An Enterprise Data Privacy Governance Model: Security-Centric Multi-Model Data Anonymization

Yıl 2023, Cilt: 15 Sayı: 2, 574 - 583, 14.07.2023

Yağmur Şahin İbrahim Dogru

https://doi.org/10.29137/umagd.1272085

Öz

The increasing need for data privacy and the rising complexity of data environments necessitate robust data anonymization techniques to safeguard personal and sensitive information. A multi-model approach to data anonymization can strike an optimal balance between privacy protection and data utility, integrating techniques such as data masking, differential privacy, machine learning algorithms, blockchain technology, and data encryption. This article introduces a Security-Centric Enterprise Data Anonymization Governance Model, a structured framework for managing data privacy across healthcare, finance, and government industries. The model ensures adherence to best practices and compliance with legal and regulatory requirements. The article addresses challenges in implementing data anonymization techniques, including maintaining data utility and preventing re-identification, by advocating for a multi-model approach that combines various technologies and methods. We suggest that by adopting this holistic approach, organizations can enhance their data protection measures and foster a culture of data privacy.

Anahtar Kelimeler

data privacy, data anonymization, multi-model approach, data utility, data governance

Bir Kurumsal Veri Gizlilik Yönetişim Modeli: Güvenlik-Merkezli Çoklu Model Veri Anonimleştirme

Öz

Veri gizliliği ihtiyacının artması ve veri ortamlarının karmaşıklığının yükselmesi, kişisel ve hassas bilgileri korumak için güçlü veri anonimleştirme tekniklerini zorunlu kılmıştır. Çoklu model yaklaşımı ile veri anonimleştirmeye dair, veri gizlilik koruması ve veri kullanılabilirliği arasında optimal bir denge sağlamak mümkündür. Bu yaklaşım, veri maskesi, diferansiyel gizlilik, makine öğrenimi algoritmaları, blockchain teknolojisi ve veri şifreleme gibi teknikleri bir araya getirerek sağlık, finans ve devlet sektörlerine yönelik veri gizliliğini yönetmek için yapılandırılmış bir çerçeve olan Güvenlik-Merkezli Kurumsal Veri Anonimleştirme Yönetişim Modeli'ni sunmaktadır. Model, yasal ve düzenleyici gerekliliklere uyumu güvence altına alacak şekilde tasarlanmıştır. Makale, veri anonimleştirme tekniklerinin uygulanmasındaki zorlukları, veri kullanılabilirliğini sürdürme ve yeniden tanımlamayı önleme gibi konuları ele alarak, çeşitli teknolojileri ve yöntemleri birleştiren çoklu model yaklaşımını savunmaktadır. Makalede bu bütüncül yaklaşımı benimseyerek kuruluşların veri koruma önlemlerini artırabileceği ve veri gizliliği kültürünü destekleyebileceği öne sürülmektedir.

Anahtar Kelimeler

Veri gizliliği, veri anonimleştirme, çoklu model yaklaşımı, veri kullanılabilirliği, veri yönetişimi

Kaynakça

• Ajayi, O. O., & Adebiyi, T. O. (2014). Application of Data Masking in Achieving Information Privacy. IOSR Journal of Engineering, 4(2), 13-21.
• Cavoukian, A., & Jonas, J. (2011). Privacy by design: A framework for designing privacy into the new technologies. Identity in the Information Society, 4(1), 3-23. doi: 10.1007/s12394-010-0052-3 Directive 95/46/EC, (2016). Retrieved from: https://eur-lex.europa.eu/legal-content/EN/TXT/uri=CELEX%3A02016R0679- 20160504&qid=1532348683434
• El Emam, K., Jonker, E., Arbuckle, L., & Malin, B. (2011). A systematic review of re-identification attacks on health data. Plos One, 6(12), 28071. https://doi.org/10.1371/journal.pone.0028071
• HIPAA, (2017). De-identification standard, Retrieved from: https://www.govinfo.gov/content/pkg/CFR-2017- title45-vol1/pdf/CFR2017-title45-vol1-sec164-514.pdf (accessed on 26 March 2023).
• ICO, (2021). How do we ensure anonymisation is effective? https://ico.org.uk/media/about-the-ico/documents/4018606/chapter-2-anonymisation-draft.pdf (accessed on 26 March 2023).
• IDStrong (2022). MyFitnessPal Breach: Learn About MyFitnessPal Hack. https://www.idstrong.com/sentinel/myfitnesspal-databreach/ (accessed on 26 March 2023.)
• Jassim, H., Atan, R., Jabar, M., & Abdullah, S. (2018). Factors and model for sensitive data management and protection in information systems’ decision of cloud environment. Journal of Theoretical and Applied Information Technology, 96, 8097–8108.
• Jiang, L., & Torra, V. (2022). On the Effects of Data Protection on Multi-database Data-Driven Models, Integrated Uncertainty in Knowledge Modelling and Decision Making, 226–238.
• Jin, X., Krishnan, R., & Sandhu, R. (2012). A unified attribute-based access control model covering DAC, MAC and RBAC. In Data and Applications Security and Privacy XXVI: 26th Annual IFIP WG 11.3 Conference, 26, 41-55.
• Kalloniatis, C., Mouratidis, H., Vassilis, M., Islam, S., Gritzalis, S., & Kavakli, E. (2014). Towards the design of secure and privacyoriented Information Systems in the Cloud: Identifying the major concepts. Computer Standards & Interfaces, 36(4), 759-775. https://doi.org/10.1016/j.csi.2013.12.010
• Kim, J., & Kim, H. J. (2012). A Study on Privacy Preserving Data Leakage Prevention System. In Recent Progress in Data Engineering and Internet Technology, 2 191-196.
• Kshetri, N. (2018). Blockchain's roles in meeting key supply chain management objectives. International Journal of Information Management, 39, 80-89. doi: 10.1016/j.ijinfomgt.2017.12.001
• LeFevre, K., DeWitt, D. J., & Ramakrishnan, R. (2006). Mondrian multidimensional k-anonymity. In 22nd International conference on data engineering, 25-25.
• Lu, J., & Holubová, I. (2019). Multi-Model Databases: A New Journey to Handle the Variety of Data. ACM Computing Surveys, 52(3).
• Lubarsky, B. (2017). Re-Identification of “Anonymized” Data. Georgetown Law Technology Review, 202, 1-12.
• Machanavajjhala, A., Kifer, D., Gehrke, J., & Venkitasubramaniam, M. (2007). L-Diversity: Privacy beyond k-Anonymity. The ACM Transactions on Knowledge Discovery from Data. 1(1), 3.
• Mackey, E., Elliot, M., & O’Hara, K. (2016). The anonymisation decision-making framework. (1st Edition). UK Anonymization Network.
• Mahmood, Z., & Jusas, V. (2022). Blockchain-Enabled: Multi-Layered Security Federated Learning Platform for Preserving Data Privacy. Electronics, 11(10), 1624. http://dx.doi.org/10.3390/electronics11101624
• Mourby, M., Mackey, E., Elliot, M., Gowans, H., Wallace, S. E., Bell, J., … Kaye, J. (2018). Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research. UK. Computer Law & Security Review, 34(2), 222–233. doi:10.1016/j.clsr.2018.01.002
• Nguyen, A. (2022). Understanding Differential Privacy. Retrieved from: https://towardsdatascience.com/understanding-differentialprivacy-85ce191e198a
• NIH, (2022). Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework, All of Us Research Program. Retrieved from: https://allofus.nih.gov/protecting-data-and-privacy/precision-medicine-initiative-data-security-policyprinciples-and-framework-overview/achieving-principles-through-precision-medicine-initiative-data-security-policy-framework
• NIST, (2014). Framework Version 1.0, Retrieved from: https://www.nist.gov/cyberframework/draft-version-11
• Ohm, P. (2009). Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. UCLA Law Review, 57, 1701.
• Oqaily, M., Jarraya, Y., Mohammady, M., Majumdar, S., Pourzandi, M., Wang, L., & Debbabi, M. (2021). SegGuard: SegmentationBased Anonymization of Network Data in Clouds for Privacy-Preserving Security Auditing. The IEEE Transactions on Dependable and Secure Computing, 18(5), 2486–2505. doi:10.1109/TDSC.2019.2957488
• Samarati, P., & Sweeney, L. (1998). Generalizing Data to Provide Anonymity When Disclosing Information (Abstract). Proceedings of the Seventeenth ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Database Systems, 188. doi:10.1145/275487.275508
• Statista, (2023). Retrieved from: Number of data breaches and victims U.S. Retrieved from: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
• Sweeney, L. (2002). Achieving k-Anonymity Privacy Protection Using Generalization and Suppression. The International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10, 571-588.
• Tachepun, C., & Thammaboosadee, S. (2020, July). A Data masking guideline for optimizing insights and privacy under GDPR compliance. In Proceedings of the 11th international conference on advances in information technology, 1-9.
• Xu, J., Wang, W., Pei, J., Wang, X., Shi, B., & Fu, A. W. C. (2006, August). Utility-based anonymization using local recording.In Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, 785-790.
• Zhou, B., & Pei, J. (2011). The k-anonymity and l-diversity approaches for privacy preservation in social networks against neighborhood attacks. Knowledge and information systems, 28(1), 47-77.