Find us on
My Computer Ate My Data, Changed My Students' Grades and Stole My Money
Computation Privacy and Regulatory Compliance Mechanisms for the Cloud
Keynote: Securing IT in Healthcare: Part III
ISTS Information Pamphlet
Many modern industries share and operate on information. As with the rest of society, these industries are moving their operations into electronic settings. In some fields (such as the financial sector), operating on data electronically offers a vital competitive edge; in other fields (such as in health care), operating on data electronically can be a very desirable cost-cutting measure. In both cases, firms are faced with the challenge of channeling the right information to employees, while ensuring that these information systems don't provide data entitlements that inappropriately enable misuse or violate customer privacy. At the same time, these industries are facing increased pressure from American and international governments to comply with new regulations regarding shared data-regulations that are well intentioned, but that perhaps do not fulfill the purpose their writers intended.
This situation creates a volatile mix of problems. Businesses seek to embed their information processes into technological systems, yet many problems cannot be solved using current technologies. Some enterprises (including many in the financial sector) are forced to build custom applications to meet their business goals. Enterprises also need to make rational business and technical decisions that balance information security risk with the cost of risk countermeasures, yet evaluating this risk and estimating that cost is in itself a hard problem.
This situation also offers exciting opportunities for research and education. Dartmouth has expertise that is highly relevant in this space: the PKI/Trust Lab in the Computer Science Department does cutting-edge research in the development of technology that effectively embodies real-world trust patterns, and the Center for Digital Strategies at Tuck is a thought leader in business-technology interaction.
This interdisciplinary project will thus examine both the underlying organizational and business causes, as well as the business costs, of risky information security practices in enterprises. Building on insights gained in Phase 0 (currently in progress under the name IRIPS and funded outside of this proposal), Phase 1 of this project will focus on employee entitlement in financial sector, including role development and lifecycle management.
We will expand the field study collaboration we started in Phase 0, and deliver a document outlining the key security challenges facing developers and managers in enabling appropriate information access. Based on those results we will develop models for entitlement provisioning and role lifecycle management. Additionally, we will develop a simulation to examine the flow of employees and their information needs in a simplified organization, and test our provisioning model on simulated enterprises. In Phase 2 of this project we will complete our work in the financial sector and begin a pilot investigation in the health care industry, with the objective of comparing the problems, issues, techniques and strategies we examined in the first phase and evaluate their possible effectiveness in healthcare.
Overall, understanding the information flows required by enterprises, and the usability and cost issues that constrain effective information security solutions for those flows, will enable researchers to better craft and evaluate information security technology for all business sectors. Researchers in security, PKI, and authorization lament the gap between lab technology and real-world humans; by working in collaboration with financial and healthcare organizations, we hope to reduce that gap and improve the state of information security technology in enterprise environments. This project will benefit data-centric industries, government regulators, technology innovators, and the general public by exploring current practices, current problems, and developing new theories for better mapping security into a data-oriented organization.
Last Updated: 3/14/13