IBM Tool Roots Out Privacy Flaws

IBM is developing a technology that will give enterprises a deeper understanding of their exposure to privacy problems and automate the process of defining which users are tapping a networks assets and how theyre using them.

The tool is at the forefront of an evolving trend in corporate America in which privacy considerations are beginning to pervade many aspects of organizations operations.

Traditionally, privacy policies have centered on who can view what data. But IBM and other vendors, including Microsoft Corp., have begun using a data-centric model in which policies and procedures are built around a map of where data resides, which applications and processes use it, and where it goes.

“Privacy isnt a binary relationship. Its more circumstantial, based on why you want access to the data,” said Steve Adler, global privacy market manager for the Tivoli Software division of IBM, based in Austin, Texas. “You start with the data, not the people.”

To that end, IBMs forthcoming tool, which has not yet been named, will help customers develop a map of all their network assets, data paths and employee usage to locate privacy exposures.

The tool will comprise a batch of agents and a central server component, and its methods will be roughly analogous to those of a security vulnerability scanner. The agents will crawl through a network—much like a Web spider does—and touch each device and data path. Theyll report to the server, which will compose a map of the way that data moves among servers, clients and applications, as well as a picture of which employees use which data and in what way. The idea is to develop a business process map depicting all interactions among people and data in an organization.

/zimages/3/28571.gifRead why eWEEK Labs Cameron Sturdevant feelsprivacy is good business.

Customers will use the data to define privacy policies and enforcement procedures.

“The job of understanding privacy exposures is large and onerous. Its rules that govern who has access to what and why,” Adler said.

IBM is doing some of this on a limited basis in customer engagements right now, mainly as part of privacy impact assessments. But automating the process will enable customers to handle it themselves.

Next page: Software vendors slow to embrace privacy protection.

Page Two

Software vendors in general have been slower to come around to the need for privacy protection and related tools than they have to the need for security. However, Microsoft, in Redmond, Wash., for one, uses an internal system known as the Privacy Health Index to score individual groups on compliance with established privacy policies for the software development process. Low scores can lead to budget cuts or projects being canceled altogether.

Privacy advocates say IBM is on the right track with its approach and say it may encourage other companies to follow suit.

“Privacy has been slow around the technology side. Its been glacial movement. I hope some of this takes a faster track,” said Ari Schwartz, associate director of the Center for Democracy and Technology, in Washington. “The first step in protecting privacy is knowing where the data goes to and from. The goal is using data effectively. Companies are realizing privacy isnt just customers yelling and screaming—it can be used to pick up business.”

The new tool from IBM is one piece of a larger privacy initiative that includes the development of EPAL (Enterprise Privacy Authorization Language), an emerging standard for privacy policies, and upgrades to the Tivoli Privacy Manager product. IBM next year plans to release a plug-in for Privacy Manager that will be able to monitor SAP AG implementations. More monitors will be forthcoming next year, as will more pilot implementations of EPAL.

Discuss This in the eWEEK Forum