Welcome to my site...

A chinese lion statue

Thanks for visiting my website. You can learn more about me and all the many projects I am involved with my browsing this site. Below you will find the most recent articles published in all the different sections of my website. If you want to view articles on a specific area, please cick on one of the category links above. You can also follow the other links to learn more about me and my non-technical interests.

I'm glad you decided to drop in, feel free to leave comments on any article or to use the contact page to get in touch with me.

Conflicting Parties and Privacy Policies PDF Print E-mail
Security - Enterprise Security
Monday, 08 December 2008 14:52

 

Summary

Tim Wilson’s article [1] on privacy policy development and implementation describes the conflicts that arise between business units, executives, and external parties during privacy policy development, as well as the difficulties in implementing a privacy policy once developed. The main example cited in the article was a conflict between the Chief Privacy Officer (CPO) and the marketing group. The CPO’s goal is to protect individuals, and generally wants to maintain the least amount of data necessary for any given individual. At the same time, marketing organizations want the most information per individual possible in order to best target there audience. Other parties who may be involved include customers, who do not want organizations to have too much information and law enforcement whose investigations are often dependent upon access to such personal information. The article notes that there does not seem to be any easy way to address this problem, but that awareness that many different stakeholders should provide input and receive consideration in the privacy policy is important.

The second topic of the article is that problems can arise in implementing and enforcing a given privacy policy. Even if all parties are in harmonious agreement, it may not be possible to implement the resulting policy. For example, there may not be any existing tool or configuration option in existing software to meet the needs of the policy. Another issue cited in the article is that budget limitations may prevent the implementation. Enforcement can also be hindered through resale of customer data. Customers may remove themselves from one organization’s records, yet still receive information through that organization’s third party partners, in effect invalidating their previous opt-out. This scenario may violate the security policy, but preventing it may not be possible or require expensive changes to everyday operating procedures.

 

Relationship to Enterprise Security

While privacy is not officially part of the CIA (confidentiality, integrity, availability) principle, it is still an important aspect of the security mindset. As defined in lecture, privacy is “the right of an individual to control the disclosure and use of their personal information”. Safeguards must exist on both systems and data itself in order to protect such private information. The enterprise is responsible for safeguarding a great deal of personal and private data, both for employees and customers. For example, a company maintains contact information for customers and partners, as well as payroll information for employees. Because this data is most likely stored in information systems, it falls under the IT security staff to protect it. In addition, privacy will continue to grow in importance as the number of contract employees and external users of organizational data increases. For example, it is imperative to protect internal user data from outsourced operators that interact with the internal systems.

This article also deals with the development of policy. This is important for enterprise security because decisions are never simple and cannot be made arbitrarily; rather, good policy evaluates the needs of all stakeholders. The development of a coherent policy which is actually able to be implemented is crucial to the success of the enterprise security team. The policy sets out the rules and desired outcomes, and is used as the basis for all action-decisions in order to preempt and react to security incidents. Stakeholders could include various executives, departments, and regulators. The policy developers must consider all stakeholders and then prioritize (government regulations may out rule the marketing department’s desire to hold information for a lengthy period of time). Because enterprise security is primarily concerned with the interactions of technical systems and humans, policy can be seen as defining the protocols and rules of interaction.

 

Analysis/Discussion

The results of the study and article are not surprising. It is increasingly difficult in large modern organizations to have harmony and similar view points throughout the enterprise. One would not expect employees in the accounting department to understand all the complexities of setting up the technological controls on the accounting software provided by the IT department. As a result, policy development can be very slow and can see very strong resistance when one or more group’s desires cannot be met. Needs assessment interviews may need to be conducted, and policies should be reviewed and updated on a regular basis. 

Enterprise security, for IT, was not a top priority until very recently. Now that it has become a top objective for most organizations, best practices and standardization will continue to emerge. While best practices do not present the terminal solution for everyone, a simplified understanding will allow a greater number of IT administrators to protect their organizations. To be successful at higher levels of management in IT, it is important to understand how the IT goals will meet the business objectives of the organizations. This requires a full view of the business and must take into account external view points.

I took some time to review the original report [2] by HP Labs cited in the article. If I was in the position to create a policy, I would find this report very useful, and I believe the interview cases could apply to many other real world operations. The report is focused on customers and end users not the direct privacy concerns of the organization, which may be more obvious to most security and privacy administrators. I think it is very important to consider these “citizen” or “customer” concerns; while an organization may put a strong emphasis on protecting its own information, it should take care with others information as this could result in regulatory penalties, lost customer, and lost business partners. Internal trade secrets may be important, but the aggregate value of this third party information would tend to have a higher total value and may be a more desirable target than organization secrets for an attacker.

 

Bibliography

1. Wilson, Tim. Conflicting Interests Pose Huge Challenge To Privacy Policies . DarkReading. [Online] United Business Media LLC, November 7, 2008. [Cited: December 5, 2008.] http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001183.
2. Nickel, Cyndi, Sander, Tomas and Bramhall, Pete. The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises. s.l. : HP Laboratories, 2008. HPL-2008-153.

 

 

Tags enterprise security :: privacy
 
Evolution of the Public Network & Its Protocols (Report) PDF Print E-mail
Networking - Internet and Public Networks
Thursday, 02 October 2008 00:00

Below is a formal report, if you would prefer you can view a much more simple PowerPoint presentation of this topic here.

 

The ever increasing number of internetworked devices and data intensive applications creates great strain on global infrastructure and backbone networks. These functional demands require enormous amounts of data to move at near instantaneous speeds. Thus, the public network (which is the aggregate of backbone and service provider internetworks) requires continued evolution to keep pace with ever increasing flow of data. It is important to have an understanding of how data traverses the public network; the separation between organizational segments and individuals increases as globalization creates new long distance and international connections among people. The decisions made by the public network designers will dictate the speed of business and communication. This survey will analyze trends in design and protocols on the public network over time. By analyzing the strengths and weakness of individual technologies, rational behind emerging technologies can be better understood. This survey will help the student and IT administrator gain insight into the greater networking world, which will assist in effective decision making in terms of service acquisition and application deployment.

Over time, the nature of traffic traversing the public network has become increasingly diverse. Initially, traffic was uniform and highly predictable. Telephone conversations and television transmission generally have static bandwidth requirements; spikes and peak times (nights, holidays, announced events) are usually predictable. However, the emergence of the Internet and corporate site interconnects over public networks has greatly changed the nature of traffic flows. Internet traffic is bursty and often involves multiple conversations between distinct transmitters and receivers over the same paths. Shifts, spikes, and other changes are less predictable because they often are responses to news, recent events, or other factors that the provider cannot anticipate. Also, while most traffic years ago was local (80% local, 20% long haul), the inverse is true today were most traffic is long-haul and is directed between a few major cities (Greenfield, 2002, p. 9). As a result of these changes the public network requires new protocols to meet the changing traffic requirements. Not only has the type of traffic changed, but now there are increasing demands for quality of service (QoS) and new traffic intensive services are emerging.

One of the earliest popular technologies for the public network was Asynchronous Transfer Mode (ATM). ATM was initially developed by a French Telecommunications company in the 1970s as the foundation for their cable television infrastructure. ATM was well suited for both voice and video because it is connection-oriented and offers a higher QoS compared to a protocol such as Ethernet, which has no built-in QoS and is connectionless. Another distinction between ATM and Ethernet is that ATM has a small fixed-length packet; this design reduces delay and jitter, a problem associated with changes in delay (Greenfield, 2002, p. 34). While these characteristics are strengths for voice and video, they cause problems for data based traffic. The current TCP/IP protocol used on the layers above ATM does not map well to the fixed-size of ATM resulting in wasted bits being sent for every 50 bytes of data. In addition, “running IP over ATM requires an enormous amount of [expensive] additional software” (Greenfield, 2002, p. 35). In implementation, ATM achieves maximum performance when its virtual circuits (the logical connections that result from being connection-oriented) are fully meshed. As a result, there is significant routing overhead as the network scales upward (Greenfield, 2002, p. 192). ATM’s popularity is on the decline; however, the phasing out and replacement of this technology has been slow due to the large investment and support made by providers during its inception.

While ATM was designed to handle relatively uniform and simple traffic flows, synchronous optical networking (SONET) claims to be designed as a generic carrier for both smooth and burst traffic. SONET was developed and is used in the United States; it was later incorporated into Synchronous Digital Hierarchy (SDH) as a global standard. The difference between SONET and SDH deals with data rates used in the rest of the world, but for the most part the two are very similar. The overall technology will be discussed based on SONET in this survey. SONET is an optical multiplexing technology that is used for interconnecting multiple points in the public network. Unlike ATM, it is synchronous and based on time division multiplexing. The synchronous nature allows for higher speeds and does not require as much overhead, such as bit stuffing, used in asynchronous communications (Tektronix, p. 5). An important aspect of any technology used for the public network is management and traffic engineering abilities. A SONET frame can contain a great amount of overhead, which allows for “simpler multiplexing and greatly expanded operations, administration, maintenance, and provisioning (OAM&P) capabilities” (Tektronix, p. 16). SONET can carry very large payloads (50MB+) and was designed to easily scale the traditional hierarchal data streams used in telecommunications such as T1 and T3; this greatly simplifies the multiplexing and demultiplexing process because data streams are not divided in an irregular manner. Unlike other optical multiplexing technologies, SONET can exists in topologies besides point-to-point (hub, point-to-multipoint, ring).The ring design is the most common because it offers a high degree of protection and resiliency with a minimal investment in physical wiring (Greenfield, 2002, p. 134). SONET incurs a lower total cost of ownership (TCO) because it is a recognized standard, which increases vendor interoperability. In addition, SONET requires less equipment than other similar technologies which also lowers costs (Tektronix, p. 40). As a general backbone structure, SONET provides many benefits. However, there is limited flexibility in SONET. SONET equipment cannot easily provide lines and different speeds, forcing customers to purchase more than is sufficient for their needs. Another major problem is that when a link is established between two points two symmetric links are created; however, Internet traffic is inherently asymmetrical and bursty, which leads to wasted bandwidth for data traffic. (Greenfield, 2002, pp. 139-140).  Despite its shortcomings, SONET has remained popular due to its relative low cost and management features.

As new technologies continue to replace legacy ATM and SONET networks, the business case dictates that their financial costs should not outweigh their functional benefit. One such technology that has garnered great attention is Dense Wave Division Multiplexing (DWDM) for optical networks. Its popularity can be attributed to its ability to provide improved performance using elements of the current public network infrastructure. In a DWDM system, multiple carriers (different wavelengths/colors) transmit independently of each other and can have different traffic characteristics. A system is considered DWDM if it has eight or more carriers in a single fiber. The goal is to maximize the number of available carriers in the existing installed fiber (Horak, 2001, p. 2). Because each carrier is separate, optical switching allows for the signal to be rerouted without electro-optical conversion. DWDM enables very high data rates, easily hundreds of gigabits per second, over one physical medium. While DWDM equipment is significantly less expensive then SONET, there are of course some disadvantages. Each carrier can only accept one type (e.g. PCM Voice or TCP/IP data) at a given time, different streams cannot be mixed. This is ineffective because it leads to underutilization and undercuts QoS because all traffic on a carrier is given the same consideration en route (Horak, 2001, p. 3). While DWDM presents many technical advantages, the costs of replacing highly functional SONET networks may serve as a deterrent. The reader should note that networks can be designed that use SONET over DWDM.

Another technology which hopes to build upon existing infrastructure is Resilient Packet Ring (RPR). RPR was designed to incorporate the best aspects of SONET and Ethernet. One the critical goals of RPR was to create a technology that could serve all types of communications, not solely data or voice. To meet QoS demands there are three traffic classes: Synchronous (high quality voice), guaranteed, and best effort traffic (Greenfield, 2002, p. 157). RPR can easily integrate into the ring architecture that exists with SONET networks. RPR uses at least two rings, operating in opposite directions, which allows for faster end-to-end delivery by taking the shortest path. Another interesting ability of RPR, compared to SONET, is spatial reuse, which is a process where the bandwidth used by one transmission can be reclaimed by another after the first transmission is stripped from the ring. Compared to Ethernet, there is much less intermediary processing of traffic (Green & Schlicht, 2002). RPR’s greatest strength is that it can easily and inexpensively interface with SONET and Ethernet infrastructures and substitute for one or the other depending on the situation.

            While many new technologies are being developed for the public network, there are many who would like to see ubiquitous Ethernet deployed end-to-end. Ethernet’s popularity and low cost make it popular; however, it is poorly suited for the public network. As stated earlier, traffic engineering and QoS are important for a mixed multimedia public network, and are not standard features of Ethernet. In addition, Ethernet works best in a meshed environment; however, it presents little advantage in the current networks which are physically rings (Greenfield, 2002, p. 156). Ethernet could possibly be used at the WAN level, but would require extra provisions and overhead to be added for traffic of a connection-oriented nature. However, Ethernet is enticing because it would reduce the number of layers and conversion for end-to-end transmission (Kerner, 2008). For the time being providers will likely continue to use multiple technologies to build out their networks.

            The issues concerning the build out and evolution of the public network are numerous. Realistically, there will be no decisive “winner” because providers will make purchasing and implementation decisions based on many factors including cost, user demands, and predictions of the future nature of traffic. TCP/IP continues to grow in importance. If VoIP and IPTV can completely replace traditional telephone and cable television traffic may become more uniform. This could lead to simplified decisions for protocols in the future. With the physical medium being capable of ever higher speeds, overhead and latency become less important. RPR to this point has not been highly adopted, but shows the greatest potential for success. It easily integrates with the public network’s physical infrastructure and can handle multiple traffic flows. Its low price and relative ease of connection to Ethernet make it a strong contender. While it would be desirable, even at high speeds Ethernet lacks the robustness and management capabilities that the public network requires. A successful technology would easily interface with Ethernet and must provide a high level of management and yield a low TCO.

 

 

 

References

 

Eogogics Inc. (2005). Tutorial on Optical Networking. Retrieved September 5, 2008, from Eogogics Knowledge Center: http://www.eogogics.com/talkgogics/tutorials/optical-networking

Green, M., & Schlicht, L. (2002, September 3). Maximize the Metro With Resilient Packet Ring. Retrieved September 16, 2008, from CommsDesign: http://www.commsdesign.com/showArticle.jhtml;jsessionid=OBV1GC3HCJ2AAQSNDLPSKH0CJUNN2JVN?articleID=16505799

Greenfield, D. (2002). The Essential Guide to Optical Networks. Upper Saddle River, NJ: Prentice Hall PTR.

Horak, R. (2001, April 3). SONET vs. DWDM. Retrieved September 16, 2008, from Call Center Magazine: http://www.callcentermagazine.com/GLOBAL/stg/commweb_shared/shared/article/showArticle.jhtml?articleId=8704557&pgno=1

Kerner, S. M. (2008, January 11). Ethernet Traffic Doubles, While ATM and SONET/SDH Dip. Retrieved September 16, 2008, from Optically Networked: http://www.opticallynetworked.com/news/article.php/3721101

Optical Networks: DWDM and SONET. (2008). Retrieved September 16, 2008, from The Insight Research Corporation: http://www.insight-corp.com/reports/opticalnetworks.asp

Tektronix. (n.d.). Synchronous Optical Network. Retrieved September 5, 2008, from www.noc.garr.it/docum/Pos/sonet-textronix.pdf

 

 

Tags resilient packet ring :: ethernet :: sonet :: DWDM
 
Web Server Auditing for HIPAA §164.312(a)(1) PDF Print E-mail
Security - Enterprise Security
Thursday, 08 May 2008 05:56

This section of HIPAA is concerned with access control. In the IT infrastructure of a Medical organization, proper access is essential for patient privacy. Furthermore, access must be restricted to a “need to know” basis to prevent leaks to unauthorized third parties. To this end, this audit seeks to a) make sure all access is restricted (that is to say requires some more of credential validation before access) and auditable to a unique single identity (group or individual) and b) to make sure that the user credentials (passwords, pins, etc) are strong and secure within reason. By enforcing the above aspects of HIPAA the organization can be sure that all access is secure and that patient privacy and confidentiality are maintained. This aspect of HIPAA is also important for legal issues that may arise from a lawsuit or employee misconduct.

The exact text for this section is:

Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health and records information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

Source: CFR 45 - 164 - 312

You can view the embedded presentation below using the SlideShare applet below. The demo video form YouTube is automatically embedded for your convenience..


Auditing web servers for HIPAA compliance - §164.312(a)(1)
View more documents from Eric Goldman.


Some good references to get started with HIPAA:


If you would like more information, please feel free to contact me



Tags HIPAA :: privacy :: web security :: auditing :: password cracking :: MySQL :: LAMP :: input sanitization
 
<< Start < Prev 1 2 3 4 5 Next > End >>

Page 5 of 5