To Trust or not to Trust, that is the question. And what if we reversed some...
Reinstating Trust in the Digital Age
1. Prof. Jean-Henry Morin
University of Geneva – CUI
Institute of Information Service Science
Faculté des Sciences de la Société
Jean-Henry.Morin@unige.ch
@jhmorin
Reinstating Trust in the Digital Age
PwC 5th Digital Trust Conference
Geneva
March 17, 2015
2. Who has NEVER « worked around » security policies to legitimately complete work that systems prevented them from doing?
3. Security is bypassed, not attacked
Inspired by Adi Shamir, Turing Award lecture, 2002
Foreword: Human Factor
4. Outline
• A bit of context and technology
• 3 eras of Trust
• Revisiting technology
• Co-Compliance Principle and Digital Responsibility
• Conclusions & Take Away
• Q & A
7. Organizations & Corporate Sector: Corporate Security Policies
53% admit circumventing corporate security policies to get the work done (EMC RSA Security, 2008)
Among the most cited reasons justifying circumventing corporate security policies (Cisco, 2008):
a) They do not correspond to operational reality nor to what is required to get the work done
b) Need to access applications not belonging to, or not authorized by, corporate IT policies in order to work
Consequences: increase in risks and costs
• Requires « creativity » to get the job done!
• Increased stress due to unauthorized actions
• Inefficiencies
• Untraceable transgressions / violations
8. Information Protection & Control Today
Perimeter based and Access Control Lists (ACL). Beyond? Not much…
Diagram labels: Mobile Worker, VPN, Corporate Network
15. A Paradox
We talked about Trust and Trusted Computing in the digital age…
…but everything relied on a distrust assumption
http://zatoichi.homeip.net/~brain/TrustedComputing.jpg
19. Can IT be fixed?
• Acknowledging that:
  • Security is necessary (managed content)
  • Total Security is neither realistic nor desirable
  • Given the right User Experience and Business Models, most users smoothly comply (e.g., iTunes)
  • Most users aren’t criminals
• We need to take a step back to:
  • Critically re-think Security, DRM, Trust
  • Reconsider the debate outside the either/or extremes of total vs. no security
  • Factor in, by design, these issues for the development of systems and services WE all use.
20. Rethinking & Redesigning
• Acknowledge the central role of the User and User Experience
• Reinstate Users in their roles, rights and Responsibilities
• Presumption of innocence & the burden of proof
• Fundamental guiding principle to Rethink and Redesign DRM: Felten’s “Copyright Balance” principle (Felten, 2005)
“Since lawful use, including fair use, of copyrighted works is in the public interest, a user wishing to make lawful use of copyrighted material should not be prevented from doing so by any DRM system.”
• Claim and Proposition:
  • Put the trust back into the hands of the users
  • Reverse the distrust assumption
Requires a major paradigm shift
22. Rethinking & Redesigning DRM
• Exception Management in DRM environments, mixing water with fire? Not necessarily!
• Reversing the distrust assumption puts the user “in charge”, facing his responsibilities
• Allow users to make Exception Claims, granting them Short Lived Licenses based on some form of logging and monitoring
• Use Credentials as tokens for logging to detect and monitor abuses
• Credentials are Revocable in order to deal with abuse and misuse situations
• Mutually acknowledged need for managed content while allowing all actors a smooth usability experience
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
23. Exception Management in « managed content » environments
• Auditable model covering incident and abuse detection as well as revocation
• Burden of proof on the party having a justifiable “claim” regarding abuse or incidents & presumption of innocence
• Monitoring in (near) real time of security policies
Fasoo.com
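The exception-claim workflow of slides 22 and 23 (claim, short-lived license, credential used as logging token, near-real-time monitoring, revocation on abuse), as an added toy model that is not the author's or Fasoo's code; the class, the 30-minute lifetime and the threshold of three grants per window are assumptions chosen for illustration.

```python
# Added example (hypothetical names, not the author's or Fasoo's code): toy exception-management model.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

@dataclass
class ExceptionManager:
    ttl: timedelta = timedelta(minutes=30)  # assumed short-lived license lifetime
    abuse_threshold: int = 3                # assumed max grants per TTL window
    audit_log: list = field(default_factory=list)
    revoked: set = field(default_factory=set)
    licenses: dict = field(default_factory=dict)  # token -> (user, resource, expiry)

    def claim(self, user, resource, justification, now):
        """Presumption of innocence: grant first, log it, then monitor for abuse."""
        if user in self.revoked:
            self._log(now, "DENIED", user, resource, "credential revoked")
            return None
        token = secrets.token_hex(8)  # credential doubling as the logging token
        self.licenses[token] = (user, resource, now + self.ttl)
        self._log(now, "GRANTED", user, resource, justification)
        self._monitor(user, now)
        return token

    def is_valid(self, token, now):
        lic = self.licenses.get(token)
        return lic is not None and lic[0] not in self.revoked and now < lic[2]

    def _monitor(self, user, now):
        # Near-real-time policy check over the audit trail: the monitor must show a pattern before revoking.
        since = now - self.ttl
        grants = [e for e in self.audit_log
                  if e["user"] == user and e["event"] == "GRANTED" and e["at"] >= since]
        if len(grants) > self.abuse_threshold:
            self.revoked.add(user)
            self._log(now, "REVOKED", user, "*", f"{len(grants)} claims in one window")

    def _log(self, at, event, user, resource, detail):
        self.audit_log.append(dict(at=at, event=event, user=user, resource=resource, detail=detail))

def demo():
    # Constructed scenario: one legitimate claim, then a burst that trips the abuse monitor.
    t0 = datetime(2015, 3, 17, 9, 0, tzinfo=timezone.utc)
    em = ExceptionManager()
    tok = em.claim("alice", "report.pdf", "client meeting", t0)
    valid_early = em.is_valid(tok, t0 + timedelta(minutes=10))
    valid_late = em.is_valid(tok, t0 + timedelta(minutes=31))
    for i in range(1, 4):  # three more claims inside the window
        em.claim("alice", f"doc{i}.pdf", "bulk export", t0 + timedelta(minutes=i))
    denied = em.claim("alice", "x.pdf", "retry", t0 + timedelta(minutes=5)) is None
    return dict(valid_early=valid_early, valid_late=valid_late, denied=denied, revoked="alice" in em.revoked)
```

The audit log is the evidence base: every grant, denial and revocation is recorded with its justification, so the monitor, not the user, carries the burden of proving abuse.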
24. Technology Transfer
Academic partnership with Fasoo.com
• June 2011: Integration of the Exception Management model as « Provisional Licensing »
• January 2015: 85% of companies using Fasoo Enterprise DRM provide Exception Management
26. Perspective…
• Take into account the Human Factor by Design (People Centric Security, PCS [T. Scholtz, 2012])
• Data Protection in a digital economy:
  – Awareness raising and training
  – The EU Data Protection reform: re-appropriation of data and personal information by the people
• Public Policies and Digital Governance: Key success factors, Emergency!
27. To Trust or not to be …
http://world.edu/wp-content/uploads/2013/02/climate-change-skeptics.jpg
Digital Responsibility: Informed Trust & Transparency
28. Co-Compliance
• Emerging principle relying on « Informed Trust » and « Transparency »
• Co-Compliance (short for collaborative compliance): collaborative, shared responsibility enabled by digital technologies allowing both joint elaboration of a decision or action and the shared evaluation of its result.
Cost: Major paradigm shift!
(Morin, 2014)
29. Digital Responsibility
Some Key characteristics (evolving):
• User Centered Design
• Account for all stakeholders
• Proportionality of the means to engage
• Integrating the Human Factor
• Openness and Transparency
• Sharing and Collaboration
• Limited and Humble use of the legal instrument
• Leveraging sustainable public policies
(Morin, 2014)
30. Conclusion
• Trust assumes leaving to humans the capacity to make free moral decisions (Exception by Design)
• Trust isn’t blind (managed, informed)
• We are facing a MAJOR challenge of our participative digital society
Is a socially responsible and sustainable approach to trust in the digital era possible?
31. References
J.-H. Morin, “Rethinking DRM Using Exception Management”, chapter III in Handbook of Research on Secure Multimedia Distribution, S. Lian and Y. Zhang (Eds), Information Science Reference (ISR), ISBN: 978-1-60566-262-6, IGI Global, March 2009, pp. 39-54.
http://www.igi-global.com/reference/details.asp?id=33143
J.-H. Morin, “Exception Based Enterprise Rights Management: Towards a Paradigm Shift in Information Security and Policy Management”, International Journal On Advances in Systems and Measurements, ISSN 1942-261X, vol. 1, no. 1, 2008, pp. 40-49.
http://www.iariajournals.org/systems_and_measurements/
J.-H. Morin, “La responsabilité numérique : Restaurer la confiance à l'ère du numérique”, FYP éditions, April 2014.
http://www.fypeditions.com/responsabilite-numerique/
Think(do)Tank on Service Science and Innovation
http://thinkservices.info/
http://thinkdata.ch/
Swiss Digital Agenda: National debate
http://NumeriCH.ch/
32. Let’s be Digitally Responsible!
Q & A
Contacts:
Prof. Jean-Henry Morin
University of Geneva – CUI
Institute of Information Service Science
Faculté des Sciences de la Société
http://iss.unige.ch/
Jean-Henry.Morin@unige.ch
@jhmorin
http://ch.linkedin.com/in/jhmorin
http://www.slideshare.net/jhmorin
http://jean-henry.com/