Patent Issued for Data security across data residency restriction boundaries (USPTO 11552955): Kyndryl Inc.
2023 JAN 26 (NewsRx) -- By a
Patent number 11552955 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: “Data is easily shared from one locale to another in the global information landscape. There are an increasing number of legal ramifications that make sharing data across geographic, jurisdictional, political, and other types of boundaries complex. The General Data Protection Regulation (GDPR) is legislation that addresses the export of personal data outside of the
“One challenging aspect to identifying and protecting sensitive data, such as personally identifiable information (PII), is how to deal with “unstructured” content, including documents or files on file shares, personal computing devices, and content management systems. These files, which may contain sensitive data subject to data residency restrictions, can be generated within and/or outside an organization, using many applications, can be converted to multiple file formats (commonly to PDF), and can seemingly have unlimited form and content. While the data or portions thereof may be subject to data residency restrictions such that their movement across a boundary is restricted, in many cases it is acceptable that the insights from data, when removed from the PII and other sensitive information, may be sent across such boundaries, even though the data itself may not.”
In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “Shortcomings of the prior art are overcome and additional advantages are provided through the provision of a computer-implemented method. The method obtains a dataset on which a desired analysis is to be performed. At least some results of the desired analysis are to be transferred from one location to another location. The dataset is subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location. The method also includes profiling the dataset to identify a profile level for the dataset. The method additionally includes automatically generating a container image based on the identified profile level for the dataset and the data residency restrictions that restrict the transfer of the dataset across the boundary. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method further digitally stores the container image to a container registry.
“Further, a computer system is provided that includes a memory and a processor in communication with the memory, wherein the computer system is configured to perform a method. The method obtains a dataset on which a desired analysis is to be performed. At least some results of the desired analysis are to be transferred from one location to another location. The dataset is subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location. The method also includes profiling the dataset to identify a profile level for the dataset. The method additionally includes automatically generating a container image based on the identified profile level for the dataset and the data residency restrictions that restrict the transfer of the dataset across the boundary. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method further digitally stores the container image to a container registry.
“Yet further, a computer program product that includes a computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit is provided for performing a method. The method obtains a dataset on which a desired analysis is to be performed. At least some results of the desired analysis are to be transferred from one location to another location. The dataset is subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location. The method also includes profiling the dataset to identify a profile level for the dataset. The method additionally includes automatically generating a container image based on the identified profile level for the dataset and the data residency restrictions that restrict the transfer of the dataset across the boundary. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method further digitally stores the container image to a container registry.
“In some embodiments, the method also includes making available the container image for selection and instantiation on the container host, which has an advantage that the container may be reused where appropriate, saving additional processing and configuration. The method can check whether an appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the registry, and automatically perform the generating the container based on determining that no appropriate container for processing the dataset into the reformatted dataset already exists in the registry.
“In some embodiments, a container instantiated from the generated container includes an input data volume for storing the dataset and an output data volume for storing the reformatted dataset, which has an advantage in that it compartmentalizes data that is safe to send across the boundary and data which is not safe to send across the boundary. This has an advantage in that the appropriate permissions, access, and purging of the data can be easily applied to the subject volume. The method can include generating a data definition language defining data structures to hold the reformatted dataset in the output data volume, which has an advantage in that it provides structure to potentially unstructured data, to facilitate desired analytics processing and data reformatting.”
The claims supplied by the inventors are:
“1. A computer-implemented method comprising: obtaining a dataset on which a desired analysis is to be performed, with at least some results of the desired analysis to be transferred from one location to another location, wherein the dataset is subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location; profiling the dataset to identify a profile level for the dataset; automatically generating a container image based on the identified profile level for the dataset and the data residency restrictions that restrict the transfer of the dataset across the boundary, wherein the container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location; and digitally storing the container image to a container registry.
“2. The method of claim 1, further comprising making available the container image for selection and instantiation on the container host.
“3. The method of claim 2, further comprising checking whether an appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the container registry, wherein the automatically generating the container image is performed based on determining that no appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the registry.
“4. The method of claim 1, wherein a container instantiated from the generated container image comprises an input data volume for storing the dataset and an output data volume for storing the reformatted dataset.
“5. The method of claim 4, wherein the generating the container image configures the generated container image such that, based on terminating the container instantiated from the generated container image, data of the input data volume is lost.
“6. The method of claim 5, wherein the generating the container image configures the generated container image such that the instantiation of the generated container image includes restrictions that prevent extraction of data from the input data volume out of the container instantiated from the generated container image.
“7. The method of claim 4, further comprising generating a data definition language defining data structures to hold the reformatted dataset in the output data volume.
“8. The method of claim 1, further comprising: instantiating the generated container image on a data processing system, wherein the data processing system comprises a server responsible for a database in which the dataset is stored; and receiving a script by the data processing system and executing the script to perform the profiling and the identifying the profile level for the dataset based on identifying the another location and based on the data residency restrictions that restrict the transfer of the dataset across the boundary.
“9. The method of claim 1, wherein the profiling classifies personally identifiable information of the dataset and determines the profile level for the dataset based on the classified personally identifiable information, and wherein the reformatted dataset has the personally identifiable information removed or aggregated, such that the reformatted dataset does not include the personally identifiable information.
“10. The method of claim 1, wherein the generated container image specifies executable code and dependencies to process the dataset into the reformatted dataset, wherein processing the dataset into the reformatted dataset comprises a portion of the desired analysis of the dataset, and wherein the reformatted dataset comprises the at least some results of the desired analysis for transfer to the another location.
“11. The method of claim 1, wherein the desired analysis is to be performed by processing across the one location and a plurality of additional locations of which the another location is a part, wherein a respective data processing system at each additional location of the plurality of additional locations is to analyze respective intermediate data of the desired analysis, wherein respective data residency restrictions apply to the intermediate data residing at the additional location and restrict transfer of the intermediate data from that additional location across a respective boundary to a next additional location of the plurality of additional locations, and wherein the method further comprises: automatically generating a respective container image for each additional location of the plurality of additional locations, the generated respective container image generated based on (i) an identified profile level of the intermediate data that is to reside at the additional location and on (ii) the data residency restrictions that restrict the transfer of the intermediate data to the next additional location, the generated respective container image being configured for instantiation and execution as a respective container to: receive the intermediate data for processing at that additional location; process the intermediate data into a reformatted intermediate dataset that is not restricted for transfer across the boundary to the next additional location; and transfer, to the generated respective container for the next additional location, the reformatted intermediate dataset as the respective intermediate data for analysis at that next additional location.
“12. A computer system comprising: a memory; and a processor in communication with the memory, wherein the computer system is configured to perform a method comprising: obtaining a dataset on which a desired analysis is to be performed, with at least some results of the desired analysis to be transferred from one location to another location, wherein the dataset is subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location; profiling the dataset to identify a profile level for the dataset; automatically generating a container image based on the identified profile level for the dataset and the data residency restrictions that restrict the transfer of the dataset across the boundary, wherein the container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location; and digitally storing the container image to a container registry.
“13. The computer system of claim 12, wherein a container instantiated from the generated container image comprises an input data volume for storing the dataset and an output data volume for storing the reformatted dataset.
“14. The computer system of claim 13, wherein the method further comprises generating a data definition language defining data structures to hold the reformatted dataset in the output data volume.
“15. The computer system of claim 12, wherein the method further comprises: instantiating the generated container image on a data processing system, wherein the data processing system comprises a server responsible for a database in which the dataset is stored; and receiving a script by the data processing system and executing the script to perform the profiling and the identifying the profile level for the dataset based on identifying the another location and based on the data residency restrictions that restrict the transfer of the dataset across the boundary.
“16. The computer system of claim 12, wherein the desired analysis is to be performed by processing across the one location and a plurality of additional locations of which the another location is a part, wherein a respective data processing system at each additional location of the plurality of additional locations is to analyze respective intermediate data of the desired analysis, wherein respective data residency restrictions apply to the intermediate data residing at the additional location and restrict transfer of the intermediate data from that additional location across a respective boundary to a next additional location of the plurality of additional locations, and wherein the method further comprises: automatically generating a respective container image for each additional location of the plurality of additional locations, the generated respective container image generated based on (i) an identified profile level of the intermediate data that is to reside at the additional location and on (ii) the data residency restrictions that restrict the transfer of the intermediate data to the next additional location, the generated respective container image being configured for instantiation and execution as a respective container to: receive the intermediate data for processing at that additional location; process the intermediate data into a reformatted intermediate dataset that is not restricted for transfer across the boundary to the next additional location; and transfer, to the generated respective container for the next additional location, the reformatted intermediate dataset as the respective intermediate data for analysis at that next additional location.”
There are additional claims. Please visit full patent to read further.
URL and more information on this patent, see: Cheng, Karen. Data security across data residency restriction boundaries.
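The profiling and reformatting steps described in claim 9, sketched as an added example; this is not code from the patent or from Kyndryl. The detectors, the profile level names, the sample records and the minimum group size are assumptions made here, and the final function is an egress check a practitioner might run on the output volume before anything crosses the boundary.

```python
import json
import re

# Constructed sample dataset; every value here is made up for illustration.
RECORDS = [
    {"name": "Ana Ruiz", "contact": "ana@example.com", "country": "DE", "spend": 120},
    {"name": "Ben Ito", "contact": "ben@example.org", "country": "DE", "spend": 80},
    {"name": "Cleo Marsh", "contact": "cleo@example.net", "country": "FR", "spend": 50},
]

# Hypothetical detectors: column-name hints plus value patterns.
PII_NAME_HINTS = {"name", "email", "phone", "address"}
PII_VALUE_PATTERNS = [
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # e-mail address
    re.compile(r"^\+?\d[\d\s-]{7,}$"),           # phone-like number
]

def profile(records):
    """Classify PII columns and derive a profile level (level names assumed)."""
    pii_cols = set()
    for row in records:
        for col, val in row.items():
            if col in PII_NAME_HINTS or any(p.match(str(val)) for p in PII_VALUE_PATTERNS):
                pii_cols.add(col)
    level = "high" if len(pii_cols) >= 2 else "low" if pii_cols else "none"
    return level, pii_cols

def reformat(records, pii_cols, group_by, min_group=2):
    """Aggregate by a non-PII column; PII columns never reach the output."""
    if group_by in pii_cols:
        raise ValueError("refusing to group on a PII column: " + group_by)
    groups = {}
    for row in records:
        g = groups.setdefault(row[group_by], {"count": 0, "spend": 0})
        g["count"] += 1
        g["spend"] += row["spend"]
    # Suppress groups so small that an aggregate describes one person.
    return {k: v for k, v in groups.items() if v["count"] >= min_group}

def leaks(records, pii_cols, output):
    """Egress check: list any input PII value that appears in the output."""
    blob = json.dumps(output)
    return [str(r[c]) for r in records for c in sorted(pii_cols) if str(r[c]) in blob]

if __name__ == "__main__":
    level, cols = profile(RECORDS)
    result = reformat(RECORDS, cols, "country")
    print(level, sorted(cols), result, leaks(RECORDS, cols, result))
```

The single-record FR group is dropped because an aggregate over one person is still that person's data; the threshold of 2 is only for the sample and would be set by policy.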