Reinsta(ng Trust in the Digital Age
•
0 j'aime•512 vues
Talk given at PwC Digital Trust 2015 in Geneva, Switzerland. http://www.pwc.ch/digitaltrust2015
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (19)
Similaire à Reinsta(ng Trust in the Digital Age
Similaire à Reinsta(ng Trust in the Digital Age (20)
Plus de University of Geneva
Plus de University of Geneva (20)
Reinsta(ng Trust in the Digital Age
- 1. Prof. Jean-‐Henry Morin University of Geneva – CUI Ins8tute of Informa8on Service Science Faculté des Sciences de la Société Jean-‐Henry.Morin@unige.ch @jhmorin Reinsta(ng Trust in the Digital Age PwC 5th Digital Trust Conference Geneva March 17, 2015
- 2. Who has NEVER « worked around » security policies to legitimately complete work that systems Prevented from doing ?
- 3. 3 Security is bypassed, not a2acked Inspired by Adi Shamir, Turing Award lecture, 2002 Foreword Human Factor
- 4. Outline • A bit of context and technology • 3 eras of Trust • Revisiting technology • Co-Compliance Principle and Digital Responsibility • Conclusions & Take Away • Q & A
- 5. Context (I) Organiza8ons & Corporate sector
- 6. 53 % !!! 6
- 7. Organizations & Corporate Sector : Corporate Security Policies 53% admit circumventing corporate security policies to get the work done (EMC RSA Security, 2008) Among the most cited reasons justifying circumventing corporate security policies (Cisco, 2008) a) Doesn’t correspond to the operational reality nor to what is required to get the work done b) Need to access applications not belonging to or authorized by corporate IT policies to work Consequences : increase in risks and costs • Requires « creativity » to get the job done ! • Increased stress due to unauthorized actions • Inefficiencies • Untraceable transgressions / violations
- 8. Informa8on Protec8on & Control Today Perimeter based and Access Control Lists (ACL). Beyond ? Not much… ? Mobile Worker Corporate Network VPN
- 9. Context (II) Entertainment & Media sector
- 10. © & the RIAA Scum Bird http://bit.ly/akxivr
- 11. 1 Technology DRM
- 12. How did we get here… … a dystopian scenario ? http://www.flickr.com/search/?q=DRM
- 13. 3 eras of trust • Before – Suspicion • Today – Breach of Trust • Tomorrow – The rise of « informed Trust » h_p://eloquentscience.com/wp-‐content/uploads/2012/05/past-‐ present-‐future-‐sign1.jpg
- 14. < Before> Suspicion & Distrust 18th century Jeremy Bentham’s Panop8con
- 15. A Paradox We talked about Trust and Trusted Computing in the digital age… …but everything relied on a distrust assumption http://zatoichi.homeip.net/~brain/TrustedComputing.jpg
- 16. < Today > Massive Breach of Trust
- 17. 2013 = PRISM & Co.
- 18. < Tomorrow > The rise of « Informed Trust »
- 19. Can IT be fixed ? • Acknowledging that : • Security is necessary (managed content) • Total Security is neither realistic nor desirable • Given the right User Experience and Business Models most users smoothly comply (e.g., iTunes) • Most users aren’t criminals • We need to take a step back to : • Critically re-think Security, DRM, Trust • Reconsider the debate outside the either/or extremes of total vs. no security • Factor in, by design, these issues for the development of systems and services WE all use.
- 20. Rethinking & Redesigning • Acknowledge the Central role of the User and User Experience • Reinstate Users in their roles & rights and Responsibilities • Presumption of innocence & the burden of proof • Fundamental guiding principle to Rethink and Redesign DRM : Feltens’ “Copyright Balance” principle (Felten, 2005) “Since lawful use, including fair use, of copyrighted works is in the public interest, a user wishing to make lawful use of copyrighted material should not be prevented from doing so by any DRM system.” • Claim and Proposition : • Put the trust back into the hands of the users • Reverse the distrust assumption Requires a major paradigm shift
- 21. From Utopia to Reality … The Excep8on Management Model
- 22. Rethinking & Redesigning DRM • Exception Management in DRM environments, mixing water with fire ? Not necessarily ! • Reversing the distrust assumption puts the user “in charge”, facing his responsibilities • Allow users to make Exception Claims, granting them Short Lived Licenses based on some form of logging and monitoring • Use Credentials as tokens for logging to detect and monitor abuses • Credential are Revocable in order to deal with abuse and misuse situations • Mutually acknowledged need for managed content while allowing all actors a smooth usability experience (Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
- 23. Excep8on Management in « managed content » environments • Auditable model covering incident and abuse detec;on as well as revoca;on • Burden of proof on the party having a jus8fiable “claim” regarding abuse or incidents & presump8on of innocence • Monitoring in (near) real 8me of security policies Fasoo.com
- 24. Technology Transfer Academic partnership with Fasoo.com • June 2011, Integration of the Exception Management model as « Provisional Licensing » January 2015: 85% of companies using Fasoo Enterprise DRM provide Excep8on Management
- 25. Ongoing Work … • DRM, Security, Trust & Block Chain • Security Policy Design framework
- 26. Perspec8ve… • Take into account the Human Factor by Design (People Centric Security, PCS [T. Scholtz, 2012]) • Data Protec8on in a digital economy : – Awareness raising and training – The EU Data Protec8on reform: re-‐appropria;on of data and personal informa;on by the people • Public Policies and Digital Governance : Key success factors, Emergency!
- 27. To Trust or not to be … http://world.edu/wp-content/uploads/2013/02/climate-change-skeptics.jpg Digital Responsibility : Informed Trust & Transparency
- 28. Co-Compliance • Emerging principle relying on « Informed Trust » and « Transparency » • Co-Compliance (short for collaborative compliance): collaborative, shared responsibility enabled by digital technologies allowing both joint elaboration of a decision or action and the shared evaluation of its result. Cost : Major paradigm shift ! (Morin, 2014)
- 29. Digital Responsibility Some Key characteristics (evolving) : • User Centered Design • Account for all stakeholders • Proportionality of the means to engage • Integrating the Human Factor • Openness and Transparency • Sharing and Collaboration • Limited and Humble use of the legal instrument • Leveraging sustainable public policies (Morin, 2014)
- 30. Conclusion • Trust assumes leaving to humans the capacity to make free moral decision (Exception by Design) • Trust isn’t blind (managed, informed) • We are facing a MAJOR challenge of our participative digital society Is a socially responsible and sustainable approach to trust in the digital era possible ?
- 31. References J.-H. Morin, “Rethinking DRM Using Exception Management”, chapter III in Handbook of Research on Secure Multimedia Distribution, S. Lian and Y. Zhang (Eds), Information Science Reference (ISR), ISBN: 978-1-60566-262-6, IGI Global, March 2009, pp 39-54. http://www.igi-global.com/reference/details.asp?id=33143 J.-H. Morin, “Exception Based Enterprise Rights Management : Towards a Paradigm Shift in Information Security and Policy Management”, International Journal On Advances in Systems and Measurements, issn 1942-261x, vol. 1, no. 1, 2008, pp. 40-49. http://www.iariajournals.org/systems_and_measurements/ J.-H. Morin, “La responsabilité numérique : Restaurer la confiance à l'ère du numérique“ FYP éditions, Avril 2014. http://www.fypeditions.com/responsabilite-numerique/ Think(do)Tank on Service Science and Innovation http://thinkservices.info/ h_p://thinkdata.ch/ Swiss Digital Agenda Na8onal debate h_p://NumeriCH.ch/
- 32. L e t ’ s b e D i g i t a l l y R e s p o n s i b l e ! Q & A Contacts: Prof. Jean-‐Henry Morin University of Geneva – CUI Ins8tute of Informa8on Service Science Faculté des Sciences de la Société h_p://iss.unige.ch/ Jean-‐Henry.Morin@unige.ch @jhmorin h_p://ch.linkedin.com/in/jhmorin h_p://www.slideshare.net/jhmorin h_p://jean-‐henry.com/ &