Making Data Better

In this Making Data Better episode, Steve and George discuss the multiple challenges of making better security approaches available and, critically, used by relying parties and suppliers. This is a hugely non-trivial problem. Functional product features nearly always receive priority over basic security. IoT manufacturers compete on features and cost where even a single dollar’s worth of cryptographic hardware impacts competitiveness. With incentives as they are, taking steps to secure digital operations will continue to be viewed as a cost of doing business, a cost to be minimized if not avoided. The answers are multiple but a huge market shaper is regulation. Regulation shapes how competitors prosper, or not, by focusing incentives on safety. That’s worked for automobiles; it’s worked for aircraft. We believe the internet needs similar treatment (remember the phrase “Information Superhighway”?). Regulation can remove the cost avoidance temptation and establish the minimum capabilities for all parties. And, as we discuss, ubiquitous participation is essential. We are also bullish on the business model that could emerge around verifiable credential sharing. So take a listen!

Privacy has been a major casualty of the Internet. Twenty five years ago Silicon Valley leading light, Sun’s CEO Scott McNealy said we “have zero privacy. Get over it.” And that has been the truth ever since and the profits basis for AdTech behemoths Google, Meta, and more. The good news is that, in the quarter century since advertising became the Internet’s business model, few have gotten over it, including powerful national and regional regulators. In this wide-ranging discussion with Steve and George, Michelle Finneran Dennedy, CEO of PrivacyCode, Inc. and Partner at strategy consulting firm Privatus.Online speaks to this shift toward restoring online privacy and what her company is doing to streamline implementation of privacy enhancing practices. In this Making Data Better episode, Michelle addresses: This is an important and exciting conversation. Take a listen.

A key actor in risk assessment is the data provider. These commercial operations aggregate and analyze the data produced by governments, enterprises, individuals, and even other data providers. All to feed today’s insatiable appetite for understanding who it is we are dealing with online. In this Making Data Better episode, Steve and George are joined by Cindy Printer, Director, Financial Crime Compliance and Payments, at LexisNexis Risk Solutions. The company is a major data provider to government and enterprise; Cindy focuses her work on financial services firms and their need for regulatory compliance. We discuss the granular nature of the data LexisNexis Risk Solutions offers its customers and the breadth of sources used to meet their needs. It’s astonishing. Cindy makes the point, one we heartily agree with at Lockstep, that risk is specific, a concern for each individual entity and that the data required by each entity varies based upon its specific concerns. And that’s why LexisNexis Risk Solutions tunes the data services it provides to the industry segment and individual firm. Sitting on top of such vast data resources and knowing the complications associated with deriving meaning from it all, LexisNexis Risk Solutions also provides analytical services that saves an enterprise from having to analyze the data itself. This is a great conversation if you want to understand the data provider role, the scale of its operations, and its priorities. So take a listen.

In this quick take, Steve and George discuss the idea of a single digital ID through a review of the proposed bill currently in front of Australian legislators. We being by comparing that approach to two very different models: India's Aadhaar program and the "shadow IDs" as employed by commercial data providers. We are excited by the steps Australia is taking to secure the online activity of its citizens. This is serious work with many of the required elements for success already in place. And connecting those elements into a strong chain will be challenging. We conclude with a discussion on the quality of the data feeding into any system performing identification. How do you know that the data is authentic when it is presented through plaintext? Like chip cards and passkeys, we posit that device-bound data is required for secure online interactions. This concern isn't just about what's happening in Australia, of course. The problems of data authenticity and how to integrate a new digital attribute into KYC processes are non-trivial. So take a listen and get in touch.

Australia's online security community - government, banking, and providers - has made a major, deliberate move. Over the last year, the term "digital identity" has been replaced by "digital ID" in government and industry publications and press releases. Steve and George unravel this deliberate linguistic shift from the amorphous 'digital identity' to the more concrete and pragmatic 'digital ID', and understand why this nuanced change is more than mere semantics. It's a shift that promises greater clarity in technology, legislation, and personal identification. Tune in and explore a future where proving who you are online is not just more secure, but refreshingly straightforward. Why does this matter? As Steve and George discuss it in this episode of Making Data Better, it accurately shifts the focus of policy and technical work on to the quality of the data used for identification purposes. It frees everyone from the impossible tasks of representing our "identities" digitally. Through our discussion, we celebrate the strides made by Australia in addressing the advancement of digital identity systems—a contrast to the comparatively uncoordinated, market-driven efforts seen in the U.S. Steve and George conclude with their perspective on how to secure digital IDs using device-assisted presentation. Plaintext presentation is the enemy. It gives hackers endless opportunities to copy (via data breaches) and replay (via fraud) that data. There is a straightforward solution that we have done before: marry the cryptographic strength of how chip cards are secured to the convenience of smartphone presentation and we have the opportunity to remove breach incentive by making our digital ID data better. There's plenty of work ahead but there's great power in what could be an uncontroversial, technically practical, achievable approach. So take a listen.

Data provides the basis for how we make decisions. An enemy of security these days, from our point of view, is plain text. We need better than that. We need device-assisted support for proving where data comes from and how it's been handled. We need systems that keep data (and code) from being altered without cause, that give us the ability to trace the change history of data. Confidential computing is a new compute paradigm that provides a hardware-based foundation for running code and the data it manipulates. It safeguards data and code (it's all data; it's all code) in its most vulnerable state: while it's being processed. In this episode of Making Data Better Steve and George are joined by Anjuna's Mark Bauer to dive into this new model's high impact on security and low impact on cloud app development. Mark dissects the mechanics behind this approach including how it strengthens the software supply chain through hardware-based attestation. He addresses its fit in modern cloud infrastructure including Kubernetes, data loss prevention (DLP), API scanning and more. The conversation addresses the initial major use cases for confidential computing. High risk environments including defense, banking, and healthcare are obvious. Not so obvious is securing multi-party data sets in the cloud for machine learning and AI-based applications. So take a listen to this episode of Making Data Better and learn how hardware-based security can harden the cloud.

Credential sharing is complex and exciting. Take a listen to our guest, Dan Stemp from JNCTN, in this installment of Making Data Better. We discuss JNCTN's credential sharing platform and its major use cases. Discover how managing digital identities supports the work of critical industries, from power generation to healthcare. We unpack the intricate relationships between those who rely on credentials, the individuals who hold them, and the authorities who issue them. Dan tells us the story of his firm's evolution from card personalization bureau to today's digital credential management scheme. We discuss the firm's clients' transition from physical tokens to digital credential presentation. Of course, we discuss wallets because they are the natural containers to hold verifiable credentials and we address JNCTN's proprietary approaches, the W3C, and big players like Apple and Google. Implementation of systemic systems is never easy. JNCTN has multiple stakeholders to convince. We examine enterprise adoption and the leverage points that resonate with the relyingn parties, the risk owners, who deploy these systems. It's not just about risk mitigation and operational efficiency. So, take a listen as Dan, Steve, and George share their enthusiasm for verifiable credential sharing and the breadth of applications ahead.

Ever wondered about government's role in online identification and how it could expand to help our digital economy function better and safer? Or how government data quality directly impacts risk assessment? In this episode of Making Data Better, we tackle where US and Australian governments stand on protecting our digital IDs and personal credentials. Join us as Jeremy Grant, Managing Director of Technology Business Strategy at Venable LLP, brings his insights on security technology strategy, policy, finance, and more to Making Data Better. Jeremy speaks to his decades-long experience with US federal and state government initiatives. And to the work of his organization, the Better Identity Coalition (check out its policy papers for federal and state-level policymakers!) Government issues the credentials we rely on to prove who we are. Regulating how those credentials may be protected to enjoy expanded usage is both necessary and fraught with complications. Tech regulation has a history of being well behind technology's evolution. That said, it is coherent policy and political direction that is needed. Disparate agencies may fully understand the potential of the assets they manage but without strategic focus at the highest level, the challenge of digital ID will remain. And our exposure to fraudsters, synthetic identities, and nation-state attacks will continue. This is no small matter. FINCEN, the Treasury Department's Financial Crimes Enforcement Network, recently announced their analysis of bank-filed suspicious activity reports. They found that $212 billion of transactions were tied to compromised identity. The General Accounting Office, the investigative arm of the US Congress, estimated between $100 and $135 billion losses in public benefits fraud during the pandemic. This is real money, ending up in the hands of organized criminals and adversarial nation-states. So, take a listen to this episode with Jeremy Grant and Lockstep's Steve Wilson and George Peabody. There's work to be done.

In October 2008 Heartland Payment Systems discovered it had been breached. Albert Gonzalez and several other individuals hacked their way through an external company website using SQL injection — an attack that too often still works — to the core of Heartland’s systems. They were able to copy credit and debit card numbers and other data used in payment authorization. At the time, that data enabled those who bought it to create new magstripe cards. Some stats about the hack: To me, this is also something of a hero story. Because Heartland’s leadership, led by CEO Bob Carr, got angry. Yes, at the hackers. But more important they took that anger and frustration and used it to fill a gaping hole in card system security, way out in front of what the card systems themselves required. I was fortunate enough to play a minor part in Heartland’s response. As an analyst, I got to know some key players who will tell their part of the story in this episode.

Self-sovereign identity, digital wallets, risk management, federated identity, and a recap of the Identiverse 2023 conference are among the topics discussed in this episode of Making Data Better. George and Steve complete their landscape view of data quality and security. Identiverse 2023 reflected those topics, indicating a shift toward digital wallets, passkeys, and verifiable credentials as essential components of a resilient digital ecosystem. We discuss these and what's not being addressed to date. So take a listen as we set the table for Making Data Better and begin our series. We will speak to practitioners of the latest in data protection, tell the stories of data quality initiatives that have succeeded—and failed—and regularly rise above the weeds to provide perspective. With so many moving parts and so many changes, Making Data Better keeps it all in context.

Online trust? Digital identification? Wallets? Privacy? Data quality? If these topics resonate, join Lockstep's George Peabody and Steve Wilson in this, the first episode of Making Data Better, a podcast about data quality and the impact it has on how we protect, manage, and use the digital data critical to our lives. We focus on making data better because data quality has everything to do with making good decisions. We introduce the critical and complex concerns that affect online trust and risk management. One area where this really applies is in assessing risk. We believe data quality has an outsized impact on risk management. From relatively trivial decisions about where to go out to eat, to opening new bank accounts and sending money cross-border, each carries risk. Do we trust the data? Does it let us know who or what is on the other end of our digital interaction? There are so many moving parts to understand, evaluate, and discuss. We’ll unpack all this with experts from fintech, cyber, healthcare, government services, and academia. So take a listen and join us on this journey.

Making Data Better is a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives. Take a listen to this intro. We're launching the first episodes in June 2023.