Patent Issued for Data security across data residency restriction boundaries (USPTO 11855995): Kyndryl Inc.

2024 JAN 17 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- Kyndryl Inc. (New York, New York, United States) has been issued patent number 11855995, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Cheng, Karen (North York, CA), Lam, Thanh (Fontana, CA, US), Riley, Daniel S. (Wake Forest, NC, US), Rudden, Mary E. (Denver, CO, US), Trim, Craig M. (Ventura, CA, US).

This patent was filed on December 1, 2022 and was published online on December 26, 2023.

From the background information supplied by the inventors, news correspondents obtained the following quote: “Data is easily shared from one locale to another in the global information landscape. There are an increasing number of legal ramifications that make sharing data across geographic, jurisdictional, political, and other types boundaries complex. The General Data Protection Regulation (GDPR) is legislation that addresses the export of personal data outside of the European Union (EU). The GDPR aims primarily to give control of personal data back to citizens and residents of the EU. Another example legislation is The Health Insurance Portability and Accountability Act (HIPPA), which requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. There are various other legislative and geo-political restrictions on handling of data that demand adherence because of the monetary and other penalties incurred for violations.

“One challenging aspect to identifying and protecting sensitive data, such as personally identifiable information (PII), is how to deal with “unstructured” content, including documents or files on file shares, personal computing devices, and content management systems. These files, which may contain sensitive data subject to data residency restrictions, can be generated within and/or outside an organization, using many applications, can be converted to multiple file formats (commonly to PDF), and can seemingly have unlimited form and content. While the data or portions thereof may be subject to data residency restrictions such that their movement across a boundary is restricted, in many cases it is acceptable that the insights from data, when removed from the PII and other sensitive information, may be sent across such boundaries, even though the data itself may not.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “Shortcomings of the prior art are overcome and additional advantages are provided through the provision of a computer-implemented method. The method automatically generates a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method additionally digitally stores the container image to a container registry.

“Further, a computer system is provided that includes a memory and a processor in communication with the memory, wherein the computer system is configured to perform a method. The method automatically generates a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method additionally digitally stores the container image to a container registry.

“Yet further, a computer program product that includes a computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit is provided for performing a method. The method automatically generates a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location. The container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location. The method additionally digitally stores the container image to a container registry.

“In some embodiments, the method also includes making available the container image for selection and instantiation on the container host, which has an advantage that container may be reused where appropriate, saving additional processing and configuration. The method can check whether an appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the registry, and automatically perform the generating the container based on determining that no appropriate container for processing the dataset into the reformatted dataset already exists in the registry.

“In some embodiments, a container instantiated from the generated container includes an input data volume for storing the dataset and an output data volume for storing the reformatted dataset, which has an advantage in that is compartmentalizes data that is safe to send across the boundary and data which is not safe to send across the boundary. This has an advantage in that the appropriate permissions, access, and purging of the data can be easily applied to the subject volume. The method can include generating a data definition language defining data structures to hold the reformatted dataset in the output data volume, which has an advantage in that it provides structure to potentially unstructured data, to facilitates desired analytics processing and data reformatting.”

The claims supplied by the inventors are:

“1. A computer-implemented method comprising: automatically generating a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location, wherein the container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location; and digitally storing the container image to a container registry.

“2. The method of claim 1, further comprising making available the container image for selection and instantiation on the container host.

“3. The method of claim 2, further comprising checking whether an appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the container registry, wherein the automatically generating the container image is performed based on determining that no appropriate container for processing the dataset into the reformatted dataset already exists as a container image in the registry.

“4. The method of claim 1, wherein a container instantiated from the generated container image comprises an input data volume for storing the dataset and an output data volume for storing the reformatted dataset.

“5. The method of claim 4, wherein the generating the container image configures the generated container image such that, based on terminating the container instantiated from the generated container image, data of the input data volume is lost.

“6. The method of claim 5, wherein the generating the container image configures the generated container image such that the instantiation of the generated container image includes restrictions that prevent extraction of data from the input data volume out of the container instantiated from the generated container image.

“7. The method of claim 4, further comprising generating a data definition language defining data structures to hold the reformatted dataset in the output data volume.

“8. The method of claim 1, further comprising: instantiating the generated container image on a data processing system, wherein the data processing system comprises a server responsible for a database in which the dataset is stored; and receiving a script by the data processing system and executing the script to perform profiling the dataset and identifying the profile level for the dataset based on identifying the another location and based on the data residency restrictions that restrict the transfer of the dataset across the boundary.

“9. The method of claim 1, wherein the profile level is based on classifying personally identifiable information of the dataset, and wherein the reformatted dataset has the personally identifiable information removed or aggregated, such that the reformatted dataset does not include the personally identifiable information.

“10. The method of claim 1, wherein the generated container image specifies executable code and dependencies to process the dataset into the reformatted dataset, wherein processing the dataset into the reformatted dataset performs a desired analysis of the dataset, and wherein the reformatted dataset comprises at least some results of the desired analysis for transfer to the another location.

“11. The method of claim 1, wherein a desired analysis of the dataset is to be performed by processing across the one location and a plurality of additional locations of which the another location is a part, wherein a respective data processing system at each additional location of the plurality of additional locations is to analyze respective intermediate data of the desired analysis, wherein respective data residency restrictions apply to the intermediate data residing at the additional location and restrict transfer of the intermediate data from that additional location across a respective boundary to a next additional location of the plurality of additional locations, and wherein the method further comprises: automatically generating a respective container image for each additional location of the plurality of additional locations, the generated respective container image generated based on (i) an identified profile level of the intermediate data that is to reside at the additional location and (ii) the data residency restrictions that restrict the transfer of the intermediate data to the next additional location, the generated respective container image being configured for instantiation and execution as a respective container host to: receive the intermediate data for processing at that additional location; process the intermediate data into a reformatted intermediate dataset that is not restricted for transfer across the boundary to the next additional location; and transfer, to the generated respective container for the next additional location, the reformatted intermediate dataset as the respective intermediate data for analysis at that next additional location.

“12. A computer system comprising: a memory; and a processor in communication with the memory, wherein the computer system is configured to perform a method comprising: automatically generating a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location, wherein the container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location; and digitally storing the container image to a container registry.

“13. The computer system of claim 12, wherein a container instantiated from the generated container image comprises an input data volume for storing the dataset and an output data volume for storing the reformatted dataset.

“14. The computer system of claim 13, wherein the method further comprises generating a data definition language defining data structures to hold the reformatted dataset in the output data volume.

“15. The computer system of claim 12, wherein the method further comprises: instantiating the generated container image on a data processing system, wherein the data processing system comprises a server responsible for a database in which the dataset is stored; and receiving a script by the data processing system and executing the script to perform profiling the dataset and identifying the profile level for the dataset based on identifying the another location and based on the data residency restrictions that restrict the transfer of the dataset across the boundary.

“16. The computer system of claim 12, wherein a desired analysis of the dataset is to be performed by processing across the one location and a plurality of additional locations of which the another location is a part, wherein a respective data processing system at each additional location of the plurality of additional locations is to analyze respective intermediate data of the desired analysis, wherein respective data residency restrictions apply to the intermediate data residing at the additional location and restrict transfer of the intermediate data from that additional location across a respective boundary to a next additional location of the plurality of additional locations, and wherein the method further comprises: automatically generating a respective container image for each additional location of the plurality of additional locations, the generated respective container image generated based on (i) an identified profile level of the intermediate data that is to reside at the additional location and (ii) the data residency restrictions that restrict the transfer of the intermediate data to the next additional location, the generated respective container image being configured for instantiation and execution as a respective container host to: receive the intermediate data for processing at that additional location; process the intermediate data into a reformatted intermediate dataset that is not restricted for transfer across the boundary to the next additional location; and transfer, to the generated respective container for the next additional location, the reformatted intermediate dataset as the respective intermediate data for analysis at that next additional location.

“17. A computer program product comprising: a computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising: automatically generating a container image based on an identified profile level for a dataset and data residency restrictions that restrict transfer of the dataset across a boundary to another location, wherein the container image is configured for instantiation as a container on a container host and execution on the container host to provide a virtual environment having one or more software applications executing therein to process the dataset into a reformatted dataset that is not restricted by the data residency restrictions for transfer across the boundary to the another location; and digitally storing the container image to a container registry.”

There are additional claims. Please visit full patent to read further.

For the URL and additional information on this patent, see: Cheng, Karen. Data security across data residency restriction boundaries. U.S. Patent Number 11855995, filed December 1, 2022, and published online on December 26, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(11855995)&db=USPAT&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)