Risk Assessment


There are various risks in buying, leasing, or subscribing to any Software as a Service (SaaS). The target company is subscribing to IBM Watson Analytics on a monthly basis; therefore, the data security and privacy risks of leasing this service are discussed below. According to a 2015 CIO agenda report, nearly 3000 CIOs surveyed reported fewer security concerns but placed more emphasis on cloud computing and mobile, which are, paradoxically, two major drivers behind IT security (Gartner, n.d.). In general the computer industry has developed technologies and business processes for ongoing security concerns, and will continue to develop stronger defenses to keep data secure. With the cloud, however, another risk takes center stage: data privacy. The story of Edward J. Snowden and his NSA-related revelations highlights privacy issues. (Snowden was an American computer professional, former Central Intelligence Agency employee and former contractor for the US government who copied and leaked classified information from the NSA in 2013 without prior authorization.) Data privacy means keeping our data safe from misuse by authorized users.

Security and privacy are not interchangeable, and we must have both in order to protect our data. So what is the difference, and why is it important to understand in order to complete a risk analysis of utilizing IBM Watson Analytics? Security is keeping the bad guys out; privacy is controlling the access of those who should be, or are allowed, in. Traditionally, IT experts have gotten pretty good at putting up defenses: obfuscating the storage of both data and metadata, using encryption wisely, and employing authentication controls. These are just a few examples of how to ensure that even if someone got into the organization's cloud, the data would be scrambled or otherwise meaningless to the bad guys.

The complexity of information systems means that there are multiple potential points of entry for hackers to disrupt systems and steal information. The most recent example, the Dyn attack, shows that DDoS attackers can successfully take down an entire DNS provider (Land, 2016). DDoS attacks shut down websites by storming them with a devastating load of requests that appear legitimate. The Target attack is an example of the vulnerability of the Internet of Things, as the company was hacked through its HVAC system (Gallaugher, 2015). In a final example, Heartbleed exploited a vulnerability in the open source OpenSSL security software, which is used in two-thirds of websites and embedded in many forms of IoT products. A common function allows servers to do a "handshake" which verifies that they exist and are open for communication. The bug allowed a malicious client to ask the server to confirm it was there and receive in reply a much larger amount of data than it should have, which could contain usernames, passwords or even the digital certificate of a legitimate website. Other security risks pertain to user behaviors that can undermine even the best organizational IT security measures.

Prokesch (2014) describes how a huge number of cybercrimes are assisted by the intentional or unintentional behaviors of employees, contract workers, suppliers, distributors, and others who have legitimate access to an organization's information systems. In fact, 70% of loss-causing security incidents are caused by insiders (Gallaugher, 2015). Social engineering and phishing techniques can be used to con employees into revealing information or performing other tasks that put the firm's security at risk. A few examples of ways to gain unauthorized access: impersonating senior management with fake uniforms or badges; using harassment, guilt or intimidation; setting off a series of false alarms to trick the employee into disabling alarm systems; or using a bogus survey to obtain sensitive information. Another type of attack that has been successful is getting employees to respond to fake messages from hackers claiming to be financial institutions with password keys or other security verification (Gallaugher, 2015).

Healthcare leads all industries in risk for cybercrimes, according to the IBM X-Force Cyber Security Intelligence Index (2016). Three of the top ten cyber breaches in 2015 occurred in the healthcare industry (Lord, 2016). Therefore, UPMC, as a health service organization, has a high probability of security risk and consequence on both reputational and regulatory levels. Revealing patients' private health data would violate HIPAA laws and harm UPMC's reputation for integrity in protecting its patients' confidentiality. This information could be greatly shielded by encryption, since we will be analyzing high-level trends in medication order and utilization without needing to input names or medical histories of individual patients. For trend analysis of which medications are being prescribed in particular cases, we could rely on Watson Analytics' ability to pull abstract patterns from unstructured data, with patient names not required. The database could use encrypted ID numbers that are unrelated to the patients' medical record numbers.
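One way to realize the pseudonymous ID numbers described above, as an added example that is not UPMC's or IBM's code: each medical record number is replaced by a keyed HMAC-SHA256 pseudonym (a keyed one-way mapping rather than reversible encryption), names and dates of birth are dropped, and the key never leaves the site, so the uploaded medication-order rows carry nothing that links back to an MRN. The field names and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Direct identifiers that must never reach the analytics service (assumed field names).
DIRECT_IDENTIFIERS = ("mrn", "patient_name", "dob")

def pseudonymize_mrn(mrn: str, key: bytes) -> str:
    """Map an MRN to a stable pseudonym with HMAC-SHA256.

    The same MRN always yields the same pseudonym under one key, so trends per
    patient can still be followed; without the key the pseudonym cannot be
    reversed or re-derived, so from the cloud's side it is unrelated to the MRN.
    """
    digest = hmac.new(key, mrn.strip().encode("utf-8"), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]  # 64 bits kept: readable, and no collisions at this scale

def deidentify(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of medication-order rows with direct identifiers removed."""
    out = []
    for row in records:
        clean = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        clean["patient_id"] = pseudonymize_mrn(row["mrn"], key)
        out.append(clean)
    return out

def contains_identifiers(records: list[dict]) -> bool:
    """Pre-upload check: True if any direct identifier field survived."""
    return any(k in DIRECT_IDENTIFIERS for row in records for k in row)

# Constructed sample rows (not real patient data).
SAMPLE_ORDERS = [
    {"mrn": "00123456", "patient_name": "Jane Doe", "dob": "1970-01-01",
     "drug": "metformin", "dose_mg": 500, "unit": "3B", "order_date": "2016-10-01"},
    {"mrn": "00123456", "patient_name": "Jane Doe", "dob": "1970-01-01",
     "drug": "lisinopril", "dose_mg": 10, "unit": "3B", "order_date": "2016-10-03"},
    {"mrn": "00987654", "patient_name": "John Roe", "dob": "1965-05-05",
     "drug": "metformin", "dose_mg": 1000, "unit": "4A", "order_date": "2016-10-02"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored on site, never uploaded
    rows = deidentify(SAMPLE_ORDERS, key)
    assert not contains_identifiers(rows)
    for r in rows:
        print(r)
```

Rotating the key breaks linkage with earlier uploads, so the key should be managed like any other long-lived secret on site rather than regenerated per batch.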

Bossert, Richter & Weinberg (2015) discuss how secure enterprise architecture begins with an initial security assessment of capabilities according to threat level. Employing a "castle keep" architecture can provide a low probability for a high-consequence leak, while allowing somewhat higher probabilities for lower-consequence leaks. While we could encrypt patient data as described above, any data even partly based on individual patient records could be treated as the most sensitive and confidential. First, employees will not be accessing the Watson database through a mobile device, which eliminates the highest-probability source of leaks. Second, we will explore how we can minimize the amount of highly confidential data backed up on hard drives. Bossert, Richter & Weinberg recommend not having local data stored on a laptop; instead all classified information would be accessible only from a master-data database, on demand, by authorized systems. We will have the data backed up in the cloud and on one or more master computer hard drives onsite. The discussion on monitoring ALL access to ALL data is directly related to data protection and privacy. IBM reduces the risk of a breach of highly confidential data by providing protection in multiple forms at multiple levels (IBM Knowledge Center, 2015), including Web Application Server level security, System Level Security, Collection Level Security, Document Level Security, Encryption, and finally various protocols implemented to prevent a hacker from gaining access to data while it is in transit.



Today, in a world swamped with tremendous data, IBM Watson Analytics is a prominent emerging artificial intelligence tool that can crack problems and make decisions that legacy and traditional programming cannot offer. IBM Watson learns over time from the data fed into the cloud-based software. The associated risks derive from feeding IBM Watson with information. Cloud computing hosted by a third party means handing information over to that third party to manage and store, where it could be prone to cybercrime attacks. "We're heading toward a world of near perfect Data, where 'perfect' means everything that happens is recorded and available for someone to mine" (Niccolai, 2015). IBM Watson Analytics is used to mine and analyze structured and unstructured data produced by internet users. Thus, data professionals feeding and using Watson Analytics have to find a risk-benefit balance between protecting individuals' and businesses' privacy and using this data to make money (Vaughan, n.d.). Because the IoT is connecting nearly every organization, threats of losing information might come from anywhere: employees, social engineering, phishing, infections of the system (Gallaugher, 2016). However, Watson Analytics seems to give reassurance about the confidentiality and security of data thanks to its advanced technology (IBM, 2016).

Dealing with masses of big data for purposes of analysis, tracking and reporting creates several risks, as explained above. It is essential to protect data, especially when business operations are online or in the cloud. The ISP, cloud host or any third-party entity may gain access and cross the lines drawn by federal, agency or state privacy regulations for individuals, organizations or privileged information, as in our case dealing with UPMC and their supply chain. The probability of external access could be high and the consequences critical if sensitive data is not managed professionally with data access tools, security software, passwords and a high degree of attention to detail, so as to prevent not only unauthorized access but also intrusion by viruses or outside attacks. The risk is mitigated by IBM Watson's internal security features. However, in regard to information security, Gallaugher (2016) notes that "A firm's technology development and deployment processes must also integrate with the security team to ensure that from the start, applications, databases, and other systems are implemented with security in mind." Without appropriate security measures, all the value assessed up to this point can potentially be worthless. In the value analysis we discuss the cost effectiveness and value of using IBM Watson. This includes in part the value of IBM's reputation and the security protection that IBM offers as a provider of SaaS with a reputable cloud service.

https://www.youtube.com/watch?v=wI84CjHMKhk




REFERENCES

Bossert, O, Richter, W., & Weinberg, A. (2015, March). Protecting the enterprise with cybersecure IT architecture. Retrieved from http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-the-enterprise-with-cybersecure-it-architecture

Gartner. (n.d.). Gartner Executive Programs: Flipping to Digital Leadership (CIO Agenda Insights 2015). Retrieved November 18, 2016, from http://www.gartner.com/imagesrv/cio/pdf/cio_agenda_insights2015.pdf

IBM Knowledge Center. (2016). Security in IBM Watson Content Analytics. Retrieved from https://www.ibm.com/support/knowledgecenter/SS5RWK_3.5.0/com.ibm.discovery.es.ad.doc/iiysasecure.htm

Land, M. (2016, October 22). Massive internet attacks impact millions. Pittsburgh Post-Gazette, print edition, p. 1.

Lord, N. (2016, October 11). The top 10 biggest data breaches of 2015. Retrieved from https://digitalguardian.com/blog/top-10-biggest-data-breaches-2015

Niccolai, J. (2014). Say hello to IBM Watson's 'perfect data' -- and goodbye privacy. Retrieved from http://www.computerworld.com/article/2986301/servers/say-hello-to-ibm-watsons-perfect-data-and-goodbye-privacy.html

Vaughan, J. (n.d.). Access vs. privacy: Information ethics issues confront data pros. Retrieved from http://searchdatamanagement.techtarget.com/opinion/Access-vs-privacy-Information-ethics-issues-confront-data-pros
