Category Archives: Trust and Security

The means by which we both manage and limit semantic and truth uncertainty.

Distinguishing the not-good-enough

by Bernie Cohen

A reaction of one reader to my pragmatics blog was that, pragmatically speaking, it was still possible for a shared EHR to add value, but that it was certainly important to down scope the problem of sharing meaning across an enterprise, knowing full well that artificial boundaries are being drawn within the overall enterprise as a consequence. He goes on to say: “It may be a case where the perfect is the enemy”.

Maybe. But my own view is that this line – that the best may be the enemy of the good – doesn’t take into account the real harm that can be done by the not-good-enough.

Consider another aspect of Healthcare, the Clinical Practice Guidelines (CPG), which are strongly promoted by WHO and supported internationally. The potential benefits are enormous, not just for the patient, who should expect to be treated with best practice by any clinician who has the CPG CDs, but for the practitioner, who will be able to defend against any accusation of negligence by demonstrating adherence to CPG, and, most importantly, for the payer (government or insurance company) who will have the philosophers’ stone: the ability to predict, given the cost profile of the CPGs and the statistical distribution of complaints, the future cost of healthcare.

Unfortunately, this all depends on the ability to demonstrate the mutual consistency of the CPGs, which have been, and are being, drawn up by panels of specialists who have their own ontologies. For example, suppose a patient presents symptoms suggestive of both asthma and angina (both of which already have CPGs), which is not uncommon, and a clinician decides to follow one, or the other, or both CPGs, will the treatment plan, outcomes etc. be similar in each case? And who will take responsibility for damages caused by inconsistency? And how, and by whom, can all compositions of CPGs be so checked?

And while we’re on the subject of insurance companies, we already know that their ontologies differ markedly from those of both practitioner and patient, as demonstrated by the classic Kaiser Permanente example: a researcher who did a longitudinal study of post-partum complications using a large KP anonymised data set discovered that a significant proportion of those complications occurred in male patients, this being due to the fact that KP recorded the gender of the payer, not the patient!

When it comes to sharing meaning, before making the best the enemy of the good, we first need to know how to distinguish the not-good-enough. If we are to develop a care-centric approach to the patient in meeting the challenge of Health Care Reform, we are going to need to share meaning by reference to the patient situation itself and not just by reference to the treatment protocols involved.

Boundary Perimeter Edge

by Richard Veryard
We can use the three asymmetries to appreciate different strategies for security and trust, such as deperimeterization. First we need some definitions: Boundary refers to a discontinuity in a physical system, Perimeter to a discontinuity in a social system, and Edge to a discontinuity in systems of meaning. As with the asymmetries, these build on each other, so a perimeter includes a ‘virtual’ boundary, and an edge includes a ‘virtual’ perimeter. Thus where we place boundaries, perimeters and edges reflects where we place the three asymmetries. It also determines the way we are able to approach security and trust.

For example, deperimeterization can be understood as an effect of the third asymmetry. A traditional perimeter defence assumes that rights and obligations (social) coincide with certain physical divisions (boundaries). Deperimeterization means it is no longer feasible to align the levels of security with the social boundaries, because the social system is itself losing its cohesion under the influence of the third asymmetry.

Assuming symmetry means being able to run something as a closed system – the way it interacts is wholly defined by the supply-side, so control is possible. With the breaking of the first symmetry, the use of the technology is defined by its outputs, and not its internal functioning. But we can still apply a fortress approach to this, so long as we can wholly define the boundary across which the outputs are to be provided. The metaphor here is the fortress.

With the second symmetry being broken, our business changes from being defined by its outputs to being defined by its ability to organise business processes that deliver solutions. But the supplying business organisation is still in control of this, although the complexity of what is ‘inside’ is greatly increased by its now explicitly socio-technical nature. The fortress metaphor is still possible here, but understood now in terms of a dynamic frontline (e.g. NATO warfare across Europe).

It is with the third symmetry being broken that we get the necessity for defence in depth (they can strike from anywhere), asymmetric threat (they can play by their own rules), and agile/manoeuvrist conflicts that require power-to-the-edge and synchronization at the edge. This is the environment in which collaborative composition is necessary because of the complexity of the demand environment which you are trying to interact with. (The military metaphor here would be “operations-other-than-war” where you have to work with the inhabitants etc.) It is this latter third symmetry-breaking that creates the de-perimeterization effect.

Security and Symmetry

by Richard Veryard

Phil Wainewright asks:

“Are we honestly supposed to believe it was a co-ordinated denial-of-service attack that brought down a demonstration application on Sun’s much-touted pay-as-you-go Grid service on the day of its launch this week?”

Phil suggests that two explanations are equally plausible – one in terms of security and one in terms of unanticipated levels of demand – since these two explanations might both generate pretty much the same outcome.

In a symmetric world, there is a clear distinction between genuine customers and hostile attackers – and the task of security is to tell them apart and keep them apart. We can easily separate security from marketing, because there is no interference between these two activities. We can install perimeter-based security, which prevents bad people from accessing our services.

In an asymmetric world, this distinction (and the deconfliction between marketing and security) breaks down. This asymmetry is one of the key drivers for the current interest in deperimeterization, as promoted by the Jericho Forum.

Banking Services and User-Defined Policy 2

by Richard Veryard
Who is going to want the kind of user-defined policies I talked about in the podcast (link to soundfile, transcript extract)? Is it just the higher-end type of customer, as Ron suggests?

Hypothesis One: The better-off customers have the more complex requirements. Their financial arrangements are more subtle, their consumer electronics are more sophisticated, and there is much greater scope for interoperability.

Hypothesis Two: The technically literate consumers are most able to articulate the more complex requirements. They are more willing to experiment with the available options, and to learn to express their requirements in an appropriate policy language. In consumer electronics, they are the ones who know the difference between an Ethernet cable and a USB port, and how to tweak the firewall.

Hypothesis Three: The lead times are getting shorter. Even if it is currently the better off and technically literate consumers who are the early adopters of this complexity, service providers should anticipate the possible mass adoption of some aspects of this complexity within a fairly short timescale.

Hypothesis Four: Although the better-off and technically literate customers may be the ones who currently understand and express these complex requirements, that doesn’t mean that the rest of the customers don’t have these requirements. Everyone needs security; and the less money you have to start with, the more you suffer if someone steals a hundred dollars from your account.

Hypothesis Five: Where end-users are not able or willing to engage with the technical necessities (such as writing their own policy statements in some technical mark-up language), there will be intermediate services that will do this. For example, financial advisers may start to see their role as helping the client to orchestrate and manage a complex set of financial services from a range of service providers, instead of simply helping to select financial products. There are also opportunities for self-help groups and communities to emerge, where the complexity is managed collectively at group level, rather than at the individual level.

Hypothesis Six: Ultimately, the complexity is supported by a platform of composable services providing the right balance of flexibility and efficiency. The strategic question now becomes one of platform dominance. (The banks may be privately thinking about this question, but I haven’t seen much evidence of it yet.)

Hypothesis Seven: In the short-term, banks might be tempted to focus on the higher-end type of customer if they really were the most profitable. But there may not be enough of them to cover the costs of supporting them effectively. A more strategic reason for focusing on the higher-end type of customer might be because of innovation. But there may be just as much innovation (and greater social benefit, as well as reasonable long-term profitability) from supporting a “long tail” of lower-end customers, either directly or through appropriate communities and intermediaries.

Banking Services and User-Defined Policy

by Richard Veryard
Transcript from Podcast [34:30-38:38]

[Richard] Let me talk about the relationship I have with my bank. As a typical banking customer, I get a very simple set of services from my bank, and quite frankly it’s not really what I want, but all the other banks offer me pretty much the same services, so I don’t really have much choice. What I would like from my bank would be for me to define my own data model, which would be more complex and more fitted to what I need than the data model the bank gives me. What I would like is to be able to define my own policies on the bank account – give me a policy language, I’ll code my own policies, I’m happy to do that – and let the bank execute them. But no, the bank’s not interested in doing that, the bank can make money just giving me a standard one-size-fits-all bank account, and so they’re not going to do that, and they’re probably not going to do that for some years to come. But other industries are starting to respond to that kind of asymmetric demand.

[Ron] That sounds really interesting about the bank, but I can’t even imagine or conceive of how a bank could possibly allow me to define my own policies, or the kind of data that’s going to be related to those policies. Can you give me an example of something that might work that way?

[Richard] Yes, let me talk about security policies. At the moment, my bank gives me a simple choice: either everybody with my password can access my internet bank account, or my bank account simply isn’t available over the internet. And so it’s a very crude binary: either it’s open or it’s closed. Now what I would like is to define much more precise security policies on my account, that say for example I can take money out of my account to these specific destinations up to these amounts of money, but if I want to pay vast amounts of money to an overseas company that I’ve never dealt with before, I do not want that to happen over the internet, I’m quite happy to go into the branch and do that over the counter, and sign all the paper that I need to give myself the extra security. I could write those policies over and above the policies the bank itself has, and the bank would be able to execute my security policies in composition with its own security policies, and that would give me greater security and greater control over my account, without taking anything away from the bank. And if everybody had their own security policies it would make it a lot harder to have mass attacks on bank accounts, which would make everybody safer. And so there seems to be a win-win-win all round if banks were able to provide just simple kinds of user-defined policies of that kind.

[Ron] Okay, I can imagine how if that kind of thing were possible, that a bank who was willing to offer that might attract the kind of customers that would result in more profitability. I would imagine that might appeal to a higher-end type of customer than a typical customer that maybe doesn’t care that much about the bank’s security.

[Richard] But you see with SOA, the technology is all there to do that. Technologically, that’s very easy to do now. It’s purely a question of whether the bank is willing to manage that additional complexity.

For further discussion, see Banking Services and User-Defined Policies 2, in which I discuss who is going to want this kind of user-defined policy, and what the strategic implications are for banks and other service providers.
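
The composition described in the transcript, where a customer's security policy runs over and above the bank's own, can be sketched as follows. This is an added example, not code from the podcast or the post; the payee names, limits, bank ceiling and the deny-overrides combining rule are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    payee: str
    amount: int      # whole currency units
    channel: str     # "internet" or "branch"
    overseas: bool

# Constructed sample policy data (hypothetical values).
CUSTOMER_LIMITS = {"landlord": 1500, "utility-co": 300}  # per-payee internet limits
BANK_INTERNET_CEILING = 1000                             # bank-wide internet rule

def customer_policy(p):
    """Customer's rule: known payees up to a limit online, everything else in branch."""
    if p.channel == "branch":
        return ("permit", "signed over the counter")
    limit = CUSTOMER_LIMITS.get(p.payee)
    if limit is None:
        kind = "overseas " if p.overseas else ""
        return ("deny", f"customer: unknown {kind}payee, branch only")
    if p.amount > limit:
        return ("deny", f"customer: over {limit} limit for {p.payee}")
    return ("permit", "within customer limit")

def bank_policy(p):
    """Bank's own rule, which exists whether or not the customer writes a policy."""
    if p.channel == "internet" and p.amount > BANK_INTERNET_CEILING:
        return ("deny", f"bank: over internet ceiling {BANK_INTERNET_CEILING}")
    return ("permit", "within bank rules")

def decide(p, policies=(bank_policy, customer_policy)):
    """Deny-overrides: a payment goes through only if every policy permits it.

    The customer policy can therefore narrow what the bank allows but never
    widen it, which is the "without taking anything away from the bank" property.
    """
    reasons = [why for verdict, why in (pol(p) for pol in policies) if verdict == "deny"]
    return ("deny", reasons) if reasons else ("permit", [])

if __name__ == "__main__":
    for pay in (Payment("landlord", 900, "internet", False),
                Payment("acme-overseas", 50000, "internet", True),
                Payment("acme-overseas", 50000, "branch", True),
                Payment("landlord", 1200, "internet", False)):
        print(pay, "->", decide(pay))
```

The last sample payment is within the customer's own limit but above the bank's ceiling, so it is still refused: the customer's policy adds restrictions and cannot relax the bank's.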