The Puchi Herald Reblog

A reblogging blog

It is time for research to think about security and privacy

It is time for research to think about security and privacy

We usually talk about cyber security and privacy related to the world of industry and personal, but today I would make some points related to research in universities.

how much security aware are universities?

This is an interesting topics, looking at the statistics on cyber security attacks I would say security and privacy awareness is not at the first point in their needs.

So bad …

well first of all let’s make a little distinction:

engineering vs the rest

it is out of doubt that engineering universities and research are more cyber security savvy than the rest. Some of them are also actively working and studying the the issue.

but nevertheless the overall cyber security and privacy approach, beside the ones actively working on the subject, is poorly implemented. on the other end engineering universities are full of guys playing with the fire … some will be the defenders of tomorrow, some are the hacker of today (hacker is not necessarily a bad term).

the rest is in a questionable situation, both cyber security and privacy lack of vision and willingness to address the point. even if there are areas that deal with very sensitive data, think healthcare industry.

the result is under our nose, a lot of people with great skills and knowledge on a lot of different subject completely unaware of the consequences of digitalization…. why do you think is so easy to break into healthcare systems, law firms and so on?….

The research issue

there was a time where being a scientist was putting your life at stake, was not easy to be Galileo Galilei at his time. But I hope that anyone with a brain can agree on the fact that science was mandatory to develop our society and way of life.  Science play an important role on human development, and I took science with the largest meaning…not only technology or physics, but medicine,  economy, social science, history, literature, philosophy … in a way culture … the connection and ramification of science with art, as an example, are undeniable… so we should ask ourselves if there can be a world without science.

But science is based on theories more than faith, trials more than prayers, and therefore need a solid trusted based …

the trust is no more here

In this security and privacy unaware environment seldom researchers that are not security focused put attention to security, but nowadays research environment and criminal landscape and geo_political warfare would suggest a different approach. if some years ago the word of a scientist was respected, nowadays seems that politics take over science and data and result are not what they are, consequences of studies and trial, but things are what your political beliefs want it to be.

so we see a rising of “creationists” or other religious para-scientific accreditation as “scientific”, as well the denial of scientific evidence in the name of political or religious beliefs (think at global warming as an example).

When you start a research you need, basically, to start collecting and managing data, use some computational power, share those data with peers…. but those data, those exchanges are what we should take a look for also in terms of privacy and security.

Depending on the nature of the research you can have direct evident privacy and security implications, but even if you are working on not apparently key areas you should put some precautions on the table. Let quickly try to explain why:

data are important

Data are what you have to work on, you sample, collect, store, analyze, transform data.

In a trusted environment you can avoid to care too much, come on i trust you and you trust the others so what can be wrong… but this is no more the reality.

  1. if your data have some kind of value (and i think they have, or you would not use them) you should protect them
  2. if your data are needed to prove your point you should be able to ensure they are reliable
  3. if your data need to be exchanged with others you should be sure what you transmit is what they get, and what you receive comes from a equally trusted source and data itself are trustable.
  4. if you work worth something may be you want some intellectual property on it, and therefore you have to be sure your result are not repudiable, subject to copy or used and\or modified without your knowledge

those 4 points are the the main areas where you should put privacy and security into the equation no matter what your research is.

what is the value?

Every time you have to invest something you make a tradeoff between the invested monetary resources and the expected output. in science this is a hard exercise so i understand most of the time you do not want to look for data protection but try to think how much you depend on those data..

what happen to your research if a ransomware encrypt you data?

what happen if a attacker or a incident poison your data with some bias?

sometimes you can also be a “collateral damage” and not the direct target but, does it make any different to you?

if you are not able to put those consideration on the table you can start wonder what is the value of your job.

protecting means?

usually you set up things using what comes to your hands. this does not means crappy thing but…how much planning have you put on this?

have you considered what happens if you lost your data for a mechanical crash?

or for a hacking attempt?

of for a genuine honest mistake of your developer that write the code that manage your data?

or if your shared repository have to give space to something more important?

and what if someone tamper your data?

and what if someone copy your data?

and what if ….

this kind of scenarios are not your research field, I know, but nevertheless are connected to your job and you should start to consider them.

backup, storage, encryption, access management, Intellectual Property protection, data exchange, computational requirements… all those thing should be managed in a sound reliable plan that foresee current and future needs…

the problem of exchange

another aspect that is really critical is how you can be sure that the data you are exchanging are managed correctly.

the first point when there is an exchange between to point is to be able to trust the point itself. this basically means you want to exchange data with this subject, but may be not with another one (i know you are not all friendly one to the other).

so the point is how you can be sure you are sending the data to the correct source…

When you send something you should assure the counterpart that what he\she\it will receive is what you are sending, data should be managed in a non repudiation and anti tampering way, and also maintain the ownership if needed.

now they can be a genoma of a rock, a clinical trial result on the effect of mars over alopecia, a set of data on relationship between gun distribution and bird control rate, the climate data of the last 100 years in neverland…whatever… you need your data be recognized as:

1) yours

2) truthful even after the transfer

the point here is that otherwise anyone can change assumption and therefore conclusion making you part of a fraud. you should always be able to say, they those were not my data….

and in a moment where politics and science collide once again this is not a minor issue.

food for thought

privacy and cyber security are sons of the current expansion of the digitalization. Those issues are not a side tough but real component of your everyday job even if you are a researcher in areas way far from cyber security, information technology or whatever.

you should also start thinking if those data should be kept public how to maintain, store and allow access to them in a consistent and secure way. Sure you can post them on facebook and tweet them but maybe, just maybe, this would not be the optimal solution.

And you should start thinking about those things before it’s too late. no matter who you are, what you do digital life is here for you too and you should start acting accordingly.

just think about it.

Antonio

 

 

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

It is time for research to think about security and privacy was originally published on The Puchi Herald Magazine

Dear CISO, please talk about business with your board, not technicality.


Dear CISO and Board

I think we should always consider our job as a part of the business. We finally started to consider cyber security and data protection as a serious issue but now the question is how we evaluate a risk in our analysis and business plans…

Current documentations and reports, for risk analysis, presented to most of the boards use just a flag (High, medium, low risk) but does not seems to specify any metric. Without metric it is hard to make sound evaluation and comparison so to the question raised by any member of the board : “does a high risk in XYZ be dangerous as a high risk in ABC” can’t have a credible answer if not on “perception” which is subjective if not backed up by facts..

Security metrics are, as of now, subject of interpretation and discussion but we can simplify the approach to make security analysis somehow credible and understandable.

First of all, to answer to board question what is needed is a common framework of evaluation, that include easy to read metrics, that make comparison understandable even to not cyber security experts, as most of the board member that have to take decision based upon those inputs are.

This is something that goes beyond the Cyber and Information Security Officer tasks, this requires the whole company to start thinking about its cyber security and digital assets, but unless the approach is to take a reactive way of do thing, inputs coming from you should be provided to start outlining this framework and metrics.

Alas cyber security risk analysis is all but simple, mostly if related to business impact, since it requires understanding of cyber security issue and, as well, the business in which the risk is analyzed.

There are two main aspects that need sound and readable metrics:

  1. Risk evaluation
  2. Risk consequences

The first item is used to define how “risky” is something. Measure a risk requires, to simplify a complex matter, to be able to evaluate the probability that something happens, the magnitude of the damage, and the cost for fixing things. Magnitude of the damage and cost to fix things are bound to Risk consequences, that are, basically, the metric that can be used in a board meeting to describe the risk in terms understandable to a non-cyber security aware audience.

I will not enter in the realm of risk evaluation deeply here, you have a deep knowledge and understanding of the issue and I do not want to bore you with my considerations, but let me notice how there is not, apparently, yet a common framework of evaluation spread through your company’s groups and BU on the matter.

If risk evaluation is one key, but mostly technical, aspect, let me point out something on the risk consequences aspect that can be of some use in the future business plans to make them useful from a business perspective and not just a sterile exercise.

Risk consequences can be presented, basically, in some dimensions that are somehow related, the aim here is to understand if a cyber security incident occurs what can be the measures that allow your company to describe it and, therefore, compare with another event.

Would make sense, in my point of view, to present any risk analysis to the board and other managers in those terms:

1)     Monetary cost in terms of loss revenues

2)     Monetary cost in terms of live costs

3)     Impact on market penetration

4)     Impact on brand perception

This would allow to compare an XYZ incident to a ABC incident and answer somehow to Board question, and, moreover, to give a metric to understand where and why to invest in an area instead of another one.

Let me quickly describe the 4 points.

1)     Monetary cost in terms of loss revenues

This is a dimension that can be easily perceived by sales and financial managers. This basically means to be able to estimate how many direct selling activities will be impacted by the incident. The timeframe taken into account is key, of course, since events can have different effect in terms of immediate, medium and long term timeframe.

The evaluation can be presented both in terms of net amount of money or % compared to budget. Both make sense to understand the impact.

2)     Monetary costs in terms of live costs

This basically means to put into account all the live costs related to the incident as fines, legal issues, HWSW replacements, people working on the issue and so on. It is important to separate costs related to the incident to the loss revenue related to the incident.

3)     Impact on market penetration

This is a metric that make sense for a vendor who is trying to expand its footprint in the market as your company is trying to do. It is strictly connected to the direct revenues but also to the growth expectations. This can be represented as a % of the market share.

4)     Impact on brand perception

This last item is the hardest to measure, since it depends on the metric used to value Brand inside your company, since I have been never told what metrics are used I can here just suggest to present the %variation related to the value before the incident.

For what I know this has not been done before on Cyber and Information Security Business Plans. It could be either something sound to present in your future BP or a task for the Cyber and Information Security Office to be implemented for this year if the structure is not able to do this kind of analysis and presentation.

With those 4 points would be possible to both:

make comparison between risks

and

provide to the board an output that can be objectively used to take decision.

Let take, as an example, privacy risk related to GDPR not compliancy.

This approach would allow you to present in the BP set of data to justify expenses and investments every time a risk is presented; something like:

Let me explain the the table to you, of course values are fictitious and timeframe can be adjusted to your reality but i think this can give you almost a basic understanding of what i suggest.

GDPR not compliancy:

1)     customer personal data breach: Columns headers

Short term impact (1-3 months)

It is what happen immediately after the problem, where you have to set up the required operations to make things running again somehow. If you have a Emergency Response Team (You should) this is where you put the costs…

Midterm impact (3 months – one year)

Let be honest, if it is a minor outbreak may be things will be solved quickly, but if the problem is bigger, as your marketing database exposed, you will start considering also legal costs, fines and the impact on your market…

Long Term Impact (1-3 years)

Things have an impact also after your BP, life is nt restricted to your daterange, business is not restricted to daterange, you you should be able to make prediction and analysis way longer than the simple one year timeframe. It is common in any business, so here too.

2)     customer personal data breach: rows headers

Revenue losses

This is the revenue losses that you will have to face upon your budget expectations.

Live costs

This contains what you have to pay, your direct costs that cove, as an example:

  • HWSW replacement
  • Fines
  • Estimated “damaged user” legal issues if someone sue you
  • ransom paid
  • eventual cyber security insurance policy fee rise
  • stop production costs
  • people working on the issue to solve the problem (eventual forensic analysts, cyber experts, lawyers …)

Impact on Market Penetration

This is where you put how the incident will damage your business in terms of your presence and future outlook.

Impact on Brand Perception

this is how your credibility will be affected

With this kind of matrix would be easy to make correct evaluations and comparison. I am not sure this is at the moment something that can be done with the current analysis tools but eventually would be a sound element to put in a BP for a future sound approach to cyber security risk evaluation.

regards

Antonio

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Dear CISO, please talk about business with your board, not technicality. was originally published on The Puchi Herald Magazine

GDPR and the technology market

GDPR and the technology market

Question: will the new privacy policies and laws impact the technology market?

This is an interesting question to ask ourselves; whether we are consumer of the technology market or technology vendors the impact of the new technologies (from cloud to IoT, from industry 4.0 to big data just to name the most acknowledged from a marketing point of view) privacy regulations can affect heavily our behaviours and the market.

so let try to understand what could be the implications of this new focus on privacy and data protection.

First of all we should try to understand what we are talking about.

Privacy, GDPR and the rest.

Privacy: the state of being alone, or the right to keep one’s personal matters and relationships secret:

In nowadays environments the presence of data related technology is pervasive: from business to  personal life technology play a big part of our life.  data related technology means we use technologies that is able to manipulate information: informations are collected, changed, communicated, shared all in form of data. Bit and bytes that describes our job, our business, our personal life.

Although in the past privacy was mainly a physical issue, and therefore legislation was focusing on those aspects, this increasing presence of data collection and sharing makes people realize that there is a new abstraction layer that involve privacy that is no more related to be alone or in a confined physical space, but in a undefined and without borders digital virtual space.

Email, Blogs, social networks, chat, E-commerce, electronic payment, smart phones all this and more shifted the same perception of privacy from a simple concept to something more hard to be defined.

Rulers and consumers started to deal with those issues in the last years whole enterprise and technical world has been remained almost frozen waiting for indications. the first indications that this would have been a wakeup call for enterprise has been the ending of the safe harbour agreement, privacy was not longer a secondary issue even for the economy.

The latest development can be easily identified in the new  European Union’s General Data Protection Regulation (GDPR), which comes into effect in May 2018, has far-reaching implications that extend far beyond the EU.

Businesses that fail to meet the new mandates aimed at protecting personal data face severe consequences. They can be fined up to $20 million, or 4 percent of global revenues — a cost that makes this regulation impossible to ignore.

But other areas of the world are moving toward a more cautious approach toward data privacy, not only Europe. While it is not yet clear how will be the new USA administration approach toward this subject, it is out of doubt that data privacy is becoming a major issue in the next years; how this will impact business is, although, not yet clear.

For sure is that GDPR will enforce companies to deal with a tremendous amount of data to be protected. Any data used to make inferences linked tenuously or otherwise to a living person is personal data under GDPR. Cookie IDs, IP addresses, any device identifier? All personal data. Even metadata with no obvious identifier is caught under the GDPR’s definition of personal data. Truth be told, such assertions are not entirely new. The difference under GDPR is that they will be enforced and the non compliance fined.

Today swathes of business practices unlocking data monetization rely upon data not being considered personal. So they apply weak consent, onward transfer and data reuse concepts. These models are going to change; either by choice, or by obligation.

Data Privacy , Data Protection and Cyber Security

One aspect that is not yet completely perceived and understood is the correlations between data privacy, data security and cyber security. The requirements that enforce the companies to respect data privacy legal requirements are intrinsically bound with the explicit request for data protection and, therefore, cyber security.

GDPR clearly define data should be fairly processed and protected: the implications are not only in terms of procedure to adopt inside the enterprises, but also technical in terms of data manipulation, retention, storage and security.

Recent security outbreaks as the one related to ransomware are an example of how basic cyber security threats can impact directly on this area, as well as common and well known cyber attack directed to data exfiltration.

This is a growing phenomenon and is affecting not only the classical online services (think of classic dating site attacks, as an example, to collect username and passwords) but, as an example, extensively the healthcare industry.

While in the past those outbreaks could have been just a relative minor issue, the new GDPR structure of fines could affect in a heavy way any company, regardless its sector, and some departments that in the past have never considered those issues as a business imperative, as marketing or Human Resource, will have to face a difficult transaction in terms of awareness, policies to be implemented and technology approach.

It is easy to forecast that this situation will shape in the next years the technology market in different areas.

Impact on the technology market

When we talk about the technology market we face different aspects, “technology” as a term can cover a wide range of things. We can talk about hardware vendors or software vendors. We can talk about service vendors (cloud, CRM or whatever you like more), IT enterprise or carrier HW providers, Security vendors, End user HW providers (as smart phone makers).

Recently the trend is to aggregate functions and offering, making those areas overlapping in the same company although not often integrated.

Since all the industry will have to face the new privacy requirements it is to be expected a increase on data privacy expertise requests hitting the market, and a growing demand for IT solutions that will help companies to manage the requirements. this could, as an example, give a small impulse to historically neglected areas as DLP solutions, data categorization solutions and so on.

Some little advance and effort will be probably put also on more traditional areas as backup.

An heavier impact will be seen in the growing online market with the need to protect not only privacy of users but also to save the economic transactions, content providers, social or gaming platforms will be heavily impacted too.

In a second run we will probably see a renewed interest for baseline security solutions, as the stakeholders will, sooner or later, realize that there is no compliance without data protection and there is not data protection without cyber security.

The request for expertise and consulting services will be mostly redirected outside to technology vendors (here considering HW\SW vendors as cisco, hp, huawei, SAP, Microsoft; service vendors as cloud providers – azure, AWS, google –  but also app stores, CRM online providers), consulting companies and technology integrators.

On the other end technology vendors will have to face a strange situations where they will be both requested to provide solutions compliant with the new rules, be the driver of the new requirements and implementations (public-private partnership basically means this)  and in need to implement solutions to protect themselves in different areas as:

Product and Services development

Here vendors will have to start developing products\services considering data protection a major issue. It is clear the impact on cloud or services, where data protection can be easily identified, but also the HW product side will have to face issues. Although it can seems trivial we can remember the problem related to GPS tracking in apple and, at some extension, android happened some years ago. privacy implication with products can be wider than expected, since we have to protect not only the data per se, but also the metadata (this is the wider range of GDPR and new privacy regulations).

Usually we tend not to consider, as an example, system logs as a problem in terms of privacy, but in effect they are if they contains data that can point to a physical person and being used to track somehow the person behaviour.

Firewall and router logs, as an example, could be used to determine what is someone doing online, and therefore can expose information that are subject to GDPR realm. minor features apparently but the truth that also metadata are object of GDPR.

Privacy By design and Privacy Enhanced Technology will be mandatory component of any product\service developement.

Marketing and Sales

Marketing(and or  sales)  has always been considered agnostic towards technology, but the ultimate scope of marketing is to get in touch with the market, this means customers and ultimately people. Marketing activities will get a huge impact towards GDPR requirements both in terms of operations, since is up on marketing to manage a large amount of data coming from outside the company, and communication.

Technology vendors, somehow, will be expected to lead and drive the request both in terms of consulting and example. The result of a breach or misinterpretation of GDPR guidances will impact severely the business from a brand point of view and undermine vendor credibility.

Internal protection

As any other company there will be a direct impact on business operations of any vendor dealing in the technology field. But this case the extension of the problem will not focus just on the standard cyber security procedures, since technology vendors enter, somehow, almost directly on customers IT or data processing infrastructure the request will be to implement an end to end protection system which include GDPR compliance and cyber security application. This will require technology vendors to operate on:

  1. supply chain
  2. production and vulnerability disclosure
  3. product and service delivery

all three area are still trying to develop standards and good practice although something is moving.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which technology companies should be aware of.

Some of the key areas include:

  • Privacy by design and Privacy enhancing technology – privacy by design calls for the inclusion of data protection from the onset of the designing of systems. Companies must also only hold and process data which is absolutely necessary.

Privacy enhancing technology (PET) and Privacy by Design (PbD) are obligatory and mandated requirements under the GDPR. There remains no generally accepted definition of PET or PbD, but PbD is considered an evidencing step for software development processes to take account of privacy requirements. So the incorporation of what can broadly be defined as PET in such solutions represents PbD.

Two particular PET techniques that control downside and enable upside risk are differential privacy & homomorphic encryption.

  • Differential privacy counters re-identification risk and can be applied to anonymous data mining of frequent patterns. The approach obscures data specific to an individual by algorithmically injecting noise. More formally: for a given computational task T and a given value of ϵ there will be many differentially private algorithms for achieving T in a ϵ-differentially private manner. This enables computable optima’s of privacy and also data utility to be defined by modifying either the data (inputs to query algorithms) or by modifying the outputs (of the queries), or both.
  • Searchable/homomorphic encryption allows encrypted data to be analyzed through information releasing algorithms. Considered implausible only recently, advances in axiomatizing computable definitions of both privacy and utility have enabled companies such as IBM & Fujitsu to commercially pioneer the approach.
  • Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processors. Liability will extend to these and businesses that collect and use personal data.
  • Data portability: Empowers customers to port their profiles and segmentation inferences from one service provider to another. This is a reflection by lawmakers that data is relevant to competition law, whilst not conceding an imbalance between a companies ability to benefit from data at expenses of us all as citizens.
  • Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
  • Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt-out.Customers consent to privacy policies that change. Being able to prove which contract was agreed to, in court or to a regulator, requires  registration time stamping and tamper resistant logs become de rigueur.As we move into an opt-in world of explicit consent and ubiquitous personal data, data transmissions beyond a website visit must be explicitly permissioned and controlled. In this world, default browser values de-link machine identifiers from search queries. In other words, in this new world, online advertising to EU citizens is in line for fundamental change.And given particular regulatory emphasis on profiling, explicit consent will require loyalty programs to differentiate consent between general and personalized marketing consents. Those consent flags must cascade through registration, reporting and analysis, targeting and profiling, contact center operations and all other processes that handle such data.
  • Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified. it is underestimate the relationship between breach notification and vulnerability disclosure. While for an end user those two aspect seems to be unrelated, there could be a higher impact on vendors for, at least, a couple of factors:
    • The breach notification could expose the vendor as the main source of the breach itself due to lack of vulnerability management and disclosure.
    • The victim could consider liability against the vendors which “vulnerabilities” caused the breach redirecting to them part of the costs.
  • Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how is it being processed, where and for what purpose.
  • Right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities.A framework to comply with this obligation would include the following steps:
    • Spot identifiers which tie together datasets, e.g: machine identifiers link together our social media experiences;
    • Prescribe how re-identifiable data flows in and outside the organization;
    • Document a scalable process to overwrite identifiers in all datasets where re-identification can be established, upon the validated request of a user, and
    • Third party contracts and SLAs should be adjusted to ensure compliance with validated requests.
  • Data Bookkeeping: Field level data, linked to an identifier, flows across geographies and legal entities, processed by machines and people. Organizations will account for these flows with evergreen reporting. It stands to reason that these flows will be threat-modeled for integrity and confidentiality so controls can be readily evidenced upon request.

 

GDPR impact

Privacy regulations as GDPR and the growing awareness and concerns related to data privacy and security are related to the expanding presence in everydays life and business of smart mobile devices able to process data, the growing online market, consolidated trends as cloud services or newcomers as IoT.

Technology market face this transition in front line, and will see the impact of new regulations and customer reactions in several ways. This is both a chance and a problem; implementation of new mandatory requirements will impact all areas, from design and production to sales and delivery. But this will means also new area of business in the consulting area, in the technologies to support GDPR and privacy compliances in the market where data analysis technology, artificial intelligence and other high end technology areas could provide a competitive\price insensitive advance vs the consolidated technology market.

The key success factor is to embrace this change and drive it acquiring internally the needed competences, implementing the correct corrections and driving the needed improvement related to product and services provided.

Future trend will see a prevalence of  technologies related to “data” processing and services related to data vs products. The new Data paradigm is already visible nowadays as example in the Big Data market (take data lake implementation as an example). in terms of technology market this will means to focus on Data Science which will pose a new and somehow unpredictable relationship with privacy regulations.

GDPR Risks and “Data Science”

The term data science describes a process from data discovery, to providing access to data through technologies such as Apache Hadoop (open source software for large data sets) in the case of Big Data; and distilling the data through architectures such as Spark, in-memory and parallel processing. That data science creates value is understood. What isn’t are the risks it exposes investors to under the GDPR, of which there are principally three:

Risk 1: The Unknown Elephant in the Room – Unicity: a general misunderstanding in monetization strategies is that stripping away identifiers of a data model renders the data set anonymous. Such a belief is flawed. So-called anonymous data sets can often, without implausible effort, be re-identified. Unicity is a measure of how easy it is to re-identify data. It quantifies additional data needed to re-identify a user. The higher a data set’s unicity, the easier it is to re-identify. Transactional and geo-temporal data yield not only high monetization potential, they carry statistically unique patterns which give rise to high unicity.

Risk 2: Relevance & Quality: Income, preferences and family circumstances routinely change, and preference data on children is difficult to ethically justify processing. While this creates a problem for predictive analytics, that data and the inferences it engenders can be considered inaccurate at a given point in time, which creates a GDPR cause-of-action. Data quality needs to stay aligned to business objectives.

Risk 3: Expecting the Unexpected: When data science creates unexpected inferences about us, it tends to invalidate the consent that allowed data to be captured in the first place, which, again, is a big deal. Data collected today, particularly from mobile devices, is subject to a constant stream of future inferences that neither the customer nor the collector can reasonably comprehend. Consider a car-sharing app that can model propensity for one-night-stands from usage patterns. While that data may not result in propositions today, the market will consider upside risk/option value to have been created (the market still does not seem to believe in GDPR impact), but this incremental data coming into existence creates downside risk (such data is difficult to find a legal-basis for, given the vagaries of a given consented disclosure).

More generally, the problem of negative correlations is brought to the fore by algorithmic flaws, biased data and ill-considered marketing or risk practices, the enduring example being U.S. retailer Targets’ predictive campaigns to pregnant teenagers, spotted by parents. These are examples of a new form of systemic control failure, leading to potentially actionable GDPR claims.

 

Related articles

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

GDPR and the technology market was originally published on The Puchi Herald Magazine

Why IT companies are so concerned by latest (and future) USA administration moves.

Why IT companies are so concerned by latest (and future) USA administration moves.

Latest USA administration moves are rising a lot of concerns towards the IT community, and a lot of concerns worldwide.

There are, of course, different sentiments related to political beliefs, ethics and moral considerations that should be considered. I will not enter here in the political, ethical and moral arena to present my personal point of view on the specific subject but I would like make some considerations on the IT sector reactions to what is happening.

It is an easy prediction that the future economic outlook will be impacted by USA administration approach and actions, and this can cause understandable reactions on the various stakeholders.

It is interesting to note the different approach from companies that need a global market to survive, as the technological ones, and the ones that rely on local and few other markets.

This difference is, nowadays, more evident on the IT (SW, HW, Services) sector, a highly technological and advanced area that has 2 important needs:

1) highly qualified and skilled personnel

2) a global market to act on

Setting aside the ethical and moral considerations (which are, don’t get me wrong, imperative to anyone), from a business point of view there is no doubt that some markets (as the technological one) need globalization more than other to prosper and survive.

The IT market, although, cover a critical position here, since it is the engine of the 4th industrial revolution and it is facing, as of now, a growing resistance from the older economical model players; comments and reactions I have seen on various platforms are mostly expression of this growing sentiment.

The IT market needs, market historically leaded by USA companies, has been able to growth thanks mainly to innovation, openness and intercultural exchange.

People working in this sector belongs to different ethnic groups, countries and religions bringing, due to this diversity, high value thanks to their experience and approach. In order to create something new (which is what all the Information technology industry is about) a different approach to things is needed. It is not a case that the IT industry in USA has historically found in the open approach (in terms of market and human resources) a tremendous advantage which brought USA to lead the IT market.

IT CEOs are understandably concerned that the environment that made them prosper now can change dramatically. USA administration announced economic protectionism and other rumored or in place actions (last but not least the improperly so called “muslim” ban) could, as a matter of facts, harms those company’s ability to growth and prosper.

In this view it is totally understandable the concerns of important CEOs towards the present and future actions of USA government and the need to address those concerns openly in public.

If, as rumor says, one of the next moves will be to target H-1B visas (working visas) this will heavily affect those companies that will be forced to rethink their approach to the technological market may be forcing them, as an example, to move R&D facilities to more friendly shores.

The truth behind this is that the need for qualified people in the IT sector is still growing to a rate that there is no single nation, nor even USA, that can provide the resources needed to back up this development; therefore the need for qualified and skilled people coming from virtually anywhere is imperative for this sector.

Like it or not some political issues does affect the economic of some sectors, therefore is absolutely understandable that the technology market reacts toward an approach that can undermine its chance to grow, expand, and ultimately bring value to a country in terms of economic wealth and image.

It is worth to notice also that the IT sector is changing, the technologies are shifting from products to services that need a worldwide market to be remunerative. From Cloud to IoT, passing through security and Big data all the recent technology trends calls for the most open and widest possible market.

But there is another factor to take into account; the consolidated IT technologies that need a limited innovation approach are now offered also by emerging competitors in countries outside USA as china and others.

Even if not ready to provide, in most cases, a disruptive technologies advance those companies are able to produce, in the consolidated technology market, a stable product implementation and constant improvement in a price\competitive fashion. Quality issues in consolidated technology fields are a minor concerns since products tend to be aligned.

If we add the geopolitical issues that lead, as an example, some countries to start looking for alternatives to USA products (China, Russia, Pakistan, India are an example, but understandable the middle east area in the future) the picture is more clear.

This is not politic, but economy.

One further economical consideration, the inevitable shift to a so called “data economy” (the real meaning of the 4th industrial revolution) is something that should be driven. Closing the economy to the old models although make you feel in your “comfort zone” will just retard the inevitable, creating more later costs to adapt.

But there are also ethical and moral consideration to be taken into account, and most of those CEO for once demonstrate that business and ethics can match, probably due not only to their business but also their heritage.

Kudos to Satya Nadella , Brad Smith, Sundar Pichai, Tim Cook, Mark Zuckerberg and the others that put business and ethics as a matter and speak out.

Antonio

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Why IT companies are so concerned by latest (and future) USA administration moves. was originally published on The Puchi Herald Magazine

Happy Chinese new Year -新年快乐

Happy Chinese new Year -新年快乐

To all my chinese friends and colleagues I send my best wishes for prosperous and healthy new year. Enjoy the spring festival!

 

 

 

 

 

 

 

我所有的中国朋友和同事我送上我的祝福的繁荣和健康的新的一年。

English: Chinese lunar New Year money god post...
English: Chinese lunar New Year money god poster in Hong Kong. ‪中文(繁體)‬: 財神到 (Photo credit: Wikipedia)

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Happy Chinese new Year -新年快乐 was originally published on The Puchi Herald Magazine

Watching the new presidents’ acts and talks (and the possible future outlook) And I am scared

Watching the new presidents’ acts and talks (and the possible future outlook) And I am scared

does the floor color make a difference here? really?

I usually do not write here about political stuff, if not in rare occasions but, hey, this is my blog at the end so I can express my feeling and thoughts.

I was watching today some videos related to USA president elected Donald Trump and his approach to the news (he would tweet: Fake news, sad!) and, honestly, I am scared to dead.

I do not like Mr Trump, USA citizens elected him so I have to cope with that, but this does not means I have to like him. I found most of his tweet questionable, his cult of personality disturbing, his approach with media alarming.

This does not means of course that media are always right, but is unthinkable to me that in a open democracy a president can consider communication a one-way affair and anyone who criticize him is “fake news“, “bad person”, “untrusty” or whatever mr Trump consider worth to put in a tweet.

let say the first days of his activity made me more worried than ever.

It was like the silly polemic on the amount of people watching his ceremony live. more than Obama one? Less than Obama one? the point was he could have managed, for my taste, the whole affair differently… claiming false statement was not the best presentation to the world… but the whole Trump administration seems to be  suffering from a severe news detachment, funny form a man that owe so much to the media.

Will mr Trump makes America great again? I am not so sure and, honestly, I haven’t understood what means america being great again, and what will be the price the world will have to pay for his vision. for sure at the moment I saw a clear detachment from actual data (take economic and crime data in USA compared to mr Trump assumptions) and a willingness to not respond to any doubt. He is autoreferential, he is the unquestionable metric for truth, ethics and results.

I saw this in the near past, from president Duterte from philippine, or Zuma in South africa, or turkey president Erdoğan or in a less recent past from Benito Mussolini or Hitler.

What they have in common? Extreme nationalism, cult of personality, hate for free press, being autoreferential.

I am not saying here that Mr. Trump will be like Mussolini, I am saying that there is a common pattern, and when I listen to absurd justifications like the ones presented to justify the false statements related to the crowd presence during mr Trump ceremony I am frankly scared to death.

But Trump, Erdogan, Duterte are a symptom of a bigger problem

We are on the verge of a 4th industrial revolution, but people of the countries all around the world seems to be oriented to close themselves into their borders in an attempt to protect themselves from the inevitable change. Alas changes will eventually come anyway and this is scary. Protectionism and nationalism are the first answer to change. But in the new world that we are shaping what will the consequences be?

If USA citizen will try to close their country (build the wall, remember) is in their right although not sure in their interest. Sure they are a big market, but it is not self sufficient. Without selling their stuffs outside how much USA economy will be affected?  Why a mexican should then buy a USA car instead of an European or Japanese or Chinese or Indian one? or why we should take a USA air flight unless we are forced to? (I actually travel emirates when I can).

But also why we should buy apple or use googleandroid? And the whole new list of technologies that will shape the new economy?  because this is the point, the new industrial revolution will put its root on data sharing… we will move from products to services, and to justify the investment needed we will have to scale at an international level.

Hate calls hate, racism calls racism, violence calls violence, disrespect calls disrespect. I know you don’t see it in your leader at the end you have to support him because it is what you created with your hands (vote) to cover your fears, but you should try to see it in other reactions where this is going …

Like it or not, this new economy will force to change our approach to job, new jobs will comes while other will die. Alas the trend is moving away from manual jobs to more skilled ones, more focused on the new technologies. Not only engineering, a whole bunch of new knowledge workers that will reshape the current middle class.

But we are in the middle of this change, we can’t see the light yet we just see the scary shadows of the tunnel. The good news is that all the industrial revolutions increased the number of workers, but at the same times have been shaped by crisis and, worst scenario, wars. We are experiencing the economic crisis right now (it is not over i am afraid) but we are (as people did in the past) addressing the new with old recipes.

In a Hyperconnected world as we are attempt to leverage censorship are questionable. China, north korea, Saudi Arabia, Iran will be the new references for the once flag of freedom of speech?

This is not just a USA issue, the rise of populism in Europe and in the rest of the world is a sign that this feeling is running through all the population of the biggest democracies (where you do not have democracy, well, you do not have the right to question the government and its rule).

The whole Brexit rhetoric has been based on this kind of assumptions (regain the control of our destiny, of our nation, of our economy so we will be again bigger, better, stronger …)that is not so different from the Front Nationale or Lega nord statements, or the Grillo’s claim of the need of a “strong man”.

What a twisted world it has become? Ironically the champion of capitalism, at the moment, is china with its free trade and free commerce slogans, while we ought to russia the safety for someone who disclosed USA attempt to hack million of USA and worldwide citizens.

Willingly or not the change will come, no matter what. The point is how much we will have to suffer because of this resistance.and remember each time you do not drive the change the change drives you.

hope for the best but prepare for the worst… at the moment I am scared because I see the down of an old era trying to strake the last shots, and they will hurt…

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Watching the new presidents’ acts and talks (and the possible future outlook) And I am scared was originally published on The Puchi Herald Magazine

Happy new insecure 2017: my resolutions and wishlist for new year

Happy new insecure 2017: my resolutions and wishlist for new year

Here we are, a new year comes and we, as cyber security expert, will keep warning the world about the deeply insecure world we are living.

And we will announce new technologies and new devastating scenarios related to new technologies. IoT and Cloud will rise their evil face while bad people will be lurking in the dark waiting to attack the innocent lamb crossing the road.

But, in all of this, the most of the damage will be still done by bad designed systems, by managers that does not understand what means living in a digital world, by politicians that understand cyber security issues only when they have something to gain, by entrepreneurs that still will invest in security as a disturbing side effect.

If I can make a wish for the new year is to see finally a different approach to information security, an approach that take into account that

1) to be secure you need well designed systems first and then cover it with some security geek technologies. If the design is crap all your security is crap no matter what you use on top

2) there is not security if your devices are not designed with security in mind, good code and code lifecycle is the best insurance, so if you buy the cheapest then do not cry … is your job to look for what you need and so yes is your fault if something goes wrong.

3) that finally companies, managers, entrepreneurs understand that security is within process, and not just a bunch of technologies put on top of something that you do not have the slightest idea what it is, you can’t protect what you don’t understand

4) that if people do not understand then people will not follow even the most basic rules, so training is not an optional, but the very basic. And to be sure the first that have to learn are the “CxO” which should get off the throne and start learning the world they crafted.

5) that if we keep thinking that IoT is wonderful but do not understand what IoT will bring in terms of cultural and technical problem we still will never understand what means putting security on this.

6) that if you hire an expert and then you don’t listen to himher then you are wasting hisher and your time. then do not blame the messenger.

7) that if you think that this complex field we call security can be covered by a junior that knows it all you are probably wrong unless the junior is a genious

8) that if you, security expert, think your counterpart has the slightest idea what you are talking about, you are probably wrong because you did not realize they do not understand what they does not know.

9) that all of this is part of the business, and therefore the business should took all this as one of its element, and not just a nasty annoying add on.

10) that next time someone talk about APT tells you the truth, the only way to stop an APT is to stop the attacker otherwise…. it would not be an APT

I know I know I am a but naive and still believe in fairy tales…

 

happy safe and secure 2017 to you all

security awarenesssecuritysecurity culture2017

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Happy new insecure 2017: my resolutions and wishlist for new year was originally published on The Puchi Herald Magazine

%d bloggers like this: