CXO

Security and Privacy – Not the staid and boring business of the past 20 years

Normally I consider security as something that is tedious but a necessary evil.   Privacy is something lawyers mainly deal with, yuck. This has been a staid industry for some time with a number of fairly well known players.    I started a security company in the DLP and eDiscovery space.   We have to deal with security and privacy so we can have the fun applications that make this an exciting world.

Something is happening that makes security and privacy a much more interesting space than it has been during the last 20 years.

I. Healthcare is undergoing disruptive change

It is my belief that a lot of the problems of health are information related.   All things medically have to be studied.  Whether a drug or procedure the thing has to be studied before it can become accepted in use.   The cost of a single drug trial for instance costs a large number of millions of dollars.   It also takes 10 years or more for most drugs and therapies to go from experimental to available for general use.   In today’s world, 10 years is forever.   People don’t want to wait 10 years for new technology to emerge.   The pace of our medical progress and a large part of the cost of medicine is tied up in this tedious and expensive process of validation which is essentially mostly a problem of information.

When Medical Studies Go Wrong

Medical Informatics for Better and Safer Health Care

Basically, we need to turn millions of people into living test subjects who are telling us everything about themselves so we can figure out what does what.   The impact of such a vast amount of information that could be correlated to figure out these things could create a massive transformation in health care practices and reduce costs and improve results dramatically in the same way that open source has transformed software.  Mobile apps and IoT devices can be utilized to help gather information easily that can be used to feed our thirst for understanding.   New devices are coming out that measure not only our distance covered in steps but actually can determine key metrics of our body including insulin levels, heart rate, brain waves, heat flux and skin wetness.

You Should Share Your Health Data: Its Value Outweighs the Privacy Risk

If we could get access to everyone’s past medical history accurately, their genetic information, monitor everyone 24 hours a day, what they ingest, what therapies they have, what they do and what happens to them day to day we could potentially make enormous progress.

The data privacy issues are enormous.   The costs of such monitoring will be huge.   New technologies need to be developed to gather information and to analyze.   Nonetheless large numbers of people are joining movements to foster this kind of free information flow.   They are signing away their rights to privacy of their information.   They are engaging in some cases in what has become known as the“Quantified-Self” to help themselves but such information would also be incredibly valuable when analyzed with millions of other people.

What’s new?

However, if we don’t rapidly evolve our security and privacy technology to support this new use of all this data we will squander the potential to dramatically change health for the world.

Devices:  There are devices like BodyMedia that measure heart rates, heat capacitance, blood pressure, oxygen content, energy usage, blood sugar levels. Portable sonograms that are inexpensive enough for people to buy.   Some devices are available now but many are in the pipeline to give enormous increase in the ability of doctors, clinical trials and people themselves to monitor themselves accurately and continuously.

Genetic Information:  The cost of a genetic study has dropped to a hundred dollars from 23 and me and is becoming more and more common.

Blood Testing: Theranos Labs has reduced the cost and difficulty of blood tests to a pinprick and a couple dollars meaning people can have more blood tests more often for dozens and even hundreds of conditions for relatively small cost.  Besides the potential of this discovering diseases earlier it would be enormous benefit to buttress the conclusions of bigdata studies of all kinds of supplements.

EMR (Electronic Medical Records):   More and more of our medical history is becoming electronic and available to patients and for bigdata analysis.

Clinical Trial Information:  Clinical trial data could be made available in digital form from major drug companies.

Quantified Self movement:  People themselves are starting to take up this effort on an individual level.   People are starting to create diaries of themselves and the data about themselves from their fitness to health concerns in general.

II. The Cloud Increasing proliferation and accumulation of user data.

One person told me: “Be careful, they know everything.”   I know they know everything.  Whether or not you practice the best security practices or not the fact is unless you cut yourself off from society today by not interacting with social services on the web practically everything about your behavior and activities is known by some cloud service.

Whether in the cloud or in a corporate data center, companies I talk to are on a path to accumulate vast amounts of information on every individual.  It’s not just Facebook or Google that has records on you.   Literally thousands of companies worldwide are accumulating or culling information on you, your past and things you do day to day.   You would be shocked at the number of firms which will have vast amounts of this information on you.

Some may say : “SO WHAT!”   Others may be trying to avoid giving any information away to any company trying to stay off the grid it is called.

In the past having inaccurate information was an annoyance.  You would get inappropriate ads or junk email.  Big deal.  As this information becomes normal and more proliferated it will be used for more and more purposes.   Does someone find something about you on the internet that affects your job potential or a lending decision.  Possibly someone doesn’t contact you because of something they read or gets a wrong impression.    You don’t know what the consequences of all this data out there are.

 

The European Union is trying to come up with a law or enforce laws that try to erase you or something from the internet.   This is an incredibly hard thing to do.   Nonetheless there is some new technology to help.   We also need laws which give rights for people to know what every company knows about them and to question that information.   Such a law would be a large expense to information consequently increasing the cost of keeping the data.   This is probably a good thing.   Consolidation from thousands to hundreds of companies or tens of companies which have information on us would make it easier to manage and more efficient.   It cannot be cost-effective to have thousands of companies collecting so much information about us.

III Internet of Things

The internet of things is creating lots of new opportunities and challenges for security.   What if IOT cars could be hacked en-masse and cause huge traffic disasters and death?

IOT devices have a number of theoretical problems with security that are troublesome that need to be addressed.   They typically have no good way of authenticating themselves in a way that insures they aren’t being cloned.  Many devices have vulnerabilities and aren’t patched regularly.   There is a lot of concern about the sheer volume of devices represents a massive security management problem as well as the data they collect.

New Tech and changes

PUF for IOT / Devices

PUF stands for Physical Unclonable Function.    It has been found there are several ways to do something on silicon devices with a computer fabricated in todays practices that produces numbers that are unpredictable from any algorithm.   The results of the calculations depend on something so particular to the device that there is no way to copy it by copying the memory of the device or any security code.  This would insure you know the device is the specific device that was installed.  It would be proof the device is the particular device it says it is.    This technology may make it into mainstream quite quickly.   This may make IOT safer and much harder for someone to access a device.

3-4 Factor Authentication

The big thing in Authentication these days is not 2-factor authentication but 3-factor.   This means knowing something, having something and something about you that is hard to clone.    A fourth factor is location.     This means knowing a “password.”  Sorry this doesn’t go away although if you have other factors you may forego this.  It means having some device in your posession which can be verified electronically and 3rd some form of biometric information.   Together these give a much higher degree of autheticity.   A 4rth in some cases is requiring that some things can only be done in certain locations.

The Cloud is generally moving to 2 factor authentication but many are moving rapidly to include 3 factors.

Automated Policy Based Entitlement  Management

UMA (User Managed Access) is a new standard based on the OAUTH2 standard which would give users the ability to set policies that would automate the sharing decisions they want to make.   This is a problem because today with single-sign-on using federated security and OAUTH2 you can authorize an app for instance to have access to certain information but you may not want to grant permission for all time or in some situations.    There are many applications for this new technology.  You can say for instance that certain IOT devices that meet some criteria would automatically have one set of accesses to information or services in your home but not others.   You might want to say that your friends could have control of lights in your house but not the thermostat.   You might want to say that if you walk up to a beacon it can access certain information about you but not other.   You might say that your doctor has access to some information but not others.

Controlling access to information is tedious and as devices and services proliferate will become error prone.   UMA promises to make that much simpler and easier to control.

Anonymity Part I – How to make sensitive data public without risking disclosing identities

There are movements where people are voluntarily exposing their information for the sake of science for instance.  This is laudable but not everyone will agree to this.  Nonetheless it may become common or people may reveal some information but not other.   How do we do our best to guarantee access to useful information that can help society but not reveal information that may be deleterious to any particular person?

A patented technology is becoming available that enables data to be anonymized sufficiently (the the level desired) so that even if we release lots of information about you nobody can figure out you were the one who did it.   It is not as simple as simply withholding the username or phone number or something like that.   Frequently when information is released publicly it is possible to carefully analyze the data to determine something about which individual contributed what information.   This depends on how many people share information in common.   There is a way to formally structure the information to make it impossible for someone to figure out if it was you that has done something or has some behavior.

Anonymity Part II  – Zero Knowledge

A new branch of mathematics has grown around a topic called Zero-Knowledge theory.   This is a branch of cryptography that allows someone to do a transaction with someone knowing that the person I am doing the transaction with has some information but no-one else even if they can observe our communication can deduce for certain that I knew the information.   This enables the ability to complete truly anonymous transactions.

This is the next level of anonymity.   Traditional anonymity systems depend on layers of systems with obfuscated identities that make it difficult for someone trying to discover who did what.  Governments have found ways of penetrating such anonymity systems which used to be thought of as what protected you in the “dark web.”   Recently, crackdowns on firms and individuals engaged in nefarious activities have been caught surprising the users of previous anonymity techniques.  One negative is these people might be able to use this to escape detection.

This technology would be the holy grail for anonymity although it is difficult to implement and costly it is interesting that there is a way to do this.

Summary

These new technologies are potentially making the cloud safer, enabling medical data sharing, enabling the collection safely of data from IOT devices and to use IOT safely.   These technologies can be used in many other ways to improve Enterprise security and power us through the next few decades growth in new technology making it possible to build the fun applications and products we want to have.

Advertisements

Categories: CXO

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s