IBM is developing a technology that will give enterprises a deeper understanding of their exposure to privacy problems and automate the process of defining which users are tapping a networks assets and how theyre using them.
The tool is at the forefront of an evolving trend in corporate America in which privacy considerations are beginning to pervade many aspects of organizations operations.
Traditionally, privacy policies have centered on who can view what data. But IBM and other vendors, including Microsoft Corp., have begun using a data-centric model in which policies and procedures are built around a map of where data resides, which applications and processes use it, and where it goes.
"Privacy isnt a binary relationship. Its more circumstantial, based on why you want access to the data," said Steve Adler, global privacy market manager for the Tivoli Software division of IBM, based in Austin, Texas. "You start with the data, not the people."
To that end, IBMs forthcoming tool, which has not yet been named, will help customers develop a map of all their network assets, data paths and employee usage to locate privacy exposures.
The tool will comprise a batch of agents and a central server component, and its methods will be roughly analogous to those of a security vulnerability scanner. The agents will crawl through a network—much like a Web spider does—and touch each device and data path. Theyll report to the server, which will compose a map of the way that data moves among servers, clients and applications, as well as a picture of which employees use which data and in what way. The idea is to develop a business process map depicting all interactions among people and data in an organization.
Customers will use the data to define privacy policies and enforcement procedures.
"The job of understanding privacy exposures is large and onerous. Its rules that govern who has access to what and why," Adler said.
IBM is doing some of this on a limited basis in customer engagements right now, mainly as part of privacy impact assessments. But automating the process will enable customers to handle it themselves.