by Anne Stuart
In a word, it’s about trust.
That’s how Simon Shiu sums up the vision behind the technology his team is developing in the Trusted Systems Laboratory at HP Labs in Bristol, England. It’s all designed to help companies make sure they’re doing the right thing – and to have confidence that their business partners, customers and suppliers are doing so as well.
The team’s work creating tools and methodologies around trust involves more than simply building another security infrastructure.
“Being secure is not enough,” Shiu says. “We want to provide people with confidence about the effectiveness of the controls in their IT environment” – especially those involving shared data. A control can be a technology mechanism, but more likely it involves people and processes. To that end, they’ve developed an analysis framework that assesses the overall control based on a mapping between IT events, IT controls and a company's own business priorities.
The need for such assurance is growing quickly as companies increasingly work outside their own walls. They outsource business and IT functions, transact business over the Internet, and provide outsiders – customers, partners and suppliers – with access to their systems. And, as a larger HP Labs research initiative indicates, they’re rapidly moving toward a shared IT model where individual company boundaries become even more porous.
The Bristol team’s trust project is part of HP's work on utility computing, which aims to give companies on-demand access to a large pool of resources, such as processing power, storage and bandwidth.
Turning computing into a pay-as-you-go utility – just like electrical power or natural gas -- offers tremendous potential in terms of efficiency and savings: Companies get the desired computing capability exactly when they want it, keep it just as long as they need it, and pay only for what they use.
But because utility computing typically involves many organizations
sharing a single data center, the approach raises new questions
as well. Among them:
- How can individual companies assure
the accuracy, confidentiality and integrity
of important information?
- How can they monitor their compliance
with regulatory mandates such as the corporate
reforms of Sarbanes-Oxley Act of 2002,
the privacy requirements of Health Insurance
Portability and Accountability Act of 1996
(HIPAA), and the global banking standards
of Basel II?
- And how can they guarantee that
they're providing the same safeguards to
their customers, partners and suppliers?
Concerns about those potential vulnerabilities motivated the Bristol team’s work. “We’ve been talking about accountability, and being transparent, and doing good audit trails for several years,” says Shiu, the project manager. "The question became: ‘What data is required to show customers that it’s safe to take something from a shared utility data center? How do we reassure everyone involved?’”
The answer, based on the team’s preliminary work, is to model the relationship between IT-associated business risks, IT controls, and the events and audit trails in systems. This approach leads to a collection of tools and methodologies that provide real-time deployment and monitoring of IT in those shared utility settings, as well as in standard IT environments.
The result of this work is an automated model-driven analysis engine that monitors and analyzes IT environments, looking for problems based on a company’s top business concerns.
“Maybe you just want to know if you’re Sarbanes-Oxley compliant,” Shiu says, referring to the stringent corporate record-keeping now required of publicly held companies in the United States. “That typically means being able to show a good controlled IT environment -- and showing that the environment is working.” Or a company might want to prove that its IT infrastructure provides high-level protection for private medical records or a partner’s valuable intellectual property.
In one pilot project, the team created an assurance model
for the HP Labs film rendering service, (“Rendering” refers
to adding light, texture and other details to computer-generated
scenes and characters, which turns them into finished frames.)
Not surprisingly, in the highly competitive film-animation industry, a chief worry of studios is keeping content confidential
Researchers built a model based on, as Shiu puts it, “the
people, processes and technologies” involved in rendering.
The model tracked specific factors such as when computer
nodes were removed and who had access to shared storage space, and then generates a streamlined snapshot of
how well trust concerns are addressed.
Using a stoplight-style
coding system – green meaning everything is fine, red
indicating a serious problem, with several other hues in
between – this so-called "trust record" lets
any viewer grasp the big picture at a glance.
Created in HTML so users can view it through a standard Web browser, the record simply lists audit results and highlights potential problems.
Users can click on any item listed in the trust record to get more details. For instance, the home page of an audit might indicate that a company isn’t meeting some aspect of its own provisions for Sarbanes-Oxley compliance. By drilling down one level, the user quickly determines that of a half-dozen compliance-related areas, just one – employee account management – is registering a potential problem.
By digging down to the next level, the user learns that – according to the trust technology audit – the company apparently isn’t moving fast enough to delete former employees from its systems. With that information, the company can move quickly to change its practices so that departing workers lose account and access privileges as soon as they walk out the door, thus bringing the organization back into line with the law’s requirements.
Currently, it’s unclear when and how the HP Labs technology might be offered on the market. “We’re really still in the middle of this, and it isn’t a simple product technology,” Shiu says. “IT is being delivered as a service, and we’re creating a model-driven methodology to deal with assurance for this world.” The technology could eventually be offered as a value-added service with HP’s utility-computing solutions or sold to customers who want to build their own trust models.
In any case, it’s highly likely that, at some point down the road, many companies will use some version of the technology to address the question Shiu sums up this way: “Is my reliance on IT OK? And, if not, why not?”
Anne Stuart is a Boston-based
freelance journalist who has written about business, technology,
and the Internet for more than a decade. Before going solo,
she was a senior writer at Inc., a senior editor at CIO
and CIO Web Business, a founding editor of WebMaster, and
a reporter for The Associated Press and several daily newspapers.