners
  • Advocacy organizations

9
Relationship to Personal Information
www.oasis-open.org
  • Society is increasingly driven by and dependent
    on personal information
  • personal information is continuously collected,
    processed, used, and shared
  • Information about finances, health,
    communications, behaviors and transportation --
    increasingly integrated into virtual databases of
    varying data quality
  • Governments express interest in such information
    for national security purposes
  • The use of this data for government purposes
    increases concerns as the potential for harm to
    the individual increases
  • For example - deny access to flight or entry to a
    country based on multiple information sources

10
Examples of Personal Information
  • Financial
  • Consumers leave a trail every time they use
    credit and debit cards for purchases
  • Communications Services
  • The increase in the use communications
    technology has created a vast amount of
    telecommunications traffic. Each call is logged,
    tracked, billed and stored, creating an
    unparalleled data set.
  • Location Data
  • Telecommunications can yield even more
    information the individuals location.
  • Transactions
  • Information and services purchased are recorded
    and mapped to individuals, creating an electronic
    web of money, communications, locations, and
    goods and services.
  • Interagency Exchanges
  • Government agencies may acquire commercial data
    through a variety of processes, including their
    authority for taxing, licensing, or monitoring.

11
Example the U.S. National Homeland Security
Network
12
Complex and Imprecise Privacy Laws, Directives,
Policies
  • US Privacy Act of 1974
  • The OECD Guidelines Principles
  • UN Guidelines Concerning Personalized Computer
    Files
  • EU Directive 95/46/EC Information Privacy
    Principles
  • Canadian Standards Association Model Code
  • International Labour Organization (ILO) Code of
    Practice on the Protection of Workers Personal
    Data
  • US-EU Safe Harbor Privacy Principles
  • Ontario Privacy Diagnostic Tool
  • Australian Privacy Act National Privacy
    Principles
  • The AICPA/CICA Privacy Framework
  • Japan Personal Information Protection Act
  • APEC Privacy Framework
  • . . . .

13
Privacy Context Policies Are Trailing Technology
and Practices
Technology
Evolving nature and concepts of Privacy
Society
Regulation
National Security
Standards
Information Society
Industry
Digital Economy
Pervasive Networked Devices
Forces
14
Privacy Principles/Practices (many with clear
Identity Management linkages)
  • Accountability
  • Notice
  • Consent
  • Collection Limitation
  • Use Limitation
  • Disclosure
  • Access and Correction
  • Data Quality
  • Enforcement
  • Openness
  • Anonymity
  • Data Flow
  • Sensitivity
  • Security/Safeguards

Source www.istpa.org Making Privacy
Operational.
15
Relative State of Privacy and Security Standards
  • Privacy standards essentially at very early
    state
  • Issues of definitions and taxonomy
  • Focus on front-end data collection and Web
    (such as Platform for Privacy Preferences (P3P)
  • Today heavy focus on data minimization as a
    practice
  • Unclear policy and operational relationship
    between security and privacy
  • Privacy and security often conflated
  • data breach
  • Security much more developed
  • frameworks, standards ITU, ISO, OASIS, IETF,
    W3C, etc.)
  • mechanisms, products
  • ISTPA Privacy Framework potentially important
    www.istpa.org

16
Convergence of Information Sharing and Privacy
  • Business and personal information protection may
    require similar security controls
  • Despite different motivations
  • Separate policies and technologies
  • Not integrated, no common understandings
  • No single ownership or infrastructure
    architecture
  • Convergence being forced in information sharing
    systems
  • Data privacy concerns heightening awareness

17
Starting Point Identity and Trust Foundation
  • Trust is core component of operational
    information sharing and data privacy
  • Identity and access management foundation
    necessary
  • Need for interoperability across information
    sharing domains
  • federated or loosely-coupled, but trusted
  • Standards-based
  • Little attention to this in the information
    sharing community

18
What Can Be Done?
  • Work must begin now - the information sharing
    infrastructures being implemented have serious
    security and privacy vulnerabilities
  • Need to take an overview of identity and trust
    standards in the context of loosely-connected
    systems and infrastructures
  • What is relationship of OASIS and other standards
    to a solution SAML 2.0, Liberty, WS-Security,
    WS-Federation, XACML, others?
  • Is there a need for a new framework or meta
    standard?
  • Todays workshop speakers discuss potentially
    important work underway that might be usable for
    identity management issues emerging in
    information sharing and privacy systems
  • How can the OASIS IDtrust Member Section play a
    role EKMI, PKIA, DSS-X or other initiatives?

19
Questions? john.t.sabo_at_ca.com
About PowerShow.com