Identity, Data, Privacy and Security – Tumbling Together

For over a decade, the Federal Government has had numerous efforts and initiatives on identity and access management (IAM). These efforts morphed into identity, credential, and access management (with of course its own acronym, ICAM), underscoring a fundamental principle of …

Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks, on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plans is a box on a drawing for security that ends up being a black box where projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leveraged and re-purposed appropriately,
  • build trust in processes and policies around information sharing and re-use, and
  • increase confidence in policy enforcement.

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute-based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a metadata tool, multi-factor authentication technologies, and an attribute exchange mechanism.

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.

Medical Apps and Identity Management

Wired.com recently ran an article discussing the impact and challenges of the mobile healthcare app market. Not only are doctors getting new apps to help them do their work, but there are hundreds of consumer medical apps available now.  In fact, just the other night, a friend gave me a very cool demo of a product called Up, from Jawbone (the maker of Jambox) which (directly from their website) “is the combination of a wristband and iPhone® app that tracks your activity and sleep and inspires you to move more, sleep better and eat smarter.”

One can easily envision the day when access to individual electronic medical records and images is available through an app, which is what the Wired.com story was suggesting. I personally, being a fairly frequent business traveler, as well as having moved several times in my adult life, would find this one-stop access to my medical records via a mobile device to be extremely useful.

However, what’s missing from this conversation is the concept of identity management (IdM) and privacy. While it’s fairly easy to envision how a controlled health information network environment can appropriately manage access to medical records, it’s a big leap to open that network up to anyone with a smart phone or iPad. This is where the burgeoning digital identity management ecosystem will make immediate impact.

When I try to access my electronic health records via my iPad, there are a number of assertions, authentications, and authorizations that will need to occur in order for the records to be released AND for the medical provider to be in compliance with HIPAA. Technologies exist for this in both the master data management (identifying me uniquely and making sure it’s MY information that I receive) and IdM (digitally binding an identity token to me and accepting that token as a relying party for strong authentication and authorization to perform an electronic transaction) areas. The much harder work is on the supporting policy and process swim lanes to ensure the right controls and rules are in place to be enabled by the technology.

Lots of exciting work still to come over the next 5-10 years in this market!

CDO Insights – Starting an Enterprise Data Program from Scratch

In 2009, I became the Chief Data Officer of the State of Colorado, the first for a state in the country. It was a tremendous opportunity, as well as an honor, to be appointed by a governor – and supported by a legislature – who truly had the vision and understood the role of data in an organization to truly transform service delivery and performance management across an enterprise.

There were two primary challenges in creating this role in the enterprise. The first was the development of a strong operational model for the role. What is the span of authority a Chief Data Officer (CDO) should have, both strategically and tactically? How does this authority get created and embedded, via policy, budget, and operations? How and with whom will this role engage across enterprise lines of business (in this case, the executive branch agencies, the legislature, and key stakeholders at the state and local level)? What kind of team is needed to support the CDO?

The second challenge was that the State literally had no history of enterprise architecture or data management principles and policies.  Creating value quickly to both build momentum and to increase support among the skeptics would be critical. There was an abundance of opportunities and work to be done, which I will discuss in a later post.

The Chief Data Officer role can be a crucial part of the C-level, strategic thinking of an enterprise in the era of all things digital and data. It’s been said ad nauseam that data and information are some of the most important assets that organizations – private and public sector, large and small businesses alike – have. And of course, it’s true. However, it’s been my observation that most organizations still very much struggle with their level of sophistication around how to really manage, integrate, and leverage this major asset class in a way that drives opportunity, transformation, bottom line results, stock price increase, or improvements in service delivery. It’s surprising there’s not been more momentum to create this role within organizations.

A strong enterprise information management program can result in the following benefits to organizations:

  • Customer-centric integrated information environment
  • Access to robust information and delivery of that information where needed, including to mobile devices
  • Economies of scale and reduced development efforts and operational costs
  • Consistent and reliable information, with the ability to layer on strong advanced analytics
  • More agile and proactive business operations
  • Platform scalability with more shared services
  • Data as a service, capturing data once and leveraging it across multiple business processes and applications
  • Trust framework that enables appropriate information sharing and access while ensuring privacy, confidentiality, and compliance

An obvious question is: shouldn’t this be what the Chief Information Officer (CIO) should do? Perhaps, but the reality in most organizations is that the CIO is focused on the technology and operations that support the organizational data needs. This by itself is an enormous challenge. Most CIOs are very good consultative partners with regard to how technology can support business operations. However, the true ownership and stewardship of data and information rests on the business side of the house, not with the technologists.

Therefore, the executive suite needs someone who can oversee the strategic business application of its information assets enterprise-wide. Someone who advocates for information; who can facilitate cross-departmental discussions about information; whose responsibility it is to optimize existing information assets, to identify information gaps, and to work with units to acquire needed data (structured and unstructured); someone who builds the trust and partnerships across the organization (chief diplomatic officer? – more on this in a future post); and, someone who can set organizational standards and policies for enterprise information management to improve quality, accuracy, and usability of critical core data assets. These are at the center of a CDO’s responsibilities.

I think that over the next decade, we will see much greater interest in and a maturing of the role of the Chief Data Officer in the same way we’ve seen the Chief Information Officer, Chief Strategy Officer, or Chief Information Security Officer roles mature.