Building Trust by Protecting the Data, not Just the Database
Written by Rich Truex & David Hough
It’s the digital age, so do you really know who you are talking to out there on the Internet? Is it the person or business you think you are communicating with? Or is it an imposter, or a fraudster, or someone who has stolen your identity or your business or just your money? The answer is that you don’t, which is why eNotus is proposing a new and innovative solution in response to the G20/B20’s concerns about the lack of trust in the International SME trade community. We call this solution the Global Trust Registry (GTR).
There are many reasons we are having trouble with the trust issue, but in our opinion the one that is most overlooked is the incompatibility of the technology and our continued dependence on the relational database – a dependency that is global and goes back to the beginning of the computer age. We think that the solution is simple – change the database architecture to one that protects the individual data elements and not just the database. We acknowledge that making the change will not be easy. Nevertheless, it must be done. So let’s step back and have a look at how we got here and what we need to do to make this change.
First we need a “process”. The one I learned in high school, the one that has always worked for me, is what is known as the 5 W’s + H – the evaluation of the Who, What, Where, When, Why and How of the problem. Keep in mind that the order is not as important as the substance of each category.
Who. In the beginning there were only two parties conducting business – the buyer and the seller. They looked each other in the eye, took measure of the “trust”, and if agreement was reached, they shook hands. In today’s world of global trade, with many more players, mostly unknown to each other, and very little face-to-face time, the process has changed. As goods, services, information and money travel greater distances and across international boundaries, the complexity has multiplied. The supply chain is now long and complex, with an increasing need to protect both business and national interests. It’s the “Wild West” out there and many players, known and unknown, are now involved.
What. Whether it is identity theft, changing the content, or redirecting the financial components of a business transaction, data stream interdiction, corruption and manipulation are on the increase worldwide. Digital information can come from anywhere and go anywhere and there is, with today’s data management architecture, little one can do to stop it. Nothing seems to work. Encryption, passwords, firewalls, and certification stamps have all been tried and yet we remain at least one step behind the hackers and the fraudsters – and falling farther behind.
Where. There are two places where we are most vulnerable – in the networks where the data is moved and in the databases where the data is stored. Although both have “firewalls” and other forms of protection, once inside, perpetrators have access to all of the data and all the time in the world to do just about what they want. The bigger the database, the greater the opportunity and the greater the reward.
When. Sometimes a new way to do things is not introduced in time to keep us from becoming permanently “stuck” with the old way. The best example of this is the typewriter/computer keyboard, also known as the QWERTY keyboard. Introduced in the 1860’s, it was designed, on purpose, to be inefficient. The idea was to slow down the typist by placing the most used keys opposite the weakest fingers on the weakest hand. By the time computerized technology came on the market, the jammed key problem was long forgotten. It was too late to change the keyboard and we are stuck with it forever.
So the question now before us is “can we make a fundamental change to the way we store data before it is too late?”
Why. Why is this a problem and why is it so hard to fix? The short answer is that it is because we are still focused on protecting the database – the one component of the information age that has not changed in over 35 years. The relational database (DB2, SQL and Oracle), the database that makes big data possible and data storage so practical, has become the de facto “standard.” It has not changed because it works. It is what we all use. It is everywhere, which is why our concern is that if it becomes the “QWERTY keyboard” of data storage, it will make creating a trusted commerce environment virtually impossible. We have to act now!
How. Now for the hardest part – how do we fix this problem? By “reversing the telescope”. (Note: hang in there, as understanding this concept is very important.) About 500 years ago the astronomer Copernicus discovered that the sun, not the earth, was the center of our solar system. It took another 300 years of denial before the Vatican got on board and agreed to look at our solar system from the opposite direction – hence the expression “reversing the telescope”. A more contemporary example took place during the early days of television. Recording a half-hour, black and white TV show required a kinescope machine, a sort of tape recorder about the size of a kitchen table with a fixed head and two 12 inch diameter reels of two inch wide tape. When color TV came along, with its need for a much wider spectrum of “electrical energy,” the reels grew to 60 inches and required a tape strong enough to withstand very high speeds as it moved across the fixed head. It didn’t happen. The problem was finding a tape that was strong enough to withstand the increased stress and higher speed. What did happen was that some enterprising engineer thought it would be easier to slow down the tape and have it pass over a rotating head. And so the VCR was born. It was much smaller and had new features such as fast forward and slow motion. The engineer “reversed the telescope.” Lesson learned: we need to do the same for the GTR.
It’s the data, not the database!
Isn’t it interesting that while new ways of doing things and new technologies in the information age are seemingly introduced every day, we are still using SQL, DB2, or Oracle relational databases and have done so for so many years! Consequently, our focus has been to protect the database and not the data. Oops! Is it too late to reverse the telescope? Or has the relational database mindset become our next QWERTY keyboard?
At eNotus we believe that it is not too late. We also believe that not all data is the same. There is transactional data, personal data, unstructured data, research data, conversational data, protected data, Big Data and Small Data. The variety is almost limitless, which is why you can’t provide the security and protection required for each type by only protecting the database. You have to reverse the telescope! You have to look at the problem from the data side.
There is precedent for this in the way we do paperless business today. Since the late 1970’s Electronic Data Interchange (EDI) has steadily become the global standard for conducting computerized B2B business. EDI is highly structured and transactional. Each message/transaction has its own codes and syntax provided by specialized translation software. Hacking a company’s database is not possible without knowing all of the “rules.” Furthermore, each transaction requires a specific acknowledgement of receipt and content, thus immediately alerting both parties if there is any intrusion. In other words, it is the data that is being well protected as it moves around the world, not the database.
Now let’s have a look at how we store (and protect) the other business data we care about – the details of the business relationship that are needed to establish and protect the trusted relationship. We can do this by reversing the telescope. To explain…
Suppose there are 100 million small and medium enterprises (SME) around the world each with their own website, apps, and associated (relational) databases that provide information about the company, their products and services, and how they conduct business. Supporting these businesses are banks, customs and shipping, government, tax and insurance, and other participants in the global supply chain that also have their own databases. In other words, SME data is everywhere in millions of databases, known and unknown, and with varying degrees of protection. No wonder we are having problems with trading partner trust.
Now, let’s reverse the telescope and create a system where each SME has all of its data in a single, protected location. Using the concept known as the “single version of the truth”, the objective is to have only one “secure place” to source and store the original and only version of that data. There may be other versions of that data in other locations, but their accuracy is not or cannot be validated as correct, up-to-date, and tamper free. Thus, only the original data can be trusted and only those with proper authorization can use it or replicate it as needed. All of the data sent, received, and stored is kept in a unique database known as a single-object datastore (SOD), which, unlike a relational database, has object-level security for each independent and separately managed grouping of SME data.
The typical business cycle would be as follows. An SME wishing to do business with another SME must first be granted access to the SOD through a special identification and registration validation registry (in this case the Global Trust Registry or GTR) operated by the independent SOD administrator (in this case the ICC or its designee). The architecture would be closed ended and transactional, so each structured contact/request would require acknowledgement, recording and review by the receiving SME – all in real-time. As the owner of that data, the receiving SME would have full visibility of the process, knowing that the sender was who they said they were and that they were actually at the other end. The result would be fewer databases (only one for each SME), less data maintenance, greater security, greater accuracy, greater awareness, infinitely more control, and far less expense.
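To make the object-level model concrete, here is an added sketch (not eNotus code, and not part of the original article) of a store in which every object carries its own access list and integrity tag, and every request is recorded for the owning SME to acknowledge. All names (`REGISTRY`, `SingleObjectStore`, the sample SMEs) are hypothetical, and the use of an HMAC as the tamper check is an assumption, since the article does not name a mechanism.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

REGISTRY = {"sme-a", "sme-b"}  # constructed stand-in for GTR-validated identities


@dataclass
class DataObject:
    owner: str
    value: dict
    readers: set = field(default_factory=set)  # per-object ACL, not per-database
    tag: str = ""                              # integrity tag over this object only


class SingleObjectStore:
    def __init__(self, key: bytes):
        self._key = key
        self._objects = {}
        self.log = []  # every request is recorded for the owner to review

    def _tag(self, owner, name, value):
        msg = json.dumps([owner, name, value], sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, owner, name, value, readers=()):
        if owner not in REGISTRY:
            raise PermissionError("owner not registered")
        self._objects[(owner, name)] = DataObject(
            owner, value, set(readers), self._tag(owner, name, value))

    def request(self, requester, owner, name):
        obj = self._objects.get((owner, name))
        allowed = (requester in REGISTRY and obj is not None
                   and (requester == owner or requester in obj.readers))
        # A granted read also requires the object's own tag to still verify.
        intact = allowed and hmac.compare_digest(
            obj.tag, self._tag(owner, name, obj.value))
        self.log.append({"from": requester, "object": (owner, name),
                         "granted": bool(intact), "acknowledged": False})
        return obj.value if intact else None

    def acknowledge(self, owner):
        """Owner reviews and acknowledges requests made against its objects."""
        pending = [e for e in self.log
                   if e["object"][0] == owner and not e["acknowledged"]]
        for e in pending:
            e["acknowledged"] = True
        return pending
```

Access to one object grants nothing on its neighbours, and denied or failed requests still appear in the owner's review queue.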
The GTR and the SOD are the first two technology steps. eNotus is in the unique position to bring together the two separate and innovative technologies, the GTR and the SOD, to address the SME trust problem. The GTR architecture will be based on years of experience developing the leading card-not-present (CNP) fraud detection and prevention solutions for the on-line retail industry. The SOD architecture will be based on years of experience with the Lotus method of folder-based storage – a methodology quite different from that of the relational and SQL database technologies that dominate current data storage and management and that are the cause of much of their current privacy and security problems. The SOD is quite similar to the recently emerging NoSQL database architecture.