The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors).

November 1, 2013

PREAMBLE:

We live today, in a data-driven world, full of data-driven economies (with projection and attempted matching of demand and supply); data-driven goods (with just-in-time components, and trends); data-driven services (customer preferences, and promotions); and even data-driven data – such as with supervisory control and data acquisition (SCADA), network functions virtualization (NFV), software-defined networking (SDN), and a host of analytics functionalities.  With so much data at stake, in play, and even getting in the way of people and other data, we should at the very least, try to gain a better understanding of it.  What is it, where does it come from, how do we use and interact with it, and what visible and invisible impacts does it now have (or might it later have), on us as individuals, on our societies and groups, on our behaviour and interactions, and on our individual and collective futures?

INTRODUCTION:

Let us consider “data” from a complex systems perspective.  We adopt a business perspective, excluding the individual one which would make the model unwieldy.  So, to begin, we single-out and assign 5 Data Domains: Form Factors, Applications, Categories, End-Users, and Scale; using the mnemonic of “faces”.

In order to visualize this conception, each of these 5 “faces” is placed in the order of their above presentation looking-out in 5 directions as emanating from about a central point labeled “DATA”.  Each of these 5 is also set on the flat top of an equilateral pyramid that radiates outward to occupy an arc of 72 degrees.  The total of 72 degrees as multiplied by 5, fills the entire 360 degrees of allocable area as emanating from that central “Data” point.  Hence, there are actually 5 separate and distinct pyramids growing out of that Data.  By the way, despite this visualized introduction, we won’t get too technical.

With the flat top of the pyramid being the source, each pyramid is further divided into 6 levels, with each level having increasingly more elements as one moves further out from the central point of origin.  The first level has that single element on the flat-top; the second has two; the third has three; the fourth has four; the fifth has five; and the sixth has six.

Adding the totals of 2 through 6 (in elements per level) within each pyramid, yields 20.  Multiplying this 20 by the 5 Domains, gives 100, thereby creating those 100 Faces of Data, for which the study is named.

ANALYSIS:

We shall now consider the 5 Data Domains in their “faces” order of appearance under this model, which differs from the logical “cafes” sequencing.

Form Factors.

These are the tools with which we gain access to data.

Level 2 (security): In the simplest bifurcation at this level (security), these are wired and wireless, with each needing different approaches, tools, and standards to ensure and maintain their security, availability or uptime, and ongoing reliability as fit for the intended purpose.[1]  The former (wired), would be anything in a home or office environment that was tethered, such as a desktop or laptop on the wired LAN, whilst the latter (wireless), would encompass anything from a laptop connecting by means of a wireless router, through to a smartphone or tablet with Wi-Fi access (or Li-Fi access),[2] or any wearable, implantable or near-field communication (NFC) device pulling, pushing, or both pulling and pushing data.

Level 3 (provenance): The variety of available form factors is further enhanced at this level, where they are divisible into customer-configured, commercial and off-the-shelf (COTS) or unknown, and custom-configured.  Items in the last category are or have been, or are capable of being configured for optimum functionality, security, and ease of administration including in-house or outsourced mobile device management (MDM) by a responsible system administrator, such as with a company-issued form factor.  The first (customer-configured) category is known by the system administrator to be or have been configured by the customer (employee) or client (third-party accessing a company website or subsystem), such as with devices they own in their own names; which may or may not be capable of transformation or migration to the third category in a Bring Your Own Device (BYOD)-type scenario.  The second (COTS) category, is those form factors of which the responsible system administrator has no knowledge, or that are commercial and off-the-shelf and possibly not even configured at the most basic level.  These would include jail-broken devices, those running pirated and illegal software, and those belonging to or co-opted by, rogue operators and networks with proven or potential malicious intent.

Level 4 (management): On this level, there is a category for identity and access management (IAM), a category holding management “controls for risk, encryption, and security technique” (CREST), and two categories for regulatory compliance.  Regulatory Compliance (generic) includes privacy and Intellectual Property Rights (IPR) regimes, which, although they may differ somewhat across jurisdictions, tend to follow similar lines of reasoning.  Regulatory Compliance (specific) includes subnational, national, and transnational rules, and any industry-specific codes to which the business must adhere; such as the federal Health Insurance Portability and Accountability Act (HIPAA) governing covered entities in the United States of America’s healthcare industry and all Business Associates involved with them; the Payment Card Industry Data Security Standards (PCI-DSS) for the global financial services industry to the extent that its members do business with or through the United States; and transnational rules and accords for banking (BASEL III), countering transnational crime (Anti-Money-laundering), and when applicable, any sanctions applied by a national body (nation state), a regional grouping (such as the European Union), or a global collective, such as the United Nations Organization (UN).

Level 5 (attack surfaces): The available attack vectors are myriad and constantly evolving, as they range from social engineering, through exploiting little known or common software vulnerabilities for “man in the middle” spoofing and “zero-day-vulnerability” phishing attacks, to advanced persistent threats such as distributed denial of service (DDOS), SQL-injection, and the full panoply of malware payloads for keylogging, botnetting, and data exfiltration on a massive scale.[3]  Our concern here is with the vulnerable areas, that soft underbelly of the form factor as an attack surface that remains under- or un-protected far too often.  For the individual owner, the form factor attack surface would include the solely-owned real device, and the single-user virtual device or service.[4]  For the business owner, this would be the business-owned device.  And finally, for the business non-owner, this would include the business-leased real device, and the business-leased virtual device or service; which fully implicates and encapsulates the cloud space.  Each of these attack surfaces represents its own known and unknown vulnerabilities that ideally require active governance and running adaptation[5] to responsibly manage.

Level 6 (aggregation): Businesses should consider six categories of relevant form factor aggregation on their owned and leased devices.  For businesses specifically, the two categories would be: Business to Business (B2B), and Business to Consumer (B2C) sales and marketing, and also the device and customer servicing that follow business and consumer trends and prevailing practices.  For governments, specifically, the two categories would be: in aid of current regulatory activities, and in aid of future service planning and preparation – as knowing which form factors are likely to be most in use aids in network capacity planning and regulation.  Businesses should also be aware that criminals and criminal groups also try to aggregate the form factors of and as used by businesses, for purposes of planning and conducting exploit campaigns, and also for purposes of monetization on their exploit campaigns as planned, while still live and underway, or as recently suspended for a time or fully concluded.

TABULATION:

| Level | *Standard Name | Form Factors | Applications | Categories | End-Users | Scale |
|---|---|---|---|---|---|---|
| 1 | domain | form factors | applications | categories | end users | spaces |
| 2 | *MPS | MPS | MPS | MPS | MPS | MPS |
| 3 | MPS | MPS | MPS | MPS | MPS | MPS |
| 4 | MPS | MPS | MPS | MPS | MPS | MPS |
| 5 | attack surfaces | attack surfaces | attack surfaces | attack surfaces | attack surfaces | attack surfaces |
| 6 | aggregation level | aggregation level | aggregation level | aggregation level | aggregation level | aggregation level |

MPS stands for management, provenance (or origin), and security.  The 5 Domains vary as to the level on which each of these applies.  However, the lack of cross-level comparison is restricted to these three levels, alone.  In the rest of the tabulation, direct parallels between levels can be more easily made.

CONCLUSION:

The relationship of data to form factors is clearly broad and deep, as these 20 distinct points show.  When considering that each of these above 20 faces in the Form Factors Data Domain can combine with and interact with each and every one of the other 80 faces across the other four Data Domains identified, one begins to understand how this is a complex system in the most classic sense of that term.

In the next installment, we will look at the “Applications” Data Domain.[6]

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in the legal, technological, and societal milieu.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] There was a time when senior management in many large businesses did not take Information Security /Cybersecurity advisories as seriously as they should have.  Today, however, with fines and penalties for preventable privacy breaches running into the millions (before individual lawsuits), and the potential for the loss of millions of records on the loss of a single flash drive or portable hard drive, that story has changed.  However, it cannot hurt to remind everyone to simply “cube the B” when planning for security, so that it sticks.  This stands for ensuring Buy-in at all levels with regard to security policies and rules – especially with senior management; which should be followed by Budgeting accordingly, so that IT can secure the human, material, and financial resources to do its job and do it well without constantly having to justify more funding; and following Best Practices in the industry or the art when it comes to security forecasting, planning, drafting, implementing, and reviewing.  See e.g. Ekundayo George.  Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec.  Posted on ogalaws.com, May 16, 2013.  Web: >https://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/<

[2] Nick Heath, in European Technology.  Researchers break speed record for transmitting data using light bulbs.  Published on techrepublic.com, October 29, 2013.  Web: >http://www.techrepublic.com/blog/european-technology/researchers-break-speed-record-for-transmitting-data-using-lightbulbs/?tag=nl.e101&s_cid=e101&ttag=e101&ftag=TRE684d531<

[3] For a brief overview of a recently-discovered, critical browser–specific attack vector, see Iain Thomson.  Big browser builders scramble to fix cross-platform zero-day flaw.  Published on theregister.co.uk, June 13, 2013.  Web: >http://www.theregister.co.uk/2013/06/13/cross_platform_browser_flaw_in_wild/<

[4] “Service” as here used, includes the entire “as a service” category, whether SaaS, PaaS, IaaS, or otherwise.

[5] For one prediction of the likely steps needed to maintain protection across an ever-expanding Attack Surface, See Patrick Lambert, in IT Security.  Growing attack surfaces require new security model.  Published in techrepublic.com, January 15, 2013.  Web: >http://www.techrepublic.com/blog/it-security/growing-attack-surfaces-require-new-security-model/<

[6] See Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 2 – Applications).  Published on ogalaws.wordpress.com, December 27, 2013. Online: >https://ogalaws.wordpress.com/2013/12/27/the-100-faces-of-data-a-5-part-complex-systems-study-part-2-applications/<
