Technology Solutions for the Enterprise
www.computer.org/itpro
IT Security
IN THIS ISSUE
Guest Editors’ Introduction: IT Security
Morris Chang, Rick Kuhn, and Tim Weil

Security—A Perpetual War: Lessons from Nature
Wojciech Mazurczyk and Elżbieta Rzeszutko
Security attacks and defenses—from distributed denial of service attacks to intrusion detection systems—are analogous with the techniques of various species in the natural world. Examining that world for inspiration could help IT security researchers seek out and prevent future attacks.

Securing Health Information
A.J. Burns and M. Eric Johnson
Protecting health information is critical, yet the security implications of healthcare workers’ IT usage remain largely unexamined. This article surveys the IT-enabled healthcare ecosystem and its emerging mobility and security issues—from electronic health record (EHR) implementation to bring your own device (BYOD) practices.

A Right to Cybercounter Strikes: The Risks of Legalizing Hack Backs
Jan Kallberg
Repeated cyberattacks and a lack of effective law enforcement have some nations seeking new ways to prevent such exploits. Countercyberattacks are illegal in most nations, but what if they were legal? Would they help? Or would they jeopardize the state’s authority and legitimacy?

Protected Web Components: Hiding Sensitive Information in the Shadows
Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, and Wouter Joosen
Third-party code inclusion is rampant, potentially exposing sensitive data to attackers. Protected Web components can keep private data safe from opportunistic attacks by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a Web component.
January/February 2015, Volume 17, Number 1
COLUMNS AND DEPARTMENTS
From the Editors: IT Pro 2015: A Look Ahead (San Murugesan)
IT in Emerging Markets: Human-Computer Interaction in Colombia: Bridging the Gap between Education and Industry (César A. Collazos and Luis Merchan)
Data Analytics: Analytics, Machine Learning, and the Internet of Things (Seth Earley)
IT Trends: High Tech, High Sec.: Security Concerns in Graph Databases (George Hurlburt)
Mastermind: Grace Hopper: Compilers and Cobol (George Strawn and Candace Strawn)

Understanding Green Software Development: A Conceptual Framework
Luca Ardito, Giuseppe Procaccianti, Marco Torchiano, and Antonio Vetrò
Developers who aim to write energy-efficient software require both a new mindset and models and tools that can measure and reduce the software effect on hardware energy consumption. The authors’ conceptual framework provides a unifying view of strategies, models, and tools.

An Interoperability Solution for Legacy Healthcare Devices
Yuan-Fa Lee
An ISO/IEEE 11073 personal health device system enables legacy healthcare devices to transmit vital sign data to an application hosting device on a network. The proposed architecture is composed of the x73-PHD gateway, x73-PHD adapter, and legacy healthcare devices.

Advertiser Index
IEEE CS Information
Call for Papers: Wearable Computing (back cover)
On the Web: computer.org/itpro For more information on computing topics, visit the Computer Society Digital Library at www.computer.org/csdl.
FROM THE EDITORS
IT Pro 2015: A Look Ahead
San Murugesan, BRITE Professional Services
Welcome to IT Professional 2015! In the last 16 years, IT Pro has presented 96 issues, offering useful information on various topics of interest, tracing advances in IT and discussing their effect on our work and lives, and addressing IT challenges and risks. We’re pleased that you, our readers and supporters, view IT Pro as valuable. Recently, in a brief readership survey, 90 percent of respondents rated IT Pro as “excellent” or “very good” (while 98 percent rated it “good” or higher). Respondents said they read the magazine to get a general overview of developments in the field, to maintain currency in their field, or to find specific information related to the field. Some looked to IT Pro for outcomes of ongoing research of practical relevance. Readers particularly valued application-oriented feature articles, our various departments, and research articles related to the issue’s theme. The vast majority of our readers are practitioners, professionals, and executives working in industry or government. Researchers in industry and academia and students are also part of our readership.
I thank everyone who has contributed to IT Pro’s success and prominence—the readers, authors, reviewers, editorial and advisory board members, and editorial and production staff. (For a list of the 2014 reviewers, please see www.computer.org/cms/Computer.org/dl/mags/it/2015/01/extras/mic2015010002s.pdf.) I’m confident we will continue to work together to advance IT Pro to greater heights and to further enrich its value to you.
IT Pro January/February 2015
A Look Back at 2014
Last year, each of our six issues focused on a specific theme of interest to the IT professional community: IT risks, NIST’s contributions to IT, mobile commerce, life sciences computing, the consumerization of IT, and advancing cloud computing. We introduced three new departments—Data Analytics, Life in the C-Suite, and Mastermind—and continued with or reinvigorated four departments (IT Trends, IT in Emerging Markets, Smart Systems, and Securing IT). We also published some timely Spotlight departments, including “IT Enhances Football at World Cup 2014,” “Bitcoin: Benefit or Curse?” and “Mobile Commerce: A Broad Perspective.” Our theme issues and selected articles were highlighted in Computing Now, IEEE Life Sciences Newsletter, IEEE Annals of the History of Computing, and social media, bringing them to the attention of a wider audience. We also organized and conducted the first IT Professional conference on Information Governance Challenges, held on 22 May 2014 at the National Institute of Standards and Technology (NIST), Gaithersburg (see http://tinyurl.com/itproconf).
Published by the IEEE Computer Society
What’s in Store for 2015
As outlined in my previous editorial,1 as an IT professional, you’re expected to develop creative IT-enabled solutions, harnessing ongoing advances and trends in IT to address real problems facing society. You also must satisfactorily address new and ongoing challenges facing IT systems and applications; uphold your professional, social, and ethical responsibilities; and work collaboratively with other professionals, managers, and colleagues. You should always be looking toward the future—what might happen in the next five to 10 years, and what actions can you take now to prepare for this future? You should look for points of potential disruption—what will change “business as usual”? You must stay abreast of advances in IT, emerging novel applications, new challenges and issues, and potential opportunities. IT Pro will be of value to you in meeting these demands and expectations and in succeeding as a reputable IT professional. In 2015, IT Pro’s six issues will focus on IT security, IT-enabled business innovation, the Internet of Anything, data analytics,
1520-9202/15/$31.00 © 2015 IEEE
Editorial Team Updates
We’ve diversified the editorial board and broadened its reach by inducting the following new members.
Stephen J. Andriole is the Thomas G. Labrecque Professor of Business Technology in the Villanova School of Business at Villanova University, where he teaches courses in strategic technology and innovation and entrepreneurialism. He conducts applied research on technology management best practices, social media, big data analytics, cloud computing, and emerging (“ready”) technology adoption. Andriole is the recipient of the US Department of Defense Meritorious Civilian Service Award for his work at the Defense Advanced Research Projects Agency (DARPA), and is a Charter Member of the US Senior Executive Service (SES). For more information, see www.andriole.com or contact him at [email protected].
Haluk Demirkan is a professor of digital service innovation and business analytics, and he’s the founder and executive director of the Center for Information-Based Management at the Milgard School of Business, University of Washington—Tacoma. His interests include business analytics, digital innovation, service innovation, and service-oriented-X. In 2014, he was ranked fifth in the Top-100 World-Wide Researchers according to the Association for Information Systems sanctioned Research Rankings. He is a co-founder and board director of the International Society of Service Innovation Professionals (www.issip.org). Contact him at [email protected].
Bin Guo is a professor at Northwestern Polytechnical University. His research interests include ubiquitous computing, mobile phone sensing, mobile social networks, and human-computer interaction. He is a senior member of IEEE. He won the 2nd Class of Natural Scientific Award of the State Education Ministry of China in 2014. For further details, see www.ayu.ics.keio.ac.jp/~bingo or contact him at [email protected].
Samee U. Khan is an associate professor at the North Dakota State University. His research interests include the optimization, robustness, and security of cloud, grid, cluster, and big data computing; social, wired, and wireless networks; power systems, smart grids, and optical networks. In these areas, his work appears in over 250 publications. He maintains the GreenCloud simulator and the CloudNetSim++ simulator. He is a Fellow of the British Computer Society and a Fellow of the Institute of Engineering and Technology. For further details, see http://sameekhan.org or contact him at [email protected].
Arpan Pal is a principal scientist and research head at Innovation Lab, Tata Consultancy Services, Kolkata, India. His interests include mobile-phone and camera-based sensing and analytics, physiological sensing, M2M communications, and Internet-of-Things-based platforms and systems. He is on the editorial board for ACM Transactions on Embedded Computing Systems and IEEE Transactions on Emerging Topics in Computing. He is a senior member of IEEE. For further details, see www.tcs.com/about/research/researchers/Pages/Pal-Arpan.aspx or contact him at [email protected].
Tim Weil is a risk manager (contractor) at the US Department of Interior and has over 25 years’ experience in the areas of data processing, communications engineering, and information assurance. His areas of interest include identity management, IT service management, cloud security architecture, and enterprise risk management for federal agencies. He is an author and editor of the 2012 ANSI standards for Role-Based Access Control (RBAC). He has received several IEEE Distinguished Service awards. For further details, see http://securityfeeds.com, or contact him at [email protected].
We also thank Jia Zhang of Carnegie Mellon University—Silicon Valley and Liang-Jie Zhang of Kingdee Int’l Software Group, who have concluded their tenure as ed board members after several years of dedicated service and significant contributions to IT Pro. Finally, we say farewell to Shani Murray, who has been the Freelance Managing Editor of IT Pro since 2010, making excellent contributions to the success of our magazine. As she moves on, we welcome in her place Rebecca Deuel Gallegos, who is an excellent addition to our team. We look forward to her valuable contributions.
We Welcome Your Contributions
IT Pro covers the entire spectrum of an IT professional’s interest—technologies, applications, strategies, case studies, best practices, issues and challenges, and IT’s value proposition. We publish a mix of relevant, high-quality, peer-reviewed feature articles; short department articles; hot topic spotlight articles; and perspectives and opinion pieces. You can contribute to IT Pro in the following ways:
• Feature articles—you can submit quality articles (approximately 4,200 words) for theme issues or on topics of general interest, which will be subjected to peer review. For author guidelines and call for theme issues, see www.computer.org/itpro.
• Department articles—submit short articles (approximately 1,500 words) suitable for any of the departments to the respective editor (for contact information, see http://bitly.com/itpro-edboard).
• Reviewer—if you would like to serve as a reviewer, email your bio and details of your reviewing credentials to San Murugesan, Editor in Chief, at [email protected].
• Theme issue proposal—we invite your proposals for our upcoming issues in 2016. If you would like to see a topic of relevance covered or wish to guest edit a theme issue, send your proposal to san@computer.org.
Furthermore, feel free to share your thoughts, suggestions, and comments on how we’re doing, or what else we could do, by emailing san@computer.org.
wearable computing, and smart systems. In addition to peer-reviewed articles on these topics, we’ll also feature articles that address other topics of interest. We’ll continue to offer our highly valued department line-up and will present From the Editors, Spotlight, and other special columns.
Starting this year, IT Pro will primarily be published as a digital edition, which provides several welcome features (subscribers can choose to receive the print edition for an additional $149 per year). We plan to progressively include more multimedia content—video clips, interactive graphics, animation, and demos. So, you can look forward to IT Pro continuing to provide interesting and valuable information, enriched with new features.
Furthermore, to engage with IT practitioners and facilitate closer interaction, we’re collaborating with international and regional conferences and symposia relevant to IT professionals and managers. For example, we’ve partnered with COMPSAC to cosponsor and organize a unique symposium, IT in Practice (ITiP), as part of COMPSAC 2015 in Taiwan (www.compsac.org), and we solicit your participation in the symposium. Please let me know if a conference you’re associated with is interested in collaborating with IT Pro. To serve you better, we’ve given a facelift to our editorial team (see the “Editorial Team Updates” sidebar).
You, as an IT professional, can make a difference, helping change the world for the better, and we strive to make IT Pro your IT magazine of choice. We welcome your contributions (see the related sidebar). I trust you’ll find IT Pro in 2015 (and the years to follow) highly valuable to you.
Reference
1. San Murugesan, “Succeeding as an IT Professional,” IT Professional, vol. 16, no. 1, 2014, pp. 2–4.
San Murugesan is the director of BRITE Professional Services and an adjunct professor at the University of Western Sydney, Australia. His areas of interest include cloud computing, green IT, the Internet of Things, and IT applications. He’s the editor in chief of IT Professional. He is co-editor of the forthcoming Encyclopedia of Cloud Computing (Wiley 2015) and serves on the editorial board of Computer and edits its bimonthly column, Cloud Cover. He is a fellow of the Australian Computer Society and the Institution of Electronics and Telecommunication Engineers (IETE). Contact him at san@computer.org, or visit his webpage at http://bitly.com/sanprofile.
Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
IT IN EMERGING MARKETS
EDITOR: Gustavo Rossi, Universidad Nacional de La Plata, [email protected]
Human-Computer Interaction in Colombia: Bridging the Gap between Education and Industry
César A. Collazos, Universidad del Cauca, Colombia
Luis Merchan, Universidad de San Buenaventura Cali, Colombia
Human-computer interaction (HCI) is a formative discipline related to the design of interactive systems. It lies at the crossroads of many scientific areas, including psychology, computer vision, artificial intelligence, face recognition, and motion tracking. In recent years, there has been a growing interest in improving all aspects of interaction between humans and computers. However, to achieve effective human-computer intelligent interaction, computers must be able to interact naturally with users, similar to human-human interaction.1
Previous work in the HCI community has identified gaps between theory and practice in HCI education.2 Since the publication of the ACM SIGCHI Curricula for Human-Computer Interaction in 1992,3 computer science educators have implemented these guidelines in diverse ways in elective courses or as focus areas within other courses, such as graphics, software engineering, multimedia, or even introductory computer science courses. However, because many people in the software industry don’t know much about HCI, the HCI courses offered in undergraduate and postgraduate studies aren’t being applied in the software industry. We found this to be particularly true in Colombia, where we conducted an analysis of what’s being taught versus what software companies need when it comes to HCI. The survey was conducted at various universities and software companies in Colombia, obtaining important feedback related to the importance of HCI in the development of software processes.
Identified Problems
To identify the gap between academia and the software industry, we surveyed professors and software developers about problems related to HCI education. In particular, we asked about issues related to government regulations, software industry requirements, and courses and methodologies.
Government Regulations
Today, powerful new technologies can be used to advance sustainable development of societies across the world while including citizens in the process. According to a 2012 survey conducted by the United Nations, some developing countries, such as Colombia, have begun to catch up with higher-income countries in terms of citizen inclusion and e-participation.4 It’s thus imperative that such countries gear their information and services toward user uptake, addressing in particular the needs and concerns of citizens under-represented in government. Such countries also must view their citizens not only as passive receivers of information through Web-based services but as active partners who are encouraged to interact with the government through ICT-based dissemination of relevant government information—which is where HCI becomes imperative.
Colombia’s government portal contains numerous participation features to help citizens engage with the government (see Figure 1). Citizens can employ tools such as online forums, blogs, and online polls. The portal also lets users participate through social networking features, such as Facebook, Twitter, Wordpress, YouTube, and Flickr, where they can post comments and express their views.
Figure 1. Colombia’s government portal. It contains numerous participation features to help citizens engage with the government.
In researching Colombia’s state policies, we found that the guidelines for online government, offered by the Ministry of Information Technologies and Communications, focused primarily on the usability of state websites.5 These government-proposed guidelines are grouped according to the process of developing a website. The various groupings include information architecture, user interface design, interaction design, search, and tests of usability and content. Each guideline has a related evaluation matrix to evaluate website compliance at the national, territorial, and district level.
The guidelines also outline the benefits of applying HCI techniques to websites:
• reduced production costs (by minimizing the number of late-state redesigns),
• reduced support and maintenance costs,
• reduced usage costs (through reduced user effort),
• less customer support, and
• reduced training costs.
However, how to apply HCI techniques to realize these benefits remains an open challenge.
Software Industry Requirements
With the online government programs and the strengthening of the IT industry through the Ministry of Information and Technology, the Colombian government is working to promote the use of IT in society. The government program opens up a wide range of opportunities for the hardware and IT services industries in the country. Between 2007 and 2012, the software industry in Colombia grew 3.79 times due to the strengthening of the sector as a result of the government programs.6 Fedesoft, the Colombian software developers association, along with the Ministry of Commerce, Industry and Tourism, are developing Colombian software as an export product.6
To identify HCI capabilities needed in the software industry, we surveyed some companies in Colombia. Although there are many HCI areas of interest to the software industry, few software companies are researching these areas. Of those surveyed, although there was a general consensus of the importance of HCI, most said they had not integrated HCI into their software development processes. We thus need ways to better communicate and share information to increase collaboration between HCI researchers and software developers.
One of the most promising research areas is usability in nonclassic applications, such as mobile environments or interactive digital television. Another important area is interaction scenarios in social networks—a growing segment of society.7 Figure 2 depicts some of these HCI areas of interest to software developers.
Figure 2. HCI research areas of interest to the software industry. Unfortunately, many software companies are not researching these areas, which is why better collaboration between HCI researchers and software practitioners is needed. (Bar chart: level of interest by HCI research area.)
Courses and Methodologies
Most HCI courses in Colombia are offered as optional undergraduate courses.8 The topics most often covered include user-centered design, usability, and interaction design, as depicted in Figure 3. However, our survey revealed that universities are starting to add secondary topics, such as accessibility, ergonomics, emotional design, and aspects related to internalization and multiculturality. The survey also revealed that the most used teaching methodology is to ask students to apply the concepts taught in the class to a particular case study.
Figure 3. HCI courses taught in universities in Colombia. (Bar chart: number of courses by topic.)
Table 1 lists the top 10 universities in Colombia,9 only one of which explicitly covers HCI in its undergraduate program. Clearly, academia is lacking when it comes to the HCI curriculum, even though various references and standards for computer science training, such as the ACM’s “Computer Science Curricula 2013,”10 continually note the importance of HCI, recognizing it as part of the body of knowledge and promoting its inclusion in the computer science curriculum. So although HCI is being promoted by research groups in master’s and doctorate programs, it has yet to be framed as an implicit factor in more general areas of study, such as “software quality attributes,” so the curriculum does not have sufficient breadth and rigor at the undergraduate level.
Table 1. Ranking of the 10 best Colombian Universities versus the HCI courses offered.
| Rank | University | Engineering program | Usability/HCI courses |
|---|---|---|---|
| 1 | Universidad de los Andes Bogotá | Computer and Systems Engineering | No |
| 2 | Universidad Nacional—Bogotá | Systems Engineering | No |
| 3 | Universidad Rosario—Bogotá | No engineering programs | No |
| 4 | Univ. Externado de Colombia—Bogotá | No engineering programs | No |
| 5 | Universidad Icesi—Cali | Systems Engineering | No |
| 6 | Universidad EAFIT—Medellín | Systems Engineering | No |
| 7 | Universidad Nacional—Medellín | Systems Engineering and Informatics | No |
| 8 | Universidad de la Sabana—Chía | Computer Engineering | No |
| 9 | Universidad Javeriana—Bogotá | Systems Engineering | Yes (optional course—Human Computer Interaction, worth 3 credits) |
| 10 | Universidad del Norte—Barranquilla | Computer and Systems Engineering | No |
Bridging the Gap
User satisfaction is often considered a critical outcome of quality management, and some studies11 show it as having a positive impact on organizational cost, profit, and sales growth. Moreover, user dissatisfaction stems from a lack of user involvement during software development. In the case of HCI, it has been suggested by experts that a user’s participation in the application growth life-cycle through user feedback is important for successful application execution. However, system professionals still aren’t sure how much user participation is needed or how HCI can help increase such participation.
For example, usability is a critical quality factor when it comes to the success of a software product. Yet, according to Craig Larman, an expert in software engineering, when it comes to usability engineering and the design of the user interface, the importance of usability in software development is disproportionate with the amount of attention given to the subject and formal education offered.12 Consequently, we need strategies for applying user requirements to HCI teaching, considering industry needs. Some proposals for integration13 present ad-hoc solutions, created for particular software development organizations, but such proposals lack a generic approach for applying the solutions to organizations with different characteristics.
We need mechanisms for educating people in the software industry about the importance of considering HCI during product development. In Brazil, some companies are using consulting companies to help them perform usability testing on their products. In Mexico, Colombia, and Chile, some companies are working on usability, and there are a few projects focused on integrating people from academia and industry.7 It’s necessary for universities to develop real-world projects as experimental studies that consider industry needs, bringing together participants from both academia and industry. Such projects would give students an opportunity to apply HCI concepts in an industry-representative project.
Another aspect to consider is how to express HCI using terms and concepts familiar to software developers. For example, implementing usability activities can be intermingled with other analysis activities. It would be easy to integrate HCI analysis activities into more general analysis activities during the development process. In particular, two activities viewed as “design” activities in HCI are viewed as “analysis” activities in software engineering: prototyping and developing the product concept.14 Implementing HCI techniques during these two activities would be easy if the proper terminology and concepts were used.
We also need to make sure that software developers are made aware of new HCI research areas and that companies have better educated developers. In Colombia, only 0.1 percent of software developers have a PhD, and 1 percent have a master’s degree—very low levels for an industry that requires highly qualified employees to be competitive.6
The HCI field is diverse, and there’s no general agreement on the set of activities that are part of a user-centered development process. However, the trend seems to be to focus on specifying the use context, outlining usability specifications, prototyping, and evaluating usability. Although the university experience in countries like Colombia is not as vast as in the US, England, or other countries, HCI research is slowly increasing as researchers participate more in important workshops, publish in recognized HCI journals, and are invited as keynote speakers at international conferences. As Colombia introduces HCI techniques and activities into mainstream software engineering practices, software companies will improve their products and offerings.
References
1. N. Sebe, M.S. Lew, and T.S. Huang, “The State of the–Human–Computer Interaction,” Computer Vision in Human–Computer Interaction, LNCS 3.058, 2004, pp. 1–6, 2004.
2. E. Buie et al., “How to Bring HCI Research and Practice Closer Together,” Proc. 28th Int’l Conf. Extended Abstracts on Human Factors in Computing Systems (CHI-EA), 2010, pp. 81–84.
3. T.T. Hewett, ed., ACM SIGCHI Curricula for Human-Computer Interaction, ACM Press, 1992.
4. “United Nations E-Government Survey 2012: E-Government for the People,” UN, Mar. 2012; www.un.org/en/development/desa/publications/connecting-governments-to-citizens.html.
5. “Lineamientos y Metodologías en Usabilidad para Gobierno en Línea [Guidelines and Methodologies in Usability for Online Government],” Ministerio de Tecnologias de la Informacion y las Comunicaciones, 23 Aug. 2010; http://paginasweb.univalle.edu.co/reglamentos/pasos/documentos/GEL108_CINTEL_Lineamientos_y_metodologias_en_usabilidad.pdf.
6. Sector de TI en Colombia, tech. report, Federacion Colombiana de la Industria de Software, 2012.
7. C. Collazos, T. Granollers, and M. Ortega, “Hacia una Integraciòn de Interaccion Humano-Computador en las Estructuras Curriculares a Nivel Iberoamericano [Towards Integration of Human-Computer Interaction in the Curriculum Frameworks to the Ibero-American Level],” Revista Internacional de Educacion en Ingenieria, vol. 3, 2010, pp. 1–10.
8. T. Granollers, C. Collazos, and M. González, “The State of HCI in Ibero-American Countries,” J. Universal Computer Science, vol. 14, no. 16, 2008, pp. 2599–2613.
9. “Mejores Universidades de Colombia, Según las Pruebas Saber Pro 2012 [Best Universities in Colombia, According to Saber Pro 2012 Tests],” Centro Virtual de Noticias de la Educación, 11 Sept. 2013; www.mineducacion.gov.co/cvn/1665/w3-article-328609.html.
10. “Computer Science Curricula 2013,” Association for Computing Machinery, 20 Dec. 2013; www.acm.org/education/CS2013-final-report.pdf.
11. H. Jun, S. Kim, and C. Chung, “Measuring Software Product Quality: A Survey of ISO/IEC 9126,” IEEE Software, vol. 21, no. 5, 2004, pp. 88–99.
12. C. Larman, UML and Patterns: An Introduction to Object-Oriented Analysis and Design and the Unified Process, 2nd ed., Prentice Hall, 2001.
13. K. Radle and S. Young, “Partnering Usability with Development: How Three Organizations Succeeded,” IEEE Software, vol. 18, no. 1, 2001, pp. 38–45.
14. X. Ferre, N. Juristo, and A. Moreno, “Improving Software Engineering Practice with HCI Aspects,” Proc. 11th Int’l Conf. Software Engineering Research, Management and Applications (SERA), 2003, LNCS 3026, 2004, pp. 349–363.
IT Pro January/February 2015
Cèsar A. Collazos is a full professor in the Computer Science Department at the Universidad del Cauca, Colombia. Contact him at [email protected].
Luis Merchan is a full professor in the Computer Science Department and the director of research at the Universidad de San Buenaventura Cali. Contact him at [email protected].
Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
CALL FOR ARTICLES
IT Professional seeks original submissions on technology solutions for the enterprise. Topics include
• emerging technologies,
• cloud computing,
• Web 2.0 and services,
• cybersecurity,
• mobile computing,
• green IT,
• RFID,
• social software,
• data management and mining,
• systems integration,
• communication networks,
• data center operations,
• IT asset management, and
• health information technology.
We welcome articles accompanied by Web-based demos. For more information, see our author guidelines at www.computer.org/itpro/author.htm.
DATA ANALYTICS
EDITOR: Seth Earley, Earley & Associates, [email protected]
Analytics, Machine Learning, and the Internet of Things
Seth Earley, Earley & Associates
Our increasingly connected world, combined with low-cost sensors and distributed intelligence, will have a transformative impact on industry, producing more data than humans will be able to process. Will businesses be able to adapt and evolve quickly enough to maintain their place in the competitive landscape? How will humans make sense of and benefit from these new sources of information and intelligence embedded in our environment?
Exploiting Evolving Technology
Organizations will need to get their internal data houses in order so they can leverage new sources and streams of data. Smart connected devices will also remove humans from the loop in some cases, so devices will be making their own decisions and self-adjusting or course correcting and repairing themselves as needed. In other cases, collections of devices will act as systems that can be optimized in new ways, and systems of systems will share data and behave as an ecosystem of data and devices. Machine learning—a term that describes numerous approaches to deriving meaning from data—will have to be part of the equation, but so will traditional business and data analysis techniques as organizations prepare for the Internet of Things (IoT).
The IoT, or as some prefer to call it, the “Internet of Everything,” has been on an increasing growth trajectory that Gartner projects will reach 26 billion units by 2020, with the value of IoT products and services reaching US $300 billion.1 GE, a long time player in the industrial Internet—which comprises the mechanisms and applications for monitoring and optimizing the performance of industrial equipment (including jet engines, locomotives, power turbines, and manufacturing processes)—estimates that the industrial Internet will add $10 to $15 trillion (yes, trillion) to the global gross domestic product over the next 20 years.2
Of course, there is an enormous amount of hype in the marketplace around new and emerging technologies. In fact, Gartner’s infamous “hype cycle” report has the IoT at the “peak of inflated expectations” (big data has already entered the “trough of disillusionment”).3 Yet regardless of entrepreneurs’ breathless excitement or journalists’ enthusiastic visions of the future, there are a number of challenges that organizations must wrestle with to exploit this evolution in technology.
The Challenges
Organizations will need to focus on
• understanding the relative maturity of enterprise capabilities in the realms of product technology and IT;
• understanding the types of IoT functionality that can be incorporated and where new capabilities will impact customer value;
• understanding the role of machine learning and predictive analytics models; and
• rethinking business models and value chains based on how quickly the market is changing and the relative agility of competitors.
Published by the IEEE Computer Society
1520-9202/15/$31.00 © 2015 IEEE
Let’s consider each of these challenges in more detail.
Understanding Product and IT Maturity
This factor can be considered in two dimensions. How mature is the product portfolio? Is it a traditional class of product with slower changes and gradual evolution, or is it a faster moving, more complex technology ecosystem? Mining equipment is technologically complex but has longer equipment life cycles and relatively slower evolution than scientific research instrumentation. However, this doesn’t mean that the instrumentation firm is better equipped to extend its IoT offerings into system optimization. Another factor needs to be considered—that of IT process maturity. Each type of organization would benefit from IoT enablement; however, the models for that evolution will vary.
Consider the dimension of the level of IT maturity. For example, the scientific research equipment supplier might be technologically advanced but not have strong IT architectures, processes, and governance. The mining equipment manufacturer might be very mature in internal IT processes. The implication for the scientific instrumentation firm might be that IoT will allow for functionality updates of field instrumentation, but the firm might not want to attempt to optimize a laboratory information ecosystem consisting of multiple classes of equipment. (It is certainly possible that a lack of maturity in IT as a cost center wouldn’t translate into a lack of maturity of IT in a profit center; however, many organizations build on existing foundational IT capabilities when developing or extending IT services offerings.)
The mining equipment example is discussed in a recent Harvard Business Review article on the IoT: Joy Global is a mining equipment manufacturer that offers monitoring, maintenance, and optimization of a fleet of equipment from multiple vendors by leveraging its expertise across various systems and processes related to mining operations.4
Understanding IoT Capabilities
The next idea to consider is what capabilities to leverage in smart connected products. According to the same Harvard Business Review article, there are four types of IoT capabilities:4
• monitoring—sensors provide data about the operating environment and product usage and performance;
• control—product functions can be controlled and personalized;
• optimization—feedback loops from monitoring and control allow for improved efficiency, better performance, preventative maintenance, and diagnostics and repair; and
• autonomy—monitoring, control, and optimization allow for independent operation, coordination with other systems, interaction with the environment, personalization, replenishment, and self-diagnosis and repair.
These levels of capability allow for redefined supply chains and reconfigured value chains. Rather than considering products as having fixed functionality, we need to view them as more flexible and adaptable. When products are intelligent and connected to the Internet, they become variable and have the ability to change as the user’s needs change. Software manufacturers have recognized this for years. Now, physical objects become vehicles or containers for software-driven functionality. These levels of capability require increasingly sophisticated data analytics approaches—from collecting and applying data to allowing algorithms themselves to apply data and learn while doing so.
So, the first level of capability—monitoring—becomes a real-time mechanism to better understand field performance and user needs and offer new capabilities. This means that the boundaries of an organization’s traditional products and services are blurred and extended. Consider field equipment that was traditionally maintained by a contract field service firm, not by the manufacturer. With intelligence and monitoring, equipment can inform the manufacturer of needed service ahead of a breakdown. Routine maintenance can become part of the manufacturer’s offering, with complex repairs still being handled by a specialist contractor if the margins and logistics make sense for the organization. This disintermediation can extend to distribution chains as well. Equipment can automatically call for a replenishment of supplies, removing distribution costs and inventory from the supply chain.
Control is a more sophisticated application built on top of monitoring. We can monitor equipment operations and then extend the boundaries of human intervention by controlling multiple pieces of equipment or multiple systems. Consider the role of humans in running a system or machine, where most of the functions are automated. Humans guide the operation and look for edge conditions, anomalies, and exceptions that weren’t anticipated (or cost-effective) during the system design. Then, they use their judgment to make a change, correction, or adjustment. The human doesn’t need to be with the equipment and might not need to be monitoring in real time (depending on the process). Monitoring is simply taking in the data and processing it (something must be done with the data at some point). Control is applying that data in real (or near real) time to the operation of the equipment or device. The strategic decision that organizations need to make is whether and when to make more control capabilities part of the product offering and whether to offer that as a service or to allow the customer to have that capability.
The third level of capability—optimization—can extend to the performance of an individual object, a fleet of objects, or an ecosystem of objects across multiple manufacturers and technologies. The strategic decision about whether to extend offerings to this realm hinges on the level of knowledge and sophistication around the value chain and the boundaries of the processes. The mining example illustrates the advantages that Joy Global might have over a vendor with a more limited view of the process ecosystem. A truck manufacturer, for example, would be poorly positioned to optimize complex mining equipment but would benefit from optimizing its fleet of trucks (and potentially a fleet of other manufacturer’s trucks) if the industry dynamics made business sense.
Extending optimization to independent operation requires an extension of capabilities to allow for less constrained interaction with the environment and with other systems. Autonomy requires greater intelligence around algorithms that can deal with unplanned situations—those situations for which programmers and system engineers didn’t explicitly design. Autonomous operations require incorporating adaptable machine learning approaches for dealing with novel situations into the core algorithms used for monitoring, control, and optimization.
Understanding Analytics and Machine Learning
In November 2014, Mike Kuniavsky of Xerox PARC gave an IDTechEx presentation, “The User Experience of Predictive Analytics in the Internet of Things,” in which he suggested that virtually all functionality resides (or will soon reside) in the cloud. Data and functionality can be accessed from any location and through multiple devices. Specialized devices provide context in which the user accesses the data. A fitness bracelet can access data about the user’s physical health via an iPhone or laptop in the specific context of exercise. In this case, the fitness bracelet acts as an IoT sensor and also provides a means for accessing and consuming data. The device also subsumes other devices (such as a pedometer) through software functionality.
The data provided by the device can offer additional insights about the consumer’s usage and preferences, which can be leveraged when updating functionality and developing new features. If aggregated across a population of users and combined with other datasets, new insights can shed light on epidemiological data, activity levels across populations, lifestyles, and demographic data. This information has value to marketers, healthcare providers, insurance companies, and government agencies. (Of course, we must account for privacy considerations and data usage permissions.) Machine learning algorithms can be used to make predictions based on these data patterns. For example, in a Mayo Clinic study, activity data was correlated with recovery rates for cardiac patients.5
The same machine learning and predictive algorithms are the basis for a number of connected intelligent consumer devices. Nest thermostats are an example of a device that leverages data patterns to predict the preferred temperature in a specific room at a certain time of day. (Another control and optimization example is seen at an aggregated neighborhood level, where power utilities can shift energy loads at peak times by remotely adjusting—with the occupant’s permission—hundreds or thousands of Nest devices by a couple of degrees.) Other consumer devices range from those that learn from voice patterns (such as Echo, a personal-assistant-type device from Amazon6) to those that learn from much more complex behavior and activity patterns (such as Jaguar’s Land Rover monitoring system, which “relies on a complicated software which enables the car to study, predict, check, and remind the car’s occupants [to] help the driver auto-delegate his tasks and make him concentrate more on his driving.”7)
Optimization algorithms use machine learning mechanisms to leverage data from both sensors and intelligent devices that interact under dynamic conditions. These variable conditions can’t be precisely predicted beyond certain parameters. The algorithms will need to sense, respond, and adapt. For example, as cars take on more responsibilities from the driver, they will be interacting with more environmental sources of data (sensors, lights, other cars, and so on). Classes of applications in industrial automation, logistics and transportation, power grid and energy systems, traffic management, security systems, and other “systems of systems” will let machines communicate directly with other machines. Furthermore, such applications will help machines interpret dataflows based on algorithms that can evolve and adapt, so the machines can achieve the desired end states given certain operational parameters.
Rethinking the Business Model and Value Chain
Intelligent, connected devices require organizations to reexamine how and where they create value in the marketplace and how that value will be enhanced or diminished as the competitive environment and information ecosystem evolves. Analytics will help validate some decisions (for example, getting real-time usage data regarding changes to features or added services and functions); however, business models might be so vastly transformed by new entrants and value-chain structures that analytics based on the company’s traditional business models will no longer be relevant. Products or services might be based on data stream exhaust from legacy products rather than revenue from the products themselves. New business models might extend far beyond the product and into upstream suppliers or downstream consumers.
At the core, all of these possibilities require organizations to have foundational capabilities around their internal data hygiene and analytic infrastructure: data curation, ownership and quality standards, consistent enterprise architecture, cleanly integrated systems, automated data onboarding processes, and mature analytic expertise. Without the basics in place and well managed, it will be very difficult to rapidly react to and evolve new analytic and data management functions and abilities. Because the IoT will be based on dataflows and sophisticated approaches for gaining insights from information and applying those insights to value creation through integration with enterprise knowledge, organizations that don’t have those abilities will be left behind in the marketplace or relegated to low-value, low-margin commodities. Data has been called the new oil—and extending that metaphor means that data is refined into high-value products through the knowledge refinery of analytic capabilities. Organizations need to invest in building that infrastructure now so they are prepared in the coming years when supply chains and value creation will be transformed, disrupted, and upended. Information agility will be a required core competency.
References
1. “Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020,” Gartner, 12 Dec. 2013; www.gartner.com/newsroom/id/2636073.
2. “Analyze This: The Industrial Internet by the Numbers & Outcomes,” GE, 7 Oct. 2013; www.gereports.com/post/74545267912/analyze-this-the-industrial-internet-by-the, retrieved 2014-11-30.
3. “Gartner’s 2014 Hype Cycle for Emerging Technologies Maps the Journey to Digital Business,” Gartner, 11 Aug. 2014; www.gartner.com/newsroom/id/2819918.
4. M.E. Porter and J.E. Heppelmann, “How Smart Connected Devices are Transforming Competition,” Harvard Business Rev., Nov. 2014, pp. 70–86.
5. D.J. Cook et al., “Functional Recovery in the Elderly After Major Surgery: Assessment of Mobility Recovery Using Wireless Technology,” Annals of Thoracic Surgery, vol. 96, no. 3, 2013, pp. 1057–1061; www.annalsthoracicsurgery.org/article/S0003-4975(13)01253-8/fulltext.
6. D. Etherington, “Amazon Echo Is A $199 Connected Speaker Packing an Always-On Siri-Style Assistant,” Tech Crunch, 6 Nov. 2014; http://techcrunch.com/2014/11/06/amazon-echo.
7. M. Mendoza, “Jaguar Land Rover Develops Self-Learning, Intelligent Car,” Tech Times, 17 July 2014; www.techtimes.com/articles/10308/20140717/jaguar-land-rover-develops-self-learning-intelligent-car.htm.
Seth Earley is CEO of Earley & Associates (www.earley.com). He’s an expert in knowledge processes and customer experience management strategies. His interests include customer experience design, knowledge management, content management systems and strategy, and taxonomy development. Contact him at [email protected].
Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
GUEST EDITORS’ INTRODUCTION
IT Security
Morris Chang, Iowa State University
Rick Kuhn, US National Institute of Standards and Technology
Tim Weil, US Department of the Interior
Change is a factor in every area of life, but it often seems even more so in IT—particularly in IT security. Organizations must manage patches daily, continuously monitor for vulnerabilities and attacks, and install an endless stream of new releases of application software. Even in established IT fields, such as database management, new challenges are emerging—for example, we’re witnessing a shift from huge relational databases to even larger, but often less structured, big data repositories, which present new challenges for information security. In addition, completely new problems frequently appear, such as bring your own device (BYOD) security challenges, because every employee’s cell phone now has capabilities and risks that used to be concentrated in mainframes or desktop computers. The dynamics of the rapid change affecting the IT industry give rise to the question, how can IT professionals adapt to these ever-changing security challenges quickly and without draining their organizations’ resources?
Adapting Securely to Change
As with many problems, one of the best approaches is to break the security problem down into component parts and separate concerns before considering how the different components interact. Security is more than firewalls and cryptographic protocols, and a focus on these technical aspects can often lead to neglecting other issues, resulting in a breach. We can view security from at least the following four perspectives, analyzing problems accordingly.
Technical
This is the most commonly discussed concern, and indeed it can have an extraordinary impact. A recent example is the “Heartbleed” bug (http://heartbleed.com), an apparently simple coding error in the OpenSSL library that allowed a storage boundary to overflow, revealing sometimes sensitive information or, in some cases, completely compromising systems. Heartbleed also illustrated the difficulty of analyzing security impacts. From one angle, Heartbleed appears to be a moderately severe buffer overrun vulnerability that can lead to a compromise of random bits of memory. But with repeated runs, it was possible to obtain critical data, such as authentication information, allowing attackers to log into systems. The key point here is that security can be very difficult to analyze outside of its particular application context.
Behavioral
One of the most poorly understood aspects of security is the problem of making mechanisms easy to use while retaining adequate strength for a particular application. Security principles, going back nearly 40 years, included the need for ease of use for security mechanisms, but the problem can be surprisingly difficult to solve, because of the needs of different application domains. A mechanism that is easy to use for employees with only minimal training might be unacceptable in a customer-facing application, because, of course, customers won’t have any training in its use.
Legal
Regulations and laws have always been a part of life in industry and government, and legal complexities have multiplied along with technology. While technical aspects of security might be relatively similar across application domains, laws and regulations vary enormously, not only across industries but among jurisdictions as well. Further complicating the issue is the fact that corporations often conduct business in hundreds of countries. Successful methods for automating the regulatory and legal aspects of IT increase in importance as, more and more, daily life happens online.
Basic Principles
A common theme apparent in the three aspects of security just discussed is the fact that often, everything depends on the context and application domain. But what are the basics that IT professionals can apply in analyzing security problems? Not only computer security principles, which are well known, but broader questions of protection and conflict should be considered, with lessons that can be learned from other fields entirely outside of IT.
In this Issue
The first theme article in this issue, “Security—A Perpetual War: Lessons from Nature,” by Wojciech Mazurczyk and Elżbieta Rzeszutko, provides thought-provoking analogies between the natural world and cybersecurity issues, including botnets, intrusion detection, and distributed denial of service. Considering the basic principles involved can spur creative thinking about how to improve cyberdefenses.
Another article, “A Right to Cybercounter Strikes: The Risks of Legalizing Hack Backs,” by Jan Kallberg, deals with a controversial topic: the legalities and practicalities of a “self-defense” approach to cybersecurity. When an organization is the target of a cyberattack, is it possible to accurately identify the attack source? If so, is it reasonable for the organization to take an offensive approach to stopping the attack? Industries and governments are currently asking these questions, and IT professionals should be aware of the issues involved.
In “Securing Health Information,” A.J. Burns and M. Eric Johnson provide an overview of security issues in healthcare IT. The authors suggest that healthcare has lagged behind other industries in its use of IT but is changing rapidly now. The field is complex, in particular because of the tradeoff between security and a capacity to provide prompt and informed care, but solutions apply to many other industries as well.
“Protecting Web Components: Hiding Sensitive Information in the Shadows,” by Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, and Wouter Joosen, deals with the ubiquitous problem of protecting Web-based information and commerce using new features of the document object model. The authors also include statistics on the disturbingly high prevalence of security weaknesses in real-world websites, which suggest that many organizations might be more vulnerable than they realize.
Articles in this issue highlight emerging trends and suggest ways to approach the four aspects of cybersecurity we outlined. The breadth and depth of discussion in these articles should help readers recognize both problems and potential solutions.
Acknowledgment
Certain products may be identified in this document, but such identification doesn’t imply recommendation by the US National Institute of Standards and Technology or other agencies of the US Government, nor does it imply that the products identified are necessarily the best available for the purpose.
Morris Chang is an associate professor at Iowa State University. Contact him at [email protected].
Rick Kuhn is a computer scientist at the US National Institute of Standards and Technology. Contact him at [email protected].
Tim Weil is a risk manager (contractor) at the US Department of the Interior. Contact him at [email protected].
IT SECURITY
Security—A Perpetual War: Lessons from Nature
Wojciech Mazurczyk and Elżbieta Rzeszutko, Warsaw University of Technology, Institute of Telecommunications, Poland
Security attacks and defenses—from distributed denial of service attacks to intrusion detection systems—are analogous with the techniques of various species in the natural world. Examining that world for inspiration could help IT security researchers seek out and prevent future attacks.
Nature, with its three billion or so years of experience in evolution through natural selection, genetic drift, and mutations, has inspired inventors and researchers for ages. Consider the following examples:
t Velcro, the fabric hook-and-loop fastener, was created by Swiss engineer George de Mestral in 1941, after he closely inspected burdock burrs while hunting in the Alps. t $BUTFZFT retroreflective road marking was invented by English businessman Percy Shaw in 1933, who, while driving at night, saw a cat cross the road and found inspiration in the shine reflecting from its eyes. t 'BTUTVJUT, worn by Olympic swimmers, used to have fabric that replicates a shark’s dermal denticles
16
IT Pro January/February 2015
to reduce drag, until their use was banned. The Speedo company first produced sharkskin swimsuits, and their use in the 2008 Summer Olympics helped break a few world records.1 Nature’s footprint is also present in the IT world, which hosts an astounding number of computational bio-inspired techniques. Examples include genetic algorithms, neural networks, and ant algorithms. Networking technologies have also adopted some of nature’s ways, including swarm intelligence, artificial immune systems, and sensor networks.2,3 Close inspection shows a similar parallelism in the digital security field, but here the analogy is more a matter of coincidence than the result of deliberate activity. Even though signature-based virus detection in antivirus software corresponds to
Published by the IEEE Computer Society
1520-9202/15/$31.00 © 2015 IEEE
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
Table 1. Analogies between offensive and defensive techniques in the virtual and natural worlds. Technique Offensive
Defensive
IT security example
Example from nature
Attracting the victim and fooling it into swallowing the bait (fatal)
Phishing websites or emails
Anglerfish (Lophius piscatorius)
Disabling an attack’s countermeasures
Worms
Bolas spiders (Araneidae)
Taking control over an entity to use it for your own purposes
Botnet
Ophiocordyceps unilateralis (a pathogenic fungus)
Communicating covertly
Botnet
Philippine tarsier (Tarsius syrichta), Richardson’s ground squirrel (Urocitellus richardsonii)
Generating numerous unnecessary resources
Spam
Small Balsam (Impatiens parviflora)
Preventing a legitimate entity from using a resource
Distributed denial of service (DDoS)
Kudzu (Pueraria montana)
Attracting the victim to achieve a designated goal (not fatal)
Honeypot
Lady’s slipper orchid (Cypripedium calceolus)
Preventing external threats
Firewalls
Hedgehog spines, porcupine quills, turtle shells, and acacia thorns
Differentiating between the welcome and unwelcome
Firewalls
Allelopathy phenomenon in a Mexican shrub (Leucaena leucocephala)
Detecting intruders and preventing attacks
Intrusion detection/ prevention systems (IDS/IPSs)
Masked birch caterpillar—larvae of Drepana arcuata
immunization via vaccinations, the exact source of this security tool’s inspiration remains ambiguous. In our view, Internet attack and defensive strategies mimic the ongoing arms race between various species in nature. Many of the virtual world’s current network attacks—both complex and simple—are nothing new. Worms, spam campaigns, distributed denial-of-service (DDoS) attacks, and so on, along with defensive techniques such as firewalls and intrusion detection/prevention systems (ID/PSs), have counterparts in nature that have been used for millions of years. Here, we link virtual attacks and countermeasure techniques with the mechanisms for competition, dominance, and defense observable in nature.
Offensive Techniques
To illustrate the analogies between IT security and species’ interaction scenarios within the natural world (see Table 1), we’ll use a simple, general network attack scenario. Typically, a common network attack scenario can be divided into three phases:

1. Malware installation: users are fooled into running malicious software (such as a virus or Trojan) on their machines. Attackers can achieve this through phishing techniques, infected USB devices, and so on.
2. Botnet creation: typically, the malicious software’s primary goal is to make the user’s machine part of the botnet—that is, to make it a zombie machine.
3. Launch the attack: botnets are mainly used to perform illegal activities, including conducting DDoS attacks, initiating spam campaigns, and so on.

In the following, we offer a counterpart scenario from the natural world for each of these network attack phases. For simplicity’s sake, we chose only one or two examples for each network technique. However, because species interactions are frequently oriented toward competition or predation, a plethora of possible scenarios exist that resemble the digital security world’s attack-defense events.
Installing Malware
The Internet contains a wide variety of malicious software that can infect user devices, including worms, viruses, spyware, and Trojans. Moreover, malware can be installed on a victim’s machine in many possible ways. For example, users might be lured by phishing websites or emails, fake posts, or social networking website content. Other attack vectors include using infected removable devices or downloading and installing untrusted software from malicious websites. Following are some analogies between worms and phishing attacks and natural events.

Worms. This self-propagating malware typically has two main features:

• Use exploits to install itself on a user’s machine.
• Disable running security systems, including firewalls and antivirus software.

The first feature is a fairly common occurrence in nature. Predators sometimes exploit other organisms’ evolutionary perceptual bias. If the prey is pre-evolved to respond to a sensory signal, it becomes vulnerable to exploitation of its bias. For example, Bolas spiders produce signals that their prey has been pre-programmed to respond to: they create a viscous silk ball, which hangs on a thread containing a chemical they produce that mirrors the prey’s female sex pheromone. Thus, by means of such aggressive mimicry, male moths are lured into the trap.

Spiders also offer a good example of the second feature—the ability to disable defensive security systems—in how they hunt their prey. Typically, spiders subdue their victims using two attacking techniques: the web they weave and the venom they inject through fangs. Both of these techniques are used to disable the prey’s ability to defend itself or escape, as they either immobilize or paralyze the victim.

Phishing. A phishing website’s main goal is to masquerade as a legitimate website and make users give out their secrets (password, credit card number, or the like). Thus, the essence of this attack technique is to attract victims and fool them into swallowing the bait. Many predators in the animal and plant kingdoms have long used this technique.

For example, the Anglerfish (Lophius piscatorius), sometimes referred to as the “sea-devil,” has 80 long filaments along the middle of its head; the most important filament is the longest one, which terminates in a lappet that can move in every direction. This lure attracts other fish; the Anglerfish then seizes them with its enormous jaws as they approach.
Creating a Botnet
Planting malware on a computer completes the first step in establishing a botnet. Although users are unaware, they’ve actually lost control of their machines, which are now zombies. Many zombie computers form a botnet, controlled remotely by an attacker (the botherder) using a command-and-control (C&C) channel for issuing instructions for the zombie army’s actions. The botherder thus uses the users’ captured machines for his or her own purposes.

Recently, to provide more stealth, botnet C&C channels have begun using an information-hiding technique called steganography. In September 2011, security experts found a new worm called Duqu, whose general structural characteristics are similar to the infamous Stuxnet. [4] The most stunning intricacy in Duqu’s functioning is the particular way it transfers the obtained data through C&C channels to the malware’s owners. The captured information is hidden in seemingly innocent pictures and traverses the global network as ordinary files, without raising any suspicion. [5,6] A similar mechanism was found in a new variant of the Alureon malware [7] discovered during the same period. Furthermore, in March 2014, ZBOT malware was found to possess similar functionality, but ZBOT used it to hide a list of the users’ banks and financial institutions. Once users visited any of the listed sites, the malware would try to steal their credentials. [8]

Here, we show analogies for two botnet features:

• Take control over machines and use them for malicious purposes.
• Provide covert communication in the C&C channel to improve the botnet’s undetectability.

Gaining dominance over another living creature’s behavior and steering its actions according to the dominator’s will might sound somewhat fantastic, but it does happen in the natural environment. Ophiocordyceps unilateralis, a species of fungi, is one such evolutionary marvel.

This small fungus requires highly specific conditions for development and reproduction; its spores germinate only when attached to an ant’s exoskeleton. Once attached, it slowly digests the ant by secreting enzymes and, before the ant dies, the fungus alters its behavior through chemicals it releases. [9] Presumably because their pheromone receptors’ functioning is altered, the zombie ants are compelled to undertake a deadly journey. They climb plants until they find a location characterized by an appropriate microclimate on the plant’s northern parts, where they attach themselves to the underside of the leaf’s veins by digging in their jaws. This location—the site of the ant’s annihilation—happens to be the best location for the fungus to sprout, reproduce, and release its spores. Thus, the cycle of life is completed.

Regarding the first feature, a recruited zombie ant is often employed to play a role in other malicious activities, which can lead to recruitment of even more bots. Dead ophiocordyceps-infected ants often occur in close proximity to each other (even up to 26 ants per square meter) and form infected zones called ant graveyards. These graveyards are a special case of zombie-ant networks: any ant that enters such a region will eventually become infected and enlarge the number of recruited insects.

The ability to communicate covertly (the second feature) is a precious evolutionary achievement that can be used for both defensive and offensive purposes. This skill’s value has proven high among the Philippine tarsiers (Tarsius syrichta), which are small nocturnal primates that have a high-frequency limit of auditory sensitivity of approximately 91 kilohertz and can vocalize with a dominant frequency of 70 kHz. This ultrasonic communication is among the highest known for terrestrial mammals. Philippine tarsiers presumably utilize this ability as a private covert communication channel that is undetectable by predators, prey, and competitors. [10]
Launching Attacks
During the typical attack scenario’s last phase, an established botnet is used to perform different malicious actions such as launching DDoS attacks, organizing and executing spam campaigns, hosting phishing websites, or stealing users’ credentials.

Spam campaigns. The primary purpose of emitting a multitude of unsolicited emails is advertisement. The common denominator of all spam is that it’s unwanted, and it usually originates from multiple sources; it’s thus difficult to eradicate.

Invasive species have a similar strategy. Their goal of environmental proliferation is achieved through various mechanisms for efficient reproduction. One species that displays this aggressive behavior is an inconspicuous flower. Small Balsam (Impatiens parviflora) possesses an ingenious device for gaining dominance: its seed pouches are pressurized; upon ripening, they catapult seeds at high speed at the slightest touch. This effective means of spreading its genes has made Small Balsam an unwelcome guest. Its presence has a negative effect on biodiversity, and some countries have placed it on their blacklist of species whose cultivation is prohibited. Likewise, legal steps exist to restrict the flood of unwanted messages circulating in the Internet. Hosts known to issue large quantities of spam are blacklisted—just like the Small Balsam—in an attempt to prevent their dominance in the environment.

DDoS attacks. DDoS attacks aim to prevent legitimate users from accessing a service or resource by occupying it constantly, thus making it unavailable to other parties. Such attacks are usually conducted from many sources to achieve the illicit activity’s appropriate scale. The same behavior is observable in the plant kingdom. Pueraria montana, commonly known as the Kudzu vine or Japanese arrowroot, has infested North America, southern Africa, and some parts of Europe and central Asia. Taken out of its natural habitat by humans, and without natural pests and diseases, Kudzu has proven to be a very noxious plant and requires persistent countermeasures to eradicate completely. It’s so effective in its mischief, it was used during World War II to quickly conceal objects of military significance. [11] Japanese arrowroot also proliferates its ecosystem with astounding speed (approximately 30 cm per day). Within weeks, this aggressive perennial plant, like a DDoS attack, can literally choke all other growth, including trees and shrubs, by stealing the precious resources of light and nutrients.
Defensive Techniques
Security mechanisms and systems also have their counterparts in nature’s kingdoms.

Firewalls
Presently, almost every computer or network has a firewall to defend it from unwanted incoming network traffic while also permitting useful inbound and outbound traffic. Here, we present analogies for two firewall features:

• Offer isolation from external threats.
• Filter out unwanted entities.

Regarding the first feature, animals and plants, like computers, possess a defensive capacity against unwanted intruders. The hedgehog’s spines, porcupine’s quills, turtle’s shells, and acacia’s thorns are all meant to discourage unwanted attention.

A firewall’s second feature lets it differentiate between what is and isn’t welcome. Certain plants have a similar selective mechanism that emits chemical substances into the environment to moderate other plants’ growth capacity. This so-called selective allelopathy phenomenon has been observed in, among others, the Mexican shrub Leucaena leucocephala. This shrub secretes a toxic amino acid stunting the growth of all surrounding plants but not its own seedlings; [12] it also increases the yield of rice crops, but has negative impact on wheat. Selective allelopathy bears considerable resemblance to the digital firewall, permitting only beneficial neighbors to enter a plant’s ecosystem.

Honeypots
Honeypot systems play a significant role in increasing Internet security by means of “trapping” intruders in isolated segments of the network or application and observing their behavior. Frequently, bait is set up: an apparently ill-protected resource or dummy resource is displayed for prey and later monitored to discover the attacker’s modus operandi.

The lady’s slipper orchid (Cypripedium calceolus) behaves very much like a honeypot, using its scent and color to attract pollinating insects. These insects are tempted to enter the flower’s slipper-shaped pouch, where they remain trapped unless they follow the only exit path, which leads the insect via pollen-bearing stamina. The pollinator is released once it’s covered with pollen or has successfully deposited gametes originating from a different orchid. This behavior pattern is encountered quite frequently in nature, where symbiotic relations are common. Cypripedium calceolus restrains the insect until its objective is fulfilled, just as a honeypot lures the intruder to remain inside the specially crafted artificial environment until a comprehensive attacker behavior model can be created.

Intrusion Detection or Prevention Systems
Compared to firewalls, the defensive capacity of IDS/IPSs is more complex:

• Match occurring events with patterns corresponding to known types of offensive activity.
• React to such events appropriately (if possible).

Animal communities frequently display analogous behavior, in which one representative is positioned on a lookout for approaching predators and warns the others of approaching danger. The masked birch caterpillar, or Drepana arcuata, has created a great natural IDS/IPS system. The caterpillar resides under silken cover attached to leaves. If disturbed by leaf vibrations caused by an approaching predator, a Podisus, the caterpillar takes preventive actions; it reacts only to its natural enemies’ vibrations, while ignoring all nonrelevant signals, such as those caused by rain or wind. When in danger, the caterpillar displays three deterrent behaviors on the leaf: it scrubs it with its abdomen, drums on it, or scratches it with its mandibles. [13] Taken together, all three have proven successful in deterring attackers.

A close inspection of the masked birch caterpillar’s behavior shows that it’s as complex as that of a digital IDS/IPS system. Regarding the first feature, the initial stage of detecting vibrations is followed by an algorithm that matches it with the pattern for predator-related disturbances. The caterpillar then takes preventive measures to fend off the attacker (the second feature).

Whether talking about Internet users or wild creatures, when looking at the complex web of interactions, a pattern emerges. Where there’s a conflict of interest, the reason is typically related to gaining competitive dominance over counterparts or obtaining access to a limited resource. This leads to a situation in which known interaction models are constantly adapted to devise new ways to outwit rivals. Most of the discussed scenarios rely on an entity’s inherent reaction model and its inability to react appropriately if a victim or attacker exploits its bias toward certain signals. It thus becomes apparent that two significant components of providing security are the ability to respond to dubious signals with caution and understand the aggressor’s behavioral pattern.

As we’ve described here, the ongoing evolution of the offensive and defensive techniques from the animal, plant, and other eukaryote kingdoms has analogies in network attacks and their countermeasures. Indeed, in both cases we’re witnessing an arms race, albeit with different time windows. For every offensive technique developed, sooner or later, a defensive scheme appears both in nature and in the IT security world. Many mollusks, for example, have developed thick shells to avoid being eaten by animals such as crabs and fish. In turn, predators such as crabs have grown more powerful claws and jaws that compensate for the snails’ thicker shells.

The Internet’s malware arms race is between cyber criminals and those seeking to thwart their activities. Malware authors are getting better at being stealthy and finding ways to fight back against the security pros. Therefore, even when a countermeasure is developed for a type of malware, the attackers can slightly alter the code to give it a “rebirthing suite” that improves its defenses against antivirus programs—and then use it over and over again. For example, the Zeus/ZBOT malware was originally discovered in 2007, and developers upgraded defensive systems to deal with it. It was then resurrected a few times in various locations from 2009–2012. [14] As with the natural processes, such an arms race is unlikely to end in the foreseeable future.

Finally, and not so optimistically, given that the perpetual contention of offensive–defensive among living things hasn’t led to any definite countermeasures, the IT security world is likely to follow the same pattern. As in nature, the virtual world’s defense systems are upgraded only when a new threat is identified. Typically, the resulting systems don’t attempt to foresee potential new strategies or means of attacks to prevent them in advance. Maybe now is the time, however, for researchers and security experts to seek new network attack techniques and novel defense systems by taking a peek at the goings-on in the kingdoms of living things for inspiration.
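The two IDS/IPS features named under Intrusion Detection or Prevention Systems (match events against patterns of known offensive activity, then react while ignoring irrelevant signals) can be sketched as follows. This is an added example, not code from the article: the log lines are constructed, and the signatures, the threshold of three hits in 60 seconds and the block reaction are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real traffic). Source addresses come
# from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
SAMPLE_LOG = """\
Jan 12 03:14:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 12 03:14:03 gw CRON[902]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 03:14:05 gw sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jan 12 03:14:09 gw sshd[815]: Accepted publickey for alice from 192.0.2.10 port 52200 ssh2
Jan 12 03:14:11 gw sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 12 03:14:40 gw sshd[820]: Failed password for bob from 198.51.100.23 port 33010 ssh2
Jan 12 03:15:02 gw sshd[811]: Failed password for root from 203.0.113.7 port 40115 ssh2
-- truncated line without a timestamp --
Jan 12 03:29:40 gw sshd[831]: Failed password for bob from 198.51.100.23 port 33050 ssh2
""".splitlines()

# Feature 1: patterns of known offensive activity. Anything that matches no
# signature (cron jobs, successful logins) is treated as background noise.
SIGNATURES = [
    ("ssh-failed-password",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port")),
    ("ssh-invalid-user",
     re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\S+)")),
]


def match_signature(line):
    """Return (signature_name, source_address) for the first matching signature."""
    for name, pattern in SIGNATURES:
        m = pattern.search(line)
        if m:
            return name, m.group("src")
    return None


def inspect_log(lines, threshold=3, window=timedelta(seconds=60), year=2015):
    """Detect repeated signature hits per source and block that source.

    threshold, window and year are assumptions for this example: syslog
    timestamps carry no year, and the limits would be tuned per site.
    """
    recent = defaultdict(deque)      # source -> hit timestamps inside the window
    blocked = []                     # Feature 2: sources we reacted to
    alerts, dropped, ignored = [], 0, 0

    for line in lines:
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            ignored += 1             # malformed line: cannot be evaluated
            continue
        hit = match_signature(line)
        if hit is None:
            ignored += 1             # irrelevant signal, no reaction
            continue
        name, src = hit
        if src in blocked:
            dropped += 1             # prevention: event from a blocked source
            continue
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:  # forget hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            blocked.append(src)
            alerts.append({"time": ts.strftime("%H:%M:%S"), "source": src,
                           "signature": name, "hits": len(hits)})
    return {"alerts": alerts, "blocked": blocked,
            "dropped": dropped, "ignored": ignored}


if __name__ == "__main__":
    report = inspect_log(SAMPLE_LOG)
    for alert in report["alerts"]:
        print("ALERT", alert)
    print("blocked:", report["blocked"],
          "dropped:", report["dropped"], "ignored:", report["ignored"])
```

The second source in the sample fails twice, fifteen minutes apart, and is never blocked, which is the digital counterpart of the caterpillar ignoring wind and rain.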
References
1. H. Thompson, “Why Are Scientists Trying to Make Fake Shark Skin?” Smithsonian.com, 11 Aug. 2014; http://www.smithsonianmag.com/innovation/why-are-scientists-trying-to-make-fake-shark-skin-180951514/?no-ist.
2. F. Dressler and O.B. Akan, “A Survey on Bio-Inspired Networking,” Computer Networks, vol. 54, no. 6, 2010, pp. 881–900.
3. X.S. Yang et al., eds., Swarm Intelligence and Bio-Inspired Computation: Theory and Applications, Newnes, 2013.
4. B. Bencsáth et al., “Duqu: A Stuxnet-Like Malware Found in the Wild,” tech. report, Lab. of Cryptography and System Security, Budapest Univ. Technology and Economics, 2011; www.crysys.hu/publications/files/bencsathPBF11duqu.pdf.
5. D. Goodin, “Duqu Spawned by ‘Well-Funded Team of Competent Coders’—World’s First Known Modular Rootkit Does Steganography, Too,” The Register, 9 Nov. 2011; www.theregister.co.uk/2011/11/09/duqu_analysis.
6. Symantec Security Response, W32.Duqu: The Precursor to the Next Stuxnet (version …), white paper, Symantec, 23 Nov. 2011; www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf.
7. Virus Bulletin, “Alureon Trojan Uses Steganography to Receive Commands,” 26 Sept. 2011; www.virusbtn.com/news/2011/09_26.
8. J. Gumban, “Sunsets and Cats Can Be Hazardous to Your Online Bank Account,” blog, TrendMicro, 3 Mar. 2014; http://blog.trendmicro.com/trendlabs-security-intelligence/sunsets-and-cats-can-be-hazardous-to-your-online-bank-account.
9. D.P. Hughes et al., “Behavioral Mechanisms and Morphological Symptoms of Zombie Ants Dying from Fungal Infection,” BMC Ecology, vol. 11, no. 1, 2011, p. 13.
10. M.A. Ramsier et al., “Primate Communication in the Pure Ultrasound,” Biology Letters, vol. 8, no. 4, 2012; http://rsbl.royalsocietypublishing.org/content/8/4/508.
11. T. Walker, Plant Conservation: Why It Matters and How It Works, Timber Press, 2013, p. 157.
12. K.K. Suresh and R.S. Vinaya Rai, “Studies on the Allelopathic Effects of Some Agroforestry Tree Crops,” Intl Tree Crops J., vol. 4, nos. 2–3, 1987, pp. 109–115.
13. R.N.C. Guedes et al., “Vibration Detection and Discrimination in the Masked Birch Caterpillar (Drepana arcuata),” J. Comparative Physiology A, vol. 198, no. 5, 2012, pp. 325–335.
14. “New Version of Zbot/Zeus Found in the Wild,” Infosecurity Magazine, June 2013; www.infosecurity-magazine.com/news/new-version-of-zbotzeus-found-in-the-wild.
Wojciech Mazurczyk is an associate professor at the Warsaw University of Technology (WUT) and is the founder of the Cybersecurity.bio project at WUT. His research interests include information-hiding techniques, network anomalies detection, digital forensics, and bio-inspired security and networking. Mazurczyk received a PhD and a DSc in telecommunication from Faculty of Electronics and Information Technology, Warsaw University of Technology. He is a senior member of IEEE. Contact him at wmazurczyk@tele.pw.edu.pl.

Elżbieta Rzeszutko is a research assistant and PhD candidate in the Faculty of Electronics and Information Technology’s Institute of Telecommunications at Warsaw University of Technology (WUT). Her research interests include network security, bio-inspired security, and information-hiding techniques. Rzeszutko received an MSc in telecommunications from Warsaw University of Technology. She’s a member of the Cybersecurity.bio project at WUT. Contact her at erzeszutko@tele.pw.edu.pl.
IT SECURITY
Securing Health Information
A.J. Burns and M. Eric Johnson, Vanderbilt University

Protecting health information is critical, yet the security implications of healthcare workers’ IT usage remain largely unexamined. This article surveys the IT-enabled healthcare ecosystem and its emerging mobility and security issues—from electronic health record (EHR) implementation to bring your own device (BYOD) practices.

On 28 January 2014, in the wake of a winter storm that effectively shut down roadways across the southeastern US, Zenko Hrynkiw set out on foot to perform a life-saving surgery. Two days later, the headline would read: “Brain surgeon walked six miles during snowstorm for emergency operation.” [1] Beneath the attention-grabbing headline, however, an easily overlooked comment set the stage for an important discussion: “The good doctor said he was even able to receive the patient’s CT scan via text message while walking toward the hospital.” [1]

Perhaps no anecdote better exemplifies the competing values inherent in the healthcare industry. On the one hand, as researchers with an interest in patients’ health information security, we’re tempted to ask several questions, including: Was that his personal cell phone or was it provided and managed by the healthcare organization? What mobile apps were on the device, and how did they interact with the patient data? On the other hand, we’re simply thankful that physicians serve a higher purpose than information security alone.

Although the information security issues seem rather insignificant when compared with Hrynkiw’s life-saving efforts, those entrusted with sensitive information have a responsibility to ensure its protection. We contend that the time to grapple with these issues isn’t in the face of emergency but rather during implementation, adoption, and legislation. With health IT having been prescribed as the cure for what ails the healthcare industry, we take this opportunity to examine the often-neglected behavioral risks associated with a digitized healthcare ecosystem.

Figure 1. Smartphone use by industry. [5] More than 88 percent of workers in the healthcare sector reported using their personal smartphones for work-related tasks. (Bar chart; industries shown: education, technology, healthcare, banking, food/hospitality, manufacturing, retail/wholesale, and legal; vertical axis from 70% to 100%; healthcare labeled 88.6%.)

Figure 2. Digital media share. [7] As of 2014, more than half of all digital media in the US was consumed through mobile apps. (Chart with series labeled App and Mobile; horizontal axis from Feb. 2013 to May 2014; vertical axis from 0% to 70%.)
Healthcare in the Digital Age

Enabled by pervasive IT and ubiquitous networks, today’s organizations increasingly rely on continuous access to real-time information. This has led to the emergence of a knowledge economy, and information is its lifeblood. Perhaps no industry stands to achieve more significant gains from IT advances in efficiency and effectiveness than healthcare. In the US, eliminating inefficiencies in the healthcare industry has become a part of the national agenda. With the passing of the American Recovery and Reinvestment Act of 2009 and the associated Health Information Technology and Economic and Clinical Health (HITECH) Act, adoption of health IT became law of the land.2 Five years later, we’re approaching the legislation’s punitive phase, with penalties for organizations that fail to adopt and achieve “meaningful use” of electronic health records (EHRs). Despite some notable exceptions, HITECH appears to be spurring, at a minimum, basic EHR adoption: prior to the meaningful use incentives, the EHR adoption rate was a sluggish 3 percent per year; since 2010, the rate has increased dramatically to 10–15 percent per year.3 Moreover, recent research indicates that meaningful use of health IT is improving patient outcomes.4

At the same time, the line between personal and professional IT use is blurring as employees not only bring their work home with them on employer-owned mobile devices but also bring their home to work by using personally owned devices for work purposes. A recent study estimates that as many as 90 percent of full-time employees in the US use their smartphone for work purposes, a phenomenon dubbed “bring your own device” (BYOD).5 Even the economy’s most highly regulated sectors—including the financial and healthcare industries—have seen dramatic increases in the use of personally owned devices. In fact, 88.6 percent of those working in healthcare report using their smartphone for work (see Figure 1).5 All the while, 54 percent of US organizations report that they’re unable to determine if off-site employees are using technology and informational resources in a way that addresses corporate and regulatory requirements.6 This trend toward mobility in computing continues to radically transform how individuals interact with IT.
For example, in 2014, comScore reported that for the first time, more than half of all digital media in the US was consumed in a mobile app (see Figure 2).7 In the health sector, enabled by low entry barriers and lax (often non-existent) regulation, the number of mobile health (mHealth) apps available to consumers now exceeds 100,000, with millions of total yearly downloads.8 Yet when it comes to these available apps, the industry provides little transparency about either the mHealth data’s security and privacy9 or the usage patterns among physicians and patients that have downloaded these apps.10

Given health IT’s promise to improve this vital industry’s efficiency and effectiveness, various stakeholders have taken a keen interest in spurring healthcare’s IT adoption and innovation. However, the sensitive nature of personal health information (PHI) requires a cautious approach to IT integration to ensure PHI’s ongoing security.

Table 1. Use and users of health data.14

Data users | Data uses
Hospitals | Discharge summary; Quality reporting; Operational assessment
Physicians | Office visits; Quality reporting
Patients | Personal health record
Labs | Test results
Public health institutions | Communicable disease reporting
Payers | Benefit checking; Claims; Quality audits
Researchers | Research studies

Behavioral Information Security

Derived from the well-known CIA triad of information assurance, behavioral information security has been broadly defined as the study of human actions that influence the confidentiality, integrity, and availability of information and information systems.11 Despite the seemingly synergistic relationship among these pillars of information assurance, conflicts often arise as information flows across complex information chains of technologically advanced organizations.12 Enabling user connectivity—through permissive policies such as BYOD—likely provides some organizational advantages (such as increased productivity), but it also complicates security risk management. A connected workforce’s increased mobility exposes organizational information to risks far beyond the IT staff’s proximate control. In the healthcare sector, the growing number of potential uses and users of health information magnifies the implications of behavioral information security.
Health Information Use and Users

Health information’s potential uses are many and various, with each having a unique chain of custody to achieve the maximum benefit. To better understand the information flow and associated security implications, it’s helpful to separate the use and users into meaningful categories. For example, healthcare sector actors can be divided into three broad groups:

- those who administer healthcare (such as doctors, nurses, and ambulance staff);
- those who support the aforementioned actors (such as administrators, porters, and IT staff); and
- patients.13

Regardless of the classification schema, it’s clear that the healthcare industry is characterized by interrelations between user groups, each of which is comprised of a network of agents with unique interests. With such a complex network of parties utilizing health data, the protection of sensitive information is largely dependent upon the actions of each person who has access to the information along the custody chain.
Each individual with PHI access has a personal responsibility to ensure appropriate use of the data; this health data stewardship is a guiding principle. Relating back to behavioral information security, stewardship implies that those in possession of health data have a responsibility to protect the information’s confidentiality, integrity, and availability. As the National Committee on Vital and Health Statistics (NCVHS) notes, health data stewardship should be practiced by all who collect, view, store, exchange, aggregate, analyze, or use electronic health data.14 Examples of these vast users include hospitals, physicians, patients, labs, public health institutions, payers, and researchers (see Table 1).
Behavioral Threats to Health Data

Paralleling PHI’s various uses and users, threats to health data security also take on many forms. For example, a computer containing health information that’s also connected to the Internet is susceptible to cybersecurity risks and requires technical and physical solutions such as a properly functioning proxy server and firewall. Due to the user’s prominence in healthcare IT, the systems are increasingly thought of as sociotechnical systems. As such, health data security must account for not only the technical solutions relating to IT artifacts, but also for the complex networks of users. Thus, the behavior of those with information access is as much a part of the system’s functioning as the encryption algorithm that contributes to the sensitive information’s security.
Figure 3. Insider threat-vector continuum.15 The threat from insiders who might compromise data security varies on at least two key characteristics: intent and maliciousness. The figure places three categories along axes of intentionality (unintentional to intentional) and maliciousness (nonmalicious to malicious):

- Passive, nonvolitional noncompliance: unintentional actions, accidental data entry, forgetful oversights, uninformed violations
- Volitional (nonmalicious) noncompliance: failing to log off when leaving PC, delayed backups, not changing password regularly
- Intentional, malicious computer abuse: sabotage, data theft or corruption, embezzlement, fraud, deliberate policy violations
The range of threats emanating from internal human factors varies on (at least) two key characteristics: intentionality and maliciousness. The combination of intentionality and maliciousness introduces unique antecedents and consequences that require specific threat-management techniques. Some suggest that insider threats to information security should be depicted along a continuum of intentionality and maliciousness (see Figure 3).15 Threats to information security stemming from unintentional acts must be managed differently than intentional acts, whether malicious or benign. For example, unintentional acts can’t be directly “dissuaded,” but rather require an indirect approach—such as training to reduce accidental disclosures or policies aimed at increasing diligence. In contrast, intentional acts that aren’t malicious can be avoided by a direct intervention that increases the insiders’ understanding of the risks associated with certain behaviors. Finally, intentional malicious acts pose yet another distinct threat and require a third type of precaution, such as substantially harsh sanctions and employee screening.

By analyzing actual breach reports and interviewing health IT professionals, researchers have recently identified the most likely scenarios for unauthorized health information exposure.16 Confirming security’s behavioral aspect, five of the six most likely scenarios begin “An internal employee….” As Table 2 shows, in addition to being behaviorally driven, the most common threats also seem to involve exposure of a modest amount of data resulting from a failure to restrict access to either the information (such as through improper privileges or shared passwords) or a device (such as through lost or stolen devices).
Evolving Issues in Mobility and Security

The healthcare industry has been a laggard in terms of IT adoption, yet (as Figure 1 shows) most individuals working in healthcare are already using their own technology on the job. Although using personal or mobile devices to access, store, manipulate, and transfer information isn’t unique to the healthcare sector, the context’s uniqueness and the information’s sensitivity warrant a specific discussion. The use and users of health information are vast, and the information’s security relies on the institution’s ability to control information access throughout the course of care and beyond. Here, to guide our discussion, we highlight two specific issues related to mobility and security in an IT-enabled healthcare sector: BYOD and the mHealth application ecosystem.
Bring Your Own Device

Perhaps no healthcare IT trend adds greater complexity to health information security than healthcare providers’ widespread use of personally owned devices for work purposes. Although few would argue that the care provided likely benefits from the mobility and familiarity afforded physicians by BYOD, the transfer of sensitive data outside of monitored systems poses a significant threat to access control. For example, when used for work, personally owned devices often pull double duty as instruments of both healthcare and personal productivity. As such, the user intermingles approved, work-related applications with unapproved applications such as file syncing programs or games—potentially exposing the device to insecure applications or even malware. Additionally, when people use their own smartphones for work, the same devices that house potentially sensitive information are likely used to send and receive personal emails, browse the Web, and view media. Although such behaviors are neither bad nor atypical of today’s technology users, many fail to take even the most basic precautions to secure their devices. For example, 41 percent of those using smartphones in the healthcare sector report having no password protection on their device, while 53 percent indicate that they have willfully connected to unsecure or unknown networks with their devices.5
Table 2. Threats to health data.16

Threat/scenario | Description
Unattended asset goes missing | An internal employee located on the premises leaves an asset unattended and consequently the asset—which contained personal information on a few patients—goes missing.
Password or access-token sharing | An internal employee shares his or her password or access token, leading to disclosure of patient information to unauthorized people.
Email to wrong recipient | An internal employee located on the premises sends an email to the wrong addressee and consequently discloses the personal details of some patients (less than 10).
Theft on premises | Theft of devices with personal data occurs on the organization’s premises affecting 10–99 patient records.
Procedure not followed | An internal employee located on the premises does not follow formal procedures, leading to disclosure of patient information.
Wrong privileges set | An internal employee on the premises was unintentionally given the wrong privileges or authorizations, causing disclosure of personal patient information to unauthorized persons.

Finally, enabling BYOD alongside organizational health IT provides for system workarounds. Workarounds are notoriously prevalent in the healthcare industry—a phenomenon referred to as first-order problem solving, in which providers work around inefficient systems to ensure continuity of care.17 However, when used as a means to circumvent secure systems, workarounds become a security risk. Of course, working around an overly burdensome or time-intensive system to provide higher-quality patient care is also a policy and design issue.

To help organizations deal with emerging mobility and the accompanying BYOD trend, the US National Institute of Standards and Technology (NIST) highlights five strategies for managing BYOD in the enterprise:18

- restrict BYOD altogether,
- limit the organizational resources accessible from user-owned mobile devices,
- enable remote scrubbing of employee-owned devices housing sensitive information,
- secure user-owned devices by housing organizational applications and information in an isolated sandbox or other secure container on the device, or
- use device-integrity scanning applications to maintain the device’s trust status.

The importance of these strategies is paramount. As NIST notes, this guidance “provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles.”18 However, solutions such as these (primarily) technical controls constitute only half of the sociotechnical information security dilemma. When it comes to behavioral threats to health information, we know relatively little about how people in the health sector use BYOD, what their motivations are, or which management techniques might influence this socio-dimension of the socio-technical BYOD phenomenon.
mHealth App Ecosystem

Related to BYOD’s prominence in the health sector is the mHealth phenomenon. Whether patient- or physician-facing, these mHealth apps have the potential to dramatically transform this sector, from easing the management of chronic illness to streamlining patient-physician communication. Driven by consumer demand’s shift toward mobility—and enabled by little oversight and low entry barriers—the mHealth market is growing at a rapid pace; indeed, many existing mHealth apps are the first of their kind for their developers. In fact, as of the first quarter 2014, more than 35 percent of available mHealth apps were developed by people or organizations that published their first mHealth apps in the previous 15 months.8 However, because of this sector’s data sensitivity—and despite regulation’s potential harms to innovation—security and privacy experts, along with consumer advocates, have begun to sound the alarms for more transparency.9,19 For example, recent research indicates that the security features of most available mHealth apps are largely hidden from users. Standard security measures—such as using encryption in transmission and storage—might not be standard in even the most popular mHealth apps.19 Additionally, users’ ability to make informed decisions about using mHealth is convoluted by insufficient, obscure, or even nonexistent privacy policies.9

These challenges posed by mHealth are somewhat unique to the health sector where, previously, most electronic health data communication has been under the purview of entities regulated by the Health Insurance Portability and Accountability Act (HIPAA). Meanwhile, regulators struggle to establish jurisdiction over mHealth apps. It’s clear that this evolving environment is complicating individual users’ and organizations’ ability to make informed decisions about using mHealth apps.

To help them better assess mHealth apps and their overall mobile strategy, organizations such as NIST and the Health Information Trust Alliance (HITRUST) are actively preparing institutional guidelines for mobile security. For example, in August 2014, NIST released a draft of third-party mobile app vetting considerations for public comment. As the draft noted, “mobile app vetting is intended to assess a mobile app’s operational characteristics of secure behavior and reliability (including performance) so that organizations can determine if the app is acceptable for use in their expected environment.”20 Guidelines such as these are an important resource for healthcare organizations and offer opportunities for tailored recommendations based on the health sector’s unique needs. As these guidelines are formalized, health IT specialists should continue to adapt the guidance for evaluating mHealth apps.
On the consumer side, fewer resources are available for mHealth app users to evaluate an app’s security. It seems that the more we know about mHealth app security (or lack thereof), the less comfortable experts are in recommending their use. In fact, a previous attempt to certify the security of available mHealth apps was abandoned due to researchers’ inability to effectively and accurately assess that security.19 This is important, because the nature and extent of the data generated, stored, or transmitted by these mHealth apps shares key characteristics with the types of data that are protected under HIPAA.19 Given that many of these mHealth apps target non-health professionals, future studies should seek to uncover how these individuals use the apps, including the type of health information being disclosed (whether willfully or not). It’s also important to better understand the average consumer’s ability to evaluate the security and privacy implications of their mHealth app use.
The healthcare sector is undergoing an IT revolution. Spurred by innovation and legislative initiative, an industry-wide migration is occurring toward digitized health records and the adoption of both organizational and personal health IT. The promise of IT to increase the efficiency and effectiveness of a notoriously inefficient healthcare industry portends a welcome improvement in health outcomes for millions of patients. However, despite the well-intentioned zeal for the mass adoption of health IT embodied in healthcare legislation, serious security implications exist for an IT-enabled health ecosystem. Our goal with this article isn’t to express pessimism about the benefits of health IT. Indeed, the adoption of health IT is a vital step, and we believe it’s the only way forward. Our goal in examining the idiosyncrasies of an IT-enabled health ecosystem is to highlight the next step in health IT: securing the users of health information.
Acknowledgments

The US National Science Foundation’s Trustworthy Health and Wellness project (CNS-1329686) supported our work. The views and conclusions expressed here are our own and shouldn’t be interpreted as representing the views, either expressed or implied, of the NSF.
References

1. B. Bratu, “Brain Surgeon Walked Six Miles During Snowstorm for Emergency Operation,” NBC News, 30 Jan. 2014; http://usnews.nbcnews.com/_news/2014/01/30/22511890-brain-surgeon-walked-six-miles-during-snowstorm-for-emergency-operation.
2. L. Kohn, Electronic Health Record Programs: Participation Has Increased, but Action Needed to Achieve Goals, Including Improved Quality of Care, report, US Govt. Accountability Office, March 2014; www.gao.gov/products/GAO-14-207.
3. J. Adler-Milstein et al., “More Than Half of US Hospitals Have at Least a Basic EHR, But Stage 2 Criteria Remain Challenging for Most,” Health Affairs, 2014; doi:10.1377/hlthaff.2014.0453.
4. A. Appari et al., “Meaningful Use of Electronic Health Record Systems and Process Quality of Care: Evidence from a Panel Data Analysis of US Acute-Care Hospitals,” Health Services Research, vol. 48, no. 2, 2013, pp. 354–375.
5. BYOD Insights 2013: A Cisco Partner Network Study, report, Cisco mConcierge, March 2013; www.ciscomcon.com/sw/swchannel/registration/internet/registration.cfm?SWAPPID=91&RegPageID=350200&SWTHEMEID=12949.
6. The Risk of Insider Fraud—Second Annual Study, report, Ponemon Institute, LLC, Feb. 2013; www.ponemon.org/blog/risk-of-insider-fraud-second-annual-study.
7. A. Lella and A. Lipsman, The U.S. Mobile App Report, comScore, 2014; www.comscore.com/Insights/Presentations-and-Whitepapers/2014/The-US-Mobile-App-Report.
8. mHealth App Developer Economics 2014: The State of the Art of mHealth App Publishing, report, Mobile Health Economics, May 2014; http://mhealtheconomics.com/mhealth-developer-economics-report.
9. A. Sunyaev et al., “Availability and Quality of Mobile Health App Privacy Policies,” J. Am. Medical Informatics Assoc., 21 Aug. 2014; doi:10.1136/amiajnl-2013-002605.
10. M. Aitken and C. Gauntlett, “Patient Apps for Improved Healthcare from Novelty to Mainstream,” IMS Institute for Healthcare Informatics, October 2013; www.imshealth.com/deployedfiles/imshealth/Global/Content/Corporate/IMS%20Health%20Institute/Reports/Patient_Apps/IIHI_Patient_Apps_Report.pdf.
11. J.M. Stanton et al., “Behavioral Information Security: An Overview, Results, and Research Agenda,” Human-Computer Interaction and Management Information Systems: Foundations, P. Zhang and D. Galletta, eds., M.E. Sharpe, 2006, pp. 262–280.
12. K.S. Wilson, “Conflicts Among the Pillars of Information Assurance,” IT Professional, vol. 15, no. 4, 2013, pp. 44–49.
13. R.J. Paul et al., “Healthcare Information Systems: A Patient-User Perspective,” Health Systems, vol. 1, no. 2, 2012, pp. 85–95.
14. S. Kanaan and J. Carr, “Health Data Stewardship: Who, What, When, Why? An NCVHS Primer,” Nat’l Committee on Vital and Health Statistics, Sept. 2009; http://ncvhs.us/wp-content/uploads/2014/05/090930lt.pdf.
15. R. Willison and M. Warkentin, “Beyond Deterrence: An Expanded View of Employee Computer Abuse,” MIS Quarterly, vol. 37, no. 1, 2013, pp. 1–20.
16. N. van Deursen et al., “Monitoring Information Security Risks within Health Care,” Computers & Security, vol. 37, 2013, pp. 31–45.
17. A. Tucker, “Work Design Drivers of Organizational Learning about Operational Failures: A Laboratory Experiment on Medication Administration,” working paper no. 13-044, Harvard Business School, 2013.
18. M. Souppaya and K. Scarfone, NIST Special Publication 800-124 Revision 1: Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013; www.nist.gov/customcf/get_pdf.cfm?pub_id=913427.
19. H. Dongjing et al., “Security Concerns in Android mHealth Apps,” Proc. Am. Medical Informatics Assoc. (AMIA) Ann. Symp., 2014, http://knowledge.amia.org/56638-amia-1.1540970/t-004-1.1544972/f-0041.1544973/a-162-1.1545187/an-162-1.1545188.
20. J. Voas et al., NIST Special Publication 800-163 (Draft): Technical Considerations for Vetting 3rd Party Mobile Applications (Draft), August 2014; http://csrc.nist.gov/publications/drafts/800-163/sp800_163_draft.pdf.

A.J. Burns is a postdoctoral research scholar in the Owen Graduate School of Management at Vanderbilt University. His research interests include the intersection of IT and business, with a focus on behavioral information security. Burns has a doctorate of business administration from Louisiana Tech University. Contact him at aj.burns@owen.vanderbilt.edu.

M. Eric Johnson is dean of the Owen Graduate School of Management at Vanderbilt University. His research interests include the impact of IT on the extended enterprise and the security failures and economic incentives that drive identity theft. Johnson has a PhD in engineering from Stanford University. Contact him at eric.johnson@owen.vanderbilt.edu.

Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
IT SECURITY
A Right to Cybercounter Strikes: The Risks of Legalizing Hack Backs

Jan Kallberg, The University of Texas at Dallas

IT Pro January/February 2015
Published by the IEEE Computer Society
1520-9202/15/$31.00 © 2015 IEEE

Repeated cyberattacks and a lack of effective law enforcement have some nations seeking new ways to prevent such exploits. Countercyberattacks are illegal in most nations, but what if they were legal? Would they help? Or would they jeopardize the state’s authority and legitimacy?

In recent years, several vocal proponents have emerged, calling for corporations to have the legal right to “hack back” after being targeted by a cyberattack. Hacking back is currently illegal in most countries; there’s no legal right to digital self-defense, so any counterattack is considered to be a new perpetrated attack.1,2 One proponent for changing this in the US is the Commission on the Theft of American Intellectual Property, a bipartisan group dedicated to addressing the losses of intellectual property that US industries face due to cyberattacks.3 Discussions in the US have focused on corporate interests and the potential loss of intellectual property derived from successful cyberattacks.4,5 The Netherlands, France, and the UK have had similar debates about the future legalization of hacking back. The rationale in Europe has been from a law enforcement—rather than corporate—standpoint, with the view that hacking back would let law enforcement conduct investigations by hacking into cybercrime perpetrators’ computers and networks.

The unknown is if hacking back is a viable route to address the problem, or if it would trigger new problems and challenges that could lead to entropy in Internet governance, delaying the formation of regulating cyber norms codified by national legislators and international organizations. Multinational governance entities, such as the United Nations (UN), the International Telecommunications Union (ITU), the European Union (EU), and the Internet Corporation for Assigned Names and Numbers (ICANN), work together with national legislators and interest groups to create norms and rules for the Internet and its future use. If corporations have a broad mandate to strike back against hackers, could it dissolve Internet public norms by focusing on the best interest of corporations? The Commission on the Theft of American Intellectual Property advocates hacking back to recover stolen intellectual property and data and has wide acceptance in the corporate and political sphere. Here, I take a closer look at its “IP Commission” report3 and explore whether the legalization of corporate hack back is a viable route or merely an approach based on weak assumptions.

Growing Frustration

Over the past two decades, there’s been a shift in cybercriminals from individuals seeking personal gain to foreign entities,6,7 and increasingly state actors, seeking to gain a geopolitical, military, industrial, competitive, intelligence, or commercial advantage by attacking computers. Unlike earlier cybercriminals, state actors have access to a variety of resources—for example, they can leverage community intelligence or align government and business interests—so state-sponsored attacks are better funded and have more resources than attacks launched by individuals or smaller groups. The emergence of such state-sponsored attacks has increased the number of concerns of targeted states, because even if the targeted states’ bureaucracy and administrative public control isn’t affected, the attacks can affect the targeted nations’ businesses and society in general through destabilization; disruption; and the loss of digital assets, research advantages, and revenue.

In an effort to address this new threat, nation states are pursuing cyberdefense abilities that include the ability to hack back. Several advanced democracies, and their ministries of defense, are creating what they define as cyberwarfare units. The question is whether these fairly small, military cyber-defense units will have an impact in a cyber conflict, given that such units are usually forensic teams trying to identify the attackers and determine vulnerabilities at a limited number of systems and points of entry. It’s unlikely that any of these cyberunits, given their size and abilities in relation to the infrastructure and economy of the defending state, will have a measurable influence on the development of future cyber interchanges. The main contribution that the defense unit of a targeted state can offer is coordination and direction, due to the absence of defensive and even punitive measures from the nation state. The new militarized cyberunits can’t provide real-time protection or support for affected corporations. In fact, there are no nation state initiatives for adequately protecting businesses against state-sponsored attacks, leading to growing frustration in the corporate sector in the industrialized world.

Report Recommendations

The Commission’s report, released 22 May 2013, recommends three general ways to address the problem.3 First, corporate America should implement prudent vulnerability-mitigation measures. Second, the report calls for public support from legislators to allow American companies to develop and later utilize technology that can both identify and recover IP stolen through cyberattacks. Finally, the report presents a recommendation that legislators should reconcile necessary changes in the law with a changing technical environment.8

Industrial practices seek to determine the extent of an attack, the attacker’s intent, and why and how the attack was possible. The aggregated knowledge from forensic and analytic work would then create a set of cyberintelligence to mitigate vulnerabilities and enable counter activities.9 However, such counteractivity is still illegal, even if the corporate ability to trace, attribute, and determine an attack’s origin is increasing. The recommendations of the Commission would, if they became law, remove the legal hindrance for corporate cyber-intelligence and penetrating systems on foreign soil, as long as there was probable cause that these systems had been engaged to steal American intellectual property:

“Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”

This statement in the report was embraced both by members of Congress and the business
community as a major endorsement of a right to strike back. The report was also endorsed by Chairman Rogers of the House Permanent Select Committee on Intelligence, who released the following statement:8
“I heartily agree that Congress and the Administration need to act quickly to help American companies defend the hard work and innovation that is the life-blood of our economy. That must begin with getting cyber information sharing legislation signed into law.”
Yet what are the endorsers actually proposing, and what are some of the report’s underlying assumptions?
The Assumptions of Hacking Back
The report’s proposed model would allow corporations to breach foreign systems to repossess stolen intellectual property as long as there was no actual damage to the entity that originally stole the IP. This model relies on the following general assumptions.
Companies Can Identify Their Attackers
The idea of legalizing hack-back operations is based on the assumption that the defending party can attribute the initial attack to an entity with pin-point precision. If a defending party is given the right to strike back, it’s logically based on the assumption that the counterstriker can identify, beyond doubt, the initial attacker. If attribution isn’t achieved with satisfactory granularity and precision, the right to counterstrike would be a right to strike anyone based on suspicion of involvement. Very few, if any, private entities can determine with high granularity who attacked them or trace back the attack to determine where stolen data is stored. The lack of norms and a right to strike back even if the counterstrike wasn’t precise would increase entropy and deviation from norms and international governance. An established threshold for what constitutes an acceptable attribution to give access to a right to hack back is legally complicated and, because of the presence of many gray areas, would be open to interpretation if codified, leading to unpredictable legislation. Laws that aren’t predictable tend to create more confusion than clarity.
Companies Can Handle Their Adversaries
The concept of corporate countercyberattacks assumes that counterstriking corporations can handle their adversaries—even a heavily funded and aggressive state-sponsored organization. A probing counterattack wouldn’t be enough to determine the size, ability, and intent of the potential adversary. Furthermore, following the assumption that the counterstriking corporation can handle any adversary is another assumption that there will be no uncontrolled escalation. Edward N. Luttwak once noted that strategy only matters if you have the resources to execute it.10 A counterattacker must be able to engage the full capacity of the initial attacker, if needed, which could be far beyond the ability visualized in the initial attack. If a counterattacker can’t match the full capacity, then the hack-back strategy is flawed.
There Will Be No Uncontrolled Escalation
Imagine a bank robbery in which the police arrive at the scene while the thieves are still inside. The government takes responsibility for the situation and instructs citizens to leave the area. The law enforcement officers seek to peacefully solve the standoff with the bank robbers, who have stolen property from bank account holders and shareholders. If we apply the same logic that supports legalized hacking back to the bank robbery, then any bank account holder could, instead of leaving the area, enter the area, attack the robbers with a weapon of their choice, and try to retrieve their funds. This, of course, would generate an uncontrolled escalation of the situation. The counterstriking account holder wouldn’t be accountable for his actions, because he had the right to do so, even if the escalation had grave consequences for the other parties involved and left the law enforcement officers in the middle of a shootout. If countercyberattacks are legalized, logically this carries an assumption that there will be no uncontrolled escalation that affects a third party. But the counterstriker doesn’t have control of the situation once it has erupted and thus can’t guarantee that uncontrolled escalation can be avoided.
Companies Can Deter Future Attacks
The defending party must be able to counterattack with such magnitude that the initial attacker
is deterred from further attacks. If deterrence is established, then the digital interchange will cease and the confrontation ends.11,12 The key question is how to establish deterrence without causing any damage. Furthermore, if the attacker isn’t deterred, the situation could escalate or become a tit-for-tat game that goes on indefinitely. According to the Commission’s report,
“Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”
A counterattack that leaves no damages is unlikely to create any long-lasting deterrence.13,14 So if the counterattack itself can’t serve as a deterrent, then deterrence must be found outside of the interchange, such as financial sanctions by the initial target’s government against the initial attacker’s organization. These measures can lead to an escalation, however, pushing the interchange beyond the initial attacker and counterattacker. The report also proposes a threat-based deterrence model:
“A different concept for security, known as threat-based deterrence, has been identified as a means to protect the most important information in corporate or government networks.”
The passage is summarized later in the text: “In short, it reverses the time, opportunity, and resource advantage of the targeted attacker by reducing his incentives and raising his costs without raising costs for the defender.” Deterrence is achieved by deploying advanced security measures such that attacking isn’t worth the effort. The reason to hack back was to limit the attacker’s geopolitical, competitive, or economic gain. If the attacker knows that there’s a substantial value that can be retrieved behind the deployed threat-based deterrence, the attacker will likely assess that the cost to penetrate the defense effort is marginal compared to the potential gain. An argument for hacking back was a concern or suspicion that a significant portion of the intellectual property related to the US Air Force fighter project F-35 had been stolen. If true, a threat-based deterrence designed using the proposed model would include cyberdefenses that only can be breached after deploying tens of billions of US dollars, to counterweigh the value of the F-35 design it protects. The cyberdefenses of the F-35 intellectual property would then have to be as costly to attack and penetrate as the development of the F-35 design. From a logical standpoint, deterrence against future attacks isn’t achieved by the defender following the proposed methods outlined in the report because the equilibrium of potential gain and cost to penetrate raises the cost of cyberdefense measures for advanced projects such as F-35 to billions of dollars.
The Attacker Hasn’t Prepared a Second Strike
There’s an assumption that the interchange will occur with a specific set of cyberweapons and aim points, so the interchange can’t lead to further damages. Even if the initial striker intended to rearrange the target and potential effects, there will be no option to do so, and the striker is limited to operating in the realm of the initial interchange. A new set of second strikes would not be an uncontrolled escalation as long as the targeting occurred within the same realm and values as the earlier strikes. The second strike option for the initial attacker could target unprecedented targets at the initial attacker’s discretion, such as logistics, payments, and manufacturing as a punitive strike for a counter hack back.15,16 It’s more likely that the initial attacker has second-strike options that the initial target is unaware of at the moment of counterstrike.
The Company Has No Interests in the Attacker’s Jurisdiction
If a multinational company (MNC) counterstrikes a state agency or state-sponsored attacker, the MNC could face the risk of repercussions if its assets are in the initial attacker’s jurisdiction. Major MNCs have subsidiaries and assets in hundreds of jurisdictions. Fortune 500 companies, for example, have assets in the US, China, Russia, India, and numerous other jurisdictions. So if MNC “A” counterstrikes a cyberattack from China, how will this affect MNC “subsidiary A” in China? A related issue is if, by improper attribution, MNC “A” counterstrikes from the US targeting
Chinese digital assets when in fact these Chinese assets had no connection with the initial attack. This would then constitute a new, unjustifiable and illegal attack on Chinese digital assets. The scenarios for different outcomes are complex and can lead to unpredicted causal and collateral events that are likely to hurt international trust and trade. The idea to legalize hack back, and allow corporations to seek their solution to cyber issues, as a temporary bridge until new Internet governance rules and norms are in place, could lead to increased distrust and entropy, which would be counterproductive to the long-term goal of a secure and safe Internet.
The Duplicated IP Is Stored in One Location
Embedded in the report is a notion that the stolen information can be brought back. For a counterstriker, the information that has been stolen must be stored in one place, with no duplications that can be dispersed and distributed. The report assumes that the stolen information and intellectual property are stored in a tangible physical form at a given place. An analogy would be if someone stole a can of preserved apricots from the pantry of house A and hid it in the pantry of house B, where the can could be found and retrieved. An analogy with cash doesn’t work, because cash can be notes and coins other than the original and still maintain the same value for the initial owner if brought back. This assumption also ignores the likelihood that the initial attacker uses backups to store the data, so the initial attacker can retrieve the stolen information if lost.
The Role of the State
One role of a nation state is to protect its citizens and dwellers from foreign violence. Historically, the citizenry surrenders its interest in violence and gives the state the monopoly on it, under the laws of the land, in exchange for protection from violence. The right to hack back is then an acceptance of a nation state’s failure to protect its citizens and businesses. The argument for a corporate right to self-defense due to nation state failure implies there are no other mechanisms in place to defend the assets. Analogies aligned with the right of self-defense would be the right for banks to hire armed guards to protect their money vaults and the right to bear arms for your own protection, legal in the US.
However, hacking back is different, because it doesn’t end with terminating the attack on yourself; rather, it assumes a counterstrike on the initial attacker. The right of self-defense traditionally ends when the initial attacker’s assault is prevented, stopped, or passed. A nation state also typically has a monopoly on diplomacy and interaction with foreign state entities. Corporate hacking back would let corporations engage foreign entities and conduct aggressive operations in foreign jurisdictions—a role traditionally, and by international law, performed only by nation states. The legitimacy and authority of the initial defender’s nation states are undermined by corporate hacking back operations.17
A future legalization of hacking back has several embedded risks for escalating the situation, deteriorating trust in the international system, and increasing technopolitical entropy. Furthermore, it will likely work against the establishment of cyber norms. The idea of legalization is attractive from a corporate and even political standpoint in a time of growing frustration, because it shows that at least something can be done when industry and politicians demand counteraction. The question, though, is whether it would be successful—and at what price. The notion that hacking back can be a policy option is based on several flawed assumptions, so it’s unlikely to be an effective tool in decreasing the number of cyberattacks.
References
1. “18 U.S. Code § 1030—Fraud and Related Activity in Connection with Computers,” United States Code, title 18, part I, chapter 47, 1986; www.law.cornell.edu/uscode/text/18/1030.
2. Computer Misuse Act 1990, Parliament of the United Kingdom, 1990; www.legislation.gov.uk/ukpga/1990/18/section/4.
3. “The IP Commission Report,” Commission on the Theft of American Intellectual Property, 22 May 2013; www.ipcommission.org.
4. J. Westby, “Caution: Active Response to Cyber Attacks Has High Risk,” Forbes, 29 Nov. 2012; www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk.
5. C.M. Matthews, “Support Grows to Let Cybertheft Victims ‘Hack Back,’” Wall Street J. Online, 2 June 2013; http://online.wsj.com/news/articles/SB10001424127887324682204578517374103394466.
6. J. Kallberg and B. Thuraisingham, “State Actors’ Offensive Cyberoperations: The Disruptive Power of Systematic Cyberattacks,” IT Professional, vol. 15, no. 3, 2013, pp. 32–35.
7. J. Kallberg and B. Thuraisingham, “From Cyber Terrorism to State Actors’ Covert Cyber Operations,” Strategic Intelligence Management, Elsevier, 2013, pp. 229–233.
8. “Chairman Rogers Statement on the Report by the Commission on the Theft of American Intellectual Property,” US House of Representatives, 22 May 2013; http://intelligence.house.gov/press-release/chairman-rogers-statement-report-commission-theft-american-intellectual-property.
9. T. Mattern et al., “Operational Levels of Cyber Intelligence,” Int’l J. Intelligence and CounterIntelligence, vol. 27, no. 4, 2014, pp. 702–719.
10. E. Luttwak, The Grand Strategy of the Roman Empire: From the First Century AD to the Third, JHU Press, 1979.
11. J.M. Collins, “Principles of Deterrence,” Air University Rev., Nov./Dec. 1979.
12. L. Freedman, Deterrence, Polity, 2004.
13. R.H. Reed, “On Deterrence,” Air University Rev., May/June 1975.
14. E. Sterner, “Retaliatory Deterrence in Cyberspace,” Strategic Studies Quarterly, Spring 2011, pp. 62–80.
15. J. Kallberg and R.A. Burk, “Failed Cyberdefense: The Environmental Consequences of Hostile Acts,” Military Rev., May/June 2014, pp. 22–25.
16. J. Kallberg and R.A. Burk, “Cyber Defense as Environmental Protection—The Broader Potential Impact of Failed Defensive Counter Cyber Operations,” Conflict and Cooperation in Cyberspace: The Challenge to National Security, P.A. Yannakogeorgos and A.B. Lowther, eds., Taylor & Francis, 2013, pp. 265–275.
17. J. Kallberg, “Private Cyber Retaliation Undermines Federal Authority,” Defense News, 28 July 2013; www.defensenews.com/article/20130728/DEFREG02/307280007/Private-Cyber-Retaliation-Undermines-Federal-Authority.
Jan Kallberg is a research scientist and lead at the Cyber Operations Research Lab at the Cyber Security Research and Education Institute (CSI) in the Erik Jonsson School of Engineering and Computer Science at the University of Texas at Dallas. His research interests include offensive cyberoperations and societal stability. Kallberg received his PhD in public affairs from the University of Texas at Dallas. Contact him at [email protected].
Protected Web Components: Hiding Sensitive Information in the Shadows
Philippe De Ryck, Katholieke Universiteit Leuven, Belgium
Nick Nikiforakis, Stony Brook University
Lieven Desmet, Frank Piessens, and Wouter Joosen, Katholieke Universiteit Leuven, Belgium
Third-party code inclusion is rampant, potentially exposing sensitive data to attackers. Protected Web components can keep private data safe from opportunistic attacks by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a Web component.
IT Pro January/February 2015
Published by the IEEE Computer Society
1520-9202/15/$31.00 © 2015 IEEE
The Web has evolved from including static images and document links to comprising Web applications with individual components provided by numerous service providers. When a Web application incorporates third-party components using remote scripts, the user’s browser will run the third-party code within the security context of the Web application. This not only exposes the code’s functionality to the Web application but also gives the included code full access to the Web application’s client-side context, including the page’s content, local data, and origin-protected functionality. This lack of code isolation can have severe consequences if the included code doesn’t behave correctly. Consequently, by including potentially untrusted remote scripts, a Web application developer accepts a certain risk, both for the site’s integrity and for the safekeeping of user data.
Opportunistic attacks on the client-side content of a Web application can be mitigated by hiding private data and sensitive elements from potentially malicious scripts. For example, iframes support content isolation in a webpage, albeit with a large overhead and a lack of flexibility for integration in highly dynamic, visually streamlined Web applications. Alternatively, JavaScript sandboxing
techniques support code isolation,1,2 but don’t offer isolation of data in the Document Object Model (DOM).3 Finally, the recent Web Components specification lets developers instantiate custom HTML tags for use within the page.4 A major feature of such custom elements is the support for a hidden DOM, known as the Shadow DOM.5 Unfortunately, the Web components specification focuses on functional separation of the DOM and doesn’t offer security features or code isolation.
Here, we motivate the need for a flexible mechanism that supports the isolation of the user’s private data in the DOM, as well as the isolation of sensitive elements, such as input elements of a login form. Furthermore, we investigate the properties of the Web components specification, and show that there’s a potential for offering the desired level of isolation without compromising the much-needed flexibility of modern Web applications.
Use Cases and Existing Technologies
Integrating third-party components using remote scripts is common on the Web. Examples include programming APIs and development frameworks (such as JQuery and Bootstrap), advertising services (such as DoubleClick and AdSense), Web analytics tools (such as Google Analytics), and social media plug-ins (such as Facebook’s “like” button). A 2012 study of remote JavaScript inclusions on the Alexa top 10,000 sites showed that 88.45 percent include at least one remote script, and one site even included scripts from 295 remote hosts.6 Furthermore, 68.37 percent of sites included the Google Analytics library, and 79.74 percent included at least one Google library. Finally, the study applied a set of metrics to show that 12 percent of sites that were deemed security conscious included scripts from sites that deployed weak security measures.
Including remote scripts not only creates a vector for attacks targeting a specific Web application, but it also presents an attack vector for opportunistic attackers, who aim to execute low-profile attacks on a large number of Web applications. Such attacks can yield large quantities of sensitive information—for example, by scraping the webpage’s user-specific content, recording user-provided input in form fields, and extracting security tokens and session identifiers. Even when developers carefully select only trusted third parties for remote script inclusion, a certain risk persists, because third-party providers can be compromised as well. The dangers of third-party script inclusions are best illustrated by real-world examples, such as on-screen keyboard scraping malware,7 malware spread through advertisements,8 or actual compromises of third-party providers.9,10
An opportunistic attacker can gain access to the Web application’s client-side context through several attack vectors—for example, by compromising a remotely included script or advertisement, or through a cross-site scripting attack (XSS). Because of the wide variety of sites that can be compromised through a malicious script or advertisement, opportunistic attackers carry out nontargeted attacks, such as looking for input elements of the type password, or scraping any user-specific displayed content, such as email messages, health records, and bank statements.
Use Cases
In light of the opportunistic attacker model, we propose three general use cases that benefit from effectively isolating data or HTML elements within the browser.
Displaying sensitive information. Many Web applications process and display user-specific information, which is often considered private and sensitive. Common examples of such private data are email messages, chat conversations, bank statements, and security challenges. Opportunistic attackers can easily inspect and collect such sensitive information because it isn’t isolated from the rest of the page, which includes third-party scripts. An effective isolation mechanism for in-application content could prevent inspection or collection by an opportunistic attacker.
Table 1. Six of the seven highest ranking free online password managers include at least one remote script on the user password page.

Search ranking   Name                   No. of remote scripts
1                PassPack               1
3                LastPass               1
4                Norton Identity Safe   4
5                Keeper                 1
8                Dashlane               1
10               Clipperz               0
16               Mitto                  1

Protecting security tokens. Application-related, hidden security tokens, often associated with a user’s session, are a variant of displayed private information. For example, the security tokens protecting against cross-site request forgery (CSRF) attacks are embedded as hidden form elements.11 Hiding such security tokens from opportunistic attackers raises the security level of the applied countermeasures, thereby eliminating alternative attack vectors.
Protecting sensitive input elements. A third use case focuses on protecting client-side input elements, in contrast to hiding server-delivered content. Most Web applications contain sensitive input elements, such as HTML password elements and on-screen keyboards. Opportunistic attackers can easily gather sensitive user-provided data by using generally applicable selectors for sensitive input elements. Isolating such sensitive input elements from opportunistic attackers ensures that user-provided input cannot easily be stolen with a nontargeted attack. Note that such an isolation mechanism must extend toward event handlers associated with isolated input elements.
Motivating Empirical Evidence
The inclusion of potentially untrusted third-party code into a Web application is a common though potentially dangerous practice.6 Two important industry-driven surveys of the most critical software errors warn of this risk. The Open Web Application Security Project (OWASP) Top Ten Project, which lists the 10 most dangerous risks for Web applications, gives “using components with known vulnerabilities” ninth place.12 A similar initiative, the CWE/SANS Top 25 Most Dangerous Software Errors, puts “inclusion of functionality from untrusted control sphere” at the 16th spot.13
To support the high rankings in these industry surveys, and to establish the relevance of the aforementioned use cases, we conducted two relatively small-scale experiments. To support the use cases for hiding sensitive data in the DOM, we investigate popular online password managers, where the DOM holds all of the user’s passwords to every website. The second experiment supports the use case for protecting sensitive input elements by measuring the exposure of login forms to third-party script providers.
Password managers. Online password managers are used to store the multitude of authentication credentials required on the modern Web. This private and highly sensitive data is often even stored in an encrypted container, which is decrypted at the client side when the client provides the correct master key. One might expect that in such a sophisticated setup, the decrypted data is handled with care, preventing any risk of stolen or leaked data. For seven online password managers, gathered from the top 20 results for the Google query “free online password manager,” we investigated whether they include scripts from a third party on the page that hosts the passwords in the DOM, giving these scripts full access to the user’s credentials. As Table 1 shows, six of the seven (86 percent) include third-party scripts from at least one remote host on the page that displays the user’s passwords. The Ghostery browser extension (https://www.ghostery.com/en/) considers all scripts to be analytics. Additionally, two password managers include scripts from additional remote hosts on their main page, which is situated within the same origin as the sensitive page.
Login forms. Almost every webpage has a login form, which is a trivial target from which an opportunistic attacker can extract user credentials. We crawled the Alexa top 1,000 sites, looking for login forms situated on a page with third-party script inclusions, thereby giving the third party full access to the login form.
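The per-page measurement behind both experiments (which remote hosts supply JavaScript to a page that holds passwords or a login form) can be repeated on your own pages. The following is an added example, not the authors' crawler; the function names, the constructed sample pages and the rule that a script counts as remote when its host differs from the page's host are assumptions.

```python
"""Audit pages for login forms exposed to remotely hosted JavaScript.

Added illustration, not the study's crawler. Assumption: a script is
"remote" when its host differs from the host of the including page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScan(HTMLParser):
    """Collect external script URLs, password inputs and <base href>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.script_srcs = []
        self.password_inputs = 0
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; values keep their case.
        attr = {name: (value or "").strip() for name, value in attrs}
        if tag == "script" and attr.get("src"):
            self.script_srcs.append(attr["src"])
        elif tag == "input" and attr.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "base" and self.base_href is None and attr.get("href"):
            self.base_href = attr["href"]


def scan_page(page_url, html):
    """Report whether a page has a password field and which remote hosts serve it JS."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    # Relative src values resolve against <base href> when one is present.
    base = urljoin(page_url, scan.base_href) if scan.base_href else page_url
    page_host = (urlsplit(page_url).hostname or "").lower()
    remote = set()
    for src in scan.script_srcs:
        parts = urlsplit(urljoin(base, src))
        if parts.scheme not in ("http", "https"):
            continue  # data:, blob: and similar URLs name no remote host
        host = (parts.hostname or "").lower()
        if host and host != page_host:
            remote.add(host)
    return {"has_login_form": scan.password_inputs > 0,
            "remote_hosts": sorted(remote)}


def summarize(pages):
    """Aggregate (url, html) pairs into corpus-level figures for login pages."""
    scans = [scan_page(url, html) for url, html in pages]
    counts = sorted(len(s["remote_hosts"]) for s in scans if s["has_login_form"])
    n = len(counts)
    return {
        "pages": len(scans),
        "login_pages": n,
        "login_pages_with_remote_js": sum(c > 0 for c in counts),
        "mean_remote_hosts": sum(counts) / n if n else 0.0,
        # ECDF points: (k, share of login pages with at most k remote hosts)
        "ecdf": [(k, sum(c <= k for c in counts) / n) for k in sorted(set(counts))],
    }


# Constructed sample pages (reserved .example names), not crawl data.
SAMPLE_PAGES = [
    ("https://bank.example/login", """
        <html><head>
          <script src="/static/app.js"></script>
          <script src="//cdn.example.net/lib.js"></script>
          <script src="https://CDN.example.net/widgets.js"></script>
          <script src="https://analytics.example.org/a.js" async></script>
        </head><body><form action="/session" method="post">
          <input name="user"><input type="password" name="pw">
        </form></body></html>"""),
    ("https://news.example/", """
        <script src="https://ads.example.com/show.js"></script>
        <p>No login form here.</p>"""),
    ("https://vault.example/signin", """
        <script>var inline = "<input type='password'>";</script>
        <script src="js/vault.js"></script>
        <INPUT TYPE="Password" NAME="master">"""),
    ("https://shop.example/account/login", """
        <base href="https://static.example.com/assets/">
        <script src="js/checkout.js"></script>
        <input type="password" name="pw">"""),
]

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES:
        print(url, scan_page(url, html))
    print(summarize(SAMPLE_PAGES))
```

A static parse like this sees only script tags present in the delivered HTML; scripts injected at run time by other scripts need a rendered-page capture to be counted.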
We found that 52 percent of the websites included a login form, and all of them included at least one third-party script in the login page. Of the sites with a login form, 40 percent included scripts from more than five different third-party hosts. Figure 1 shows the right-skewed distribution of login pages including scripts from remote hosts, with an average number of 3.4 hosts on a login page, and an extreme of one login page including code from 36 different remote hosts. These numbers indicate that a scenario with an opportunistic attacker targeting login forms is, unfortunately, very plausible.
Figure 1. Empirical cumulative distribution function (ECDF) of the percentage of login pages of popular Alexa sites, and the number of unique remote hosts from which they request JavaScript code. (x-axis: #Unique remote hosts providing JS files; y-axis: % of Alexa websites with login forms.)
Existing Technologies
Several technologies are relevant when discussing third-party script inclusion and content separation.
Document isolation. Web developers can use frames or iframes to isolate content in separate documents to varying degrees, depending on the associated origins. Placing data in a document with a different origin from the main document effectively offers both DOM-based and script-based isolation, and further restrictions are available through the HTML5 sandbox attribute.
Document-based isolation offers strong security guarantees but has a rigid, block-level structure, making it less attractive for modern Web applications. Additionally, frames with different origins require a separate roundtrip to fetch the content, causing a delay in page load times.
JavaScript sandboxing. Driven by the rise in remote script inclusions, script-based sandboxing techniques are being developed and deployed.1,2 By isolating a remote script in a sandbox, developers gain fine-grained control over its capabilities, thereby preventing the script from misbehaving.
Although sandboxing techniques can effectively be used to contain remote scripts, they typically don’t provide a way to isolate parts of the DOM, making it difficult to secure the described use cases.
DOM separation. The Web Components specification combines a set of technologies allowing the creation of custom HTML elements.4 One interesting technology is the shadow DOM, which allows custom elements to hide their internal DOM structure from the outside world.5 One currently deployed example is the HTML5 video element, which features a control bar with play/pause buttons. The internals of the video element are implemented using traditional HTML elements but are hidden from the webpage and the user via the shadow DOM.
The shadow DOM is well suited to hiding content in the DOM but doesn’t prevent later access, nor does it offer script-based isolation properties.
Protected Web Components
Web components are the most viable starting point for creating a protection mechanism for private data and sensitive elements against opportunistic attackers.4 They offer the required flexibility to cope with the highly dynamic requirements of modern Web applications, as opposed to iframes, and already possess the capability to host a separate DOM tree using the shadow DOM, a property that is hard to achieve using JavaScript sandboxing technologies.
To leverage Web components to create protected Web components, we must be able to hide static data in the DOM tree, without it being accessible to opportunistic attackers. Second, protected Web components should be able to host interactive elements, without being vulnerable to script-based compromises—for example, through function-overriding or prototype-poisoning
computer.org/ITPro
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
39 M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
IT SECURIT Y
HTML elements using the shadowRoot property, and composed into a single DOM tree during the rendering process. The main document and any embedded shadow DOM trees are functionally separated, limiting the propagation of Cascading Style Sheets (CSS) or selectors between the main document and the subtrees, in both directions. Shadow DOM trees are already used to implement browser controls, such as the playback bar for the (a) (b) video element, and can also be used by a developer through a JavaScript API. Figure 2. Protected Web components for data security: (a) a password Note that the browser’s internal shadow manager page containing private data and sensitive elements, DOM trees are not accessible through together with a third-party advertisement, without any isolation or the shadowRoot property, whereas develprotection; (b) the effect of using protected Web components. oper-created shadow DOM trees remain accessible from JavaScript. Unfortunately, the latter property of scriptvar protected = document.createElement(‘div’); defined shadow DOM trees conflicts with the var root = protected.createShadowRoot(); goal of hiding static data in the DOM. However, by redefining the getter of the shadowRoot //Append data to the root property, developers can make their scriptroot = null; defined DOM trees inaccessible to JavaScript. Object.defineProperty(protected, “shadowRoot”, Figure 3 shows the creation and population of { get: function() { return null; }}); a shadow DOM, and the overriding of the getter to return null instead of a reference to the Figure 3. Data can be hidden in the shadow shadow DOM. DOM by clearing existing references and After redefining the getter and wiping all existredefining the only access point. ing references to the shadow DOM, it’s no longer possible to directly access the data stored in the shadow DOM. Therefore, instantiating an inacattacks. 
In this section, we explain how shadow cessible shadow DOM tree with sensitive data DOM trees can be permanently hidden by taking before loading untrusted code ensures that the advantage of ECMAScript 5 getters, and elaborate private data will never be exposed to opportunison techniques that can be used to isolate script tic attackers. code within a hidden tree. Figure 2 illustrates the use of protected Web components in a password manager. Isolating Interactive Scripts The third use case aims to protect sensitive input elements from untrusted scripts. Sensitive input Hiding Static Data elements are usually part of a form, and they typThe goal of the first and second use cases was to ically depend on JavaScript handlers for interacembed private, user-specific data into the DOM tive input processing and validation. tree, without exposing it to an opportunistic Although the shadow DOM is ideally suited attacker, who uses DOM manipulation techto isolating elements from the rest of the page, niques to extract potentially sensitive infora problem arises when these elements use Jamation. Such techniques include the use of vaScript handlers for processing input events. JavaScript DOM APIs, stylesheet operations, and The shadow DOM offers functional separation custom selectors. but doesn’t instantiate a separate JavaScript The shadow DOM supports the creation of sepacontext, leaving the JavaScript code defined rate DOM trees, which are attached to traditional
40
IT Pro January/February 2015
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
Previous Page | Contents | Zoom in | Zoom out | Front Cover | Search Issue | Next Page Technology Solutions for the Enterprise
M q M q
M q
MqM q THE WORLD’S NEWSSTAND®
(function() { var getElement = document.getElementById; var data = getElement(“shadowInput”).textContent; //...
in the shadow DOM vulnerable to several attacks, such as function overriding and prototype poisoning. To obtain protected Web components, the shadow DOM’s script code needs to be effectively isolated, not only to prevent JavaScript functions and variables from leaking into the global namespace, but also to prevent the use of potentially contaminated functions defined in the global namespace or Object prototypes. Obtaining this isolation in the current shadow DOM requires two separate steps. First, any code within the shadow DOM should be encapsulated in a separate namespace, which is possible in JavaScript through the correct use of closures. Second, the use of potentially contaminated functions can be prevented by storing and using known good versions of the required functions, a technique often used in JavaScript sandboxing and policy enforcement mechanisms.14,15 Figure 4 is a brief code snippet using closures and known good functions. Isolating the shadow DOM’s JavaScript code, in combination with overriding the shadowRoot getter, effectively supports HTML elements containing sensitive data, while maintaining scriptbased interaction.
})()
Figure 4. By using closures and known good copies of functions, scripts can be isolated within the shadow DOM.
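The two techniques described above (the redefined access point of Figure 3, and the closure with known good copies of Figure 4), as an added example that is not code from the article. It runs without a DOM, so the host is a plain object standing in for a host element; every function name and the validation rule (at least eight characters and one digit) are assumptions made for the example.

```javascript
// Added example, not the article's code. Runs in Node.js without a DOM.
// `host` is a plain-object stand-in for a host element (assumption), and
// every function name below is hypothetical.

// Part 1 (Figure 3): replace the only access point and make the change final.
function hideAccessPoint(host, name) {
  Object.defineProperty(host, name, {
    get: function () { return null; },
    // Stated explicitly: when the property already exists, attributes that
    // are left out keep their current value instead of defaulting to false.
    enumerable: false,
    configurable: false
  });
  return host;
}

// Checks that later code can neither redefine nor delete the hidden property.
function probeAccessPoint(host, name) {
  let redefined = true;
  try {
    Object.defineProperty(host, name, { get: function () { return 'other'; } });
  } catch (e) {
    redefined = false; // TypeError: the property is not configurable
  }
  let deleted;
  try {
    deleted = delete host[name]; // false in sloppy mode, throws in strict mode
  } catch (e) {
    deleted = false;
  }
  return { value: host[name], redefined: redefined, deleted: deleted };
}

// Part 2 (Figure 4): a closure holding known good copies of the built-ins it
// needs. It must be evaluated before any untrusted script is loaded.
const protectedValidate = (function () {
  // uncurryThis(f)(receiver, ...args) behaves like f.call(receiver, ...args),
  // but is built from bound functions, so nothing is looked up on
  // Function.prototype or String.prototype at call time.
  const bind = Function.prototype.bind;
  const uncurryThis = bind.bind(bind.call);
  const trim = uncurryThis(String.prototype.trim);
  const charCodeAt = uncurryThis(String.prototype.charCodeAt);

  return function (value) {
    if (typeof value !== 'string') { return false; }
    const v = trim(value);
    let hasDigit = false;
    for (let i = 0; i < v.length; i++) {
      const code = charCodeAt(v, i);
      if (code >= 48 && code <= 57) { hasDigit = true; } // '0'..'9'
    }
    return v.length >= 8 && hasDigit;
  };
})();

// The same rule written against whatever the built-ins are at call time.
function naiveValidate(value) {
  const v = value.trim();
  return v.length >= 8 && /[0-9]/.test(v);
}

// Constructed stand-in for a function-overriding script: wraps
// String.prototype.trim and records every string it is called on.
function simulateThirdPartyOverride() {
  const seen = [];
  const original = String.prototype.trim;
  String.prototype.trim = function () {
    seen.push(String(this));
    return original.call(this);
  };
  return {
    seen: seen,
    undo: function () { String.prototype.trim = original; }
  };
}

// Runs both handlers on the same input while the override is installed and
// reports how many times each one exposed the input to it.
function compareHandlers(input) {
  const override = simulateThirdPartyOverride();
  try {
    const naiveOk = naiveValidate(input);
    const exposedByNaive = override.seen.length;
    const protectedOk = protectedValidate(input);
    const exposedByProtected = override.seen.length - exposedByNaive;
    return { naiveOk, protectedOk, exposedByNaive, exposedByProtected };
  } finally {
    override.undo();
  }
}
```

Built-ins that dispatch through other properties internally, such as RegExp.prototype.test calling exec, need those dependencies captured as well, which is why the protected handler avoids regular expressions.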
Motivating Examples Revisited

Protected Web components offer a strong mechanism to isolate data and sensitive elements within the DOM tree, without sacrificing the flexibility to place this data anywhere within the page, like iframes do. These properties ensure that protected Web components are well suited to meet the three use cases described earlier.

Displaying sensitive information. By embedding sensitive data in a secure Web component, using the shadow DOM to hide static data, we effectively prevent an opportunistic attacker from extracting the data in an automated way.

Protecting security tokens. Because security tokens are often embedded in interactive elements such as forms, they can be protected by placing the element inside a secure Web component. Security tokens, such as CSRF tokens, are part of the DOM, and the secure component will prevent an opportunistic attacker from extracting them.

Protecting sensitive input elements. Sensitive input elements capture user input and can be a target for opportunistic attackers. These elements can be placed in a secure Web component as well, preventing direct querying by an attacker. If these input elements depend on script-based handlers for validation, autocompletion, and so on, the handler code must be part of the secure Web component as well.

The protected Web components not only fit the three proposed use cases but also protect against opportunistic attackers in the two examples presented earlier. First, the online password managers can use protected Web components to prevent deliberate or inadvertent extraction of the user’s credentials from the DOM, while preserving the possibility of including third-party scripts. In the second scenario, the login forms and associated handlers can be embedded in a protected Web component, preventing a curious or malicious script from stealing the user’s credentials through input events.
Although protected Web components offer significant security benefits against a realistic, ubiquitous opportunistic attacker, they also have a limited impact. First, by embedding sensitive elements in a secure Web component, they are effectively separated from the rest of the page, preventing any interactions, even from legitimate code within the page. Therefore, all code interacting with a sensitive element must be loaded in the secure component. Typically, this code is closely tied to the element anyway, with validation handlers and autocompletion code as an example.

Continuing on these handlers, we regret that the full implementation burden rests once again with the developer. Therefore, we envision the Web components specification endorsing two configurable extensions to the current model:

• hiding a shadow DOM, where the shadowRoot attribute doesn’t return a reference to the shadow DOM, similar to the current behavior of user-agent-created shadow DOMs, and
• instantiating a new script context within the shadow DOM, ensuring that all scripts imported by the shadow DOM are separate from the hosting page.

The latter extension is comparable to how Web workers also run in a separate context, enabling messaging through a predefined interface. The possibility of instantiating new script contexts in a shadow DOM also benefits the deployment of Web components, because it prevents naming and scoping conflicts between the different imported components and the host page. The downside of instantiating a new script context is the lack of shared global variables, requiring any libraries to be loaded in each context.

Hiding private content and sensitive elements through Web components can help mitigate opportunistic, nontargeted attacks, but it doesn’t offer an airtight security solution. We consider this approach to be part of the recent trend in client-side security mechanisms, which significantly improve the security of client-side aspects of Web applications, often by applying the defense-in-depth principle. Previously adopted examples are the HttpOnly flag for cookies, which prevents several common session attacks; and the Content Security Policy [16], which significantly raises the bar for typical cross-site scripting attacks.
Acknowledgments

This research is partially funded by the Agency for Innovation by Science and Technology in Flanders (IWT), the Research Fund KU Leuven, the IWT-SBO project SPION, and by the EU FP7 project STREWS. The Prevention of and Fight against Crime Programme of the European Union (B-CCENTRE) also provided financial support.
References

1. P. Agten et al., “JSand: Complete Client-Side Sandboxing of Third-Party JavaScript without Browser Modifications,” Proc. 28th Ann. Computer Security Applications Conf. (ACSAC 12), 2012, pp. 1–10.
2. L. Ingram and M. Walfish, “Treehouse: JavaScript Sandboxes to Help Web Developers Help Themselves,” Proc. Usenix Ann. Technical Conf. (ATC 12), 2012, pp. 153–164.
3. Mozilla Developer Network, “Document Object Model (DOM),” 2014; https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model.
4. D. Cooney and D. Glazkov, “Introduction to Web Components,” W3C Working Group Note, 24 July 2014; www.w3.org/TR/components-intro.
5. D. Glazkov, “Shadow DOM,” W3C Working Draft, work in progress, June 2014.
6. N. Nikiforakis et al., “You Are What You Include: Large-Scale Evaluation of Remote JavaScript Inclusions,” Proc. 19th ACM Conf. Computer and Comm. Security (CCS 12), 2012, pp. 736–747.
7. S. Mitchell, “IE Mouse-Tracking Flaw Allows Anyone to Steal Passwords,” PC Pro, 13 Dec. 2012; www.pcpro.co.uk/news/security/378667/ie-mouse-tracking-flaw-allows-anyone-to-steal-passwords.
8. C. Smith, “Yahoo Ad Malware Attack Far Greater Than Anticipated,” BGR, 13 Jan. 2014; http://bgr.com/2014/01/13/yahoo-malware-attack.
9. “qTip2 Code Compromised,” Github, Incident Report, 8 Dec. 2011; https://github.com/Craga89/qTip2/issues/286.
10. K. Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, 14 Jan. 2010; www.wired.com/threatlevel/2010/01/operation-aurora.
11. N. Jovanovic, E. Kirda, and C. Kruegel, “Preventing Cross-site Request Forgery Attacks,” Proc. 2nd Int’l Conf. Security and Privacy in Comm. Networks (SecureComm 06), 2006, pp. 1–10.
12. D. Wichers, “OWASP Top 10,” Open Web Application Security Project (OWASP), 2013; www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
13. B. Martin et al., “CWE/SANS Top 25 Most Dangerous Programming Errors,” Common Weakness Enumeration, 2011; http://cwe.mitre.org/top25.
14. J. Magazinius, P.H. Phung, and D. Sands, “Safe Wrappers and Sane Policies for Self Protecting JavaScript,” Proc. 15th Nordic Conf. Secure IT Systems (NordSec 12), 2012, pp. 239–255.
15. L. Meyerovich and B. Livshits, “ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser,” Proc. 31st IEEE Symp. Security and Privacy (SP 10), 2010, pp. 481–496.
16. B. Sterne and A. Barth, Content Security Policy 1.0, World Wide Web Consortium (W3C) Candidate Recommendation, 2012; www.w3.org/TR/CSP.
Philippe De Ryck is a post-doctoral researcher in the Computer Science Department at the Katholieke Universiteit Leuven, Belgium. He has recently finished his PhD on Web application security, with a specific focus on cross-site request forgery (CSRF), session management, and JavaScript sandboxing techniques. He is the lead author of Primer on Client-side Web Security, which gives a broad overview of the current state of client-side security in the Web. Contact him at [email protected].

Nick Nikiforakis is an assistant professor in the Computer Science Department at Stony Brook University. His research interests include Web application security and privacy, which he usually approaches by looking at the Web as a series of interconnected ecosystems. Contact him at [email protected].

Lieven Desmet is a research manager of secure software within the iMinds-DistriNet research group at the Katholieke Universiteit Leuven, Belgium. His research interests include software security, and in particular, Web application security. Lieven received a PhD in computer science from the University of Leuven. He’s a board member of the Open Web Application Security Project’s Belgium chapter, and program director of the yearly SecAppDev training courses on secure application development. Contact him at [email protected].

Frank Piessens is a professor in the Department of Computer Science at the Katholieke Universiteit Leuven, Belgium. His research interests include software security, and in particular the development of high-assurance techniques to deal with implementation-level software vulnerabilities and bugs, including techniques such as software verification, runtime monitoring, type systems, and programming language design. Contact him at [email protected].

Wouter Joosen is a professor in the Computer Science Department at the Katholieke Universiteit Leuven, Belgium. His research interests are aspect-oriented software development, middleware, and software security. Joosen received a PhD in computer science from KU Leuven. Contact him at [email protected].
FEATURE: GREEN COMPUTING
Understanding Green Software Development: A Conceptual Framework

Luca Ardito, Giuseppe Procaccianti, and Marco Torchiano, Politecnico di Torino, Italy
Antonio Vetrò, Technische Universität München, Germany

Published by the IEEE Computer Society. 1520-9202/15/$31.00 © 2015 IEEE

Developers who aim to write energy-efficient software require both a new mindset and models and tools that can measure and reduce the software effect on hardware energy consumption. The authors’ conceptual framework provides a unifying view of strategies, models, and tools.

IT energy consumption is an increasingly relevant concern. Traditionally, only hardware designers dealt with energy consumption. However, as hardware became more powerful, the influence of software behavior on energy consumption grew significantly.

During the last few years, we have explored several facets of IT energy consumption from a software engineering perspective. What was once purely anecdotal evidence about the pivotal role of software on energy consumption is now supported by sound empirical data we collected through a series of experiments on different hardware platforms: servers, desktop PCs, and mobile phones.

We analyzed the power consumption of three servers performing different tasks, and we observed that power consumption can increase up to 40 percent depending on the usage scenario [1]. We analyzed desktop computers from different technological generations in distinct software usage scenarios and found out that, depending on the software applications used, power consumption can increase up to 20 percent [2]. Finally, we profiled the power consumption of mobile devices, comparing two generations of Android OS-based smartphones. Our results show how different execution profiles of the same application can significantly affect the power consumption of a mobile device [3].

Although the actual figures vary depending on the specific hardware platform, the impact of software on energy consumption is definitely relevant. This implies a change of mindset for the software engineering community. First, developers must be more aware of the energy consumption caused by their applications. Second, a new perspective of software as the hardware driver arises. In this article, we provide a conceptual framework to support this new mindset by focusing on existing techniques and providing a useful unit of measurement for estimating the energy consumption of software.
A Framework for Energy-Efficient Software

There’s a joke that asks, “How many hardware engineers does it take to change a light bulb?” The answer is, “None. We’ll fix it in software.” As people say, there is a grain of truth in any joke. At the beginning of computer science, hardware and software were tightly mingled and mostly indistinguishable, but now hardware and software are more distant: the number of software layers is constantly increasing to provide encapsulation and abstraction for software applications. The goal of layering is to abstract (in other words, selectively remove) several details and shield the upper layers as much as possible from the complexity that lies in the lower layers. The first details that were removed are those concerning how hardware works. The result is that layers stand in the way of linking software to its physical consequences, such as its energy consumption.

In practice, in any programmable device, although the ultimate responsibility of energy consumption is always with the hardware, the software dictates the way the energy is consumed. The abstract model underlying the power consumption can be summarized as

$$\mathrm{Power} = \mathrm{Idle} + \sum_{c \in \mathrm{Components}} Hw_c \cdot Sw_c,$$

where $0 \le Sw_c \le 1$. The total power consumption Power of an IT device, when turned on, consists of an Idle part that is present even when the device is sitting idle. The additional consumption depends on the individual hardware component’s maximum consumption $Hw_c$, which is modulated by how much work the software demands of the component, $Sw_c$. Depending on the software requests, the hardware component can run at full throttle or remain idle.

This theoretical software power model supports higher, software-level strategies for increasing software energy efficiency. It gives developers a way to

• develop a strategy by analyzing the causes of energy consumption, and
• validate the efficacy of the formulated strategies by measuring their impact and effect.

According to this perspective of power consumption, there are two main strategies to achieve efficient, green software: refactoring and self-adaptation. Figure 1 presents these strategies organized in a framework.

At the top of the figure are those stakeholders who are interested in or affected by sustainability issues (see a list of such stakeholders created by Birgit Penzenstadler and her colleagues [4]): they trigger the need for developing energy-efficient software. This serves as input to the Strategy level, where operational decisions for greening the software are made.

The refactoring strategy is shown on the left side of Figure 1 (and described in detail later). It focuses on minimizing software instructions and code patterns that can cause higher energy usage. The self-adaptation strategy, shown on the right side of the figure, has the main goal of creating an energy-aware application that can choose among different configurations, or energy profiles, with respect to different scenarios and contexts (also described in detail later).

The two strategies are not meant to be mutually exclusive: developers can apply them together in the same development process. In addition, other technological, human, or process strategies can be plugged in whenever their impact is measurable and linkable, through modeling and profiling, to a software application and its power consumption.

Developers should apply both strategies iteratively by verifying the energy efficiency improvements through power profiling tools; then they can adapt the strategies as needed. They should also apply these strategies carefully, keeping in mind the software mission and its main functionalities, the required quality of service, and the interests of the stakeholders. For example, applying self-adaptation to reduce network usage might improve energy efficiency, but it might also violate service-level agreements on response time or availability.

The bottom part of the figure shows the Response level, meant to identify opportunities for energy optimization and to assess the energy savings gained by applying various strategies. The hardware provides resource usage information such as memory accesses, device usage, and CPU mode. This information is used as input to software profiling tools that analyze software applications during execution and provide online power consumption estimation values with varying granularity. Software power models represent a crucial component of our framework, because they enable the formulation and validation of the strategies.

Figure 1. Framework for energy-efficient software strategies. Software power consumption can be reduced by refactoring and through self-adaptation.
Software Power Consumption Models

To date, many research efforts have been devoted to predicting how much energy a computer system will consume when running a specific application or performing a specific task. The modeling approaches can be “white-box”—that is, code-level or instruction-level metrics—or “black-box”—that is, runtime metrics such as usage ratios of CPU or RAM. Of course, timing is an important factor: white-box models can be used to provide both an online (runtime) and offline (compile-time) estimation of the software impact, while black-box models can only perform online because they rely on resource usage data. However, real-time estimation is hard to achieve with both approaches. Due to the different time scales between hardware and software events, a certain amount of latency between the actual value and the prediction must be considered.

From our experience, the effectiveness of the chosen predictors varies greatly with respect to the hardware system considered. In embedded systems, for example, we have observed that code-level constructs may have an observable impact over power consumption only in some cases [5]. Also, as the system architecture becomes more complex, these models appear to be too fine-grained to describe the effect of software over power consumption. In these cases, a resource-usage-based model might be more meaningful: initial work has successfully proven the correlation between indicators of hardware resources and the power consumption of a desktop computer system [2]. As a matter of fact, most of the commercially available power profiling software tools (including Joulemeter [6], ARO [7], Power TOP [8], and PowerTutor [9]) are based on these types of models.

Choosing the appropriate resources (or, more precisely, resource usage metrics) as predictors is key to building an accurate resource-based power consumption model. Typically, the CPU is the most important component to monitor; this is why, especially on more advanced mobile systems such as smartphones, most tools focus on CPU usage as a predictor for software power consumption. However, our experiments have proven that other metrics—such as memory usage and, more importantly, I/O operations—have a significant correlation with power consumption.

Moreover, in some usage scenarios, software applications might require the activation of highly power-consuming peripherals (for example, GPS modules, 3G, and Wi-Fi antennas) that significantly modify the device’s consumption profile. Figure 2 shows the typical power consumption of a mobile device in different usage scenarios [10].

Figure 2. Power consumption of a mobile device in different usage scenarios. The data comes from earlier research [10]. Each bar in the graph represents a usage scenario that makes intensive use of a specific peripheral. For the 3G and 2G scenarios, both a data download, a phone call, and a standby scenario were evaluated. (Horizontal axis: power consumption in mW, from 0 to 1000; bars: Display, MP3 audio, CPU intensive, Bluetooth scan, GPS, Wi-Fi, 3G, and 2G.)

This suggests two considerations. First, rather than ignoring system resources, models must explicitly measure them. Second, software developers must be aware that decreasing the computational complexity of software applications isn’t enough to develop an energy-efficient application; they need to adopt a holistic approach.

Developing Green Software

Here, we illustrate two complementary strategies to develop green software: identifying and refactoring code patterns that cause high-energy usage (code level), or designing the software in such a way that it can adapt at run time to different energy needs or to the available residual device energy (design level).

Refactoring: Code-Level Guidelines

Predictive models embed knowledge about both the resources that consume power (such as CPU) and the activities that drive their consumption (such as disk transfers). As a consequence, the next step, from a developer perspective, is to identify the code patterns that imply high usage of those resources and activities. Taking inspiration from the well-known book of Martin Fowler and Kent Beck [11], we call such patterns energy code smells [5]—that is, implementation choices (at the code, design, or architectural level) that make software execution less energy efficient.

Combining our experience with evidence provided by similar work [12–15], we have derived a few lessons learned that represent a set of code-level guidelines for developers who want to “green” their applications.
Clean up useless code and data. As software evolves, many parts might become obsolete. Writing to never-read variables and other useless routines (such as repeated conditionals) might consume power purposelessly. Cleaning up these instructions might improve energy efficiency as well as maintainability. Many static analysis tools can detect useless code.

Look for immortals. The life cycle of software processes and threads must be carefully managed. Immortality energy smells describe situations where a software service restarts after explicitly being killed by the user, continuing to drain energy. Sometimes, developers create software immortals on purpose: in these cases, the death and rebirth phases of the processes and threads should be as graceful as possible to reduce resource usage overhead and the consequent energy waste.

Monitor the appropriate resources. The part of the system that is responsible for energy usage is hardware. That being said, in modern computer systems there are many different hardware devices, with different power requirements. Understand first which hardware needs more energy (for example, the GPS transmitter, wireless antennas, and sensors), then which software routines use it.

Exploit scenario-driven refactoring. Execution of the software depends not only on its internal structure and host environment (such as the OS) but also on the input it receives. Thus, an energy refactoring operation might show its results only in specific situations. Focusing on common usage scenarios makes the improvements more perceivable by users and eventually saves more energy.

Focus on higher-level structures and complex routines. As in performance optimization problems, improvements obtained at lower abstraction levels might be nullified by inefficiencies at higher abstraction levels. This is especially true when there are many software layers or when software runs in a complex environment (such as in virtualized or distributed systems). Start refactoring from higher-level constructs: their impact on CPU and memory (and consequently energy) is significantly higher compared to low-level functions.

Don’t trust loops. Loop constructs are powerful, but their contents must be carefully monitored. Loop smells happen when an application repeats the same activity on a loop without achieving the intended result and uselessly consuming energy (for example, when polling an unreachable server). Detecting and refactoring such loops can save a lot of energy, especially on battery-powered devices.

Reduce the amount of data transferred. In distributed and high-performance systems, or in battery-powered devices using power-consuming radio transmission, data transfer might be a significant source of power drain. Developers can optimize data exchanged between software applications or databases (local or remote) using data compression or data aggregation techniques. The energy impact of this optimization might be crucial in data-intensive and big data applications.

The refactoring strategy mostly operates at code level, so code-related metrics can be used to guide the application of the strategy. An example metric is the communication energy cost, which estimates the energy consumption induced by data transfers for each software component [16].
Self-Adaptation: Green Software by Design
While guidelines are useful for developers who want to green their existing applications, self-adaptation techniques are a good solution when developers are drawing their software’s architecture from scratch. The key idea is to provide different configurations of the same application that can be activated at different times to find the best tradeoff between features provided and energy consumed.

The main issue that arises in this approach is the need for getting instant power consumption data from devices; the hard part is getting the data with a limited overhead and without resorting to external equipment. We can consider a device as composed of three layers: hardware, OS, and application. Considering a single device, the data consumption flow should reach the upper layers (OS and application) from the hardware layer in order to be read without introducing too much overhead. In this way, the upper layers can be aware of their instant power consumption through resource usage. Currently, we compute this data by isolating a process’s use of a given resource and multiplying it by the theoretical consumption value of
IT Pro January/February 2015
that resource in that situation. This method introduces an error due to the theoretical value and an overhead due to the computation. The use of built-in power meters installed in the hardware layer would help to send energy consumption data in real time to the upper levels with the advantage of getting the consumption data by simply reading a value.

Based on this architecture, the OS receives consumption data in real time, processes all the data received, and interacts with the application layer. The application layer needs a suitable interface to exchange energy information with the OS layer.

Actions needed to implement self-adaptation depend on the context in which the application will be used. It’s important to create usage scenarios to measure the “energy cost” of a single functionality provided by the application. Based on functionality energy costs, it’s then possible to create different energy profiles that contain the full set or a subset of functionalities. This approach follows the scenario-driven refactoring guideline we discussed earlier, and it uses the energy consumption data provided by the OS layer. After that, it’s possible to work on a single functionality by deciding whether to include it in an energy profile or to change some parameters to save energy.

In other work,3 we presented a mobile application that reconfigures itself on the basis of the remaining battery level. We implemented self-adaptation by working on the application functionalities, enabling or disabling modules, and tuning some parameters; this changed the data granularity collected from the device and sent to the server. Table 1 shows an example of two different configurations of the same mobile application. Results show improvements up to 30 percent compared to an equivalent, nonreconfiguring application. Improvements depend on the scenario and level of tradeoffs that developers are willing to reach.

Table 1. Example configuration file for self-adapting applications.

| Software sensor | Profile 1: State (on/off) | Profile 1: Refresh after (sec) | Profile 2: State (on/off) | Profile 2: Refresh after (sec) |
|---|---|---|---|---|
| Phone | On | 3,600 | On | 600 |
| Location | Off | – | On + GPS On | 600 |
| Wi-Fi | Off | – | On | 600 |
| Bluetooth | Off | – | On | 600 |
| Device Info | On | 3,600 | On | 3,600 |
| Device Status | On | 3,600 | On | 600 |
| Device Settings | On | 3,600 | On | 600 |
| Terminal Activity | Off | – | On | 600 |
| Data | On | 3,600 | On | 3,600 |

Compared to the refactoring strategy, self-adaptation introduces a relevant set of changes to the software system. While refactoring operates at code level, self-adaptation is more of an architectural concern. Claudia Raibulet and Laura Masciadri proposed a set of architectural metrics to evaluate the adaptivity of a software system.17 Although these metrics are not specific for energy-driven self-adaptation, they can be adopted as a reference for developers who want to introduce self-adaptive mechanisms into their applications. For example, their MaAC (Minimum architectural Adaptive Cost) metric expresses the fixed cost of adaptivity at the architecture level.
There is significant evidence that a growing share of green IT will be addressed by green software engineering. From a management perspective, making software greener is a challenging task that involves complex tradeoffs among stakeholders. From a technical perspective, several tools and good practices are available, although they are not yet well integrated in an organic framework able to provide software developers and designers a unifying view. Our conceptual framework provides a high-level view over the possible operational strategies for developing greener software, by leveraging the information provided by power consumption models and power profiling tools. The impact of any successful strategy on power consumption must be measurable. This fundamental condition is the natural consequence of one of the lessons learned in 45 years of software engineering: no improvement is possible without measurement.
References
1. A. Vetrò et al., “Monitoring IT Power Consumption in a Research Center: Seven Facts,” Proc. 1st Int’l Conf. Smart Grids, Green Communications and IT Energy-Aware Technologies (Energy 11), 2011, pp. 64–69; www.thinkmind.org/index.php?view=article&articleid=energy_2011_4_20_50078.
2. G. Procaccianti et al., “Profiling Power Consumption on Desktop Computer Systems,” Proc. 1st Int’l Conf. Information and Communication on Technology for the Fight against Global Warming (ICT-GLOW 11), LNCS 6868, 2011, pp. 110–123; http://dx.doi.org/10.1007/978-3-642-23447-7_11.
3. L. Ardito et al., “gLCB: An Energy Aware Context Broker,” Sustainable Computing: Informatics and Systems, vol. 3, no. 1, 2013, pp. 18–26; www.sciencedirect.com/science/article/pii/S2210537912000522.
4. B. Penzenstadler, H. Femmer, and D. Richardson, “Who Is the Advocate? Stakeholders for Sustainability,” Proc. 2nd Int’l Workshop Green and Sustainable Software (Greens 13), 2013, pp. 70–77.
5. A. Vetrò et al., “Definition, Implementation and Validation of Energy Code Smells: An Exploratory Study on an Embedded System,” Proc. 3rd Int’l Conf. Smart Grids, Green Communications and IT Energy-Aware Technologies (Energy 13), 2013, pp. 34–39.
6. Microsoft Research, “Joulemeter: Computational Energy Measurement and Optimization,” 5 May 2014; http://research.microsoft.com/en-us/projects/joulemeter.
7. “AT&T Application Resource Optimizer (ARO),” 5 May 2014; https://developer.att.com/application-resource-optimizer.
8. Intel Open Source Technology Center, “PowerTOP,” 5 May 2014; https://01.org/powertop.
9. M. Gordon, L. Zhang, and B. Tiwana, “PowerTutor,” 5 May 2014; http://ziyang.eecs.umich.edu/projects/powertutor/.
10. L. Ardito et al., “Profiling Power Consumption on Mobile Devices,” Proc. 3rd Int’l Conf. Smart Grids, Green Communications and IT Energy-Aware Technologies (Energy 13), 2013, pp. 101–106.
11. M. Fowler and K. Beck, Refactoring: Improving the Design of Existing Code, Addison-Wesley Professional, 1999.
12. M. Gottschalk et al., “Removing Energy Code Smells with Reengineering Services,” Beitragsband der 42 Jahrestagung der Gesellschaft für Informatik e.V. [Proceedings of INFORMATIK 2012, Lecture Notes in Informatics, German Informatics Society], 2012, pp. 441–455.
13. A. Pathak, Y.C. Hu, and M. Zhang, “Bootstrapping Energy Debugging on Smartphones: A First Look at Energy Bugs in Mobile Devices,” Proc. 10th ACM Workshop Hot Topics in Networks (HotNets X), 2011, pp. 5:1–5:6; http://doi.acm.org/10.1145/2070562.2070567.
14. B. Steigerwald et al., “Creating Energy Efficient Software,” 2007; https://software.intel.com/sites/default/files/m/d/4/1/d/8/creating_energy-efficient_software.pdf.
15. L. Curtis, “Environmentally Sustainable Infrastructure Design,” The Architecture J., vol. 18, 2008, pp. 2–8.
16. C. Seo, S. Malek, and N. Medvidovic, “Component-Level Energy Consumption Estimation for Distributed Java-Based Software Systems,” Component-Based Software Engineering, Springer, 2008, pp. 97–113.
17. C. Raibulet and L. Masciadri, “Evaluation of Dynamic Adaptivity through Metrics: An Achievable Target?” Proc. Joint Working IEEE/IFIP Conf. Software Architecture and European Conf. Software Architecture (WICSA/ECSA 09), IEEE, 2009, pp. 341–344.
Luca Ardito is a postdoctoral research fellow in the Control and Computer Engineering Department at Politecnico di Torino. He received his PhD in software and systems engineering from Politecnico di Torino. Contact him at luca.[email protected].

Giuseppe Procaccianti is a doctoral candidate in the Software and Services Group of VU University Amsterdam. He is currently undertaking a double-degree PhD program in software and systems engineering between the Politecnico and the VU. Contact him at [email protected].

Marco Torchiano is an associate professor in the Control and Computer Engineering Department at Politecnico di Torino, Italy. He received his PhD in computer engineering from Politecnico di Torino. Contact him at marco.[email protected].

Antonio Vetrò is a postdoctoral research fellow in the Software and System Engineering Department at Technische Universität München (Germany). Formerly, he was a research assistant and PhD student at Politecnico di Torino (Italy). Contact him at [email protected].
FEATURE: STANDARDIZATION
An Interoperability Solution for Legacy Healthcare Devices
Yuan-Fa Lee, Industrial Technology Research Institute, Taiwan
An ISO/IEEE 11073 personal health device system enables legacy healthcare devices to transmit vital sign data to an application hosting device on a network. The proposed architecture is composed of the x73-PHD gateway, x73-PHD adapter, and legacy healthcare devices.

1520-9202/15/$31.00 © 2015 IEEE
Published by the IEEE Computer Society

In many existing healthcare devices, communication protocols are private and closed. The transmission interfaces of various legacy healthcare devices consist of four types: RS-232, USB, Bluetooth, and ZigBee. Standardization is becoming more important to allow the gathering of health information from various devices in a unified manner. Continua Health Alliance (www.continuaalliance.org) adopts international standard specifications (ISO/IEEE 11073 Personal Health Data, or PHD), to solve the interoperability problem between healthcare device operations.1,2 However, to standardize existing healthcare devices, we have to redesign current hardware and software. The standardization cost (including hardware and software) will increase and the design of healthcare devices will become more complex. In addition, users have confidence in the healthcare devices that they are using currently or have used before. These standardization costs, implementation complexity, and users’ practical demands create difficulties in growing healthcare markets as well as heightening the significance of a standard.

Recent research has focused on the personal healthcare system and the transmission of vital sign data from legacy healthcare devices to various application hosting devices or care providers based on the ISO/IEEE 11073 standards to support legacy healthcare devices.3 See the “Related Work in Standardization” sidebar for more information about these approaches.

I propose an x73-PHD system for legacy (non-PHD) healthcare devices that don’t follow the x73-PHD standards. This system converts the communication protocol of legacy devices to the ISO/IEEE 11073 PHD protocols.3 I developed a standardization adapter device for the x73-PHD standardizations of legacy devices. I further integrated these devices into the x73-PHD gateway, which is an ISO/IEEE 11073 PHD compatible manager. The objective of my system is to solve the interoperability problem and existent legacy healthcare device support issues.

Related Work in Standardization (sidebar)
Back in 2010, Chan-Yong Park and his colleagues proposed an ISO/IEEE 11073 standardization system, including a universal Personal Health Data (PHD) adapter (UPA), UPA interface board, and PHD manager.1 The UPA interface board communicates with a legacy healthcare device through a universal asynchronous receiver/transmitter (UART) interface and transmits measurement data to the universal PHD adapter to the PHD manager via the ZigBee interface. However, the UPA board interface only supports specific legacy devices with an UART interface.

Around the same time, Yung-Shun Huang and I introduced a novel personal healthcare system, including a service gateway, an adapter, and a legacy device.2 The adapter functions as a bridge to convert vital sign data from the connecting healthcare device, and then transmits data to the service gateway in compliance with ISO/IEEE 11073 PHD data format and protocol standards via a Bluetooth interface. However, the adapter only supports specific legacy devices with an RS-232 interface. These solutions don’t dynamically support different kinds of devices.

In 2012, Park and his colleagues presented an implementation model of standardization for legacy healthcare devices.3 The proposed system generates standard PHD protocol message blocks using legacy device information. This system standardizes the legacy healthcare devices. However, users need to manually input target device information to the PHD message-generation GUI. Furthermore, this system only supports the UART interface for communicating with legacy healthcare devices.

References (sidebar)
1. C.-Y. Park, J.-H. Lim, and S.-J. Park, “ISO/IEEE 11073 PHD Standardization of Legacy Healthcare Devices for Home Healthcare Services,” Proc. IEEE Int’l Conf. Consumer Electronics, 2011, pp. 547-548.
2. Y.-F. Lee and Y.-S. Huang, “Novel Personal Healthcare System,” Proc. 4th Int’l Symp. Medical Information and Communication Technology, 2010, pp. 54.
3. C.-Y. Park, J.-H. Lim, and S.-J. Park, “ISO/IEEE 11073 PHD Adapter Board for Standardization of Legacy Healthcare Device,” Proc. IEEE Int’l Conf. Consumer Electronics, 2012, pp. 482-483.

Methods
Here, I introduce the design of the healthcare monitoring system, including the system architecture, Continua paired information, workflow of the x73-PHD Adapter, and the firmware upgrade mechanism.

System Architecture
The overall system architecture consists of an x73-PHD gateway, an x73-PHD adapter, and non-PHD devices. The gateway functions as an application hosting device and connects with the adapter via the personal area network interface (PAN-IF), which supports USB and Bluetooth, and via the sensor LAN-IF, which supports ZigBee. The adapter connects with a non-PHD device via wired communication interfaces (for example, RS-232 and USB) or wireless communication interfaces (for example, Bluetooth and ZigBee). The adapter gets Continua paired information from the non-PHD device and upgrades a corresponding firmware. The measurement data is exchanged between the non-PHD device, adapter, and gateway. Figure 1 illustrates an overview of the proposed healthcare monitoring system. This system provides an interoperability platform for the non-PHD device exchanging measurement data compliant with the international x73-PHD standards via standard PAN and sensor LAN interfaces.
Continua Paired Information
The adapter adopts the design of Continua paired information to determine the firmware version. When a non-PHD device with the adapter gets the Continua certification or is qualified by a Continua test tool, my system generates a relationship status, labeled “Continua paired information,” between the firmware version of the adapter and the series of devices. Based on the Continua paired information, the adapter receives the corresponding firmware from the gateway and interoperates with the non-PHD device. The relationship of the firmware version for the adapter and devices is as follows:

• the product is Continua certified or a qualified product (a firmware version of the x73-PHD adapter, a series of devices), resulting in the relationship “Continua paired information;”
• to find the correct firmware version of the x73-PHD adapter for a series of devices, the relationship is “Search (Continua paired information).”

The adapter provides two methods to get the Continua paired information: wireless and wired. In wireless mode, the adapter performs a service discovery on a non-PHD device with wireless functionality (for example, Bluetooth or ZigBee). The unique information, including the media access control (MAC) or device serial number, corresponds to the Continua paired information. In the wired mode, the adapter queries the non-PHD device with the wired interfaces (for example, RS-232 or USB) for the unique information, including the product serial number, model number, and manufacturer data. The adapter can request that the gateway perform a firmware upgrade and enable the exchange of measurement data between itself and the non-PHD device, because the Continua paired information is converted from the unique information.

Figure 1. An operation overview of the adapter with a non-Personal-Health-Data device conjoined for connecting to the gateway via the personal area network or sensor LAN interface transmission. The measurement data compliant with the international x73-PHD standards is exchanged between the non-PHD device, adapter, and gateway.
Workflow of the x73-PHD Adapter
Figure 2 divides the adapter workflow into three steps: obtain Continua paired information, upgrade the firmware, and trigger 11073 communication. In the first step, the adapter obtains the Continua paired information on the basis of the healthcare device’s supported interface. For example, if a healthcare device supports a wired mode, the adapter connects to it with an RS-232 or USB interface. In addition, if a healthcare device supports a wireless mode, the adapter connects to it with Bluetooth or ZigBee. The adapter checks the current firmware version owned by itself with the Continua paired information. If the current firmware version doesn’t correspond to the Continua paired information, the adapter requests a firmware upgrade; otherwise, the adapter triggers 11073 communication. In the firmware upgrade step, the adapter receives the matched firmware, burns it into flash memory, and then enters the 11073 communication step after boot up. In the 11073 communication step, the adapter sends an association request message to trigger the 11073 communication.
Figure 2. A workflow overview of the adapter, including obtaining Continua paired information, upgrading the firmware, and triggering 11073 communication. The adapter gets the Continua paired information on the basis of the healthcare device’s supported interface. If the current firmware version doesn’t correspond to the Continua paired information, the adapter enters the firmware upgrade step, where it receives the matched firmware, burns it into flash memory, and then enters the 11073 communication step after boot up; otherwise, the adapter enters the 11073 communication step directly.

Firmware Upgrade Mechanism
A specially designed firmware upgrade mechanism for the gateway and adapter is integrated into the x73-PHD standard to support remote firmware upgrades.4 In addition, the mechanism is compatible with the original connection state machine. The firmware upgrade state machine of the gateway includes five states: idle, check firmware information, start firmware download, send firmware data, and finish firmware download. The firmware upgrade state machine of the adapter also includes five states: idle, wait for the firmware information, start the firmware download, receive firmware data, and finish the firmware download. The firmware upgrade state machine of the gateway interacts with the firmware upgrade state machine of the adapter. The communication model of the gateway and the adapter provides a detailed definition of the entry, exit, and error conditions for each state, including various operating procedures for firmware data transmission. Figures 3a and 3b illustrate the firmware upgrade state machines of the gateway and adapter separately in detail. Table 1 shows the firmware upgrade message in detail.

Table 1. Firmware upgrade messages.

| Item | Message direction | Message description |
|---|---|---|
| Firmware upgrade request | Agent → manager | Request firmware upgrade message with Continua paired information and firmware version |
| Firmware upgrade response | Manager → agent | Response to the upgrade message with a “no” or “yes” (including firmware image size and checksum information) |
| Start firmware download | Agent → manager | Request to start firmware download message |
| Firmware data | Manager → agent | Download firmware data |
| Finish firmware download | Manager → agent | Request to finish the firmware download procedure |

Results and Discussion
I developed the system proposed in this article based on a previous implementation.5,6 I created the gateway and integrated the Continua Reference Code Library with PAN-IF and sensor LAN-IF solutions in a Windows-based platform. I developed the adapter in an embedded system without OS support; the adapter includes protocol and device specifications defined in x73-PHD standards. The adapter uses a Texas Instruments MSP430F5419 as its microcontroller unit. It supports four communication interfaces: RS-232, USB, Bluetooth, and ZigBee. In addition, the hardware solutions for the USB Personal Healthcare Device Class, Bluetooth Health Device Profile (HDP), and ZigBee Health Care Profile are Texas Instruments MSP430F5529, Stollmann BlueMod+P25/G2 HDP, and Freescale MC13224, respectively. The supported legacy devices are the FORA TD-3250G (blood pressure and glucose) and TD-8002 (blood pressure, glucose, body temperature, and oxygen saturation). In addition, the adapter conjoins the legacy devices that were tested by Continua Test Management Lite version 1.5.3.0 separately. So, Continua paired information was generated for two legacy healthcare devices, FORA TD-3250G and TD-8002. Currently, the tested types of legacy devices available are blood pressure monitors, glucose meters, thermometers, and oximeters. However, the proposed system can support other types of healthcare devices as well.

Figure 3. The diagram illustrates the firmware upgrade mechanism for the (a) gateway and (b) adapter.

Figure 4 illustrates the sequence diagram for firmware upgrade mechanisms for the adapter and gateway. The adapter requests updating firmware by sending a firmware upgrade request message to the gateway. The gateway responds with the positive result message to the adapter. The adapter starts to receive the firmware data from the gateway and burns the firmware data into flash memory. After the adapter boots up successfully, it enables and establishes an 11073 connection with the gateway. During the firmware download, the compressed firmware is divided into several frames, an expected sequence number checks accuracy for each received frame, and firmware-related information (for example, header, signature, size, and checksum) verifies firmware validity when downloaded from the gateway to an adapter. If an unexpected frame number is received, then the procedure terminates. If any of the checked values vary from the expected one, then the firmware is treated as a broken or illegal image and not processed. In addition, based on Bluetooth security mechanisms (pairing, authentication, authorization, service levels, and symmetric key security)7 and ZigBee security mechanisms (device authorization, symmetric key security, encryption, and integrity protection),8 the compressed firmware transmission is protected from unauthorized access. If untrusted or illegal firmware is received,
then the adapter ignores it and doesn’t write it into flash memory. Furthermore, the adapter adopts a dual image design to prevent failures from remote firmware upgrades caused by unknown reasons. The proposed system benefits telecare ecosystem promotion in the current environment by working with various non-PHD devices.

Figure 4. This diagram illustrates the messaging procedure including upgrading firmware and triggering 11073 communication for the gateway and adapter. In the firmware upgrade step, the adapter receives the matched firmware data from the gateway, burns it into flash memory, and then enters the 11073 communication step after boot up. In the 11073 communication step, the adapter sends an association request message to trigger the 11073 communication.

Legacy Healthcare Device Support
Users worldwide have used existing legacy healthcare devices. From a customer standpoint, it’s difficult to adopt new healthcare devices with PHD functionality instead of the non-PHD devices instantly because users need to become familiar with the new PHD devices. The proposed system supports non-PHD devices directly. The adapter connects with the non-PHD device and transmits measurement data to the gateway in compliance with the x73-PHD data format and protocol standards. The adapter supports shelf products without any modification. It’s easy to promote the adapter instead of a new device with PHD functionality for users.

Standardization and Modulization
Many existing legacy healthcare devices have their own software and protocols that work alone or inside a single vendor system. The standardization for legacy healthcare systems requires replacement of system parts of a given healthcare device and incurs higher costs for interoperability. From the manufacturer’s standpoint, the standardization costs of PHD devices including software, firmware, and hardware is accumulated based on prior development costs from previous investment. In addition, it’s difficult to understand and implement the PHD standards for healthcare device companies that have no standardization experience. For healthcare device companies, there’s a longer development time for standardization. The adapter proposed by this study is easy to produce and use for healthcare devices including existing legacy healthcare devices and newly developed (PHD or non-PHD) devices. The standardized model of the PHD functionality enables the reuse in the same module and reduces product complications and standardization costs.

In this experiment, I created an x73-PHD standardization system without any hardware or software changing the legacy healthcare devices. This standardization system can be adapted for many legacy healthcare devices when it owns Continua paired information and the corresponding firmware for the legacy devices. The system offers a practical approach for constructing an e-health service environment based on the international x73-PHD standards using legacy healthcare devices. In the future, the most important tasks for this study will be to support other brands of healthcare devices; to support other kinds of device specifications, for example, ECG and cardiovascular; and to provide support for PAN-IF features, for example, Bluetooth Low Energy.
References
1. P. Brigitte et al., “Empowering Healthcare Patients with Smart Technology,” Computer, vol. 43, no. 7, 2010, pp. 27−34.
2. R. Carroll et al., “Continua: An Interoperable Personal Healthcare Ecosystem,” IEEE Pervasive Computing, vol. 6, no. 4, 2007, pp. 90−94.
3. L. Schmitt et al., “Novel ISO/IEEE 11073 Standards for Personal Telehealth Systems Interoperability,” Proc. Joint Workshop High Confidence Medical Devices, Software, and Systems and Medical Device Plug-and-Play Interoperability, 2007, pp. 146−148.
4. Health Informatics. Personal Health Device Communication. Part 20601: Application Profile—Optimized Exchange Protocol, ISO/IEEE 11073–20601a-2010, 2010.
5. Y.-F. Lee and Y.-S. Huang, “Novel Personal Healthcare System,” Proc. 4th Int’l Symp. Medical Information and Communication Technology, 2010, pp. 54.
6. Y.-F. Lee, “Personal Medical Monitoring System: Addressing Interoperability,” IEEE IT Professional, vol. 15, no. 5, 2013, pp. 31–37.
7. Bluetooth Specification Core Version 4.1, Bluetooth SIG, 2013; https://www.bluetooth.org/en-us/specification/adopted-specifications.
8. ZigBee RF4CE Specification, ZigBee Alliance, 2008; http://zigbee.org/zigbee-for-developers/network-specifications.
Yuan-Fa Lee is a researcher in the Biomedical Technology and Device Research Laboratories at the Industrial Technology Research Institute in Taiwan. His research interests include embedded system programming, network and medical device communication protocols, and virtual reality. Lee has an MS in engineering from the National Taiwan University of Science and Technology. Contact him at [email protected].
IT TRENDS EDITOR: Irena Bojanova, University of Maryland University College, [email protected]
High Tech, High Sec.: Security Concerns in Graph Databases
George Hurlburt, STEMCorp
Cybersecurity measures are best accommodated in system design, because retrofits can be costly. New technologies and applications, however, bring new security and privacy challenges. Furthermore, the consequences of new technology adaptation are often difficult to anticipate. Such is the case with graph databases, a relatively new database technology that’s gaining popularity. This article explores the value of graph databases and probes some of their security and privacy implications.
The Emergence of NOSQL
The Relational Database Management System (RDBMS), initially designed to maximize highly expensive storage, has indeed proven to be highly effective in transaction-rich and process-stable environments. For example, the RDBMS excels in large-scale credit-card transaction processing and cyclic billing operations. The RDBMS offers superior performance in the realm of indexed spatial data, but it fares poorly in highly dynamic environments, such as in a management information system that depends on volatile data or a systems architecture in which the churn of many-to-many relationships is high. In such environments, the RDBMS design imposes far too much mathematical and managerial overhead. The emergence of the Not Only Structured Query Language (NOSQL) database represents an alternative to the decades-long reign of the RDBMS [1]. Various forms of NOSQL databases opened doors to a vastly improved dynamic data portrayal, with far less overhead and performance penalties. For example, schemas need not be as rigorous in the NOSQL world. NOSQL database designs include wide-column stores, document stores, key value (tuple) stores, multimodal databases, object databases, grid/cloud databases, and graph databases. The graph database, crossing many lines in the NOSQL world [2], stands poised to become a successful technology.
The Graph Database
The graph database relies on the familiar “node-arc-node” relationship, or perhaps more simplistically, a “noun-verb-noun” relationship of a network (see Figure 1). A node can be any object. An arc represents the relationship between nodes. Both nodes and arcs can contain properties. This simple node-arc-node triad, often called a triple, is the fundamental building block for describing all manner of complex networks in great detail. Networks such as an electrical grid, a corporate supply chain, or an entire ecosystem are often composed of numerous nodes that share huge numbers of multiple relationships across arcs. Networks of all kinds lend themselves well to graph representation. The graph database harnesses this powerful capability to represent network composition and connectivity. Graph databases have matured to support discovery, knowledge management, and even prediction. In an Internet-connected world, where networks of all types become increasingly preeminent, such a network capability is becoming essential to modern sense making. However, like the RDBMS, the graph database is just another tool in the box, and it can be harnessed for good or ill. Thus, it’s not premature to consider the large-scale security implications of this new and rather exciting technology, at least from the highest levels.
Figure 1. Fundamental graph reasoning. This simple node-arc-node triad, often called a triple, is the fundamental building block for describing all manner of complex networks in great detail.
Node – Arc – Node: The Triple (basic building block)
Noun – Verb – Noun: Plain talk
Vertex – Edge – Vertex: Math speak
Subject – Predicate – Object: The Triple (W3C RDF standard)
Graph Discovery
Because they deal with properties and connections, graph databases represent rich pools of information, often hidden until discovered. Discovery is a means by which a large collection of related data is mined for new insights, without a strong precognition of what these insights might be. The graph database wasn’t initially considered a useful tool for discovery. It took a specially designed family of supercomputers to realize the full power of graph discovery. Although it’s straightforward to represent graphs, as the volume of triples increases into the billions, the ability to rapidly traverse multiple paths becomes compute-bound in all but the most powerful machines. This is particularly true in the case of dense graphs, such as tightly woven protein-protein networks. Here, detailed graph queries can overwhelm less capable computational systems. The graph supercomputer, built from the ground up to traverse graphs, overcomes time and capacity limitations. Such devices, some complete with Hadoop analysis tools, recently became available on the high-end graph database marketplace via Cray computers [3]. The high-end graph supercomputer, built for discovery, brings great promise. For example, it can support a detailed build-out of the complex relationships between the ocean and atmosphere that compose climatic conditions. In a time of great climate change, further discovery of indirect, nonlinear causes and effects becomes increasingly crucial. Likewise, a graph supercomputer could hasten a discovery concerning the spread of Ebola in Western Africa, which could serve to stem the spread of the disease. Figure 2 illustrates the notion of discovery using a graph database.
Figure 2. A graph database harnessed for discovery. Such discovery could support a detailed build-out of the complex relationships between ocean and atmosphere that compose climatic conditions, or could hasten the discovery of how Ebola might spread in Western Africa.
[Figure 2 labels: real-world data, triple representation, graph, graph query, traversal, baseline model, new insights, applied discovery.]
Discovery: Privacy and Security
Graph discovery has great promise for resolving complex interrelated problems, but it also presents privacy and security concerns. For example, one’s identity can be further laid bare if the graph supercomputer becomes the device of choice to further mine our social and financial transactions for purposes of surveillance, targeted advertising, and other overt exploits that tend to rob individuals of their privacy. While perhaps an alien thought in a thriving free enterprise system, placing an ethical bar on the acceptable extent of intrusion into one’s personal life might well prove necessary for financial, if not constitutional, reasons. It’s quite acceptable to expect law-enforcement to use all necessary means to remove real threats from our midst, but at what expense to the rest of society? Likewise, those anxious to move their products will take advantage of every opportunity to do so by whatever means possible, but at what personal price for those targeted? The reality is that such high-end exploitation amounts to nothing more than a projection of currently established trends. In the design of such socioeconomic studies, especially involving a wide range of social and business transaction relationships, the security bar must be set exceedingly high. Any intentionally perpetrated breach could be far more devastating than the recent massive hacks against corporations such as credit-card issuers or motion picture companies. This is further exacerbated by the notion that the Internet of Anything (IoA) consists of myriads of sensors, actuators, and mobile devices, all of which seem to be optimized for privacy leakage [4].
Graph Knowledge Management
The node-arc-node triple concept is highly conducive to the “subject-predicate-object” relationships expressed using the Resource Description Framework (RDF) descriptive language. RDF creates a level of formal expression that lets you describe and reason about the data housed in a graph database. Moreover, RDF nicely feeds a formal ontology, thus permitting a rigorous semantic definition of terms. The “how much is enough” question, however, might take years to resolve with regard to a tolerable degree of practical formalization. Together, RDF and a formal ontology speak to the World Wide Web Consortium (W3C) view of linked data—an endeavor to make reusable structured knowledge generally available in a common referential format via the Web [5]. There’s a downside though. Whereas it’s relatively straightforward to convert highly structured data, such as well-organized spreadsheets and databases, into RDF, the ability to reliably convert unstructured data into RDF exists only in high-end tools, which carry some restrictive caveats. Not all graph databases, however, require RDF triple representation. A number of thriving commercial graph databases employ triples in their own unique ways without engaging RDF. Many offer a number of attractive features, such as graph visualization, backup, and recovery. As the graph database industry grows from 2 percent to an estimated 25 percent of the database market by 2017 [6], a number of these tools will catch the corporate nod and the consumer base will continue to grow. Of course, many employ their own languages and techniques for data management. A real need exists for standards that, at a minimum, support data transportability.
Knowledge Management: Privacy and Security
Once again, however, security—particularly for proprietary architectural designs—must be taken into consideration. If Web sharing is envisioned as a reasonable means to generate a lot of system representative triples from resident experts, the design of a secure portal to the RDF data store becomes exceedingly important. Likewise, the notion of user authentication and verification also becomes important. Although knowledge management is perhaps less extensive than discovery, related databases still might possess specific identity attributes that must be well protected. Front-end provisions must be made to assure the existence of both security against intrusion and the privacy of any personal data contained in the graph database. Failure to offer adequate protection could disqualify otherwise promising candidate graph database offerings, whose interfaces are nonetheless vulnerable to attack.
Graph Prediction
In dynamic circumstances involving an unfolding process such as weather or economic trends, the ability to predict future behavior becomes highly desirable. Graph representations facilitate predictions, because they let us both qualify and quantify a system represented as a network. The ability to assign properties to nodes and arcs, such as location, time, weights, or quantities, lets us qualitatively evaluate the graph on the basis of similar properties. More importantly, quantitative techniques let us evaluate metrics inherent in almost all graphs. This applies to many fields, including neuroscience [7]. The ability to apply proven metrics to graphs means that their characteristics might be quantified in such a manner to objectively evaluate the graph. In cases where graph data is dynamic, such as in an ongoing process, a powerful predictive capability becomes possible, assuming the datastream is accessible. This approach presumes combinations of graph theory, and combinatorial mathematics can be applied against a real-time datastream. Moreover, various graph configurations could be classified based on their metrics. Such classification templates, each with a graph signature based on its metrics, could then permit identification of and a predictive baseline for similar graphs as they arise.
Prediction: Security and Privacy
Current cybersecurity best practices suggest the importance of taking a snapshot of a system under study to determine its security and privacy vulnerabilities, leading to the accreditation of systems proven to be “secure.” The fallacy of such practice is that most systems are influenced by ever-changing environments, which serve to change systemic behaviors over time. Thus, the accreditation is good for the moment of time in which the snapshot was taken. Given their growing sophistication, graph databases offer the potential to let us monitor dynamic change in near real time. By monitoring datastreams for anomalous node or relationship pattern changes using quantitative methods, we could detect and investigate intrusions and other security breaches early on, quickly prosecuting any identified perpetrators. From the predictive perspective, data integrity must take a front seat. Thus, the data provenance issue becomes crucial, because the stakes of prediction are high. The results of a prediction are as accurate as the data underlying the predictive tools. False data could gravely affect outcomes where security is literally endangered. Consider the consequence of a faulty predictive model for disaster relief, which calls for distributing resources in an unaffected region as opposed to the affected region. In this regard, good security practice results in the highest ethical standards of applied science.
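The monitoring idea above, comparing each new window of triples against a baseline graph signature, can be sketched as follows. This is an added example, not code from the article; the metric set, the threshold k, the spread floor and the sample access triples are assumptions constructed for illustration.

```python
"""Added example: flag anomalous graph windows by comparing metric signatures."""
from collections import Counter
from statistics import mean, pstdev


def signature(triples):
    """Reduce one window of (subject, predicate, object) triples to numeric metrics."""
    edges = set(triples)  # repeated observations of one triple count once
    nodes = {s for s, _, _ in edges} | {o for _, _, o in edges}
    out_degree = Counter(s for s, _, _ in edges)
    n, m = len(nodes), len(edges)
    return {
        "nodes": n,
        "edges": m,
        "density": m / (n * (n - 1)) if n > 1 else 0.0,  # directed-graph density
        "max_out_degree": max(out_degree.values(), default=0),
    }


def build_baseline(windows):
    """Learn mean and spread per metric, plus the set of predicates seen so far."""
    sigs = [signature(w) for w in windows]
    stats = {}
    for metric in sigs[0]:
        values = [s[metric] for s in sigs]
        stats[metric] = (mean(values), pstdev(values))
    predicates = {p for w in windows for _, p, _ in w}
    return {"stats": stats, "predicates": predicates}


def detect(window, baseline, k=3.0, min_rel_spread=0.1):
    """Return findings for metrics more than k spreads from the baseline mean
    and for relationship types (predicates) never seen in the baseline."""
    findings = []
    sig = signature(window)
    for metric, (mu, sigma) in baseline["stats"].items():
        # Floor the spread so a perfectly stable baseline metric does not
        # turn every one-unit change into an alert.
        spread = max(sigma, min_rel_spread * abs(mu), 1e-9)
        if abs(sig[metric] - mu) / spread > k:
            findings.append(f"metric:{metric}")
    for pred in sorted({p for _, p, _ in window} - baseline["predicates"]):
        findings.append(f"new-predicate:{pred}")
    return findings


def hub(window):
    """Node with the highest out-degree, as a starting point for investigation."""
    out_degree = Counter(s for s, _, _ in set(window))
    return out_degree.most_common(1)[0] if out_degree else None


# Constructed sample data: access relationships observed per time window.
ROUTINE = [
    ("alice", "logs_into", "hr-db"), ("bob", "logs_into", "crm"),
    ("carol", "logs_into", "hr-db"), ("alice", "reads", "payroll"),
    ("bob", "reads", "accounts"), ("svc-backup", "reads", "hr-db"),
    ("svc-backup", "reads", "crm"),
]
BASELINE_WINDOWS = [
    ROUTINE,
    ROUTINE + [("carol", "reads", "payroll")],
    ROUTINE + [("bob", "logs_into", "hr-db")],
    ROUTINE + [("carol", "reads", "accounts"), ("alice", "logs_into", "crm")],
]
NORMAL_WINDOW = ROUTINE + [("carol", "reads", "payroll"), ("bob", "logs_into", "hr-db")]
# One service account suddenly touches ten workstations and uses a new relationship type.
SUSPECT_WINDOW = (
    ROUTINE
    + [("svc-backup", "reads", f"ws-{i:02d}") for i in range(10)]
    + [("svc-backup", "exports_to", "ext-host")]
)

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOWS)
    for name, window in (("normal", NORMAL_WINDOW), ("suspect", SUSPECT_WINDOW)):
        print(name, detect(window, baseline), hub(window))
```

The baseline itself is only as trustworthy as the triples it was built from, which is the data provenance point made above: windows from unverified sources should not be allowed to update it.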
Although graph databases hold great promise in a world being consumed by networks of all kinds, they also represent some inherent security risks that have yet to be fully understood, much less appreciated. Rather than piling on the bandwagon, the prudent IT professional must carefully evaluate potential risks in the context of the intended operating environment and perform the necessary tradeoffs to achieve acceptable levels of security and data protection. If security and privacy issues surrounding relatively new technologies, such as increasingly popular graph databases, aren’t considered up-front, they become far more costly to implement downstream.
References
1. A.B.M. Moniruzzaman and S.A. Hossain, “NoSQL Database: New Era of Databases for Big Data Analytics—Classification, Characteristics and Comparison,” Int’l J. Database Theory and Application, vol. 6, no. 4, 2013.
2. M. Buerli, “The Current State of Graph Databases,” Dept. of Computer Science, Cal Poly San Luis Obispo, Dec. 2012.
3. Real Time Discovery in Big-Data Using the Urika-GD Appliance, white paper, Oct. 2014, www.cray.com/Assets/PDF/products/urika-gd/Urika-GD-WhitePaper.pdf.
4. A. Ukil, S. Bandyopadhyay, and A. Pal, “IoT-Privacy: To be Private or Not to be Private,” IEEE Conf. Computer Communications Workshops (INFOCOM), 2014, pp. 123–124.
5. D. Wood et al., Linked Data—Structured Data on the Web, Manning Publications, 2014.
6. E. Eifrem, “Graphs are Eating the World,” keynote, GraphConnect, Nov. 2014; http://vimeo.com/110554197.
7. O. Sporns, “The Nonrandom Brain: Efficiency, Economy, and Complex Dynamics,” Frontiers in Computational Neuroscience, vol. 5, 2011; www.frontiersin.org/Journal/Abstract.aspx?s=237&name=computational_neuroscience&ART_DOI=10.3389/fncom.2011.00005.
George Hurlburt is chief scientist at STEMCorp, a nonprofit that works to further economic development via the adoption of network science and to advance autonomous technologies as useful tools for human use. Contact him at [email protected].
MASTERMIND EDITOR: George Strawn, NITRD, [email protected]
Grace Hopper: Compilers and Cobol
George Strawn, NITRD
Candace Strawn
Admiral Grace Murray Hopper (1906–1992) was the first famous female computer scientist (except, perhaps, for the 19th century Ada Countess Lovelace, who was the “programmer” for Charles Babbage’s uncompleted steam-powered computer—a story for another article). This sketch of Hopper will focus on her early programming days, creation of the first compiler, leadership in creating the Cobol language, and latter-day speaking career. Incidentally, when people introduced her as a speaker, she advised them to say only that she was “the third programmer of the first computer.” (One hapless individual tried to give a more extensive introduction and received a Navy-quality dressing down for his efforts—that would be one of us, George Strawn.) We’ll also highlight the Grace Hopper Celebration of Women in Computing conference, which, since 1994, has brought together an increasing number of women (and now men) to address the disappointing gender imbalance in IT professions.
A Mathematician Gets Hooked on Computing
Hopper was educated at Vassar and Yale, receiving a PhD in mathematics in 1934. She then taught math at Vassar for 10 years. In the middle of WWII (1943), she took a leave of absence from Vassar and entered the US Naval Reserve, where she was assigned to the Bureau of Ships Computation Project at Harvard to work with Howard Aiken. In the late 1930s, Aiken, a professor at Harvard, had convinced IBM to build an electromechanical computer, called the Mark I [1]. (Incidentally, the Mark I was patterned after Babbage’s 19th century unfulfilled designs.) In 1944, the Mark I was completed and delivered to Harvard. As mentioned earlier, Hopper said she was “the third programmer of the first computer.” Since the Mark I was electromechanical, not electronic, it was not featured in the article in the March/April 2014 issue, “Masterminds of the Electronic Digital Computer.” The Mark I could have been called the last of the pre-computers, but we can almost hear Hopper dressing us down for that interpretation.
At the end of the war, Hopper chose to stay at the Harvard Computation Lab rather than return to Vassar. An oft-repeated story from her Harvard days was that she “debugged” the Mark I by removing a moth from the machine’s wires, which had disrupted operations (and spelled its doom). Since that time, fixing hardware or software has been called debugging [2]. In 1949, Hopper joined the Eckert-Mauchly Computer Corporation and became part of the team developing the UNIVAC I [3]. The corporation ran into financial problems in the early 1950s and sold out to Remington Rand. Hopper continued to work under the new management and soon made seminal contributions, initiating the field of high-level programming languages.
Compilers and the Mother of Cobol
Hopper was perhaps the first person to believe that computers should speak human-like languages, rather than requiring humans to speak computer languages. This belief began to be put into action in 1952 with the creation of the A-0 compiler [4] (Arithmetic Language, version 0—actually more of a link-loader than compiler). In 1954, Hopper was named director of automatic programming for the UNIVAC division, and her department released some of the first truly compiler-based programming languages, including Math-Matic (A-3) and Flow-Matic [5] (B-0, Business Language, version 0). By the way, the A-2, which was released in 1953, was perhaps the first example of free and open source software, because customers were given the source code and encouraged to send in suggested improvements.
It was soon realized that computer programming was labor-intensive and expensive, and the idea of more human-like computer languages began to catch on. Such languages could lower the cost and increase the speed of developing computer programs. Progress proceeded in several directions. For scientific applications, IBM developed the Fortran (formula translation) language and delivered its first Fortran compiler for the 704 computer in 1957. For computer scientists, an international team developed the Algol language and the first compilers appeared in 1958. For artificial intelligence researchers, the Lisp language was created about this same time, with the first Lisp interpreter developed for an IBM 704 in 1958 (Lisp compilers didn’t appear until the early 1960s).
However, business applications, then as now, were a major part of the computing landscape. Hopper focused her considerable talents in that direction. In particular, the Flow-Matic language reflected Hopper’s belief that business programming should be accomplished in a language that looked as much like English as possible. Remington Rand officials were skeptical, but Flow-Matic was released to customers in the late 1950s and was immediately successful. IBM then entered the field of business programming languages with its Comtran (commercial translator, a companion to Fortran).
With multiple languages emerging, the benefit of having a “standard” business language became apparent. Reprogramming a computer application could be as expensive as programming it in the first place. For example, buying a new computer could mean starting over on programming an application. So in 1959, a committee of industry and government personnel, with Hopper as technical consultant, was formed with the goal of developing a common business-oriented language for programming (Cobol; http://en.m.wikipedia.org/wiki/COBOL). The first version was named Cobol60, and compilers began appearing from various computer companies.
Cobol has been wildly successful. In 1997, the Gartner Group estimated that there was a total of 200 billion lines of Cobol code in existence, which ran 80 percent of all business programs [6]. One of the reasons for Cobol’s success has been the degree of standardization achieved. The American National Standards Institute issued the first Cobol standard in 1968, and Hopper was a major force behind this activity. From 1967 to 1977, she served as the director of the Navy Programming Languages Group in the Navy’s Office of Information Systems Planning and was promoted to the rank of captain in 1973.
“Amazing Grace”
Hopper retired from the Navy in 1966, 1971, and 1986! She was recalled after the first two retirements and was promoted to Rear Admiral in 1983. Among her many honors, the Navy commissioned a destroyer named USS Hopper in 1996, and a Department of Energy laboratory named one of its supercomputers the Hopper. Her multiple contributions and honors contributed to her being called “Amazing Grace” as an additional honor [7]. Later, her retirement speaking career also added luster to her reputation. She was not only a gifted speaker but also a humble one. One story she liked to tell about herself was that a man on an elevator once thought she was the elevator operator as she was in full Navy dress. Hopper sternly corrected the man’s impression and he responded rather rudely: “You must be the oldest one they’ve got.” Hopper shot back, “I am not! Admiral Rickover is older!” Another memorable part of her speeches was when she handed out “nanoseconds” to audience members. These were wires, a little less than a foot long, which is the distance that light travels in a nanosecond. We heard her talk in the pre-chip days of discrete transistors, which were connected by wires, many of which were much longer than a foot. We interpreted her remarks to mean that we shouldn’t hold out hope for a gigaop computer (which chip technology eventually realized).
The number of women computer science majors is small and declining, which is resulting in even fewer women in the IT professions. Understanding why this decline is occurring and what can be done about it is occupying much time and thought in the higher education community. The IT professions need as many good candidates as the country (and world) can provide, so disenfranchising half of the population is a terrible idea. Two inducements that are known to encourage people to follow a certain path are role models and heroes. The Celebrating Women in Computing Conference (http://gracehopper.org) helps fulfill both of these goals, among others. Honoring Grace Hopper by giving the conference her name announces to the world that IT heroes aren’t just men—women are IT heroes too.
References
1. M.R. Swaine, “Harvard Mark I,” Encyclopedia Britannica; www.britannica.com/EBchecked/topic/44895/Harvard-Mark-I.
2. W. Isaacson, The Innovators, Simon & Schuster, 2014.
3. L.R. Johnson, “Coming to Grips with Univac,” IEEE Annals of the History of Computing, vol. 28, no. 2, 2006, pp. 32–42; doi: 10.1109/MAHC.2006.27.
4. P. Ceruzzi, A History of Modern Computing, The MIT Press, 1998.
5. Introducing a New Language for Automatic Programming: Univac Flow-Matic, Sperry Rand Corp., 1957.
6. R.J. Kizior, D. Carr, and P. Halpern, “Does COBOL Have a Future?” Proc. Information Systems Education Conf., vol. 17, no. 126, 2000.
7. K.L. Engel, “Admiral ‘Amazing Grace’ Hopper, Pioneering Computer Programmer,” Amazing Women in History; www.amazingwomeninhistory.com/amazing-grace-hopper-computerprogrammer.

IT Professional (ISSN 1520-9202) is published bimonthly by the IEEE Computer Society. IEEE Headquarters, Three Park Avenue, 17th Floor, New York, NY 10016-5997; IEEE Computer Society Publications Office, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 907201314; voice +714 821 8380; fax +714 821 4010; IEEE Computer Society Headquarters, 1828 L St. NW, Suite 1202, Washington, DC 20036. Subscribe to IT Professional by visiting www.computer.org/itpro. Postmaster: Send undelivered copies and address changes to IT Professional, Membership Processing Dept., IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 08854-4141. Periodicals Postage Paid at New York, NY, and at additional mailing offices. Canadian GST #125634188. Canada Post Publications Mail Agreement Number 40013885. Return undeliverable Canadian addresses to PO Box 122, Niagara Falls, ON L2E 6S8, Canada. Printed in the USA. Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in IT Professional does not necessarily constitute endorsement by the IEEE or the Computer Society. All submissions are subject to editing for style, clarity, and space.
George Strawn is director of the National Coordination Office for the Networking and Information Technology Research and Development Program (NITRD). Contact him at gostrawn@gmail.com.

Candace Strawn is a retired high school, community college, and university teacher. Contact her at castrawn@gmail.com.
Selected CS articles and columns are available for free at http://ComputingNow.computer.org.
IT Pro January/February 2015
Editor in Chief
San Murugesan, BRITE Professional Services

Associate Editors in Chief
Irena Bojanova, University of Maryland University College
J. Morris Chang, Iowa State University
Linda Wilbanks, US Department of Education

Department Editors
Data Analytics: Seth Earley, Earley & Associates
IT in Emerging Markets: Gustavo Rossi, Universidad Nacional de La Plata
IT Trends: Irena Bojanova, University of Maryland University College
Life in the C-Suite: Joseph Williams, Seattle Pacific University
Mastermind: George Strawn, NITRD
Securing IT: Rick Kuhn, US Nat’l Inst. of Standards and Technology
Smart Systems: Karen Evans, KE&T Partners

Editorial Board
Stephen J. Andriole, Villanova University; Wesley Chou, US Department of Defense; Fulvio Corno, Politecnico di Torino; Haluk Demirkan, University of Washington—Tacoma; Vladimir Dimitrov, University of Sofia; Reza Djavanshir, Johns Hopkins University; Jinan Fiaidhi, Lakehead University, Canada; Bin Guo, Northwestern Polytechnical University; Robert R. Harmon, Portland State University; George F. Hurlburt, STEMCorp; Samee U. Khan, North Dakota State University; Maria R. Lee, Shih Chien University; Sunil Mithas, University of Maryland; Arpan Pal, Tata Consultancy Services; Tim Weil, US Department of Interior

Advisory Board
Jin-Fu Chang, President, Yuan-Ze University and Board Chair, Institute for Information Industry, Taiwan; Wushow Chou (EIC Emeritus), North Carolina State Univ.; Karen Evans, KE&T Partners; Frank E. Ferrante, FEF Group; Thomas Jepsen, IT consultant; Simon Liu, US Nat’l Agricultural Library; H. Gilbert Miller, Noblis; Sorel Reisman (chair), California State Univ., Fullerton; Henry Schaffer, North Carolina State Univ.; George Strawn, NITRD

Editorial Staff
Editorial Management: Shani Murray
Editorial Product Lead: Bonnie Wylie
Cover Designer: Jennie Zhu-Mai
Publications Coordinator: [email protected]
Director, Products & Services: Evan Butterfield
Senior Manager, Editorial Services: Robin Baldwin
Associate Manager, Peer Review: Hilda Carman
Director of Membership: Eric Berkowitz
Business Development Manager: Sandy Brown
Senior Advertising Coordinator: Marian Anderson

2015 IEEE Computer Society President
Thomas M. Conte

CS Magazine Operations Committee
Forrest Shull (chair), Brian Blake, Maria Ebling, Lieven Eeckhout, Miguel Encarnacao, Nathan Ensmenger, Sumi Helal, San Murugesan, Shari Lawrence Pfleeger, Yong Rui, Diomidis Spinellis, George K. Thiruvathukal, Mazin Yousif, Daniel Zeng

CS Publications Board
Jean-Luc Gaudiot (VP for Publications), Alain April, Alfredo Benso, Laxmi Bhuyan, Greg Byrd, Robert Dupuis, David S. Ebert, Ming C. Lin, Linda I. Shafer, Forrest Shull, H.J. Siegel

Writers: Access www.computer.org/itpro/author.htm.
Letters to the Editors: Send letters to [email protected].
Subscribe: Visit www.computer.org/subscribe.
Subscription Change of Address: Contact [email protected].
Missing or Damaged Copies: Contact [email protected]
Reprints of Articles: Contact [email protected].

IEEE prohibits discrimination, harassment and bullying: For more information, visit www.ieee.org/web/aboutus/whatis/policies/p9-26.html.

Published by the
Reuse Rights and Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for profit; 2) includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their own Web servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen of the posted copy. An accepted manuscript is a version which has been revised by the author to incorporate review suggestions, but not the published version with copy-editing, proofreading, and formatting added by IEEE. For more information, please go to: http://www.ieee.org/publications_standards/publications/rights/paperversionpolicy.html. Permission to reprint/republish this material for commercial, advertising, or promotional purposes or for creating new collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual Property Rights Office, 445 Hoes Lane, Piscataway, NJ 08854-4141 or pubs-permissions@ieee.org. Copyright © 2015 IEEE. All rights reserved.

Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of patrons, provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.
CALL FOR PAPERS

Wearable Computing
Publication: September/October 2015
Submission deadline: 1 February 2015

Given the growing popularity of Google Glass, the Apple iWatch, Fitbit, and many other wearable devices, wearable computing is a topic of significant interest. The use of wearables for specific applications, such as healthcare monitoring or elderly support, is becoming a reality. Wearable computing also extends into the workplace—making it safer, more comfortable, and more productive—and the military, with advanced technologies being integrated into suits and clothes for soldiers. Driven by advances in mobile computing and communications, ambient intelligence, and ubiquitous sensors, wearable computing facilitates a new form of human-computer interaction via small, on-body devices that are always on, ready, and accessible. The “always ready” capability leads to a new form of synergy between humans and computers, offering consistency and multitasking capabilities. Areas of wearable computing research include user interface design, augmented reality, pattern recognition, and wireless and personal area network technologies.

This issue of IT Professional will review wearable computing trends and applications and consider the engineering and operational aspects of wearable computing. We solicit papers covering various topics of interest in wearable computing, including the following:

• System design
• Personal and enterprise applications
• Case studies on organizations embracing wearables
• Impact on user interface design, augmented reality, and wireless networks
• Integrating wearables into larger systems (such as augmented reality systems, training systems, and platforms for collaborative work)
• Behavioral modeling
• Management of wearable devices
• Cultural and social implications of adopting wearable computing devices
• Application areas—such as electronic textiles and fashion
• Privacy, personal safety, and quality of life issues
• Collective human intelligence
• Innovations in and prospects of wearable computing
• How wearables can help achieve better outcomes in the military health system

Submissions
Feature articles should be no longer than 4,200 words (with tables and figures each counting as 300 words) and have no more than 20 references. Illustrations are welcome. For author guidelines, including sample articles, see http://www.computer.org/web/peerreviewmagazines/acitpro. Submit your article at https://mc.manuscriptcentral.com/itpro-cs.

Questions?
For further information, contact the Guest Editors:
Maria R. Lee, Shih Chien University
Irena Bojanova, University of Maryland University College
Tom Suder, Mobile Gov