PREAMBLE:

In Part 1,[1] we acknowledged our data-driven world and identified some of the ways in which data impacts upon us, and in which we impinge upon and build upon the vast volumes of data now in play from day to day.  It remains essential for us to gain a better understanding of this data, and so we considered it from a complex systems perspective by assigning 5 data domains or “faces” as follows: Form Factors, Applications, Categories, End-Users, and Scale.  Part 1 introduced and explained the model, illustrating it by further treating Form Factors across its 6 levels.  Now, in Part 2, we do the same for “Applications”.

ANALYSIS:

Applications.

These are the tools with which we actually collect, collate, manipulate, and further relate to the data.

Level 2 (provenance): At this level, we bifurcate into native applications and web-based applications.[2]  The former are predominantly created and generally managed locally, while the latter are often available for access or download on the world wide web, and managed remotely – if at all.  There is very wide variation in the level of stability, support, and functionality that web-based applications offer (unless they are home-grown and hosted on a proprietary intranet, and thus arguably native); and some vendors will still not stand behind their offerings, or lack the funding to roll out more robust supports.[3]

Level 3 (management): The great variety of available applications leads to a plethora of management issues.  We see the following three main spheres of management with regard to applications: (i) Network Management; (ii) Intrusion Management; and (iii) Data Loss Prevention (DLP)/Business Continuity Planning (BCP).  The first is primarily concerned with ensuring sufficient network uptime to meet intended network/IT goals and required business functions, that all applications play nicely together, and that sufficient resources and related support tools and personnel are provisioned in a timely manner for the respective business units and functions.  The second concentrates on ensuring that the network remains secure against malicious software and rogue actors (whether identifiable insiders escalating privileges, unknown outsiders socially engineering entry, or criminal groups and government agencies stretching the law, and sometimes the facts, to manufacture or utilize real and virtual backdoors into third-party client and customer data).[4]  The third focuses on eliminating, or at least minimizing, the harm from a breach event, as well as ensuring that critical business functions can continue – whether onsite, virtually, or in some third recovery location – should the main system or systems become compromised or fully go down for any reason.  The cause can range from natural disaster, through terrorist event or utility failure, to a lockout with ransomware[5] or a distributed denial of service (DDOS) attack.

Level 4 (security): Just as with form factors, there are on this level categories for identity and access management (IAM); management “controls for risk, encryption, and security technique” (CREST); and two categories for regulatory compliance.  Regulatory Compliance (generic) includes privacy and Intellectual Property Rights (IPR) regimes, which, although they may differ somewhat across jurisdictions, tend to follow similar lines of reasoning.  Regulatory Compliance (specific) includes subnational, national, and transnational rules, and any industry-specific codes to which the business must adhere.  Despite the strong security presence on level 3 for applications, level 4 is the more appropriate one on which to actually place that identifier, because many of these regulatory compliance metrics and standards have been regulator- or industry-vetted, and have stringent security measures built in.  This point also illustrates why we have put MPS together as interchangeable across levels 2, 3, and 4.

Level 5 (attack surfaces): As with form factors, the available attack vectors for applications are almost innumerable and continue to multiply and morph daily, intra-day, and across timezones.  However, there will always be many more attack surfaces within applications than there can be form factors.  These can range from corrupted code, imperfectly patched applications, and omitted vulnerability updates, to malicious software that masquerades as the legitimate version on a legitimate, semi-legitimate (sponsored or popular – i.e. “but, everyone uses it/goes there”), or spoofed site that is unwittingly reached and trusted by a victim – including embedded advertising that might take you to or through many pop-up levels of where you really don’t want to be if you click on them by accident or out of curiosity.[6]

Level 6 (aggregation): Applications can be aggregated across 6 main spaces: at the outer reaches, we have (i) the Cloud API, (ii) the Datacenter, and (iii) the In-house server.  Applications hosted in these spaces are (or should be) much more robust and better managed, due to their accessibility and use by far larger numbers of people than those found at the last three aggregation spaces.  Those last aggregation spaces are (iv) the workgroup,[7] (v) the single system desktop or laptop, social media, or gaming console/application,[8] and (vi) the mobile, to include tablet, smartphone, and wearable-tech.

CONCLUSION:

Once again, these above 20 faces (6+5+4+3+2) in the Applications Data Domain can combine and interact with each and every one of the other 80 faces across the other four Data Domains identified, and so the depth and diversity of data remains and grows in its complexity as a system.

In the next installment, we will look at the “Categories” Data Domain.[9]  In the meantime, I bid all readers and blog visitors a very Merry Christmas, and a peaceful, prosperous, and progressive New Year 2014.

*********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer.  He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing).  See, for example: http://www.ogalaws.com.  A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other Services, and Environmental Law and Policy.  He is a published author on the National Security aspects of Environmental Law, and enjoys complex systems analysis in the legal, technological, and societal milieu.

Mr. George is also an experienced strategic consultant; sourcing, managing, and delivering on large, strategic projects (investigations, procurements, and diverse consulting engagements) with multiple stakeholders and multidisciplinary project teams.  See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred.  The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.


[1] Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors).  Published on ogalaws.wordpress.com, November 1, 2013.  Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[2] Casey Frechette.  What journalists need to know about the difference between Web apps and native apps.  Posted on poynter.org, April 11, 2013.  Web: >http://www.poynter.org/how-tos/digital-strategies/209768/what-journalists-need-to-know-about-the-difference-between-web-apps-and-native-apps/<

[3] Again, however, that is not always a credible excuse, as the following (albeit dated) review of then-available online support and helpdesk applications clearly shows an attempt to bridge that gap.  See e.g. Muj Parkes.  10 Great Online Support and Help Desk Apps.  Published on appstorm.com, June 28, 2010.  Online: >http://web.appstorm.net/roundups/communication-roundups/10-online-support-and-help-desk-apps/<; see also International Federation of Red Cross and Red Crescent Societies (IFRC).  Innovation contest will provide support and funding for app development.  Published on ifrc.org, October 8, 2013.  Online: >http://www.ifrc.org/en/news-and-media/news-stories/international/can-humanitarian-apps-have-a-positive-impact-on-individuals-and-communities-63501/<  This was a more recent multiparty effort to spur development and rollout of socially-useful humanitarian applications by offering funding through a “(…) contest which asks young people to come up with a concept for an app that will help people make a positive contribution to their communities and improve their own skills at the same time. Winners will receive both mentoring and financial support to help bring their ideas to fruition”.  Today, in some jurisdictions, there is also a crowdfunding option.

[4] Barton Gellman.  Edward Snowden, after months of NSA revelations, says his mission’s accomplished.  Published on washingtonpost.com, December 23, 2013.  Online: >http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html<; see also Joe Shute.  Christmas – the busiest time of year for the criminal cyber gangs.  Published on telegraph.co.uk, December 9, 2013.  Online: >http://www.telegraph.co.uk/technology/internet-security/10505962/Christmas-the-busiest-time-of-year-for-the-criminal-cyber-gangs.html<

[5] Peter Suciu.  Cryptolocker Malware Holding Up To 250,000 Computers Ransom.  Published on redorbit.com, December 26, 2013.  Online: >http://www.redorbit.com/news/technology/1113035548/cryptolocker-holds-250000-computers-ransom-122613/<

[6] Lee Bell.  Drive-by exploits are the top web security threat, says ENISA.  Published on theinquirer.net, January 8, 2013.  Online: >http://www.theinquirer.net/inquirer/news/2234637/driveby-exploits-are-the-top-web-security-threat-says-enisa<

[7] Into this “workgroup” space, I would also breakout and insert such critical applications as the implanted ones (pacemaker applications), and the SCADA (remote monitoring and control applications).  These would all need to be more robust and have designed-in or otherwise deeply-embedded security features against hacking, due to the delicacy of their functions, their potential or design for remote operation and monitoring, and the developing Internet of Things (IOT) that will create workgroups out of several dozens or hundreds or more networked “hordes” of single such applications and application groups; all capable of hijack if not adequately secured.

[8] There is strong overlap between the workgroup, mobile/gaming, and wearable spaces with the proliferation of gaming applications that have wearable enhancements or other utilities bringing a virtual reality, multiple players in several locations beyond line-of-sight, and the potential to scale-up to large numbers of simultaneous users.  This is echoed by multi-user social media applications including chat and comment sites, pastable walls and apps., and all past, present, and future “virtual world/virtual reality” applications.  Again, subject to available or inbuilt security features and the patched/unpatched nature of the form factor used to access them, these apps. can be manna or minefield.

[9] See Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 3 – Categories).  Published on ogalaws.wordpress.com, February 4, 2014.  Online: >https://ogalaws.wordpress.com/2014/02/04/the-100-faces-of-data-a-5-part-complex-systems-study-part-3-categories/<

PREAMBLE:

We live today in a data-driven world, full of data-driven economies (with projection and attempted matching of demand and supply); data-driven goods (with just-in-time components, and trends); data-driven services (customer preferences, and promotions); and even data-driven data – such as with supervisory control and data acquisition (SCADA), network functions virtualization (NFV), software-defined networking (SDN), and a host of analytics functionalities.  With so much data at stake, in play, and even getting in the way of people and other data, we should at the very least try to gain a better understanding of it.  What is it, where does it come from, how do we use and interact with it, and what visible and invisible impacts does it now have (or might it later have) on us as individuals, on our societies and groups, on our behaviour and interactions, and on our individual and collective futures?

INTRODUCTION:

Let us consider “data” from a complex systems perspective.  We adopt a business perspective, excluding the individual one, which would make the model unwieldy.  So, to begin, we single out and assign 5 Data Domains: Form Factors, Applications, Categories, End-Users, and Scale; using the mnemonic of “faces”.

In order to visualize this conception, each of these 5 “faces” is placed in the order of their above presentation, looking out in 5 directions as emanating from a central point labeled “DATA”.  Each of these 5 is also set on the flat top of an equilateral pyramid that radiates outward to occupy an arc of 72 degrees.  The total of 72 degrees, as multiplied by 5, fills the entire 360 degrees of allocable area as emanating from that central “Data” point.  Hence, there are actually 5 separate and distinct pyramids growing out of that Data.  By the way, despite this visualized introduction, we won’t get too technical.

With the flat top of the pyramid being the source, each pyramid is further divided into 6 levels, with each level having increasingly more elements as one moves further out from the central point of origin.  The first level has that single element on the flat-top; the second has two; the third has three; the fourth has four; the fifth has five; and the sixth has six.

Adding the totals of 2 through 6 (in elements per level) within each pyramid, yields 20.  Multiplying this 20 by the 5 Domains, gives 100, thereby creating those 100 Faces of Data, for which the study is named.

ANALYSIS:

We shall now consider the 5 Data Domains in their “faces” order of appearance under this model, which differs from the logical “cafes” sequencing.

Form Factors.

These are the tools with which we gain access to data.

Level 2 (security): In the simplest bifurcation at this level (security), these are wired and wireless, with each needing different approaches, tools, and standards to ensure and maintain their security, availability or uptime, and ongoing reliability as fit for the intended purpose.[1]  The former (wired) would be anything in a home or office environment that was tethered, such as a desktop or laptop on the wired LAN, whilst the latter (wireless) would encompass anything from a laptop connecting by means of a wireless router, through to a smartphone or tablet with Wi-Fi access (or Li-Fi access),[2] or any wearable, implantable or near-field communication (NFC) device pulling, pushing, or both pulling and pushing data.

Level 3 (provenance): The variety of available form factors is further enhanced at this level, where they are divisible into customer-configured, commercial and off-the-shelf (COTS) or unknown, and custom-configured.  Items in the last category are or have been, or are capable of being, configured for optimum functionality, security, and ease of administration, including in-house or outsourced mobile device management (MDM), by a responsible system administrator, such as with a company-issued form factor.  The first (customer-configured) category is known by the system administrator to be or have been configured by the customer (employee) or client (third party accessing a company website or subsystem), such as with devices they own in their own names; these may or may not be capable of transformation or migration to the third category in a Bring Your Own Device (BYOD)-type scenario.  The second (COTS) category is those form factors of which the responsible system administrator has no knowledge, or that are commercial and off-the-shelf and possibly not even configured at the most basic level.  These would include jail-broken devices, those running pirated and illegal software, and those belonging to or co-opted by rogue operators and networks with proven or potential malicious intent.

Level 4 (management): On this level, there is a category for identity and access management (IAM), a category holding management “controls for risk, encryption, and security technique” (CREST), and two categories for regulatory compliance.  Regulatory Compliance (generic) includes privacy and Intellectual Property Rights (IPR) regimes, which, although they may differ somewhat across jurisdictions, tend to follow similar lines of reasoning.  Regulatory Compliance (specific) includes subnational, national, and transnational rules, and any industry-specific codes to which the business must adhere; such as the federal Health Insurance Portability and Accountability Act (HIPAA) governing covered entities in the United States of America’s healthcare industry and all Business Associates involved with them; the Payment Card Industry Data Security Standard (PCI DSS) for the global financial services industry to the extent that its members do business with or through the United States; and transnational rules and accords for banking (Basel III), countering transnational crime (Anti-Money-Laundering), and, when applicable, any sanctions applied by a national body (nation state), a regional grouping (such as the European Union), or a global collective, such as the United Nations Organization (UN).

Level 5 (attack surfaces): The available attack vectors are myriad and constantly evolving, as they range from social engineering, through exploiting little known or common software vulnerabilities for “man in the middle” spoofing and “zero-day-vulnerability” phishing attacks, to advanced persistent threats such as distributed denial of service (DDOS), SQL-injection, and the full panoply of malware payloads for keylogging, botnetting, and data exfiltration on a massive scale.[3]  Our concern here is with the vulnerable areas, that soft underbelly of the form factor as an attack surface that remains under- or unprotected far too often.  For the individual owner, the form factor attack surface would include the solely-owned real device, and the single-user virtual device or service.[4]  For the business owner, this would be the business-owned device.  And finally, for the business non-owner, this would include the business-leased real device, and the business-leased virtual device or service, which fully implicates and encapsulates the cloud space.  Each of these attack surfaces represents its own known and unknown vulnerabilities that ideally require active governance and running adaptation[5] to responsibly manage.

Level 6 (aggregation): Businesses should consider six categories of relevant form factor aggregation on their owned and leased devices.  For businesses specifically, the two categories would be: Business to Business (B2B), and Business to Consumer (B2C) sales and marketing, and also the device and customer servicing that follow business and consumer trends and prevailing practices.  For governments, specifically, the two categories would be: in aid of current regulatory activities, and in aid of future service planning and preparation – as knowing which form factors are likely to be most in use aids in network capacity planning and regulation.  Businesses should also be aware that criminals and criminal groups also try to aggregate the form factors of and as used by businesses, for purposes of planning and conducting exploit campaigns, and also for purposes of monetization on their exploit campaigns as planned, while still live and underway, or as recently suspended for a time or fully concluded.

TABULATION:

Level | *Standard Name    | Form Factors      | Applications      | Categories        | End-Users         | Scale
1     | domain            | form factors      | applications      | categories        | end users         | spaces
2     | *MPS              | MPS               | MPS               | MPS               | MPS               | MPS
3     | MPS               | MPS               | MPS               | MPS               | MPS               | MPS
4     | MPS               | MPS               | MPS               | MPS               | MPS               | MPS
5     | attack surfaces   | attack surfaces   | attack surfaces   | attack surfaces   | attack surfaces   | attack surfaces
6     | aggregation level | aggregation level | aggregation level | aggregation level | aggregation level | aggregation level

*MPS stands for management, provenance (or origin), and security.  The 5 Domains vary as to the level on which each of these applies.  However, the lack of direct cross-level comparison is restricted to these three levels alone.  In the rest of the tabulation, direct parallels between levels can be more easily made.

CONCLUSION:

The relationship of data to form factors is clearly broad and deep, as these 20 distinct points show.  When considering that each of these above 20 faces in the Form Factors Data Domain can combine with and interact with each and every one of the other 80 faces across the other four Data Domains identified, one begins to understand how this is a complex system in the most classic sense of that term.

In the next installment, we will look at the “Applications” Data Domain.[6]

*********************************************************************



[1] There was a time when senior management in many large businesses did not take Information Security/Cybersecurity advisories as seriously as they should have.  Today, however, with fines and penalties for preventable privacy breaches running into the millions (before individual lawsuits), and the potential for the loss of millions of records on the loss of a single flash drive or portable hard drive, that story has changed.  However, it cannot hurt to remind everyone to simply “cube the B” when planning for security, so that it sticks.  This stands for ensuring Buy-in at all levels with regard to security policies and rules – especially with senior management; which should be followed by Budgeting accordingly, so that IT can secure the human, material, and financial resources to do its job and do it well without constantly having to justify more funding; and following Best Practices in the industry or the art when it comes to security forecasting, planning, drafting, implementing, and reviewing.  See e.g. Ekundayo George.  Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec.  Posted on ogalaws.com, May 16, 2013.  Web: >https://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/<

[2] Nick Heath, in European Technology.  Researchers break speed record for transmitting data using light bulbs.  Published on techrepublic.com, October 29, 2013.  Web: >http://www.techrepublic.com/blog/european-technology/researchers-break-speed-record-for-transmitting-data-using-lightbulbs/?tag=nl.e101&s_cid=e101&ttag=e101&ftag=TRE684d531<

[3] For a brief overview of a recently-discovered, critical browser-specific attack vector, see Iain Thomson.  Big browser builders scramble to fix cross-platform zero-day flaw.  Published on theregister.co.uk, June 13, 2013.  Web: >http://www.theregister.co.uk/2013/06/13/cross_platform_browser_flaw_in_wild/<

[4] “Service” as here used, includes the entire “as a service” category, whether SaaS, PaaS, IaaS, or otherwise.

[5] For one prediction of the likely steps needed to maintain protection across an ever-expanding Attack Surface, see Patrick Lambert, in IT Security.  Growing attack surfaces require new security model.  Published on techrepublic.com, January 15, 2013.  Web: >http://www.techrepublic.com/blog/it-security/growing-attack-surfaces-require-new-security-model/<

[6] See Ekundayo George.  The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 2 – Applications).  Published on ogalaws.wordpress.com, December 27, 2013.  Online: >https://ogalaws.wordpress.com/2013/12/27/the-100-faces-of-data-a-5-part-complex-systems-study-part-2-applications/<
