
This week Robin Bloor and his team of analysts consider European data protection laws, RSA's take on joined-up security and nano advances...
Published: 30 June 2003 08:43 BST
The European Commission recently published its first report on the implementation of the Data Protection Directive. Unsurprisingly, the Commission concludes that the Directive does not require any modification or updating - it was how the individual member states interpreted it that created the difficulties! To quote: "The levels of compliance, enforcement and awareness are not at an acceptable level." But there is no definition of what is deemed "acceptable". Certainly the average citizen is unaware of their rights as a data subject unless, perhaps, he or she has failed a credit application and consequently taken a credit reference agency to task. Of more concern is the potential misuse of medical information. "Know your rights" is a mantra worth adopting.
The Commission wants to see a greater number of "Codes of Conduct" published, especially in the context of data held by employers and the disciplines imposed on employees. It is keen to instigate EU-level investigations as a method of enforcement, while recognising that most supervisory authorities have insufficient resources, which handicaps effective policing. Greater adoption of privacy enhancing technologies is proposed, with a certification scheme for accredited tools that effectively depersonalise data records. Yes, there is a stipulation that historical, scientific and research data may be reconstituted, but additional safeguards may be imposed. Beware if you contravene your previously supplied 'notification' or 'processing' classifications.
The processing of sound and image data gets a mention, with special emphasis on video surveillance data. It was a live internet broadcast from a Swedish pub that led the Swedish regulator to impose the rule that all customers had to give express consent before their faces were televised and that no back-up tapes are allowed. In other countries, the retention of a supermarket's CCTV data - unless required as evidence in criminal proceedings - requires customer consent. The Commission fears that multimedia techniques and processes will outstrip the legal texts and render them unenforceable. Finally, the recommended actions on a number of issues, such as a wider use of exemptions from notification, simplification of the rules governing the transfer of data outside the EU, and making data controllers less bound to respond to access requests where exceptional effort or cost would be incurred, are welcome. What fun awaits those countries now seeking membership.
*Twenty doors*
The nature of security and the growing realisation that the perimeter is dissolving mean that a new approach to securing information systems is required. Anyone familiar with the "twenty-doors" problem will realise that by locking 19 of them you have not got 95 per cent security but 0 per cent: an attacker needs only the one door left open. You have to see the whole picture. At the moment, the rush to capitalise on web services has stalled because many organisations fear they may be setting themselves up for security breaches and fraud. As the use of XML and web services increases, the need for comprehensive security solutions becomes even more critical. As companies look to use web services strategically across the enterprise, they will find that enterprise-wide identity and access management, coupled with robust security policy administration and enforcement, are essential precursors to building enterprise-class service-oriented architectures. The basic premise is that those organisations able to deploy web services in an environment in which applications launched by a trusted user or system can seamlessly transact with multiple applications and enterprises are going to see more rapid time-to-market of new products and services than their competitors. The argument is that tightly coupled security mechanisms, which would otherwise protect transactions across the web between multiple applications and enterprises, are inflexible and incompatible with the service-oriented approach. The problem is that the service-oriented approach exposes organisations to new risks that current security solutions, from firewalls to SSL, cannot mitigate: a firewall sees only network addresses and ports, and SSL protects the channel, but neither can say whether the authenticated caller is entitled to invoke this particular operation on this particular message. This means looking at the problem slightly differently. While not the first to talk of security as a service, RSA is one of the first companies to talk about it in the context of applications rather than as an outsourced activity.
RSA has announced a web services approach designed to enable organisations to deploy applications securely, based on a common framework for establishing and managing identity - an essential constituent of trust. Another example of how solutions are emerging in this space is Tivoli. Its architecture is very much a trust-broker middleware layer in which trust services (in the form of identity management) are accessed by applications that need to verify identities. This is in many respects similar to the approach recently adopted by Entrust. In a loosely coupled environment, where applications could to all intents and purposes be self-service, the ability to detach security decisions from the applications themselves is very important. Instead, the security decisions are made by a business service to which the applications refer, themselves on a self-service basis. Equally important is the ability to express policy in business terms and convert it accurately to machine-readable form. This means that decisions are made not merely on the basis of who is trying to access what, but against the business context of the action at a given point in the process. It is these factors that are driving security towards the service model, and thankfully some vendors are beginning to deliver at least parts of the solution.
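As an added illustration (not RSA's, Tivoli's or Entrust's code, and not part of the original column), here is the pattern described above reduced to a few dozen lines of Python: the application acts as a policy enforcement point and hands every access decision to a separate policy decision point; policy is held as data in business-readable rules; the decision takes the business context (process stage, order value) into account as well as the caller's identity; and anything no rule explicitly permits is denied, which is the twenty-doors lesson applied to authorisation. The subjects, roles, stages and thresholds are invented for the example.

```python
"""Externalised authorisation, in outline.

OrderService is a policy enforcement point (PEP): it holds no access logic of
its own and asks a policy decision point (PDP), decide(), about every request.
Policy is plain data written as business-readable rules, so it can be changed
without touching the application. Anything no rule permits is denied.
All subjects, roles, stages and thresholds are invented for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str          # identity asserted by the trust/identity service
    roles: frozenset      # attributes of that identity
    action: str           # what the caller wants to do
    resource: str         # on what
    context: dict = field(default_factory=dict)  # business context: stage, amount...


def request(subject, roles, action, resource, **context):
    """Convenience constructor for a Request."""
    return Request(subject, frozenset(roles), action, resource, dict(context))


# Policy as data. Each rule's "name" is the statement a business owner would
# sign off; the remaining keys are the machine-readable form of that statement.
POLICY = [
    {"name": "clerks may create orders",
     "action": "create", "resource": "order", "roles": {"clerk"}},
    {"name": "managers may approve submitted orders up to 10,000",
     "action": "approve", "resource": "order", "roles": {"manager"},
     "stage": "submitted", "max_amount": 10_000},
    {"name": "finance may approve reviewed orders of any value",
     "action": "approve", "resource": "order", "roles": {"finance"},
     "stage": "reviewed"},
]


def rule_matches(rule, req):
    """True only if every clause of the rule is satisfied by the request."""
    if rule["action"] != req.action or rule["resource"] != req.resource:
        return False
    if not rule["roles"] & req.roles:
        return False
    if "stage" in rule and req.context.get("stage") != rule["stage"]:
        return False
    if "max_amount" in rule:
        amount = req.context.get("amount")
        # Missing or malformed context is never assumed to be within limits.
        if not isinstance(amount, (int, float)) or amount > rule["max_amount"]:
            return False
    return True


def decide(req, policy=POLICY):
    """The PDP: ("permit", rule name) for the first matching rule, otherwise
    ("deny", reason). Default deny is what makes the twentieth door count."""
    for rule in policy:
        if rule_matches(rule, req):
            return "permit", rule["name"]
    return "deny", "no rule permits this request"


class OrderService:
    """A web service that owns no authorisation logic of its own (the PEP)."""

    def __init__(self, pdp=decide):
        self._pdp = pdp
        self.audit = []   # every decision is recorded, permit or deny

    def approve_order(self, req):
        decision, reason = self._pdp(req)
        self.audit.append((req.subject, req.action, req.resource, decision, reason))
        if decision != "permit":
            raise PermissionError(f"{req.subject}: {reason}")
        return f"order approved by {req.subject}"


if __name__ == "__main__":
    svc = OrderService()
    print(svc.approve_order(request("alice", ["manager"], "approve", "order",
                                    amount=5_000, stage="submitted")))
    try:
        svc.approve_order(request("alice", ["manager"], "approve", "order",
                                  amount=50_000, stage="submitted"))
    except PermissionError as e:
        print("denied:", e)
    for entry in svc.audit:
        print(entry)
```

The point to notice is what the service does not contain: no role checks, no thresholds, no knowledge of the approval workflow. Changing who may approve what, or at which stage, is an edit to POLICY that every application consulting the PDP picks up at once, and a request that arrives without the context a rule needs (no stage, no amount) is refused rather than waved through.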
*Nano nano*
Nanotechnology is becoming a fashionable technology topic. Indeed, it is awakening active investment interest and participation from financial institutions, venture capital companies and mainstream institutional investors alike. Even the UK government recently announced plans for an independent study to examine the benefits and risks. Why is this happening now? Current technologies will reach their practical commercial limitations over this decade. A breakthrough beyond these constraints opens up a huge range of business opportunities for investors, technology companies and, principally, end users, both commercial and retail consumers. Some of the strongest proponents of nanotechnology view it as "a new industrial revolution" in which machines operate on a microscopic scale. What are the drivers behind it? This is where there must be some unease. Investors and technologists alike want a share of the commercial success which they believe will derive from early technical and subsequent commercial success with this technology. They are seeking a slice of the action. Should we be cautious? The critical issue is to understand the technologies which provide and deliver commercial applications for nanotechnology; otherwise the delivery is nothing more or less than pure research, of intellectual value but unproven commercial application. The commercial benefits and applications of nanotechnology must be examined in the very specific confines of the business to which it is intended to apply them. Is this yet another dot-com bubble? Bubbles like that are created when greed and enthusiasm substitute for analysis and understanding. Viewing nanotechnology in terms of blanket commercial applications to enhance the power of technology operating on a microscopic scale is dangerously simplistic. The danger lies in the possibility of hype from investors, pundits and poorly informed commentators.
Education and briefing from technology experts and independent analysts should be applied and will go some way to dispelling any myths about the technology and presenting its application in an appropriate and realistic context.
Bloor Research is a leading independent analyst organisation in Europe. You can find out more at www.bloor-research.com or by emailing mail@bloor-research.com.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.