<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.gccollab.ca/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Keith.douglas</id>
	<title>wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.gccollab.ca/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Keith.douglas"/>
	<link rel="alternate" type="text/html" href="https://wiki.gccollab.ca/Special:Contributions/Keith.douglas"/>
	<updated>2026-04-29T10:04:19Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.35.2</generator>
	<entry>
		<id>https://wiki.gccollab.ca/index.php?title=Talk:Renewing_the_GC_Data_Strategy&amp;diff=75082</id>
		<title>Talk:Renewing the GC Data Strategy</title>
		<link rel="alternate" type="text/html" href="https://wiki.gccollab.ca/index.php?title=Talk:Renewing_the_GC_Data_Strategy&amp;diff=75082"/>
		<updated>2022-07-06T13:42:38Z</updated>

		<summary type="html">&lt;p&gt;Keith.douglas: Some initial comments&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Speaking for myself ONLY:&lt;br /&gt;
&lt;br /&gt;
A data strategy IMO needs very close attention to mechanisms used to acquire, process, store, etc. these data. Development standards (particularly in the cybersecurity space) are very out of date - they reflect 1990s style &amp;quot;big bang&amp;quot; releases and paper assessments, no assignment of controls until months into a project, etc. This has to be changed or people will end run around procedures.&lt;br /&gt;
&lt;br /&gt;
Worse, some initiatives to &amp;quot;democratize&amp;quot; the development process also jeopardize what '''little''' we have in this respect. IMO, we should be moving towards professionalization in software development, application security, data security (which was barely alluded to at all in the talks, which is terrifying), etc. Remember that data *integrity* is as important (or often more) than confidentiality, and so even if there is a revolution in &amp;quot;secrecy&amp;quot; there is still a problem with data omissions, misrepresentations, distortions, etc. that is not only the target of bad actors, but also just a way to suffer accidents.&lt;br /&gt;
&lt;br /&gt;
Finally, there is a desire to use certain acquisitions of extremely fraught ethical character - for example, spidering. Clear, agilely updatable regulations (legal sanction to departments, particularly) and very very concrete specifics on what is tolerated and not. A campaign to make the public aware of this and standards for being ignored personally (including businesses). Serious engagement with the philosophy of computing community on matters related is also vital (and this must also go beyond ethics to epistemology and effectively also, metaphysics like theories of human nature); scholars like H. Nissenbaum have pointed out that our traditional categories of privacy and such are not anything like how people actually behave and think. Whole categories of thought on these matters are not reflected (yet!) in law and policy. One interesting and terribly complicated example - terms of service. Do we honour them?&lt;/div&gt;</summary>
		<author><name>Keith.douglas</name></author>
	</entry>
	<entry>
		<id>https://wiki.gccollab.ca/index.php?title=Talk:M365/Home/PowerBI&amp;diff=30563</id>
		<title>Talk:M365/Home/PowerBI</title>
		<link rel="alternate" type="text/html" href="https://wiki.gccollab.ca/index.php?title=Talk:M365/Home/PowerBI&amp;diff=30563"/>
		<updated>2020-07-31T13:14:15Z</updated>

		<summary type="html">&lt;p&gt;Keith.douglas: Application security resources?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;We've found that doing proper application security with Power BI stuff is hard:&lt;br /&gt;
(a) &amp;quot;Everyone wants to use it&amp;quot;, so lots of activity&lt;br /&gt;
(a2) Corollary: proper software development techniques have to be instituted for a large group, etc.&lt;br /&gt;
(b) Microsoft does not supply elementary diagnostic tools like request-response logs&lt;br /&gt;
(c) The ecosystem does not seem to do much validation (or at least documented as such) on visualizers&lt;br /&gt;
(d) The &amp;quot;SaaS&amp;quot; nature blackboxes a lot of the functions&lt;br /&gt;
(e) Some aspects like returning all of the Undo history to Microsoft's engines as part of the upload are dubious&lt;br /&gt;
etc.&lt;br /&gt;
(f) Microsoft says effectively, &amp;quot;by all means, pentest, but we won't help you understand the result because we won't document our appliances for you.&amp;quot; This is the opposite of the Open By Default principles we are supposed to work with and annoying/hard to work with to boot. (This is a generalization of b, I guess.)&lt;br /&gt;
&lt;br /&gt;
Anyone have any good ideas on the software/application security front here?&lt;/div&gt;</summary>
		<author><name>Keith.douglas</name></author>
	</entry>
</feed>