Knowledge is power. That’s why the most successful businesses today are taking data-driven business intelligence to the next level. They collect vast amounts of information and use data science to discover new customer needs, develop new products and services, and identify trends and opportunities.
Digital companies have taken the lead in this next phase of data-driven decision-making, but it’s now extending across more kinds of organizations and more areas within organizations. Smart CTOs recognize the wealth of data trapped in silos across their business. That could include:
- Metrics tracking customer behavior across multiple channels and lines of business
- Usage data from Internet of Things sensors, which could be used to inform product development
- Clinical data that could inform hospital staffing levels and disease research
- Data that retailers gather across all their stores—customer traffic levels at different times of day, marketing promotions, local weather events, and more—to optimize staffing
In all of these cases, and many others, forward-looking CTOs are seeking to break down barriers between information stores. They see big data technologies as a potential solution—they know that if they can use big data tools to pool all of their organization’s information and apply data science to it, they can tap new insights and enable better decision-making across the organization.
But for CTOs, this shift to big data raises an important question: Once you’ve collected all that data in one place so it can be analyzed, what’s to stop anyone from doing anything they want with it?
To realize value from your data, you need to be able to share it among many stakeholders—internal lines of business, partners, researchers, and many others. But you also have a moral, ethical, and often legal obligation to make sure that data is used responsibly. That means protecting individuals’ privacy and ensuring that their data is used only for legitimate purposes. As you gather more data from more parts of your organization, that gets very tricky very fast.
Consider one example: connected washing machines that transmit sensor data back to a manufacturer. A customer service representative should have access to full customer data to provide assistance. But should the company’s marketing partners? What’s to stop someone from using that data to determine when a specific customer is on vacation and their home is unprotected?
It quickly becomes clear that this is about more than simply checking a box for whether data is “secure.” It’s incredibly valuable to have all that data in one place where it can be analyzed, but you need to ensure that different types of stakeholders can see only the information they legitimately need, and no more.
This is a complex problem, but there’s a straightforward solution. By borrowing “Zero Trust” concepts from the world of networking, you can implement fine-grained privacy and governance controls, even as you expand your ability to share and capitalize on your data.
What Is Zero Trust Data?
Traditional network security was based on establishing a security perimeter to protect “trusted” network segments. But this approach still left organizations vulnerable, because once something made it into the trusted zone, there were few controls limiting what it could do there.
Zero Trust networks emerged to eliminate the trusted zone. In a Zero Trust network, every single connection attempt is interrogated for appropriate authorization, every time. Security is not something applied after the fact as a bolt-on solution; it’s embedded into the network architecture itself. And modern Zero Trust networks use contextual identity—assessing the “who,” “what,” “where,” “when,” and “how” of every connection attempt—to further lock down access.
Zero Trust Data employs these same principles but extends them a layer deeper, into the data itself, so that CTOs can start unlocking more value from the information they collect and giving it to the stakeholders who need it. It starts with cataloging all data and encoding it with a metadata wrapper as it’s collected. The metadata describes not only what the data contains, but also how it fits within the organization’s privacy and governance framework. For example, the metadata might record that a data asset includes Personally Identifiable Information (PII) or Protected Health Information (PHI) and must therefore be treated in a particular way, according to policy.
Next, the system uses an attribute-based access control mechanism to enforce privacy and governance policy. All data can be made inaccessible by default. If the requestor doesn’t have the right attributes—which can include role, location, device type, time of day, and other factors—the request yields a null response.
Finally, a Zero Trust Data system employs an intermediary data processing engine that can repurpose the data on the fly to present different views to stakeholders with different levels of access. So, in the connected washing machine example, a customer service agent could see all of a customer’s data to provide assistance, whereas a data analyst with an affiliated marketing firm could access the same data stores—and even the same records—but would see only de-identified information and trend analytics.
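The three steps described above (metadata wrapper, attribute-based default deny, per-requester views), sketched for the washing machine case as an added example that is not part of the original article. The field labels, attribute names, policy rules and the minimum group size are assumptions made for illustration, and the records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: each record carries a metadata wrapper ("labels")
# that classifies every field at collection time.
RECORDS = [
    {"labels": {"customer": "pii", "address": "pii", "model": "product", "cycles": "usage"},
     "data": {"customer": "A. Rivera", "address": "12 Elm St", "model": "WM-200", "cycles": 5}},
    {"labels": {"customer": "pii", "address": "pii", "model": "product", "cycles": "usage"},
     "data": {"customer": "B. Chen", "address": "9 Oak Ave", "model": "WM-200", "cycles": 3}},
    # "last_seen" was never classified, so it must never be released.
    {"labels": {"customer": "pii", "model": "product", "cycles": "usage"},
     "data": {"customer": "C. Okafor", "model": "WM-300", "cycles": 0, "last_seen": "2024-07-01"}},
]

# Hypothetical policy: required requester attributes -> (labels released, aggregate only?)
POLICY = [
    ({"role": "customer_service", "network": "corporate"}, ({"pii", "product", "usage"}, False)),
    ({"role": "marketing_analyst", "org": "partner"}, ({"product", "usage"}, True)),
]
MIN_GROUP = 2  # assumed threshold: suppress aggregates that describe a single household

def decide(attrs):
    """Return the grant of the first rule whose attributes all match, else None (default deny)."""
    for required, grant in POLICY:
        if all(attrs.get(k) == v for k, v in required.items()):
            return grant
    return None

def query(attrs):
    """Intermediary engine: build only the view the requester's attributes allow."""
    grant = decide(attrs)
    if grant is None:
        return []  # null response, with no hint about what data exists
    allowed, aggregate_only = grant
    # Fields with no label fail closed: labels.get() returns None, which is never allowed.
    rows = [{k: v for k, v in r["data"].items() if r["labels"].get(k) in allowed}
            for r in RECORDS]
    if not aggregate_only:
        return rows
    groups = defaultdict(list)
    for row in rows:
        groups[row["model"]].append(row["cycles"])
    return [{"model": m, "machines": len(c), "avg_cycles": sum(c) / len(c)}
            for m, c in sorted(groups.items()) if len(c) >= MIN_GROUP]
```

The group-size threshold matters for the vacation scenario raised earlier: without it, the partner analyst's "trend" for WM-300 would be one household's zero-cycle week.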
Breaking Down Information Silos
This Zero Trust Data model provides a powerful mechanism to unlock the value of data across an organization, without compromising privacy. With this model, CTOs can let end users apply data science to much more of the information they collect, and begin to harness the power of business intelligence in many more areas.
As an example, imagine a company building a new surgical robot that’s being evaluated by a few key hospitals. The CTO wants to collect all the data she can to understand how surgeons interact with the device, as well as to measure its impact on patient outcomes. The more she can collaborate with surgeons and hospital IT leaders, the better she will be able to guide development and demonstrate the benefits of the solution. But data silos and compliance requirements can throw up major roadblocks.
Since clinical records contain PHI, hospitals can’t just hand them over to the manufacturer. So traditionally, hospitals would have to de-identify that information and create a separate data mart for the initiative. More data will lead to better results for all stakeholders. But more data marts mean greater storage costs, and the more data stores need to be accessed, the more data marts will need to be created, maintained, and secured.
A Zero Trust Data system eliminates this entire overhead. It allows authorized stakeholders inside and outside the hospital to access the same data stores for their diverse needs, while ensuring that confidential information remains private. A participating surgeon is able to access full clinical records. Hospital information management teams can see the number and types of cases treated to help evaluate the solution, but no personally identifiable information. Meanwhile, the CTO’s own analysts and product development teams can now access the same records (with patients’ consent), but see only aggregated information with no PHI.
Taking the Next Step in Business Intelligence
This is just one example of unlocking new business intelligence, in an environment where privacy, consent, and data governance are top institutional priorities. But the same advantages can extend to organizations in any industry. Wherever data is currently locked away inside organizational silos, Zero Trust Data concepts can empower CTOs to unlock big data insights and drive real value.