Secure Data Sharing: what it is and why it is so important
Secure data sharing is becoming the key success factor for different-sized companies worldwide and in different sectors.
This is because data constitutes the lifeblood of the factory and the companies of the future. Each hardware device and each software we use daily collects a huge amount of data about behavior, statistics, and logs.
Such data can be used to extract powerful information about the user, the machinery itself, and the context of usage. As they teach in macroeconomic courses, having more information and more data leads to asymmetric information and constitutes a significant competitive advantage for companies.
Being able to collect data is only one side of the story. True power comes when companies can analyze and obtain information from such raw data. In the future, those who will be able to generate more accurate information out of data will be able to optimize processes, make more accurate and informed decisions, and obtain new revenues.
Such a sentence has already been proven by the various scandals related to personal data (aka Personal Identifiable Information - PII), such as the one that hit Facebook (now Meta) and their relations with Cambridge Analytica. Industrial data do not have the same impact on speech and thought freedom but they have a huge impact on determining whether or not a company will be successful and sustainable in the future.
By secure data sharing, we mean the set of technologies, means and procedures that make the process of sharing (exchange, borrow, transfer…) data secure, easy to be governed, and observable by all the involved actors. So far, industries have considered data sharing only in simple use cases where data are used inside an organization to cover internal requirements. In such use cases, security was not the primary focus since data were always kept inside the same enterprise, they were not given externally. However, also this task can become very complex if the company has headquarters located in different countries or is subject to different regulatory authorities.
According to Gartner’s report, most of the value can be extracted when companies can share their data with peers and stakeholders. If they do so in a secure, compliant, and trustworthy manner, they’ll be able to generate 100% ROI from this investment. Secure data-sharing technologies and platforms promise that compliance, security, and trustworthiness can be achieved so that organizations can sustainably collaborate and grow.
Secure data sharing in cyber security
Whenever companies are interviewed about their data-sharing strategies, security is one of the most mentioned aspects. These days, most companies have already suffered (or heard about) a cyberattack that has broken at least one of the data security principles (Integrity, Confidentiality, and Availability). Such cyberattacks can be the (in)famously known ransomware/crypto lockers that from 2017 have hit companies very badly, or insider threats due to malicious employees. Companies must protect their data from inside and outside threats. There is no more a clear divide between in and out, every misbehavior can become a threat.
During 2020 and the pandemic crisis, many different companies had to stop their operations because of a cyberattack on data. A report coming from ENISA highlights that 58% of cyberattacks targeting supply chain hit data because, by doing so, the attack disrupts industrial operations and victims are either more willing to pay the ransom or to do what the attacker asks. In a modern value chain, data are being shared regularly, without the necessary security this becomes the weakest point.
Moreover, when thinking about possible attacks on data, one must always remember insider threats i.e. a malicious employee who decides to publish internal documents or information in exchange for money or because of personal reasons. For these reasons, it is of utmost importance to protect the full data lifecycle (and from data generation to data storage, from data access to data sharing, from data exchange to data deletion). The informed reader has already read about such aspects, since they are derived from GDPR (General Data Privacy Regulation), upcoming regulations have the ambition to do the same for industrial as well.
In this contest, data sovereignty is another key success factor. This concept is the ability of the data owner (whoever generates the data in the first place) to control data usage, lifecycle, and even secondary data usage. It means that data becomes a first-class citizen in IT/OT, and it becomes even more important than the infrastructure itself. The required change in ICT nowadays is that of thinking about the most important asset that needs to be protected: the data, rather than thinking only about the infrastructure. Seldom people do not mention data sovereignty, but all the features that it brings, the most important ones are:
— the possibility of giving the same information with a different level of granularity,
— the opportunity to give access to only the required information, nothing more (aka principle of least privilege)
— the possibility of revoking the usage of data
— the possibility of tracking the usage of data
Secure data sharing across organizations
To date, many companies are still focusing on how to share data within their companies. Especially when thinking about Medium enterprises, such companies may have headquarters in different countries leading to a variety of laws and regulations to be obeyed. However, it is only when data is shared across companies that companies will be able to generate additional value and accelerate innovation.
Several reports covering different industrial verticals highlight how the capability of secure sharing of industrial data can benefit the different actors. Data must be shared, in fact, both with companies in the same vertical, customers, or suppliers and with companies in different verticals to create additional knowledge on the processes. For the aforementioned risks involved in sharing data, proper security is fundamental.
When sharing data, companies want to control the following:
- who has access to data
- for which purpose are they using data
- which compensation is in place
- if and how data can be manipulated (e.g. approximated) beforehand
- which other parties can see the data
- how to be notified whenever data are accessed
- how to manage identities and enforce data policies
- how to write a contract about data sharing
- how to measure the risk involved in sharing
- how to measure the trustworthiness of the other parties
- how to automate the operations mentioned above
The usage control technology is the key enabler. Such technology enables control of data throughout their lifecycle enabling companies to set up triggers that automatically react to user or system behavior. For example, if a company states that data can be shared with a specific company as long as time is before 6 pm if somebody tries to access data at 6:01 pm their access is not granted, and, if it was already granted (usage session had started at 5 pm), the usage is going to be revoked.
The aforementioned aspects are key metrics to let a project of data sharing succeed. Thanks to technology, there are also tools that companies can use to increase their level of data protection, such as Homomorphic Encryption, Secure MultiParty Computation, or synthetic data generation. All such tools lower the risk of sharing data and can let the user be more confident in their operations.
How to achieve secure collaboration
To achieve secure data-driven collaboration between stakeholders, it is important to follow steps that mimic those typically performed to analyze risk. In this scenario, technology is of paramount importance, especially in terms of protection, but having a plan is just as important.
The main steps to be followed are:
- Define roles and responsibilities inside the company for the process. A clear and written document helps employees understand what they can do and which process to follow
- Understand which data I need/want to share. In this analysis, there are some questions to answer such as: where data are stored, whether Intellectual property or personal information is included, how to guarantee compliance…
- Define how such data can be shared according to the level of trust and the acceptable risk, whether or not it is important to be notified every time data are accessed, which tracking mechanism to put in place…
- Define for which operations such data can be used, and if data can be used only for specific purposes…
Only after a clear understanding of the situation one can start sharing the data. Sharing is different from the simple exchange or transfer. The main difference is that when data is being shared, the data owner doesn’t lose control over their data and if appropriate countermeasures are put in place, data is always under their control.
Whenever somebody sends a link to a file or a file in an attachment, most of the control over the data is completely lost. In the former case, the link can be re-shared, and appropriate permissions have to be set. In the latter, there is no control over what will happen to the attachment once the recipient has received it.
To have full control over data, one can adopt one of the available data security platforms where data can be shared between different parties only via the platform itself.
Innovating the data sharing as a new level of success
Secure data sharing, especially for industrial data, will offer a wide spectrum of opportunities to companies in different sectors. Most of the opportunities, especially that cross-sector, are still uncovered, waiting for innovations and visionary entrepreneurs willing to modernize their businesses. The promise of being able to obtain 100% ROI is emptying; that’s why it is so important to pick up the right partner, and the right tools.
In the EU, more and more initiatives related to secure data sharing are being launched, and new use cases and proofs are being shown to demonstrate the power of secure data sharing. This is the right time to act to anticipate competitors and embrace data evolution.
To learn more about secure data-sharing platforms and start creating more value through your data you can look at what GUARDA does and how it solves many of the issues we have addressed in this article.
I’m a cybersecurity expert with several published scientific papers and a solid technical background and a passion for ICT and math. I’ve worked as an Assistant Researcher, I played with technologies like usage control, IoT, car hacking, and malware analysis. In 2018, I co-founded Security Forge, an innovative startup that enables companies to securely share data and create new business opportunities.