COLLABORATION & COMPLIANCE
Identity Management meets Risk Management
Policy Physics meets Unintended Consequences

Terry Gray, PhD
Chief Technology Architect & Therapist
University of Washington
NAAG Identity Panel 15 June 2010
WHO, ME ?

Rap singer arrested in slaying
"Terry Gray did not murder anyone," Alexander said. "They arrested the wrong man. Terry wasn't even in the building when it happened."
http://www.latimes.com/news/local/la-me-rapper10march1094,0,7499869.story

Accused killer to use an insanity defense
Citing a family history of bipolarity and murder, the attorney for accused killer Terry Gray says Gray will rely on an insanity defense.
http://www.realpagessites.com/attyatlaw/newsarticles/article.nhtml?uid=10003
MISTAKEN ID?

http://www.dallasdesperados.com/images/coach_gray_terry.jpg
http://1.bp.blogspot.com/_bOKmjbY7wEo/SwF3evlnsnI/AAAAAAAABMI/cjL2xs-dP2E/s1600/Terry+Gray+with+Owl.JPG
http://cdn1.ioffer.com/img/item/737/389/96/839e_1.JPG
CONTEXT: Research Universities
http://liu.english.ucsb.edu/wiki1/images/4/4c/Collaboration.gif

Mission: discovery & innovation
Means: extreme collaboration
    – Globally, at scale, crossing many boundaries
    – Seamless and simple resource sharing
Culture: decentralized; diffuse authority
    – Collections of many independent businesses
    – A microcosm of “the Internet”

“Industry turns ideas into money; Universities turn money into ideas.”   --Craig Hogan
IDENTITY ISSUES IN COLLABORATION
    Multiple Account Madness and role of Federated access
        –   How many credentials?
        –   Single ID: convenience vs. “Single Point of Failure”
        –   Institutional vs. consumer identities

    Role of identity providers & trust fabrics
        –   Reputational risk
        –   Transitive trust, e.g. Zoho via Google: bug or feature?

    Contradictions
        –   Access control complexity leads to no access control
        –   The role of anonymity and pseudonyms
        –   Jurisdictions: data location, prevailing law; sunshine states
WHAT DO WE FEAR ?

“Stolen identities used to buy furniture and tummy tuck, police allege”
http://www.chicagotribune.com/news/ct-met-identity-theft-charges-20100605,0,7395352.story
WHAT DO WE FEAR ?
 Individuals
   - Identity theft and identity errors
   - Privacy invasion (direct or via correlation and inference)
   - Undesired disclosure or modification of identity or content
   - Loss of civil liberties: Unreasonable or incorrect search / seizure
   - Crippling complexity

 Institutions
   - Compliance violations and costs (financial or reputational)
   - Compliance and opportunity costs / complexity / backlash
   - Identity or access control errors and their consequences
   - Undermining the effectiveness of our faculty/staff/students
WHO DO WE FEAR?
“TOTAL INFORMATION AWARENESS”

Study Shows Targeted Ads Make Users Uneasy
By Terrence Russell, April 10, 2008
http://www.wired.com/epicenter/2008/04/study-shows-tar/

Even without ads, many are worried!
GETTING ON LISTS IS SO EASY…

Sen. Kennedy Flagged by No-Fly List
By Sara Kehaulani Goo, Washington Post Staff Writer, Friday, August 20, 2004
U.S. Sen. Edward M. "Ted" Kennedy said yesterday that he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret "no-fly" list.
http://www.washingtonpost.com/wp-dyn/articles/A17073-2004Aug19.html

Computer Glitch caused NY Police to raid wrong house
By: Justin McGuire | March 20th, 2010
Here is a shocking incident of insensitivity, an octogenarian couple Walt and Rose Martin who are 83 and 82 respectively, had their house raided an incredible 50 times in the last 8 years leaving them scared and wary of the police. New York Police Department claims that this was caused due to a glitch in the computer.
http://www.manhattanstyle.com/news/computer-glitch-caused-ny-police-to-raid-wrong-house/
THE ROLE OF FEDERATION & SSO

    - Helps with “Multiple Account Madness”
    - Can reduce collaboration friction
    - Can convey attributes
        - e.g. OverLegalAge, or first-responder skills
    - Can reduce data correlation risks
    - Brings “transitive trust” risks
        - Crossing organizational policy boundaries
        - Crossing legal jurisdiction boundaries

http://farm1.static.flickr.com/237/446791372_ec19181a63.jpg?v=0
WHAT DO WE NEED ?

Updated laws for privacy protection
  HIPAA plus EU “Fair Information Practices”
  Fundamental right to correct the record
  4th Amendment applied to data held by 3rd parties
  Role for anonymity (whistle-blower, stalker victim, dissident, secret agent)
  No single points of (identity) failure, nor very high-value targets (cf. RealID)
  No security theater; unintended consequences (cf. Pre-paid cell registration)

Improved identity infrastructure
  Privacy-preserving (non-correlatable) federated identities
  Pervasive trust fabrics (e.g. InCommon)
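The “can convey attributes (e.g. OverLegalAge)” and “privacy-preserving (non-correlatable) federated identities” points above, as an added example that is not from the slides: a toy identity provider hands each service provider a pairwise pseudonym (an HMAC of the user id and the SP's entity id under an IdP-held key, the same idea as SAML persistent/targeted identifiers) and a derived yes/no claim instead of the raw birthdate. The IdP class, the user records, the SP entity ids and the legal age of 21 are constructed assumptions.

```python
import hashlib, hmac
from datetime import date

LEGAL_AGE = 21  # assumption for the example; the slide only names the claim "OverLegalAge"

# Constructed sample user store; a real IdP reads this from its own directory.
SAMPLE_DIRECTORY = {
    "jdoe": {"birthdate": date(1990, 6, 15), "affiliation": "student"},
    "asmith": {"birthdate": date(1985, 1, 2), "affiliation": "staff"},
}

class IdentityProvider:
    # Hypothetical IdP: never releases a global identifier or the raw birthdate.
    def __init__(self, secret: bytes, directory: dict):
        self._secret = secret        # IdP-held key; never leaves the IdP
        self._directory = directory

    def pairwise_id(self, user: str, sp_entity_id: str) -> str:
        # One opaque handle per (user, SP) pair: stable for a given SP, but two SPs
        # see unrelated strings and cannot join their records on the subject alone.
        msg = f"{user}|{sp_entity_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def assertion(self, user: str, sp_entity_id: str, today: date) -> dict:
        rec = self._directory[user]
        dob = rec["birthdate"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        # Release the derived claim, not the birthdate it was computed from.
        return {
            "subject": self.pairwise_id(user, sp_entity_id),
            "audience": sp_entity_id,          # assertion is bound to one SP
            "OverLegalAge": age >= LEGAL_AGE,
            "affiliation": rec["affiliation"],
        }

def demo(today: date = date(2010, 6, 15)) -> dict:
    # Two SPs (constructed entity ids) each receive an assertion about the same user.
    idp = IdentityProvider(b"idp-secret-key-constructed-for-demo", SAMPLE_DIRECTORY)
    library = idp.assertion("jdoe", "https://library.example.edu/sp", today)
    bookstore = idp.assertion("jdoe", "https://bookstore.example.com/sp", today)
    library_again = idp.assertion("jdoe", "https://library.example.edu/sp", today)
    staff = idp.assertion("asmith", "https://library.example.edu/sp", today)
    return {
        "same_sp_stable": library["subject"] == library_again["subject"],
        "cross_sp_correlatable": library["subject"] == bookstore["subject"],
        "birthdate_released": "birthdate" in library,
        "jdoe_over_legal_age": library["OverLegalAge"],    # 20 on the demo date
        "asmith_over_legal_age": staff["OverLegalAge"],    # 25 on the demo date
    }
```

The pairwise handle removes only identifier-based correlation; SPs that also receive rich attributes (or timing, IP addresses) can still correlate, which is why the slide pairs the identifier design with minimal attribute release.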
DISCUSSION