Policy-Based Query Governance | Zetaris

Introduction

Organisations face significant regulatory and compliance risks from their data management and analytics practices. With the proliferation of data and the significant business opportunities centring around data analytics and AI, real-time policy-based governance of data, operations and development is essential.

The typical organisation with data obligations will say: ‘We have access control, state of the art security, a privacy policy, a Chief Data Officer, advisors, and we train our staff.’ However, they do not have a system of control and oversight for the developer in real-time as he or she develops. They do not really know what their data scientist is doing when an algorithm runs. There is no way to remember whether the AI complies with the new policy or legislation. They have limited control over the management of the way data is joined by coders. They have no control over behaviour at the lower level. Data extracts are all over the place, on banker laptops, on store servers, and in varying forms of encryption, and the BI tools are joining data over the top in arbitrary ways with no oversight.

We have seen the evidence of this lack of lower-level oversight and control in recent regulatory breaches involving application processing and data.

So, you might have the best intentions and the best consultants, people, and security access measures, but if your policy is not actively embedded in the code, then you are not complying. And, if you don't bring in the right systems, you will be liable.

What is needed is the policy embedded within every line of code. Policy embedded in every query. And the policy needs to be in a real-time active policy service, not just in training materials or PowerPoint slides.

So, what's the risk?

If you are a bank, do you really know what algorithms, code, and queries your analyst is experimenting with right now? Are they breaching data regulation? Do you really have a system that can report in real time, every second, on compliance?

If you are a telecommunications company, can you manage, control, and restrict operations when you share data with a third party to ensure there is no privacy breach?

If you are a retailer, do you really know what that AI bot is doing with the data? Is a new policy being applied that was not in the original design?

If you are a government department, can you link your data with that of other departments in a way that ensures real-time behaviour-based compliance? Do you generate an exception report automatically if something non-compliant with policy occurs? If so, does the report indicate more than inappropriate access? Does it provide a deep assessment of what the analyst was doing? Do you have that level of operational oversight?

If you are a member of the general public, would you like real, policy-based, behavioural-level oversight of how organisations are handling your data every day, every minute, every second?

Zetaris for Networked Data Platform & Operational Data-and-Query Governance

Zetaris: The Networked Data Platform joins data across many data stores, networks, and clouds to create the views that analytical tools require in real time without duplicating data, processes or systems. This is a step-change in the data platform and integration world, where the old approach involves copying data from its original source and restructuring or transforming it to make it uniform before any value can be created.

Zetaris has implemented, within its query engine and data access layer, a global standard and framework for policy management: Policy-Based Governance (PBG). Using PBG, Zetaris: The Networked Data Platform unifies policy enforcement across the data ecosystem.

With Zetaris: The Networked Data Platform, every query, algorithm, or data operation performed by an analyst, developer, AI agent, or BI user is assessed for policy compliance before it is run. This means that both the data and the operations performed on the data across your data landscape are managed in real time. This is granular policy-based data governance.

Overview

PBG means every query runs policy decision-making from policy enforcement. When your software needs to make policy decisions, Zetaris sends queries to the policy server and returns authorisation data.

Policy Coding

PBG generates policy decisions by evaluating the query input against policies and data.

For example:

• What combinations of data joins are permitted?
• Which users can access which resources?
• Prevent data breaches before they happen.
• Which user can perform what query or implement which algorithm?
• What AI can access which data with what operation?
• To which subnets are egress traffic allowed?
• To which clusters must a workload be deployed?
• At which times of day can the system be accessed?

Policy decisions are not limited to simple ‘yes/no’ or ‘allow/deny’ answers. Like query inputs, your policies can generate arbitrary structured data as output.

[Zetaris is an inter-operable platform that can connect easily with tools such as OPA]