
1-5 Implementing Security without Inhibiting Research: Mission Impossible?
Biomedical Research Institutions Information Technology Exchange (BRIITE), 3-5 October 2007
Robert J. Robbins (206)
© 2007, BRIITE

Impossible? Maybe not. But it is very hard.

The challenge is real, yet we all need to figure out how to implement some kind of solution anyway. And we had better be prepared to replace our solution with a better solution every few years for the next decade.

6-12 The Problem
- Culture clash between research and security.
- Work occurs within decentralized organizations.
- Work occurs across institutional boundaries.
- Problem keeps changing.
- Rules keep changing.
- Solution keeps changing.
- Human-subjects work is especially challenging.

13-18 Culture Clash
SECURITY              RESEARCH
closed                open
planned               opportunistic
structured            creative
respect authority     challenge authority
process driven...     one-off mentality...

19-22 Decentralized Organizations
Would this work in your organization:
"Your convenience is no reason for me to sacrifice the security of my network…"
But it does work in the military, where this quote originates.

23-33 True Story
Conversation between network administrator (N) and faculty member (F):
N: These changes will improve the security of our network.
F: But they will make it impossible for my lab to carry out its research.
N: With a little effort you should be able to find a work-around.
F: My staff and I have already devoted substantial effort to the problem and there is no work-around for us. However, we have determined that a relatively minor change in your security plan would meet your security needs while still allowing us to carry out our research.
N: What do you know about network security? You're just an end user.

Yes, but this end user also had a Nobel Prize and about two attractive job offers a month from other institutions.

POP QUIZ
The most likely outcome was:
1. The researcher totally changed his research program to meet the new security standards, or...
2. The network administrator found himself with the opportunity to spend more time with his family.

34-39 Work Spans Institutional Boundaries
Much biomedical research is now conducted by teams of collaborators, often spanning multiple institutions. Research that starts at one institution segues into multi-institutional work as students graduate, post-docs move on, and other changes occur.

Research often is accomplished by INFORMAL teams of workers, spanning multiple organizations. These teams dynamically come into existence to meet a research need, then disband.

Portions of tens (or hundreds) of such teams exist at any one time within any research organization. These teams are often not based on any formal relationships between the home institutions of the researchers.

Delivering high-quality security across such teams involves either:
- a proliferation of accounts across institutions, or
- a security system designed for a totally decentralized federation.
No currently available security system is designed to meet the needs of a totally decentralized federation.

40-48 Problem Keeps Changing
Changes in Problem Scope
Achieving security of research systems:
- within labs
- across labs
- across departments
- across campuses
- across institutions
- across state boundaries
- across national boundaries

49 Changes in Problem Domain
New problems keep arising:
- financial system
- confidential data on lost laptops
- web site break-ins
- student music downloads
- termination policies
- HIPAA
- ...

50-55 Changes in Logical Status
Some change is so profound that jokes become reality.
Sarcastic comment: "DNA is inherently identifiable. Pretty soon we'll have to start putting deliberate errors into DNA sequences before we can share them…"
Recent article in Science. Page 2: Tactics for de-identifying genomic data:
When reality starts to resemble parody, things are getting too complex for comfort.

56-57 Rules Keep Changing
- HIPAA
- Sarbanes-Oxley
- News stories of lost laptops
- Internal audit departments
- Non-research-savvy auditors
- Engaged boards of directors
- ...

58-59 Solution Keeps Changing
We need comprehensive support for implementing security in a totally decentralized federation. No such solution exists. So we keep implementing the approximation du jour (or maybe de jure).

60-68 Human Subjects Research
What is Human Subjects Research?
Certain activities are obviously human subjects research, appropriately covered by IRB rules and procedures. But where are the limits? What activities are covered and what are not?
- Effect of food additive?
- Price of popcorn in movie theaters?
- Production of recipe book?

HSR Criteria
Project: MBA student wants to interview theater managers about price of popcorn at different times and for different features.
Problem: Should this activity be considered research involving human subjects covered by 45 CFR part 46?
Answer: ?

HSR Criteria
Project: Research team wants to interview IRB heads, security officers, other institutional leaders to determine the policy requirements governing the deployment of multi-site digital security systems.
Problem: Should this activity be considered research involving human subjects covered by 45 CFR part 46?
?

69 END

