IT perspectives

Jerry Fishenden
Director, Centre for Technology Policy Research
Visiting Senior Fellow, LSE
outline
  • an underlying thesis
  • introduction
  • context
  • mind the GAP ...
  • ... the UK
  • privacy and security
  • what next?
  • conclusion
thesis: we lack a consensus on, and balance of:
  – public policy
  – technological aptness
  – user benefit
introduction
London School of Economics, February 2010, Jerry Fishenden
context
the myth of fast technology

(figure: the Everett Rogers Technology Adoption Lifecycle model)
Source: “Sketching User Experiences”, Bill Buxton
prediction horizons

  • 3-5 years:
      – highly predictable
      – products already in development
  • 5-10 years:
      – relatively predictable
      – basic technologies identified
  • 10-15 years:
      – less predictable
      – new basic technologies will disrupt
      – trends are the only guide
the myth of fast technology

  • the mouse – invented c.1964
  • the CD – c.1965
  • the fax – c.1843
  • LCDs – c.1888
mind the GAP ...
World Bank Experience

  • “Information system projects appear to have an alarmingly high failure rate, even in developed countries — half of large implementations fail, half suffer disputes.”
  • “It is estimated that more than 80 percent of World Bank projects have an informatics component. Many of these components meet essential development needs. It is vital therefore, that they are planned and implemented to bring lasting benefit.”

World Bank, 2004
http://www.computerweekly.com/Articles/2007/05/21/223915/only-a-third-of-government-it-projects-succeed-says.htm
some challenges

  • governance
      – competing needs of many diverse stakeholders
      – more demands than capacity
      – everyone is an IT expert
  • architecture
      – rapidly increasing systems complexity
      – delivering new services increases complexity
      – operations and maintenance budget growing
  • procurement
      – severe budget and cost control pressures
      – procurement cycles not responsive to organisational need
why governments should lead in effective use of IT

  • IT is an important enabler of improved service delivery and effectiveness
  • government use of IT can drive private sector adoption and capacity building
  • effective use of IT drives local market for IT skills and service provision
  • in the UK, government accounts for around 55% of all IT expenditure ….
the GAP principles
  Governance
  •   IT is a service provider to the business - business units and
      information technology organisations need to be intimately linked
      through managed engagement processes.
  •   the Chief Information Officer (CIO) requires real authority - CIOs
      need effective authority to mandate architecture standards across
      organisational boundaries.
  Architecture
  •   the future of business is networked – adoption of architectures
      based on XML and underlying internet standards maximises flexibility
      and improves speed of delivery of new services.
  Procurement
  •   architecture is the foundation - a long term strategic model is
      required for core architecture procurement
  •   service orientation in architecture enables flexibility – shorter term
      tactical models can be used to procure from smaller, local or
      specialized suppliers
  •   Service Level Agreements alone do not guarantee success – good
      governance and architecture are required to enable effective
      operations outsourcing
IT governance

IT governance is about assigning decision rights and creating an accountability framework that encourages desirable behaviour in the use of IT
(Source: CISR (Center for Information Systems Research), Sloan School of Management, MIT and Gartner EXP)

CISR also states that IT governance should cover five IT domains:
  • IT ‘maxims’ or policies
  • IT infrastructure strategy
  • IT architecture
  • business application portfolio management
  • IT investment and prioritisation.
(Source: CISR & Gartner EXP)
assessing IT governance
   Your total score             Status of your governance
   00 to 08                     Poor, needs serious attention
   09 to 16                     Good start, could be improved
   17 to 24                     Good, keep improving
   25 to 32                     Very good, little room for improvement


Score yourself for 1 to 4 (1 = not at all, 4 = completely) for:
    –   We follow a set of agreed IT policies
    –   We follow an agreed IT infrastructure strategy
    –   We enforce agreed architecture standards
    –   Applications are managed to an agreed portfolio strategy
    –   IT investment is prioritized according to a government policy framework
    –   We follow an agreed procurement policy
    –   We follow a standard project management methodology
    –   We carry out post implementation benefits analysis and review
characteristics of effective governance

  • an agreed definition of architecture and its associated minimum standards adopted across the entire organisation
  • CIO and IT organisations empowered to enforce architecture and standards
  • government ministers and internal IT leaders must be co-stakeholders to collaborate and have voice on long term IT strategy
  • change management processes ensure rigour in operations
  • financial models and budgets adopted
  • opportunity to provide shared services and / or outsourced
“good” architecture...?
effective procurement
     • encourage a diverse supply-side marketplace
         – avoid over-dependency on a limited number of
           big suppliers
     • distinct architecture / procurement models:
         – core architecture services
         – operational infrastructure services
         – applications and application services
     • effective enterprise architecture creates:
         – new approach to supplier selection, time
           horizons and selection criteria for each
         – reduced dependence on the classic challenge
           of outsourcing the end to end infrastructure
         – lower complexity allowing for smaller, local
           suppliers, lower costs and improved flexibility
           and versatility.
applying the GAP principles in
         government

     •   Governance
          – IT is a service provider to government and the citizen.
          – agencies and information technology organisations need to be
            intimately linked to national policy priorities through managed
            engagement processes.
          – the Chief Information Officer (CIO) requires real authority. A pan-
            government CIO role must exist and needs effective authority to
            mandate information and architecture standards across government.
     •   architecture
           – the future of government is networked. Adoption of architectures
             based on XML and underlying internet standards maximises flexibility
             and improves speed of delivery of new government services.
     •   procurement
          – architecture is the foundation. A long term strategic model is required
            for core architecture procurement
          – Service orientation in architecture enables flexibility. Shorter term
            tactical models enhance opportunities for local technology providers
          – Service Level Agreements alone do not guarantee success – good
            governance and architecture are required to enable effective shared
            service models
recommended changes
• establish:
   – an IT investment council as a component of the
     government executive office
   – an applications committee, as a subset of the IT
     investment council, to prioritise and maintain
     applications portfolio
   – an architecture advisory group to ensure compliance
   – a technical advisory group to advise on technical
     matters, including infrastructure strategy compliance
   – a programme-project management office to ensure
     PPM compliance
   – a project review board for each major project
... the UK
... could do better?
• The UK is “apparently a world leader in ineffective IT
  schemes for government”

• Dunleavy et al observe that:
   – “.... a large number of projects have been scrapped in the last
     decade, with significant losses of complete investments or with
     partial write-offs of investment. This record is closely associated
     with a pattern of price rises in contracts over implementation
     periods and of significantly less functionality for implemented
     systems than initially expected.”

   (Source: Dunleavy, P., Margetts, H., Bastow, S., Tinkler, J. Digital Era Governance. Oxford University Press, 2008)
... could do better?
• “... the greater the power of the IT industry,
  the less effective the performance of
  government IT has been.”
  – (Source: Dunleavy, P., Margetts, H., Bastow, S., Tinkler, J. Digital Era Governance. Oxford
    University Press, 2008 (p130))

• just 11 companies provide 80% of public
  sector business in the ICT sector
  – (Source: House of Commons Public Accounts Committee, Twenty-Seventh Report,
    Session 2004-05, 6 April 2005)

• 2010 … just 1 company with c. 60% of all
  public sector IT business …?
new realities of the “intelligent state”

  • in the digital age, you don't need to own or hold everything yourself in order to provide an integrated service
      – you can exploit each other's investments (across public/private sectors – and the “personal sector”): the outcome, for once, can be greater than the sum of the parts ...
      – ... and the citizen lives at the centre

http://www.cps.org.uk/cps_catalog/it%27s%20ours.pdf
... a flashback to last century

the evolving Internet

(figure: the Internet evolving through three stages: Informational, Transactional, Personal)

  “Are social computing themes like user-generated content and communication fundamentally changing the rules of business? We think they are—in a big way.”
  Forrester Research
the Internet as grid
        • it’s not just the Web
        • the Internet drives
          services, not Web sites
        • the Internet as grid
          changes everything
enabled by Internet evolution

(figure: example platform: Xbox Live)

evolution: Web Services and APIs are evolving 1st party web sites into rich, serious development platforms for next generation Internet applications

benefits:
  • shorter time to delivery
  • better reliability
  • wider syndication
  • broader, more compelling experiences
  • support for multiple devices
(figure: public policy and technology)
the existing focus

• server consolidation
• the development of a common structure for servers
  and applications
• automating the deployment of servers and
  applications within that common structure
• improving overall security, data protection and
  privacy practices (including at the local, regional or
  branch office level)
• improving security through improved identity
  management
• virtualisation and rationalisation in the data centre
• desktop and mobile platform optimisation
• driving down the 76% of IT budget costs spent on IT
  services
(figure: Government, provider/producer centric view: Education, Tax, Welfare, Health, ...etc, each facing the citizen separately)
From                                To
  • Function oriented                 • Process oriented
  • Build to last                     • Build to change
  • Prolonged development cycles      • Incrementally built and deployed
  • Internal focus                    • External and internal focus
  • Application silos                 • Orchestrated solutions
  • Tightly coupled                   • Loosely coupled
  • Object oriented                   • Message oriented
  • Known implementation              • Abstraction

Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
(figure: Current Focus: an Internal User served by separate Business Functions A, B, C ... X. Future Focus: User Processes A, B, C cut across those business functions and serve an External User)

Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
(figure: the Government Gateway as the hub connecting Local Government, Central Government, Businesses and Voluntary Organisations)
the architecture in 2004 ...

(figure: layered architecture)
  • Users (PC, web site, helpdesk application) reach a presentation layer; applications aggregate the services into a presentation channel for specific business processes
  • message bus (Internet/GSI): the GSI and the Internet provide the common message bus
  • a growing number of “headless” web services sit on the bus: Gateway STS, Gateway A&A, Gateway TxE, secure messaging, payments
  • the Gateway provides mediation for the non-web services world, via the hub and spoke transactional model: three Gateway DIS nodes, each connected to a Dept

Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
... the proposed next step

(figure: layered architecture, next step)
  • Users (PC, web site, helpdesk application) reach the presentation layer over the message bus (Internet/GSI)
  • Gateway STS, Gateway A&A, Gateway TxE, secure messaging and payments remain on the bus
  • new services are added into the pool (rules)
  • departments directly expose their own services onto the bus (Dept)
  • the Gateway continues to provide mediation for the non-web services world, via the hub and spoke model: two Gateway DIS nodes, each connected to a Dept

Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
... the end goal?

(figure: layered architecture, end goal)
  • Users (PC, web site, helpdesk application) reach the presentation layer over the message bus (Internet/GSI)
  • depts adopt busses internally: each Dept runs its own message bus with rules
  • Gateway STS, Gateway A&A, secure messaging and payments remain on the bus
  • other trusted credentials are supported: a Trusted STS alongside the Gateway STS
  • legacy hub and spoke is deprecated

Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
http://www.makeitbetter.org.uk/
http://www.makeitbetter.org.uk/?page_id=298
http://wiki.idealgovernment.com/IdealGovernmentITStrategy
http://wiki.idealgovernment.com/governance
key issues
• how do we get public sector IT to where it
  needs to be?
• how do we keep “lights on” while ensuring
  new projects are conceived and delivered in
  new ways?
• how do we do things in new ways without
  risking failures in the transition period?
http://www.direct.gov.uk/en/index.htm
http://www.gateway.gov.uk/
http://www.hmrc.gov.uk/index.htm
... come and contribute!



http://wiki.idealgovernment.com/IdealGovernmentITStrategy
privacy and security
whatever happened to privacy anyway ...?

(figure: a personal profile assembled from everyday data sources)
  • subscribes to Vodaphone (source: mobile phone)
  • shops at Morrisons (source: loyalty card and credit card)
  • overweight (source: connected bathroom scales)
  • alcoholic (source: The Red Lion EPOS)
  • iPod owner (source: RFID tag)
  • fashion victim (source: street CCTV)
we need trust in our digital lives

  • any systems – private or public sector – need to:
      – recognise the importance of the rule of law, security, and privacy and other core democratic freedoms in contributing to trustworthiness
      – honour European values such as privacy, freedom of expression, protection of minorities, freedom of association, and freedom of belief
  • the public sector has a key role in overall governance and compliance in support of these important values

https://trustworthyict.inteco.es/
http://www.think-trust.eu/general/news-events/riseptis-report-published.html
… not this …
… or this …
security

  • high public awareness of security issues
  • the Internet is a great medium for committing crime
      – global reach
      – anonymity
      – lack of traceability
  • profits for committing crimes are going up
  • time to exploit is decreasing
not a great model either …

(figure: a payment card)
  • front: your name, bank account number, sort code number … (conveniently embossed for easy skimming)
  • back: … your signature, “security code” and “automated hacking magnetic strip”
improvements
http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

technology vulnerabilities

(figure: vulnerability statistics)
source: http://www.cenzic.com/
other vulnerabilities
time to exploit

(figure: vulnerability lifecycle timeline)
  • product ship
  • vulnerability discovered
  • vulnerability made public / component fixed
  • fix deployed
  • fix deployed at customer site
  annotation over the stages between public disclosure and deployment at the customer site: “Most attacks occur here (why does this gap exist?)”
an evolving threat

(figure: threat actors plotted by motivation against expertise)
  motivation (vertical axis): Curiosity, Personal Fame, Personal Gain, National Interest
  expertise (horizontal axis): Script-Kiddy, Undergraduate, Expert, Specialist
  actors: Vandal, Author, Trespasser, Thief, Spy
  annotations: “Largest segment by $ spent on defence” (placed near Spy / National Interest); “Largest area by $ lost” and “Fastest growing segment” (placed near Thief / Personal Gain); “Largest area by volume” (placed near Trespasser / Personal Fame)
botnets

  • “botnets serve various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet owner community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines (commonly university, corporate, and even government machines).”

Wikipedia

botnets

http://www.thinq.co.uk/news/2010/2/11/battle-of-the-botnets-breaks-out/
http://www.computerworld.com.au/index.php/id;481069848
forensics of a virus

(figure: Blaster timeline)
  • July 1, Report: vulnerability reported to us / patch in progress
      – vulnerability in RPC/DCOM reported
      – MS activated highest level emergency response process
  • July 16, Bulletin: bulletin & patch available, no exploit
      – MS03-026 delivered to customers (7/16/03)
      – continued outreach to analysts, press, community, partners, government agencies
  • July 25, Exploit: exploit code in public
      – X-focus (Chinese group) published exploit tool
      – MS heightened efforts to get information to customers
  • Aug 11, Worm: worm in the wild
      – Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”)

Blaster shows the complex interplay between security researchers, software companies, and hackers
Source: Microsoft
honeypot projects

   • six computers attached to Internet
       – different versions of Windows, Linux and Mac OS
   • over the course of one week
       – machines were scanned 46,255 times
       – 4,892 direct attacks
   • no up-to-date, patched operating systems
     succumbed to a single attack
   • all down rev systems were compromised
       – Windows XP with no patches
       – infested in 18 minutes by Blaster and Sasser
       – within an hour it became a "bot"
           Source: StillSecure,
           see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html
example security engineering response: the Security Development Lifecycle

(figure: SDL phases and their activities)
  • Requirements: product inception (assign resource, security plan)
  • Design: threat modeling (models created; mitigations in design and functional specs); design (design guidelines applied, security architecture, security design review, ship criteria agreed upon)
  • Implementation: guidelines & best practices, coding standards, testing based on threat models, tool usage; security docs & tools (customer deliverables for secure deployment)
  • Verification: security push (security push training, review threat models, review code, attack testing, review against new threats, meet signoff criteria)
  • Release: Final Security Review (FSR) (review threat models, penetration testing, archiving of compliance info); RTM & deployment (signoff)
  • Response: security response feedback loop (tools/processes, postmortems, SRLs)
a technology framework
• secure infrastructure
    – safeguards that protect against malware, intrusions and unauthorised
      access to personal information, and help protect systems from evolving
      threats
• identity and access control
    – systems that help protect personal information from unauthorised
      access or use, and provide management controls for identity access and
      provisioning
• data encryption
    – safeguards that protect sensitive personal information by converting it
      into ciphertext that can only be read with a key held by an authorised
      recipient
• document protection
    – protection of personal information stored in documents throughout the
      entire life cycle of the document
• auditing and reporting
    – monitoring to verify the integrity of systems and data in compliance
      with business policies
not citizen centric – password fatigue
phishing & phraud

  Source: http://www.antiphishing.org

  The number of unique phishing reports submitted in the third quarter of 2009
  reached an all-time high of 40,621.

  The number of unique phishing websites detected during the third quarter of
  2009 reached a new record in August with 56,362.
the impact of phishing



  • most people are spoofed
     – over 60% have visited a fake or spoofed site
  • people are tricked
     – over 15% admit to having provided personal data
  • targets for spoofing attacks
     – banks, credit card companies, web retailers, online auctions (eBay)
       and mortgage companies
  • economic loss for a small number of people
     – slightly more than 2%
     – average cost of $115



                                        Source: TRUSTe
outcome of social engineering


  typical information posted on hacker forum
      First name: XXXXXXXXXX
      Lastname: XXXXXXXXXXX
      Address: XXXXXXXXXXX
      City: BALTIMORE
      State: MD
      Zipcode: 21211
      Phone: 410-XXXX-XXXX
      SSN: XXX-XX-XXXX
      Driver's license: XXXXXXXXXXXXX
      DOB: X-XX-19XX
      Cardnumber: XXXXXXXXXXX
      Expiry Date: XX-XXXX
      CVV2: XXX
      ATM Pin: XXXX
      Paypal email: XXXXXX@yahoo.com
      Paypal Password :XXXXXXXXXXX
      IP address: XXX.XXX.XXX.XXX
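The record above is the classic "fullz" package: card number, CVV2, SSN, DOB and credentials for one person in one posting. Any one of those fields on its own is weak evidence of a breach; together they are a high-confidence indicator. As an added example, not from the slides, the following Python detector (standard library only) shows how a DLP or forum-monitoring rule would score text of this shape: field patterns plus a Luhn check to separate real card numbers from random digit strings, and a co-occurrence rule to raise severity only when the fields appear together. The sample posting, the patterns and the severity thresholds are all constructed for the example; 4111111111111111 is a well-known test card number that passes the Luhn check.

```python
import re

# Constructed sample in the shape of the forum posting above; every value is made up.
SAMPLE_POST = """\
First name: Alice
Lastname: Example
City: BALTIMORE
State: MD
Zipcode: 21211
Phone: 410-555-0199
SSN: 123-45-6789
DOB: 1-01-1976
Cardnumber: 4111111111111111
Expiry Date: 12-2011
CVV2: 123
ATM Pin: 4321
Paypal email: alice@example.com
Paypal Password: hunter2
"""

# Field detectors (assumed patterns): each names the kind of data it matches.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,19}\b"),          # candidate card numbers
    "cvv": re.compile(r"\bCVV2?\s*:\s*\d{3,4}\b", re.I),
    "pin": re.compile(r"\bPin\s*:\s*\d{4,6}\b", re.I),
    "dob": re.compile(r"\bDOB\s*:", re.I),
    "password": re.compile(r"\bPassword\s*:", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Card-number candidates that pass Luhn; spaces or dashes inside the number are tolerated."""
    found = []
    for m in PATTERNS["pan"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Which PII kinds a block of text carries, and whether they co-occur as a full identity package."""
    kinds = {k for k, p in PATTERNS.items() if k != "pan" and p.search(text)}
    pans = find_pans(text)
    if pans:
        kinds.add("pan")
    # A card number with its CVV plus an SSN or DOB in the same record is the
    # "fullz" pattern and warrants an alert; a lone number is only a weak signal.
    fullz = bool("pan" in kinds and "cvv" in kinds and ({"ssn", "dob"} & kinds))
    severity = "high" if fullz else ("medium" if "pan" in kinds or "ssn" in kinds else "low")
    return {"kinds": sorted(kinds), "pans": pans, "severity": severity}


if __name__ == "__main__":
    print(classify(SAMPLE_POST))
```

The Luhn check matters in practice: order references, serial numbers and tracking IDs are 13 to 19 digits long too, and without the checksum a pattern-only rule drowns analysts in false positives. The co-occurrence rule is the other half: a posting that pairs a valid card number with its CVV and the holder's SSN is exactly what the slide shows, and is worth a different response from a stray number in a log line.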
some issues ...
  • the economics of computing makes the
    collection, storage, analysis and
    dissemination of data cost effective (e.g.,
    spam)
  • there is often a tension between
    government and regulatory requirements,
    business strategies, and citizen/customer
    expectations
      – Security and Privacy can be both synergistic
        and antagonistic
  • new technologies raise important privacy
    concerns (e.g., biometrics, GPS)
  • what constitutes an “invasion of privacy”
    may be unclear and may be dependent on
    local laws and customs
privacy technologies
    •   Anti-Spam and Anti-Spyware
    •   Rights Management
    •   Filtering Technologies
    •   Authentication Technologies
    •   Parental Controls, Pop Up
        Blockers, Phorm-blocker, Junk
        Email, Ad Blockers, etc.
today - commonplace
  • fingerprints
    – commonplace: from Disney to your
      PocketPC to US Visit to your home
      PC keyboard and mouse
    – increasingly a commodity item
today – less common
    • iris recognition
      – working in limited contexts:
         • airports
         • UAE
tomorrow?
   • commoditised biometrics – from our gait to our DNA ...?
source: fishenden.com
reminder - outcome of social engineering

  typical information posted on hacker forum (as shown above): first name, last name,
  address, city, state, zipcode, phone, SSN, driver's license, DOB, card number,
  expiry date, CVV2, ATM PIN, PayPal email, PayPal password, IP address
• so will biometrics be any different from
  biographics… ?
     Internet hacker forum
        RH Index Finger Image (JPEG2000): XXXXXXXXXXX
        L Eye Iris Image (JPEG2000) : XXXXXXXXXXX
        L Eye Iris Image (RAW): XXXXXXXXXXX
        …..

• … if using our biometrics becomes routine,
  they become open to universal capture by
  third parties
         – not just technology – “protocols” too
             » who is entitled to take and store our biometrics?
             » what happens when “everyone” has them ?
criminalisation of the Internet
           • greater use and greater value attract
             professionalised international
             criminal fringe
              – dysfunctional, ad-hoc nature of
                identity patchwork
              – phishing and pharming (“phraud”) at
                1000% CAGR

           • the ad hoc nature of internet
             identity cannot withstand the
             growing assault of professionalised
             attackers
              – we can predict a deepening public
                crisis
towards an identity metasystem
        • diverse needs of players mean integrating
          multiple constituent technologies

        • not the first time we’ve seen this in computing
            – think back to things as basic as abstract display
              services made possible through device drivers

        • we need a unifying “identity metasystem”
            – protect applications from complexities of systems
            – allow digital identity to be loosely coupled

        • avoid need to agree on dominant technologies a
          priori – they will emerge from the ecosystem
the Laws of Identity
the “laws”

  User Control and Consent
     Digital identity systems must only reveal information identifying a user
     with the user’s consent.
     (the user decides which information to reveal to another party)

  Limited Disclosure for Limited Use
     The solution which discloses the least identifying information and best
     limits its use is the most stable, long-term solution.
     (systems don’t disclose more information than is necessary in a given context)

  The Law of Fewest Parties
     Digital identity systems must limit disclosure of identifying information
     to parties having a necessary and justifiable place in a given identity
     relationship.
     (systems disclose identity data only to those with a necessary and
     justifiable place in the relationship)

  Directed Identity
     A universal identity metasystem must support both “omnidirectional”
     identifiers for use by public entities and “unidirectional” identifiers
     for private entities, thus facilitating discovery while preventing
     unnecessary release of correlation handles.
     (supports both broadcast identifiers for public entities and
     “unidirectional” identifiers for private ones)

  Pluralism of Operators and Technologies
     A universal identity metasystem must channel and enable the interworking
     of multiple identity technologies run by multiple identity providers.
     (works across multiple technologies run by different identity providers,
     including government)

  Human Integration
     A unifying identity metasystem must define the human user as a component
     integrated through protected and unambiguous human-machine communications.
     (works with and is usable by real people)

  Consistent Experience Across Contexts
     A unifying identity metasystem must provide a simple consistent experience
     while enabling separation of contexts through multiple operators and
     technologies.
     (behaves the same way wherever and however you use it)
the 'laws' define a citizen-centric metasystem

  [diagram: “Me” at the centre, connected to:]
    Applications: existing & new
    Technologies: X509, Kerberos
    Devices: PCs, mobile, phone
    Individuals: work & consumer
    Businesses
    Organisations
    Governments
Mr Cameron suggests rethinking the whole issue ...

   ... the second principle, says Mr Cameron, should be to keep down the risk
   of a breach by using as little information as possible to achieve the task
   in hand. This approach, which he calls “information minimalism”, rules out
   keeping information “just in case”.

   Third, identity systems must be able to check who is asking for the
   information, not just hand it over.

   ... the final principle is a thorough understanding of the human factor

Source: The Economist, Feb 16th-22nd 2008
minimal disclosure tokens / U-Prove
minimal disclosure tokens: basics

  the full record the issuer holds about the user, and which a conventional
  credential would carry in its entirety:
    Name:       Alice Smith
    Address:    1234 Crypto, Seattle, WA
    Status:     gold customer
    DOB:        03-25-1976
    Reputation: high
    Gender:     female

minimal disclosure tokens: basics

  relying party: “Prove that you are from WA and over 21”
  the user presents an over-21 proof and the WA attribute only; Name, Address,
  DOB, Status, Reputation and Gender are not released
  an observer asking “Which adult from WA is this?” gets no answer from the token

authenticated anonymity

  relying party: “Prove that you are a gold customer”
  the user presents Status: gold customer only; Name and Address are not released

unlinkable data sharing

  the user’s full record:
    Name:    Alice Smith
    Address: 1234 Crypto, Seattle, WA
    Status:  gold customer
  what a relying party is given:
    UserID: Alice S.
    City:   Seattle, WA
  No unwanted linkages: the partial data handed out cannot be linked back to
  the full record
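The three slides above (over-21 proof, authenticated anonymity, unlinkable sharing) are the “Limited Disclosure for Limited Use”, “Fewest Parties” and “Directed Identity” laws made concrete. As an added example, not from the slides and not U-Prove’s own protocol, the following Python (standard library only) shows the mechanics in their simplest form: the issuer commits to each attribute under a fresh salt and signs only the commitments; the holder opens just the attributes a relying party needs; the verifier checks each opening against the signed commitment. Assumptions, all mine: an HMAC under a key the verifier shares with the issuer stands in for the issuer’s public-key signature; the over-21 predicate is precomputed by the issuer as an attribute, whereas U-Prove can prove it from a DOB that stays hidden; and unlinkability between showings is approximated by issuing a batch of single-use tokens, whereas U-Prove’s blind issuance also keeps the issuer from linking a token back to its issuance.

```python
import hashlib
import hmac
import json
import os

# Constructed issuer key. An HMAC under a key shared with the verifier stands in for
# the issuer's public-key signature so the example runs on the standard library alone.
ISSUER_KEY = os.urandom(32)


def commit(name: str, value: str, salt: str) -> str:
    """Salted hash commitment to one attribute; without the salt the value cannot be guessed."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def issue_token(attributes: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Issuer: commit to every attribute under a fresh salt and sign only the commitments.
    The signature therefore says nothing about the values until the holder opens them."""
    salts = {n: os.urandom(16).hex() for n in attributes}
    commitments = {n: commit(n, attributes[n], salts[n]) for n in attributes}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    # values and salts stay with the holder; they are never sent wholesale
    return {"commitments": commitments, "signature": signature,
            "salts": salts, "attributes": dict(attributes)}


def present(token: dict, reveal: list) -> dict:
    """Holder: send the signed commitment set plus openings for the chosen attributes only."""
    return {"commitments": token["commitments"], "signature": token["signature"],
            "disclosed": {n: (token["attributes"][n], token["salts"][n]) for n in reveal}}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY):
    """Verifier: check the issuer's signature, then each opened value against its commitment.
    Returns the disclosed attributes, or None if anything fails."""
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    disclosed = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if commit(name, value, salt) != presentation["commitments"].get(name):
            return None
        disclosed[name] = value
    return disclosed


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations built from the same token share a signature: a correlation handle."""
    return p1["signature"] == p2["signature"]


def demo():
    # Constructed record matching the slide's Alice Smith. The issuer precomputes the
    # over-21 predicate here; U-Prove proper can prove it from a DOB that stays hidden.
    alice = {"name": "Alice Smith", "address": "1234 Crypto, Seattle, WA",
             "dob": "03-25-1976", "state": "WA", "over_21": "true",
             "status": "gold customer"}
    batch = [issue_token(alice) for _ in range(2)]  # one single-use token per showing
    bar = present(batch[0], ["state", "over_21"])   # "prove you are from WA and over 21"
    shop = present(batch[1], ["status"])            # "prove you are a gold customer"
    reuse = present(batch[0], ["status"])           # same token shown twice: linkable
    return verify(bar), verify(shop), linkable(bar, shop), linkable(bar, reuse)


if __name__ == "__main__":
    print(demo())
```

The check a practitioner should take from `linkable` is that minimal disclosure and unlinkability are separate properties: hiding the unneeded attributes does nothing if the same signed blob is shown to every relying party, because the signature itself becomes the correlation handle that the Directed Identity law warns about. Fresh tokens per showing close that gap between relying parties; only a blind-issuance scheme such as U-Prove also closes it against the issuer.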
… and at the macro level
    • fundamental reform of the
      policymaking process:
      – ensure technological and scientific
        evidence is gathered and understood
        prior to legislation being brought
        forward
         • eg avoid ‘the Identity Cards Act’ model,
           where the mechanism/solution (cards) is
           fused with the objective and policy
           outcome
    • don’t plan based on what you can
      see in the rear-view mirror
intelligent environments
          • office, home and public buildings
            running embedded technologies:
             – controlling lighting, heating
               (energy efficiency) and security
             – entertainment (music/film etc
               following you around the house)
             – dynamically moving calls and
               content between desk/mobile
               phones, PCs other devices
          • public environments
             – knowing you’re there
             – telling you what’s available
re-thinking form factors & devices
MyLifeBits

  [diagram: MyLifeStore connected to the Internet]

  Gordon Bell, Microsoft Research, http://www.mylifebits.com
information security and privacy
embedded in the systems lifecycle
the transition from basic to dynamic security
  maturity levels: Basic -> Standardized -> Rationalized -> Dynamic

  Technology
    Basic:        patch status of desktops is unknown; no unified directory for access mgmt
    Standardized: multiple directories for authentication; limited automated software distribution
    Rationalized: automated identity and access management; automated system management
    Dynamic:      self-provisioning and quarantine-capable systems ensure compliance and high availability

  Process
    Basic:        IT processes undefined; complexity due to localized processes and minimal central control
    Standardized: central admin and configuration of security; standard desktop images defined, not adopted by all
    Rationalized: SLAs are linked to business objectives; clearly defined and enforced images, security, best practices
    Dynamic:      self-assessing and continuous improvement; easy, secure access to info from anywhere on the Internet

  People
    Basic:        IT staff taxed by operational challenges; users come up with their own IT solutions
    Standardized: IT staff trained in best practices such as MOF, ITIL, etc.; users expect basic services from IT
    Rationalized: IT staff manages an efficient, controlled environment; users have the right tools, availability, and access to info
    Dynamic:      IT is a strategic asset; users look to IT as a valued partner to enable new business initiatives

  Cost per PC
    Basic: $1320   Standardized: $580   Rationalized: $230   Dynamic: < $100
“CardSpace”
  • enables users to use multiple identity systems
  • based on Web services
  • usable by any application
CardSpace features
  • strong 2-way authentication
  • enhanced privacy
    – at user’s discretion, store personal information on PC/Phone/Device or in “the cloud”
    – fully informed disclosure
    – multiple personas, a mirror of the real world
Web services and identity
  • WS-* family of open Web Services protocols
  • developed by Microsoft, IBM and others
  • designed to connect multiple identity systems
  • anyone can implement on any platform
  • CardSpace is one implementation – a Java implementation already exists, and others are committing to support it:
    – Novell and IBM have announced the Higgins project: an open source implementation
    – OpenID is being supported by many players
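The three CardSpace properties above (informed disclosure of only the claims asked for, a distinct persona per relying party, and a token the relying party can check before trusting it) are easier to reason about in code. The following is an added example written for this page; it is not code from the talk, from CardSpace or from the Higgins project. It assumes a JSON token in place of a SAML one and an HMAC-SHA256 signature over a key the identity provider shares with each relying party in place of an XML signature; the user record, keys and relying-party names are constructed for the example.

```python
# Added example, not from the talk and not CardSpace's own code: a minimal
# claims-based exchange in the style the slides describe. The identity
# provider (IdP) releases only the claims a relying party (RP) asked for,
# scoped to that RP and time-limited, and signs them; the RP checks the
# signature, audience and lifetime before trusting any claim. A per-RP
# pairwise identifier stands in for CardSpace's private personal identifier,
# so two RPs cannot correlate the same user ("multiple personas").
# Assumptions (not in the original): JSON instead of a SAML token, and
# HMAC-SHA256 over a key shared between IdP and each RP instead of an
# XML signature. All names, keys and profile data below are constructed.
import base64
import hashlib
import hmac
import json
import time

# Constructed: the IdP's full record for one user (an RP never sees all of it).
USER_PROFILE = {
    "name": "Alice Example",
    "email": "alice@example.test",
    "address": "1234 Crypto, Seattle, WA",
    "status": "gold customer",
    "date_of_birth": "1980-01-01",
}
# Constructed: IdP master secret for deriving pairwise identifiers.
IDP_PPID_SECRET = b"idp-master-secret-for-ppid-derivation"
# Constructed: one signing key per relying party, shared out of band.
RP_KEYS = {
    "https://shop.example.test": b"key-shared-with-shop",
    "https://bank.example.test": b"key-shared-with-bank",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_id(user_id: str, rp_id: str) -> str:
    """Same user, a different but stable pseudonym for every relying party."""
    mac = hmac.new(IDP_PPID_SECRET, f"{user_id}|{rp_id}".encode(), hashlib.sha256)
    return b64url(mac.digest()[:16])


def issue_token(user_id, profile, rp_id, requested_claims, now=None, ttl=300):
    """IdP side: assert only the requested claims, bound to rp_id and a lifetime."""
    now = int(time.time() if now is None else now)
    unknown = set(requested_claims) - set(profile)
    if unknown:
        raise ValueError(f"cannot assert unknown claims: {sorted(unknown)}")
    body = {
        "sub": pairwise_id(user_id, rp_id),
        "aud": rp_id,
        "iat": now,
        "exp": now + ttl,
        "claims": {c: profile[c] for c in requested_claims},  # nothing else leaks
    }
    payload = b64url(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(RP_KEYS[rp_id], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url(sig)}"


def verify_token(token, rp_id, now=None):
    """RP side: reject a bad signature, wrong audience or expired token; else return the body."""
    now = time.time() if now is None else now
    payload, sig = token.split(".")
    expected = hmac.new(RP_KEYS[rp_id], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    body = json.loads(unb64url(payload))
    if body["aud"] != rp_id:  # defence in depth should two RPs ever share a key
        raise ValueError("token issued for a different relying party")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("token expired or not yet valid")
    return body


def forge_claim(token, claim, new_value):
    """What a user or attacker might try: edit a claim but keep the old signature."""
    payload, sig = token.split(".")
    body = json.loads(unb64url(payload))
    body["claims"][claim] = new_value
    return f"{b64url(json.dumps(body, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    shop, bank = "https://shop.example.test", "https://bank.example.test"
    tok = issue_token("alice", USER_PROFILE, shop, ["status", "address"], now=t0)
    print("shop sees:", verify_token(tok, shop, now=t0 + 10)["claims"])
    attempts = [(tok, bank, t0 + 10), (tok, shop, t0 + 400),
                (forge_claim(tok, "status", "platinum customer"), shop, t0 + 10)]
    for bad, rp, when in attempts:
        try:
            verify_token(bad, rp, now=when)
        except ValueError as err:
            print("rejected:", err)
```

The shop receives the two claims it asked for and the pseudonym derived for it; the bank, given the same token, cannot even verify the signature, and if it could, the audience check would still refuse it. Editing the "status" claim without the IdP's key fails the signature check, and the same user shows up under different identifiers at the two sites, which is the "multiple personas" property without any correlation handle.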
if we can get this right ...?
privacy and security restored?
summary
  • privacy and security need to be designed in partnership
  • both are parts of an ecosystem
  • online digital identity and “The Laws” are making headway into online privacy and security
  • better design is required – especially as we enter the pervasive age
what next?
new modes of interaction, experience
  • touch
  • immersive visualisation
  • speech
  • handwriting
visualisation in the real world
[video]
... the future workstation?
surface computing
  • display-centric
  • direct input
  • multi user
  • tangible objects
blending of physical and virtual interaction
source: fishenden.com
Source: “Sketching User Experiences”, Bill Buxton
iCube
Virtual playground
mining
the virtual museum
[video]
object recognition
[video]
Source: Microsoft Research
augmented bowl
[video]
Source: Microsoft Research
future healthcare ?
[video]
“The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn”
Rethinking the Future, Alvin Toffler
... vision
Source: Private Eye, 7th Feb 1962
... reality?
Source: Private Eye, 7th Feb 1962
conclusion
thesis: we lack a consensus on, and balance of:

                  - public policy
            - technological aptness
                 - citizen benefit
... and what role will you play ...?
... thank you.

     IT perspectives
             Jerry Fishenden
Director, Centre for Technology Policy Research
           Visiting Senior Fellow, LSE

            j.fishenden@lse.ac.uk
                blog: ntouk.com

  • 3. thesis: we lack a consensus on, and balance of: - public policy - technological aptness - user benefit
  • 14. the myth of fast technology Source: “Sketching User Experiences”, Bill Buxton
  • 15. The Everett Rogers Technology Adoption Lifecycle model
  • 16. prediction horizons • 3-5 years: – highly predictable – products already in development • 5-10 Years: – relatively predictable – basic technologies identified • 10-15 years: – less predictable – new basic technologies will disrupt – trends are the only guide
  • 17. the myth of fast technology • the mouse – invented c.1964 • the CD – c.1965 • the fax – c.1843 • LCDs – c.1888
  • 19. World Bank Experience • “Information system projects appear to have an alarmingly high failure rate, even in developed countries — half of large implementations fail, half suffer disputes.” • “It is estimated that more than 80 percent of World Bank projects have an informatics component. Many of these components meet essential development needs. It is vital therefore, that they are planned and implemented to bring lasting benefit.” World Bank, 2004
  • 21. some challenges • governance • competing needs of many diverse stakeholders • more demands than capacity • everyone is an IT expert • architecture • rapidly increasing systems complexity • delivering new services increases complexity • operations and maintenance budget growing • procurement • severe budget and cost control pressures • procurement cycles not responsive to organisational need
  • 22. why governments should lead in effective use of IT • IT is an important enabler of improved service delivery and effectiveness • government use of IT can drive private sector adoption and capacity building • effective use of IT drives local market for IT skills and service provision • in the UK, government accounts for around 55% of all IT expenditure ….
  • 23. the GAP principles Governance • IT is a service provider to the business - business units and information technology organisations need to be intimately linked through managed engagement processes. • the Chief Information Officer (CIO) requires real authority - CIOs need effective authority to mandate architecture standards across organisational boundaries. Architecture • the future of business is networked – adoption of architectures based on XML and underlying internet standards maximise flexibility and improve speed of delivery of new services. Procurement • architecture is the foundation - a long term strategic model is required for core architecture procurement • service orientation in architecture enables flexibility – shorter term tactical models can be used to procure from smaller, local or specialized suppliers • Service Level Agreements alone do not guarantee success – good governance and architecture are required to enable effective operations outsourcing
  • 24. IT governance IT governance is about assigning decision rights and creating an accountability framework that encourages desirable behaviour in the use of IT (Source: CISR (Center for Information Systems Research), Sloan School of Management, MIT, and Gartner EXP) CISR also states that IT governance should cover five IT domains: • IT ‘maxims’ or policies • IT infrastructure strategy • IT architecture • Business application portfolio management • IT investment and prioritisation. Source: CISR & Gartner EXP
  • 25. assessing IT governance Score yourself from 1 to 4 (1 = not at all, 4 = completely) for each of: – We follow a set of agreed IT policies – We follow an agreed IT infrastructure strategy – We enforce agreed architecture standards – Applications are managed to an agreed portfolio strategy – IT investment is prioritised according to a government policy framework – We follow an agreed procurement policy – We follow a standard project management methodology – We carry out post implementation benefits analysis and review Your total score and the status of your governance: 00 to 08 Poor, needs serious attention; 09 to 16 Good start, could be improved; 17 to 24 Good, keep improving; 25 to 32 Very good, little room for improvement
  • 26. characteristics of effective governance • an agreed definition of architecture and its associated minimum standards adopted across the entire organisation • CIO and IT organisations empowered to enforce architecture and standards • government ministers and internal IT leaders must be co-stakeholders to collaborate and have voice on long term IT strategy • change management processes ensure rigour in operations • financial models and budgets adopted • opportunity to provide shared services and / or outsourced
  • 28. effective procurement • encourage a diverse supply-side marketplace – avoid over-dependency on a limited number of big suppliers • distinct architecture / procurement models: – core architecture services – operational infrastructure services – applications and application services • effective enterprise architecture creates: – new approach to supplier selection, time horizons and selection criteria for each – reduced dependence on the classic challenge of outsourcing the end to end infrastructure – lower complexity allowing for smaller, local suppliers, lower costs and improved flexibility and versatility.
  • 29. applying the GAP principles in government • Governance – IT is a service provider to government and the citizen. – agencies and information technology organisations need to be intimately linked to national policy priorities through managed engagement processes. – the Chief Information Officer (CIO) requires real authority. A pan- government CIO role must exist and needs effective authority to mandate information and architecture standards across government. • architecture – the future of government is networked. Adoption of architectures based on XML and underlying internet standards maximise flexibility and improve speed of delivery of new government services. • procurement – architecture is the foundation. A long term strategic model is required for core architecture procurement – Service orientation in architecture enables flexibility. Shorter term tactical models enhance opportunities for local technology providers – Service Level Agreements alone do not guarantee success – good governance and architecture are required to enable effective shared service models
  • 30. recommended changes • establish: – an IT investment council as a component of the government executive office – an applications committee, as a subset of the IT investment council, to prioritise and maintain applications portfolio – an architecture advisory group to ensure compliance – a technical advisory group to advise on technical matters, including infrastructure strategy compliance – a programme-project management office to ensure PPM compliance – a project review board for each major project
  • 32. ... could do better? • The UK is “apparently a world leader in ineffective IT schemes for government” • Dunleavy et al observe that: – “.... a large number of projects have been scrapped in the last decade, with significant losses of complete investments or with partial write-offs of investment. This record is closely associated with a pattern of price rises in contracts over implementation periods and of significantly less functionality for implemented systems than initially expected.” (Source: Dunleavy, P., Margetts, H., Bastow, S., Tinkler, J. Digital Era Governance. Oxford University Press, 2008)
  • 33. ... could do better? • “... the greater the power of the IT industry, the less effective the performance of government IT has been.” – (Source: Dunleavy, P., Margetts, H., Bastow, S., Tinkler, J. Digital Era Governance. Oxford University Press, 2008 (p130)) • just 11 companies provide 80% of public sector business in the ICT sector – (Source: House of Commons Public Accounts Committee, Twenty-Seventh Report, Session 2004-05, 6 April 2005) • 2010 … just 1 company with c. 60% of all public sector IT business …?
  • 34. realities of the “intelligent state” • in the digital age, you don't need to own or hold everything new yourself in order to provide an integrated service – you can exploit each other's investments (across the public/private sectors – and the “personal sector”): the outcome, for once, can be greater than the sum of the parts ... – ... and the citizen lives at the centre
  • 36. ... a flashback to last century
  • 37. the evolving Internet (diagram: Informational, Transactional, Personal) “Are social computing themes like user-generated content and communication fundamentally changing the rules of business? We think they are—in a big way.” Forrester Research
  • 38. the Internet as grid • it’s not just the Web • the Internet drives services, not Web sites • the Internet as grid changes everything
  • 39. enabled by Internet evolution (Xbox Live evolution) Web Services and APIs are evolving 1st party web sites into rich, serious development platforms for next generation Internet applications benefits: • shorter time to delivery • broader, more compelling experiences • better reliability • support for multiple devices • wider syndication
  • 41. public policy technology
  • 42. the existing focus • server consolidation • the development of a common structure for servers and applications • automating the deployment of servers and applications within that common structure • improving overall security, data protection and privacy practices (including at the local, regional or branch office level) • improving security through improved identity management • virtualisation and rationalisation in the data centre • desktop and mobile platform optimisation • driving down the 76% of IT budget costs spent on IT services
  • 43-44. Government (provider/producer centric view): Education, Tax, Welfare, Health ...etc, with the citizen at the far end (diagram)
  • 45. From → To
    – Function oriented → Process oriented
    – Build to last → Build to change
    – Prolonged development cycles → Incrementally built and deployed
    – Internal focus → External and internal focus
    – Application silos → Orchestrated solutions
    – Tightly coupled → Loosely coupled
    – Object oriented → Message oriented
    – Known implementation → Abstraction
    Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
  • 46. (diagram) Current Focus: an internal user works across separate Business Functions A, B, C and X. Future Focus: User Processes A, B and C span those business functions, serving internal and external users. Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
  • 48-49. (diagram) the Government Gateway connecting Local Government, Central Government, Businesses and Voluntary Organisations
  • 51. the architecture in 2004 ... (diagram)
    – Users reach a presentation layer (PC, web site, helpdesk, application); applications aggregate the services into a presentation channel for specific business processes
    – message bus (Internet/GSI): the GSI and the Internet provide the common message bus
    – a growing number of “headless” web services on the bus: Gateway secure messaging, payments, STS, A&A, TxE
    – the Gateway provides mediation for the non-web services world, via the hub and spoke transactional model: Gateway DIS to each Dept
    Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
  • 52. ... the proposed next step (diagram)
    – new services are added into the pool directly
    – departments expose their own services onto the bus (the presentation layer now includes PC, web site, helpdesk, rules and application)
    – the Gateway continues to provide mediation for the non-web services world, via the hub and spoke model
    Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
  • 53. ... the end goal? (diagram)
    – depts adopt busses internally
    – other trusted credentials are supported (a Trusted STS alongside the Gateway STS)
    – legacy hub and spoke is deprecated
    Source: “Building the Agile Department: a Service Oriented Architecture for Government”. Jerry Fishenden, April 2004. Report for Inland Revenue and the Cabinet Office.
  • 60. key issues • how do we get public sector IT to where it needs to be? • how do we keep “lights on” while ensuring new projects are conceived and delivered in new ways? • how do we do things in new ways without risking failures in the transition period?
  • 64. ... come and contribute! http://wiki.idealgovernment.com/IdealGovernmentITStrategy
  • 66. whatever happened to privacy anyway ...?
  • 67. (diagram: a profile inferred from everyday data sources) subscribes to Vodafone (source: mobile phone); shops at Morrisons (source: loyalty card and credit card); overweight (source: connected bathroom scales); alcoholic (source: The Red Lion EPOS); iPod owner (source: RFID tag); fashion victim (source: street CCTV)
  • 68. we need trust in our digital lives • any systems – private or public sector – need to: – recognise the importance of the rule of law, security, and privacy and other core democratic freedoms in contributing to trustworthiness – honour European values such as privacy, freedom of expression, protection of minorities, freedom of association, and freedom of belief • the public sector has a key role in overall governance and compliance in support of these important values
  • 71. … or this
  • 72. security • high public awareness of security issues • the Internet is a great medium for committing crime • global reach • anonymity • lack of traceability • profits for committing crimes are going up • time to exploit is decreasing
  • 73. not a great model either … (image of a bank card, annotated) … your name, bank account number, sort code number … (conveniently embossed for easy skimming) … your signature, 234 “security code” and “automated hacking magnetic strip”
  • 78. time to exploit (timeline: product ship → vulnerability discovered → vulnerability made public / component fixed → fix deployed → fix deployed at customer site; annotation: “Most attacks occur here (why does this gap exist?)”)
  • 79. an evolving threat (diagram: attacker skill from Script-Kiddy through Undergraduate and Expert to Specialist, against motivation from Curiosity through Personal Fame and Personal Gain to National Interest, with actor types Vandal, Author, Trespasser, Thief and Spy; annotations: Spy / National Interest is the largest segment by $ spent on defence, Thief / Personal Gain is the largest area by $ lost, and the diagram also marks the fastest growing segment and the largest area by volume)
  • 80. botnets • “botnets serve various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet owner community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines (commonly university, corporate, and even government machines).” Wikipedia
  • 81. botnets http://www.thinq.co.uk/news/2010/2/11/battle-of-the-botnets-breaks-out/
  • 83. forensics of a virus (timeline)
    – July 1: vulnerability reported to us / patch in progress, no exploit. Report: vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
    – July 16: bulletin & patch available. Bulletin: MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
    – July 25: exploit code in public. Exploit: X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
    – Aug 11: worm in the wild. Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”)
    Blaster shows the complex interplay between security researchers, software companies, and hackers Source: Microsoft
  • 84. honeypot projects • six computers attached to Internet – different versions of Windows, Linux and Mac OS • over the course of one week – machines were scanned 46,255 times – 4,892 direct attacks • no up-to-date, patched operating systems succumbed to a single attack • all down rev systems were compromised – Windows XP with no patches – infested in 18 minutes by Blaster and Sasser – within an hour it became a "bot" Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html
  • 85. example security engineering response: the Security Development Lifecycle (diagram, phases left to right)
    – Requirements: Product Inception (assign resource, security plan)
    – Design: design guidelines applied, security architecture, security design review, ship criteria agreed upon; Threat Modeling (models created, mitigations in design and functional specs)
    – Implementation: Guidelines & Best Practices (coding standards, testing based on threat models, tool usage); Security Docs & Tools (customer deliverables for secure deployment); Security Push (security push training, review threat models, review code, attack testing, review against new threats, meet signoff criteria)
    – Verification: Final Security Review (FSR) (review threat models, penetration testing, archiving of compliance info)
    – Release: RTM & Deployment (signoff)
    – Response: security response; feedback loop (tools/processes, postmortems, SRLs)
  • 86. a technology framework • secure infrastructure – safeguards that protect against malware, intrusions and unauthorised access to personal information, and help protect systems from evolving threats • identity and access control – systems that help protect personal information from unauthorised access or use, and provide management controls for identity access and provisioning • data encryption – safeguards that protect sensitive personal information by converting data into incomprehensible code that requires a key held by an authorised recipient to decode • document protection – protection of personal information stored in documents throughout the entire life cycle of the document • auditing and reporting – monitoring to verify the integrity of systems and data in compliance with business policies
  • 87. not citizen centric – password fatigue
  • 88. phishing & phraud Source: http://www.antiphishing.org – the number of unique phishing reports submitted in the third quarter of 2009 reached an all-time high of 40,621 – the number of unique phishing websites detected during the third quarter of 2009 reached a new record in August with 56,362
  • 90. the impact of phishing • most people are spoofed – over 60% have visited a fake or spoofed site • people are tricked – over 15% admit to having provided personal data • target for spoofing attacks – banks, credit card companies, Web retailers, online auctions (e-bay) and mortgage companies. • economic loss for a small number of people – slightly more than 2% – average cost of $115 dollars Source: TRUSTe
  • 91. outcome of social engineering typical information posted on hacker forum First name: XXXXXXXXXX Lastname: XXXXXXXXXXX Address: XXXXXXXXXXX City: BALTIMORE State: MD Zipcode: 21211 Phone: 410-XXXX-XXXX SSN: XXX-XX-XXXX Driver's license: XXXXXXXXXXXXX DOB: X-XX-19XX Cardnumber: XXXXXXXXXXX Expiry Date: XX-XXXX CVV2: XXX ATM Pin: XXXX Paypal email: XXXXXX@yahoo.com Paypal Password :XXXXXXXXXXX IP address: XXX.XXX.XXX.XXX
  • 92. some issues ... • the economics of computing makes the collection, storage, analysis and dissemination of data cost effective (e.g., spam) • there is often a tension between government and regulatory requirements, business strategies, and citizen/customer expectations – Security and Privacy can be both synergistic and antagonistic • new technologies raise important privacy concerns (e.g., biometrics, GPS) • what constitutes an “invasion of privacy” may be unclear and may be dependent on local laws and customs
  • 93. privacy technologies • Anti-Spam and Anti-Spyware • Rights Management • Filtering Technologies • Authentication Technologies • Parental Controls, Pop Up Blockers, Phorm-blocker, Junk Email, Ad Blockers, etc.
  • 94. today - commonplace • fingerprints – commonplace: from Disney to your PocketPC to US Visit to your home PC keyboard and mouse – increasingly a commodity item
  • 95. today – less common • iris recognition – working in limited contexts: • airports • UAE
  • 96. tomorrow? • commoditised biometrics– from our gait to our DNA ...?
  • 98. reminder - outcome of social engineering typical information posted on hacker forum First name: XXXXXXXXXX Lastname: XXXXXXXXXXX Address: XXXXXXXXXXX City: BALTIMORE State: MD Zipcode: 21211 Phone: 410-XXXX-XXXX SSN: XXX-XX-XXXX Driver's license: XXXXXXXXXXXXX DOB: X-XX-19XX Cardnumber: XXXXXXXXXXX Expiry Date: XX-XXXX CVV2: XXX ATM Pin: XXXX Paypal email: XXXXXX@yahoo.com Paypal Password :XXXXXXXXXXX IP address: XXX.XXX.XXX.XXX
  • 99. • so will biometrics be any different from biographics… ? Internet hacker forum RH Index Finger Image (JPEG2000): XXXXXXXXXXX L Eye Iris Image (JPEG2000) : XXXXXXXXXXX L Eye Iris Image (RAW): XXXXXXXXXXX ….. • … if using our biometrics becomes routine, they become open to universal capture by third parties – not just technology – “protocols” too » who is entitled to take and store our biometrics? » what happens when “everyone” has them ?
  • 100. criminalisation of the Internet • greater use and greater value attract professionalised international criminal fringe – dysfunctional, ad-hoc nature of identity patchwork – phishing and pharming (“phraud”) at 1000% CAGR • the ad hoc nature of internet identity cannot withstand the growing assault of professionalised attackers – we can predict a deepening public crisis
  • 101. towards an identity metasystem • diverse needs of players mean integrating multiple constituent technologies • not the first time we’ve seen this in computing – think back to things as basic as abstract display services made possible through device drivers • we need a unifying “identity metasystem” – protect applications from complexities of systems – allow digital identity to be loosely coupled • avoid need to agree on dominant technologies a priori – they will emerge from the ecosystem
  • 102. the Laws of Identity
  • 103-110. the “laws” (slides 104 to 110 build up the same seven laws, adding a plain-English gloss to each)
    – User Control and Consent: Digital identity systems must only reveal information identifying a user with the user’s consent. (the user decides which information to reveal to another party)
    – Limited Disclosure for Limited Use: The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution. (systems don’t disclose more information than is necessary in a given context)
    – The Law of Fewest Parties: Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship. (systems disclose identity data only to those with a necessary and justifiable place in the relationship)
    – Directed Identity: A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. (supports both broadcast identifiers for public entities and “unidirectional” identifiers for private ones)
    – Pluralism of Operators and Technologies: A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers. (works across multiple technologies run by different identity providers, including government)
    – Human Integration: A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications. (works with and is usable by real people)
    – Consistent Experience Across Contexts: A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies. (behaves the same way wherever and however you use it)
  • 111. the ‘laws’ define a citizen-centric metasystem [diagram: “Me” at the centre, surrounded by Applications (Work & Consumer), Existing & New Technologies (X509, Kerberos), Devices (PCs, Mobile, Phone) and the parties involved: Governments, Organisations, Individuals, Businesses]
  • 112. Mr Cameron suggests rethinking the whole issue ... the second principle, says Mr Cameron, should be to keep down the risk of a breach by using as little information as possible to achieve the task in hand. This approach, which he calls “information minimalism”, rules out keeping information “just in case”. Third, identity systems must be able to check who is asking for the information, not just hand it over. ... the final principle is a thorough understanding of the human factor. Source: The Economist Feb 16th-22nd 2008
  • 114. minimal disclosure tokens: basics [diagram: issued token – Name: Alice Smith; DOB: 03-25-1976; Address: 1234 Crypto, Seattle, WA; Status: gold customer; Reputation: high; Gender: female → presented token – Name: Alice Smith; Address: 1234 Crypto, Seattle, WA; Status: gold customer]
  • 115. minimal disclosure tokens: basics [diagram: relying party asks “Prove that you are from WA and over 21”; token – Name: Alice Smith; Address: 1234 Crypto, Seattle, WA; DOB: 03-25-1976; Status: gold customer; Reputation: high; Gender: female; released – an Over-21 proof only, leaving the relying party asking “Which adult from WA is this?”]
  • 116. authenticated anonymity [diagram: relying party asks “Prove that you are a gold customer”; token – Name: Alice Smith; Address: 1234 Crypto, Seattle, WA; Status: gold customer; the proof establishes gold-customer status without identifying Alice]
  • 117. unlinkable data sharing [diagram: token – Name: Alice Smith; Address: 1234 Crypto, Seattle, WA; Status: gold customer; two relying parties each receive a different subset (UserID: Alice S., City: Seattle, WA in one case; Name: Alice Smith, UserID: Alice S., Address: 1234 Crypto, Seattle, WA, Status: gold customer in the other) and cannot tie them together: no unwanted linkages]
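The selective-disclosure idea behind slides 114-117, as an added illustration that is not part of the deck: a simplified salted-hash scheme (not U-Prove or any product) in which the issuer signs commitments to Alice's claims and she opens only those a relying party needs, with an "over 21" predicate derived at issuance so the date of birth never leaves her wallet. The issuer key, function names and sample card values are constructed for this example.

```python
import hashlib, hmac, json, secrets
from datetime import date

# Constructed stand-in for the issuer's signing key; a real deployment uses an asymmetric signature.
ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"

# Constructed sample matching the slides' Alice Smith card (DOB written ISO-style here).
ALICE = {"name": "Alice Smith", "dob": "1976-03-25", "address": "1234 Crypto, Seattle, WA",
         "state": "WA", "status": "gold customer", "reputation": "high", "gender": "female"}

def _digest(salt, name, value):
    # Salted commitment to one claim: hides the value from anyone who does not hold the salt.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims, issued_on):
    # The issuer derives the predicate claim "over_21" itself, so the holder can later prove
    # the predicate without ever showing the date of birth it was computed from.
    dob = date.fromisoformat(claims["dob"])
    age = issued_on.year - dob.year - ((issued_on.month, issued_on.day) < (dob.month, dob.day))
    full = dict(claims, over_21=age >= 21)
    salts = {name: secrets.token_hex(16) for name in full}
    digests = sorted(_digest(salts[n], n, v) for n, v in full.items())  # sorted: order leaks nothing
    signature = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
    token = {"digests": digests, "signature": signature}
    wallet = {"claims": full, "salts": salts}  # stays with the holder, never sent whole
    return token, wallet

def present(token, wallet, reveal):
    # The holder forwards the signed token plus only the claims it chooses to open.
    disclosed = [(wallet["salts"][n], n, wallet["claims"][n]) for n in reveal]
    return {"token": token, "disclosed": disclosed}

def verify(presentation):
    # The relying party checks the issuer's signature over the commitments, then that every
    # opened claim matches one of them. Returns the accepted claims, or None on any failure.
    token = presentation["token"]
    expected = hmac.new(ISSUER_KEY, json.dumps(token["digests"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return None
    accepted = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in token["digests"]:
            return None
        accepted[name] = value
    return accepted
```

Because the same signed commitment list goes to every relying party, two of them can correlate Alice's presentations; the unlinkable sharing of slide 117 needs per-presentation cryptography in which each proof is unrelated to the last, which this toy scheme does not provide.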
  • 119. … and at the macro level • fundamental reform of the policymaking process: – ensure technological and scientific evidence is gathered and understood prior to legislation being brought forward • e.g. avoid ‘the Identity Cards Act’ model, where the mechanism/solution (cards) is fused with the objective and policy outcome • don’t plan based on what you can see in the rear-view mirror
  • 120. intelligent environments • office, home and public buildings running embedded technologies: – controlling lighting, heating (energy efficiency) and security – entertainment (music/film etc. following you around the house) – dynamically moving calls and content between desk/mobile phones, PCs and other devices • public environments – knowing you’re there – telling you what’s available
  • 122. MyLifeBits [diagram: MyLifeBits, MyLifeStore, Internet] Source: Gordon Bell, Microsoft Research, http://www.mylifebits.com
  • 123. information security and privacy embedded in the systems lifecycle
  • 124. the transition from basic to dynamic security (four stages: Basic → Standardized → Rationalized → Dynamic) • Technology: Basic – patch status of desktops is unknown; no unified directory for access mgmt; Standardized – multiple directories for authentication; limited automated software distribution; Rationalized – automate identity and access management; automated system management and high availability; Dynamic – self provisioning and quarantine capable systems ensure compliance • Process: Basic – IT processes undefined; complexity due to localized processes and minimal central control; Standardized – central admin and configuration of security; standard desktop images defined, not adopted by all; Rationalized – SLAs are linked to business objectives; clearly defined and enforced images, security, best practices; Dynamic – self-assessing and continuous improvement; easy, secure access to info from anywhere on Internet • People: Basic – IT staff taxed by operational challenges; users come up with their own IT solutions; Standardized – IT staff trained in best practices such as MOF, ITIL, etc.; users expect basic services from IT; Rationalized – IT staff manages an efficient, controlled environment; users have the right tools, availability, and access to info; Dynamic – IT is a strategic asset; users look to IT as a valued partner to enable new business initiatives • Cost: Basic $1320/PC; Standardized $580/PC; Rationalized $230/PC; Dynamic < $100/PC
  • 125. “CardSpace” • enables users to use multiple identity systems • based on Web services • usable by any application
  • 126. CardSpace features • strong 2-way authentication • enhanced privacy – at user’s discretion, store personal information on PC/Phone/Device or in “the cloud” – fully informed disclosure – multiple personas, a mirror of the real world
  • 127. Web services and identity • WS-* family of open Web Services protocols • developed by Microsoft, IBM and others • designed to connect multiple identity systems • anyone can implement on any platform • CardSpace is one implementation – a Java implementation already exists, and others are committing to support it: – Novell and IBM have announced the Higgins project: an open source implementation – OpenID is being supported by many players
  • 128. if we can get this right ...?
  • 129. if we can get this right ...? privacy and security restored?
  • 130. summary • privacy and security need to be designed in partnership • both are parts of an ecosystem • online digital identity and “The Laws” are making headway into online privacy and security • better design is required – especially as we enter the pervasive age
  • 132. new modes of interaction, experience: touch, immersive visualisation, speech, handwriting
  • 138. visualisation in the real world [video]
  • 139. ... the future workstation?
  • 141. surface computing • display-centric • multi user • direct input • tangible objects – blending of physical and virtual interaction
  • 145. iCube
  • 147. mining
  • 152. object recognition [video] Source: Microsoft Research
  • 153. augmented bowl [video] Source: Microsoft Research
  • 157. “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn” Rethinking the Future, Alvin Toffler
  • 158. ... vision Source: Private Eye 7th Feb 1962
  • 159. ... reality? Source: Private Eye 7th Feb 1962
  • 161. thesis: we lack a consensus on, and balance of: - public policy - technological aptness - citizen benefit
  • 163. ... and what role will you play ...?
  • 164. ... thank you. IT perspectives Jerry Fishenden Director, Centre for Technology Policy Research Visiting Senior Fellow, LSE j.fishenden@lse.ac.uk blog: ntouk.com