The Data Breach Collab is an iOWN Council Proof of Concept (POC) project that will assess the impact of data ownership on the sharing of data breach information for the purpose of collaborating on new solutions in the fight against cyber crime.
A 'Zero-Copy' data management environment that supports owner-defined and universally-enforced access controls PLUS anonymization PLUS precision auditing is sufficient to create the conditions for organizations to contribute sensitive breach information and collaborate on building solutions in the fight against cyber criminals.
VIEW / ADD / EDIT
Granular to the cell
Identifiers anonymized at source
Right to be forgotten
Control operational use
Assign temporary owners
Incident Data Sources
Supports Data Linking, Universal Access Controls, Data Collaboration, and
No Code solutions. Hosted on-prem or private cloud.
Data Viz + Data Audit Tools
PROPOSED DATA GOVERNANCE
The POC operationalizes a Privacy by Design approach
Breach data is never copied
Breach data cannot be downloaded
Breach data can be fulsomely deleted (right to be forgotten)
Access to identifying data is fully-controlled by data owners
All incident reporters and reports are verified
Only data owners can grant (or withdraw) access to breach data
Only certified builders and auditors can request access to breach data
All data engagement (views, changes, queries) are visualized for owners
Data enrichments enabled by Universal Access Controls set by data owners
Person to Person
Person to System
System to System
The iOWN environment supports no code and lo code solution delivery which is powered by the Zero-Copy Integration framework that preserves Universal Access Controls.
Note: having access or log-in to a solution powered by the system does not give the user access to any data to which an owner has not granted them access.
Data Model approval (iOWN Council)
Public demonstration / webinar
The iOWN Council welcomes data privacy, data protection, data law, data compliance, and IT professionals with a passion for data ownership and data collaboration to join us on this and other projects in support of meaningful data ownership.
What makes the controls "universal"?
In short, the elimination of copies within the Dataware platform are what make the controls universal.
This is especially important when putting the data to use (aka "operationalizing" the data) by building new solutions to fight cyber crime such as dashboards, alerting systems, and consumer-facing apps.
This approach to data protection is sometimes referred to as "data minimization" and it is becoming increasingly common among modern data management systems. In principal, it is not unlike controlling the value of currency via anti-counterfeiting design features.
The universality of the access controls refers to the fact that it is the data owner and the data itself (not some external piece of code in an app) that manages access.
When an owner defines access to their data, it is enforced everywhere.
What types of data controls are available to data owners?
This stands in contrast to managing access controls across thousands of apps and the tens of thousands of copies that apps create as part of tradtional data integration.
Here's a breakdown of the controls:
Can the controls be handed to a steward or custodian?
Yes. Once of the many access controls available to data owners is the ability to give a user or group "control of the controls" and grant them temporary ownership (aka custodianship or stweardship) of their access controls. This stutus can be easily revoked by data owners at any time. A typical custodian would be a colllague working at the same organization and this process can be further bolstered by owner-defined rules.
How will hackers be kept out of the system?
The system can be hosted on premise or private cloud and the choice of hosting envirnments and related security regimes will go a long way towards improving cyber security. That said, no IT environment is 100% secure, but privacy-by-design features including owner-defined and highly-granular access controls, auto-anonymization, and the defaul elimination of download capabilities will place this system at the leading edge of data security.
Do system users have anonymity?
Yes. The plan is to work with one or more PET vendors to connect to the core Dataware platform in order to offer automated PII detection and anonymization capabilities.
Do organizations have anonymity?
Yes. The plan is to work with one or more PET vendors to connect to the core Dataware platform in order to offer automated organization, brand, and product name detection and anonymization capabilities.
Can any user or group work with non-anonymized data?
No. However, part of the proof of concept will be exploring whether any person or group should be granted clearance to access non-anonymized data.
Who has access to the system?
The prototype will be designed as an open system open to anyone (globally) to enter data breach incident information. However, all users and reports will be verified through a combination of automated features and human fact-checkers.
Typical users will include data security, data compliance, data governance, and risk management reosurces working for private and public organizations.
How are breach reports validated?
More details coming soon.
How are system users validated?
More details coming soon.
Can databases be connected to the system?
Can spreadsheets be connected to the system?
Yes. See the answer about "Databases" for more details.
How is Data Governance managed?
The Dataware platform being used for the POC supports the creation of data domains. That said, we have not yet determined the exact nature of the schema / architecture for the POC and so this one of the many challenges that will be addressed during the course of the project. That said, the universal access controls are owner-defeined and immutable by anyone but the data owner themselves, and so this is very much a privacy-by-design environment.
How is Data Mastering managed?
Description coming soon.
What is "Zero-Copy Integration"?
Zero-Copy Integration refers to the ability of the Dataware paltform used for this POC project to generate a new data model based on a saved query. Multiple such models can be created all pulling from the same physical data. The only requirement for this process is for the query builder (aka "Builder") to have query access to the data and this can only be grantedf by the data owners.
This stands in contrast to the traditonal approach of IT delivery which would require each new operational / transactional solution (app) to be supported by a new database silo which itself would need to be populated with copies of data exchanged from other apps and systems. This is how access controls are eroded and end with data ultimtely being copied to spreadhseet or othe rnon-sanctioned environment (at which point control over data access is lost completey.)
What types of solutions can be created to fight cyber crime?
The project will be able to demonstrate working prototypes of data-centric solutions, including, but not restricted to the following:
Pattern detection Systems
Can this system be used to train AI/ML tools?
Yes, the Dataware platform can be used to train and operationalize data from connected ML engines.