COLLABORATION & COMPLIANCE Identity Management meets Risk Management


Page 1: COLLABORATION & COMPLIANCE Identity Management meets Risk Management

COLLABORATION & COMPLIANCE

Identity Management meets Risk Management

Policy Physics meets Unintended Consequences

Terry Gray, PhD
Chief Technology Architect & Therapist
University of Washington
NAAG Identity Panel, 15 June 2010

Page 2

WHO, ME?

Rap singer arrested in slaying

"Terry Gray did not murder anyone," Alexander said. "They arrested the wrong man. Terry wasn't even in the building when it happened."

http://www.latimes.com/news/local/la-me-rapper10march1094,0,7499869.story

Accused killer to use an insanity defense

Citing a family history of bipolarity and murder, the attorney for accused killer Terry Gray says Gray will rely on an insanity defense.

http://www.realpagessites.com/attyatlaw/newsarticles/article.nhtml?uid=10003

Page 3

MISTAKEN ID?

http://www.dallasdesperados.com/images/coach_gray_terry.jpg

http://1.bp.blogspot.com/_bOKmjbY7wEo/SwF3evlnsnI/AAAAAAAABMI/cjL2xs-dP2E/s1600/Terry+Gray+with+Owl.JPG

http://cdn1.ioffer.com/img/item/737/389/96/839e_1.JPG

Page 4

Technology Policy

Page 5

CONTEXT: Research Universities

- Mission: discovery & innovation
- Means: extreme collaboration
  – Globally, at scale, crossing many boundaries
  – Seamless and simple resource sharing
- Culture: decentralized; diffuse authority
  – Collections of many independent businesses
  – A microcosm of “the Internet”

“Industry turns ideas into money; Universities turn money into ideas.” --Craig Hogan

http://liu.english.ucsb.edu/wiki1/images/4/4c/Collaboration.gif

Page 6

IDENTITY ISSUES IN COLLABORATION

- Multiple Account Madness and the role of federated access
  – How many credentials?
  – Single ID: convenience vs. “Single Point of Failure”
  – Institutional vs. consumer identities
- Role of identity providers & trust fabrics
  – Reputational risk
  – Transitive trust, e.g. Zoho via Google: bug or feature?
- Contradictions
  – Access control complexity leads to no access control
  – The role of anonymity and pseudonyms
  – Jurisdictions: data location, prevailing law; sunshine states

Page 7

WHAT DO WE FEAR?

“Stolen identities used to buy furniture and tummy tuck, police allege”

http://www.chicagotribune.com/news/ct-met-identity-theft-charges-20100605,0,7395352.story

Page 8

WHAT DO WE FEAR?

Individuals
- Identity theft and identity errors
- Privacy invasion (direct or via correlation and inference)
- Undesired disclosure or modification of identity or content
- Loss of civil liberties: unreasonable or incorrect search / seizure
- Crippling complexity

Institutions
- Compliance violations and costs (financial or reputational)
- Compliance and opportunity costs / complexity / backlash
- Identity or access control errors and their consequences
- Undermining the effectiveness of our faculty/staff/students

Page 9

WHO DO WE FEAR?

Page 10

“TOTAL INFORMATION AWARENESS”

Study Shows Targeted Ads Make Users Uneasy
By Terrence Russell, April 10, 2008

http://www.wired.com/epicenter/2008/04/study-shows-tar/

Even without ads, many are worried!

Page 11

GETTING ON LISTS IS SO EASY…

Sen. Kennedy Flagged by No-Fly List

By Sara Kehaulani Goo, Washington Post Staff Writer, Friday, August 20, 2004

U.S. Sen. Edward M. "Ted" Kennedy said yesterday that he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret "no-fly" list.

Computer Glitch caused NY Police to raid wrong house

By: Justin McGuire | March 20th, 2010

Here is a shocking incident of insensitivity: an octogenarian couple, Walt and Rose Martin, who are 83 and 82 respectively, had their house raided an incredible 50 times in the last 8 years, leaving them scared and wary of the police. The New York Police Department claims that this was caused by a glitch in the computer.

http://www.manhattanstyle.com/news/computer-glitch-caused-ny-police-to-raid-wrong-house/

http://www.washingtonpost.com/wp-dyn/articles/A17073-2004Aug19.html

Page 12

THE ROLE OF FEDERATION & SSO

http://farm1.static.flickr.com/237/446791372_ec19181a63.jpg?v=0

- Helps with “Multiple Account Madness”
- Can reduce collaboration friction
- Can convey attributes, e.g. OverLegalAge, or first-responder skills
- Can reduce data correlation risks
- Brings “transitive trust” risks
  – Crossing organizational policy boundaries
  – Crossing legal jurisdiction boundaries

Page 13

WHAT DO WE NEED?

- Updated laws for privacy protection
  – HIPAA plus EU “Fair Information Practices”
  – Fundamental right to correct the record
  – 4th Amendment applied to data held by 3rd parties
  – Role for anonymity (whistle-blower, stalker victim, dissident, secret agent)
  – No single points of (identity) failure, nor very high-value targets (cf. RealID)
  – No security theater; unintended consequences (cf. pre-paid cell registration)
- Improved identity infrastructure
  – Privacy-preserving (non-correlatable) federated identities
  – Pervasive trust fabrics (e.g. InCommon)
- IT + Government Partnership
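One way to realise the “non-correlatable federated identities” point on this slide, together with the attribute-conveying and correlation-risk bullets on the federation slide above, is sketched below: the identity provider derives a different pseudonym for each service provider and releases a derived OverLegalAge attribute rather than the birthdate. This is an added illustration, not code from the slides or from the University of Washington; the IdP secret, the user records, the SP entity IDs and the assertion layout are all constructed for the example.

```python
import hmac
import hashlib
from datetime import date

# Constructed IdP secret for this example; a real IdP keeps it in a secret store or HSM.
IDP_PAIRWISE_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed directory records (hypothetical users; dates chosen for the example).
USER_DIRECTORY = {
    "alice": {"birthdate": date(1960, 1, 15), "affiliation": "staff"},
    "bob":   {"birthdate": date(1995, 6, 16), "affiliation": "student"},
}

def pairwise_id(username: str, sp_entity_id: str) -> str:
    """Derive a per-service-provider pseudonym with an HMAC over (user, SP).
    Two SPs receive different but stable identifiers for the same person, and
    neither can map the value back to the directory username without the secret."""
    msg = username.encode() + b"\x00" + sp_entity_id.encode()
    return hmac.new(IDP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def over_legal_age(birthdate: date, today: date, legal_age: int = 18) -> bool:
    """Age check that accounts for whether this year's birthday has passed yet."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    return today.year - birthdate.year - (0 if had_birthday else 1) >= legal_age

def build_assertion(username: str, sp_entity_id: str, today_iso: str) -> dict:
    """What the IdP releases to one SP: a pairwise subject plus derived
    attributes. The birthdate itself never leaves the IdP."""
    record = USER_DIRECTORY[username]
    today = date.fromisoformat(today_iso)
    return {
        "subject": pairwise_id(username, sp_entity_id),
        "audience": sp_entity_id,
        "attributes": {
            "OverLegalAge": over_legal_age(record["birthdate"], today),
            "affiliation": record["affiliation"],
        },
    }

def can_correlate(assertion_a: dict, assertion_b: dict) -> bool:
    """Two SPs comparing notes can only link accounts if the subjects match."""
    return assertion_a["subject"] == assertion_b["subject"]
```

Swapping the HMAC for a plain hash of the username would let any SP that knows a username rebuild the subject and re-correlate, which is why the per-IdP secret matters.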

Page 14

DISCUSSION