<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>CSC Blog</title>
    <link>http://www.csc.com/ee/</link>
    <description>CSC Blog</description>
    <dc:language>en</dc:language>
    <dc:creator>pgustafs@gmail.com</dc:creator>
    <dc:rights>Copyright 2008</dc:rights>
    <dc:date>2008-07-01T02:25:00-05:00</dc:date>
    <admin:generatorAgent rdf:resource="http://www.pmachine.com/" />
    

    <item>
      <title>Being “Perfect” Delivers Nothing</title>
      <link>http://www.csc.com/ee/lef/being_perfect_delivers_nothing/</link>
<description>Here we go again.&amp;nbsp; In the latest round of annual security surveys we now have the “2008 Security Survey” from InformationWeek.&amp;nbsp; As presented by its authors, the main message of this survey is that “risk management” is the answer to the woes of continued investments in security that seemingly yield no real improvement.&amp;nbsp; The survey is thorough in its analysis of the data collected, and even goes on to point to applications of “risk management” by industries like insurance as models of a proactive strategy that should be emulated by information security managers as well.


The survey once again confirms earlier conclusions and collections of anecdotal evidence that emerge year after year in surveys taken and published not only by InformationWeek but others (e.g., “Global Security Survey” from CIO, “State of Information Security” from CSO, the industry-specific Global Security Surveys from Deloitte, and the “Global State of Information Security” done annually by PriceWaterhouseCoopers, CIO and CSO).


While every one of these surveys delivers powerful reminders of “where we are” with regard to our current information security practices and status, there seems to be a consistent thread of “why are we stuck?” along with exhortations to be more diligent (like the insurance industry) in performing “risk management” to help determine investment and response priorities.&amp;nbsp; Apparently, no matter how well we do, it’s just not good enough.


What If We Could Perform Information Risk Management “Perfectly”?

No matter where or how it is applied, risk management, including information risk management, is a purely defensive strategy that works in two ways:


1. Protect what value already exists even if some “bad stuff” happens.

2. Reduce the chances of “bad stuff” happening.


While you can see these two objectives expressed in various equations or toolsets or hundreds of different metrics, all of the expressions represent the same two foundation objectives.&amp;nbsp; Some industries (e.g., gambling, insurance and investment) have evolved more mature tools and techniques to apply the foundations of risk management to their specific industries.&amp;nbsp; Information risk management has not evolved nearly as well.


What if, despite our acknowledged shortcomings, we could apply information risk management “perfectly” to our enterprise?&amp;nbsp; What would happen to the existing enterprise information value at risk?&amp;nbsp; According to the foundation equations of information risk exposure, our information risk would become zero!&amp;nbsp; And, according to all of the most public of surveys, this is exactly the state we desire.


But, wait!&amp;nbsp; If we could do information risk management perfectly, what would happen to the total value of the enterprise?&amp;nbsp; The answer is equally clear: we would not add a single nickel of value to the enterprise!


Somehow, that takes the luster off of the so-called desirable state.&amp;nbsp; Somehow, pure traditional information risk management doesn’t seem like enough.&amp;nbsp; Seen through the eyes of senior leaders of business and government enterprises, this outcome falls short of where we need to go today.


Spending “the Other Side of the Coin”

According to the Digital Trust report series, there’s another (longstanding) side to this coin of information risk management.&amp;nbsp; Rather than focus on defense and the preservation of as much existing enterprise value as seems “reasonable,” digital trust applies security technology and services to:


1. Create new value.

2. Increase the chances of “good stuff” happening.


This is referred to in digital trust as “the other side of the coin” for security services and technologies, and points to a whole new strategy for making decisions about security investments.&amp;nbsp; Furthermore, the digital trust research results show that “you can’t spend just one side of the coin.”  That is, by using a digital trust strategy, the information risk exposure reduction is achieved as a beneficial side effect.&amp;nbsp; Check out all the volumes of the Digital Trust series to see how this strategy works and how others are capturing payoffs.&amp;nbsp; In particular, scan volumes 1 and 8 (Volume 8 coming soon) for the “quick study” tour.


Digital trust calls on the enterprise to “aim higher” for value creation with security services and technologies, knowing that risk exposure will be reduced as well.&amp;nbsp; It also calls for a change in the security governance approaches used by the enterprise, especially a change in the assignments and responsibilities assigned to information security leaders.&amp;nbsp; Digital trust is a learned behavior.


What About Next Year’s “State of Information Security” Report?

As long as we continue to focus on the defense of traditional information risk management, we can expect the next reports on “the state of information security” to show marginal shifts in performance (one way or the other) and to encourage the deployment of different kinds of technologies and practices to deliver marginal improvements in the protection of enterprise value that already exists.&amp;nbsp; And, since nearly all of our theoretical foundations for risk management (including as applied to information and information services) were discovered and proven during the Renaissance, we have 250 years of evolved behavior and practice to overcome.&amp;nbsp; (See Peter L. Bernstein’s book, Against the Gods: The Remarkable Story of Risk.)


The annual surveys often note that we measure IT risk management budgets as a percentage of the overall IT budget.&amp;nbsp; Yet, we find no dependable (and positive) correlation between the percentage assigned and the results achieved.&amp;nbsp; In fact, in many places we often see attempts to determine just how small that percentage can be before results appear to become measurably worse.


If we want the reports to change, and we want security services and technologies to provide real payoffs to the enterprise, then a digital trust strategy provides a way to go.&amp;nbsp; Some enterprises are already showing signs of digital trust, and those might be better examples for us to follow than even the most sophisticated applications of traditional risk management.


Aim higher.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-07-01T03:25:00-05:00</dc:date>
    </item>

    <item>
      <title>Don’t Put a Freeze on Liquid Security</title>
      <link>http://www.csc.com/ee/lef/dont_put_a_freeze_on_liquid_security/</link>
      <description>Hooray for virtual computing environments!&amp;nbsp; Freeing the digital enterprise (and users of the digital enterprise) from the shackles of physical platforms and the replication of operating systems and applications everywhere is crucial to capturing the value potential of the “liquid enterprise” (see Volume 5 of the Digital Trust series).&amp;nbsp; But the payoffs of a liquid enterprise cannot be created and sustained unless there is equally liquid security to flow over, through and around the (newly) liquid digital enterprise.


Liquid security is digital trust when time, place and platform are irrelevant.&amp;nbsp; As long as digital trust remains “liquid,” then the enterprise can indeed create and capture new value with such techniques as dissolving the intranet altogether, letting users apply their own “consumer IT” for their job, and making all kinds of applications and data usable in all kinds of circumstances, regardless of the networking, platform or support environment.&amp;nbsp; This is the power of liquid security, and virtual computing technology is one clear contributor to that value creation and capture.&amp;nbsp; When the right kind of digital trust remains liquid, only the application matters.


Hoping the Phantom Remembers Digital Trust

But, as IBM reminds us, “virtual computing environments still need real security.”  To that end, IBM has begun a research initiative named Phantom designed to find and fix security vulnerabilities in virtual computing environments.&amp;nbsp; Now, such an initiative is laudable.&amp;nbsp; But it is also reminiscent of the “find and fix” vulnerability programs begun and maintained by every operating system and major application vendor worldwide.&amp;nbsp; In fact, Tuesdays have assumed a whole new dimension on the weekly calendar with the regular release by Microsoft of patches and fixes to vulnerabilities discovered through its “find and fix” program.


Here’s hoping that the Phantom researchers remember the fundamental reasons for virtualization technology, and especially the value creation and capture possibilities with digital trust (in the form of liquid security).&amp;nbsp; Otherwise, hypervisors and the “applications” that can operate on specific hypervisors will be in danger of becoming as balkanized as operating systems and their own applications.&amp;nbsp; 


While VMware continues to be the most well known virtual computing environment, Citrix/Xen, Microsoft Hyper-V, Oracle VM, Sun xVM, Parallels and a host of other alternatives are pushing hard for market share.&amp;nbsp; Integrators are lining up with one or more “virtual vendors” to offer design, installation, applications porting and even complete operating services.&amp;nbsp; 


Furthermore, other levels of virtualization for the liquid enterprise are also great sources of liquid security and subsequent payoffs.&amp;nbsp; RingCube’s MojoPac and RedCannon’s KeyPoint Access illustrate the value of liquid security without having to become “virtual in the extreme.”


Keep Liquid Security Liquid

So, let’s give a hearty “hurrah” for the Phantom, and let’s remind the Phantom that virtual computing environments need not be burdened with exactly the same kind of “real security” that we’ve plowed into operating systems and applications.&amp;nbsp; While we are researching the vulnerabilities of virtual computing environments, and planning to insert mechanisms to “lock down” hypervisors and virtual machine monitors, let’s also remember to keep liquid security liquid.


The techniques we use for “real” operating systems and applications have led us to “patch Tuesday” and to platform and configuration dependencies that almost make more problems than they solve.&amp;nbsp; If we follow exactly the same model for our virtual computing environments, then we’ll no doubt end up with a “virtual Tuesday” patching nightmare, compounding the technology update calendar we already must follow.


Only the application matters … only the application matters … only the application matters …</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-06-15T15:51:00-05:00</dc:date>
    </item>

    <item>
      <title>VIRR! … It’s Sure Cold Without Digital Trust!</title>
      <link>http://www.csc.com/ee/lef/virr_its_sure_cold_without_digital_trust/</link>
      <description>Hope Springs Eternal for a Measure on Risk

You have to admire the “never say die” spirit of those trying to put a measure on risk.&amp;nbsp; Hundreds of different kinds of risk ratings, indemnification schemes, fairness guarantees, reputation rankings, test certifications, zero-vulnerability disclosures, insurance criteria, and even “goodness scores” have been tried.&amp;nbsp; Some of these attempts have succeeded within their own targeted domains (e.g., online Internet commerce), but no single measure works across the entire digital enterprise.&amp;nbsp; And so, the search for a globally accepted measure of risk continues.&amp;nbsp; Moody’s Investor Services is the latest to try with its recently announced Vendor Information Risk Rating (VIRR) Service.


This announcement is reminiscent of attempts by insurance companies in the late 1990s to establish a risk threshold measure for e-commerce or hacker/virus policies.&amp;nbsp; Often offered with what is commonly called a “survey” feature, applicants must undergo a risk assessment of enterprise Web practices and technology to see if their “risk” qualifies for a measure of insurance.&amp;nbsp; (See this report, which requires that you click the link, scroll to the bottom, and click Resources, then Construction Newsletters, then “Insurance for Internet-Related Risks,” November 8, 1999).


Theoretically, the results of the risk survey determine premiums and coverage.&amp;nbsp; Companies like AIG, Chubb, Zurich, and various Lloyds underwriters advertise such insurance.&amp;nbsp; But, their “surveys” are unique to each insurer.&amp;nbsp; Likewise, at least 10 major insurers offer identity theft insurance, but such insurance requires a survey of sorts as well, and those surveys once again differ.&amp;nbsp; (See Volume 2 of the Digital Trust report series, Identity Management, p. 23.)  So far, all attempts at measuring risk have fallen short.


Turn the Coin Over … Measuring Digital Trust

Volume 7 of the Digital Trust report series, Transparency and Assurance, examines this circumstance not by focusing on the purely defensive strategy of information risk management – i.e., a “risk ranking” – but rather by looking for ways in which value is actually created with a security technology or service – i.e., “digital trust.”  Digital trust is the flip side of the information risk management coin.&amp;nbsp; 


By asking the seemingly nonsensical question “How much does digital trust weigh?” Volume 7 shows how digital trust actually has heft, and lists value outcomes that represent measures of payoff to the enterprise.&amp;nbsp; Digital trust has “weight,” and that weight can be substantial.&amp;nbsp; The “measure” for digital trust is the enterprise payoff and the payoff potential.&amp;nbsp; The greater the payoff, the greater (the “heavier”) the measure becomes, and the more value the measure represents.


Measure Without Value?

It’s hard to see how any measure of risk can succeed if it doesn’t carry with it a value for having a “good” measure.&amp;nbsp; The payoff of having a good VIRR is not disclosed in the Moody’s announcement.&amp;nbsp; But, it is possible that VIRR can be flipped over to see the digital trust payoff.&amp;nbsp; If a “better” VIRR attracts customers, or reduces the need for manpower, or satisfies some compliance mandate (like PCI DSS), or even improves the enterprise financial ranking, then we’re likely to see enterprises “warm up” to VIRR.


If not, VIRR is likely to stay pretty cold.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-03-12T22:55:00-05:00</dc:date>
    </item>

    <item>
      <title>Get Wet with TED?</title>
      <link>http://www.csc.com/ee/lef/get_wet_with_ted/</link>
      <description>Liquid Security Arrives “Down Under”

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) is Australia’s national science agency and one of the largest and most diverse research agencies in the world.&amp;nbsp; As Australia’s single largest employer of scientists, CSIRO ventures into research across 17 divisional topics covering everything from entomology to textiles.


One of its latest announcements was TED – the Trust Extension Device.&amp;nbsp; According to CSIRO, TED “makes trust portable” by creating a miniature trust verification environment consisting of a small operating system, a few applications, and some encrypted data, and then placing that trust environment onto a portable device, such as a USB memory stick or mobile phone.


Plugging the TED into any computing platform then provides a completely isolated computing environment.&amp;nbsp; That “TED environment” proceeds to establish “trust” with a remote enterprise server before any application runs.&amp;nbsp; The idea is that both ends of the transaction must prove their identity to each other and provide evidence that the computing environments are what they claim to be.


By making trust “portable” in this way, CSIRO’s TED research has shown again how “liquid security” can create value with security services and technology.&amp;nbsp; TED is yet another example of Digital Trust that’s been liberated from dependence on time, place or platform – precisely the topic of Volume 5, Liquid Security, in the Digital Trust report series.


Digital Trust Is Already Liquid

As a research organization, CSIRO is now seeking expressions of interest from parties seeking to license their technology.&amp;nbsp; There are, however, technologies that deliver similar outcomes that are already commercialized and already making digital trust “wet” with value for the enterprise.&amp;nbsp; Such digital trust technology as RedCannon’s KeyPoint Access, RingCube’s MojoPac, or moka5’s LivePC offer the same category of value creation by making a personal computing environment (including trust properties) “liquid.”  They deliver liquid security so you can “put a PC in your pocket” no matter where you are or what’s available to you.&amp;nbsp; With liquid security only the application matters.


So, whether you decide to dip your technology toes into liquid security with research results like TED, or you choose to dive into value creation with other liquid security technologies that have already surfaced in the commercial market, make sure you consider the full extent of the value that can be created with liquid security.


Bring a towel, and take the plunge with Volume 5 on Liquid Security.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-02-29T22:27:00-05:00</dc:date>
    </item>

    <item>
      <title>Trust Tense</title>
      <link>http://www.csc.com/ee/lef/trust_tense/</link>
      <description>Fly Faster with Digital Trust

Frequent flyers in the US have known for a while that the Registered Traveler (RT) program, operated by the Transportation Security Administration (TSA), is one good way to capture value in digital trust and “spend it” for convenience and speed. (The Registered Traveler program, and its ability to put a “price” on the value of individual identity carried in digital trust technology, is described in Volume 2, Identity Management, of the Digital Trust report series, p. 19). Personal identifying information needed to accelerate flyers through security lines at selected airports has been valued at about $100 per year by RT program vendors (plus a few dollars for government fees), and about 70,000 users have agreed.


Judging by the number of travelers signing up for the program, the trial phases of the program seem to be successful, and expansion is “in the air.”  (No pun intended.)  The key to success with the RT program is the ability for individual flyers to volunteer personal background data for background checking (including certain biometric data), and then present unambiguous evidence of their identity in special security screening lines established by security vendors at certain airports.&amp;nbsp; That evidence is carried in digital credentials, and depends on digital trust technology to deliver the payoff (i.e., speedy and reliable passage through security screening lines).


Competition with Digital Trust

The digital trust payoff for this business has spawned greater and greater competition among vendors who are approved to offer the RT service.&amp;nbsp; Through 2007, five vendors met TSA’s minimum criteria to offer RT services.&amp;nbsp; Four of those five were operating services using their selected digital trust mechanisms.&amp;nbsp; Unfortunately for individual flyers, each vendor has its own digital trust technology for identity evidence and credentials, although all digital trust technology used must meet certain TSA standards (compliance strikes again).&amp;nbsp; So, flyers enrolled in one approved vendor’s program (at certain airports) cannot participate in another approved vendor’s program (at other airports being serviced).&amp;nbsp; The specific technologies used to satisfy applicable standards can and do vary.&amp;nbsp; On the other hand, this is the stuff of competition.


Broadening the Business of Digital Trust in Identity

So far, Verified Identity Pass, with its program called “Clear,” is the top provider.&amp;nbsp; The others are continuing to operate their programs, but “Clear” remains the leading service.&amp;nbsp; The digital trust technology used in Clear is a smart ID card.


Yesterday, a new entrant won TSA approval to operate an RT service. Priva Technologies is entering the market with its “ClearedKey” (or just “Cleared”) service.&amp;nbsp; Priva supplies its digital trust using its Cleared Security Platform, which combines a token with a fingerprint reader.&amp;nbsp; Moreover, Priva intends for “Cleared” to compete with more than just better prices.&amp;nbsp; In fact, Priva intends to offer storage for an electronic ticket, an option for electronic “coupons” for free beverages or other items that flyers may want, and perhaps even a combination with its broader retail shopping and payment solution.&amp;nbsp; Who knows?!&amp;nbsp; The same digital trust technology used to speed you through a security line at an airport might also help you to buy clothes or lunch!


“Tense” Matters

Flyers now must pay attention to the “tense” of their RT program!&amp;nbsp; Both “Clear” and “Cleared” (as well as rtGO and FlyBy) provide digital trust to deliver a payoff of convenience and speed for travelers who value such convenience enough to pay for it.&amp;nbsp; Users of any of those vendor services move quickly through a security line at an airport.&amp;nbsp; But, read the signs carefully.&amp;nbsp; Being in the “Clear” to board is not the same as being “Cleared” for takeoff, at least not as far as the digital trust technology is concerned!</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-02-20T01:38:00-05:00</dc:date>
    </item>

    <item>
      <title>Walking on Trustshells</title>
      <link>http://www.csc.com/ee/lef/walking_on_trustshells/</link>
      <description>The Speed of Digital Trust

Stephen M.R. Covey had it right: “Nothing is as fast as the speed of trust.”  While Covey’s book, The Speed of Trust, wasn’t speaking about the kind of trust that can come from the digital enterprise itself, his reality for self trust, relationship trust and stakeholder trust is equally true for “digital trust.”  That’s the conclusion of the Digital Trust report series.&amp;nbsp; And, that’s the lesson that was taught again when Geeks.com began notifying customers that their personal and financial data may have been compromised.&amp;nbsp; (See article.)


But, it wasn’t the lesson of yet another online retailer suffering a data breach.&amp;nbsp; Geeks.com was doing the right thing by notifying customers of a possible data breach.


No, the real “fast traveling news” was the hullabaloo of questions about the Hacker Safe trustmark from ScanAlert (since acquired by McAfee) that was evident on the Geeks.com Web site.&amp;nbsp; Hacker Safe was supposed to prevent such breaches!&amp;nbsp; Is claiming trust using a trustbroker like “walking on eggshells”?&amp;nbsp; Is digital trust that fragile?


Zoom Zoom

The message of an intrusion despite the Hacker Safe trustmark moved quickly, in accordance with the realities of digital trust.&amp;nbsp; Once the original disclosure became known on computerworld.com, the news was blogged and re-blogged, questioned and highlighted as fast as Web sites and RSS feeds could go.&amp;nbsp; Sites like slyck.com, DP’s security bits, techzonez.com and others quickly relayed and replayed the story.&amp;nbsp; In some cases, fuel was added to the fire of conversation when InformationWeek reported just three days later that other “Hacker Safe” sites may also have been vulnerable to cross-site scripting.


Not Humpty Dumpty

But, other realities of digital trust have also become evident.&amp;nbsp; The latest volume in the Digital Trust series, Volume 7 on Transparency and Assurance, shows that trust, including digital trust, can be both created and destroyed.&amp;nbsp; It also reveals that digital trust is a function of both competence (including the scope and execution of the digital techniques involved) and results over time (i.e., reputation).


Volume 7 examines the ways to create, grow, convey and claim digital trust.&amp;nbsp; Using trustmarks is but one.&amp;nbsp; In fact, this volume finds that there are over 200 trustmarks, each one offering their own measure of trust, and that some can be empty or even “imaginary”!&amp;nbsp; But, some deliver real results, based mainly on a combination of competence and commitment to reputation.


ScanAlert is responding to the reports, and is using (digital) trust reinforcing measures to sustain the value and effectiveness of its trustmark.&amp;nbsp; Other (real) trust brokers operate in like fashion.&amp;nbsp; The real issue beyond whether or not the Hacker Safe emblem is supposed to protect against cross-site scripting or not, or whether Hacker Safe “should” have prevented the Geeks.com data breach, is this: How do you know if digital trust is present, and how much digital trust is delivered?


How Much Does Digital Trust Weigh?

That’s the question explored in Volume 7.&amp;nbsp; Digital trust is real, and we know it works.&amp;nbsp; So how do we measure it?&amp;nbsp; How much does it “weigh” anyhow?&amp;nbsp; Take a read of Volume 7...</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2008-02-05T23:15:01-05:00</dc:date>
    </item>

    <item>
      <title>Digital Trust in the Middle</title>
      <link>http://www.csc.com/ee/lef/digital_trust_in_the_middle/</link>
      <description>We legislate, mandate and regulate a lot of online behaviors.&amp;nbsp; Perhaps one of our “favorites” (judging by the amount of discussion and reference it generates) is online privacy rights.&amp;nbsp; In the U.S., state after state has followed California’s lead for a breach notification law.&amp;nbsp; As of December 12, 2007 at least 39 states in the U.S. have enacted legislation requiring notification of security breaches involving personal information.&amp;nbsp; Proposed national legislation has already been introduced in Congress (but not yet passed).


And, the U.S. is not alone.&amp;nbsp; For example, Canada has two federal privacy laws, plus every province and territory (except Newfoundland) also contributes guidelines and regulations covering the protection of personal information.&amp;nbsp; Likewise, the now-famous European Privacy Directive 95/46/EC is reflected in legislation and regulation in member countries throughout Europe.&amp;nbsp; Similar circumstances can be found around the world.


Breaches Create Headlines and Collective Outrage

With so much data being submitted and used in digital form, it’s no wonder that breaches occur.&amp;nbsp; And, with so much legislation and regulation requiring notification and response, it’s also no wonder that such breaches create headlines and outrage.&amp;nbsp; From the spectacular TJX breach to much smaller events involving just a few hundred accounts, the list goes on and on.&amp;nbsp; Most occurrences get a headline and a hearing, but some get official investigations and discussions even in Congress and Parliament.&amp;nbsp; Each event diminishes public trust in the handling of digital data.


But Companies and Individuals Still Choose to Provide Personal Data for the Right Payoff

Notwithstanding all the alarm bells and personal data breach episodes that seem to occur nearly every day, new online businesses continue to offer services that depend on the voluntary submission of sensitive personal data.&amp;nbsp; And, WE DO IT!&amp;nbsp; Companies do it and individuals do it.&amp;nbsp; In fact, on the corporate front, Nicholas Carr observes in Wired that “the two most popular Web-based business applications right now are for managing payroll and customer accounts – some of the most sensitive information companies have.”


Individual users also are willing to opt for value, even at the risk of privacy.&amp;nbsp; For example, The Wall Street Journal reports on two online services that help individuals manage their cash, share investment stories, track spending and trade tips: Wesabe and Geezeo.&amp;nbsp; The Baltimore Sun adds Mint to the conversation.&amp;nbsp; All three are a combination of financial advisor and social networking.&amp;nbsp; And, two of the three require users to provide some personal data, including the information needed to log in to online bank and financial accounts.&amp;nbsp; Now, that’s real (digital) trust!


In spite of privacy data breach after privacy data breach, these three online businesses (among others) have started a service that depends exclusively on the “deposit” of sensitive personal information!&amp;nbsp; How can this be?


Digital Trust Up Front

All of these companies confront the issue of (digital) trust right up front.&amp;nbsp; All claim to have “bank-level data security,” highlighting extensive use of SSL 128-bit encryption.&amp;nbsp; Most describe some sort of anonymous style of login and a minimalist approach to data storage.&amp;nbsp; All claim to avoid sharing of information unless it’s through a banking-approved third party.


Some take even more steps to claim digital trust.&amp;nbsp; For example, some promote trustmarks as further proof for digital trust.&amp;nbsp; Mint displays “VeriSign Secured,” “TRUSTe” and “HACKER SAFE” on its home page, and Geezeo displays “VeriSign Secured.”  On the other hand, Wesabe shows no trustmarks but does reassure users that using Wesabe is “just as secure” as using your bank’s site.&amp;nbsp; Wesabe’s technology places an agent on the user’s PC to perform the account logins and information transfer, but the need for digital trust remains.


These social-financial services sites will succeed or fail based on their ability to deliver digital trust to their users.&amp;nbsp; Despite the continuing saga of personal data breaches and identity theft, digital trust can make a difference even in the most sensitive of services if the payoff is real.


The ability to create, grow, convey and claim digital trust is the topic of Volume 7 of the Digital Trust report series, “Transparency and Assurance: Putting a Measure on Digital Trust.” Sites like Mint, Geezeo and Wesabe are operating on the realities of digital trust.&amp;nbsp; You can create it.&amp;nbsp; You can grow it.&amp;nbsp; You can convey it to users.&amp;nbsp; And, it does create value.&amp;nbsp; But it doesn’t happen automatically.&amp;nbsp; These sites are “banking” on having enough digital trust to persuade users to claim the benefits of interactive personal finance management.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2007-12-28T18:08:01-05:00</dc:date>
    </item>

    <item>
      <title>The Never-Ending Breach</title>
      <link>http://www.csc.com/ee/lef/the_never_ending_breach/</link>
      <description>Are you “in the club?”  Do you receive regular (daily) updates of information security news and events right in your inbox?&amp;nbsp; I do, and I find the services very helpful (as long as I keep up on my end).&amp;nbsp; For example, the SANS Institute provides a free subscription service to NewsBites@sans.org by filling in some data at their portal.&amp;nbsp; SC Magazine provides a similar SC Magazine Newswire service, newsletters@scmagazineus.com, for subscribers who register here.


If you are “in the club” then you have probably noticed that just about every issue of every newsletter contains a description of some information breach happening somewhere.&amp;nbsp; In fact, the SANS NewsBites has a section entitled “ATTACKS, INTRUSIONS, DATA THEFT &amp;amp; LOSS” that invariably describes yet another data breach (or two or three or more), sometimes with commentary relating the breach to previous events or conditions.&amp;nbsp; That’s no wonder considering that the Privacy Rights Clearinghouse lists 274 data breaches so far in just 2007 alone!


Why is it …?

The sheer repetitiveness of data breach reports raises the question: “Why is it that data breaches happen over and over and over ... ?”&amp;nbsp; There can be only two logical conclusions:


1.&amp;nbsp; The technologies to protect against data breaches and information protection violations are available and simply not being deployed (it has happened before);


or


2.&amp;nbsp; Technologies to protect against certain kinds of information violations simply do not exist.


Sometimes the technologies do exist to blunt the breach (even if they do not stop the source of the breach).&amp;nbsp; For example, technology to encrypt entire hard drives or to block the copying of data onto ultra-portable peripherals (e.g., thumb drives) is readily available and is an obvious antidote to the lost-laptop and lost-thumb-drive variety of breach.&amp;nbsp; (Note the limit, though: full-disk encryption protects data at rest on a device that goes missing, not data on a running, logged-in system that an intruder has already reached.)
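The first conclusion turns on a question an operations team can actually answer: are these controls deployed on the hosts we own? As an added example that is not part of the original post or of the Digital Trust report series, the Python below audits a Linux host for the two controls just named. It assumes the usual locations (modprobe.d for the usb-storage driver policy, /proc/mounts plus the device-mapper uuid in sysfs for the root filesystem), and it grades a bare “blacklist usb-storage” below “install usb-storage /bin/true”, because a blacklist only stops automatic loading while the install override also defeats an explicit modprobe. The sample configurations and mount tables in the block are constructed.

```python
import os
import re
from typing import Callable, Dict

# Constructed samples so the block runs offline.
# Assumption: modprobe.d files and /proc/mounts have their usual Linux formats.
SAMPLE_MODPROBE_STRONG = """
# CIS-style hardening: any attempt to load the module becomes a no-op
install usb-storage /bin/true
blacklist usb-storage
"""

SAMPLE_MODPROBE_WEAK = """
# Only stops automatic loading; 'modprobe usb-storage' still succeeds
blacklist usb-storage
"""

SAMPLE_MOUNTS_ENCRYPTED = """\
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""

SAMPLE_MOUNTS_PLAIN = """\
/dev/sda2 / ext4 rw,relatime 0 0
"""

# Constructed stand-in for the contents of /sys/block/dm-N/dm/uuid.
SAMPLE_DM_UUIDS = {"/dev/mapper/cryptroot": "CRYPT-LUKS2-0123456789abcdef-cryptroot"}


def usb_storage_control(modprobe_conf: str) -> str:
    """Classify how a modprobe.d configuration treats the usb-storage driver.

    'install'   -> an 'install usb-storage /bin/true|false' line neutralises
                   every load attempt, including an explicit modprobe
    'blacklist' -> only automatic (alias-based) loading is stopped
    'none'      -> nothing found; thumb drives mount as usual
    """
    verdict = "none"
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if re.match(r"install\s+usb[-_]storage\s+/bin/(true|false)\b", line):
            return "install"
        if re.match(r"blacklist\s+usb[-_]storage\b", line):
            verdict = "blacklist"
    return verdict


def root_is_luks(proc_mounts: str, dm_uuid_of: Callable[[str], str]) -> bool:
    """True when the device mounted at / is a dm-crypt LUKS mapping.

    dm_uuid_of(device) must return the device-mapper uuid string for a mapper
    node ('' for anything else).  dm-crypt sets it to CRYPT-LUKS1-... or
    CRYPT-LUKS2-..., which is what we key on.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/":
            return dm_uuid_of(fields[0]).startswith("CRYPT-LUKS")
    return False


def sysfs_dm_uuid(device: str) -> str:
    """Live reader for a real host: /dev/mapper/x -> /dev/dm-N -> /sys/block/dm-N/dm/uuid."""
    real = os.path.realpath(device)
    try:
        with open(f"/sys/block/{os.path.basename(real)}/dm/uuid") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def read_modprobe_dir(path: str = "/etc/modprobe.d") -> str:
    """Concatenate every *.conf under modprobe.d (live host use)."""
    chunks = []
    for name in sorted(os.listdir(path)):
        if name.endswith(".conf"):
            with open(os.path.join(path, name)) as fh:
                chunks.append(fh.read())
    return "\n".join(chunks)


def audit(modprobe_conf: str, proc_mounts: str,
          dm_uuid_of: Callable[[str], str]) -> Dict[str, object]:
    """Return the two deployment facts the paragraph above asks about."""
    return {
        "usb_storage": usb_storage_control(modprobe_conf),
        "root_encrypted": root_is_luks(proc_mounts, dm_uuid_of),
    }


if __name__ == "__main__":
    lookup = lambda dev: SAMPLE_DM_UUIDS.get(dev, "")
    print(audit(SAMPLE_MODPROBE_STRONG, SAMPLE_MOUNTS_ENCRYPTED, lookup))
    print(audit(SAMPLE_MODPROBE_WEAK, SAMPLE_MOUNTS_PLAIN, lookup))
    # On a real Linux host (uncomment):
    # with open("/proc/mounts") as fh:
    #     print(audit(read_modprobe_dir(), fh.read(), sysfs_dm_uuid))
```

Run as a script it grades the constructed samples; on a real host, feed it read_modprobe_dir() and /proc/mounts with sysfs_dm_uuid as the uuid reader, as the commented lines show. The LUKS check only says whether the root filesystem sits on dm-crypt; a secondary disk or a separate /home needs its own check.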


On the other hand, sometimes, even when we do everything perfectly with the security technologies available, nasty things happen to good digital enterprises.&amp;nbsp; This is the condition examined in Volume 6 of the Digital Trust report series, eThreats and Countermeasures.


eThreats are eTernal

In the Digital Trust report series, eThreats are those exposures that occur “even when you’ve done everything right.”&amp;nbsp; And digital trust technologies are those security technologies that generate value for the enterprise as well as reducing the risk of loss to the value already present.&amp;nbsp; The question in Volume 6 is which digital trust technologies can be used to respond to eThreats.


The research effort explores the pernicious problems of eThreats by examining four specific techniques as representative of the general class of eThreats:


• Cross-site scripting

• Phishing (in all its variety)

• Open source information gathering (a.k.a. Google hacking)

• No-tech hacking
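Cross-site scripting is the item on that list that lives in the site’s own code, so here is an added example, not from the post or the report, of the defect beside its fix in Python: a profile page that drops a user-supplied display name straight into HTML, and the same page with HTML output encoding. The payloads, the page markup and the helper names are constructed for illustration, and the check parses the rendered page rather than grepping it, since the hardened page still contains the characters “onmouseover=”, harmlessly, inside an attribute value.

<![CDATA[
```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed attacker inputs (not from the post): one aimed at the text
# context, one at the double-quoted attribute context.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_profile_unsafe(display_name: str) -> str:
    """Vulnerable: the display name is concatenated into the markup verbatim."""
    return (
        "<h1>Welcome, " + display_name + "</h1>\n"
        '<input name="nick" value="' + display_name + '">'
    )


def render_profile_safe(display_name: str) -> str:
    """Hardened: the value is HTML-encoded for the context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, which is correct
    for text nodes and for quoted attribute values.  It is NOT sufficient for
    data placed inside a <script> block, a URL, or an unquoted attribute;
    those contexts need their own encoders.
    """
    safe = html.escape(display_name, quote=True)
    return (
        "<h1>Welcome, " + safe + "</h1>\n"
        '<input name="nick" value="' + safe + '">'
    )


class _ActiveContentFinder(HTMLParser):
    """Records what a browser would execute: <script> elements and on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(page: str) -> List[str]:
    """Parse the rendered page the way a browser would and list executable content.

    Parsing (rather than searching for '<script') matters: the hardened page
    still contains 'onmouseover=', but only inside an attribute value, where
    it is inert.
    """
    finder = _ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for payload in (TEXT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", active_content(render_profile_unsafe(payload)))
        print("safe:  ", active_content(render_profile_safe(payload)))
```
]]>

The unsafe renderer yields a live script element for the first payload and an onmouseover handler on the input for the second; the hardened renderer yields neither. Encoding at output time, per context, is the fix; stripping “bad” characters from input is not, because the same value lands in more than one context.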


While there are partial digital trust answers, the major conclusion is that “eThreats are eTernal” (for now).&amp;nbsp; Digital trust can make a helpful dent in consequences, but it is not able to solve the problem (and generate enterprise value).


For now, we can rest easy that the security newsletters will always have breaches (and consequences) to report.&amp;nbsp; I repeat: eThreats (and data breach consequences) are eTernal.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2007-10-17T10:26:01-05:00</dc:date>
    </item>

    <item>
      <title>“Health” and “Vault” Are Bedfellows?</title>
      <link>http://www.csc.com/ee/lef/health_and_vault_are_bedfellows/</link>
      <description>Now here’s something you don’t see every day: the words “health” and “vault” in the same sentence.&amp;nbsp; Oh sure, we expect to see “health” and “exercise” or “health” and “diet” or even “health” and “medicine,” … but “health” and “vault”?


Well, let’s all get used to it because Microsoft has launched HealthVault, a free advertising-supported health portal.&amp;nbsp; (See article.)  Others like Revolution Health, WebMD and a number of insurance companies have been working on, or offering, similar portals that allow people to upload their medical records to a Web site and then choose to share that data with doctors, other health care providers or family members.&amp;nbsp; 


Like all the others, Microsoft has offered assurances about patient control over all data submitted and the privacy of all personal information.&amp;nbsp; But health care information automation in the U.S. has struggled under concerns about the protection of private information and the inability to exchange health care data from one user or application to another.&amp;nbsp; Despite the efforts under the Health Insurance Portability and Accountability Act (HIPAA), and studies that show huge potential for cost savings in the health care system in excess of $500 billion over 15 years, the U.S. does not yet enjoy the same progress as some other countries have seen (e.g., Germany, Britain).


Value for Everyone?

If Microsoft (and Revolution Health, WebMD and various insurance companies) lives up to its claims of data protection and privacy for the individual over time, then the individual patient can obtain value from this service.&amp;nbsp; (None of the health care portal providers has offered up the transparency and evidence of design, deployment and operation needed to confirm and expand on the digital trust claims being made.)&amp;nbsp; But this service, and the digital trust that accompanies it, does not offer value to the other important constituencies involved, so it is limited in its ability to pull health care information automation together for the big payoff.


For example, doctors, clinics and hospitals need other kinds of digital trust beyond mere patient records confidentiality to capture value in the service.&amp;nbsp; Imagine automatic (wireless) digital blood pressure cuffs, thermometers and even digital (wireless) stethoscopes easily, reliably and securely collecting, recording and transmitting patient data to a (secure) standard repository of clinical data (maybe even the HealthVault)!&amp;nbsp; Parts of this scenario have already been built and are being used in smaller ways.&amp;nbsp; For example, devices like the Health Buddy are used today in the Health Hero Network.&amp;nbsp; Or, imagine government accountability reports and pharmacy controls being included automatically!&amp;nbsp; These functions deliver value for other constituencies needed to succeed in overall value capture.&amp;nbsp; And, they need different kinds of digital trust to come along with them.


Been There Before!

The Digital Trust report series has chronicled this kind of circumstance before.&amp;nbsp; The whole scenario around electronic voting (see Volume 4 on “Compliance Management: the Business of Keeping the Business in Business”) illustrates what happens when digital trust is absent for an important constituency.&amp;nbsp; In that case, election boards captured value from a claim of digital trust, but individual voters did not see the (different) digital trust necessary for their value payoff.&amp;nbsp; Only today, as digital trust features and evidence are being made mandatory through law and regulation, do we see the full value trail for electronic voting.


Maybe that’s what it will take for digital trust to emerge completely enough for all of the constituencies involved in health care information automation.&amp;nbsp; It would be a shame, however, if all we did was wait for law and regulation to force it to happen when the digital trust technology we need is already here.


The principle most often associated with the Hippocratic Oath is “First, do no harm.”&amp;nbsp; While I’m sure we’ll need a little bureaucratic boost to get standard formats and protocols, I’m also pretty sure that even Hippocrates himself would want us to press on with integrated technology, including digital trust technology, to deliver the tremendous value of better health care at less cost.</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2007-10-08T15:02:00-05:00</dc:date>
    </item>

    <item>
      <title>And the Beat Goes On...</title>
      <link>http://www.csc.com/ee/lef/and_the_beat_goes_on/</link>
<description>Just in case you were wondering, there are many people who do not see intellectual property piracy as a victimless crime.&amp;nbsp; The latest study cited yesterday in the Washington Post identifies costs to the U.S. economy of $58 billion per year and a loss of over 350,000 jobs in the entertainment industry and its supplying industries.&amp;nbsp; Moreover, a companion interview with NBC Universal CEO Jeff Zucker on CNBC reported $2.6 billion a year in lost tax revenue, adding to the pain.


Not just tunes, videos and software

So, real penalties to a lot of real people are occurring up and down the value chain in the entertainment industry, with much greater impacts even beyond that industry.&amp;nbsp; And, it’s a global problem.&amp;nbsp; For example, as reported in the latest study, of the 13 billion U.S.-recorded songs estimated to have been illegally downloaded in 2005, 9 billion were downloaded overseas.&amp;nbsp; Further, as pointed out in Volume 3 of the Digital Trust report series (“Intellectual Property Protection: Minding your Mind Power” ), the problems and penalties do not stop with the entertainment industry.&amp;nbsp; Intellectual property (IP) of all kinds in nearly every enterprise of the S&amp;amp;P 500 accounts for about 80% of the total value of the enterprise!&amp;nbsp; Protecting IP while enhancing the value of those intangible assets is a prime objective of digital trust.


Calling for better digital trust technology

The latest data also shows that law enforcement and consumer awareness are important in solving the problem.&amp;nbsp; But, at best, they just help us “hold our own.”  Even when content producers make some content free (e.g., see the new Hulu.com advertising-supported site for Fox and NBC programming), the problem gets extended elsewhere in the value chain.&amp;nbsp; Without better digital trust technology to help deliver fair value for fair use (both inside and outside the entertainment industry), we’ll continue to wage a series of skirmishes to eliminate some illegal outlets and production facilities even while others get started.&amp;nbsp; We’ll also unnecessarily restrain value capture for IP because we just can’t figure out how to protect it outside the legitimate (licensed) distribution.&amp;nbsp; This ends up being a case of IP protection “whack-a-mole” as new techniques for violation crop up just as fast as old ones are shut down.


Digital trust technology for IP protection is gradually improving, but there’s still big room for improvement.&amp;nbsp; Here’s a case where value generation through security is staring us in the face; all we need are a few better ideas!</description>
      <dc:subject>Digital Trust</dc:subject>
      <content:encoded><![CDATA[]]></content:encoded>
      <dc:date>2007-10-04T14:44:00-05:00</dc:date>
    </item>

    
    </channel>
</rss>