Partially Redacted: Data, AI, Security, and Privacy

In this episode, Sanjeev Sharma, Product Lead from Skyflow, joins the show to explore the complex landscape of payment data residency regulations in India, focusing on the Reserve Bank of India's (RBI) 2018 mandate for local data storage and its impact on digital payments. The discussion covers the regulatory roles of RBI and NPCI, the challenges international businesses face in adapting to these regulations, and the implications for consumer data protection and business continuity.

Sanjeev and Sean delve into the technical and operational hurdles companies encounter, such as interpreting intricate payment flows and modifying global IT systems for local compliance. The episode also highlights the influence of technological innovations on payment systems, like mobile penetration and UPI, and offers strategic advice for entrepreneurs navigating this regulatory environment.

The episode provides a comprehensive overview of the evolving digital payment sector in India, emphasizing the importance of regulatory compliance for fostering innovation and security.

In this episode a stellar panel of privacy engineering experts delve into the evolving world of privacy engineering. Saima Fancy, Senior Privacy Specialist for Ontario Health, Jay Averitt, Privacy Product Manager and Engineer at Microsoft, and Mira Olson, Privacy Architect at Doordash, bring diverse perspectives from their extensive experience in the field. They kick off the discussion with personal introductions, shedding light on their roles and contributions to privacy engineering.

Jay helps tackle the fundamental question, "What is a privacy engineer?" sparking a thoughtful debate. Mira builds on this by reflecting on the evolution of the role and emerging trends in privacy engineering. Saima assesses the current maturity of the profession, highlighting areas of progress and those needing improvement.

The panel discusses the challenges and opportunities facing privacy engineers, with each guest offering insights from their unique vantage points. They explore the core responsibilities and misconceptions about the role, the need for specialized skills and certifications, and the importance of interdisciplinary collaboration. Ethical considerations and the balance between user privacy and technological innovation are also dissected.

The discussion dives into the growing privacy concerns surrounding AI and whether we need specialized regulations. Finally, the panel looks towards the future of privacy engineering over the next decade and what they’d change and impact they’d like to see.

In this episode, Pramod Raghavendran, a privacy engineering expert with prior experience at Google and Coinbase, joins the show. Together, Sean and Pramod discuss the dynamic landscape of privacy engineering, addressing hot topics and changes since Pramod's last appearance.

The conversation delves into the unique role of privacy engineers compared to security engineers, emphasizing collaboration between privacy and security teams. Pramod shares insights into how privacy functions intersect with security, governance, and data platforms. The episode also explores real-world examples, best practices, and future trends, offering a concise yet comprehensive look at the evolving relationship between privacy and other functions within organizations.

In this episode, Roshmik Saha, Co-founder and CTO of Skyflow, discusses the critical importance of Personally Identifiable Information (PII) data isolation. The principle is straightforward—separate sensitive and non-sensitive data for effective data governance and privacy. The conversation covers historical origins, government use, and real-world examples from companies like Apple and Google.

The episode explores why PII isolation is vital, detailing risks and consequences of not implementing it effectively. Roshmik contrasts data isolation with encryption and access control, emphasizing practicality. "Zero trust" in data security is introduced as a verification-centric approach. Challenges in isolating PII are acknowledged, with a focus on security principles.

Best practices for PII isolation include a "need to know" basis and fine-grained access control. Roshmik provides advice for organizations, urging them to prioritize isolation, avoid integration pitfalls, and adopt a zero-trust mindset for enhanced data security.

In this episode, we delve into developer experience (DX) and its pivotal role in data protection, security, and privacy. Ram Muthukrishnan, a product manager at Skyflow, joins the show again to share insights into DX's definition, the key elements of a great DX, and notable companies excelling in this domain. We explore the challenges developers face in implementing secure and privacy-respecting software, emphasizing the need to strike a balance between efficiency and robust security measures.

The conversation extends to how a developer's role evolves when tasked with integrating privacy and security into their code and essential skills for this role. We discuss best practices for infusing privacy and security considerations into the software development process, with a reference to Google's approach in product launches.

We also address common misconceptions, challenges with security tools, and how a better DX can enhance adoption. Furthermore, we highlight the significance of a positive DX in shaping data protection, especially in sectors like healthcare and finance. This episode offers a concise yet comprehensive exploration of DX's technical underpinnings and its profound impact on data security and privacy.

Robin Andruss, Skyflow’s Chief Privacy Officer is back to talk about AI governance and responsible AI. We touch on recent talks Robin gave at InfoGov World and IAPP PSR on privacy-enhancing technologies and AI governance.

In this episode, Robin sheds light on the pressing issues of data privacy within this new era of AI-driven product and consumer experiences. She discusses the key privacy challenges inherent to AI, highlighting the concerns voiced by privacy professionals as they navigate this evolving landscape. Robin explores how AI differs from previous technologies in terms of regulation and shares best practices for organizations to ensure data privacy when implementing AI solutions.

Topics:

• How does data privacy relate to AI, and what are the key privacy challenges associated with AI?
• What are you seeing amongst the privacy professionals in terms of concern around AI?
• Why is AI different from perhaps other forms of technology that we’ve developed regulations for in the past?
• What is AI governance?
• What are the ethical considerations when implementing AI technologies?
• Can you share some real-world examples of AI applications that have raised ethical concerns?
• What do companies working in the AI space or those interested in integrating with AI platforms or building out new products be thinking about when it comes to AI, privacy, and governance?
• Why is transparency and explainability important in AI, and how can organizations achieve these goals?
• Are there specific tools or methodologies that can help in making AI systems more transparent and understandable?
• What do you think the future looks like in terms of regulating AI?

In this episode, we discuss the evolving landscape of data protection, especially in the context of India's DPDP law. Kuldeep Tomar, the Head of Information Security at Games24x7, delves into the significance of safeguarding data beyond just access control, highlighting the importance of data protection itself. He discusses how data protection is a critical facet of a Chief Information Security Officer's (CISO) responsibilities and how a robust data protection strategy can enhance an organization's ability to respond effectively to data breaches, aligning with the DPDP's mandates.

Topics:

• Many people think of cybersecurity as primarily controlling who has access to data. Why is it important to emphasize the protection of the data itself, beyond just access control?
• How does a strong data protection strategy improve an organization's ability to respond to data breaches or security incidents as mandated by DPDP?
• Discuss the importance of continuous monitoring and auditing of data access and usage, and its alignment with DPDP compliance.
• DPDP encourages the principle of data minimization. Can you explain what this means and how it can be practically implemented?
• For organizations with a global presence, how can they ensure compliance with DPDP when transferring data internationally, considering data sovereignty?
• What are the biggest challenges companies face when it comes to complying with data privacy regulations in APAC?
• What are the key challenges that companies operating in India face when it comes to complying with data privacy regulations?
• How do cultural differences across APAC impact data privacy practices and regulations?
• What do you anticipate happening in APAC with regards to privacy regulations or the focus on privacy for companies over the next 3-5 years?

Former Chief Compliance and Privacy Officer of GeneDx, Murali Mani, joins the show to discuss data privacy in healthcare. Murali spent over 15 years working in privacy and healthcare across companies like Philips, IBM, and GeneDx.

In this episode he shares his thoughts on common misconceptions about data privacy in healthcare, breaks down which regulations apply to which type of company, history of privacy in healthcare, and the challenges companies face with compliance and data protection.

Topics:

• What are some common misconceptions or misunderstandings about data privacy in healthcare that you often encounter?
• How has the landscape of healthcare data privacy evolved in recent years, and what new challenges have emerged
• Traditionally security and privacy in health is not tightly controlled. Why is that?
• Historically, how do pharma and drug companies manage and secure personal data?
• What’s the problem with attempting to manage privacy challenges with purely written policies?
• How can companies accelerate compliance and prioritizing privacy?
• How can companies build trust and transparency with patients and data subjects?
• How does gen AI play a role?
• What’s the future look like for companies in this space? If you were advising a company today, what would your suggestion be for managing this problem?

Sam Sternberg, Customer Programs Lead at Skyflow, joins the show to discuss the world of privacy and security at scale within large enterprises. We explore the complex infrastructure, regulatory challenges, and evolving technologies that these giants face in protecting customer and employee data. From managing expansive data infrastructures and international privacy regulations to securing data in the cloud, both multi-cloud and hybrid cloud and harnessing AI, we provide insights and best practices for safeguarding sensitive information.

Check out the episode to delve into the technology and people-centric approaches to privacy and security within the data landscape of large organizations.

Topics:

• When we’re talking about a large enterprise, can you paint a picture for what the infrastructure of these companies might look like? How many databases, servers, and people are involved?
• What are the fundamental differences between data management in small to medium-sized businesses and large enterprise organizations, especially concerning security and privacy?
• How does the scale and complexity of data infrastructure in large companies impact their ability to maintain data privacy and security effectively?
• What are the main regulatory frameworks that enterprise companies must navigate, and how do these impact data management strategies?
• Large enterprises often have extensive data lakes and warehouses. How can these organizations ensure the confidentiality, integrity, and availability of their data in such environments?
• With the increasing adoption of cloud services, how should large enterprises approach cloud security and privacy concerns, especially in multi-cloud or hybrid cloud environments?
• Could you share some best practices for securely managing customer and employee data, considering the unique challenges faced by big companies in this regard?
• How has the adoption of artificial intelligence and machine learning impacted data security and privacy practices in large organizations, and what precautions should they take when implementing these technologies?
• Many large enterprises operate globally. How does managing security and privacy requirements across different countries and regions impact their strategies and challenges?
• What emerging trends or technologies do you foresee having a significant impact on data security and privacy in large enterprises in the near future?

In this episode, Ram Muthukrishnan, Senior Product Manager at Skyflow, joins the show to delve into the fundamental aspects of data protection.

Ram demystified key concepts like redaction, masking, and encryption, shedding light on their significance in the world of data protection. Ram walked us through the practical applications of these techniques and their role in ensuring data privacy and security in today's digital landscape.

Topics:

• Why is it important to protect sensitive customer data?
• What are the key differences between redaction, masking, encryption, and tokenization as data protection techniques?
• How does data redaction work, and in what scenarios is it typically used?
• What’s it mean to mask data and what are the different approaches?
• Can you break down the basics of encryption for our listeners?
• What are the primary differences between symmetric and asymmetric encryption, and when should each be used
• Tokenization is often associated with payment data. Could you explain how tokenization replaces sensitive data with tokens and its advantages?
• When does it make sense to use tokenization versus something like encryption? What advantages or disadvantages are there to tokenization?
• Access control is a critical aspect of data protection. How does it work, and what are some best practices for implementing effective access control measures?
• How can organizations balance the need for data security with the requirement for data accessibility by authorized personnel?
• Are there any common misconceptions or challenges when it comes to implementing these data protection techniques?
• What are some emerging trends or technologies in the field of data protection that we should be aware of?

Resources:

• Confidential Computing and Secure Enclaves with AWS's Arvind Raghu
• Secure Multi-Party Computation Explained with Skyflow's Liz Acosta
• Homomorphic Encryption with Skyflow’s Avradip Mandal

In this episode, we dive into the realm of cloud security with Merritt Baer, Field CISO of Lacework. Together, we look at the complex tapestry of perceptions surrounding on-premises security versus the cloud, shedding light on why some still view on-prem as the safer option.

Merritt lends her expertise to dissect the trade-offs that companies face by remaining in the traditional on-premises sphere rather than embracing the potential of the cloud. We explore the security considerations unique to the cloud-native world, offering insights into what it takes to navigate this transformation securely.

Whether you're a seasoned professional or just beginning your cloud journey, this episode will expand your understanding of cloud security, uncovering the pros, cons, and crucial factors to ponder when venturing into the realm of cloud computing.

Topics:

• Why do people think on-prem is more secure?
• What are the tradeoffs a company is making when they refuse to move to the cloud?
• What are the new challenges facing a company once they’ve moved to the cloud from a security perspective that perhaps they didn’t face in the on-prem world?
• Does the cloud reduce or increase your security risk footprint?
• Does the type of talent and team look different?
• How are cloud-native security tools and platforms different from traditional on-premises security solutions?
• How do you manage security at this kind of scale?
• As organizations adopt multi-cloud and hybrid cloud strategies, how do you recommend they maintain consistent security measures across different cloud environments?
• What are some emerging security threats in the cloud landscape, and how can organizations proactively defend against them?
• What is keeping CISOs up at night?

In this episode, we explore the world of General Data Protection Regulation (GDPR) Catawiki’s Data Protection Lead Paul Breitbarth. We cover GDPR's history, business essentials, compliance significance, and the art of harmonizing business objectives with regulatory demands.

Paul breaks down key GDPR components, emphasizing their role in safeguarding data privacy. From data handling to breach notification, listeners gain insights into essential compliance steps.

The heart of the conversation revolves around the challenge of balancing business goals with GDPR rules. Practical strategies are discussed, including privacy-conscious approaches and effective data protection policies. This episode is a guide for businesses and individuals navigating GDPR's complexities, offering actionable insights for responsible data management and privacy protection.

Topics:

• What was the immediate impact on businesses when GDPR came into effect? How did the world respond?
• What are the main requirements of a business when it comes to GDPR?
• What are the key rights granted to individuals under GDPR, and how can they exercise these rights?
• What are the technical requirements?
• What are some common challenges businesses face when implementing GDPR compliance?
• How has GDPR influenced the handling of data breaches and security incidents?
• What are the fines for non-compliance?
• What does it mean to be compliant?
• Can you really be 100% compliant? Is that realistic?
• How can a business navigate GDPR compliance, balance all the needs, and still do business?
• What are the responsibilities and obligations of data processors and data controllers under GDPR?
• Are there any recent updates or amendments to GDPR that businesses should be aware of?
• What’s the future of GDPR?

In this episode, Ray Everett, Head of Privacy and Data Protection at Avellino Lab, joins the show to discuss the rise of the privacy officer. The conversation delves into the essential role of privacy officers, providing listeners with a comprehensive understanding of their responsibilities and the challenges they encounter. Ray offers practical advice on effectively finding and hiring privacy officers, as well as initiating and managing successful privacy programs. This episode is a must-listen for anyone seeking to navigate the ever-evolving landscape of privacy protection.

Topics:

• How has the privacy landscape changed throughout your career? What are some of the big changes from when you started to today?
• Can you describe the role and responsibilities of a Chief Privacy Officer? How has this evolved over time?
• What does this function end up looking like within a large organization? Who’s on the team?
• When should a company be building a privacy function? How do they know they need it?
• When a company decides to establish a privacy officer role, what factors should they consider in determining the scope and authority of the position?
• How does one go about finding a qualified privacy officer? What skills, qualifications, and experience should be sought after?
• What sets a great privacy officer apart from an average one?
• Let’s say I’m a founder and I realize I should hire a privacy officer and build a privacy function, but I have no experience with it, I just know I need to do it. Where do I start? How do I know what to look for in a potential candidate?
• During the hiring process, what specific interview questions should I be asking? What kind of positive or negative signals should I be testing for?
• Even when privacy organizations exist, they are often under-resourced and under-appreciated. What are your suggestions or thoughts on how a privacy officer can work with an organization to prevent this from happening?
• What’s the typical career path for someone looking to move into privacy? What do you recommend for those listening that might want to build a career in privacy?
• What are your thoughts on the future of the privacy officer? Will they own more budget, have more authority?

Resources:

• Ray Everett LinkedIn
• International Association of Privacy Professionals

In the podcast episode Jodi Daniels, Founder & CEO of Red Clover Advisors, and Justin Daniels, Legal and Corporate Counsel at Baker Donelson, share valuable insights on privacy and security considerations in product development. They discuss the common mistakes made and the crucial questions to ask when designing new products, emphasizing the need for proactive data protection.

Jodi and Justin delve into core principles and best practices for integrating privacy-by-design, highlight the risks of neglecting privacy and security during product development, and explore ways to balance innovation and functionality with privacy and data protection requirements. They also address the importance of ingraining privacy and security throughout the product life cycle and provide guidance on evaluating the privacy and security implications of emerging technologies like AI.

Topics:

• From your point of view, what do you think is the biggest mistake or oversight people make when building new products when it comes to privacy and security?
• What kind of questions should I be asking myself when designing a new product when it comes to data protection?
• What are the core principles and best practices for operationalizing privacy-by-design when developing new products?
• What are the potential risks and challenges associated with neglecting privacy and security considerations during the product development phase?
• How can organizations effectively balance the need for innovation and functionality with the requirements of privacy and data protection?
• What steps can companies take to ensure that privacy and security are ingrained throughout the product life cycle, from design to deployment?
• Are there any specific regulations or standards that companies should be aware of when it comes to privacy and security in new product development?
• What are some of the privacy and security challenges facing companies interested in generative AI?
• When it comes to any kind of new technology, like AI, how can individuals and businesses evaluate the privacy and security implications before integrating them into their operations?
• What are some common misconceptions or myths surrounding privacy and security in AI, and how can they be addressed?

Resources:

• Data Reimagined: Building Trust One Byte at a Time

In this episode, Rachael Ormiston, Head of Privacy at Osano, joins the show to discuss the impact of generative AI on privacy. We covered a wide range of topics, including Rachael's initial impression of ChatGPT and the risks associated with generative AI. We also explored Italy's recent ban on ChatGPT, the measures that can be taken to mitigate risks and protect privacy, and how businesses and organizations can leverage generative AI responsibly without infringing on people's privacy rights.

Furthermore, we delved into the role of policymakers in regulating the use of generative AI to ensure privacy protection, as well as the ethical considerations that should be taken into account. Rachael provided valuable insights on how individuals can protect their privacy in the age of generative AI and the steps they can take to safeguard their personal information. Finally, we discussed the future of generative AI, highlighting the need to harness its potential while ensuring that privacy remains a top priority.

Join us in this enlightening conversation as we navigate the intersection of Generative AI and privacy, gaining valuable insights from Rachael Ormiston's expertise.

Topics:

• What was your first impression of ChatGPT?
• How can generative AI impact privacy, and what are some of the risks associated with it?
• Recently Italy became the first western country to ban ChatGPT, why did they do this?
• What might this mean for other countries?
• What measures can be taken to mitigate the risks of generative AI, and how can we ensure that privacy is protected?
• How can businesses and organizations leverage generative AI while ensuring that they don't infringe on people's privacy rights?
• How can policymakers regulate the use of generative AI to ensure that it doesn't infringe on people's privacy rights?
• What ethical considerations should be taken into account when using generative AI, and how can we ensure that it is used responsibly?
• How can individuals protect their privacy in the age of generative AI, and what steps can they take to safeguard their personal information?
• What is the future of generative AI, and how can we harness its potential while ensuring that it doesn't pose a threat to our privacy?

In this podcast episode, Jimmy Fong, Chief Commercial Officer at Seon, discusses online fraud and the role of Seon's fraud prevention tool. Jimmy covers common fraud patterns, evolving tactics, and the challenges of distinguishing legitimate user behavior from fraudulent activities. He shares Seon's journey, emerging fraud patterns, and best practices for security. Jimmy emphasizes collaboration and information sharing, highlighting the potential of generative AI in fraud prevention.

Topics:

• How does online fraud work and why is it such a concern for online businesses and consumers?
• What are some common fraud patterns that individuals or businesses should be aware of when conducting transactions online?
• How has fraud patterns changed over time?
• How do fraudsters typically exploit vulnerabilities in online systems to carry out their fraudulent activities?
• Why fraudulently submit demo requests to a business? What is a fraudster attempting to do?
• What are the challenges and complexities involved in distinguishing between legitimate user behavior and fraudulent activities?
• How did Seon start?
• Are there any notable trends or emerging fraud patterns that you've observed recently? How should businesses adapt to stay ahead of evolving fraud tactics?
• What are some best practices that individuals and businesses can implement to enhance their overall security posture and minimize the risk of falling victim to online fraud?
• How important is collaboration and information sharing between businesses, industry associations, and law enforcement agencies in combating online fraud? Are there any notable initiatives in this regard?
• In your opinion, what does the future of fraud prevention look like? What role might generative AI play on both sides?

Resources:

• Seon
• SEON Cat & Mouse Podcast

Manny Silva, Skyflow’s Head of Documentation, joins the podcast to share his journey of tinkering with generative AI systems and building a private GPT trained on internal Skyflow documents.

Manny discusses his first impression of ChatGPT, how he got interested in this space as a technical writer, and the non-obvious insights he gained along the way. He addresses common misconceptions about GPT, particularly regarding privacy and security. Manny explains the concept of creating a private GPT and explores the reasons why organizations would want to implement it. He provides valuable insights into effectively integrating a private GPT into existing workflows and systems, along with the challenges and considerations companies should be aware of.

Manny shares best practices for training and fine-tuning a private GPT to ensure optimal performance and accuracy. He delves into the impact of his work at Skyflow and the enhanced productivity observed in the field. Finally, Manny looks ahead to future advancements and trends in the field of private GPTs and discusses their transformative potential in the realms of documentation, product launches, and marketing.

Topics:

• When you first saw ChatGPT, what was your first impression?
• As a technical writer, how did you get so interested in this space and start tinkering with the Open AI platform and APIs?
• What are some of the non-obvious things you learned as you dove into this?
• What are some of the common misconceptions you’re seeing when it comes to GPT, in particular when talking about privacy and security?
• What’s it mean to create a private GPT and why would someone want to do that?
• How can organizations effectively implement and integrate a private GPT into their existing workflows and systems?
• What are some common challenges or considerations that companies should be aware of when building and utilizing a private GPT?
• What are some best practices and strategies for training and fine-tuning a private GPT to ensure optimal performance and accuracy?
• Can you describe what you built at Skyflow that leverages private GPT?\
• What kind of impact are you seeing in terms of yours or other people’s productivity?
• Looking ahead, what advancements or trends can we expect to see in the field of private GPTs, and how will they continue to transform the way we work with documentation, product launches, and marketing?

Resources:

• Privacy-First AI: Harnessing Snowflake and Skyflow to Customize GPT
• Generative AI Data Privacy with Skyflow GPT Privacy Vault

In this episode, Ashley Jose, a product lead at Skyflow with a decade of experience in SaaS product management, explores the importance of data governance in today's data-driven world. He discusses the impact of growing data on business decisions and highlights the key components of an effective data governance framework.

Ashley addresses misconceptions, explains the evolution of data governance, and its intersection with data privacy regulations. He also explores how data governance works within Skyflow's data privacy vault approach.

Ashley addresses common misconceptions about data governance and dispels myths surrounding the topic. He then delves into the evolution of data governance in the face of big data and technological advancements, highlighting both new challenges and opportunities. He explains how organizations must navigate privacy regulations like GDPR and incorporate them into their data governance strategies.

Drawing on Skyflow's expertise in data privacy vaults, Ashley explains how data governance functions within their approach. He demonstrates how this approach addresses challenges related to controlling access to sensitive data.

Ashley provides practical advice for engineers and technical professionals looking to enhance their involvement in data governance initiatives.

Topics:

• How has the growth of data that businesses store, process, and analyze impacted how they make business decisions?
• Can you explain what data governance is and why it is important in the context of today's data-driven world?
• What are the key components of a comprehensive data governance framework?
• What are the main challenges organizations face when implementing effective data governance practices? How does data governance impact engineers and technical teams directly? What role do they play in ensuring successful data governance?
• What are some common misconceptions or myths about data governance that you often come across? How would you address them?
• With the rise of big data and advancements in technology, how has data governance evolved over the years? Are there any new challenges or opportunities that have emerged?
• How does data governance intersect with data privacy and compliance regulations, such as GDPR or CCPA?
• In the context of Skyflow and the data privacy vault approach to the management of sensitive data, how does data governance work?
• How does a data privacy vault help address some of the challenges with controlling access to sensitive data?
• Are there any emerging trends or technologies in the data governance space that you find particularly interesting or promising?
• Do you have any practical advice or recommendations for engineers and technical professionals who want to enhance their understanding and involvement in data governance initiatives within their organizations?

Resources:

• Introducing the Skyflow Data Governance Engine
• Data Access Control with lakeFS’s Adi Polak
• The Partially Redacted 2022 Year in Review with Skyflow’s Ashley Jose
  

In this episode, Anshu Sharma, CEO and co-founder of Skyflow highlights the alarming disparity between the millions of dollars companies invest in cybersecurity and the persistent occurrence of breaches and cyber attacks. Despite these hefty investments, current approaches to cybersecurity are simply not enough to protect customer data. It's like putting a bandaid on a broken arm - it might temporarily cover the problem, but it won't heal the underlying issue.

According to Anshu, what we truly need is a security by default approach. We require systems that not only secure customer Personally Identifiable Information (PII) but also understand and handle the various types of workflows involving PII. This means implementing measures that go beyond mere protection and actively support the necessary tasks and operations involving sensitive data.

Skyflow has developed technology that addresses these challenges. Skyflow not only ensures the security of PII but also supports the specific workflows associated with it. By doing so, Skyflow's technology effectively insulates applications from the burdensome responsibility of managing customer data, allowing organizations to focus on their core business objectives.

Topics:

• Are we getting better at protecting customer data or worse?
• Why has the software industry failed at cybersecurity?
• How do you think the trend towards increased regulation and oversight of the cybersecurity industry will impact the development and adoption of new security technologies?
• What is security-by-default?
• What are some of the tactics companies can use to build products that are secure-by-default?
• How does this approach potentially change the culture of the company?
• What’s an example of a company building products with security built-in?
• What inspired you to start Skyflow, and how does your solution address the current challenges with cybersecurity in the software industry?
• What is the key difference between what Skyflow offers and what’s historically been done by businesses for data protection?
• How do you see the software industry evolving in terms of cybersecurity in the next few years, and what role do you think companies like Skyflow will play in this transformation?
• What’s next for Skyflow?

Resources:

• The software industry has failed at cybersecurity. What, now?
• Privacy by Architecture with Anshu Sharma

In this episode Roshmik Saha, Head of Engineering at Skyflow, dives into the fascinating realm of data privacy and security solutions. Whether you're considering building your own privacy solution or seeking insights into the infrastructure requirements for handling credit card data securely, this episode has you covered.

One important aspect that often goes underestimated is the maintenance costs associated with data privacy solutions. Roshmik emphasizes the significance of factoring in long-term maintenance expenses, as these solutions require ongoing updates, monitoring, and enhancements to adapt to evolving threats and regulations. It's crucial to recognize that compliance is merely a baseline and that solely building for compliance may not offer state-of-the-art security. Roshmik shares his expertise on how to go beyond compliance and implement robust security measures to protect sensitive data effectively.

During the conversation, Roshmik highlights key considerations and features when building a data privacy solution to securely store and govern access to data. From encryption techniques and access control mechanisms to comprehensive auditing capabilities, he offers insights into the foundational elements required for a robust privacy solution. Additionally, he emphasizes the importance of incorporating state-of-the-art security technologies and features to reduce the risk of data breaches and potential reputational damage.

Scalability is another critical aspect to address when developing a data privacy solution. Roshmik sheds light on the challenges faced by engineering teams in ensuring that the solution can meet the needs of a growing organization. He discusses strategies for building a scalable architecture that can handle increasing data volumes, user demands, and operational complexities.

Throughout the episode, Roshmik provides practical advice and shares his thoughts on various topics, including the future of data privacy and security technologies. By drawing from his vast experience and expertise, you'll gain valuable insights into building a data privacy solution that not only meets regulatory requirements but also ensures resilience against cyber attacks.

Topics:

• If I told you I was starting a B2C company and I was going to build my own privacy and security solution, what would your advice be
• Considering just credit card data, what would I need from an infrastructure standpoint to securely store, handle, and process credit card data?
• Beyond infrastructure costs, what other types of costs would I need to think through?
• What are the types of features or technologies I’d need to build to meet existing privacy requirements but also reduce the risk that I end up in the news for a data breach?
• What are the key considerations or features when building a data privacy solution to securely store data and govern access?
• What’s the engineering cost to build and maintain these?
• What kind of expertise does an engineering team require to build something that you think not only meets regulatory requirements, but also is resilient to cyber attacks?
• What are the most important security measures that need to be put in place to protect data privacy?
• How do you test and evaluate the effectiveness of the data privacy solution?
• How do you ensure that the data privacy solution remains up-to-date with evolving data privacy regulations and best practices?
• What are the biggest challenges that engineering teams face when building a data privacy solution?
• How do you ensure that the data privacy solution is scalable to meet the needs of a growing organization?
• Why do you think companies try to do this themselves?
• How do you ensure that the Skyflow is resilient to cyber attacks and other security threats?
• What advice would you give to other engineering teams building a data privacy solution for their organization?
• Are there any future data privacy or security technologies you’re excited about?

In this episode, Constantine Karbaliotis from nNovation, a certified privacy professional with a wealth of experience in the field of privacy and data protection joins the show. Constantine has served as a privacy officer for two multinational corporations, and now serves multiple organizations as a privacy advisor.

Constantine is well-versed in a range of privacy program management areas, including policy development, implementing PIA/PbD programs, vendor privacy management, breach management and response, addressing notice, consent, and data subject rights issues, as well as contract issues such as data transfer agreements and security/privacy addenda.

During our conversation, we explore the evolution of Canadian data privacy regulations, from their early beginnings to the current landscape, which is shaped by a range of federal and provincial laws. We discuss the primary Canadian privacy regulations that individuals and organizations should be aware of, and the differences between federal and provincial privacy laws, and how they impact individuals and organizations.

We also delve into how the Canadian government enforces privacy regulations, and the penalties that individuals and organizations can face for non-compliance. Additionally, we examine how recent high-profile data breaches have affected Canadian privacy regulations and the changes made in response.

We explore the challenges posed by emerging technologies, such as artificial intelligence and the Internet of Things, and their impact on Canadian privacy regulations. We also look at how individuals and organizations can stay up-to-date with the latest developments in Canadian privacy regulation and the resources available to help them comply.

Topics:

• How has Canadian privacy regulation evolved over the years, and what impact has this had on individuals and organizations?
• What are the primary Canadian privacy regulations that individuals and organizations should be aware of?
• What are the differences between federal and provincial privacy laws in Canada, and how do they impact individuals and organizations?
• How does the Canadian government enforce privacy regulations, and what penalties can individuals and organizations face for non-compliance?
• How have recent high-profile data breaches affected Canadian privacy regulations, and what changes have been made in response?
• How does Canadian privacy regulation compare to other countries, such as the EU's General Data Protection Regulation (GDPR)?
• How can individuals and organizations stay up-to-date with the latest developments in Canadian privacy regulation, and what resources are available to help them comply?
• How do emerging technologies, such as artificial intelligence and the Internet of Things, affect Canadian privacy regulations, and what challenges do they pose?
• What do you see as the future of Canadian privacy regulation, and how do you think it will continue to evolve in the years to come?

Resources:

• nNovation

In today's digital age, data privacy and security have become critical concerns for companies of all sizes. One way for companies to demonstrate their commitment to protecting customer data is by achieving SOC-2 compliance. But what exactly is SOC-2, and how can companies achieve it?

To answer these questions, Daniel Wong, Head of Security and Compliance at Skyflow, joins the show to share his insights into SOC-2 compliance and the steps companies can take to achieve it.

Throughout the interview, Daniel explains what SOC-2 compliance is, why it's important, and how it differs from other compliance standards. He also walks us through the key steps businesses can take to achieve SOC-2 compliance, including risk assessment, gap analysis, and remediation.

Daniel also highlights the benefits of using Skyflow's platform to achieve SOC-2 compliance, such as its ability to help companies protect sensitive data while still enabling secure data sharing. He also discusses the challenges that businesses may face when pursuing SOC-2 compliance and how to overcome them.

Whether you're a business owner or a data privacy professional, this interview with Daniel Wong provides valuable insights into SOC-2 compliance and how to achieve it.

Topics:

• Can you explain what SOC-2 compliance is, and why it's important for businesses to achieve it
• What’s the difference between SOC-2 Type 1 and Type 2?
• How do these compare to ISO 27001?
• How does SOC-2 compliance differ from other compliance standards, such as PCI DSS or HIPAA?
• What are some common challenges that businesses face when pursuing SOC-2 compliance, and how can they overcome them?
• Can you walk us through the key steps that businesses need to take to achieve SOC-2 compliance?
• Skyflow Data Privacy Vault is SOC-2 compliant, how long did that take and what was involved?
• What’s that mean for our customers that want to achieve SOC-2 compliance?
• What advice would you give to businesses that are just starting their SOC-2 compliance journey?
• With something like a car, I can’t just manufacture a car in my house and start selling it. There’s certain inspections from a safety perspective that I have to pass. Do you think software needs more requirements like this before you can just launch something and start having people use it?
• Where do you see standards like SOC-2 going in the future?

Resources:

• Common Data Security and Privacy Mistakes with Daniel Wong
• Skyflow is Certified SOC 2 Compliant

Data access control is becoming increasingly important as more and more sensitive data is being stored and processed by businesses and organizations. In this episode, the VP of Developer Experience at lakeFS, Adi Polak, joins to help define data access control and give examples of sensitive data that requires access control.

Adi also talks about the concept of role-based access control (RBAC), which differs from traditional access control methods and provides several advantages. The steps involved in implementing RBAC are discussed, as well as best practices and challenges. Real-world examples of RBAC implementation and success stories are provided, and lessons learned from RBAC implementation are shared.

We also discuss lakeFS, an open-source platform that provides a Git-like interface for managing data lakes. In particular, we get into the data management controls, the security and privacy features, and the future of the product.

Topics:

• What are some common types of data access controls?
• Why are these types of controls important?
• How can RBAC help organizations better manage and secure their data?
• What are some challenges in implementing effective data access controls?
• How can organizations balance data security with the need to provide employees with the information they need to do their jobs?
• What are some best practices for managing data access control?
• How do you ensure that data access controls remain effective over time as your organization grows and changes?
• What is lakeFS?
• What model of data access management does lakeFS support?
• What are some of the other privacy and security features of lakeFS?
• What’s next for lakeFS? Anything you can share?
• Where do you see data access control going in the next 5-10 years?

Resources:

• lakeFS Roadmap
• Scaling Machine Learning with Spark: Distributed ML with MLlib, TensorFlow, and PyTorch

Europe has seen a significant evolution in privacy regulation over the past decade, with the introduction of the EU's General Data Protection Regulation (GDPR) in 2018 being a significant milestone. The GDPR establishes a comprehensive framework for protecting personal data and gives individuals greater control over how their data is collected, processed, and used.

The impact of these privacy regulations on businesses has been significant. Companies that operate in the EU or process EU citizens' data must comply with the GDPR's requirements or face significant fines and other penalties. This has required many businesses to implement new processes and technologies to ensure compliance, such as appointing data protection officers, conducting privacy impact assessments, and implementing data subject access request processes.

One particularly tricky situation to navigate for businesses is transatlantic data transfers.

Transatlantic data transfers face numerous challenges, including differing legal frameworks and data protection standards between the European Union (EU) and the United States (US). These differences can create legal uncertainty and potential risks for companies that transfer personal data across the Atlantic. In particular, the invalidation of the EU-US Privacy Shield framework by the European Court of Justice in 2020 has left companies without a clear mechanism for transatlantic data transfers, highlighting the need for a new agreement that meets the requirements of both the EU and the US. Additionally, concerns about government surveillance and data breaches have further complicated the transatlantic data transfer landscape, underscoring the need for strong data protection measures and clear regulatory frameworks.

Privacy and data protection writer and expert Robert Bateman, who has published over 1500 articles related to privacy, joins the show to breakdown the evolution of privacy regulations in Europe, the impact that’s had on businesses, and explain the challenges surrounding transatlantic data transfers.

Topics:

• How have privacy regulations evolved and what impact have they had for businesses?
• Can you discuss some of the history of Meta challenges in Europe?
• How enforceable are the fines? Do companies actually end up paying the fines?
• What are the key concerns around transatlantic data transfers?
• How do the cultural differences between the US and EU impact their approach to privacy and what impact has this had?
• How do organizations ensure compliance with privacy laws when transferring data between the US and EU?
• EU and US data transfers. How do we make progress?
• Could someone build meta from scratch today such that it is in compliance or is a business like this something that just can't exist under European privacy laws?
• What are your thoughts on the impact that generative AI might have on privacy?

Resources:

• Data Protection Newsletter

Zero trust infrastructure is an approach to security that requires all users, devices, and services to be authenticated and authorized before being granted access to resources. Unlike traditional security models that assume everything inside the network is trusted, zero trust assumes that all traffic is untrusted.

In today's world, where cyber threats are becoming increasingly sophisticated, Zero trust infrastructure is crucial for protecting sensitive data and preventing unauthorized access.

Hashicorp is a company that provides a suite of tools for building and managing secure systems. Their products, such as Vault, Consul, and Boundary, can help organizations implement a zero trust approach to security.

Vault is a tool for securely storing and managing secrets such as passwords, API keys, and certificates. It provides a centralized place to manage access to secrets and has several features to ensure the security of these secrets, such as encryption, access control, and auditing.

Consul is a service discovery and configuration tool that provides a secure way to connect and manage services across different networks. It provides features such as service discovery, health checking, and load balancing, and can be integrated with Vault for secure authentication and authorization.

Boundary is a tool for securing access to infrastructure and applications. It provides a secure way to access resources across different networks and can be integrated with Vault and Consul for secure authentication and authorization.

Rosemary Wang, Developer Advocate at Hashicorp joins the show to explain zero trust infrastructure and how Vault, Consul, and Boundary help organizations build zero trust into their architecture.

Topics:

• Why do you think we need developer tooling for access and authorization at a lower level within someone’s infrastructure?
• Can you explain what zero trust is and why it's important for modern security architectures?
• How does HashiCorp Vault, Boundary, and Consul fit into a zero trust security model?
• What is HashiCorp Vault and what problem does it help a company solve?
• What are some common use cases for HashiCorp Vault, and how can it help organizations with their security and compliance requirements?
• How does HashiCorp Vault handle secrets rotation and expiration?
• What is application based networking and how does this concept relate to HashiCorp Consul?
• Can you walk us through the process of setting up and configuring HashiCorp Consul for a typical enterprise environment?
• What are some common challenges or pitfalls that organizations face when using HashiCorp Consul, and how can they overcome them?
• How does Boundary simplify remote access to critical resources in a zero trust environment?
• What are some common use cases for HashiCorp Boundary, and how can it help organizations with their security and compliance requirements?
• How does HashiCorp approach balancing security with ease of use for its products?
• Can you talk about any upcoming features or developments in Vault, Boundary, or Consul that users should be excited about?

Resources:

• @joatmon08
  
  

The privacy landscape is changing. There is increasing consumer awareness and concern over the use of their personal data and there’s an ever growing list of privacy regulations that companies need to navigate.

Regulations like GDPR, CCPA, and others carry stiff fines for companies that fail to comply with data deletion requests. However, actually being able to delete someone’s information from an existing system is more complicated than you might expect. Large systems have been developed over many years ignoring the potential impact of PII sprawl. As a consequence, user data is everywhere and no one actually knows all the locations it might exist in.

A data privacy vault is an architectural approach to data privacy that helps address data deletion, mapping, and other data privacy challenges. A data privacy vault is an isolated, protected, single source of truth for customer PII.

Lisa Nee, Compliance Officer United States, Data Privacy Legal Expert North America and Legal Advisor Americas for Atos and Robert Duffy Counsel for McDermott Will & Emery with a focus in privacy and cybersecurity have spent their careers working in privacy. They join the show to discuss why 2023 is the year of privacy, the impact that failing to delete data is having on businesses, and how a data privacy vault along with synthetic data are the keys to addressing these problems.

Topics:

• Why is 2023 the year of privacy?
• What laws are out there to require deletion?
• What is data retention and why is it a risk for businesses?
• What is PII sprawl?
• What’s the cost of a violation to delete someone’s data?
• How do you fix this problem?
• How do you comply?
• What is a data vault?
• Where did you first learn about this concept?
• How does a data vault help address the deletion problem?
• What is synthetic data and how does it help with the deletion problem?
• What future looking tools and technologies are you excited about

Resources:

• IEEE Privacy Engineering
• Data Mapping, Extracting Data Utility Before Deleting Data Files

Privacy threat modeling is a structured approach to identifying and assessing potential privacy risks associated with a particular system, application, or process. It involves analyzing how personal data flows through a system, identifying potential vulnerabilities or weaknesses, and evaluating the potential consequences of a privacy breach.

The goal of privacy threat modeling is to identify and prioritize potential privacy risks and to develop effective strategies for mitigating those risks. This process involves considering various aspects of the system or process being analyzed, including the data that is collected, how it is stored and processed, who has access to it, and how it is transmitted.

Privacy threat modeling can help organizations better understand their privacy risks and make more informed decisions about how to protect personal data. Implementing privacy measures and conducting regular privacy threat modeling can help organizations minimize the risk of a privacy breach and ultimately save them money in the long run.

Nandita Rao Narla, Head of Technical Privacy & Governance at DoorDash, joins the show to explain privacy threat modeling, the common misconceptions, and how to make a privacy threat model program successful.

Topics:

• What is privacy threat modeling?
• How do you balance the need to collect and use data with the need to protect privacy, and what role does privacy threat modeling play in this process?
• Who typically owns this process in an organization?
• What are some of the typical approaches companies follow to privacy threat modeling?
• How should companies think about setting up a process to continually iterate and evolve the model?
• Once you’ve performed this process, how do you go about fixing the identified issues?
• What are some common misconceptions about privacy threat modeling, and how would you address those misconceptions?
• How do you determine which threats to prioritize when conducting privacy threat modeling, and what factors do you consider when making these decisions?
• How do you involve stakeholders (e.g. customers, employees, regulators) in the privacy threat modeling process, and what benefits do you see in doing so?
• What challenges have you encountered when conducting privacy threat modeling, and how have you overcome these challenges?
• How does privacy threat modeling differ from other types of risk assessments (e.g. security risk assessments), and what unique challenges does it present?
• What advice would you give to other companies looking to implement privacy threat modeling as part of their privacy and security strategy?
• How do you see privacy threat modeling evolving in the future?

Resources:

• Shostack and Associates Blog
• Strategic Privacy by Design
• LINDDUN privacy engineering

A data analytics pipeline is important to modern businesses because it allows them to extract valuable insights from the large amounts of data they generate and collect on a daily basis. This leads to better decision making, improved efficiency, and increased ROI.

However, despite your best efforts, sensitive customer data tends to find its way into our analytics pipelines, ending up in our data warehouses and metrics dashboards. Replicating customer PII to your downstream services greatly increases your compliance scope and makes maintaining data privacy and security significantly more challenging.

In this episode, Engineering Lead at Skyflow Piper Keyes joins the show to discuss what goes into building a privacy-aware data pipeline, what tools and technologies should you be using, and how Skyflow addresses this problem.

Topics:

• What is a data analytics pipeline?
• What does it mean to build a privacy-aware data pipeline?
• Can you give some examples of use cases where privacy-aware data pipelines are particularly important?
• What’s it mean to de-identify data and how does that work?
• What are some common techniques used to preserve privacy in data pipelines?
• How does analytics work for de-identified data?
• How do you balance the need for data privacy with the need for actually being able to use the data?
• What’s it take to build a privacy-aware pipeline from scratch?
• What are some of the biggest challenges in building privacy-aware data pipelines?
• How does something like this work with Skyflow?
• Let’s say I have customer’s transactional data from Visa, how could I ingest that data into my data warehouse but avoid having to build PCI compliance infrastructure? Walk me through how that works.
• Could you build a machine learning model based on the de-identified data?
• Once I have the data in my warehouse, let’s say I needed to inform a clinical trial participant about an issue but I also want to maintain their privacy, how could I perform an operation like that?
• What other use cases does this product enable?

Resources:

• Running Secure Workflows with Sensitive Customer Data
• Maximize Privacy while Preserving Utility for Data Analytics

Merit’s verified identity platform brings visibility, liquidity, and trust to people-data, giving organizations the clarity to make better-informed decisions, engage with individuals effectively, and pursue their mission efficiently. Merit works with trusted private, state, and municipal organizations to solve critical real-world problems in sectors such as workforce development, emergency services, licensing, education, and defense readiness.

Merit ingests and processes highly sensitive data from a variety of government agencies. Privacy and security are of the utmost importance, but they must also balance data utility. To support customer and business needs, Merit uses a combination of off the shelf data stack tools and technologies along with off homegrown techniques around encryption and encryption key management.

Staff engineer and data tech lead, Charlie Summers, joins the show to breakdown Merit’s data stack, the life of data, the challenges they’ve faced with protecting sensitive data, and the ways they secure customer data.

Topics:

• Can you talk about Merit and your role there?
• What kind of data are you typically dealing with at Merit?
• What’s your data stack?
• Can you take me through the life of a piece of data?
• What’s the scale of the data you’re working with? How big is this data set?
• What challenges have you faced with securing sensitive data while using this stack?
• What tools, technologies, or techniques are you using to protect the data?
• How are you balancing the security of the data with the actual utility?
• How do you control access to the data?
• How does auditing work? Is every time the data touched logged in some way?
• How did you think through build versus buy?
• Why is privacy and security a priority for Merit?
• What future technologies in this space are you particularly excited about?

Resources:

• Careers at Merit

For years engineers have relied on encryption at rest and transit to help protect sensitive data. However, historically data needs to be decrypted to actually use it, which risks the potential exposure of the underlying data. Confidential computing is a computing paradigm that aims to protect data in use, not just data in transit or at rest. The goal of confidential computing is to provide a secure computing environment where sensitive data can be processed without the risk of exposure or compromise.

AWS Nitro Enclaves is a service provided by Amazon Web Services (AWS) that enables customers to create isolated compute environments within their Amazon Elastic Compute Cloud (EC2) instances. In a Nitro Enclave, the application code and data are encrypted and processed inside the enclave, ensuring that they are protected from both the hypervisor and the host operating system. This makes Nitro Enclaves ideal for workloads that require a high level of security, such as confidential computing, secure machine learning, and blockchain-based applications.

Arvind Raghu, Principal Specialist in EC2 and Confidential Computing at AWS, joins the show to explain confidential computing, AWS Nitro Enclaves, and the use cases this technology unlocks.

Topics:

• What is confidential computing?
• What’s the motivation behind the investment in this technology?
• What are some of the problems this approach to privacy and security solves that were previously a potential vulnerability for companies?
• How does a hardware-based trusted execution environment prevent a bad actor from executing unauthorized code? How is the memory space protected?
• Can you explain how Nitro Enclaves enhance the security of confidential computing on AWS?
• What’s the process for using Nitro Enclaves versus a standard EC2 instance
• How do I go about using Nitro Enclave for performing an operation on sensitive data? What does the programming process look like to do that?
• What are some use cases that you’ve seen that you are particularly excited about?
• How can Nitro Enclaves be used to protect sensitive data in specific use cases, such as financial services or healthcare?
• Are there any limitations or trade-offs to consider when using Nitro Enclaves for confidential computing?
• What innovations or business directions do you think secure enclaves will enable in the future?
• What’s next for Nitro Enclaves? Anything you can share?
• Where do you see the area of confidential computing going in the next 5-10 years?

Resources:

• Introducing Unified ID 2.0 Private Operator Services on AWS Using Nitro Enclaves
  
  

In this episode, Manish Ahluwalia, the field CTO of Skyflow, discusses the technical aspects of data residency and the usage of a data privacy vault.

He explains the concept of data residency and data localization. He noted that with the increasing amount of data being generated and shared, it is becoming increasingly important for organizations to ensure that their data is being stored and processed in compliance with local laws and regulations. However, this is a technically challenging problem because data typically ends up all over the place and companies lose track of what and where they’re storing it.

Ahluwalia then discussed the role of a data privacy vault in addressing data residency concerns. He explained that a data privacy vault is a secure, centralized repository for sensitive data that can be used to enforce data residency requirements.

He also discussed how companies can use the data privacy vault to ensure that data is only accessed by authorized parties, and that the data is only used for specific purposes. He also explained that data privacy vaults can be used to track and audit data access, which can be useful for compliance and regulatory purposes.

Topics:

• What is data residency?
• When did data residency requirements first start and what was the motivation behind their introduction?
• Why is this hard for companies from a technical perspective?
• How are companies solving this problem today? What technical solutions/options do they have at their disposal?
• What are the key technical considerations when designing a data architecture that meets data localization requirements?
• How does a data privacy vault help simplify complying with a data residency requirement?
• How do you ensure that data stays within the specified geographic boundaries during transfers and storage?
• In the scenario where there’s multiple vaults, one for each country with a data residency law, how does something like computing global analytics work?
• If I’m using a data privacy vault to meet data residency requirements, how does sharing data with third parties work?
• In the vault world, tokens are stored within the downstream services. How does a company control access to who or what can detokenize that data to retrieve the original value?
• What are your thoughts on the future of data privacy? Are the technical challenges of protecting customer data going to get easier?

Resources:

• What is Data Residency & How Can a Data Privacy Vault Help?

Historically, backup and recovery has been a job relegated to a junior person on the team. It’s the kind of grungy work that all companies know they should do, but no one wants to own it. As such, many companies have a poor backup and recovery posture and aren’t even sure they can recover from a disaster. Additionally, in recent years, homegrown backup systems have been the target of more and more ransomware and cyber attacks.

Attackers target the backups, either deleting them completely and then attacking other parts of the system or steal the backups, break the encryption, and now have access to tons of company data.

W. Curtis Preston has been working in backup and disaster recovery for nearly 30 years and has written five books on the subject. He joins the show to discuss backup and recovery missteps, best practices, and how Druva, the SaaS-based backup and recovery platform helps businesses offload backup responsibility.

Topics:

• How did you get interested in the field of data protection and disaster recovery, and what sparked your passion for it?
• What are some common mistakes that organizations make when it comes to data backup and recovery?
• What’s the relationship between backups, data protection, and cybersecurity?
• What’s the best practices around backing up personal user data, like account data or perhaps other sensitive data?
• What are the common ways data loss happens for organizations?
• How can organizations ensure that their data is secure and protected during the backup and recovery process?
• What are some best practices for designing a data backup and recovery system, and how can organizations implement these practices effectively?
• Can you give some examples of real-world data loss scenarios, and how proper data backup and recovery systems could have prevented or mitigated the impact of those losses?
• How can organizations test their data backup and recovery systems to ensure that they are working properly and can be relied upon in the event of a disaster?
• Can you provide an overview of the Druva platform and how it helps organizations protect their data?
• What sets the Druva platform apart from other data protection and backup solutions on the market?
• Can you provide some examples of how organizations have successfully implemented the Druva platform to protect and recover their data in the face of disasters or other challenges?
• What’s the future for this space look like?

Resources:

• Modern Data Protection
• Druva

In this episode, we discuss the topic of secure multi-party computation. Since its introduction in the eighties, secure multi-party computation – also known as SMPC – has evolved into a subfield of cryptography for which a variety of protocols have been developed. SMPC is a technique used to allow multiple parties to jointly compute a function on their private inputs without revealing any information about those inputs to the other parties.

Liz Acosta, Developer Advocate at Skyflow, joins the show to explain SMPC and share her recent research into the subject. We begin by explaining the basic concept of SMPC and how it differs from traditional methods of computation.

We also discuss the practical applications of SMPC, such as in the financial industry for secure trading and in the healthcare industry for secure sharing of patient data. We also highlight the challenges that still need to be addressed in the field, such as scalability and ensuring the security of the computation.

Topics:

• What is Yao’s millionaire problem and how does it relate to secure multi-party computation?
• Can you explain what secure multi-party computation is and how it works?
• Where did this concept come from? What’s the history?
• Can you walk me through an example of using SMPC to solve a problem?
• In what types of scenarios is secure multi-party computation particularly useful?
• How is secure multi-party computation being used in the real world today?
• How does secure multi-party computation enable collaboration while still preserving the privacy of individual parties?
• What are the challenges and opportunities for the wider adoption of secure multi-party computation in the future?
• How far away do you think we are from secure multi-party computation being more widely adopted?
• Beyond SMPC, are there technologies in this space that you are particularly excited about?
• Where should someone look to learn more about secure multi-party computation or other privacy-enhancing technologies

Resources:

• What is Secure Multi-Party Computation?

Most of the news and conversations around data privacy, security, breaches, and the impact to consumers and businesses is centered around big tech. However, big tech only makes up a small percentage of total businesses and privacy and security is something that has the potential to impact all businesses.

Denise Farnsworth has an incredibly diverse background in privacy, from big tech to small businesses and everything in between. She served as Deputy Data Protection Officer for Facebook, Chief Privacy Officer at Jazz Pharmaceuticals, Lead Privacy Counsel for NetSuite and Head of Legal, Data Privacy and Compliance Officer for Microsoft, and is now CEO and Founder of Inspire! Privacy and Security, a company focused on helping SMBs with privacy challenges.

Denise joins the show to discuss some of her past experience working at Microsoft and Meta during both pre and post GDPR and how she’s transferred those skills and experiences to what she does today. We discuss how privacy impacts small and medium businesses, why they should prioritize privacy, and how Denise’s company helps them operationalize and build out a privacy program.

Topics:

• What are some of the major changes that have happened in privacy, both for businesses, consumers, and as a privacy professional?
• You’ve worked with a number of major companies in the context of getting them ready for GDPR. What was involved in that process?
• You were the Deputy Data Protection Officer at Facebook, building out their DPO program. What was that experience like? How did you go about building that team and what was the scope of work?
• In a big organization like Facebook or Microsoft, how does the legal, privacy, and compliance functions of the business typically work with other areas of the organization like engineering or product?
• You are the CEO and founder of Inspire! Privacy and Security. Can you tell me a bit about this company? Why did you start it and what are you trying to do?
• You’re focusing on small to medium sized businesses. What is an SMB in this context?
• What’s the difference between working with SMBs when it comes to compliance versus huge technology companies?
• How has privacy regulations impacted SMBs?
• What are the top 5 risks for a business when it comes to data privacy?
• What should a SMB be thinking about when it comes to privacy? When should they be prioritizing privacy and compliance?
• Have you seen a shift in SMBs being more concerned about privacy and compliance? And if so, what’s led to this change?
• How do you typically work with companies? What’s the service you’re providing and helping them accomplish?
• You’ve built out a comprehensive framework for privacy. Can you talk a bit about what this is, how you built it, and how it helps companies
• Where do you see privacy regulations and privacy considerations for businesses going in the future?
• Is this going to get easier for companies? What needs to happen to help get us there?

Resources:

• Inspire! Privacy and Security LLC
  
  

Imagine being able to perform any computational operation over any kind of data but do it while the data is fully encrypted. That is the promise of fully homomorphic encryption.

Fully homomorphic encryption was first theorized in the 1970s, but the first proposal for a plausible construction of a fully homomorphic encryption scheme didn’t arrive until 2009. We are now in the fourth-generation of fully homomorphic encryption and although performance is still a blocker for many applications, there’s been a series of major breakthroughs allowing real world application to take advantage of the approach.

Dr. Avradip Mandal received his PhD from the University of Luxembourg where his research focused on cryptography, in particular homomorphic encryption and theoretical symmetric key cryptography. He joins the show to describe what homomorphic encryption is, how it works, the history, and breakthroughs.

Topics:

• Can you explain what homomorphic encryption is and how it works?
• Where did this concept come from and what’s the history with it?
• What are some of the main advantages of using homomorphic encryption?
• In what types of situations is homomorphic encryption particularly useful?
• How does homomorphic encryption compare to other types of encryption, such as symmetric or asymmetric encryption?
• Why is homomorphic encryption so slow?
• Are there any challenges or obstacles that need to be overcome in order to fully realize the potential of homomorphic encryption?
• Are there real-world applications of homomorphic encryption?
• How has homomorphic encryption evolved over time?
• What impact do you see homomorphic encryption having on the future of data privacy and security?
• What advice do you have for organizations or individuals considering using homomorphic encryption?
• Do you think we’ll get to a point where fully homomorphic encryption is readily available and if so, when do you think that will happen?
• Besides homomorphic encryption, are there future looking privacy and security technologies that you are particularly excited about?

Fraud can be crippling to a business. It hurts your revenue, reputation, and customers. Fintech fraud is a super complex space, with bad actors using a variety of attacks like identity attacks, credit card theft, and phishing scams, it’s a lot for any company to tackle on their own. Sophisticated fraudsters leverage weaknesses in protocols like SMS, the phone system, email, and DNS.

Soups Ranjan, CEO and Founder of Sardine, joins the show to discuss the different types of fintech fraud attacks that take place and how Sardine uses machine learning to automatically detect and prevent fraud.

Soups has a PhD from Rice University in denial-of-service attack prevention and has been working in fraud detection for a decade across companies like Yelp and Coinbase. With a strong background in data science and a ton of real world experience, Soups is an expert in this space.

Topics:

• How did you learn fraud prevention?
• What is fraud for fintechs and how is this different from other forms of fraud like ecommerce fraud?
• Who are the fraudsters?
• Is detecting fraud for crypto harder than other forms of fraud detection?
• What were some of the tools and technologies you’ve built to help reduce fraud?
• Why is machine learning the right approach? Are there ever humans in the loop as well?
• What’s the input to the model?
• How does training work? Where are the labels for training coming from?
• What does it mean to deploy a ML model? How do you know the model is an improvement?
• How has your experience in the fraud space led to the founding of Sardine
• How does Sardine help optimize someone’s fraud pipeline?
• What’s the typical evolution for fraud detection that a company goes through? Do they start out trying to DIY something?
• What impact does Sardine have for a business and how quickly do they see ROI?
• What are your thoughts on the future of fraud detection?
• Are there technologies in this space that you are particularly excited about?

Resources:

• https://www.sardine.ai
• https://www.sardine.ai/company#jobPosts

The technology industry has changed a lot over the past 10 years with the move from on-prem systems to the cloud. With that came new types of challenges from a privacy and security perspective. Controlling access to data was no longer just about putting up a firewall, but you needed to know who and what was accessing the data at all times for audit purposes. Authorization models had to adapt and become flexible to support more fine-grained access.

With new challenges comes new opportunities. There's been a growth in startups focused on developing solutions that help companies address privacy and security challenges. Privacy is shifting left and becoming an engineering effort. Additionally, there's an increased interest in venture funding available to companies attacking these privacy and security challenges.

Rak Garg, Principal at Bain Capital Ventures, joins the show to discuss his prior work as a product manager working on Atlassian's data security and governance products. He also shares his thoughts on trends he's seeing in the industry as an investor interested in the data privacy and security space.

Topics:

• Can you talk about leading product on Atlassian Access, their data security and governance product?
• What were the motivations for the product investment?
• Prior to Access, how were Atlassian customers managing data security?
• What were some of the challenges with designing and building that product?
• What motivated you to move away from product roles in industry to becoming an investor
• What are your areas of interest in investing?
• How did you become interested in these particular areas?
• How has the landscape of startups focused on privacy and security changed throughout your career?
• Have you seen a change in privacy and security concerns with startups in comparison to when you started your career?
• If so, what do you think has led to this change and how has it impacted the way companies think about building products and going to market?
• What advice would you give to founders building out a new product? Should they be thinking about privacy and security from day one or is that something that can come later?
• Are you seeing more interest in institutional investment for companies working in the privacy and security space versus a few years ago?
• What has led to the interest and belief that this is a potential area of growth?
• What trends are you seeing in the security space that you’re excited about?
• How has growth in cloud infrastructure and AI/ML impacted concerns over privacy and security?
• What do you see as the big challenges in data security and privacy that we need to solve?
• Are there new privacy and security technologies that you’re particularly excited about?
• Where do you hope the industry is in the next 5-10 years when it comes to the challenges of privacy and security? Is this going to get easier for companies?

We launched the Partially Redacted podcast in 2022 and since then have published 17 episodes with industry experts covering everything from the basics of tokenization and encryption to differential privacy. We've had shows about privacy engineering training and how to build and scale a privacy engineering program.

In this final episode of 2022, we're breaking format. This is a special episode where we look back at the 17 episodes we’ve done and discuss some of the biggest themes and notable insights that our guests had.

Ashley Jose, Product Lead at Skyflow joins as Sean's guest to share his thoughts on the themes and trends from the first collection of episodes.

We'll be back in January with a new collection of episodes. Happy Holidays and Happy New Year!

With the changing landscape of privacy regulations and the growing consumer awareness about the collection and management of personal data, more and more companies are prioritizing privacy earlier in their lifecycle than ever before. This is fantastic news for privacy practitioners, but as a founder or product leader, how do you go about building, operationalizing, and scaling a privacy program?

Pramod Raghavendran, Director of Privacy and Data Protection at Coinbase, joins the show to share his thoughts and experience about building privacy programs. Pramod worked as an engineer, solutions architect, technical programs manager, and engineering manager before finding his way into privacy. With deep technical expertise and privacy experience from Amazon, Google, and now Coinbase, Pramod is uniquely positioned to have insights into building privacy functions and establishing a culture of privacy.

Topics:

• How did you get interested in working in privacy and security?
• What changes have you seen in privacy throughout your career?
• Are companies starting to focus on privacy earlier in their life cycle than previously?
• How do you make privacy part of the organizational culture of a company?
• For newer companies, perhaps a startup that needs to start a privacy program, who should they be looking to hire? What characteristics and skills make a good privacy leader for building and operationalizing a privacy program from scratch?
• If you joined a new company to build their privacy program, what’s your first 30 days look like?
• Can privacy be a product differentiator?
• What does it mean to operationalize a privacy program and how do you go about operationalizing a company’s privacy program?
• How do you go about making privacy a design consideration so that the company adopts a shift left process for privacy?
• As a company scales and everything is moving really fast, how do you ensure privacy isn’t something that gets pushed aside in favor of shipping products fast?
• How do you work with engineering and product so that they see the program as value add rather than something that is blocking them from doing their job?
• How do you scale a privacy program?
• What are the typical roles and responsibilities of a privacy function?
• Where do you see privacy engineering going in the next 5-10 years?

Resources:

• Software Engineering’s Next Great Challenge: Data Privacy

Ari Hoffman has spent his career helping businesses implement and solve technically challenging problems at companies like Cisco and Fivserv. Today, he serves as the Director of Customer Programs at Skyflow, where he helps Skyflow customers tackle their privacy and security challenges.

Ari joins the show to share his expertise about the common privacy challenges and use cases businesses are facing today and how to break apart these challenges into bite-sized and manageable pieces.

Ari discusses his career path, why he joined Skyflow, Skyflow Data Privacy Vault, and how companies are using this technology to address some of the biggest privacy and security challenges that face them today. Talking through specific examples, like PCI compliance, PII data protection, data minimization and governance, Ari provides actionable advice for businesses looking to get a handle on data privacy, security, and compliance.

Topics:

• How did you end up working in the privacy space and why Skyflow?
• What is Skyflow? What does it do and how do customers use it?
• What are some of the common use cases and challenges companies are trying to solve when it comes to data privacy?
• How does a company avoid big bang security implementations?
• How do you avoid this being an overwhelming problem that stops a company from taking action?
• How long will an implementation actually take? Do companies need to scope out 6 months or more to make this change?
• How can I have flexibility to work with any payment vendor, or maybe even multiple vendors, but not take on the responsibility of PCI compliance myself?
• If I'm using 10 different PCI systems today, how do I disentangle that and migrate to something that’s more flexible and simple to manage?
• What about protecting data beyond credit card data? Where do I begin to start locking this down?
• Are you seeing concentrated customer areas and trends thus far?
• What are some of the most popular Skyflow features that customers use?
• What are some of the best practices for privacy implementations?
• Thoughts on the future of privacy for businesses and consumers?
• What are the big gaps in data privacy today? What future technology or development are you excited about?
• Where should someone looking to learn more about the data privacy space begin?

Resources:

• Skyflow
• Skyflow Demo

Companies use bug bounties and penetration testing to proactively look for vulnerabilities in their systems. These programs should be part of any security conscious organization.

However, even with these systems in place, it can be difficult to stay ahead of the hackers and potential attacks. Additionally, the tools available for running penetration tests can be complex to run and often require using a combination of tools.

Former pentester and bug bounty hunter Nenan Zaric joins the show to talk about the types of vulnerabilities that companies should be looking for and about how to automate security workflows through the Trickest platform, a company he founded. Nenad's advice from years of cybersecurity work is to be proactive and always attack yourself so that you can find the problems before the attacker does.

Topics:

• Tell me about your history as a former penetration tester and bug bounty hacker. First, what is pentesting and bug bounty hacking
• How did you get into this field and learn the skills necessary to hack into systems?
• What are some of the common mistakes companies make when it comes to security that allows a hacker to penetrate their security?
• How should companies think about protecting themselves and their customer data to prevent such attacks?
• What is Trickest?
• Is the idea of automating security workflows something new? How is this traditionally done and how does Trickest improve on the traditional model?
• What are the common use cases that people are using Trickest for?
• What sort of common attacks does Trickest help prevent?
• Who’s your typical user? Is it a white collar hacker, like a pentester, or is it security professionals within an organization wanting to have an automated system for testing their security?
• Walk me through how to set up an automated security workflow. What’s the output of a workflow?
• How do the ready-made workflows work? What are some examples?
• Where do these security workflows fit with the overall development process for a company? Is this an on-going thing that should be continually run and tested for weaknesses?
• A large amount of attacks have a human element, social engineering and such, how does Trickest help prevent such attacks?
• What are your thoughts on the future of security? Are we getting better at protecting and locking down systems?
• What’s next for Trickest? Anything in the future roadmap that you can share?

Resources:

• Trickest

Edge devices are hardware devices that sit at the edge of a network. They could be routers, switches, your phone, voice assistant, or even a sensor in a factory that monitors factory conditions.

Machine learning on the edge combines ideas from machine learning with embedded engineering. With machine learning models running on edge devices amazing new types of applications can be built, such as using image recognition to only take pictures of the objects you care about, developing self-driving cars, or automatically detect potential equipment failure.

However, with more and more edge devices being used all the time that might be collecting sensitive information via sensors, there are a number of potential privacy and security concerns.

Dan Situnayake, Head of Machine Learning at Edge Impulse, joins the show to share his knowledge about the practical privacy and security concerns when working with edge IoT devices and how to still leverage this incredible technology but do so in an ethical and privacy-preserving way.

Topics:

• What’s your background and how did you end up as the head of machine learning at Edge Impulse?
• What is an edge device?
• What is Edge Impulse and what are the types of use cases people are solving with AI on edge devices through the Edge Impulse platform?
• What are the unique security challenges with edge devices?
• Since these devices are potentially observing people, collecting information about someone’s movements, what kind of privacy concerns does someone building for these devices need to think about?
• Are there industry best practices for protecting potentially sensitive information gathered from such devices?
• Is there research into how to collect data but protect someone's privacy when it comes to building training sets in machine learning?
• What happens if someone steals one of these devices? Are there safeguards in place to protect the data collected on the device?
• Where do you see this industry going in the next 5-10 years?
• Do you foresee security and privacy getting easier or harder as these devices become more and more common?

Resources:

• Edge Impulse
• AI at the Edge

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It was introduced to create a level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data and ultimately reduce fraud.

Merchants that wish to accept payments need to be PCI compliant. Without PCI compliance, the merchant not only risks destroying customer trust in the case of a data breach, but they risk fines and potentially being stopped from being able to accept payments.

Payment processors like Stripe, Adyen, Braintree, and so on, help offload PCI compliance by providing PCI compliant infrastructure available through simple APIs. 

Bjorn Ovick, Head of Fintech at Skyflow, formerly of Wells Fargo, Visa, Samsung, and American Express, holds over 20 patents related to payment applications. He joins the show to share his background, thoughts on the evolution of technology in this space, break down PCI DSS, payment processors, and how Skyflow helps not only offload PCI compliance but gives businesses flexibility to work with multiple payment processors.

Topics:

• Can you share a bit about your background and how did you end up working in the financial industry?
• You also have over 20 patents for payment applications, what are some of those patents?
• So you are Head of Fintech Business and Growth at Skyflow, what does that consist of and how did you come to work at Skyflow?
• Can you talk a bit about the evolution and change of the fintech market from when you started your career to today?
• What is PCI DSS and where did it come from?
• How does a company achieve PCI DSS compliance?
• What’s a company’s responsibilities with respect to PCI compliance?
• What's it take to build out PCI compliant infrastructure?
• What happens if you violate PCI compliance?
• How do you offload PCI compliance and still accept payments?
• What is PCI tokenization?
• What patterns do you see in payments and what should someone consider as they build their payment stack?
• Why would a merchant use multiple payment processors?
• How does a company use multiple payment processors?
• What is network tokenization and how does that improve privacy and security?
• What is 3D secure?
• What are the big gaps in terms of payment processing today? What problems still need to be solved?
• Where do you see the payment technology industry going in the next 5-10 years?
• Where should someone looking to learn more about the payments space go?

Resources:

• Network Tokenization: Everything You Need to Know
• Multiple Payment Gateways: The Why and How

DevOps is a concept that has exploded in the past few years, allowing software development teams to release software and automate the process. This decreases time to market and speeds up learning cycles. Continuous Integration and Continuous Delivery (CI/CD), automates the software delivery pipeline, continuously deploying new software releases in an automated fashion.

But when we deploy code quickly, it's imperative that we don't ignore the security aspect from the beginning. Ideally, we shift security left and incorporate it into the pipeline right from the start. This reduces software vulnerabilities and makes sure our cloud resources are configured following the best practices in terms of security.

Google Cloud Principle Architect Anjali Khatri and Google Cloud Solutions Engineer Nitin Vashishtha join the show to discuss DevOps, DevSecOps, the shift left movement, and how to use Google Cloud to create a secure CI/CD pipeline.

Topics:

• How has the cloud changed the way people need to think about architecting secure systems?
• How does the scale of cloud potentially impact the scale of a security or privacy issue?
• What is DevOps?
• Why is this area so hot right now?
• What problems has the DevOps movement helped solve that were traditionally difficult or impossible to address?
• How does the Shift Left movement for security relate to what’s happening in DevOps?
• What is DevSecOps?
• How does DevSecOps fit into a company’s overall security and privacy program and strategy?
• When it comes to things like CI/CD, what are the common mistakes people can make when it comes to security, privacy, or compliance?
• Cloud Build is a serverless CI/CD platform, why do I need something beyond this to automate my pipeline?
• What other Cloud tools and components should I be using to make sure my CI/CD system is not only able to support my team’s day to day development but is actually secure?
• Can you talk about Artifact Registry and what that product means in terms of security?
• How does Cloud’s Binary Authorization system work? Why would I use it and how does that improve my security posture?
• Does the addition of security as part of say my CI/CD pipeline impact performance in a meaningful way?
• Can you walk me through what the CI/CD process looks like using the combination of Cloud tools and resources?
• How much knowledge and experience do I need to set this up?
• How does a combination of tools like this play with configuring Cloud resources directly within the Google Cloud Console?
• Are there Cloud products that help me lock down my source code?
• Are there Cloud products that automatically scan my code for security or privacy vulnerabilities?
• What are your thoughts on the future of cloud security?
• Are there technologies in this space that you are particularly excited about?
• Where should someone looking to learn more DevSecOps and cloud security?

Resources:

• Building a secure CI/CD pipeline using Google Cloud built-in services
• Introducing Google Cloud's new Assured Open Source Software Service
• Software Delivery Shield overview
• Cloud Workstations
• Identity & Security
• Google Cloud Security Best Practices

Over the past 20 years, there's been tremendous growth in technology for digital health. From healthcare management software, medical devices, to fitness trackers, there's more health data available about an individual than at any other time.

However, with an increase in data, there's also been an increase in considerations for the secure management of this data. Privacy regulations haven't been able to keep up with the explosion of technological growth.

Jordan Wrigley, Researcher for Health and Wellness at the Future of Privacy Forum, joins the show to share her expertise about digital health data privacy. Sean and Jordan discuss the goals and activities of the Future of Privacy Forum, how culture impacts how an individual thinks about health-related privacy, the shift in concern over health data privacy, and what a company needs to be thinking about when building products that collect or process digital health data.

Topics:

• Who are you? What’s your educational background, work history, and how you ended up where you are today?
• What is the Future of Privacy Forum?
• What are the goals, activities, and focus areas of the organization?
• How do people and companies typically engage the FPF?
• What is your role and area of expertise at the FPF?
• Do you think there’s been a shift in privacy sensitivity with regards to medical and health data in the past few years and if so, what has led to the growing concern and focus?
• What’s considered health-related data when it comes to privacy regulations?
• What types of tools/techniques should a company be considering to improve their privacy and security posture when dealing with health data?
• Let's say I'm a gym own. What do I need to know about my responsibilities in terms of privacy when it comes to the collection and management of health-related data?
• Where is the line between a fitness tracker and an actual medical device? And should these trackers have more regulatory demands placed on them?
• What are the regulatory requirements for an actual medical device?
• If I’m processing clinical trial data and I want to be able to perform analytics on the data and produce sharable reports, what do I need to know about maintaining privacy in this scenario?
• How does developing for children impact the types of privacy and security considerations that a company needs to be thinking about?
• What are your thoughts on the future of privacy? Are there tools, technologies, or trends that you’re excited about?
• What are some of the big challenges in privacy that we need to solve?

Resources:

• Future of Privacy Forum

Passwords have been around since the 1960s and as a means to keep someone out of a non-connected terminal, they were relatively secure. The scale of a compromised system was relatively low. But the world has changed drastically in that time. Every computer is connected to a massive network of other computers. The impact scale of a compromised password is multiple times more problematic than it was even 30 years ago, yet we continue to rely on passwords as a security means to protect account information.

Security means like longer passwords, more complicated schemes, no dictionary words, and even two-factor authentication have had limited success with stopping hacks. Additionally, each of these requirements adds friction to a user accomplishing their task, whether that's to buy a product, communicate with friends, or login to critical systems.

WebAuthN is a standard protocol for supporting passwordless authentication based on a combination of a user identifier and biometrics. Consumers can simply login via their email and using their thumb print on their phone or relying on facial recognition on their device. Passwordless authentication not only reduces frictions for users, but it removes a massive security vulnerability, the password.

Nick Hodges, Developer Advocate at Passage, joins the show to share his knowledge and expertise about the security issues with traditional passwords, how passwordless works and addresses historical security issues, and how Passage.id can be used to quickly create a passwordless authentication systems for your product.

Topics:

• What’s the problem with passwords?
• Why have passwords stuck along so long?
• What’s it mean to go passwordless?
• What is a passkey and how do they work?
• How does the privacy and security of a passkey compare to a standard password?
• A Passkey is stored within the Trusted Platform Module of a phone. What happens if someone steals my phone?
• What happens if I upgrade my device? Do my passkeys come with me?
• What are the potential security risks or limitations of passkey based login?
• What if I don’t have my phone? Can I still login?
• Can you share an account with someone else? How does that work?
• When a business switches over to using a passkey approach, what’s the reaction from their customers?
• Is there a big educational challenge to convince companies to ditch passwords?
• Why is a passkey approach to login not more widely adopted? What’s stopping mainstream use?
• What is Passage and how is helping businesses go passwordless?
• Who’s your typical customer? Startups just building their auth system or are people replacing existing systems for this approach?
• What’s it take to get started? How hard would it be for me to rip out my existing authentication and adopt Passage?
• What are your thoughts on the future of passwords and password security? How far away are we from completely getting rid of passwords?
• What’s next for Passage? Anything on the future roadmap that you can share?

Resources:

• Passage
• Passage Demo
• Connect with Nick

Differential privacy provides a mathematical definition of what privacy is in the context of user data. In lay terms, a data set is said to be differentially private if the existence or lack of existence of a particular piece of data doesn't impact the end result. Differential privacy protects an individual's information essentially as if her information were not used in the analysis at all.

This is a promising area of research and one of the future privacy-enhancing technologies that many people in the privacy community are excited about. However, it's not just theoretical, differential privacy is already being used by large technology companies like Google and Apple as well as in US Census result reporting.

Dr. Yun Lu of the University of Victoria specializes in differential privacy and she joins the show to explain differential privacy, why it's such a promising and compelling framework, and share some of her research on applying differential privacy in voting and election result reporting.

Topics:

• What’s your educational background and work history?
• What is differential privacy?
• What’s the history of differential privacy? Where did this idea come from?
• How does differential privacy cast doubt on the results of the data?
• What problems does differential privacy solve that can’t be solved by existing privacy technologies?
• When adding noise to a dataset, is the noise always random or does it need to be somehow correlated with the original dataset’s distribution?
• How do you choose an epsilon?
• What are the common approaches to differential privacy?
• What are some of the practical applications of differential privacy so far?
• How is differential privacy used for training a machine learning model?
• What are some of the challenges with implementing differential privacy?
• What are the limitations of differential privacy?
• What area of privacy does your research focus on?
• Can you talk a bit about the work you did on voting data privacy
• How have politicians exploited the data available on voters?
• How can we prevent privacy leakage when releasing election results?
• What are some of the big challenges in privacy research today that we need to try to solve?
• What future privacy technologies are you excited about?

Resources:

• Dr. Yun Lu's research
• The Definition of Differential Privacy - Cynthia Dwork
• Differential Privacy and the People's Data
• Protecting Privacy with MATH

When managing your company’s most sensitive data, encryption is a must. To fit your overall data protection strategy, you need a wide range of options for managing your encryption keys so you can generate, store, and rotate them as needed.

The risk of sensitive data being misused or stolen can be limited, as long as just the people (and services) who are authorized to access data for approved purposes can access the key. Without proper management of encryption keys robust encryption techniques can be rendered ineffective. So, while encryption is a core feature of any effective data privacy solution, encryption only enhances data privacy when paired with effective key management.

Osvaldo Banuelos, lead software engineer at Skyflow, joins the show to share his knowledge and expertise about encryption key management and its role in modern data privacy.

Topics:

• Can you share some of your background from where you started your engineering career to where you are today?
• How did you end up with an interest in working in the data privacy space? And what’s your work history in this space?
• What are the fundamentals of encryption?
• How do you protect against the key being leaked and rendering encryption ineffective?
• What is an encryption key management system?
• What are the components of an effective key management system?
• How often should a key be rotated and does a KMS provide that functionality out of the box?
• How does key rotation work?
• Who within an organization is typically responsible for key management?
• What are some of the popular KMS systems on the market today?
• From a feature perspective, are they all the same or are their pros and cons to one over the other?
• How does key management work in Skyflow?
• When it comes to data privacy, you likely want to protect your customer data using encryption and to do that effectively, you need a robust key management system. Is this enough or are there other technologies a company would need to incorporate to have an effective privacy and compliance strategy?
• What are the big gaps in data privacy today? What future technology or development are you excited about?
• Where should someone looking to learn more about the data privacy space begin?

Resources:

• Encryption Key Management and Its Role in Modern Data Privacy

Joe McCarron, with prior roles at Zendesk and Apollo GraphQL, has spent much of his career thinking about and building products for developers. Today, he serves as the product lead for Skyflow's Vault, APIs, and developer experience.

In this episode, Joe discusses how his undergrad in Political Science and career working on developer-first products led him to Skyflow. Sean and Joe discuss tokenization and encryption, how they are different, the problems they solve, and what every engineer should know about these techniques.

Topics:

• What is your background as a product manager?
• How did you end up with an interest in working in the data privacy space? And what’s your work history in this space?
• What is tokenization?
• What is encryption?
• How are they different?
• What problems does each solve?
• Do they compete with each other or are they complementary?
• How much does your typical engineer need to understand about encryption and tokenization?
• What are the big gaps in data privacy today? What future technology or development are you excited about?
• Where should someone looking to learn more about the data privacy space begin?

Resources:

• Demystifying Tokenization

Dr. Lorrie Cranor began her career in privacy 25 years ago and has been a professor at Carnegie Mellon University in the School of Computer Science for 19 years. Today, she serves as director and professor for the CMU privacy engineering program.

In this episode, Dr. Cranor discusses how she started her career in privacy and then eventually moved into academics. She talks about the history of the CMU privacy engineering program, what the program entails as a student, and the career opportunities available to graduates.

Dr. Cranor's area of research focuses on the usability of privacy and privacy decision making. She discusses several recent studies looking at how real world users understand and navigate cookie consent popups and design best practices for companies. She also explains privacy labels and how developers building applications on iOS and Android can do a better job creating these labels.

We also discuss the future of privacy education and technologies, touching on the responsibilities of companies and privacy-enhancing technologies like differential privacy.

Topics:

• How did you get interested in security and privacy and start working in this field?
• What’s the history of CMU’s Privacy Engineering Program? How did it start?
• Which department is the program part of?
• If I’m taking the Master’s degree program, what does that consist of?
• What’s the typical undergraduate background of someone taking the Master’s degree program?
• Do graduates typically end up working as privacy engineers and what sort of companies do they end up at?
• What’s the difference between the Master’s program and the certificate program?
• How has engagement with the privacy program changed over the past decade?
• Should privacy education be part of a standard software engineering undergraduate program?
• How would you describe your areas of privacy research and the types of problems you’re interested in studying?
• What have you discovered about how individuals make privacy-related decisions?
• How can companies go beyond the bare minimum in terms of communicating privacy choices to their users?
• Privacy choices are notoriously difficult to navigate and understand, what does your research help teach us about improving the usability of UX for privacy controls?
• How can you test privacy choice? Does the collection of test data potentially violate someone’s privacy?
• What is a privacy nutrition label and what problems is it meant to address?
• Starting in 2020, Apple started using this concept by requiring that all apps in the Apple app store include a privacy label. Labels are self-generated by the app developer. How good is the resulting privacy label if the developer lacks privacy training and education?
• What are the common mistakes developers are making with creating these privacy labels?
• What advice do you have for developers so that they can create an accurate privacy label?
• Cookie consent overlays and popups are now very common. What event led to the introduction of these consent dialogs for consumers?
• What problems have you discovered with the usability of cookie consent screens?
• Do we need privacy regulations like GDPR to be more prescriptive in terms of how you meet their requirements, which could include usability guidelines for something like cookie consent?
• Thoughts on the future of privacy engineering?
• What are your predictions about privacy education and awareness over the next 5-10 years?

Resources:

• CMU's Privacy Program
• Dr. Cranor's Research

Related episode:

• Data Protocol’s Privacy Engineering Certificate Course with Jake Ward

Robin Andruss has spent her career working in and thinking about privacy and compliance. She's previously held privacy roles at Google, Yahoo!, and Twilio, where she served as the Global Director for Privacy and Data Protection. She's currently the Chief Privacy Officer for Skyflow.

In this episode, she discusses her background, how she got interested in privacy, privacy engineering, the responsibilities of a Chief Privacy Officer, and what every company needs to be thinking about when it comes to the ever changing privacy landscape.

Topics:

• What are the responsibilities of a chief privacy officer?
• How did you end up with an interest in working in the data privacy space? And what’s your work history in this space?
• What is privacy engineering?
• What is the typical background of someone that ends up working as a privacy engineer?
• Where does privacy engineering typically sit in an organization
• How does an engineering team typically work with the privacy function within an organization?
• People tend to lump security and privacy together, what’s the difference?
• If you were advising a startup today, what advice would you give them about how to navigate the ever changing privacy landscape?
• What should every company be thinking about when it comes to data privacy?
• Does every company need to hire a privacy specialist? If not, at what point does that make sense?
• What are the big gaps in data privacy today? What future technology or development are you excited about?
• Where should someone looking to learn more about the data privacy space begin?

Resources:

• Effective Privacy is Always Proactive
• NIST Framework
• CMU Privacy Engineering Programming
• Data Protocol Privacy Engineering Certificate Program
• IAPP Privacy. Security. Risk. 2022

Daniel Wong has spent his career thinking about data security and privacy. He holds more than 50 patents on database security, and spent 8 years serving as Oracle's Director of Engineering, Security, pioneering much of the modern database security methods and techniques.

Daniel now serves as Skyflow's Head of Security and Compliance, where he makes sure Skyflow and Skyflow customers are compliant with the privacy rules and regulations around the world and that security best practices are followed and understood.

In this episode, Daniel discusses his background, the evolution of privacy and security from on-prem computing to the cloud, and also discusses the common mistakes companies make when it comes to data security and privacy. He touches on what impact that could have on their business and how can companies prevent these mistakes from happening.

Topics:

• What were some of the security technologies that you helped pioneer during your time at Oracle?
• How has company privacy and security requirements and thinking changed throughout your career?
• What do you do as the Head of Security and Compliance at Skyflow?
• What are some of the common mistakes you see companies make when it comes to security and privacy?
• What are the consequences of these mistakes?
• How can companies prevent these mistakes from happening?
• Is privacy just about compliance for companies or are they motivated by other factors?
• What tools and technologies should companies be investing in?
• At what point does it make sense for a company to hire a security and compliance expert?
• What are the big gaps in data privacy today? What future technologies or development are you excited about?

Resources:

• Skyflow Achieves PCI Level 1 Service Provider Certification
• Five Essential Ingredients of a Data Privacy Vault
• Demystifying Tokenization: What Every Engineer Should Know

Snowflake went public last year and is one of the fastest growing companies in the data cloud space. Businesses from all over the world are utilizing Snowflake for data storage, processing, and analytics.

Businesses using Snowflake are storing massive amounts of data, including regulated and highly sensitive customer data.

In this episode, Dan Myers, developer advocacy lead from Snowflake, joins the show to discuss how he ended up working in the data space, Snowflake's various configuration and deployment models, and what each means from a security perspective as well as some of the recent privacy features Snowflake announced during their conference this past June.

Topics:

• How did you end up in the job you're in today?
• Where did your interest in the data space begin?
• What is Snowflake and how do people use it?
• What are some of the features Snowflake provides to help protect customer data?
• What are the different deployment models for Snowflake and how do they impact security?
• When might it make sense for a business to use a multi-tenant versus single tenant cloud architecture?
• How does Snowflake's data masking and external tokenization features work?
• What are some of the tools Snowflake provides to facilitate secure data sharing?
• What is tag-based data masking versus dynamic data masking?

Resources:

• Snowflake Quickstarts
• Snowflake Summit Announcements

Follow Dan on Twitter @jdanielmyers

Data Protocol is a developer education platform designed specifically to serve the learning styles and needs of engineers. The platform includes a live terminal environment and immersive platform to teach, train, and certify professionals.

Companies like Uber and Meta have created courses for the platform and employees serve as instructors. Data Protocol also includes many courses focused on data privacy and security, including the Privacy Engineering Certificate course led by the Head of Privacy Engineering at Uber, Nishant Bhajaria.

Jake Ward, CEO and Founder of Data Protocol joins the show to discuss his motivations for creating the platform, why focus on privacy, and how they were able to take Nishant's real world experience and turn it into a course.

Topics:

• What's your background and how did you end up where you are today?
• What is Data Protocol and what were your motivations for launching the platform?
• Why are developers different? Why train and educate that audience specifically?
• How did you get an interest in privacy and why focus training engineers in privacy?
• What are some of the privacy-related courses and certifications offered on the platform?
• How do these courses get designed and come together?
• How are people and businesses using these courses?
• What can someone expect from taking one of these courses?
• Have you faced an educational challenge with generating interest in people taking privacy-related courses or are you seeing a shift to more interest in privacy?
• Privacy and security are buzz words we hear more and more these days, are things really changing - if not / why not?

• What’s next for Data Protocol? Anything exciting on the horizon that you can share?

Resources:

• Data Protocol
• Privacy Engineering Certificate Course

Both compliance regulations and consumer needs are creating increasing pressure on companies to do a better job of securing and managing their sensitive customer data. Yet, companies continue to struggle to comply with regulations, meet consumer privacy demands, and prevent data breaches.

Anshu Sharma, CEO and founder of Skyflow, joins the show to discuss a radically different approach to privacy, the data privacy vault. With a data privacy vault, a company is making the architectural decision to move their sensitive customer data out of their existing infrastructure and into a vault. The vault is isolated and protected, becoming the single source of truth for all sensitive customer PII, effectively de-scoping existing systems from the responsibilities of compliance, data security, and data privacy.

The data privacy vault makes the principles of privacy by design actionable, creating a system for engineers to implement the principles in the form of privacy by architecture.

Topics covered:

• How did you end up with an interest in working in the data privacy space
• Why should companies care about privacy?
• Why is privacy hard for companies?
• What is a data privacy vault?
• Where did this technology come from?
• How does the data privacy vault help with things like data security and compliance?
• How is this different from just a dedicated encrypted database for PII?
• Why haven't more companies built their own vaults?
• Why is an API the right way to deliver this technology?
• How does the vault facilitate data utility while still protecting the data?

Resources:

• What is a Data Privacy Vault
• What if privacy had an API?

Follow Anshu on Twitter @anshublog.

Welcome to the trailer episode for Partially Redacted.

In this episode, Sean Falconer, Head of Developer Relations at Skyflow, introduces the goals and motivations behind creating a podcast about privacy, what you can expect from each show, and a teaser for some upcoming episodes.

If you work in privacy, data, security, compliance, or related fields, make sure you subscribe. You can also join the conversation and community at https://skyflow.com/community.