Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Presentation Outline PowerPoint Presentation
Download Presentation
Presentation Outline

Presentation Outline

178 Vues Download Presentation
Télécharger la présentation

Presentation Outline

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the ContextMarco Casassa Montmarco.casassa-mont@hp.comHewlett-Packard LabsBristol, UK

  2. Presentation Outline • Background & Privacy Concepts • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Current Privacy Management in Enterprises • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  3. Presentation Outline • Background & Privacy Concepts • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Current Privacy Management in Enterprises • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  4. PRIVACY Privacy: An Important Aspect of Regulatory Compliance for Enterprises Regulatory Compliance (Example of Process) Regulations (incomplete list …)

  5. Purpose Specification Consent Privacy Permissions Limited Collection Privacy Obligations Privacy Rights Limited Use Limited Disclosure Limited Retention Privacy Policies for Personal Data: Core Principles Privacy Policies

  6. Management of Data/Confidential Datain Enterprises Systemic Approaches … Others (ad-hoc, etc.) Information Lifecycle Management Solutions Identity Management Solutions Enterprise Identity Information/ Confidential Data

  7. Presentation Outline • Background & Privacy Concepts • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Current Privacy Management in Enterprises • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  8. Information Lifecycle Management (ILM) • Information Lifecycle Management (ILM) is a comprehensive • Approach to Manage Information Systems’ Data • and associated “Metadata” from Creation and Initial Storage to • the time when it becomes Obsolete and is Deleted: • Deal with User Practices • Automate Storage Procedures • Information Retrieval • Information Lifecycle Management Automates: • Process of Organising Data into Separate Tiers • Data Migration between Tiers based on Policies

  9. Information Lifecycle Management (ILM) Information Lifecycle Management (ILM) provides degrees of support for the following Information/Data Management Phases: Assessment Data Analysis Classification Automation Review

  10. Information Lifecycle Management (ILM) Information Lifecycle Management (ILM) Automation Technologies: ILM Policy Engine Search and Classify ILM Policy Audit Information/ Document Mover Secure Access Source: “Data Protection and Information Lifecycle Management Ed. Prentice Hall, Author: Petrocelli”

  11. Information Lifecycle Management (ILM) • Current Privacy Management Capabilities: • Little or No Explicit Management of Privacy Policies • Limited Privacy Capabilities, such as Data Retention/Deletion and Access Control • No Advanced Support for Privacy Obligations • Proprietary/Ad-hoc Solutions • Lack of Integration/Interoperability with Other Solutions

  12. Presentation Outline • Background & Privacy Concepts • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Current Privacy Management inEnterprises • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  13. Identity Management (IDM) • Enterprise Identity Management Solutions deal with the • Management of Digital Identities, User Accounts and User Profiles. Provide services to Applications. Support core Functionalities: • Authentication, Authorization, Audit • User Provisioning and Account Management • Data Storage • Links to Legacy Systems and Data Consolidation

  14. Identity Management (IDM) State-of-the-Art of Identity Management Solutions: Management Components User Mgmt Privacy Mgmt Access Control Fed. Mgmt Consumable Value Components Single Sign-On Self Service Personalization Lifecycle Components Longevity Provisioning Security Components Authorization Authentication Auditing Data Repository Components Meta- Directories Databases Directories Virtual Directories

  15. Identity Management (IDM) • Current Privacy Management Capabilities: • Limited Management of Privacy Policies • Focus Mainly on Privacy-Aware Access Control • No Real Support for Privacy Obligations • Proprietary/Ad-hoc Solutions • Lack of Integration/Interoperability with Other Solutions

  16. Presentation Outline • Background & Privacy Concepts • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Current Privacy Management in Enterprises • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  17. Regulations, Standards, Best Practices Policy Development • Effective Enterprise • Privacy depends on • Good Governance • Practices Reporting IT Alignment Transparency Policy Enforcement Monitoring Privacy Legislation (EU Laws, HIPAA, COPPA,SOX, GLB, Safe Harbour, …) Internal Guidelines Enterprise IT Infrastructure Customers’ Expectations Applications & Services • Impact on Enterprises and • Opportunities Personal Data PEOPLE ENTERPRISE Positive Impact on Reputation, Brand, Customer Retention Customers’ Satisfaction Regulatory Compliance Enterprise Privacy Management

  18. Data Governance in Enterprises • Personal Data and Digital Identities • Handled with “Identity Management” Solutions (IDM) …  Subject to Privacy Policies • (Sensitive) Documents and Other Data • Handled with “Information Lifecycle Management” Processes and Solutions (ILM) and Other Approaches … • Might Contain Personal Data … • If so, Subject to Privacy Policies

  19. Current IDM and ILM Solutions • Exists a Dichotomy between: • “Identity Management” Solutions (IDM) … • “Information Lifecycle Management” Processes and Solutions (ILM)… Identity Management (IDM) Information Lifecycle Management (ILM) • Various Reasons: • Different Nature of Managed Information • Different Business Requirements • Different Information Usage Patterns

  20. IDM and ILM: Common Aspects … • Both handle Confidential Data • Both need to Address Privacy Management • No Integrated Management of Privacy Policies • Duplication of Efforts • Privacy still based on Human Processes: • Prone to Mistakes and High Costs Current Dichotomy Doesn’t Help To Manage Privacy

  21. Enterprise Privacy Management [1/2] • Requires Well-Planned, Systemic and Ongoing Efforts: • Privacy Policies and Preferences can Change • over time • Data and Confidential Documents can be • subject to different Privacy Laws • Data needs to be Disposed or Transformed • over time

  22. Privacy Permissions Privacy Permissions Privacy Obligations Privacy Obligations Privacy Rights Privacy Rights Enterprise Privacy Management [2/2] • Privacy-aware Access Control • Most of Privacy Solutions (+ R&D Work) currently focusing here • Privacy Obligation Management • No “Privacy-aware” Solutions are really available … • Obligations dictate Duties and Expectations … • Obligations are Transversals to ILM and IDM: • Impact on Information Lifecycle Management (Retention, Deletion, Notifications, Transformation, etc.) • Impact on Identity Information/ Identity Management • Under-emphasised Area …

  23. Focus on Privacy-aware Information Lifecycle Management Information Lifecycle Management Solutions Identity Management Solutions Privacy Obligations Enterprise Identity Information/ Confidential Data

  24. Open Issues • Issues to be Addressed to enable Privacy-Aware Information Lifecycle Management: • Lack of Automation • Human-based Processes • High Cost, Prone to Mistakes • Lack of Integration (e.g. ILM and IDM) • Duplication of Efforts • Lack of Centralization

  25. Presentation Outline • Background & Privacy Concepts • Current Privacy Management in Enterprises • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  26. Privacy-aware Information Lifecycle Management “Privacy-Aware Information Lifecycle Management is the Process of Ensuring that the Lifecycle of Personal and Confidential Data (inclusive of any Confidential Document) is Managed according to stated Privacy Policies, Users’ Preferences and Enterprise Privacy Guidelines”

  27. Privacy-aware Information Lifecycle Management • Requirements, Core Properties and Features • HP Labs Current R&D Work in this Area • Next Steps

  28. Requirements [1/2] • Dictated by Privacy Laws, Best Practices, Common Sense: • Enterprise should clearly state the Purposes for collecting personal/confidential data and Processing Criteria • Openness and Transparency over Enterprise Processes • People should: • Be enabled to express their Privacy Preferences (e.g. Deletion) • Be Notified of changes affecting the management of their personal data • Retain a degree of Control on their data • Lifecycle of Data driven by all these Aspects

  29. Requirements [2/2] • Enforcement and Compliance Checking of • Privacy Obligations • Importance of Automating the Handling Privacy Obligations to Enable Privacy-Aware Information Lifecycle Management • Importance of doing this across ILM and IDM Solutions

  30. Privacy-aware Information Lifecycle Management Solutions • Expected Core Properties and Functionalities: • Explicit Modelling of Personal/Confidential Data • Explicit Representation of Privacy Policies (e.g. Obligations) • Integrated Management of these Policies (e.g. Security Policies) • Deployment and Enforcement of these Policies: • Leveraging IDM and ILM Infrastructures • Integrated Monitoring and Checking for Compliance

  31. Privacy-aware ILM: Our Approach • HP Labs R&D Work on Privacy Obligation • Management • Usage of an Obligation Management System (OMS) • as Foundation of Privacy-aware ILM, across • ILM and IDM Solutions

  32. Obligation Management System Obligations Monitoring Obligations Enforcement Obligations Scheduling Privacy Preferences Privacy Obligations Personal Data (PII) Obligation Management System (OMS): Model Data Subjects Administrators ENTERPRISE

  33. OMS to Enable Privacy-aware ILM [1/3] • Obligation Management System (OMS): • Centralised Modelling and Abstraction of Managed Data • Centralised Representation and Authoring of Privacy Obligations • Orchestrates the Deployment, Enforcement and Monitoring of Obligations within Existing ILM and IDM Systems

  34. OMS to Enable Privacy-aware ILM [2/3] Privacy Preferences Obligation Management System Privacy Policies & Models Policy Policy Policy Control Control Control Other … ILM Systems IDM Systems Enterprise Information Doc. Repositories Data Repositories Other Storage …

  35. Obligation Management System (OMS) OMS to Enable Privacy-aware ILM [3/3] Data + Privacy Preferences Obligation Policies Models Data Abstraction and Modelling Obligation Policy Representation & Lifecycle Mgmt Users Obligation Deployment & Enforcement Obligation Monitoring Administrators Adaptors Adaptors Deploy Policies & Enforce Monitor & Compliance Check Identity Management Solution (IDM) Information Lifecycle Management Solution (ILM) ENTERPRISE

  36. Current Status and Next Steps • OMS System: HP Labs Proof of Concept • Integrated with IDM Solution • Exploring its Integration with ILM Solution • Need to Further Explore some Security Implications • First Step Towards Privacy-aware ILM • Current Objective: Create Awareness of Privacy-aware ILM • Work in Progress …

  37. Presentation Outline • Background & Privacy Concepts • Current Privacy Management in Enterprises • What is Information Lifecycle Management (ILM)? • What is Identity Management (IDM)? • Moving Towards Privacy-Aware ILM in Enterprises • Conclusions

  38. Conclusions • Importance of Privacy Management for Enterprises • Obligation Management is Key to Privacy-aware Information Lifecycle Management • Current Obligation Management: underestimated, ad-hoc, … • Need to Centralise Obligation Policies for their Enforcement/Monitoring &Integrate with current ILM and IDM Solutions • Importance of Creating Awareness of Need for a Comprehensive, Enterprise-wide Privacy-aware Information Lifecycle Management • HP Labs: Work in Progress …