Data and Trust – Thoughts from the World Economic Forum’s Global Agenda Outlook 2013

In the recently released “Global Agenda Outlook 2013” by the World Economic Forum, one of the main topics tackled as part of the ‘agenda’ is titled “Thriving in a Hyperconnected World”. The main premise is that the physical world and the digital world are merging rapidly, and institutions and leaders are not prepared to deal with it. Not only are the technologies evolving, but the amount of data being generated is completely unprecedented, yet will only grow.

Two of the major components of this “hyperconnectedness” that the WEF discusses are data and trust. Marc Davis with Microsoft Online Service Division frames it nicely: “[Big data] is a question of the structure of the digital society and digital economy, what it means to be a person, who has what rights to see and use what information, and for what purposes might they use it.”

Globally, countries and industries are dealing with the policy, economic and regulatory structures (on top of the technical interoperability challenges) to control the flow and sharing of data, particularly personal data. Yet there is virtually nothing that is done today without a data component. There are huge societal benefits to the amount of data generated today, as well as potentially enormous – and life-threatening – drawbacks to this data if it is not managed properly, if it is collected erroneously, or if it is inappropriately shared.

There are many reasons why we each give data up – to open a bank account, to purchase a vehicle, to get healthcare treatment, to find people to date, to unlock a badge from our favorite gaming site. But in these instances, we make a conscious choice to give up certain pieces of data and information about ourselves.

But we don’t know what the internal data quality practices are of the companies to whom we give data; we don’t know how they manage their cyber security practices; we don’t know how their internal access and authentication controls are managed; we don’t know if the company has the ability to do tagging at the data element level to fortify its privacy compliance protocols; we don’t know to whom the company resells our data; we don’t know if the company’s legitimate business partners with legitimate access to our data are also protecting our data with the same degree of integrity.

Knowing what I know about the actual limited capabilities of federal and state governments here in the U.S. to actually integrate and share data, I’m far less concerned with ‘Big Brother’ than I am with Amazon and Apple (both of whom seem to do a far more effective and efficient job of managing my data correctly) doing something creepy with my data (like recommend me purchasing a Justin Bieber CD).

Trust frameworks, transparency, policies, accountabilities – these are all steps on the right path to building trust. To engender trust by people, by society, in how data is collected, managed, and used, requires multiple degrees of sophistication far beyond where many organizations and institutions are today. This includes technology, policies and regulations, and economic models. Unfortunately, policy will never keep up with the speed of technology innovation, so it may take a while to get to trust.

Most importantly, however, individuals need to take responsibility for their data: being educated about their data, about how to control it, and to be given more controls over their data (especially when it’s in the hands of institutions). This part of the discussion is largely absent from the overall debate, and needs to be given its due attention.

Thoughts about how to move this individual responsibility discussion forward?

Identity, Data, Privacy and Security – Tumbling Together

For over a decade, the Federal Government has had numerous efforts and initiatives on identity and access management (IAM). These efforts morphed into identity, credential, and access management (with of course its own acronym, ICAM), underscoring a fundamental principle of …

When Data Met Identity

My two favorite worlds – data and identity management – are predictably starting to collide in overt ways. Over the past decade, we’ve seen slow, but mostly steady, progress forward with a variety of identity management initiatives. The data world has moved exponentially faster and more explosively. As we grapple with the growth of personal data across an array of collection devices (including mobile devices) and storage mechanisms (including the cloud), identity management will be seen as the key fundamental enabler that it truly can be.

We live in a world of networked ecosystems. There will be two primary considerations for maintaining the vibrancy of those ecosystems, and the communities, exchanges, and analytics that are done therein:

  • the ability to uniquely establish an identity (for a wide variety of purposes, including ecommerce, health care, analytics, information sharing, banking, etc. etc.) and
  • the ability to limit access to personal or sensitive data to only those with a legitimate need to access and use it

The ecosystems by nature have porous, extended boundaries. But many people belong to a variety of ecosystems, and the networked nature of the internet should allow us to glide effortlessly among these different environments. We’re not there yet, but technologies such as master data management and multi-factor authentication (among many) will help networked communities to thrive by creating trust, building interoperability across systems, promoting reliability and integrity, improving processes, and controlling security and privacy.

Beyond technologies however, strong governance processes and trust frameworks must be developed and implemented, to continue to foster the trust, privacy, and reliability of the system of systems.

Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But, most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plans is a box on a drawing for security that ends up being a black box where too often projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leveraged and re-purposed appropriately, to
  • build trust in processes and policies around information sharing and re-use, and, to
  • increase confidence in policy enforcement

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.
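A minimal sketch of the risk-based approach described above, added here as an illustration and not taken from the original post: the controls a request must pass grow with the asset's classification, so low-risk data is not slowed by checks meant for sensitive data. The tier names, roles, purposes and sample assets are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed classification tiers, ordered by risk (assumption, not from the post).
TIERS = {"public": 0, "internal": 1, "sensitive": 2}

@dataclass(frozen=True)
class Subject:
    roles: frozenset
    mfa: bool = False                  # multi-factor authentication done this session
    purposes: frozenset = frozenset()  # need-to-know purposes provisioned as attributes

@dataclass(frozen=True)
class Asset:
    name: str
    tier: str
    allowed_roles: frozenset = frozenset()
    allowed_purposes: frozenset = frozenset()

def decide(subject, asset, purpose):
    """Policy decision: return (decision, reason). Checks accumulate with the tier."""
    level = TIERS.get(asset.tier)
    if level is None:
        return ("deny", "unclassified asset")  # fail closed on missing classification
    if level >= 1 and not (subject.roles & asset.allowed_roles):
        return ("deny", "role not permitted")
    if level >= 2:
        # Need-to-know: the stated purpose must be valid for the asset AND the subject.
        if purpose not in asset.allowed_purposes or purpose not in subject.purposes:
            return ("deny", "no need-to-know for stated purpose")
        if not subject.mfa:
            return ("step_up", "multi-factor authentication required")
    return ("permit", f"{asset.tier} tier checks passed")

# Constructed sample data for illustration.
HOURS = Asset("clinic_hours", "public")
ROSTER = Asset("staff_roster", "internal", frozenset({"clinician", "hr"}))
RECORD = Asset("patient_record", "sensitive",
               frozenset({"clinician"}), frozenset({"treatment"}))
NURSE = Subject(frozenset({"clinician"}), mfa=False, purposes=frozenset({"treatment"}))
NURSE_MFA = Subject(frozenset({"clinician"}), mfa=True, purposes=frozenset({"treatment"}))

if __name__ == "__main__":
    for subj, asset, why in [(NURSE, HOURS, "any"), (NURSE, ROSTER, "scheduling"),
                             (NURSE, RECORD, "treatment"), (NURSE_MFA, RECORD, "treatment"),
                             (NURSE_MFA, RECORD, "marketing")]:
        print(asset.name, why, decide(subj, asset, why))
```

The `step_up` outcome is what keeps legitimate requests moving: the enforcement point asks for stronger authentication only when the data's tier warrants it, instead of refusing or demanding it for everything.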

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.

Medical Apps and Identity Management

recently ran an article discussing the impact and challenges of the mobile healthcare app market. Not only are doctors getting new apps to help them do their work, but there are hundreds of consumer medical apps available now. In fact, just the other night, a friend gave me a very cool demo of a product called Up, from Jawbone (the maker of Jambox) which (directly from their website) “is the combination of a wristband and iPhone® app that tracks your activity and sleep and inspires you to move more, sleep better and eat smarter.”

One can easily envision the day when access to individual electronic medical records and images is available through an app, which is what the story was suggesting. I personally, being a fairly frequent business traveler, as well as having moved several times in my adult life, would find this one-stop access to my medical records via a mobile device to be extremely useful.

However, what’s missing from this conversation is the concept of identity management (IdM) and privacy. While it’s fairly easy to envision how a controlled health information network environment can appropriately manage access to medical records, it’s a big leap to open that network up to anyone with a smart phone or iPad. This is where the burgeoning digital identity management ecosystem will make immediate impact.

When I try to access my electronic health records via my iPad, there are a number of assertions, authentications, and authorizations that will need to occur in order for the records to be released AND for the medical provider to be in compliance with HIPAA. Technologies exist for this in both the master data management (identifying me uniquely and making sure it’s MY information that I receive) and IdM (digitally binding an identity token to me and accepting that token as a relying party for strong authentication and authorization to perform an electronic transaction) areas. The much harder work is on the supporting policy and process swim lanes to ensure the right controls and rules are in place to be enabled by the technology.

Lots of exciting work still to come over the next 5-10 years in this market!