

Title:
PRIVATE AND CONFIDENTIAL DATA PROTECTION USING VOLUNTARY DECOMPOSITION AND EXTERNALLY OWNED STORAGES
Document Type and Number:
WIPO Patent Application WO/2016/027129
Kind Code:
A1
Abstract:
Operators of IT systems that collect, store and process private or confidential data can, instead of continually increasing their use of security technologies such as cryptography, electronic data transmission protection, end user device protection, access control systems, intruder detection and similar measures, follow the invented approach: eliminate the private or confidential data right at the entry point of the IT system (for example a user interface form or a packaged data processing routine) by decomposing it, combined with cryptography, and transmit the resulting data pieces to externally owned storages, which are organized into a system and operate on the principles described. As a result, none of the IT systems stores complete private or confidential data, and a breach of a single participant's security does not severely affect the protected data. The original protected data can be composed back at the same IT system's exit points (for example user interface forms, reports, data export routines) at runtime. Standard data processing capabilities such as data querying remain available to the IT system operators, though in a partially limited scope. During setup and use of the invented data protection method, its parameters can be adjusted to legislation requirements or to corporate data processing and security policy needs.

Inventors:
LUZHETSKIY MIKHAIL (EE)
Application Number:
PCT/IB2014/063995
Publication Date:
February 25, 2016
Filing Date:
August 20, 2014
Assignee:
LUZHETSKIY MIKHAIL (EE)
International Classes:
G06F21/60
Domestic Patent References:
WO2012178055A12012-12-27
Foreign References:
US20110099365A12011-04-28
Claims:
CLAIMS

1. The invented data protection method comprises:

• Parametrical and programmatic setup and adaptation of the operational execution of the invented private or confidential data protection method, which allows it to comply with regional or national legislation requirements, corporate practices and policies, real protection needs and the architectures of users' IT systems;

• Protected private or confidential data is fully or partially eliminated right at the entry point of the IT system (the system in which the data is supposed to be protected) using decomposition and cryptography techniques.

• Decomposed data pieces are spread across several externally owned special storage services, and the original IT system receives back only specially generated identifiers of the entire protected data instance or of its separate parts, together with additional hash values computed from some attribute values or compositions of attribute values, in order to preserve data query capabilities for the IT system operator.

• As a result of the proposed data receipt and store procedure, none of the participants can claim to hold private or confidential data, because it has been eliminated and spread across different independent participants.

• Nobody besides the IT system operator, or recipients designated by the operator, can retrieve and compose the original private or confidential data, because only the operator has all the knowledge of how to retrieve the independent data pieces and compose them together. This "knowledge" is not the private or confidential data itself, is not depersonalized private data, requires a lower security protection level than the original data and is typically not subject to statutory regulation. The more precise the limitations the operator has placed on data piece retrieval, the lower the protection level required for the "knowledge" itself.

• Protected private or confidential data is retrieved and composed back to its original state only at the IT system's information exit points (user interface, reports, export routines, etc.), which requires the "knowledge" mentioned above and compliance with the previously specified data piece retrieval limitations.

• Protected private or confidential data is not transferred over corporate or open networks in composed form, whether open or encrypted.

• Possibility of flexible and rapid adaptation and enhancement of the executed steps and logic without changing the invented data protection method itself or the basic data protection principles mentioned in the method description.

2. The invented data protection method is characterized by:

• the possibility to adapt to typical regional or national private and confidential data protection legislation without changing IT systems, data processing techniques or the IT system operator's business processes;

• the possibility to be applied to typical corporate and internet systems with small integration effort, based on standardized instructions;

• no dependency on the level of protection of secrets (keys), as exists in cryptographic methods or other data manipulation protection methods;

• allowing partial or full exclusion of the IT system's operator from the jurisdiction of typical private and confidential data protection legislation, for original data of any complexity that is subject to protection;

• applicability to IT systems owned and managed by the operator or only used by the operator (i.e. cloud IT systems);

• the possibility to remove the risk of protected data security incidents when data is processed in cloud IT systems owned by different parties;

• irrespective of the IT system's physical location, allowing protected data pieces to be stored in a required geographical area or with required storage partners;

• no dependency on the programming languages used in the IT systems, because open worldwide standards are followed.

Description:
Private and confidential data protection using voluntary decomposition and externally owned storages

[0001] BACKGROUND

[0002] Private and confidential data (hereinafter "data") protection is gradually becoming a more sensitive matter for companies worldwide; it can result in significant losses in case of non-compliance with legislation, security incidents or claims from data subjects or data owners. In parallel, states are increasing the level of formal regulation of the collection, processing and protection of such data, and in some cases link inappropriate corporate behavior in data protection, especially in Internet or public systems, with violations of national or regional security. Most of the developing legislation requirements in various states and regions, data protection technologies and data security violation technologies currently lead to significantly increasing costs of secure and compliant collection, processing and protection of such data for companies that operate information systems and databases containing private and confidential data (hereinafter "IT system operators").

[0003] As an alternative approach, it is proposed to eliminate data before its transmission from the client device, using voluntary data decomposition at the attribute or binary level, and to store the resulting data pieces, after optional encryption, in pseudo-randomly selected independent storages that do not legally belong to the IT system operator. The operator stores only special identifiers, which allow the operator or specifically designated subjects to request and receive the data pieces and compose the original data. Data piece storage operators have no direct possibility to identify other dependent pieces or to identify where the other pieces are stored across the entire network of storage operators.

[0004] FIELD OF INVENTION

[0005] The present invention relates to data protection in information systems (both internet-oriented systems and internal corporate systems). "Data" here and below means mainly private and confidential data, any security incident with which can be a sensitive event for the IT system operator and its market position, or for the owner of such data.

[0006] PRIOR ART

[0007] In recent years the key focus in private and confidential data protection has been on the development of technologies and techniques that allow the IT system operator to protect data in each IT system element, from its collection from the data source up to its presentation to the data consumer. The key characteristics of these technologies and techniques are:

(i) minimizing changes in the business applications;

(ii) using cryptographic algorithms, or any combination of them, as much as possible in order to reduce the number of measures needed to protect data from leaks through technical channels;

(iii) strengthening organizational measures of information protection and developing more complicated policies and control techniques.

[0008] Thus, the more complex the IT system is, the more complex the technologies, processes and policies used on top of the business applications in order to reduce the risk of security incidents with protected data. Among others, cryptography, electronic data transmission protection technologies, end user device protection technologies, access control systems, intruder detection technologies and similar areas fall into this category (hereinafter "traditional data protection technologies and techniques").

[0009] One independent approach that allows IT system operators to reduce the required traditional data protection technologies, and which works only for private data, is the depersonalization approach. It assumes splitting private data attributes among separate databases, exchanging them, or other manipulations of private data attributes in order to lower the mandatory protection category of a particular IT system subsystem, component or module. To follow this approach, IT system operators have to make significant changes to the IT system's data models, data storage and data querying logic, maintain logically connected relational or post-relational databases, and protect all the data across what is most likely a distributed IT system.

[0010] DETAILED DESCRIPTION

[0011] The present invention assumes the participation of the following participants in data protection:

(i) the private data subject or the legal owner of the confidential information (participant type A);

(ii) the operator of the IT system that collects, processes or stores the protected data (participant type B);

(iii) the organization that coordinates and supports the use of the invention (participant type C);

(iv) the network of independent electronic data storage operators that provide store and retrieve capabilities, standardized by the coordinator, to the IT system operators (participant type D).

[0012] Participants should have the following contractual relationships: type A with type B, type B with type C, and type C with type D. The particular legal model of the relationship between type A and type B participants can vary among countries or regions and depends on national or regional legislation.

[0013] The invention assumes the following fundamental principles, followed by the IT systems and participants:

(i) participants of types C and D, neither legally nor in fact, have the possibility to determine which pieces of private or confidential data they process or where other pieces of the related data are located among them, nor do they have the possibility, using any reasonable combination technique, to determine the relationship between data pieces or to obtain the actually stored private or confidential data;

(ii) participants of type B do not store any decomposed or depersonalized private or confidential data in their databases or IT systems, and do not expect the transfer of the complete set of protected data in open or encrypted form over corporate or open networks;

(iii) participants of types A and B have full ability to retrieve the stored data and restore the original protected data using the information available to them, subject to the data retrieval limitations set by participants of type B for participants of type D via the participant of type C. In most cases, participants of type A will need to use the IT systems of their contracted participants of type B;

(iv) protected data collected at the entry point (which can be a user interface form or a received electronic package with data) never leaves this point as is, in any open or encrypted form (where the data's protection level would be determined by the security strength of the traditional data protection technologies used);

(v) protected data should be restored to its original content only at the exit points (a user interface form with detailed data, a report (set of data), data export routines and similar exit points). The invention's principles do not prohibit a participant of type B from doing so at other points, which is then its full responsibility.

[0014] The invention assumes separation of the entire process into three phases:

(i) pre-operational phase: the set of events and activities that happen before typical operations with private and confidential data (collect, process, store) start;

(ii) operational phase: the set of events and activities involving operations with particular private or confidential data;

(iii) post-operational or maintenance phase: the set of events and activities that may or may not happen and that relate to operations with protected data, to the IT systems that process this data, or to the parties' contractual obligations.

[0015] In the pre-operational phase the following tasks are assumed to be executed:

(i) based on policies, data processing purposes and other reasons relevant to the participant of type B, provide the variable parameters of the invented data protection method to the participant of type C in order to (a) distribute them among participants of type D; (b) generate, where available, final program libraries for the particular technologies used in the type B participant's IT systems; (c) follow them during the operational phase, when the participant of type C takes part in the invented data protection method;

(ii) incorporate the generated libraries into the original IT systems of the participant of type B with the minimal possible changes, and extend the data query capabilities of these IT systems to use other known methods, such as hashes, instead of querying the databases with open data queries.

[0016] Key variable parameters of the invented data protection method are:

(i) details of the protected data decomposition approach on the client side of the type B participant's IT systems. It can be either attribute-based or binary-based decomposition. In attribute-based decomposition, the participant of type B specifies which attributes of which protected data go into which data piece during decomposition. The binary approach assumes the specification of bit masks or other bit-picking rules, which are applied to the protected data represented in binary form (for example, when the source data is split by attributes, it can be a JSON, XML or otherwise formatted string generated according to a single set of rules from particular data attribute values).

(ii) data piece retrieval limitations imposed by participants of type D on the IT systems of participants of type B or other undetermined requestors. These limitations can include (but are not limited to): known or unknown IP addresses, domain names, requestor locations, additional authentication means, digitally signed requests, a hash of some protected data attributes or parts of them (or a separate password instead of a hash), the identifier or public key of particular authorized recipients, or other similar limitations, which allow participants of type B to reduce security risks and/or to follow the legal rules of some countries for cross-border data transfer or other similar rules.

(iii) participant type D selection limitations during store operations performed by the IT systems of participants of type B. Such limitations can include the physical location of participants of type B, time or volume limitations, frequency limitations and other similar limitations required by the data protection policies of the participant of type B or by national or regional legislation. This is done while the participants still follow principle (i) specified in paragraph [0013].

[0017] The operational phase of the invented data protection approach starts at the moment when, at an entry point into the type B participant's IT system, protected data attributes first become available to the IT system (entered by the user or received from an electronic message), or a binary array with protected data first becomes available to the system. Operational cycles assume the following types of situations: new data arrives, data must be retrieved at an exit point, data must be changed, data must be deleted.

[0018] When newly arrived protected data must be stored, the following steps are performed at the entry point instead of storing the protected data in the IT system of participant B:

(i) request a list of available participants of type D from the participant of type C, or retrieve this list from a cache. The request carries the identification of the participant of type B, the identification of the type B participant's IT system (optional) and the type of protected data (optional). The result is a list of possible type D participant names (addresses), in the maximum available quantity or a reasonably required quantity;

(ii) perform protected data decomposition based on the specified algorithms (see above) and, if so specified and if possible, encrypt the resulting decomposed data pieces as an additional security measure; each data piece can, after decomposition, be extended with the generated identifier of the previous data piece (when processing from end to start), which allows the type B participant's system to store only the identifier of the single last data piece in its database and, because of the encryption, prevents participants of type D from determining where the previous piece of data is stored;

(iii) send the final data piece to a participant of type D randomly selected from the previously provided list. The data piece is stored there and the data piece identifier is returned. It is possible to determine which participant of type D an identifier belongs to only via the participant of type C, who keeps the periodically changing identifiers of participants of type D.

[0019] When stored data must be modified, the delete and submit steps are used.

[0020] When stored data must be deleted, the IT system of the participant of type B provides to the participant of type C the list of identifiers previously received during the store phase, together with the expected authorization data. The participant of type C performs the data removal internally among the required participants of type D. Other variations of this step are possible as well, but the risk of unauthorized data deletion should be reduced.

[0021] When protected data must be retrieved, the exit point of the type B participant's IT system sends a request to all participants of type D based on the part of the data piece identifier that allows the participant of type C to provide the actual name (IP address) of the participant of type D. Together with the identifier, the request carries the type B participant's identification parameters and any required data piece retrieval limitation parameters (such as passwords, digitally signed data for verifying the requestor's public key, or others). After all the data pieces have been received, composition is performed. After composition, the data is returned to exit point locations such as entry fields of a user interface form, IT system method parameters, cells or lines of a generated report, and others.

[0022] The post-operational phase assumes any one-time data retrieval or deletion requests from participants of type B to the participant of type C. These can be requests such as "provide all the data pieces submitted by participant type B" or "remove all data pieces submitted by participant type B", or other types of requests required for maintenance of the entire data sets, leaving participants of type B all rights to process the data they own or operate.

[0023] In order to leave participants of types A and B the data query capabilities that are based on knowledge of particular data attribute values or value intervals, known techniques for generating hashes should be used at the time of new protected data processing and decomposition, and the hashes stored in the type B participant's IT systems in existing or new data attributes. Other data processing needs are covered with known techniques as well.
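The store and retrieve cycle of [0018] and [0021], together with the query hashes of [0023], modelled in Python as an added illustration that is not the applicant's code or any implementation of the patent. The three type D storages, the type C alias table, the HMAC-based stand-in cipher, the operator key and the sample record are all assumptions of this example.

```python
"""Store/retrieve cycle of [0018] and [0021] plus the query hashes of [0023].
Illustration only: storages, coordinator aliases, the stand-in cipher and the
sample record are assumptions, not the applicant's specification."""
import hashlib
import hmac
import json
import secrets

# Hypothetical type-D storage network: storage name -> {piece_id: ciphertext}.
STORAGES = {"D1": {}, "D2": {}, "D3": {}}
# Type-C coordinator table: opaque (rotatable) alias -> storage name, so an
# identifier alone does not reveal which storage holds a piece ([0018] iii).
ALIASES = {secrets.token_hex(4): name for name in STORAGES}

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 counter keystream) so the example runs
    # offline with the standard library; it only models "encrypt the piece".
    out = bytearray()
    for ctr, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)

def enc(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, data)

def dec(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def query_hash(key: bytes, attr: str, value: str) -> str:
    # Keyed hash of the normalised attribute: B can still run equality queries
    # without holding the value, and the key hinders guessing low-entropy values.
    msg = f"{attr}={value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def store(record: dict, layout: list, key: bytes, query_attrs: list) -> dict:
    """Entry point at B: attribute-based decomposition per `layout`, pieces
    chained from last to first, each sent to a random type-D storage. B keeps
    only the last piece identifier and the query hashes ([0018] ii-iii)."""
    prev_id = ""
    for attrs in reversed(layout):
        piece = {"attrs": {a: record[a] for a in attrs}, "prev": prev_id}
        blob = enc(key, json.dumps(piece, sort_keys=True).encode())
        alias = secrets.choice(sorted(ALIASES))   # random type-D selection
        pid = secrets.token_hex(8)                # identifier returned by D
        STORAGES[ALIASES[alias]][pid] = blob
        prev_id = f"{alias}:{pid}"                # travels encrypted in the next piece
    return {"last_id": prev_id,
            "hashes": {a: query_hash(key, a, record[a]) for a in query_attrs}}

def retrieve(last_id: str, key: bytes) -> dict:
    """Exit point at B: resolve the alias via the coordinator, fetch and
    decrypt each piece, follow the chain and compose the record ([0021])."""
    record, cur = {}, last_id
    while cur:
        alias, pid = cur.split(":")
        piece = json.loads(dec(key, STORAGES[ALIASES[alias]][pid]))
        record.update(piece["attrs"])
        cur = piece["prev"]
    return record

def plaintext_in_storages(needle: str) -> bool:
    """Does any type-D storage hold the given value in clear? Should be False."""
    return any(needle.encode() in blob
               for storage in STORAGES.values() for blob in storage.values())
```

What B retains after `store` is an opaque identifier and hex digests only; the check `plaintext_in_storages` is the kind of assertion a reviewer would run to confirm principle (i) of [0013] holds for the storages.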

[0024] The invention is used on top of all data protection measures that the protected data owner wants to use in order to reduce security risks, and especially the risk of protected data leaking over technical channels. The invention is not intended to replace such security measures.

[0025] A variation of the described approach is for each participant of type B to perform all possible functions of participant type C independently, but with mandatory use of legally independent participants of type D.

[0026] BRIEF DESCRIPTION OF THE DRAWINGS. There are no drawings presented.

[0027] UTILITY

[0028] The utility of the present invention lies in the significant reduction of the security expenses of protected data operators, because there is no longer any particular IT system where personalized or depersonalized protected data is stored. The invention allows legally required limitations on private and confidential data processing to be implemented with minimal monetary and time costs, without abandoning the IT systems currently used by the operator (which in a significant number of cases are not fully controlled by the operator). The invention also allows resilience against disasters, unauthorized data modification and data theft to be increased without relying on traditional IT infrastructure components, whether owned by the operator or outsourced.

[0029] DESCRIPTION OF THE BEST EMBODIMENT

[0030] Because of current worldwide trends in the rapid spread of cloud computing, SaaS, PaaS, IaaS and similar offerings, the strengthening of national and regional legislation on private and confidential data protection, and the wide demand for alternative data protection solutions from companies of every type (from small to multinational, from manufacturing to banking), the best embodiment of the invention is seen as an internet service that performs the functions of participant type C, together with independent internet services that perform the functions of participants of type D and are contracted with the participant of type C; the participant of type C can then support participants of type B with automated generation of program libraries based on the invention's logic and provide them methodical support in overall private and confidential data protection.