Another Cloud Computing Conference

As I sat down on the plane, I looked back through the conference brochure to remind myself of everything I had covered during the week.  Before I left for this conference, there was nothing less exciting to me than information security.  Yet it was the compliance and legal sessions that I got the most out of.

Learning more about corporate governance in the cloud was my first priority in gathering information at the conference.  I was glad that so many sessions at least touched on it, especially after hearing how urgently improved federated identity management is needed at a time when more and more technologies are moving into the cloud.  And oh yes, the cloud: the place where all things could happen, and would, with information technology in our near future.

Beyond any doubt, my company’s decision to send me to the cloud conference was worthwhile.  So much of what I learned was not only going to do me good, but would serve us well as our company prepared to migrate to the cloud by the end of the fiscal quarter.  What I learned, and all the vendors I met, gave us a way to apply some best practices and to share the industry’s concerns about this work.

I recalled my notes on Laura Smith, a lead writer for SearchCIO.com, who noted in an interview with Benjamin Doyle, a pioneer user of Salesforce.com, that one must be fairly aggressive in adopting new solutions.  In doing so, Doyle noted, security and identity management had become the number one concern of IT professionals (Smith, 2011).  As I thought about it, it made sense.   With so many mobile and internet technologies moving to the cloud, I had no doubt that identity management was going to be a growing concern.

Doyle also noted in this interview that traditional technologies like Microsoft’s Active Directory were great at integrating with traditional software, but that the cloud presented many new challenges his company had never experienced before.  He noted that in his shopping spree to find the right vendor solution there were over 200 services they looked at to help them move to the cloud (Active Directory Management, 2011). I had a note next to that statement, to check on returning to the office, which read “review processes,” a reminder to look deeper into the decisions we had made in selecting our vendor, Trea Services.

True, Trea had been called because of our need to offer more mobile services in the cloud, but it was also their outstanding record in the field of identity management that caught our eye.  Making more of our services available through an online sign-on system complicated the move to the cloud, but Trea has experts in identity management, which made all the work they do seem worthwhile after some of the horror stories I heard at this conference.

Dealing with people’s identities was no small business anymore.  Even in our own research we had drawn on some guiding ISA experts, both to provide a reference point for our framework and to adopt a true security life cycle that we felt was in line with our business needs.  Jan Killmeyer and Phillip Windley were those experts.  As Killmeyer notes in “Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition,” there were four areas which now made up our security life cycle.  Those included:

  1. Performing security and risk assessments
  2. Developing an infrastructure to reduce the risk and meet defined security goals and objectives that support the business goals and objectives
  3. Implementing what has been developed
  4. Measuring the effectiveness of what has been implemented, and maintaining that infrastructure to meet the needs of the organization (Killmeyer, 2006)

We recognized early that if we were going to help set the tone for compliance in the ISA process, we would need to produce the “mechanisms” that would make those processes perform at consistently high levels.  It was apparent that our company needed to define some clear compliance measures based on industry standards and aligned with our business needs.

We adopted some guiding principles based on an article that sparked discussion about a year back, “Top Considerations for Compliance in the Cloud,” by Marisa Peacock (2011).  We loved the article’s analogy of thinking about moving to the cloud as moving house in general.  She encourages the adoption of five key principles:

  1. Choosing the right neighborhood

As you might have guessed, different systems and modules offer different types of customer control and place different obligations and responsibilities upon both customers and service providers with respect to security and compliance.

  2. Meeting the neighbors

Like any real estate, it’s important to think about its proximity to the places you go, the quality of the roads, can the neighbors see over the bushes, and reputation of the neighborhood — in other words, consider vendor lock-in, portability of data and applications, interoperability, data privacy, and data repatriation.

  3. Selecting the governing body

Just like an HOA on the cloud, if you’re public or private, there are specific laws and regulations, and the related regulatory guidance and requirements that can affect an organization. From HIPAA, GLBA, and PCI DSS — your organization will need to examine the ins and outs of each to figure out what security controls are already in place and what’s needed to get the rest up to code.

  4. Preparing for home inspection

Once up to code, however, it’s important to understand that it will be necessary, even required, to assess the control state for the cloud service several times a year — on a regular basis. For example, PCI DSS requires quarterly vulnerability scans be conducted for systems.

  5. Selecting the mortgage

Living on the cloud requires some long-term commitment. Is your neighborhood the place where your data can grow old? Are you still going to be able to meet compliance as your company grows or shrinks? What about the economy? (Peacock, 2011)

With these in mind, there was no question that making the move to the cloud deserved serious consideration, planning, and resources.  As the discussion continued, our CIO also chimed in with two frames of reference from which to view compliance.

“I am a firm believer that all systems benefit from a diversified perspective.  Therefore, based on the recommendation provided by Killmeyer and Windley, we understand that there are two important points here we needed to consider.”  He was right.  Each expert he referenced presents his own view of how to manage security effectively.  In Killmeyer’s view the business drives the security management process, while Windley approaches it from the technology end.  Both perspectives are important and need to be taken into consideration when implementing.  Overall, this would minimize risk and increase our chances of a successful migration to the cloud.

With that in mind, it was time to go back and suggest that we form our Security Team who would help to oversee the cloud migration process.  As Killmeyer notes, “The Security Team should be involved in reviewing the results of all audit, control, or security reviews that occur within the organization. The Security Team is tasked with understanding why the results may not have been so spectacular and what was the systemic reason for lax or ineffective controls. The team responds to these results by assessing the policies, standards, and procedures that have been implemented and determining whether they are realistic and can be achieved with the resources at hand. If they cannot, it is the responsibility of the Security Team to communicate to the Board of Directors or executive-level management and make them aware of the risks and attempt to obtain the necessary resources to improve the architecture” (Killmeyer, 2006).

Brilliant. With a team in place and a more defined strategy for compliance, it finally came down to defining security responsibilities for each individual within the organization and communicating them throughout the organization.  As Killmeyer told us, process implementation should include:

  1. Providing the necessary resources such as hiring appropriate personnel to be able to execute the responsibilities that have been defined
  2. Providing the resources to train personnel to perform those responsibilities effectively
  3. Developing weekly, monthly, and quarterly meetings to discuss security issues and concerns; and make progress with the ISA as well as understanding where in the security life cycle the organization stands
  4. Enforcing the policies, standards, and procedures that have been developed
  5. Educating all users throughout the organization on security through security awareness training
  6. Purchasing and installation of hardware and software tools to effectively assess, monitor, and alert the security teams of potential security breaches and issues
  7. Providing the necessary financial, personnel, and time resources to improve the organization’s processing environment by reducing risk and addressing the security concerns that have been discovered in the assessment phase.

Clearly, this would set us up well for getting to the maintenance phase, and as my colleague Chuck would say, “we can always maintenance one more system.”  Perhaps, Chuck, but as I heard the seat belt sign come on, there were clearly some great ideas I had to bring to the Security Team; we had a good implementation strategy in place, and we could now see the world through a solid compliance structure.  Indeed, it was going to be a great journey into the cloud.

Reference Page

Active Directory Management. (2011). Easing Cloud Concerns with Federated Identity. Retrieved March 14, 2011, from http://activedirectorymanagement.com/ease-cloud-security-concerns-with-federated-identity-windows-it-pro/

Killmeyer, Jan. (2006). Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition. Auerbach Publications.

Peacock, M. (2011). Top Considerations for Compliance in the Cloud. Retrieved March 14, 2011, from http://www.cmswire.com/cms/enterprise-cms/top-considerations-for-compliance-in-the-cloud-006474.php

Smith, Laura. (2011). Federated identity management urgently needed in the cloud. Retrieved March 14, 2011, from http://searchcio.techtarget.com/news/2240033256/Federated-identity-management-urgently-needed-in-the-cloud

Staff, Aspatore Books. (2005). Inside the Minds: Winning Legal Strategies for Corporate Governance: Leading Lawyers on Effective Programs for Understanding Regulations, Maintaining Compliance, and Avoiding Liability. Aspatore Books.

Tech Republic. Cloud Computing Essentials for Security and Availability. Retrieved March 14, 2011, from http://www.techrepublic.com/webcasts/cloud-computing-essentials-for-security-and-availability/2274581

Tipton, Harold F., & Krause, Micki. (2007). Information Security Management Handbook, Sixth Edition. Auerbach Publications.

Windley, Phillip. (2005). Digital Identity. O’Reilly: Beijing.

A Transparent Case of APIs and Federated Systems

The Case

It was a cold night and the smell of coffee still lingered in the air. I was surprised at how much material was still left behind from the “all-geek gathering” at the local coffee shop. The flyers that announced the event were still on the ground, and a few were left behind on coffee tables. “Share your API Ideas Coffee Talk” paraphernalia was all over the place.

My client, Kelley Wetzel, had warned me that there would be a mess left behind by this group to help identify them, but I had no idea. Clearly, if these “professionals” were being rewarded for their neatness, they would be waiting a while to receive their prize. That is when I spotted it: a lone paper with some notes jotted on the back. On closer review it was clear that the conversation on APIs had grown into more than a discussion. If I was going to learn this group’s intentions, and stay on top of their work, I was going to need to act fast.

I returned to my office around midnight and pulled out the note again. It had some of the following websites written on it:

• One Hour Translation (API): http://www.onehourtranslation.com/
• Gimme Shiny! (Site): http://gimmeshiny.com/
• Arc90 Readability (Site): http://lab.arc90.com/
• LookItUp (Browser Plugin): http://userscripts.org/
• Woozor (Web Site): http://woozor.com/
• The Ad Generator (Web Site): http://www.theadgenerator.org/

The list appeared to be straightforward. Heck, they had even provided me with a list of the sites and the categories they were putting them into. It almost seemed as if they knew what I was after. Kelley had noted previously that they were a very analytical group of typical “type A personalities,” but this was clearly a case of over-analysis.

I turned on my computer and checked each of the sites. Yup, they were all legitimate, but it had me wondering: if this was an API meetup, and they had additional websites and even plug-ins included, then what were they really after? I looked back at the paper again. There were additional notes which I had to twist and turn the paper to see. They read, “Create a Google Group Public Page.” Bingo.

When I searched for a Google Group public page I came across no less than a few hundred direct results for the terms API and Federated Systems. Kelley was right; this certainly was a hot topic. I could now see why the collaboration within this group was leading to a lot of business which could potentially conflict with Kelley’s. It was becoming more and more apparent that if I was to serve this investigation well, I was going to need to do more advanced technical research than I had previously thought.

The Investigation

Clearly, the rise of APIs and federated systems comes from the rise of Web 2.0 technologies. First step: nail down what an API really is. PC Magazine defines an Application Programming Interface, or API, as “A language and message format used by an application program to communicate with the operating system or some other control program such as a database management system (DBMS) or communications protocol” (PCMagazine, 1998). By contrast, it was far more challenging to find a clear definition of federated systems. Wikipedia notes only that “A federated database system is a type of meta-database management system (DBMS) which transparently integrates multiple autonomous database systems into a single federated database” (Wikipedia, 2011). Given that, I wondered, “Do federated systems only focus on databases, and how are they related to APIs?”

Further investigation showed that even though APIs have been around for a while, the idea of a federated system, and a clear definition that proves its benefits, was still emerging. Could this group have stumbled onto something here? Could they be looking at APIs and federated systems as a means to draw away Kelley’s business? It was appearing that way. How they were going to do that needed some deeper investigation.

A call to a close friend at IBM helped a lot. He noted that the reason federated systems were emerging alongside APIs was the rise of data transmitted via the internet, or the cloud, and not just for database purposes. I checked IBM’s website and it validated that thought further. In fact, the key point of federated systems was clear there. “Without federated systems, accessing disparate data sources requires multiple steps:

1. You must connect to each data source individually.

2. You must extract the necessary data by using different native application programming interfaces.

3. You must filter, sort, and consolidate the data manually.

With a federated system, you simply query the nicknames using SELECT, INSERT, UPDATE, and DELETE statements” (IBM, 2009).

Some further benefits I found with federated systems occur when:
• Joining data from local tables and remote data sources, as if all the data is stored locally in the federated database
• Updating data in relational data sources, as if the data is stored in the federated database
• Replicating data to and from relational data sources
• Taking advantage of the data source processing strengths, by sending requests to the data sources for processing
• Compensating for SQL limitations at the data source by processing parts of a distributed request at the federated server
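To make the contrast in the IBM text concrete, here is an added example (my own illustration, not IBM’s code and not DB2 syntax): two constructed data sources kept in separate SQLite files, consolidated first by hand in the three manual steps the IBM text lists, and then through a single “federated” connection that attaches both sources under nicknames and runs one SQL join. The table layouts, the nicknames (crm, billing) and the sample rows are assumptions made for the example.

```python
import os
import sqlite3
import tempfile
from typing import List, Tuple

Totals = List[Tuple[str, float]]


def create_sources(directory: str) -> Tuple[str, str]:
    """Constructed sample data: two autonomous data sources, each its own database file.
    (Assumption for the example: a CRM holding customers, a billing system holding invoices.)"""
    crm_path = os.path.join(directory, "crm.db")
    billing_path = os.path.join(directory, "billing.db")

    crm = sqlite3.connect(crm_path)
    crm.execute("CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    crm.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Acme", "west"), (2, "Globex", "east"), (3, "Initech", "west")])
    crm.commit()
    crm.close()

    billing = sqlite3.connect(billing_path)
    billing.execute("CREATE TABLE invoices (invoice_id INTEGER PRIMARY KEY, "
                    "customer_id INTEGER, amount REAL)")
    billing.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                        [(10, 1, 250.0), (11, 1, 75.5), (12, 2, 900.0), (13, 3, 40.0)])
    billing.commit()
    billing.close()
    return crm_path, billing_path


def totals_by_region_manual(crm_path: str, billing_path: str) -> Totals:
    """The three manual steps from the IBM text: connect to each source individually,
    extract with each source's own API, then join, sum and sort by hand in application code."""
    crm = sqlite3.connect(crm_path)            # step 1: one connection per source
    billing = sqlite3.connect(billing_path)
    region_of = dict(crm.execute("SELECT customer_id, region FROM customers"))   # step 2
    invoices = billing.execute("SELECT customer_id, amount FROM invoices").fetchall()
    crm.close()
    billing.close()

    totals = {}                                # step 3: consolidate manually
    for customer_id, amount in invoices:
        region = region_of[customer_id]
        totals[region] = totals.get(region, 0.0) + amount
    return sorted(totals.items())


def totals_by_region_federated(crm_path: str, billing_path: str) -> Totals:
    """Federated path: a server that holds no data of its own, the sources attached under
    nicknames, and a single SQL statement that joins across them as if they were local."""
    fed = sqlite3.connect(":memory:")
    fed.execute("ATTACH DATABASE ? AS crm", (crm_path,))
    fed.execute("ATTACH DATABASE ? AS billing", (billing_path,))
    rows = fed.execute(
        """
        SELECT c.region, SUM(i.amount)
        FROM crm.customers AS c
        JOIN billing.invoices AS i ON i.customer_id = c.customer_id
        GROUP BY c.region
        ORDER BY c.region
        """
    ).fetchall()
    fed.close()
    return rows


def run_federation_demo() -> Tuple[Totals, Totals]:
    """Build the two sources in a scratch directory and run both consolidation paths."""
    with tempfile.TemporaryDirectory() as directory:
        crm_path, billing_path = create_sources(directory)
        return (totals_by_region_manual(crm_path, billing_path),
                totals_by_region_federated(crm_path, billing_path))


if __name__ == "__main__":
    manual, federated = run_federation_demo()
    print("manual:   ", manual)
    print("federated:", federated)
```

Both paths return the same per-region totals; the difference is where the join logic lives and who maintains it. The security caveat worth carrying over from the IBM description is that the federated server’s credentials reach every attached source at once, so the account it runs under should hold only the privileges the cross-source queries actually need.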

Given these advantages, and the growth of the numerous APIs from the list, it was clearer than ever: the API and Federated Systems Google Group had found a way to design and deliver solutions not just for APIs, but for the numerous means of data transmission which can occur via the web. Enough investigation; it was time to go to the source.

The Buck Stops Here

Nothing is better than going to the source. True, in most other cases I went to the individuals for answers, but in this case it was just as easy to visit their Google Group. A few clicks and I stumbled upon a very telling post.

A member of the API and Federated Systems Group had posted, “APIs present privacy implications. Is it bad for Facebook developers to use customer information for other purposes? Why or why not?”

Several responses caught my eye, but it was this one that spelled it all out: “The privacy of data is a very sensitive issue. I strongly feel that private user data should be used solely within the application to which that user has granted it. By granting permission to use their private data in an application, users have placed a degree of trust in that application and its developers, and expect that the data will be used responsibly. It would be an ethical violation to use private user data in a manner that is not agreeable to the end user. Examples might be:

* Selling or sharing email addresses with others without the user’s consent
* Failure to safeguard customer credit-card information
* Publishing information without the user’s consent.

It is important for developers to be aware of such privacy concerns.
If users determine that their private information has been misused, they will likely no longer trust the application to which they granted this information. This can have severe fallout, with potential loss of revenue or legal action taken against the company that compromised the private data. Examples might be:
• The application / company / developer might receive bad press and reviews or online ratings may drop.
• Users will likely abandon the application, and it may be difficult to attract new users.
• Law suits over privacy violations could result.
Google outlines some good guidelines for private user data:

“We have five privacy principles that describe how we approach privacy and user information across all of our products:
1. Use information to provide our users with valuable products and services.
2. Develop products that reflect strong privacy standards and practices.
3. Make the collection of personal information transparent.
4. Give users meaningful choices to protect their privacy.
5. Be a responsible steward of the information we hold.” (Google, 2010).

The post continued, “Thus it is prudent for application developers to use private user data responsibly. From a development standpoint, I would probably avoid using private data at all, unless a key element of an application depended on that data, and there were no alternatives except to use that data. I would also inform end-users of the application as to how their private data might be used and let them decide if that usage policy is acceptable” (Irizarry, 2010).

Not only was everything here legitimate, but it reinforced the other information I was finding. In Jeffery Mattsura’s book, “Security Rights and Liabilities in E-Commerce,” he outlines privacy rights well:

“The legal rights and obligations discussed in this book arise from a number of sources. Some of those rights are created by laws or statutes that are enacted by legislative bodies. Other rights are created by the courts (“common law”) as they make decisions resolving specific disputes. Certain obligations are created at the international level through treaties. Additional rights are created by the development of rules, enacted and enforced by regulatory or administrative agencies (e.g., the Federal Communications Commission in the United States). Some standards are established by private groups, such as industry associations. Although these standards do not have the force of law, they can have a significant impact on conduct to the extent that the private groups that create and enforce them control or influence the behavior of participants in the marketplace.

Several different substantive categories of law apply to digital security. Intellectual property law (e.g., copyright and trademark), trade secrets law, and privacy law, for example, have an important impact on rights and duties associated with e-commerce security. The law of contracts and commercial transactions also plays a key role in digital security. Increasingly, consumer protection law, the law of torts, antitrust law, and property law are influencing digital marketplace security. Finally, we must always recognize that criminal law has an important role to play in digital security.

… legal rights are enforced by private parties. Businesses or individual people have the right to enforce certain legal obligations against other parties (e.g., contract law rights). Legal actions to enforce these rights are sometimes referred to as civil actions or private law claims. Other legal rights are enforced by governments. Local, regional or national governments have the authority to enforce criminal laws and administrative rules (e.g., regulatory laws). Certain legal rules can be enforced by both governments and private parties (e.g., antitrust laws)” (Mattsura, 20??).

I was beginning to realize that there were certainly a lot of benefits and disadvantages to APIs and federated systems, but I had to be honest with myself: I was not seeing how this group presented a threat to Kelley. They had gone about their work well, they had even called out concerns about the implementation of APIs and other web resources with federated systems, and there appeared to be no harmful intent. This had me wondering just what this investigation was going to prove.

The Wrap Up

Getting back together with Kelley spelled out her intentions further. She noted that the group was a threat to her business not because of how they went about their work, but because they were creating so much transparency within the market space. The rise of this transparency would not just alter the perception of her customers, but was so profound that it would change the way business was done. She referenced an article called “The Dark Side of Cloud Computing” from CIO.com, which demonstrated her concerns well. In summary it noted:

• The cloud would offer less legal protection.
• You don’t own the hardware.
• Strong policies and user education is required.
• Do not trust machine instances for data protection
• Rethink your assumptions, (Sarrel, 2009).

Indeed. Kelley had no experience in these areas in her business model, and in many places her customer engagement plan had gaps that the newly suggested model did not address. The API group was certainly a threat, but not because they were after her business. Rather, they were a threat because they were creating a way of doing business that demonstrated more empowering principles of information systems management than she was able to manage.

My work here was done. If Kelley was to “survive” in this new market, she was going to need to partner with the principles established by this group and the market, or she would not survive. Federated systems appeared to be the emerging marketplace, and honestly, Kelley was going to need to learn a whole new way of doing business, one that would not only be better for her in the long run but would serve her customers better. It isn’t often that one gets the chance to offer important feedback like this. All I could hope was that Kelley was open to change.

References Used:

Commerce Docs. (February 25, 2010). Federated Identity Participants. Retrieved from: http://commercelab.ipcommerce.com/Docs/1.17.13/SSO_API_Federated_Identity/Overview/Participants.aspx

Google. (2010). Privacy Center. Retrieved October 26, 2010, from: http://www.google.com/privacy.html

IBM. (April 30, 2009). Advantages of a Federated System. Retrieved from: http://publib.boulder.ibm.com/infocenter/db2luw/v8/index.jsp?topic=/com.ibm.db2.ii.doc/ad/ciibsfed.htm

IP Commerce. (February 25, 2010). What is Required to Implement Federated Identity? Retrieved from: http://www.ipcommerce.com/Platform/Commerce_Platform/Federated_Identity.aspx

Irizarry, D. (2010). “How are we defining API?” Retrieved from City University of Seattle, IS 432 Winter Course.
http://googledataapis.blogspot.com/2008/10/federated-login-for-google-account.html

PC Magazine. (2011). Definition of API. Retrieved from: http://www.pcmag.com/encyclopedia_term/0,2542,t=application+programming+interface&i=37856,00.asp

Sarrel, Matthew D. (January 9, 2009). The Darker Side of Cloud Computing. PCMag.com. Retrieved from: http://www.pcmag.com/article2/0%2C2817%2C2330921%2C00.asp

Wikipedia. (February 2011). Federated Database Systems. Retrieved from: http://en.wikipedia.org/wiki/Federated_database_system

Deposition with an Uninformed Small Business (Small Claims Court of Course)

The Argument

“Excuse me sir, but did you sign that?” I never thought for a second that a comment like that would pop up on my computer screen. In fact, not only did it pop up, but it would not let me complete the transaction without ensuring that my digital signature was completed. I remember the event well because during normal computer events like this I get a terms-of-service notification. Sadly, this was not the case.

I agree with the arguments being made in court today about my binding legal obligations, but honestly, the way the digital signature came up, and my low exposure to them, resulted in what I have brought before you today. I find it hard to believe that anyone would know much about this type of transaction, because they are so rarely used compared to other means and approaches of private key technologies.

As a result, I would like to have the charges against me dropped in court today. I believe that the service provider, _________, should have done a better job of informing me about the legal use of digital signature transactions, and that this resulted in my lack of judgment before purchasing.

The Background – (Where Things Went South Fast)

My business partner and I were working on an emerging client idea. We knew we were on to something unique when, on further research, we saw that many of our competitors were providing bits and pieces of our offering but were certainly not hitting the mark we had come up with. Thus, once we realized what we had, we shared it with some of our investors for initial input and feedback. The feedback about the idea was glowing.

One comment that caught our attention during this time came from a retired lawyer. She noted that the unique documents we were to create with each of our clients would need to be authenticated. After a formal follow up meeting with her we came to realize that she was right. There was no way we could guarantee our clients some of the essential services without authenticating several documents in the process.

True, on the client’s site there was a page on “Digital Copyright Protection” which provided a good summary of the need to authenticate documents. However, following our meeting with our retired lawyer friend we recognized that some research on the topic was in order. On further review, we found that the American Bar Association’s Information Security Committee had posted the following about the enterprise use of digital signatures:
A signature is not part of the substance of a transaction, but rather of its representation or form. Signing writings serve the following general purposes:
• Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
• Ceremony: The act of signing a document calls to the signer’s attention the legal significance of the signer’s act, and thereby helps prevent “inconsiderate engagements.”
• Approval: In certain contexts defined by law or custom, a signature expresses the signer’s approval or authorization of the writing, or the signer’s intention that it have legal effect.
• Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption (American Bar Association, 2011).
Given this information, we began to understand that our new business offering was going to be more complicated than we originally thought; however, we felt we were exercising due diligence in our work. In fact, when we contacted a legal representative from Surety, they informed us that their “Timestamping” line of business would ensure that documents used in the business process would be authenticated. As far as timestamping goes, they noted, “the approach that Surety uses is very sound. It provides a process that makes it virtually impossible to alter the true timestamping of a document. The following text, excerpted from a white paper on its web site (www.surety.com), explains the process it uses”:
• “The requestor hashes the document and sends the hash value to a third party, who supplies digital time—as in other third party models.
• The third party supplies time and date independently.
• The document’s hash value is made part of a hash chain by including it with other hash values submitted for timestamping by various clients. Those hash values are passed through a one-way hashing algorithm, yielding a summary hash value dependent upon all the hash values.
• A timestamping record is returned to the requestor. It includes the place in the hash chain occupied by the requestor’s document at the exact moment of timestamping and the other hash values, which were submitted for timestamping by various clients at that same time. It also includes the time and date of the timestamping.
• The summary values of the hash chain are made widely public. The hash chain cannot be retrospectively altered, or faked, without detection, so the third party does not have to be trusted.
• Validating the document’s content and time/date is done by creating a test summary hash value from the information included in the timestamping record.
• The test value is then compared to the real summary hash value, which is found in the public hash chain. If the test value and the real value are the same, it is indisputable that this exact digital record was timestamped at exactly this moment.” (Surety.com, 2011)
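The Surety excerpt above describes a linked hash-chain timestamp. The following added example (my own, not Surety’s implementation and not code from its white paper) walks through those steps with a constructed contract and two other clients’ hashes: the requestor submits only a hash, the third party folds the round’s hashes and its own time/date into one summary that is chained onto the previous summary, and verification recomputes the summary from the returned record and compares it to the published chain. SHA-256, the ordering of hashes within a round, the record layout and the hypothetical TimestampService class are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import List


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def summarize(previous_summary: bytes, round_time: str, hashes: List[bytes]) -> bytes:
    """One link of the chain: a single hash over the previous link, the round's
    time/date and every hash submitted in the round, in submission order.
    (Assumption: a plain concatenation order, chosen for the example.)"""
    return sha256(previous_summary + round_time.encode() + b"".join(hashes))


@dataclass(frozen=True)
class TimestampRecord:
    """What the third party returns to a requestor: the 'timestamping record'."""
    round_time: str            # time/date supplied by the third party
    round_index: int           # which link of the public chain this round became
    position: int              # slot of the requestor's hash within the round
    siblings: List[bytes]      # the other clients' hashes from the same round, in order
    previous_summary: bytes    # the summary value this round was chained onto


class TimestampService:
    """Simplified third party (hypothetical). It keeps only the pending round and the
    public chain of summaries; it never sees document contents, only hash values."""

    def __init__(self) -> None:
        self.chain: List[bytes] = [sha256(b"chain start")]   # published summaries
        self.pending: List[bytes] = []

    def submit(self, doc_hash: bytes) -> int:
        """Accept a hash for the current round and return its slot."""
        self.pending.append(doc_hash)
        return len(self.pending) - 1

    def close_round(self, round_time: str) -> List[TimestampRecord]:
        """Fold the round into the chain and hand every client its record."""
        previous = self.chain[-1]
        self.chain.append(summarize(previous, round_time, self.pending))
        round_index = len(self.chain) - 1
        records = [
            TimestampRecord(round_time, round_index, i,
                            [h for j, h in enumerate(self.pending) if j != i], previous)
            for i in range(len(self.pending))
        ]
        self.pending = []
        return records


def verify(document: bytes, record: TimestampRecord, public_chain: List[bytes]) -> bool:
    """Rebuild the test summary from the record plus the document in hand and compare
    it with the published link; also check the record links to the published previous link."""
    if not 1 <= record.round_index < len(public_chain):
        return False
    if public_chain[record.round_index - 1] != record.previous_summary:
        return False
    hashes = list(record.siblings)
    hashes.insert(record.position, sha256(document))
    test_summary = summarize(record.previous_summary, record.round_time, hashes)
    return test_summary == public_chain[record.round_index]


def run_timestamp_demo() -> dict:
    """Constructed scenario: our contract is timestamped in the same round as two other
    clients' documents, then checked in its genuine, altered and back-dated forms."""
    tsa = TimestampService()
    contract = b"constructed sample: client services agreement, draft 3"
    position = tsa.submit(sha256(contract))              # requestor sends only the hash
    for other in (b"some other client's file", b"yet another client's file"):
        tsa.submit(sha256(other))
    record = tsa.close_round("2011-03-14T09:00:00Z")[position]
    public_chain = list(tsa.chain)                       # what gets published widely

    backdated = replace(record, round_time="2011-01-01T00:00:00Z")
    return {
        "genuine": verify(contract, record, public_chain),
        "altered_document": verify(contract + b" (one extra clause)", record, public_chain),
        "backdated_record": verify(contract, backdated, public_chain),
    }


if __name__ == "__main__":
    print(run_timestamp_demo())
```

The three checks at the end show what the public chain buys: the genuine document verifies, while an altered document or a record whose time/date has been changed produces a test summary that no longer matches the published link, which is the “cannot be retrospectively altered without detection” property the excerpt claims. What the example does not cover is distribution of the chain: it assumes the verifier obtains the published summaries from somewhere independent of the third party, because a chain that is only ever fetched from the same party is the one piece of this design that still has to be trusted.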

The next wise step we took was contacting a local IS expert, Dr. McKaghan, who teaches at a local university and works as a full-time consultant in Technology Management. During our time together, Dr. McKaghan had some great reference tools to pass along.

One of these was a clearer definition of what the term “digital signature” really means. Once again, we had someone referencing the American Bar Association:
…. from the information security point of view, “digital signature” means the result of applying to specific information certain specific technical processes…… The historical legal concept of “signature” is broader. It recognizes any mark made with the intention of authenticating the marked document. In a digital setting, today’s broad legal concept of “signature” may well include markings as diverse as digitized images of paper signatures, typed notations such as “/s/ John Smith,” or even addressing notations, such as electronic mail origination headers (American Bar Association,2011) .
It was becoming more and more clear to us that though our business offering was unique in nature, it certainly had its legal hiccups. Regardless, my business partner and I knew that we had come across an idea that was sound and was going to have a growing market soon. The time to act was now; we had exercised our due diligence in researching our product, and so we chose to move ahead.

What Went Wrong – The Legal Implications
We know now that even though our research was diligent in nature, there is a lot more to authenticating documents, or “digital signatures”, than what was first explained to us. For example, nowhere on Surety’s site does it note all the legal implications we needed to cover. Upon review of the issues brought before us, it would have been better to have a full description on the Digital Copyright page noting the legal issues we later found in authors such as Mohan Atreya. His book, Digital Signatures, notes that there are five areas of law to examine in the use of digital signatures. They are as follows:

  • Contract law: As businesses and professionals move to electronic forms of doing business, they will need to consider the legal implications of doing so. Contract law is so common that it permeates virtually every aspect of doing business. What is a contract? How are they formed? What defenses can be raised to contract formation? What considerations must be addressed when using digital signatures in a contract in electronic form? Will an electronically signed contract hold up in court? These questions and others will be answered.
  • Tort law: Tort law covers the civil (that is, generally, other than criminal or contract law) areas of legal liability in general. When and how may someone sue or be sued based on use of a digital signature? What if someone obtains another’s private key and impersonates that person? What damages are attainable? The answers to these and many other questions will be discussed.
  • Evidence: Any attempt to use contract, tort, or another type of legal claim under the law is without teeth if the facts about the claim cannot be proven in a courtroom; the law of evidence gives the legal claim its teeth, because without introducing evidence, the claim cannot be supported. What rules and procedures does a court place on the admissibility of evidence? Who must prove what and to what extent? We will review these and other issues here.
  • Choice of law: Choice of law refers to which law applies to a case or contract. No matter where you are, the law that is applied depends on many factors. Does local, state, or federal law apply? Are there administrative areas of law that must be considered? Even if a local or state law applies, does federal law preempt it? These and other areas will be covered.
  • Agency and employment: Often, a digital signature will be made on behalf of someone else, or the private key associated with the digital signature will be maintained and controlled by another. This is common in large businesses and in complex transactions. What is the liability of the agent and/or the principal for whom the agent acts? When may a principal disavow an action taken by an agent? What are the duties and responsibilities between an employee and employer and when may one be liable to the other? The legal interrelations of the agent, the principal, and third parties will be addressed here as well as between the employee and employer (Atreya, 2002).

I present this as our key evidence. Nowhere on their “Digital Copyright Page” do they note any of these important legal components. True, they have several disclaimers which allude to these areas, but nothing is as clearly stated as what I have provided. I believe our business would not have presented our new solution lines if we had known that legal action would be taken against us for not following these important legal guidelines.
Secondly, as the experts we spoke to noted, digital signatures are an emerging field of technology use and much of the “verdict” on how to implement best practices in this technical area is still out. I believe the steps we have taken show our evidence of providing a foundation of good contractual and tort law practice which will continue to develop as we grow this area of the business.

The Interview following Judge’s Ruling
Of course we are saddened by the verdict handed down today. As mentioned earlier, we believe we did our due diligence and, really, we are still too small to have our own legal division like Surety has. In the future, as the judge noted, we will be sure to include the legal and binding requirements outlined by the American Bar Association in our client contracts. Honestly, we believed we were working in the best interest of the business and our own ethical understanding and values. Next time we will be sure to review our offerings with a legal business consultant.

*Any relations to current companies, or professionals mentioned in this paper are purely coincidental in nature. This story is fictitious in nature and intended to highlight the legal and technical risks which involve the use of digital signatures.

Reference Page
American Bar Association, Section of Science and Technology, Information Security Committee. Digital Signature Guidelines Tutorial. Retrieved from http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html

Atreya, M. (2002). Digital Signatures. New York, NY: McGraw-Hill/Osborne.

Surety. Digital Copyright Protection. Retrieved from http://www.surety.com/digital-copyright-protection.aspx

Wikipedia. Digital signature: The current state of use — legal and practical. Retrieved from http://en.wikipedia.org/wiki/Digital_signature#The_current_state_of_use_.E2.80.94_legal_and_practical

A Discussion with an SSO Expert

It sure is great to have so many passwords to keep track of, isn’t it? Wait a minute. What did you say there? Did you say that there is a movement towards a single sign-on process? Well now, just show me where to sign up and the process is done.

What do you mean there are tons of solutions out there? Oh great. Are you suggesting that this process is one in which I am going to have to know more about the industry so that I can make a more conscious decision? Well, given it’s a Saturday and there is no more football for the season, if you can sell this in 1000 words, then mission accomplished.

Benefits and Risks of Single Sign-On Systems (after the discussion)

I think I get it now. All secure systems that require authentication have the potential for a single sign-on solution to be installed. So essentially, this eliminates the need to maintain separate systems, simplifies administration, and streamlines access to resources (EDUCAUSE, 2009). I totally get what you mean. In essence, I know my passwords are not strong ones. I simply use the same ones over and over again. Should any one person ever get hold of my sign-on credentials, I would be toast. Think about it, I sign into work, my bank, and my profile almost daily. And it seems that more and more transactions are completed online every year, as you say.

It seems to me that with the (inevitable) movement toward cloud computing, we all need to learn more about the advantages of single sign-on, or federated systems (SSO), as you call them. Learning more about what makes cloud technology such an advantage was a good way of describing why single sign-on is so useful. Like you noted about cloud computing, the accessibility, the increased capacity to share information more easily, and the ability to use these applications from mobile devices are clearly an advantage (Orfano, 2010). Not only will that make a workforce, life, or living easier, but I would have to imagine that IT professionals will love the advantages too.

Even though I have never been an IT professional, there is no doubt, given the amount of challenges I have in using technology, that for them it must be ten-fold in monitoring, building, and maintaining these systems. It almost seems like the movement to upgrade systems would be simplified with a single sign-on system. When I worked at the university I believe I had no less than five different logon sites just to do my daily work. And the fact that single sign-on would allow me the possibility of having my privacy better maintained almost seemed to make it a hands-down winner.

However, I also appreciate that you gave me a heads-up on what to be concerned about. Beyond a doubt, I certainly do not have the cash to invest in such an expensive system at this time, and that also explains why the university never invested in one either. In fact, I was stunned at how much work goes into adopting or installing such measures, either within an organization or just in my own life. The costs to analyze, establish, and set up a standardized procedure are amazing. Again, it makes me appreciate what real IT professionals do for a living.
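
The single sign-on model the discussion above weighs (one login for many systems, and therefore one credential whose loss opens many systems) in miniature, as an added Python example. It is not code from the page or from any SSO product. Assumed for illustration: an identity provider that signs per-service assertions with HMAC-SHA256 under a secret shared with each service (real products use XML signatures or tickets), a 300-second assertion lifetime, and made-up user, service and secret names.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place that ever sees the password. It keeps the login session and
    mints short-lived, per-service assertions from it."""

    ASSERTION_TTL = 300   # seconds; an issued assertion cannot be recalled, so keep it short

    def __init__(self, sp_secrets: dict):
        self.sp_secrets = sp_secrets     # service name -> secret shared with that service (assumed)
        self.users = {}                  # username -> (salt, PBKDF2 hash)
        self.sessions = {}               # session id -> username

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

    def login(self, user: str, password: str):
        """Authenticate once; returns a session id, or None on bad credentials."""
        if user not in self.users:
            return None
        salt, stored = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def assertion(self, sid: str, service: str, now: int):
        """Mint a signed assertion for one service from an existing session (no password prompt)."""
        if sid not in self.sessions or service not in self.sp_secrets:
            return None
        claims = {"sub": self.sessions[sid], "aud": service, "iat": now, "exp": now + self.ASSERTION_TTL}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self.sp_secrets[service], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(tag)


class ServiceProvider:
    """A relying application: it stores no passwords, only the secret shared with the IdP."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def accept(self, token: str, now: int):
        """Return the authenticated username, or None if the assertion is not valid here."""
        try:
            body, tag = token.split(".")
            expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return None                  # forged, or signed for a different service
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        if not isinstance(claims, dict):
            return None
        if claims.get("aud") != self.name:   # never honour an assertion minted for another service
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims.get("sub")


def demo(now: int = 1_300_000_000):
    # Constructed setup: one IdP, two services, one user; every name and secret is made up.
    shared = {"payroll": secrets.token_bytes(32), "wiki": secrets.token_bytes(32)}
    idp = IdentityProvider(shared)
    payroll, wiki = ServiceProvider("payroll", shared["payroll"]), ServiceProvider("wiki", shared["wiki"])
    idp.register("alice", "correct horse battery staple")

    sid = idp.login("alice", "correct horse battery staple")   # the only password prompt...
    t_payroll = idp.assertion(sid, "payroll", now)
    t_wiki = idp.assertion(sid, "wiki", now)                   # ...every service after that is prompt-free
    out = {
        "payroll": payroll.accept(t_payroll, now),
        "wiki": wiki.accept(t_wiki, now),
        "replayed_at_wrong_service": wiki.accept(t_payroll, now),
        "expired": wiki.accept(t_wiki, now + 301),
        "wrong_password": idp.login("alice", "hunter2"),
    }
    idp.logout(sid)
    out["after_logout_new"] = idp.assertion(sid, "wiki", now)     # the IdP stops minting...
    out["after_logout_old"] = wiki.accept(t_wiki, now + 10)       # ...but live assertions run to exp
    return out
```

The benefit is the first two results: one password prompt, then every relying service accepts the user without keeping a password of its own. The risk is in the last two: a stolen password (or a leaked IdP signing secret) opens every service at once, and logging out at the IdP stops new assertions but cannot recall the ones already issued, which is why the lifetime is kept short.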

A Personal Discovery & Personal Action (after analysis, acceptance)

Look at this. Drupal, a community and support network, has a current post explaining exactly what you noted previously. In the post, “Single Sign On solutions — relative advantages and disadvantages”, there is a great analysis of some of the different solutions someone might consider for single sign-on. The ones noted there are as follows:
• The Longsight Group has a CAS-based solution.
• A pubcookie module based (obviously) on Pubcookie.
• The Single Sign On module
• OpenID — from a thread on the development mailing list, it looks like there might be an OpenID module in the works for Drupal.
• Then, there’s also Brown University’s cookie-based solution, and Shibboleth.
Though I do not see a fully disclosed list of all SSOs, this seems like a good start to consider. The only one on the list I have used is OpenID, and I do have to say, it is great to have as an access point between my wiki and blog. In fact, I would not be surprised if in time Facebook sign-on became more widely used overall, due to the high number of people using that web interface (Drupal, 2006). Of course, that would help accomplish Zuckerberg’s vision even more.

I also really enjoyed the video you showed me about Identity 2.0 from Dick Hardt (YouTube, 2010). Having our identity in physical formats such as licenses and passports is still the standard for many uses, but certainly, we will move toward the Identity 2.0 movement more and more. It makes me wonder what kinds of discussions and governing bodies are taking the time to be sure that such important movements are happening. I appreciate you sharing the paper from the World Privacy Forum noting the public interest research and consumer education groups now invested, but regardless, it is still startling that more people are not aware of this movement (Gellman, 2009). After all, we are talking about a person’s identity here – the way the world sees you.

You have certainly given me a lot to think about today and the debate seems to be gearing up for what appears to be a brilliant future for SSOs. After all, it is the gateway into the emerging world of cloud computing, the movement to increase a secure process around privacy, and probably the most important aspect, it simplifies our lives. This conversation may not have been an easy one, but like anything with amazing potential, in time, it too will find its way in this world.

Responding to Manager Questions….

When my team is managing a project, we have to work with a large number of people across an enterprise and all have different belief systems, and see the project differently. Most of the time we work through a project manager for the project.

How would you ensure that you and the project manager get along enough to help direct and manage all the other parts and people of the project?

What approaches would you take with a project manager to clear issues that center on not understanding the project, its durability, or its meaning to the company?

Love this question, because as a people person, I believe there is no end to how to manage situations well. And that in itself is how I believe you manage each of these issues. Of course, be sure to do good project planning, define roles, and provide deliverables up front, but in managing people and issues, there is no way to effectively manage these with one sound formula.

In essence, systems and people flex with the needs of the business and the challenges they need to overcome. In so doing, handle each situation by “hearing from” people/systems first. Do you have the appropriate channels to do that? Do you have the necessary metrics to fall back on to prove a risk is imminent? If not, put those in place before you begin any project.

Next, after giving people and their technology their chance to “speak”, summarize what you are hearing from others. This provides validation and the opportunity for those who have not been “heard” to speak up. Once that is complete, you are already moving towards a solution.

Solutions that consider all factors within an organization that promote opportunity and value provide everyone the chance to move forward as a team. Use that principle in managing your projects/teams and, more often than not, you’ll be on your path to success.

Why Inquiry Design Will Change How We Learn

Inquiry Course Design and Learning – its foundations and importance in learning – has had a positive impact on my classroom and in my consultancy in the workplace.  A view of the historical perspective notes its origins in the classroom. This methodology first made headway in science education in the 1970s. With the development of Marshall Herron’s scale for evaluating the amount of inquiry in science lab experiences, it allowed teachers and students to engage with and explore science concepts in more meaningful ways. Even earlier, the same method gave rise to a more hands-on learning approach which emerged in many science museums. One of the most well-known examples of these museums was the creation of the Exploratorium in the San Francisco Bay Area back in 1969 (see Dr. Oppenheimer’s research).

The rise of inquiry learning in schools also saw a parallel emergence in the business workplace. In my numerous library references, there is considerable research that proves inquiry design in a workplace training model increases employee engagement. Once employees are more engaged, the training facilitator can do a lot more to scaffold quality training programs to meet the unique needs of managers/employees. For example, in my own courses, it has increased opportunities to explore how new technologies can be used to prepare oneself better for the 21st century skill sets which are arising (see 21st Century Skills models).

Increased engagement creates more inspired students and employees. In cases such as these, an engaged employee/student will be more involved in the learning process and therefore more likely to create their own structures of learning toward greater autonomy, mastery, and purpose (see Daniel Pink’s “Drive”).

Within the rise of solid learning organizations, the benefits of greater productivity and employee purpose come into play, giving rise to a number of viable learning solutions in the development cycle for employee growth. As a result, organizations can leverage these experiences to insert the training needed to effectively embrace new organizational initiatives.  More results to come with working models at Resonant Insights and new community engagement partners.

So, you call yourself a PRO-fessional, huh?

You know, six years ago, I was a teacher.  Well, technically, I am still a teacher in what I do, but I am becoming more of a technical expert these days.  Isn’t that a funny term….”technical expert”?  No matter what your organization calls you, how do you see yourself as a professional contributor in this world?  Funny thing is, most people take a lot of time clarifying their role, and inevitably, it changes.  With an increased demand on professionals these days, it will be ever so important that you are an expert in your trade, AND that you have a growing passion to do new things.  In fact, if you look at my body of work in the last 5 years, I have really become the Community Learning Director I noted in my online profiles several years ago.  I have created my own profession, if you will.

What does that mean?  Well, I have taken a number of important skill sets and meshed them into easily leveraged assets.  In fact, I believe that the role of the future, or the job of the future, is constantly doing that for the industry’s TOP professionals.  SHRM notes that the number one key driver of employee engagement (which used to be known as satisfaction) is Career Development Opportunities.  That makes sense, right?  After all, we all want to grow, and having goals is a healthy thing, too.  Not to mention, having a role you are growing into means that you are also likely to increase your pay over time as well (HBR article, http://bit.ly/amO4Zz).

So what is your real expertise?  You know, the thing that is going to drive your value over the next 5-10 years?  What is the real value you have to add, and not just to your profession or career, but to the communities of this world?  That space, that community space, is your best investment for the long term.  As roles diversify and new careers emerge, you will be better positioned to drive your own future, and therefore your career.  Beyond any doubt, if I were that same classroom teacher of 5 years ago, I would not even be close to attaining the level of human capital assets I have to share now.  And guess what?  With a growing community of stakeholders, I believe more than ever – especially in this economy – that I have yet to maximize my community, or my influence.  If you want your work to have greater influence, join me here: http://www.resonantinsights.com/

The Point of Contact

Funny. Working for a very large organization can seem daunting to get anything done. Also funny is when you realize that the organization is so large, it takes 3 points of contact to get anything done. The funnier thing is once you do reach that person, you find that he/she would recommend someone better for that.

Is there a better way to find the right point of contact? In addition, how can we know if we really are in contact with someone who has the knowledge and depth we are looking for to “guide” us to the right solution? If this sounds like your company, you may just want to invest in profiling – collecting data on your employees to better understand who the real experts in the organization are….

Profiling is such a negative term right now. Even in my current project we use words like capture data, or identify traits. Sure, they are all doing that, but honestly, until you can see the transparent background of those you are looking for, that point of contact remains just that, a single point.

Just suppose though you were to get more and more people to complete profiles like they do on LinkedIn. Suppose you could see someone’s professional knowledge to the depth that would guide you to the exact person you are looking for. And just suppose that that one person ended up being the knowledge expert in that area….voila, magic.

You know, I know my neighbors, but I do not have a clue what they do….and the funniest thing is, I just went to my reunion and that is all everyone asked me, “What do you do?” Well, for now, I am profiling people because I want to be darn sure that I am getting the right people on my project.  That is something that most people miss from the start.

Social Media Got Me This Job

Over the past few years I have had the opportunity  to investigate, apply, and analyze the use of Social Media.  I even had the opportunity to present the use of this medium to several groups, and some of them have gone so far as to call me “an expert”.  Certainly, I have been active in numerous online communities and understand how my tweets update my online profiles simultaneously, but an “expert”?

Well, whatever I am, I can tell you this….social media helped me get my newest role with little effort on my part.  Seriously.  I did not apply, I did not go headhunting for my new company, and I did not have to do much networking at all.  For the past few years, what I have tried to understand better is how to use social media to improve my professional image, and how to leverage these new technologies to show what I can really do.

Take slideshare for example, http://www.slideshare.net/rgunhold.  Using this site allows one to upload presentations you have presented in the past, current ones you would like feedback on, and sample presentations that might help other professionals get the most out of a particular content category.  In most of my cases, I began using slideshare to share and collaborate for my IT classes.  Eventually, these presentations attracted others, and I received numerous emails requesting the original copies of my presentations, and even presentation requests.

And of course, everyone is now aware of LinkedIn, http://www.linkedin.com/in/ryangunhold.  As you can see from viewing my own profile, a lot of my work, background, and references speak for themselves.  There is no doubt that this page alone did a tremendous amount of the work that past human resource departments used to do to validate the quality of a new candidate.  Additionally, you can see I have added my slideshare space, and even my own blog posts, to this page among other tools anyone can add after setting up an account.  Of course, I could add that LinkedIn showcased some amazing recommendations from my fellow and past colleagues, but I would also note that these technologies are converging into one place where my work can be simulated for others to see.  Can you imagine that?  Would it be possible someday that I won’t even have to show up for the interview?

Speaking of using my blog in my profile, that is another example.  Nothing much.  Just wanted to write an online journal that would share my experiences/results along my professional journey.  What has been great about my blog is that I have fellow PhD students referencing my blog, and even requesting further research through it.  Really, all I had to do was use this medium and the rest fell into place.  Yes, I do use a strategy to ensure I am not posting boring/outdated content, but so long as I post, all else seems to create itself.

I was even surprised to see a new company (Scigen, http://pdos.csail.mit.edu/scigen/) that is able to create computer generated papers.  That is right.  There is enough information on the web now to generate a paper without anyone creating any new thoughts….amazing.  So how does this all change things?  No more applying for jobs, having to document in my written journal, or even write my own research papers?  Only time has the answer to that question.  However, I am more excited than ever to be using this medium to see where it takes me.

Education or Business?

Funny how the education world has a lot of valid claims that business methods in education just “miss the mark.”  Funny how business discredits education as a sound practice with such claims that education is “continuously so inefficient or ineffective.”  Over the last ten years, I have heard statements like this.  Generally, these statements are made when one of these entities is imposing itself on the other.  Working for both, here is what I have seen…

Education is a business.  The reality of new economies, imposed requirements, and an ever burgeoning budget system has exposed one of the greatest weaknesses education has – it does not run efficiently.  In the last few years, we will hear about the greatest cuts we have ever seen in education (see cuts to California education).   With that, education will be forced – much in the way business has been forced by a shrinking economy for hundreds of years – to evolve.  So, unfortunately my dear education, if you do not embrace business principles in how you get things done, you will continue to struggle.

Thus, my dear business, you also need education to be effective.  Well, in many ways, as I have learned, you are likely to use good human resource management, but that aspect will require that you understand what people really want.  And in that light, you will indeed need to embrace what education does well – human capital management.  In fact, education does this so well that countries like Singapore, which choose to invest in education, show a great economic turnaround due to that investment (see results of Singapore Math on the economy).

So, needless to say, in this new economy, we will find innovative ways to get things done better than ever before.  My recommendation – use what works in both business and education, and we’ll be moving in the right direction.  Looks like more than ever before, it is about balance and it will certainly be interesting to see how well these two partners work together into their own Venn diagram.
