Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard."— Presentation transcript:

1 On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont marco.casassa-mont@hp.com Hewlett-Packard Labs Bristol, UK

2 Presentation Outline  Background & Privacy Concepts  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Current Privacy Management in Enterprises  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

3 Presentation Outline  Background & Privacy Concepts  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Current Privacy Management in Enterprises  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

4 PRIVACY Regulations (incomplete list …) Regulatory Compliance (Example of Process) Privacy: An Important Aspect of Regulatory Compliance for Enterprises

5 Privacy Policies Limited Retention Limited Disclosure Limited Use Limited Collection Consent Purpose Specification Privacy Rights Privacy Permissions Privacy Obligations Privacy Policies for Personal Data: Core Principles

6 Identity Management Solutions Information Lifecycle Management Solutions Enterprise Identity Information/ Confidential Data Management of Data/Confidential Data in Enterprises Others (ad-hoc, etc.) Systemic Approaches …

7 Presentation Outline  Background & Privacy Concepts  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Current Privacy Management in Enterprises  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

8 Information Lifecycle Management (ILM) Information Lifecycle Management (ILM) is a comprehensive Approach to Manage Information Systems’ Data and associated “Metadata” from Creation and Initial Storage to the time when it becomes Obsolete and is Deleted:  Deal with User Practices  Automate Storage Procedures  Information Retrieval Information Lifecycle Management Automates:  Process of Organising Data into Separate Tiers  Data Migration between Tiers based on Policies

9 Information Lifecycle Management (ILM) Information Lifecycle Management (ILM) provides degrees of support for the following Information/Data Management Phases: Assessment Data Analysis Classification Automation Review

10 Information Lifecycle Management (ILM) Information Lifecycle Management (ILM) Automation Technologies: ILM Policy Engine Search and Classify ILM Policy Audit Information/ Document Mover Secure Access Source: “Data Protection and Information Lifecycle Management Ed. Prentice Hall, Author: Petrocelli”

11 Information Lifecycle Management (ILM) Current Privacy Management Capabilities:  Little or No Explicit Management of Privacy Policies  Limited Privacy Capabilities, such as Data Retention/Deletion and Access Control  No Advanced Support for Privacy Obligations  Proprietary/Ad-hoc Solutions  Lack of Integration/Interoperability with Other Solutions

12 Presentation Outline  Background & Privacy Concepts  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Current Privacy Management in Enterprises  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

13 Identity Management (IDM) Enterprise Identity Management Solutions deal with the Management of Digital Identities, User Accounts and User Profiles. Provide services to Applications. Support core Functionalities:  Authentication, Authorization, Audit  User Provisioning and Account Management  Data Storage  Links to Legacy Systems and Data Consolidation

14 Identity Management (IDM) State-of-the-Art of Identity Management Solutions: Privacy Mgmt Directories Meta- Directories Virtual Directories Data Repository Components Authentication Authorization Auditing Security Components Provisioning Longevity Lifecycle Components Single Sign-On Personalization Consumable Value Components Self Service Management Components Fed. Mgmt User Mgmt Access Control Databases

15 Identity Management (IDM) Current Privacy Management Capabilities:  Limited Management of Privacy Policies  Focus Mainly on Privacy-Aware Access Control  No Real Support for Privacy Obligations  Proprietary/Ad-hoc Solutions  Lack of Integration/Interoperability with Other Solutions

16 Presentation Outline  Background & Privacy Concepts  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Current Privacy Management in Enterprises  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

17 Personal Data Applications & Services PEOPLE ENTERPRISE Privacy Legislation (EU Laws, HIPAA, COPPA,SOX, GLB, Safe Harbour, …) Customers’ Expectations Internal Guidelines Regulatory Compliance Customers’ Satisfaction Positive Impact on Reputation, Brand, Customer Retention Enterprise Privacy Management Impact on Enterprises and Opportunities Regulations, Standards, Best Practices Enterprise IT Infrastructure IT Alignment Policy Enforcement Policy Development Transparenc y Monitoring Reporting Effective Enterprise Privacy depends on Good Governance Practices

18 Data Governance in Enterprises  Personal Data and Digital Identities  Handled with “Identity Management” Solutions (IDM) …  Subject to Privacy Policies  (Sensitive) Documents and Other Data  Handled with “Information Lifecycle Management” Processes and Solutions (ILM) and Other Approaches …  Might Contain Personal Data …  If so, Subject to Privacy Policies

19 Current IDM and ILM Solutions Exists a Dichotomy between:  “Identity Management” Solutions (IDM) …  “Information Lifecycle Management” Processes and Solutions (ILM)… Various Reasons:  Different Nature of Managed Information  Different Business Requirements  Different Information Usage Patterns Identity Management (IDM) Identity Management (IDM) Information Lifecycle Management (ILM) Information Lifecycle Management (ILM)

20 IDM and ILM: Common Aspects … Current Dichotomy Doesn’t Help To Manage Privacy  Both handle Confidential Data  Both need to Address Privacy Management  No Integrated Management of Privacy Policies  Duplication of Efforts  Privacy still based on Human Processes:  Prone to Mistakes and High Costs

21 Requires Well-Planned, Systemic and Ongoing Efforts:  Privacy Policies and Preferences can Change over time  Data and Confidential Documents can be subject to different Privacy Laws  Data needs to be Disposed or Transformed over time Enterprise Privacy Management [1/2]

22 Enterprise Privacy Management [2/2] Privacy-aware Access Control  Most of Privacy Solutions (+ R&D Work) currently focusing here Privacy Obligation Management  No “Privacy-aware” Solutions are really available …  Obligations dictate Duties and Expectations …  Obligations are Transversals to ILM and IDM:  Impact on Information Lifecycle Management (Retention, Deletion, Notifications, Transformation, etc.)  Impact on Identity Information/ Identity Management  Under-emphasised Area … Privacy Rights Privacy Permissions Privacy Obligations Privacy Rights Privacy Permissions Privacy Obligations

23 Identity Management Solutions Information Lifecycle Management Solutions Enterprise Identity Information/ Confidential Data Privacy Obligations Focus on Privacy-aware Information Lifecycle Management

24 Open Issues Issues to be Addressed to enable Privacy-Aware Information Lifecycle Management: Lack of Automation  Lack of Automation  Human-based Processes  High Cost, Prone to Mistakes Lack of Integration (e.g. ILM and IDM)  Lack of Integration (e.g. ILM and IDM)  Duplication of Efforts  Lack of Centralization

25 Presentation Outline  Background & Privacy Concepts  Current Privacy Management in Enterprises  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

26 Privacy-aware Information Lifecycle Management “Privacy-Aware Information Lifecycle Management is the Process of Ensuring that the Lifecycle of Personal and Confidential Data (inclusive of any Confidential Document) is Managed according to stated Privacy Policies, Users’ Preferences and Enterprise Privacy Guidelines”

27 Privacy-aware Information Lifecycle Management  Requirements, Core Properties and Features  HP Labs Current R&D Work in this Area  Next Steps

28 Requirements [1/2] Dictated by Privacy Laws, Best Practices, Common Sense:  Enterprise should clearly state the Purposes for collecting personal/confidential data and Processing Criteria  Openness and Transparency over Enterprise Processes  People should:  Be enabled to express their Privacy Preferences (e.g. Deletion)  Be Notified of changes affecting the management of their personal data  Retain a degree of Control on their data  Lifecycle of Data driven by all these Aspects

29 Requirements [2/2]  Enforcement and Compliance Checking of Privacy Obligations Importance of Automating the Handling Privacy Obligations to Enable Privacy-Aware Information Lifecycle Management Importance of doing this across ILM and IDM Solutions

30 Privacy-aware Information Lifecycle Management Solutions Expected Core Properties and Functionalities:  Explicit Modelling of Personal/Confidential Data  Explicit Representation of Privacy Policies ( e.g. Obligations )  Integrated Management of these Policies ( e.g. Security Policies )  Deployment and Enforcement of these Policies:  Leveraging IDM and ILM Infrastructures  Integrated Monitoring and Checking for Compliance

31 Privacy-aware ILM: Our Approach HP Labs R&D Work on Privacy Obligation Management Usage of an Obligation Management System (OMS) as Foundation of Privacy-aware ILM, across ILM and IDM Solutions

32 Obligation Management System Obligations Scheduling Obligations Enforcement Obligations Monitoring Personal Data (PII) Data Subjects Administrators ENTERPRISE Obligation Management System (OMS): Model Privacy Obligations Privacy Preferences

33 OMS to Enable Privacy-aware ILM [1/3] Obligation Management System (OMS):  Centralised Modelling and Abstraction of Managed Data  Centralised Representation and Authoring of Privacy Obligations  Orchestrates the Deployment, Enforcement and Monitoring of Obligations within Existing ILM and IDM Systems

34 OMS to Enable Privacy-aware ILM [2/3] Obligation Management System Obligation Management System ILM Systems IDM Systems Other … Data RepositoriesDoc. Repositories Other Storage … Enterprise Information Policy Control Policy Control Policy Control Privacy Preferences Privacy Policies & Models

35 Identity Management Solution (IDM) Identity Management Solution (IDM) Information Lifecycle Management Solution (ILM) Information Lifecycle Management Solution (ILM) Obligation Management System (OMS) Data Abstraction and Modelling Obligation Policy Representation & Lifecycle Mgmt Obligation Deployment & Enforcement Obligation Monitoring Users Data + Privacy Preferences Adaptors Administrators Obligation Policies Models ENTERPRISE Deploy Policies & Enforce Monitor & Compliance Check OMS to Enable Privacy-aware ILM [3/3]

36 Current Status and Next Steps OMS System: HP Labs Proof of Concept  Integrated with IDM Solution  Exploring its Integration with ILM Solution Need to Further Explore some Security Implications First Step Towards Privacy-aware ILM  Current Objective: Create Awareness of Privacy-aware ILM Work in Progress …

37 Presentation Outline  Background & Privacy Concepts  Current Privacy Management in Enterprises  What is Information Lifecycle Management (ILM)?  What is Identity Management (IDM)?  Moving Towards Privacy-Aware ILM in Enterprises  Conclusions

38 Conclusions  Importance of Privacy Management for Enterprises  Obligation Management is Key to Privacy-aware Information Lifecycle Management  Current Obligation Management: underestimated, ad-hoc, …  Need to Centralise Obligation Policies for their Enforcement/Monitoring & Integrate with current ILM and IDM Solutions  Importance of Creating Awareness of Need for a Comprehensive, Enterprise-wide Privacy-aware Information Lifecycle Management  HP Labs: Work in Progress …

Download ppt "On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard."

Similar presentations

ONS Research Data Access Strategy AGENDA Background and context Confidentiality The Strategy.

ONS Research Data Access Strategy AGENDA Background and context Confidentiality The Strategy.
Presentation by Priyanka Sawarkar

Presentation by Priyanka Sawarkar
VERS Development and Thinking Howard Quenault and Nicholas Leask.

VERS Development and Thinking Howard Quenault and Nicholas Leask.
Compliance Requirements for Business-process driven SOAs

Compliance Requirements for Business-process driven SOAs
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.
Oncor’s EIM Program.

Oncor’s EIM Program.
Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.

Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Managing Digital Identities: Challenges.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Managing Digital Identities: Challenges.
Security Controls – What Works

Security Controls – What Works
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Policy Management: An Overview Marco.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Policy Management: An Overview Marco.
IBM Global Services © 2003 IBM Corporation Privacy Technology and the Public Sector CACR Conference November 6, 2003 IBM Global Services.

IBM Global Services © 2003 IBM Corporation Privacy Technology and the Public Sector CACR Conference November 6, 2003 IBM Global Services.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Panel: Business Impact of Research.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Panel: Business Impact of Research.
Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.

Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
LEVERAGING THE ENTERPRISE INFORMATION ENVIRONMENT Louise Edmonds Senior Manager Information Management ACT Health.

LEVERAGING THE ENTERPRISE INFORMATION ENVIRONMENT Louise Edmonds Senior Manager Information Management ACT Health.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

Similar presentations

Ads by Google