Security, privacy and IP in the 2.0 Enterprise

(Bear with me here for a while; this is something I am mulling over in relation to an nGenera research project called REC, Reinventing End-user Computing. I am doing a teleconference on security, privacy and IP later today with Kimberly Hatch and other colleagues at nGenera and need to bloviate a bit to get in the mood.)

About a year ago, I told a class of executive students that we were about to start a research project in nGenera about how to get the IT department out of the PC business – about how end users should be able to get their own computers (purchased in the consumer marketplace, with significantly cheaper and only slightly less durable laptops) to their own preferences (Wintel, Mac, *nix, Symbian, whatever). This move was instigated by some of our larger customers and was at least to some degree driven by the need to let the Facebook generation keep their favorite toys and communities even though they now have to do some actual work for a living.

I was very surprised at the reaction. The students – many of them IT managers – were almost visceral in their condemnation. This would never work: end users are technically incompetent when it comes to fiddling with updates and viruses, and hopelessly naïve when it comes to keeping information confidential when it is supposed to be, and available, backed up and up to date when that is required. Withdrawing the IT department behind a browser window and opening the floodgates was no less than fiduciary irresponsibility.

How things change. This year I made the same suggestion to a similar, slightly more business-oriented audience – and although many of them held the same opinion, a number of them thought it was something to think about. Some even saw it as an inevitability – a technical change no less momentous than the move from mainframes to PCs, only this time it behooves the IT department to lead rather than follow.

One comment stuck with me: While it is getting technically and economically possible to do everything in the cloud, the questions of security (which now, for most companies, is its own department), privacy (at least in Europe, a separate responsibility also), information management and intellectual property are nowhere near a working solution. There are many approaches and products, but so far no working consensus and few repeatable patterns have emerged.

The purpose of this note is to philosophize a little on these issues, and invite a discussion on how to handle these questions. See it as a draft, a kind of braindump badly in need of some structure and tighter conclusions.

Security

Back when I was actually doing IT management as opposed to just writing about it, I was sometimes asked by users how they should protect themselves against viruses. Back then, there weren’t many viruses – but there weren’t many anti-virus programs either. The main vector of infection was diskettes – so I told them that it was sort of similar to the human situation: If you kept the little plastic bag the diskette came with around the diskette as you inserted it into the computer, you would not get any viruses.

You also would not be able to do any work.

And that is still the case: Security is never a question of making something completely secure, but a tradeoff, with user friendliness and usability being the main other variables. Long password requirements beget Post-It notes with passwords neatly stuck under keyboards. Locked-down requirements mean that users will do the work on their private laptops, sometimes with pirated software, and then transfer their work to the oh-so-secure work machine with a memory stick (one of my students, an IT consultant, had three client laptops which were so limited that he ended up doing most of his work on his own MacBook Pro). Challenge-and-response systems with ID calculators mean that users delay doing their work because it is too complicated.

A second problem with security and the way it is done now (in most organizations) is that it relies on a moat-and-drawbridge metaphor, assuming that bad users are easily separated from good ones, and that a user is a user is a user. But knowledge workers do many things – they don’t just log into a system, enter some data, and then leave again. They are not even the same users every time they come in – at the business school where I work, we divide users into administrative, faculty and students, but it is not hard to find people who at times are all three – they may be administrative employees teaching a class or two, and at the same time taking a course, for grades.

To deal with this situation, we need to do two things: First, make security an individual responsibility to a larger degree than it is now. Second, implement some sort of identity management infrastructure that can manage identities (who you are) and roles (what you are allowed to do) at all times.
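To make the identity-versus-roles distinction concrete, here is an added example (not code from the original post or from nGenera): a person's identity is stable, while roles are granted per context and can be held in several contexts at once, so the administrative employee who also teaches one course and takes another gets exactly the permissions of each role where that role applies. The role names, permission names, course codes and user names are constructed for the example.

```python
"""Added illustration: one identity, several concurrent roles, scoped to a
context (a course code, or "*" for the whole organization). Permissions in a
context are the union of the roles held there plus organization-wide roles.
Roles, permissions and names are constructed for the example."""
from collections import defaultdict

# Role -> permissions granted by that role. Constructed for this example.
ROLE_PERMISSIONS = {
    "student": {"read_material", "submit_assignment", "view_own_grade"},
    "faculty": {"read_material", "edit_material", "grade_assignment"},
    "admin": {"edit_timetable", "read_personnel_file"},
}


class Identity:
    """Who the person is (user_id) kept apart from what they may do (roles)."""

    def __init__(self, user_id):
        self.user_id = user_id
        # context -> roles held in that context; "*" means organization-wide
        self.assignments = defaultdict(set)

    def grant(self, role, context="*"):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.assignments[context].add(role)

    def revoke(self, role, context="*"):
        # Revocation is per context: losing "student" in one course leaves
        # the other assignments untouched.
        self.assignments[context].discard(role)

    def roles_in(self, context):
        """Roles effective in a context: organization-wide ones plus local ones."""
        return self.assignments["*"] | self.assignments[context]

    def permissions_in(self, context):
        perms = set()
        for role in self.roles_in(context):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def can(self, permission, context="*"):
        """The check an application makes before it acts on the user's behalf."""
        return permission in self.permissions_in(context)


def build_example_identity():
    """The administrative employee from the text: admin everywhere, faculty in
    one course, student in another. Course codes are constructed."""
    person = Identity("alice")
    person.grant("admin")               # administrative employee, organization-wide
    person.grant("faculty", "MKT101")   # teaches a class
    person.grant("student", "FIN200")   # takes a course, for grades
    return person


if __name__ == "__main__":
    alice = build_example_identity()
    for context in ("MKT101", "FIN200"):
        print(context, sorted(alice.roles_in(context)),
              "grade:", alice.can("grade_assignment", context),
              "submit:", alice.can("submit_assignment", context))
```

The point of scoping roles to a context is that the same person can grade in the course she teaches but not in the course she takes; a flat "is faculty" flag would let her do both.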

Personal responsibility will mean that some form of local security must be available to the individual employee. Let me give you an example here: At work, I need to pull my security card 3-5 times to get to my office, depending on which route I take. The system is cumbersome, slow and delays collaboration, so it is frequently bypassed (for instance, when we need to have a meeting with students, we have to let them through manually). Yet there is very little to steal at a business school except private valuables and perhaps computers. This problem could be easily fixed if each employee was given a small safe or locker in their office where they could leave their wallets, and some kind of locking dock for the laptops. Security would then be a matter of locking down your own stuff – and it would instill an individual responsibility that would also make any roaming snoop stick out, door locks or not.

The IS corollary, I would surmise, would be some sort of encrypted online storage for the important stuff, perhaps with some sort of synchronization, such as is done with Google Docs and Google Gears, through a browser window. In Norway, where most banking is now done online, there is now a national system for managing customer IDs. But while the system is widely available, it is not used to its full potential – it tends to be used just for securing logins to the transactional side of an Internet bank, and not as a port key to a wide array of customer-facing applications, as it could be. For European companies, I see little reason not to use these publicly backed infrastructure technologies. For US companies – well, I don’t know what is available. And you still need to somehow set role-based access restrictions (see information management below).

And yes, we need single sign-on, password recovery, password rules, file and stream encryption and all those wonderful things. But they should be provided in a way that is useful and manageable to the end user, so that the total, not just the reported, security level increases.

Here is one article saying we are going overboard on PC security – and here is another one saying the problem is getting out of hand, that the attacks are now coming from professionals rather than juvenile script jockeys, and we are just not taking it seriously enough. The difference? User knowledge and consequence management – the first advocates educated users who take risks and deal with the consequences, the second building technological solutions that allow the users to compute securely. We need both, of course, but I think we need to do the education thing first – for inherently secure protocols and applications are still not widespread. And when they come, the challenge-and-response mechanisms will kick in and the malware authors and phishers will evolve and become more sophisticated.

Privacy

Privacy is a tricky issue in the 2.0 enterprise. Blogs, wikis and community software not only encourage – indeed, demand – that you make an increasing portion of your decisions, opinions and half-finished thoughts available for all to see (and edit). They also make them immortal and findable, and eminently possible to distribute outside the safe walls of the company.

I have heard of a company that installed an advanced search engine which promptly crawled and made searchable every networked workstation and disk in the whole organization – including the personnel files, which contained such things as health information and who had recently executed on their stock options. Not a good thing.

Again, I wonder if the solution – on a conceptual level, at least – lies in letting customers manage their own information, including its dissemination. Setting standards for how to behave and forcing people to share is normally not a good thing – so, instead, make it easy to manage your information, easy to state whether something is personal or not.

Here is an example: I use a shared Lotus Notes calendar for my work, largely because it is the standard for my main workspace. But I have many roles (private person, nGenera, other research projects, consulting gigs) where I need to put detailed information in my calendar. By default, everything you put in your calendar is shared among employees of my main workspace unless you mark it "confidential" (most people only see the time, not the content) or "private" (everyone except you sees only the time, not the content). That is great – except that this marking has to be done manually for each entry. There is no way to apply a "private" setting to a large number of entries, or to set Notes to apply "private" as the standard. I have 12 years of electronic calendar data where at least half the entries are things I don’t want any other employee to see. The only option for me is to close access to my calendar, and open it only for a few secretaries and two or three close colleagues. This, of course, means that others can’t use the multi-user scheduling functionality included in the software – or alternatively, that I risk double-booking because my calendar is not visible.

The problem of privacy is that we have public and private personae, and that the information infrastructure needs to understand that and focus on standards and interfaces, not applications. Almost every collaborative application, including calendaring, takes for granted that the user is employed or engaged with one organization only. But in an enterprise 2.0 world, people do not hang their hat in only one place – and if they do, they may spend so much time deep in their customers’ organizations that they will need to be integrated into that organization’s calendaring and other collaborative information.

Long term, it seems to me that we either need to externalize the calendaring and other applications – in other words, do the equivalent of moving everyone to Google Calendar and MediaWiki – or we need to change collaborative applications from apps to standards. In other words: create APIs for your calendaring applications that allow updates and queries, provide a standard interface, but make sure that the user retains the option of using other ways in, be they cloud-based, synchronized, or some form of semi-connected edit such as an AJAX interface.

(This blog entry, incidentally, is an example of such thinking. If I write this on my blog, nGenera takes my RSS feed and displays it within their blog publishing application, meaning that it will be made visible to my colleagues there (with a "local" form) as well as to everyone else.)

In addition to allowing people to localize those applications that coordinate with, but do not demand immersion in, the company infrastructure, you also need to educate people about how to make choices about what to publish.

I have blogged since 2004 and had a personal web page long before that. My blogs contain my personal views as well as more official stuff, publications, etc. But I very carefully do not give many details about my family (my daughters, for instance, are only named "daughter number X" until they are grownups and get their own blogs). I do not show pictures of my house, or list my private address. I don’t tell when I am going on holiday or for how long. Not that this information is very hard to come by – there are yellow pages and similar things that make it quite easy to find me. The thing is that what is written in silicon may just as well be carved in stone – and my family may one day appreciate that I haven’t trumpeted their information all over cyberspace just because I wanted to show a cute picture or give a very personal example.

Similarly, I also write relatively little about my research projects and nothing on my consulting gigs – unless I either can mask the information in some way, or I get permission to write it.

At the same time, I am careful to put lots of stuff out there. Privacy in cyberspace is less a question of keeping everything about you secret – that battle is largely lost – and more a question of taking charge of your online persona. This goes for companies as well as people – if you never put anything on the Internet, and end up in the newspaper for some stupid traffic infraction or finishing last in a marathon, then that is the only thing people will find out there. Better to create your own site, Facebook page or whatever, and make sure that if you should end up being written about in a way you are not entirely happy with, then at least your own PageRank is high enough that you can get your own version through.

Here is one example: In 2005, I had written a short article in the Norwegian version of PC World, where I talked about Chris Anderson’s article about the Long Tail. Then I got a very scathing email from a small web design company, poking fun at me for what they thought was a mistranslation ("The long tail" translates in Norwegian into "den lange halen", which they thought was a mistranslation of "the long haul"). The company pulled out all the stops and told me they had bet a bottle of red wine on why I had made this error, and wanted to know the precise reason so they could settle who had won the bet. I wrote back that they had misunderstood and that it looked like I had won the bottle. Then I put the whole thing on my blog, and had the satisfaction that when you searched Google for this company’s name, their largely content-free web site came up first – and my blog post as number two. Not a good way to manage your online footprint.

(As for really maintaining privacy, Bruce Schneier, renowned security expert (whose blog should be in the RSS feed of every IS manager, teaching the difference between real and apparent security), raises some interesting points in his discussion of how to create "sleeping" online identities for a time when you might need to erase your history and begin anew.)

If you have nothing on the net, then you are hostage to the first person or company that puts you there.

Information management

Information management changes in the 2.0 enterprise largely by changing the default mode of access from closed to open. Collaborative workspaces, search engines and RSS feeds make information visible, and also make it processable by individuals to a much larger extent than before.

One large company that installed a search engine (not the one mentioned previously) found that all kinds of information suddenly was available across the whole enterprise. This led many managers to request that their department servers be exempted from the search engine crawler as a matter of course. After thinking about it and realizing that this would not further their strategy of information sharing, they are now working on a tagging routine, making each creator of a document responsible for determining its circulation – and for tagging it with keywords to make it easier to find. Of course, everyone else can tag the documents as well – and influence the distribution. This approach – which I will call distributed asset classification – still has risks of inadvertent information leaks, but at least some thought has gone into classifying each single piece, rather than either letting it all hang out or locking it all in.
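Here is an added example (not code from the original post or from the company described) of what such a tagging routine looks like when the search engine itself enforces it: the creator sets a circulation tag on each document, anyone may add keyword tags that make it easier to find, and the index filters every query against the requester before returning hits. The documents, departments, user names and tag syntax are constructed for the example, and one design choice is an assumption not stated in the text: a document the creator forgot to tag circulates only within the creator's own department, so an omission fails closed instead of reproducing the personnel-file leak mentioned earlier.

```python
"""Added illustration of search-time enforcement of creator-set circulation
tags ("distributed asset classification"). Documents, users, departments and
the tag syntax are constructed for the example. Assumption: an untagged
document circulates only within its creator's department."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Document:
    doc_id: str
    creator: str
    creator_dept: str
    text: str
    # Circulation is set by the creator only: "all", "dept:<name>" or
    # "users:<id>,<id>". None means the creator never tagged it.
    circulation: Optional[str] = None
    # Keyword tags may be added by anyone; they affect findability, not access.
    keywords: set = field(default_factory=set)


@dataclass
class User:
    user_id: str
    dept: str


def effective_circulation(doc):
    """Assumed default: an untagged document stays inside the creator's department."""
    return doc.circulation or f"dept:{doc.creator_dept}"


def may_see(user, doc):
    """Access decision made at query time, per document, per requester."""
    if user.user_id == doc.creator:
        return True
    circ = effective_circulation(doc)
    if circ == "all":
        return True
    if circ.startswith("dept:"):
        return user.dept == circ[len("dept:"):]
    if circ.startswith("users:"):
        return user.user_id in circ[len("users:"):].split(",")
    return False  # unrecognized tag value: fail closed


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class SearchIndex:
    def __init__(self):
        self.docs = {}

    def add(self, doc):
        self.docs[doc.doc_id] = doc

    def tag(self, doc_id, keyword):
        """Anyone may tag; this widens what the document is found by."""
        self.docs[doc_id].keywords.add(keyword.lower())

    def search(self, user, query):
        """Return matching doc ids, but only those the requester may circulate in."""
        wanted = tokens(query)
        hits = []
        for doc in self.docs.values():
            searchable = tokens(doc.text) | doc.keywords
            if wanted & searchable and may_see(user, doc):
                hits.append(doc.doc_id)
        return sorted(hits)


def build_example_index():
    """Constructed corpus: an untagged personnel file, an all-hands plan and a
    budget draft shared with two named people."""
    idx = SearchIndex()
    idx.add(Document("d1", "bob", "hr",
                     "Personnel file: health information and stock options exercised"))
    idx.add(Document("d2", "carol", "marketing",
                     "Q3 campaign plan for the new product", circulation="all"))
    idx.add(Document("d3", "dave", "finance",
                     "Draft budget for 2009, stock option grants",
                     circulation="users:alice,dave"))
    idx.tag("d2", "stock")  # a colleague adds a keyword to the campaign plan
    return idx


if __name__ == "__main__":
    idx = build_example_index()
    for user in (User("alice", "marketing"), User("bob", "hr"), User("erin", "finance")):
        print(user.user_id, "stock ->", idx.search(user, "stock"))
```

Separating the two kinds of tag is the whole point: keyword tags from anyone change what a document is found by, while the circulation tag from the creator decides who it is found by, and the crawler indexing everything is harmless as long as the query path honours that tag.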

The flip side of this is that search engines are great at integration even in the face of corporate or political silos: Here in Norway, there have been a number of initiatives to integrate all public web sites into one citizen portal, called norge.no. The idea is that as a citizen, you should be able to access your information easily, without having to worry about whether the thing you are trying to do belongs under the Ministry of this or that. It has largely failed because the various ministries, with a few exceptions, want to have their own portals (and I still haven’t figured out why, but then again, Norway is a country where the Justice department tried to claim copyright on laws.) The poor Minister of Modernization, charged with making the bureaucracy more effective, will eventually have to resort to a search engine approach. It is already happening in practice – try searching for "Visa UK Application" on Google, and then find it through the British Home Office (yep, that’s the name) portal and see what gets you there first. (Incidentally, note the idiosyncratic web design of the Visa office – a sure sign of bureaucratic lack of a feedback loop.)

In other words: Information management in the 2.0 enterprise is search-based (both in that users navigate by search and in that they reference information objects by their search terms rather than their addresses) and user-influenced (not user-managed; see below). The users manage it both explicitly (by tagging and linking) and implicitly (by reading and editing). This does not mean that you take an automated, Googlish approach, though – prioritization of information within the enterprise is not a popularity contest. Making the most-read document corporate policy is not management – but managing information fully aware of what the users are doing is.

Intellectual property

Over 20 years of researching strategy and technology in organizations, I have learned a few things about keeping information confidential – and then getting permission to publish it. I have learned that when you ask for permission, you should ask as high up in the hierarchy as possible – CEOs and CIOs are much more keen to get something published than employees lower down, who either are afraid that top-echelon wrath will come down on them, or have a narrower horizon and therefore think what they do is more competitively sensitive or pressworthy than it is. Hence, they tend to excessively nail things down.

I have also learned never ever to involve lawyers and to be careful with the PR department. Lawyers need to justify their existence, much like virus software companies, and so are tempted to clamp down on everything (and sue everyone in sight) when there is a breach, because a rule has been broken, not thinking about whether the breach may actually be beneficial. The PR department’s job is to tell the story of the company, and sometimes that leads to sugarcoating, since many of them have not realized that a well-written case, warts and all, commands much more respect than a blowsy press release.

An Enterprise 2.0 company needs to share all that can be shared and always tell the truth. That simple. Customers, employees and (after some thinking) investors tend to like it.

Sharing things leads to learning, but people cannot learn from you if they cannot have access to your material. When MIT decided to open up all their courses on the web in the Open Courseware initiative, the university portrayed this decision as a question of their role in society – was their mission to spread knowledge in the world, or was it to provide excellent education to the lucky few? From an idealistic standpoint, the choice was easy, and MIT was rightly hailed as an innovator helping to further education everywhere – in Africa, interested youngsters can read course materials from MIT and learn.

But MIT’s sharing was also an extremely astute strategic move, both for internal and external purposes. Leaving the courses open for all to see has made MIT the gold standard for courses in technology and management – this is where you go as a teacher (and as a student) to compare your own courses to MIT’s. That the course material is searchable also moves it up on Google Scholar and other search engines – not important to other universities, who have access to costly scientific journals, but very important to non-student individuals, small companies and budding researchers all over the world. Also, being forced to make their material available means that quite a few teachers at MIT must spend just a bit more time on making their courses and course materials presentable to the outside world and not just the students – thereby forcing a much-needed focus on teaching rather than just research.

In the corporate world, particularly in pharmaceuticals, we see some of the same movement. Research is now so expensive (particularly the setting up of controlled experiments for rare and complicated diseases) that you have to link everyone doing research and development across the globe simply to get enough patients and manpower. And then, of course, you have to share the honor and to a certain extent the rewards. Luckily, this is quite simple, given today’s technologies. Mentally, it may be a larger hurdle to overcome – you have to start to think as if you were a research university.

Telling the truth saves mental energy. If you tell the truth, you don’t have to remember what you said. A company that is open and frank about what it does, responds readily and honestly when customers or other stakeholders ask critical questions, and does not try to hide bad (or good) news, will benefit if and when it is attacked in some fashion – for instance in the press. Truth buys you legitimacy – meaning people will think you mean it when you have to deny some rumor.

I think companies should look carefully into the Creative Commons concept, and ask themselves – is my problem that people are misusing my information and knowledge, or that they don’t know about it? Does it add value to me if others can use it as a building block? Are there ways of using it that I haven’t thought about yet? Perhaps setting it free is the smartest thing you can do, investment-wise.

Conclusion, if anything

The 2.0 Enterprise consists of knowledge workers distributed across time, space and corporate borders. They are, if not experts, technically competent and thoughtful about their work style and equipment. They don’t like to be limited by technology and, much like the Internet, route around obstacles in order to do what they need to do. They care less about know-how than know-why.

Security, privacy and IP for this crowd require thinking differently. Moat-and-drawbridge doesn’t work (except for very specific administrative systems, which you can pull behind a browser window). You need to think less about stopping attacks and more about robustly dealing with their consequences. And you need to be very careful about how you position security, privacy and IP – not as a set of rules, but as a balancing between the threats, the defenses and the consequences.