IBM Journal of Research and Development

Issue 2 • Date March 2009

  • Preface

    Page(s): 1 - 2
  • A technology perspective on worldwide privacy regulations

    Page(s): 1:1 - 1:17

    In this paper we provide an overview of the worldwide privacy regulatory landscape from a technology perspective. We focus on data-centric definitions of personal information and then examine how these differ across different regulatory frameworks, such as the ones issued by the Organization for Economic Cooperation and Development, the European Union, the Asia Pacific Economic Cooperation, and the U.S. state laws. We discuss some of the challenges facing privacy regulatory bodies and involving leading-edge technologies, such as event data recorders, social networking Web sites, radio frequency identification, and national identification cards. Finally, we connect the regulatory environment with common security technologies that may assist organizations in complying with privacy requirements.
  • Data-centric security: Integrating data privacy and data security

    Page(s): 2:1 - 2:12

    Classifying data according to its permissible use, appropriate handling, and business value is critical for data privacy and security protection. This is essential for compliance with the constantly evolving regulatory landscape concerning protected data. Problems arise when users compromise data privacy and security by overlooking the critical need to manage data according to these requirements. This paper considers the creation and application of data classification systems for security and privacy purposes. It focuses primarily on classifying information in a meaningful way through the use of a partially automated methodology that normalizes and classifies structured data throughout an enterprise. We introduce the three pillars of the data-centric security model, which are based on the data-centric security classification offering by IBM Global Business Services (GBS) and the IBM Research Division. In particular, we describe the data classification pillar of the data-centric security architecture, which provides the framework and method for partially automated classification of data to meet the demands of compliance standards.
  • Analysis of privacy and security policies

    Page(s): 3:1 - 3:18

    The distributed nature of the environment in which privacy and security policies operate requires tools that help enforce consistency of policy rules across different domains. Furthermore, because changes to policy rules are required as policies evolve over time, such tools can be used by policy administrators to ensure the consistency of policy changes. In this paper, we describe a number of different policy analysis tools and techniques that we have developed over the years and present them in a unified framework in which both privacy and security policies are discussed. We cover dominance analyses of general policies, conflicts among authorizations and prohibitions, and other analyses of obligations, as well as policy similarity analysis and policy distribution.
  • Policy framework for security and privacy management

    Page(s): 4:1 - 4:14

    Policies that address security and privacy are pervasive parts of both technical and social systems, and technology that enables both organizations and individuals to create and manage such policies is a critical need in information technology (IT). This paper describes the notion of end-to-end policy management and advances a framework that can be useful in understanding the commonality in IT security and privacy policy management.
  • Privacy is essential for secure mobile devices

    Page(s): 5:1 - 5:17

    This paper contradicts the commonly held view that privacy and security of data must sometimes be sacrificed for the sake of national security. We demonstrate that for specific examples of real mobile devices, such as mobile phones, Wi-Fi®, electronic passports, and electronic government-employee ID cards, lack of sufficient attention to privacy actually harms the intended national security applications. We then present as a case study the Caernarvon high-security smart-card operating system developed by IBM, to show the feasibility of harmonizing personal privacy and security requirements with national security needs.
  • Harmonizing privacy with security principles and practices

    Page(s): 6:1 - 6:12

    During the development of a software system, the process of requirements elicitation gathers both functional requirements (i.e., what the system should do) and nonfunctional requirements (i.e., what the system should be). Computer science and software engineering education have traditionally addressed the former more than the latter, because it is easier to test that functional requirements have been properly implemented. Within the category of nonfunctional requirements, the privacy requirements engineering process is less mature than that of security engineering, and underlying engineering principles can give little attention to privacy requirements. In this paper, we discuss how security and privacy requirements engineering can be taught as necessary aspects of software development. We suggest that the best way to harmonize security and privacy requirements is to link information systems experts with computer scientists with the goal of addressing the key issues that prevent systems from implementing effective security and privacy.
  • A privacy-aware architecture for a Web rating system

    Page(s): 7:1 - 7:16

    Net Trust is a fraud-detection application that enhances security while protecting privacy. Net Trust identifies fraudulent Web sites by aggregating individual opinions, user-selected browsing histories, and third-party information. In this paper, we examine the security properties intrinsic to the implementation of the Net Trust ratings system. The ratings system protects against attacks by limiting diffusion of information to those with whom there is an off-line trust relationship. We also propose a rich-client/thin-server implementation architecture and examine the privacy properties of this architecture. The privacy properties function not only to prevent the compromising of user confidentiality, but also to make the ratings system more robust. By utilizing trusted off-line social networks, Net Trust enhances the security and privacy of the ratings data. The implementation architecture maintains high data availability while empowering browser-history owners with final control over data access. The Net Trust analysis we present illustrates the mutual reinforcement of individual privacy (defined as user control over personal information) and security (defined as the resiliency of data confidentiality and the efficacy of the rating system).
  • Privacy-value-control harmonization for RFID adoption in retail

    Page(s): 8:1 - 8:14

    Privacy concerns have, at least in part, impeded the adoption of radio frequency identification (RFID) in retail. The adoption of other automatic identification (auto-ID) applications shows that consumers often are willing to trade their privacy or their control of personal information against some value afforded by the application. In this paper, the interplay between privacy, value, and control is examined through a literature survey of four auto-ID applications: mobile phone, electronic toll collection, e-passports, and loyalty programs. The consumer value proposition for the use of RFID in retail is investigated through an online survey exploring end-user perceptions. The results of the survey are: 1) the customer value proposition has not been communicated well to customers; 2) privacy concerns are higher than other previously adopted applications despite similar privacy issues; and 3) harmonization of privacy, value, and control is likely to be achieved only after adoption, when customers will be educated through experience with the application.
  • Recovery scopes, recovery groups, and fine-grained recovery in enterprise storage controllers with multi-core processors

    Page(s): 9:1 - 9:16

    In this paper we extend a previously published approach to error recovery in enterprise storage controllers with multi-core processors. Our approach first involves the partitioning of the set of tasks in the runtime of the controller software into clusters (recovery scopes) of dependent tasks. Then, these recovery scopes are mapped into a set of recovery groups, on which the scheduling of tasks, both during the recovery process and normal operation, is based. This recovery-aware scheduling (RAS) replaces the performance-based scheduling of the storage controller. Through simulation and benchmark experiments, we find that: 1) the performance of RAS appears to be critically dependent on the values of recovery-related parameters; and 2) our fine-grained recovery approach promises to enhance the storage system availability while keeping the additional overhead, and the resulting degradation in performance, under control.
  • Letter

    Page(s): 1 - 2

Aims & Scope

The IBM Journal of Research and Development is a peer-reviewed technical journal, published bimonthly, which features the work of authors in the science, technology and engineering of information systems.

Meet Our Editors

Editor-in-Chief
Clifford A. Pickover
IBM T. J. Watson Research Center