Like most companies, yours probably has information governance policies in place to govern how the data you collect is used and to ensure compliance with internal and external privacy and security requirements. Likewise, your business is apt to have a tool belt of technologies on hand to monitor and log activity around that data, to restrict access to the information, and to otherwise protect it all from misuse and related dangers.
That’s all well and good. After all, it’s critical that an organization practice good data stewardship, with plans that keep analytics projects from overstepping the boundaries of how certain data can be shared and who can access it, and with solutions in place to stop sensitive data from leaking out of the organization and possibly winding up in the wrong hands.
But as Big Data grows inside the enterprise, so too do the opportunities for companies to make the most of it. The findings of a survey released in December by global software industry advocacy organization BSA | The Software Alliance reveal the importance of data innovation in the modern economy: One-third of senior executives in the U.S. and 24 percent in Europe say they expect 10 percent or more of their companies’ growth to be tied to data analytics. Five years out, those figures grow to 58 percent and 43 percent, respectively.
That means a couple of things: The dynamic between information governance policies and Big Data-driven projects must improve, and tools must go beyond blocking and tackling data usage to more seamlessly facilitating its appropriate use inside a Big Data system.
Adam Towvim, president and co-founder of startup TrustLayers, puts it this way: How can organizations take the privacy policies and regulations that govern proper use of patient, consumer or other sensitive data and keep track of it all at the same scale at which Big Data analytics tools run? How can they not only get ahead of all sorts of data misuse, with its potential fallout of fines and brand damage, but also optimize authorized data use in support of business innovation and growth, so that opportunities aren’t left on the table?
There’s not a lot of time on the clock to get this all in order, either:
“2014 was the year of the data breach,” says Towvim, “but 2015 may be the year of data misuse at Big Data scale. The dirty little secret of Big Data is that when you build this giant haystack you need to have some way to pull the right needles out of it, and the haystack is too big for the tools that exist today.”
Attacking the Haystack
What’s needed – and what TrustLayers is delivering – is visibility into the data flow as it is validated against policies (the accountability factor), he says. Think of it as computing against policies. “We identify the proper use of the data and set almost a blueprint for what that authorized use looks like,” he says. That way, the focus can be on maximizing data use within the appropriate boundaries, not mostly on trying to gate the use of that data out of concern about violating privacy or regulatory requirements.
TrustLayers also eschews the idea of treating authorized data use as a matter of hard-coding policy rules to the data, an approach it says hurts a company when alterations are needed (as policies change) because of the time and resources required to effect those changes. When rules do change, the updates should automatically be applied to all linked data with no user intervention required, the company says.
So, a main idea of its technology is for organizations to create those policies independent of individual data elements, instead applying rules to a higher layer. “The power to represent those policies at a higher semantic level is important,” he says, because it leads to the ability to speedily update policy changes at an organizational level. “Being able to do that and not have to tie things down to data fields is a great opportunity for the whole privacy and governance world,” Towvim believes.
The angle TrustLayers takes to get organizations quickly started and able to scale up with Big Data authorization activities begins with capturing an organization’s policies for modeling, including the option to use policies pre-built at a higher abstracted level for specific industry sectors. Once the policies are modeled, a lightweight API connects them to all the different data sources in use. “It’s really about seeing the data as it is in motion,” Towvim says, which is possible via a real-time dashboard showing users interacting with data. Because the company builds connectors to all the different data sources, “we already have the mapping between the data as it is being moved around and the higher level policies we have created.”
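To make the idea concrete, here is a minimal sketch in Python of what computing against policies can look like: rules are expressed at a semantic level (categories of data and purposes of use), a connector-style mapping ties source-specific fields to those categories, and each data-access event is checked against the current policy. The names, fields and mapping below are illustrative assumptions for the sketch, not TrustLayers’ actual API.

# Hypothetical sketch of "computing against policies": policies live at a
# semantic level, a mapping layer ties raw fields to categories, and every
# data-access event is validated and logged against the current policy.
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Allowed purposes per semantic data category, independent of any schema.
    allowed_purposes: dict = field(default_factory=dict)

    def permits(self, category: str, purpose: str) -> bool:
        return purpose in self.allowed_purposes.get(category, set())

# Connector-supplied mapping from source-specific fields to semantic categories.
FIELD_TO_CATEGORY = {
    "crm.email": "contact_info",
    "ehr.diagnosis_code": "patient_health_data",
}

policy = Policy(allowed_purposes={
    "contact_info": {"marketing_analytics"},
    "patient_health_data": {"clinical_research"},
})

def audit_access(field_name: str, purpose: str) -> bool:
    """Validate one data-access event against the policy and log the outcome."""
    category = FIELD_TO_CATEGORY.get(field_name, "uncategorized")
    allowed = policy.permits(category, purpose)
    print(f"{field_name} ({category}) for {purpose}: {'ALLOWED' if allowed else 'FLAGGED'}")
    return allowed

audit_access("crm.email", "marketing_analytics")           # ALLOWED
audit_access("ehr.diagnosis_code", "marketing_analytics")  # FLAGGED

Because the rules reference categories rather than specific data fields, updating the policy object updates the behavior of every check at once, which is the kind of organization-level policy change Towvim describes.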
The research that led to this was conducted by Towvim’s co-founder, Daniel Weitzner, a principal research scientist at MIT. Weitzner, who was trained as a lawyer, also served in the Obama administration as White House Deputy CTO, where he was instrumental in putting together the Consumer Privacy Bill of Rights in 2012. “For about five years of research at MIT, his research team focused on how to account for the use of all this primarily personal data – data inside what are becoming larger and larger data systems,” says Towvim. Surrounded as he was by computer scientists at MIT, and with his own legal training at hand, “it was a natural fit for him to pose the question of how can we compute against policies, but it was also groundbreaking,” Towvim says. “It really was a question of, as data is coming in, how can you have real-time automated audit and usage control of your policies in conjunction with data use.”
Time for Data-Driven Innovations
With that under a company’s belt, the door is open to a number of data-driven innovations. A chief marketing officer, for example, is now in a position to understand the guard rails around consumer data so that he can run more analytics-informed campaigns in a regulated environment, Towvim says. Or a business unit leader should be able to leverage all the quantified-self data coming from an application for Internet-connected devices, like wearables, and use it at scale with every confidence that the rules are being followed.
Being able to innovate with data on the appropriate terms, with accountability, is the offensive complement to the security layer’s defensive position.
“You can’t blame offense. Those executives want to collect as much information as possible and draw correlations and advance the business or the mission of the organization,” says Towvim. “The challenge is that the defensive side – legal, privacy, compliance, governance – until now has had no tools to keep up with those Big Data analytics.”
Now they can, including accounting for some complex nuances, such as issues of consent management with patient data. A patient may initially consent to have her data applied for both not-for-profit and for-profit purposes, such as running her sample across multiple trials with an eye to a pharmaceuticals firm developing a new drug. “It’s very inefficient today to monitor complexity around use limits,” says Towvim. If a patient revokes some permissions, no longer allowing her samples to be used for for-profit research, a drug firm must be able to automate its systems so that changes to usage rules automatically flow throughout the organization. “Just managing that flow and monitoring downstream use is an example that is desperately needed,” he says, noting that some of the company’s early customers are using TrustLayers for just such use cases.
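As a hypothetical illustration of that consent-revocation flow, consent can be tracked centrally per patient and purpose, with every downstream use checking the current record at the moment of use, so a revocation takes effect immediately without rewriting rules attached to individual records. The names and structure below are assumptions for the sketch, not the company’s implementation.

# Hypothetical consent-management sketch: a single consent record is the
# source of truth, so revoking a purpose changes all downstream checks at once.
CONSENT = {
    # patient_id -> set of purposes the patient currently permits
    "patient-123": {"non_profit_research", "for_profit_research"},
}

def may_use_sample(patient_id: str, purpose: str) -> bool:
    """Check the latest consent record at the moment of use."""
    return purpose in CONSENT.get(patient_id, set())

print(may_use_sample("patient-123", "for_profit_research"))  # True

# The patient revokes for-profit use; no per-record rules need rewriting.
CONSENT["patient-123"].discard("for_profit_research")

print(may_use_sample("patient-123", "for_profit_research"))  # False
print(may_use_sample("patient-123", "non_profit_research"))  # True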
The technology also is being applied to predictive segmentation use cases, he says, such as validating data use against policies in a financial services organization to determine whether an individual is an appropriate credit risk.
“Data is the new currency,” says Towvim. “Why shouldn’t data be validated?”