Last Thursday, I participated in the Privacy Tweet Chat led by @OracleIDM, featuring Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario Canada, tweeting as @embedprivacy.  The #PrivQA chat archive is available now on Storify.

I always enjoy these tweet chats, and invariably learn more than I contribute.  Perhaps the key insight I gained in this chat is summarized in this tweet that I posted later in the chat:

Privacy is freedom to decide how my data is used. Security is the mechanism to enable and protect that freedom of choice. #PrivQA

 

After reading the white paper, “Privacy and Security by Design, A Convergence of Paradigms,” this week, I pinged a couple of associates on Twitter to see what they thought about Privacy by Design.  Steve Wilson replied to the effect that “We need more than principles.  We need implementable requirements.”

When I met with  Ann Cavoukian yesterday, I asked her about that viewpoint.  She agreed that we need to step beyond principles to requirements to implementation.  She gave me a copy of a paper published last December by the PdB team, entitled, “ Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices.”  This paper doesn’t provide all the answers, but begins to explore how privacy is being implemented in 9 application area:

1. CCTV/Surveillance Cameras in Mass Transit Systems
2. Biometrics Used in Casinos and Gaming Facilities
3. Smart Meters and the Smart Grid
4. Mobile Devices & Communications
5. Near Field Communications (NFC)
6. RFIDs and Sensor Technologies
7. Redesigning IP Geolocation Data
8. Remote Home Health Care
9. Big Data and Data Analytics

Interestingly enough, when Marc Chanliau shared with me a his unpublished report from which came the security content for the “Privacy and Security by Design” paper, it was gratifying to see the title he had selected for that larger report: “Requirements for Enterprise Security.”

There is much to do, but progress is being made.

Today I had the privilege of having lunch with Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, along with Jack Crail, Oracle Director of Security Sales Consulting for the Western US.  It was a pleasure to have a delightful lunch, sitting outside in the deliciously warm springtime air in Scottsdale, AZ.  We explored many topics of mutual interest, but focused primarily on the concepts in the white paper, “Privacy and Security by Design, A Convergence of Paradigms,” published recently by Dr. Cavoukian and Marc Chanliau, Director, Product Management with Oracle.

I had prepared the following matrix which shows remarkably close alignment with the seven foundational principles of Privacy by Design and how these principles could also apply to Information Security.  We recognize that the scope of security is broader than privacy, but the needs to proactively build security into all the technology and processes we create are remarkably similar.

In this matrix, row 5 (End-to-end security) shows where security and privacy interact.  In fact, end-to-end security is a necessary enabler for privacy.  The other rows begin to explore how a Security by Design approach can align with and support Privacy by Design.

While this matrix is just in draft form, I believe it can help us discuss how  the goals and solutions of privacy and security can be aligned in a meaningful way.  

If any on you would like to offer any suggestions for improvements, please let me know.

An interesting new report came to my attention today, “ Unlocking the Value of Personal Datra: From Collection to Usage,” published by the  World Economic Forum, prepared in collaboration with  The Boston Consulting Group.

Some statements from the executive summary that I like include:

Our world is changing. It is complex, hyperconnected, and increasingly driven by insights derived from big data. And the rate of change shows no sign of slowing.

… the economic and social value of big data does not come just from its quantity. It also comes from its quality – the ways in which individual bits of data can be interconnected to reveal new insights with the potential to transform business and society.

… fully tapping that potential holds much promise, and much risk.

… It is up to the individuals and institutions of various societies to govern and decide how to unlock the value – both economic and social – and ensure suitable protections

The report is organized as follows

• Chapter 1: The World Is Changing
• Chapter 2: The Need for a New Approach
• Chapter 3: Principles for the Trusted Flow of Personal Data
• Chapter 4: Principles into Practice
• Appendix – Relevant Use Cases

It is particularly interesting to me that although there are numerous examples about the potential benefits of big data, there are huge challenges, and no easy fixes.  But the report is well written and provocative.  Well worth the time to read.

Plus as an added bonus, the report has some great pictures and graphics – a treat seldom seen in a report like this.  Here is my favorite – it seems to capture the spirit of the crazy world of privacy and security we are in right now.

 

In the Oracle Information InDepth newsletter I just received, a new white paper, “Privacy and Security by Design: A Convergence of Paradigms,” was announced. The paper is a collaboration of Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada, and Marc Chanliau, Director, Product Management, Oracle Corporation.

The forward by Ms. Cavoukian includes this statement:

My hope is that privacy and security – by design, will continue to evolve into an essential component of information technologies and operational practices of organizations, as well as becoming an integral part of entire systems of data governance and privacy protection.

The paper further explains the value of these converging topics:

This paper highlights the convergence of these two paradigms. In the first part, the concept of security by design as understood in the technical community is introduced. In the second, the concept of Privacy by Design (PbD) as understood in the privacy community is discussed. The third and final part explores how these two concepts share notable similarities and how they may complement and mutually reinforce each other.

The paper provides a good overview of Security by Design …

… we address three aspects of security by design: i) software security assurance (designing software systems that are secure from the ground up and minimizing the impact of system breach when a security vulnerability is discovered) ; ii) preserving privacy in the enterprise environment and; iii) ensuring identity across heterogeneous vendors.

… and Privacy by Design.

Privacy by Design … is aimed at preventing privacy violations from arising in the first place. PbD is based on seven (7) Foundational Principles. It emphasizes respect for user privacy and the need to embed privacy as a default condition. It also preserves a commitment to functionality in a doubly-enabling ‘win-win, ’ or positive-sum strategy. This approach transforms consumer privacy issues from a pure policy or compliance issue into a business imperative.

The paper concludes:

It is becoming widely recognized that privacy and security must both be embedded, by default, into the architecture, design and construction of information processes. This is a central motivation for PbD, which is aimed at reducing the risk of a privacy harm from arising in the first place. By taking a proactive approach, it is possible to demonstrate that it is indeed possible (and far more desirable) to have privacy and security! Why settle for one when you can have both?

I found the paper to be thoughtful and timely. By coincidence, this morning I committed to an event next week where I will meet Ms. Cavoukian. I look forward to it!

Oracle recently released a white paper entitled, “Oracle Access Manager Mobile and Social, A Case Study – Piggy Bank.”  This white paper outlines the use of the Mobile and Social component of the Oracle Access Management platform.  Mobile and Social provides a simple means to integrate Mobile applications with the security capabilities provided by Oracle’s Identity and Access Management platform.

The white paper:

discusses the effort involved in executing a Proof of Concept with a major international bank. While the PoC exercise was real and the requirements described in this paper implemented, certain details have been changed to protect the identity of the bank and its security architecture and simplified for those new to OAM Mobile and Social.

The Proof of Concept detailed in this white paper involved three main tasks:

1. creating a simple electronic banking application
2. the REST/JSON services for the application
3. securing the application and services with the Oracle IAM technology stack.

The “Piggy Bank” represents the bank for which the Proof of Concept was completed.  The basic PoC architecture is shown below:

 

The white paper does a good job of outlining just what is necessary to configure the components in this architecture.

The white paper concludes:

While the PiggyBank application is quite simple, it illustrates the power and capabilities of the Oracle Identity and Access Management platform including Oracle Access Manager, Oracle Adaptive Access Manager and some of the Mobile and Social Services. By using the OAM Mobile and Social SDK a fully functional mobile e-Banking application was created and secured in a very short time, without the need to install and configure any additional software and without the need to write complex code to secure the mobile App and its communication to the services it uses. 

A customer with an existing security infrastructure based on Oracle Access Manager and Adaptive Access Manager can easily deploy Oracle Mobile and Social to extend the same security capabilities to mobile applications. By using the Mobile and Social SDK customers can seamlessly integrate security into their native Apps on popular mobile platforms including iOS and Android.

The need for secure mobile access is already huge and growing rapidly.   The Oracle Mobile and Social product goes a long way towards meeting that demand.

 

 

This week, Oracle published a new white paper, “Security in Depth Reference Architecture,” authored by Dave Chappelle as part of Oracle’s Global Enterprise Architecture Program.

The executive overview includes this statement:

The traditional approach of securing the IT infrastructure is no longer enough. Today’s threats are multifaceted and often persistent, and traditional network perimeter security controls cannot effectively mitigate them. Organizations need to implement more effective, multi-level security controls that are embedded with their electronic assets. They need to take a holistic approach to protect systems starting with sensitive applications and data. And, they need to protect these key assets from both external and internal threats.

The conclusion states, in part:

Oracle’s security in depth architecture helps you prevent, detect, and respond to threats. It focuses on the most vital asset – your data. It starts from deep within the organization, protecting data at rest, in use, and in transit. It combines robust, proven application and database platform security, the latest in standards and technologies, versatile security services, and advanced monitoring and management capabilities, to produce a secure and cost effective solution.

The architecture presented in this paper provides a blueprint for security. It follows the most widely adopted security principles and best practices, and it describes a scalable architecture that addresses aspects of security that are critical to all organizations – data security, fraud detection, and regulatory compliance.

I hope you enjoy the white paper.  If you’d like to discuss, please let me know.

KuppingerCole just released a Snapshot report on Oracle Audit Vault and Database Firewall.  It provides a good overview of this product, which recently merged into one combined product, encompassing the functionality previously in two products.  Can you guess their names?  Yep – Oracle Audit Vault and Oracle Database Firewall.

With the new product, Oracle combines these offerings. Notably this is about integration, not just about a suite of two different products.

For example:

The new offering has a single administrator console and fully integrates the two products.  Events generated by the database firewall component are automatically provided to the audit vault component.

Primary features include:

1. Database firewall: detecting and blocking database attacks, including SQL injection attacks, the most common web application threat.
2. Database and “stack” auditing: auditing across the stack, including operating system events, file system events (Oracle ACFS), the databases themselves, and custom audit logs.
3. Separation of duties: segregation between administrators and auditors to avoid fraud on collected audit data; supported by a fine-grain security model.
4. Alerting: flexible configuration of complex alerting conditions, including multi-event alerts with thresholds and group-by.
5. Flexible deployment models: support for a wide range of deployment models, from out-of-band monitoring to full in-line high availability mode.
6. Single administration console: unified administration console to manage all features and policies through a single interface.
7. Compliance reporting: dozens of out of the box reports that can be easily customized through the user interface.

The databases currently supported are Oracle Database, MySQL, SAP Sybase, IBM DB2, and Microsoft SQL Server

 

Mandiant, an American cyber security firm, recently released a 74 page report documenting evidence of cyber attacks by the People’s Liberation Army of the Republic of China:

Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). … this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. …

APt1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property. Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.

This detailed report includes a map showing observed APT1 activity …

 

… and a timeline of observed compromises by industry sector:

 

The report includes a detailed analysis of the APT attack lifecycle and methods for compromising the systems in the targets they attacked:

Detailed background about  the infrastructure used in the attacks and some of the people involved in this work are also included.

The report concludes:

In a State that rigorously monitors Internet use, it is highly unlikely that the Chinese Government is unaware of an attack group that operates from the Pudong New Area of Shanghai. The detection and awareness of APT1 is made even more probable by the sheer scale and sustainment of attacks that we have observed and documented in this report. Therefore the most probable conclusion is that APT1 is able to wage such a long-running and extensive cyber espionage campaign because it is acting with the full knowledge and cooperation of the government. Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1.

Perhaps this statement from Sun Tzu, in his book, The Art of War, is particularly appropriate in this case:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Much has been written and said recently about using data analytics to mine data for existing or probable security breaches. This morning, thanks to a tweet by @RohanPinto, I learned about a small, but practical application of this science … hunting Zebras.

In a Dark Reading article entitled, “Five Ways To Better Hunt The Zebras In Your Network,” Robert Lemos talked about zebras:

… Not the kind on that roam the African savannah, but the kind that sit at computers behind the corporate firewall.

Zebras are the employees, and their computers, who are doing something odd. Defenders are right to want to protect the zebras in their network, but defenders should occasionally “radio tag” and follow their zebras to see where they go.

He then proposed five steps to fight the zebras who might do you harm

1. Know the network
2. Collect all the data
3. Find the foolish zebras
4. Combine with threat intelligence
5. Check back on your foolish zebras

It is worth the time to read the details of each step.

Happy Hunting!