Compliant collaborations in the media industry

This article presents a solution for sensitive data collaboration between publishers, advertisers and AdTech players in a secure and privacy-compliant way using Data Clean Rooms powered by Confidential Computing.

Architecture

Workflow

The solution involves the following steps:

1. Advertiser accesses the platform through Web UI or API
2. Advertiser pre-configures a Data Clean Room with analyses
3. Advertiser uploads their data, which will be stored encrypted on Azure Blob Storage
4. Advertiser invites the Publisher to the Data Clean Room
5. Publisher uploads their data, which will be stored encrypted on Azure Blob Storage
6. Advertiser activates analysis in the Decentriq platform
7. Data will be confidentially computed in the Decentriq platform using Intel SGX or AMD SEV-SNP
8. Results will be stored encrypted and become available for review through the Web UI by both parties

The same workflow can also be initiated by the Publisher, inviting the Advertiser to collaborate.

Components

• Azure Static Web Apps are used in this architecture to host a React Web UI, allowing autoscaling and high availability without the need to manage the infrastructure.
• Azure Virtual Machines provide flexible computing resources for running applications and handling various workloads. In this architecture, the application backend is run in VMs exposing API endpoints, and can scale based on need.
• Azure Blob Storage is a scalable and secure cloud storage service designed to store and retrieve large amounts of data, used in this architecture to persist encrypted datasets.
• Azure SGX VMs offer enhanced security and protection for virtual machines (VMs) by leveraging Trusted Execution Environments (TEEs) with Intel SGX. It ensures that the data in use and the code running inside the VMs remain encrypted and protected from unauthorized access, even from the cloud provider or administrators, providing an extra layer of security for sensitive workloads and data. It's also possible to combine the use of Azure Confidential VMs with AMD SEV-SNP in case Intel SGX is too restrictive for the compute payload.
• Azure Virtual Network is used to create isolated and secure virtual networks in the cloud, allowing control over network traffic using features like subnets and security groups. In this architecture, the connectivity between Azure VMs and Azure SGX VMs is made though Azure Virtual Network.
• Azure Monitor provides a unified platform for collecting and analyzing metrics, logs, and application and network insights to ensure optimal performance, detect issues, and gain actionable insights for proactive troubleshooting and optimization.
• Azure Backup offers a reliable and scalable solution for backing up virtual machines, databases, files, and other Azure services with features like incremental backups, encryption, long-term retention, and flexible recovery options to help ensure data resiliency and enable efficient data restoration in case of hardware failures, or other data loss scenarios.

Scenario details

Secure data collaboration in the media and advertising industry is increasingly becoming a necessity. The deprecation of third-party cookies, along with an increased awareness for and legislation of consumer privacy, calls for new, privacy-centric approaches to addressing audiences with relevant advertising.

With Decentriq Data Clean Rooms, brands and publishers have a privacy-compliant and secure method for uncovering joint insights based on first-party customer and audience data — without sharing the data itself, or proprietary algorithms. Simple and secure collaboration in Decentriq Data Clean Rooms allows brands and publishers to discover and target high-value and hard-to-reach audiences, extend the reach of campaigns while maintaining targeting quality with AI-based lookalikes, and more — with broad analytical flexibility and verifiable data confidentiality.

Compliance and control are enforced through trusted execution environment hardware technologies like Intel SGX and AMD SEV-SNP, ensuring that the program code and data are isolated into an enclave that cannot be accessed or modified. Data is encrypted not just at-rest and in-transit but also in-memory while in use. This architecture guarantees that sensitive data remains inaccessible to external parties.

Potential use cases

• Activate audiences with first-party data. Brands often serve ads on premium publishers’ inventory. In order to understand the categories to target, brand and publisher data needs to be matched. However, brands and publishers are not willing to share these sensitive datasets. With Decentriq Data Clean Rooms, this analysis is possible thanks to confidential computing that enables partners to collaborate on joint datasets without having to share any raw data.
• Uncover customer insights and enrich customer data. With signal loss increasing as third-party cookies are deprecated, brands capacity to uncover insights on their customers is impacted. However brands are not willing to share their CRM data with partners. With Decentriq Data Clean Rooms, brands can enrich their customer data with new insights, collaborating with partners on joint user datasets. Thanks to confidential computing, the raw data remains verifiably inaccessible at all times, also during analysis.
• Measure online campaign performance. Online campaign performance is difficult to measure in a world where third-party cookies are blocked by many browsers. In order to track and measure campaign effectiveness, brands, retailers, and publishers need to collaborate. With Decentriq Data Clean Rooms, this collaboration can happen without the risk of breaching consumer privacy and leaking consumer valuable data, since the data stays safeguarded and encrypted at all times.

Considerations

This architecture implements the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see the Microsoft Azure Well-Architected Framework.

Security

This solution makes use of Decentriq Data Clean Rooms enabled by Confidential Computing.

Data Clean Rooms enable users to work with and collaborate on data assets with minimal risk. As the first data collaboration platform where users do not have to trust each other, the platform operator, or the cloud provider, Decentriq mitigates the risks of collaborating on sensitive data sets and helps organizations unlock the full potential of their data.

Data protection is verifiable by implementing encryption not just at-rest and in-transit but also in-memory while data is in-use. This is made possible through trusted execution environment hardware technologies like Intel Software Guard Extensions (Intel SGX) and AMD Secure Encrypted Virtualization with Secure Nested Paging (AMD SEV-SNP) on Azure confidential computing. These technologies provide support to ensure that the program code and data are isolated into an enclave that cannot be accessed or modified.

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

For a deployment in a single region, example pricing information is available in the Pricing Calculator.

Deploy this scenario

Decentriq Media Data Clean Rooms are available as a low-code/no-code SaaS offering, and can be set up in just a few minutes.

Get started today with the Azure Marketplace solution, you can check it out here.

Contributors

Eduardo Abreu | Product manager, Decentriq

Andras Slemmer | Software engineer, Decentriq

Antoine Giovangigli | Senior sales engineer, Decentriq