The Best Solutions to Data Security and Privacy Challenges Require Revolutionary Thinking

The Internet’s original creators worked on technologies to bind contracts to data. They imagined digital contracts attached to our data everywhere it moves; contracts that assert ownership, record provenance, limit use by others and even revoke access. Had these ideas of binding software to data been allowed to mature, the digital landscape would look and function entirely differently. 

Data security and privacy are hot topics in the boardrooms of every organization. Chief Data Officers increasingly need to take an active business leadership role in addressing the complex issues underpinning these topics. Business leaders are realizing that security and privacy cannot be delegated to IT and then forgotten. 

So, what does the CDO need to know about developing data security and privacy solutions?

I interviewed Alan Rodriguez, founder of the nonprofit Data Freedom Foundation and inventor of the Smart Data Protocol, to get his insights. This article is the first in a three-part series, covering initial observations discussed in our interview.

Observation 1 – It’s All About The Data

Derek:

Increasingly, data, privacy, and security leaders are jointly focusing on fundamentals such as identity and access management, privacy compliance complexity, as well as keeping an eye on advanced and emerging technologies such as machine learning, artificial intelligence, zero trust, secure access service edge, internet of things, big data, and blockchain.

Many vendors in the Cyber Security space offer products and consulting services that address access controls, defensive mechanisms, and risk mitigations. They have typically focused their solutions on policies and procedures, physical barriers, firewalls/networks, computers, and applications.

However, at the 2018 MIT CDOIQ Symposium, Thomas Salasa, Director of the Army Architecture Integration Center and CDO at the U.S. Army, made the following important statement:

“Adversaries are not stealing our networks, they're stealing the data on the network, so if the data isn't protected at the data level instead of at the perimeter level, then we're not going to survive moving into the future.”

His challenge begs the question: Are traditional “solutions” largely missing the mark?

How can data protect itself without relying entirely on the established layers of defense, including physical barriers like network security and firewalls, operating system security, and identity and access management to networks and applications? 

Alan:

While a layered security approach will always provide the best protection, our current approaches leave data vulnerable and unprotected at its source. We hear about data breaches and ransomware attacks almost daily. Once the perimeter is breached, or identity is compromised by social engineering, the underlying data is exposed. This hoard of gold doesn’t need to be taken. It needs to be copied at near-zero cost and leave no trace.  

Everywhere our data is copied and stored, it remains inert and passive, with no capacity to control how others access and use it and no capacity to take defensive action and intelligently mitigate risks. 

Our non-profit Data Freedom Foundation team began working to solve this problem over a decade ago. Our mission is to invent consent technology that operates “at the data level.”  Our approach to consent technology secures, protects, and monitors data everywhere it moves. 

We started by adding another layer around an individual’s data. We call this protective shell a Data Container or Data Object. These data containers or data objects wrap the data in software that provide a range of intelligent or “smart” capabilities such as (1) data access control and consent revocation, (2) an immutable state engine for proof of data provenance, and (3) intelligent risk awareness and mitigation.

Smart Data imbues our existing data with all the intelligence other “smart devices” and “smart things” possess, such as self-awareness, group intelligence, programmability, and automation. We accomplish this by binding smart contracts to data that control who, when, where, and how others access and use the contained data everywhere smart data is shared or monetized. 

Derek:

That’s interesting, yes, and of course, recent advancements in cryptographic techniques like Secure Data Containers, Cryptographic Proof of Provenance, Smart Contracts, Zero-Knowledge Proofs, and Secure Multi-Party Computation are finally providing workable solutions. Tell us a bit more about this “smart data.”

Observation 2 – Smart Data Is The Answer

Alan:

Between 1997 and 2011, the World Wide Web Consortium (W3C) and Internet Engineering Task Force (IETF) worked collaboratively through many interrelated efforts to create control architectures for our shared data. Despite this extended effort, no standard coupling data with digital contracts emerged, constraining data usage. You can read more about these efforts in our longer blog post, Creating Digital Rule of Law on Medium.

As a result, the world now faces a profound problem with data and trust. Data propagates online without essential metadata to document ownership, define terms of use, or record its history. This lack of trust (data quality) is the root cause of most data challenges facing organizations of all sizes. Our societal lack of trust in data is also fundamentally incompatible with an open, participatory, and free digital society.

Smart Data Protocol binds software to data as it moves to give our data self-awareness and intelligence, assert its ownership, record its history, and enforce the terms of any contained agreements. Smart Data fundamentally changes the nature of data from the uncontrolled propagation of untrusted bytes to the precisely tailored propagation of high-quality and trusted information.

Smart Data dramatically improves data quality, security, provenance, and trust, amplifying the value generation from all digital and data-driven initiatives. It automates most security, privacy, and regulatory compliance. It improves data comprehension and democratization, boosting digital transformation outcomes. It also solves many edge-compute data architecture challenges by managing intensive data handling between parties at the network edge (near or within user devices), where most data is generated and produces immediate and personalized experiences.

Observation 3 – The Risk-Reward Paradox

Derek:

Data and security leaders often find themselves in a quandary. The data science community and the analytics teams have a seemingly insatiable demand for free — and immediate — access to all the data generated by the organization. This can be challenging when your role is to secure the organization's data.

On the one hand, there is a need to unleash innovation, and on the other hand, there is a need to control risk. This can create conflict, friction, and drama in the best of cultures. 

Due to increasing pressure to innovate and drive value out of existing enterprise data assets, the business may accept high-risk use cases as a competitive necessity. In some extreme cases, businesses shelve high-value use cases until later due to their high risk. Both situations are undesirable and place senior data and security leaders in challenging “no-win” situations. How can Smart Data address this quandary?

ALAN:

Yes, both situations result from missing technology and standards that enable high-value use case exploration that simultaneously constrains the associated risks. 

Because Smart Data automates data policies, regulations, and licenses within and between organizations, it fundamentally alters this risk/reward-related equation. It enables enterprise data and security leadersto drive innovation enterprise-wide with the increased confidence their unique organizational data-sharing risks can be significantly reduced and sufficiently managed.

Smart Data enables enterprise data and security leaders to act as frictionless drivers of innovation and data-driven value generation. It reduces the endless negotiations dialing in the required innovation/risk balance. It helps data and security leaders navigate decision-making between leaders who focus on risk management (privacy, security, compliance, ethics, and risk management) with leaders who must push the risk envelope to outpace competitors (innovation, product, marketing, and digital transformation management).

Put simply, Smart Data enables exponentially more data sharing and value generation with exponentially less risk.

What’s Next?

The second article in this series explores repeating programmatic themes in technology over the last two decades (software-defined networks and storage, virtual computing, and code containers), culminating with the idea of Smart Data (software-defined data). Our third article explores Privacy Enhanced Technologies (PETs) and how they provide the Smart Data Protocol’s most fascinating capabilities.

About the Author

Founder, CEO and Principal Consultant of Gavroshe. Derek has over 3 decades of Data & Analytics experience, including Big Data, Information Resource Management (IRM) and Business Intelligence/ Data Warehousing fields.  He established Data Resource Management and IRM Functions in several large Corporations using Bill Inmon's DW2.0 and the Zachman Framework as a basis. Derek established and managed numerous enterprise programs and initiatives in the areas of Data Governance, Business Intelligence, Data Warehousing and Data Quality Improvement. He is a founding member of MIT's International Society for CDOs.