We never set out to work at the intersection of compliance and technology; it just sort of happened that way. From developing a world first Hadoop solution that was both favorably HIPAA and PCI accredited, to APRA approval for public cloud data migration, to our to our latest efforts with our blockchain-based identity trust, we’ve been working in this space a while.
So when I read the article on a nightmare data access request (you can find that article here), my thoughts naturally went to “hey, we can help with that”. The article points out nine high level requests that would cause compliance issues for companies without established business processes and backed by technology designed to address requests such as these. We’ll briefly go through each high level item and see whether or not our platform can impact its fulfillment:
- When using an identity established in our data trust platform, it’s relatively straight forward to respond with the full details of the created identity. All identity related information is grouped together and encrypted using entity specific keys, making retrieval a single point of access.
- Our grant-based system ensures that identity use is recorded and approved by all parties.
- Sharing (opt-in) can only occur when allowed by the individual, and is then publicly-to-the-participants recorded on our blockchain implementation and is easily audited.
- Access to identities are granted until revoked, something that can happen by either party at any time.
- Identity information is cryptographically and uniquely keyed to each individual making storing information a joint venture on behalf of both the company and individual.
- This is not specifically addressed by our platform.
- This is always a concern in any system, but by having good key management policies, as well as encryption-by-default, it’s less likely that a disclosure would result in information being accessible. An attacker would have to compromise: the encrypted data store, the business wallet, and the individual wallet to obtain the necessary decryption keys. None of these systems have default trust lines established. And it’s difficult, though not impossible, to pin keys to data without prior knowledge.
- Our blockchain audit records can assist, though not fully implement, requests such as this. Well implemented logging helps, which is a key feature of our underlying DataNexus platform.
- This is an ongoing problem. Regardless of data being encrypted at rest or in flight, it needs to be readable by both business processes and any humans involved in those processes (such as customer support). This gives an opportunity for disclosure, whether accidental or on purpose. While logging and access records can assist in auditing, full prevention is still difficult.
While we responded at a high level (and the implementation details are always messy), hopefully you have a better understanding of how our data trust can help businesses respond to ever-changing regulations, especially in a distributed economy with points of presence across the globe. As technology matures, and we get more history implementing our solution across various business verticals, we hope we can make responding to requests such as these easier, and hopefully, pre-emptive.
Our continuing challenge is to evolve the platform to be flexible and accommodate more and more business use cases, while still remaining true to our goals. As always, you can reach out to me on twitter at @cnkeller or firstname.lastname@example.org and Eddie at @eddie_satterly or email@example.com.