CASE STUDY
Employing Tags to Enforce Consistent Data Access and Use Policies Across Multiple Zones in Big Data Analytics Platform
SERVICES
THE CHALLENGE
Expanding Data Access & Use While Managing Risk
A national integrated health delivery system initiated their analytic digital foundation program to reduce the expense of future analytic projects and to consolidate independent analytic systems across the organization into one platform.
The platform is designed to handle the full lifecycle of data from acquisition to analysis and disposition. It brings conformity and comparability to program wide metrics.
One significant challenge is the enablement and application of consistent data access & use policies for all tenants across the platform. We endeavored to design a solution to meet this challenge.
One significant challenge is the enablement and application of consistent data access & use policies for all tenants across the platform. We endeavored to design a solution to meet this challenge.
OUR SOLUTION
Data Access & Use Design Strategy & Implementation
We began with the question: Who can access what, when can they do so, and why? Given the client’s status as an integrated health delivery system, we centered the architecture effort around incorporating health-specific regulatory data protections.
We addressed this across the platform constituted by multiple data zones by balancing the confidentiality, integrity, & availability triad with practical considerations; in so doing, we realized additional capabilities central to the governance of the platform.
TOOLKIT
Mapping & Tagging Data
Classification Taxonomy
HIPAA Privacy and Security Rules
THE RESULTS
Data Classification, Data Access and Defining Maintenance
We employed tags as a means of data classification. The application of tags allowed us to classify data, such as Protected Health Information (PHI). We could apply this to an entire table or selected columns of a table.
We associated the tags to roles. Roles represented an access and use profile to which users could be assigned. The access and use privileges assigned to tags associated with roles extended to the users assigned to those roles.
We mapped roles to data access and use policies. We separated the classification mechanism from policy definition, enabling job segregation, auditability and efficiency of maintenance.
To enable consistent data access and use across the full lifecycle of data, we also developed data classification taxonomy, user personas and roles, metadata management from acquisition to analysis and disposition, data resource inventory and data lineage.