“Operator Isolation Based On Data Security Requirements” in Patent Application Approval Process (USPTO 20200104527)

2020 APR 22 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent application by the inventors Koster, David M. (Reston, VA); Nikolai, Jason A. (Rochester, MN); Santosuosso, John M. (Rochester, MN); Branson, Michael J. (Rochester, MN), filed on September 27, 2018, was made available online on April 2, 2020, according to news reporting originating from Washington, D.C., by NewsRx correspondents.

This patent application is assigned to International Business Machines Corporation (Armonk, New York, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “Conventional systems may be tasked with processing data that has restrictions, such as the Protected Health Information (PHI) data involved with glucose monitoring of data for sugar in a health system that requires Health Insurance Portability and Accountability Act (HIPAA) compliance or credit card data processing requiring Payment Card Industry (PCI) compliance.

“In conventional systems, developers have to work with these security considerations and uniquely design applications to work in complicated configurations, where the application data considerations burden the developers and administrators. Some conventional systems may provide features required to operate in such environments.

“However, the cost of operating in these environments is significantly higher than in generic cloud environments that are not fully compliant with these standards. Thus, current solutions that utilize a compliant cloud environment for such applications may be very expensive to create and maintain.

“Also, in order to meet various compliance requirements, every employee working in the infrastructure has to be trained, resulting in delays and higher costs as the pool of available people for any problem is smaller. Furthermore, if a large amount of hardware is needed, the costs rise quickly as it is expensive to build large isolated portions of data centers.

“Some conventional systems use de-identification. De-identification may be described as removing personal identifiers from data. For example, a medical record with identification information ‘John Smith’ contains blood work information, etc. De-identification removes ‘John Smith’ and replaces this identification information with a value that cannot tie back to the individual. This allows for research and statistical studies in the medical field to be conducted without violating HIPAA and patient privacy.”

In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventors’ summary information for this patent application: “In accordance with embodiments, a computer-implemented method is provided for operator isolation based on data security requirements. The computer-implemented method comprises: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators. For each of the operators, it is determined whether the operator processes protected data. In response to determining that the operator is tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant secure node for processing. In response to determining that the operator is not tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant general node for processing. Then, while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, a tag is associated with the operator to indicate that the operator processes protected data and the operator is forwarded to the tenant secure node for processing.

“In accordance with other embodiments, a computer program product is provided for operator isolation based on data security requirements. The computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by at least one processor to perform operations comprising: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators. For each of the operators, it is determined whether the operator processes protected data. In response to determining that the operator is tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant secure node for processing. In response to determining that the operator is not tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant general node for processing. Then, while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, a tag is associated with the operator to indicate that the operator processes protected data and the operator is forwarded to the tenant secure node for processing.

“In yet other embodiments, a computer system is provided for operator isolation based on data security requirements. The computer system comprises one or more processors, one or more computer-readable memories and one or more computer-readable, tangible storage devices; and program instructions, stored on at least one of the one or more computer-readable, tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to perform operations comprising: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators. For each of the operators, it is determined whether the operator processes protected data. In response to determining that the operator is tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant secure node for processing. In response to determining that the operator is not tagged with an indication that the operator processes protected data, the operator is forwarded to the tenant general node for processing. Then, while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, a tag is associated with the operator to indicate that the operator processes protected data and the operator is forwarded to the tenant secure node for processing.”

The claims supplied by the inventors are:

“1. A computer-implemented method, comprising: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators; for each of the operators, determining whether the operator processes protected data; in response to determining that the operator is tagged with an indication that the operator processes protected data, forwarding the operator to the tenant secure node for processing; in response to determining that the operator is not tagged with an indication that the operator processes protected data, forwarding the operator to the tenant general node for processing; and while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, associating a tag with the operator to indicate that the operator processes protected data; and forwarding the operator to the tenant secure node for processing.

“2. The computer-implemented method of claim 1, further comprising: associating a tag with an ingest portion of data of the ingest portions of data to indicate that the data for the ingest portion is protected data.

“3. The computer-implemented method of claim 1, further comprising: associating a tag with an operator of the operators to indicate that the operator processes protected data.

“4. The computer-implemented method of claim 1, further comprising: using at least one of rule-based patterns and learned patterns to determine whether each of the operators processes protected data.

“5. The computer-implemented method of claim 1, wherein the graph is for a tenant streaming application that is compiled to generate a Streams Application Bundle (SAB) file.

“6. The computer-implemented method of claim 1, wherein the tenant secure node has an underlying compliance infrastructure to ensure that pre-defined rules are being followed to process the protected data.

“7. The computer-implemented method of claim 1, wherein a Software as a Service (SaaS) is configured to perform method operations.

“8. A computer program product, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by at least one processor to perform: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators; for each of the operators, determining whether the operator processes protected data; in response to determining that the operator is tagged with an indication that the operator processes protected data, forwarding the operator to the tenant secure node for processing; in response to determining that the operator is not tagged with an indication that the operator processes protected data, forwarding the operator to the tenant general node for processing; and while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, associating a tag with the operator to indicate that the operator processes protected data; and forwarding the operator to the tenant secure node for processing.

“9. The computer program product of claim 8, wherein the program code is executable by the at least one processor to perform: associating a tag with an ingest portion of data of the ingest portions of data to indicate that the data for the ingest portion is protected data.

“10. The computer program product of claim 8, wherein the program code is executable by the at least one processor to perform: associating a tag with an operator of the operators to indicate that the operator processes protected data.

“11. The computer program product of claim 8, wherein the program code is executable by the at least one processor to perform: using at least one of rule-based patterns and learned patterns to determine whether each of the operators processes protected data.

“12. The computer program product of claim 8, wherein the graph is for a tenant streaming application that is compiled to generate a Streams Application Bundle (SAB) file.

“13. The computer program product of claim 8, wherein the tenant secure node has an underlying compliance infrastructure to ensure that pre-defined rules are being followed to process the protected data.

“14. The computer program product of claim 8, wherein a Software as a Service (SaaS) is configured to perform computer program product operations.

“15. A computer system, comprising: one or more processors, one or more computer-readable memories and one or more computer-readable, tangible storage devices; and program instructions, stored on at least one of the one or more computer-readable, tangible storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, to perform operations comprising: at a cloud node coupled to a tenant secure node and a tenant general node, receiving a graph that includes ingest portions of data and operators; for each of the operators, determining whether the operator processes protected data; in response to determining that the operator is tagged with an indication that the operator processes protected data, forwarding the operator to the tenant secure node for processing; in response to determining that the operator is not tagged with an indication that the operator processes protected data, forwarding the operator to the tenant general node for processing; and while the tenant general node is processing the operator, in response to determining that the operator is processing protected data, associating a tag with the operator to indicate that the operator processes protected data; and forwarding the operator to the tenant secure node for processing.

“16. The computer system of claim 15, further comprising: associating a tag with an ingest portion of data of the ingest portions of data to indicate that the data for the ingest portion is protected data.

“17. The computer system of claim 15, further comprising: associating a tag with an operator of the operators to indicate that the operator processes protected data.

“18. The computer system of claim 15, further comprising: using at least one of rule-based patterns and learned patterns to determine whether each of the operators processes protected data.

“19. The computer system of claim 15, wherein the graph is for a tenant streaming application that is compiled to generate a Streams Application Bundle (SAB) file.

“20. The computer system of claim 15, wherein a Software as a Service (SaaS) is configured to perform computer system operations.”

URL and more information on this patent application, see: Koster, David M.; Nikolai, Jason A.; Santosuosso, John M.; Branson, Michael J. Operator Isolation Based On Data Security Requirements. Filed September 27, 2018 and posted April 2, 2020. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220200104527%22.PGNR.&OS=DN/20200104527&RS=DN/20200104527

(Our reports deliver fact-based news of research and discoveries from around the world.)