The Partially Redacted 2022 Year in Review

In September of this year, Skyflow launched our data privacy podcast, Partially Redacted, with me as the host. I’d wanted to do this even before joining Skyflow because I’ve long felt like there was a need for a show like this: a show that would bring together cross-functional experts in privacy and security to share their knowledge and educate the market.

I originally conceived of the project as a monthly podcast, but then felt that wasn’t ambitious enough, so then I planned on an episode every other week… but that also felt like aiming too low. So, I eventually settled on the goal of publishing an episode each week – an ambitious goal when also balancing my other job responsibilities, business travel, and family. I couldn’t do it without the support of the Skyflow team, especially Fred Jongson Park, who edits and produces every episode.

The last episode of 2022 will come out this week, but don’t worry, we’ll be back with a whole new collection of episodes come January.

In this post, I wanted to share some reflections on some of the themes and big takeaways from the 17 episodes we recorded this year.

Privacy by Architecture with Skyflow’s Anshu Sharma

Our first episode naturally featured Skyflow’s CEO and Co-founder, Anshu Sharma, where we discussed the idea of approaching data privacy as an architectural problem. Many businesses struggle with data privacy, security, and compliance because they simply don’t know where their customer data is. It’s all over the place and if you don’t know where it is, it’s impossible to protect it.

Anshu’s position is that sensitive customer data is a fundamentally different type of data than application or transactional data. As such, sensitive data needs to be treated differently, and not intermixed with your other (non-sensitive) data. Skyflow borrows data privacy techniques from companies like Netflix, Apple, Google, and others, and then combines those with proprietary techniques like polymorphic encryption to offer a radically different approach to data privacy: privacy by architecture via Skyflow Data Privacy Vault.

One of the nuggets of wisdom that Anshu shared in the interview that continues to stick with me is that to do privacy right, you need to do more than get it right in a single feature, or by owning privacy for a specific function. Instead, preserving data privacy has to be part of the cultural identity of the company. Everyone needs to have a sense of ownership in this mission, and understand the responsibility they have to protect and respect their customer’s sensitive data.

Data Protocol’s Privacy Engineering Certificate Course with Jake Ward

Data Protocol is a developer education platform designed to serve the learning needs of developers. The platform supports a variety of courses, but with a heavy concentration on privacy and security topics.

Jake Ward, the CEO and founder, joined the show to discuss why he created a course focused on privacy engineering. He talked passionately about how engineers care about privacy and how, by creating this course, he’s trying to arm them with the knowledge required to implement privacy engineering practices within their organization.

As a former educator myself, I am always in favor of educating and empowering people and I’d love to see more engineers learn the basics of privacy engineering. Sometimes we simply don’t know what we don’t know, and that can lead to unintended consequences. But we are past the era when we can afford to remain ignorant of the impact that a poor privacy posture has on our customers.

Jake and I believe that privacy is a fundamental human right and everyone working in technology has a responsibility to be respectful of their customers’ sensitive personal data.

Data Security in Snowflake’s Data Cloud with Dan Myers

In our third episode, my friend and former teammate Daniel Myers joined the show to talk about the various security features available in the Snowflake Data Cloud. We discuss dynamic masking, deployment models, and various other security features available in Snowflake.

The data engineering, analytics, and data science space is absolutely exploding right now and Snowflake is very much in the center of the action. With 20% of enterprise businesses now collecting data from over 1,000 different data sources, there’s a lot of complexity to think through and manage when it comes to the handling of sensitive customer data. Snowflake is trying to make this simpler for businesses, but even solving these issues across your Snowflake instance doesn’t address this challenge across your entire data stack.

It’s important to remember that privacy and security don’t exist within a silo, so you need a holistic approach to protecting data privacy.

Last June, I spoke at the Snowflake Summit about how to build a privacy-preserving ETL pipeline and perform analytics operations using de-identified deterministic tokens. This approach helps you take advantage of all the awesome features of Snowflake while leveraging the value of a data privacy vault.

Common Data Security and Privacy Mistakes with Skyflow’s Daniel Wong

Daniel Wong is one of my favorite people to have lunch with. You’ll be hard pressed to find a smarter, more knowledgeable person that’s also completely approachable and super humble. I always learn something new from him.

Daniel has over 50 patents in database security and in this episode he discusses his experience and perspectives from working in security for over 20 years.

We talk about how the cloud actually has advantages from a security perspective when compared to on-prem data centers. With the cloud, you get a lot of security best practices baked into your product without having to manage it yourself. Cloud updates are seamless, which increases your go to market speed.

This is a theme that came up in other episodes as well, like the episode with Google architects about creating a secure CI/CD pipeline. Cloud does bring complexity, like shared owner responsibility and we’re still

What Every Company Should Know About Privacy with Skyflow’s Robin Andruss

Robin A., Skyflow’s Chief Privacy Officer, previously held privacy roles at Twilio, Google, and Yahoo!. She and I talk about the basics of privacy and what every company should know.

Both privacy engineering and the role of a Chief Privacy Officer are new and evolving roles. Having a Chief Privacy Officer is a signal that a company is taking privacy seriously.

Robin’s recommendation for all companies was to dedicate someone to privacy. Even if you don’t have resources to hire someone, look internally for someone who wants to put their hand up and own the privacy program. After interviewing many people working in privacy engineering, this is actually how a lot of those people ended up falling into careers in privacy engineering. It wasn’t by design, but they picked up the responsibilities at an organization and then fell in love with it.

Privacy is something that people tend to really like once they move into it. It feels like you’re helping people and that’s an easy thing to feel passionate about.

Privacy Engineering at CMU and Privacy Decision Making with Dr. Lorrie Cranor

Landing Lorrie Cranor as a guest was a big get for me. Dr. Lorrie Cranor has been working in privacy for 25 years and has been a professor at Carnegie Mellon University for 19 years. She serves as the director of the CMU privacy engineering program.

We talk about the history of the program, the curriculum, and where her students end up after graduating. We also discuss privacy education generally, and then dive into her current area of research: privacy decision making.

As I mentioned earlier, I’m a big believer that everyone receiving a computer science education should have to take a course on privacy, and Dr. Cranor agrees. The CMU program has been around for a decade but has recently exploded and added a lighter weight certificate course to reach more students and mid-career professionals.

I highly recommend checking out the CMU program. Jobs in privacy engineering are only going to see increasing demand – and even if you work as a product engineer instead of a developer, having some background in data privacy is hugely valuable.

Introduction to Tokenization and Encryption with Skyflow’s Joe McCarron

In this episode, Skyflow Product Lead Joseph McCarron joins the discussion to break down two important privacy and security concepts, tokenization and encryption.

Tokenization is an approach that replaces sensitive data with non-sensitive tokens. Unlike encryption, there’s no mathematical connection between the generated token and the original value, so you can’t reverse engineer the original value from the token. On the other hand, encryption is an algorithmic technique that transforms plaintext data into ciphertext. Decryption is the reverse mathematical process.

Both have important roles in privacy and security, and neither one alone is a complete solution to data security. Encryption is great but typically you have to decrypt the data to use it, which means the original (potentially sensitive) data is available in memory and sometimes ends up being logged somewhere unintentionally. Additionally, searching over encrypted data and proper management of encryption keys are both challenging problems.

Tokenization is great for keeping sensitive data out of your downstream systems, but certain analytics queries, like performing a range query over tokenized coordinates, aren’t possible when working with tokenized data. Additionally, you’ll need to combine tokenization with a strong data governance solution to maintain security over the detokenization process.
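The trade-offs above, as an added example that is not from the episode and is not Skyflow's API: a toy in-memory vault (the `TokenVault` class, its methods, the role name and the sample rows are all hypothetical) showing that deterministic tokens still support equality analytics downstream, while a range query has to go back through a governed detokenize call.

```python
import secrets
from collections import Counter


class TokenVault:
    """Toy in-memory vault; class and method names are hypothetical."""

    def __init__(self, detokenize_roles):
        self._value_by_token = {}
        self._token_by_value = {}
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, value):
        # Deterministic: a repeated value gets the same token, so downstream
        # systems can still join and group on it.
        if value not in self._token_by_value:
            # The token is random, not derived from the value: without the
            # vault's lookup table there is nothing to reverse.
            token = "tok_" + secrets.token_hex(8)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token, role):
        # Governance check: only named roles may recover original values.
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_by_token[token]


# Constructed sample rows: (customer email, delivery latitude).
ORDERS = [
    ("ana@example.com", 48.43),
    ("bo@example.com", 37.77),
    ("ana@example.com", 49.28),
    ("cy@example.com", 40.44),
]


def load_warehouse(vault, orders):
    """Downstream copy holds tokens only, never emails or coordinates."""
    return [(vault.tokenize(email), vault.tokenize(lat)) for email, lat in orders]


def orders_per_customer(warehouse):
    """Equality analytics (group by customer) work directly on tokens."""
    return sorted(Counter(email_tok for email_tok, _ in warehouse).values())


def rows_in_latitude_range(vault, warehouse, low, high, role):
    """Range filters need real values, so they go through detokenize()."""
    return [row for row in warehouse
            if low <= vault.detokenize(row[1], role) <= high]


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"privacy-service"})
    warehouse = load_warehouse(vault, ORDERS)
    print(orders_per_customer(warehouse))
    print(len(rows_in_latitude_range(vault, warehouse, 45, 50, "privacy-service")))
```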

Encryption Key Management and Its Role in Modern Data Privacy with Skyflow’s Osvaldo Banuelos

Encryption is easy, but encryption key management is hard. Skyflow Lead Software Engineer Osvaldo Banuelos joins this episode to explain how encryption key management works.

Managing encryption keys well is critically important to preserving data privacy, because without proper management of encryption keys, robust encryption techniques can be rendered ineffective.

There’s a lot to think about when it comes to encryption key management and I’d recommend using an existing solution like AWS, HashiCorp’s Key Management System, or Skyflow’s integrated KMS. There’s little reason to roll your own encryption key management solution when you can rely on expert-built solutions so you can focus on building features that serve your customers.

Differential Privacy with the University of Victoria’s Dr. Yun Lu

One of the biggest asks for the show to this point was to do an episode on differential privacy. I was fortunate enough to get introduced to Dr. Yun Lu from the University of Victoria (my alma mater), whose area of expertise is differential privacy.

Differential privacy is a mathematical definition for privacy. The techniques used to achieve differential privacy typically inject randomness into a sample to help cast doubt on the truthfulness of any single piece of data. It’s a super fascinating topic with many practical use cases in analytics and machine learning.

We discuss local and global differential privacy and practical use cases for this technique, ranging from politics, to the US Census, and applications in industry.

The biggest takeaway from this interview is that this is a hot and emerging area. I think there’ll be a lot of new companies offering differential privacy-based solutions in the future. It’s important to know that this approach doesn’t solve all technical privacy challenges; it addresses a specific class of problem. It’s powerful but not a wholesale fix.
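To make the local versus global distinction concrete, here is an added example (not from the episode; function names, the 30% true rate and the seed are assumptions for the demo) that estimates the share of "yes" answers in a sensitive survey two ways: randomized response applied by each respondent, and Laplace noise added by a trusted curator to the exact count.

```python
import math
import random


def randomized_response(truth, rng):
    """Local DP: each person randomizes their own answer before sharing it."""
    if rng.random() < 0.5:          # first coin heads: answer honestly
        return truth
    return rng.random() < 0.5       # tails: a second coin picks the answer


def randomized_response_epsilon():
    # P(report yes | truth yes) = 0.75 and P(report yes | truth no) = 0.25,
    # so the likelihood ratio is 3 and epsilon = ln 3.
    return math.log(0.75 / 0.25)


def estimate_rate(reports):
    # E[observed yes rate] = 0.25 + 0.5 * p, solved for the true rate p.
    observed = sum(reports) / len(reports)
    return 2 * (observed - 0.25)


def laplace_count(true_count, epsilon, rng):
    """Global DP: a trusted curator adds Laplace noise to an exact count."""
    # A count changes by at most 1 per person (sensitivity 1), so the noise
    # scale is 1/epsilon. The difference of two exponentials is Laplace.
    return true_count + rng.expovariate(epsilon) - rng.expovariate(epsilon)


def simulate(true_rate=0.30, n=100_000, epsilon=1.0, seed=7):
    rng = random.Random(seed)       # seeded only so the demo is repeatable
    truths = [rng.random() < true_rate for _ in range(n)]   # constructed data
    reports = [randomized_response(t, rng) for t in truths]
    return {
        "true_rate": sum(truths) / n,
        "local_estimate": estimate_rate(reports),
        "global_estimate": laplace_count(sum(truths), epsilon, rng) / n,
    }


if __name__ == "__main__":
    print(randomized_response_epsilon(), simulate())
```

No single report can be trusted, yet the aggregate is recoverable; the local estimate is noisier than the global one because every respondent adds their own randomness. Python's `random` module and naive floating-point Laplace sampling are for illustration only; production systems should use a vetted differential privacy library.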

Why We Need to Get Rid of Passwords with Passage’s Nick Hodges

This was one of my personal favorite episodes because I hate keeping track of passwords. Passwords have been around for over 50 years and yet various approaches to make them more secure, like complex password schemes, have done little to stop password attacks.

In this episode, Passage by 1Password's Nick Hodges discusses an authentication model based on biometrics, such as fingerprints or facial identification. This WebAuthn approach offers a significant enhancement to a consumer’s experience: they no longer need to remember a password; instead, they can simply use thumbprint ID on their phone to gain access to a system they’re logging into.

I can’t wait for this to become the norm. 1Password recently acquired Passage, so I’m apparently not the only one chomping at the bit for passwordless authentication to become the reality.

Digital Health Data Privacy with the Future of Privacy Forum’s Jordan Wrigley

Digital health is a huge and fast growing field that has tremendous potential to transform our lives for the better, but there are also a lot of complex privacy concerns to navigate when handling sensitive health data.

Jordan Wrigley works as a researcher for health and wellness at the Future of Privacy Forum, and she shares her expertise in digital health privacy.

One of my favorite parts of this episode was our discussion about how culture impacts how an individual thinks about health-related data privacy. It’s really important for all of us to remember that our worldview isn’t necessarily the same as those of our customers or patients. So, if you’re building products in the digital health space to serve a worldwide audience, you need to be aware of this and seek out opportunities to broaden your perspective.

Building a Secure CI/CD Pipeline with Google’s Anjali Khatri and Nitin Vashishta

Google cloud architects Anjali Khatri and Nitin Vashishtha joined the podcast for my first two-guest episode. They did an awesome job explaining how to use Google Cloud to build a secure CI/CD pipeline.

We also discussed a variety of other cloud-based security features, and similar to my discussion with Daniel Wong, both Anjali and Nitin believe the cloud is a more secure place to build your business. The products are built with best practices in mind and there are literally thousands of engineers working to stay on top of the latest security vulnerabilities and adapt to the ever-changing security and privacy landscape.

I really enjoyed our conversation and hopefully they’ll come back on the show to discuss other cloud security topics in the future.

Inside PCI DSS and Privacy for Payments with Skyflow’s Bjorn Ovick

This was one of our most popular episodes in 2022. Apparently there are a lot of people who want to learn about PCI DSS and privacy for payments. Luckily, podcast listeners were in good hands with Bjorn Ovick, Skyflow’s Head of Fintech, who’s spent 20 years working in payments and has over 20 patents in the space.

We talk about the history of PCI DSS, how it works, what it means for different businesses, what’s involved with building PCI compliant infrastructure, and how to offload most of that responsibility with third party services.

One really interesting topic we dipped into was how to create a payment orchestration workflow where you’re not locked in to working with a single payments vendor. With this approach, you offload storage and management of your customer credit cards to your Skyflow Vault, but continue to use third party payment processors for charging your customers. This gives you the flexibility to work with any payment processor you choose, or multiple payment processors, to maximize performance and reduce fees.

Machine Learning and Privacy at the Edge with Edge Impulse’s Daniel Situnayake

My former colleague Daniel Situnayake, now Head of ML at Edge Impulse, joined me on this episode to talk about edge devices and privacy.

Edge devices can use on-device machine learning models to do amazing things like monitor factory equipment, recognize endangered species, or even keep astronauts alive on the International Space Station. There are some unique security challenges with these devices because they are often physically available for tampering, but they also have certain privacy advantages because they don’t need to store data for round trips to a server.

The data used for inference can be ephemeral, which is great both from a storage capacity standpoint, and also for data privacy. Federated learning is also an interesting application of edge computing, where training can happen locally on device and only the new model is sent to a central server, keeping any sensitive data used to train that model out of your data centers.

It’s a really interesting emerging field and I highly recommend checking out Dan’s book AI at the Edge if you’re interested in learning more about this space.

Bug Bounties, Pentesting, and Automated Security Workflows with Trickest’s Nenad Zaric

“Be proactive, always be trying to break your system.”

That’s one key piece of security advice from Nenad Zaric, former pentester and bug bounty hunter, now CEO and founder of Trickest, Inc.

In this episode Nenad educates me on how bug bounties and pentesting work. We also discuss the cool product they’re building at Trickest that helps automate security workflows so you can always be proactively testing your system.

When it comes to security, you have to assume that anyone dedicated enough can get into your system, but that doesn’t mean you have to make it easy. By taking a proactive approach to constantly test the potential vulnerabilities of your system, you can significantly improve your security posture and make it much, much harder for you to become the victim of an attack.

Data Privacy Challenges and Where to Start with Skyflow’s Ari Hoffman

Here comes the energy and enthusiasm!

Ari Hoffman, Head of Customer Programs at Skyflow, joins the podcast for this episode, and his passion for data privacy is contagious. Ari talks about how businesses should think about and approach their data privacy challenges.

A few pearls of wisdom from Ari include: You don’t have to boil the ocean, instead start small, then fix your major privacy issues, and then build from there. Improving your security and privacy posture doesn’t have to be a daunting, overwhelming multi-year process – but putting it off isn’t a good option, either.

Instead, you can get started by using a platform like Skyflow to fix data privacy issues and significantly accelerate your time to market, giving you more flexibility for new initiatives in the future.

Operationalizing a Privacy Program with Coinbase’s Pramod Raghavendran

After spending time in privacy programs at Amazon and Google, Pramod Raghavendran helped build the privacy program at Coinbase. In this episode, he shares his expertise about how to build, scale, and operationalize a privacy program from scratch.

I really enjoyed learning from Pramod, especially his views on how to build a culture of privacy within an organization. He believes privacy needs to be an engineering and product function. This naturally shifts privacy left because now privacy concerns have a seat at the table during the creation of the product.

You can’t solve privacy challenges independently within silos. That only increases your privacy debt over time because teams end up taking different approaches, duplicating data unnecessarily, and unintentionally making mistakes.

Hopefully I can have Pramod on again to discuss other privacy topics. He’s a great guest and super knowledgeable.

Final Thoughts

I started listening to podcasts in 2006, long before most people knew what a podcast was. In the past decade, I’ve likely consumed more hours of podcast episodes than all other forms of entertainment that I indulge in combined. I love the medium. I love that there’s a niche podcast out there for everyone, so it’s my great pleasure to host Partially Redacted.

I hope if you’re a listener, you’ve enjoyed the show so far and I’m looking forward to getting back at it in 2023. If you ever have feedback or show suggestions, you can reach me at [email protected].

Thank you so much for listening and reading.

Thanks to all the guests, and Happy Holidays and Happy New Year!

Nitesh Gupta

We help B2B businesses attract and convert clients through Power Writing | Got our clients published on Forbes, Entrepreneur

1y

Awesome. Looking forward to it!

Nick Hodges

Software Geek. Presenter. Writer.

1y

Thanks again, Sean. I really appreciate the opportunity to talk with you.

Pramod Raghavendran

Group Director - Walmart | Ex-Google | Ex-Amazon

1y

I listened to many of these podcasts you reference and learnt a lot from them. Looking forward to more awesome content in 2023. Happy to come back on the show as well.
