Provenance literally means knowing where something came from. The term has most frequently been used in the art world as galleries, investors and archivists seek to prove the origin of specific works of art. But more recently it has been adopted by the data science community and now the wider assurance sector. Why? Knowing not only where an asset originated, but its whole history of ownership, maintenance, and changes has become a vital element in securing complex digital supply chains across connected enterprises. Just as with art, establishing provenance is complex and requires forensic analysis of detailed documentation – both call upon the skills of experienced archivists.
KNOWING WHAT YOU’VE GOT
Originally, in the art world, provenance dealt mainly with authentication of specific artworks. Was this painting really painted by Rembrandt? However, provenance also extends to the complete life history of a specific piece. Who has owned it, where has it been stored, has it been looted? Establishing a full ‘chain of custody,’ to use the legal term, is essential to support valuation and avoid falling victim to fraud or accusations of trafficking stolen goods.
Modern digital supply chains demand the same attention to provenance. For example, it is estimated that as much as 97 percent of the software code used in organizations is open source – meaning it was written by someone outside of the enterprise. Knowing where that code came from is an essential first step in managing risk. The digital economy is driven by data, and to thrive businesses of all types much find, access, consume and transform data from external sources with software from outside their organization. Knowing exactly what you are consuming and where it came from is just common sense!
AND WHERE IT’S BEEN
But establishing the origin of a critical asset is just the first step. Although artworks can be altered over their lives and are impacted by the conditions in which they are kept, the pace, variety, and interrelatedness of changes to digital assets are several magnitudes greater. Today’s digital archivists must precisely identify and record every event in an asset’s lifecycle. Who has handled, updated, maintained, and licensed it? How often has it been audited, what upstream and downstream dependencies are associated with it? And unlike the relatively small numbers of artworks in the world, a connected enterprise might need to prove the lineage and pedigree of hundreds of thousands of individual assets. Documenting and continuously auditing provenance at this scale is clearly beyond what’s humanly possible.
SCALE AND SPEED OF RISK
Not only has the pace and breadth of the challenge multiplied, but the stakes are much higher. Failing to notice, or act upon the smallest anomaly in the lineage of a critical asset could be catastrophic; acting with blind trust in unverified data could be even worse! Not only are cyber-supply chains exposed to constant attackers seeking to exploit weaknesses, but increasing automation, AI and machine learning processes rely upon verifiable data. Small errors or weaknesses can quickly cascade across organizations to become major risks.
CAPTURE EVERY LIFETIME EVENT
Our solution, RKVST, provides developers with the tools and processes to capture a full shared history of any critical asset and record everything that has happened or has been done to it. RKVST allows any organization to fully document every asset and event – who created it, who owns it, who maintains it, when was the last change made, and by whom. What’s more, it does all this as a service that can be easily integrated by developers using a simple API. Provenance can be established as a core element in any process using a few lines of code, increasing security without adding to the workload of hard-pressed developers.
A LEXICON OF SHARING
Knowing the detail of the assets your business depends on is the foundation of digital supply-chain security. But to be effective this information needs to be shared in a format that is intelligible and usable by all the parties that collaborate with an asset. Establishing clear rules around who can see what information when is a key attribute of RKVST which we’ll cover in another blog. But, creating a common lexicon, a framework for the identification of assets, and a language that describes their pedigree and lineage in common terms is fundamental to the role of an archivist, and to RKVST. As a cloud service RKVST establishes the templates, formats, and terms that ensure all parties are talking about the same thing in the same way, and that everyone that needs it has full, up-to-the-minute provenance of each asset and its lifetime of events.
Provenance is a simple concept hard to execute. It has never been more important to capture and record the complete life history of critical assets. Knowing exactly what you have, and what you are bringing into your organization, managing the dependencies stemming from those assets, and constantly monitoring them for changes is essential. RKVST establishes provenance as part of Continuous Assurance as a Service that’s easy to implement to reduce risk and save time and money. To find out more, see our documents and try it for free.