Partially Redacted: Data Privacy, Security & Compliance

In this episode, Sean sat down with Jack Godau to dive deep into the world of pseudoanonymization. They started by discussing Jack's career trajectory working with highly sensitive data and how that experience shapes his engineering mindset. Jack shared how pseudoanonymization differs from anonymization, explaining its value for maintaining data utility while complying with stringent regulations like GDPR. Jack also walked us through the challenges and key components of building a pseudoanonymization engine, including the complexities of handling re-identification risks, ensuring scalability, and optimizing performance for large datasets. He shared insights on the trade-offs between data protection and usability, and whether building these systems in-house is worth the investment for startups. Finally, they explored where the field is heading, especially as data privacy concerns continue to grow.

In this episode, Sean sits down with Ben Burkert, Co-founder and CTO of Anchor, to dive into the world of certificate management and internal TLS. We explore how certificates and TLS function, the inherent difficulties in managing internal TLS certificates, and why nearly every engineer has a horror story related to it. Ben also shares insights into how Anchor is addressing these challenges and making internal TLS certificate management simpler and more reliable. Key Topics: Understanding Certificates and TLS: Basics of how certificates and TLS work. The role of TLS in securing internal communications. The Challenges of Internal TLS Certificate Management: Why managing internal TLS certificates is so difficult. Common pitfalls and challenges engineers face. Engineer Horror Stories: Real-world examples of certificate management gone wrong. The impact of these failures on teams and organizations. How Anchor is Fixing the Problem: Anchor's approach to simplifying internal TLS certificate management. Key features and benefits of Anchor's solution. If you've ever struggled with internal TLS certificates or are looking for a way to avoid the pain altogether, Ben's expertise provides a clear path to overcoming the challenges of certificate management with a modern, reliable approach. Resources: https://anchor.dev/ https://lcl.host/

In this episode, we sit down with Ori Rafael, CEO and Co-founder of Upsolver, to explore the rise of the lakehouse architecture and its significance in modern data management. Ori breaks down the origins of the lakehouse and how it leverages S3 to provide scalable and cost-effective storage. We discuss the critical role of open table formats like Apache Iceberg in unifying data lakes and warehouses, and how ETL processes differ between these environments. Ori also shares his vision for the future, highlighting how Upsolver is positioned to empower organizations as they navigate the rapidly evolving data landscape.

In this episode, Sean Falconer is joined by Aubrey King, solutions architect and community evangelist at F5, to discuss the top 10 security issues for LLM applications. They explore critical threats such as prompt injections, insecure output handling, and training data poisoning, among others. Aubrey provides insights into why these issues arise, the attacks being observed, and the methods used to mitigate these risks. This episode is essential listening for anyone interested in the security of large language models and their applications.

In this episode, host Sean Falconer sits down with Eric Flaningam, a researcher at Felicis Ventures, to explore the fascinating world of data warehouses. They dive into the history, evolution, and future trends of data warehousing, shedding light on its importance. Key topics discussed include an overview of the article "A Primer on Data Warehouses," and the definition and key characteristics of data warehouses. They also cover the historical evolution and major milestones in data warehousing, the shift from batch processing to real-time data, and the convergence of data warehouses and SQL. Eric and Sean discuss the impact of unstructured and complex data, advancements in technology and their effect on data warehouses, and the technical architecture and components of a typical data warehouse. They share real-world benefits and use cases of data warehouses, common challenges in implementing and maintaining data warehouses, and future trends and the influence of AI and machine learning on data warehouses. For further reading, check out Eric Flaningam's article, A Primer on Data Warehouses: https://www.generativevalue.com/p/a-primer-on-data-warehouses

Join us as we chat with Tim Jensen, a privacy enthusiast, about personal online security. Tim shares his journey to becoming a privacy advocate and teacher and provides insights into the common mistakes people make with passwords. We discuss why passwords have persisted for over 60 years, the issues with current password creation methods, and the balance between complexity and usability. We also explore strategies to protect personal information beyond just using better passwords. Finally, Tim shares his thoughts on future approaches to password and identity protection.

In this episode Sean welcomes Brian Vallelunga, CEO and founder of Doppler, to discuss secrets management. Brian shares the journey of founding Doppler, a company dedicated to securing sensitive data such as API keys and credentials. Sean and Brian discuss the nuances of secrets management, its distinction from password management, and the importance of dedicated services for safeguarding secrets. The episode also addresses the alarming rise in data breaches, common mistakes companies make, and essential practices for managing secrets effectively. Brian offers expert advice on protecting secrets, the necessity for secret rotation, and the future of secrets management.

In this episode, Sean is joined by Eric Dodds, Head of Product Marketing at RudderStack, to dive into the world of data management, data pipelines, and common data mistakes. Eric shares his insights on when organizations should transition from basic tools like spreadsheets to a more sophisticated data stack, including data warehouses and modern tooling. They discuss the challenges businesses face in data management, specifically about coming up with a common set of definitions that an organization is aligned around. They also discuss how to address these issues, and the importance of secure handling of customer data. Eric also provides an overview of RudderStack, its open-source approach, and the value it brings to managing customer data. Eric shares a ton of practical advice on building and optimizing your data infrastructure.

In this episode, Kirk Marple, CEO and Co-founder of Graphlit, joins the show. Sean and Kirk dive into the world of unstructured data management, discussing the evolution and current challenges in the field. While structured data has been well-handled since the 1970s, 80-90% of the world's data remains unstructured, with predictions of 175 billion terabytes by 2025. Despite this vast amount, companies struggle to utilize it effectively due to immature tools and processes. Graphlit was founded to address this gap, providing scalable, maintainable systems with enhanced observability to handle unstructured data efficiently. Kirk discusses the challenges in data security and privacy when building RAG-based applications. He discusses some of their exploration into PII scrubbing and also controlled access to the vector embeddings based on the roles of a user. Finally, looking forward, Kirk shares insights into the future of Graphlit and their continued focus on enhancing the accessibility and utility of unstructured data for businesses across various industries.

In this episode, Jake Moshenko, CEO and co-founder of AuthZed, joins the show to explore the world of user permissions at scale. Inspired by Google's Zanzibar, AuthZed aims to tackle the challenges of authorization - a less common focus compared to authentication in the tech industry. Jake discusses the initial simplicity and subsequent complications in role-based permission models, where businesses often struggle as they scale and need more nuanced access controls. He explains the Zanzibar paper from Google and the technical challenges with implementing the approach successfully. He explains how AuthZed facilitates a flexible and maintainable permission system and how companies get started.

In this episode host Sean Falconer is joined by Aaron Painter, CEO of Nametag, to explore the evolving threat and potential of AI deepfakes. They discuss the increasing sophistication of deepfake technology, highlighted by the significant rise in incidents such as the Retool hack, and how these technologies can manipulate public perception and security. Aaron discusses the development of technologies to both create and detect deepfakes, discussing the arms race that pits innovation against security. Aaron shares insights into how his company, Nametag, is at the forefront of combating deepfake fraud by protecting identity data and providing solutions for both companies and individuals to safeguard themselves. They conclude with thoughts on the future, discussing the ongoing technological advancements that are expected to play a crucial role in the fight against deepfakes, aiming to balance innovation with security in the digital landscape.

In this episode we're joined by Shubh Sinha, CEO and Co-founder of Integral, to discuss the protection and utilization of sensitive health data. Shubh shares insights from his varied career in sales, engineering, and product management, and dives into the challenges of maintaining privacy and security in healthcare. The conversation covers HIPAA regulations, the balance of securing data while keeping it accessible, and the role of generative AI in healthcare innovations. Tune in for a detailed look at how technology is shaping the future of patient treatment and data privacy.

In this episode, we dive into the world of MLOps, the engine behind secure and reliable AI/ML deployments. MLOps focuses on the lifecycle of machine learning models, ensuring they are developed and deployed efficiently and responsibly. With the explosion of ML applications, the demand for specialized tools has skyrocketed, highlighting the need for improved observability, auditing, and reproducibility. This shift necessitates an evolution in ML toolchains to address gaps in security, governance, and reliability. Jozu is a platform founded to tackle these very challenges by enhancing the collaboration between AI/ML and application development teams. Jozu aims to provide a comprehensive suite of tools focusing on efficiency throughout the model development and deployment process. This conversation discusses the importance of MLOps, the limitations of current tools, and how Jozu is paving the way for the future of secure and reliable ML deployments. Resources: Jozu KitOps  

In this episode, we dive deep into the world of prompt injection attacks in Large Language Models (LLMs) with the Devansh, AI Solutions Lead at SVAM. We discuss the attacks, existing vulnerabilities, real-world examples, and the strategies attackers use. Our conversation sheds light on the thought process behind these attacks, their potential consequences, and methods to mitigate them. Here's what we covered: Understanding Prompt Injection Attacks: A primer on what these attacks are and why they pose a significant threat to the integrity of LLMs. Vulnerability of LLMs: Insights into the inherent characteristics of LLMs that make them susceptible to prompt injection attacks. Real-World Examples: Discussing actual cases of prompt injection attacks, including a notable incident involving DeepMind researchers and ChatGPT, highlighting the extraction of training data through a clever trick. Attack Strategies: An exploration of common tactics used in prompt injection attacks, such as leaking system prompts, subverting the app's initial purpose, and leaking sensitive data. Behind the Attacks: Delving into the minds of attackers, we discuss whether these attacks stem from a trial-and-error approach or a more systematic thought process, alongside the objectives driving these attacks. Consequences of Successful Attacks: A discussion on the far-reaching implications of successful prompt injection attacks on the security and reliability of LLMs. Aligned Models and Memorization: Clarification of what aligned models are, their purpose, why memorization in LLMs is measured, and its implications. Challenges of Implementing Defense Mechanisms: A realistic look at the obstacles in fortifying LLMs against attacks without compromising their functionality or accessibility. Security in Layers: Drawing parallels between traditional security measures in non-LLM applications and the potential for layered security in LLMs. Advice for Developers: Practical tips for developers working on LLM-based applications to protect against prompt injection attacks. Links: Devansh on LinkedIn AI Made Simple

In this episode, Joice John, Senior Product Manager at Skyflow, joins the show to discuss the complexities of managing privacy and security with unstructured data. Joice explains what unstructured data is and its distinction from structured data, and then dives into the technologies that tackle these challenges. Joice discusses the unique privacy concerns and significant security risks unstructured data poses, highlighting why they're especially tough to mitigate. Sean and Joice also discuss the support modern data lakes offer for secure unstructured data management, alongside Skyflow's solutions for overcoming analytics challenges and protecting sensitive customer information.

Daniel Wong, Head of Security and Compliance at Skyflow, is back for his third appearance. Daniel discusses his extensive career at the forefront of security engineering, having worked with industry behemoths like Oracle, Salesforce, and CrowdStrike. He discusses the critical differences in security needs between large enterprises and smaller businesses, the evolution of security technologies, and the unique challenges of ensuring enterprise-grade compliance. Daniel shares his personal experiences and the innovative security features he helped pioneer, offering listeners an insider's view of what it takes to protect some of today's leading enterprises. Links: Common Data Security and Privacy Mistakes with Daniel Wong Understanding SOC-2 Compliance and Achieving It with Skyflow's Daniel Wong

This episode dives into how we can keep our texts and calls safe from scammers. Sean Falconer chats with Dave Erickson, the co-founder of Phound, which is redefining the way people connect and communicate. Dave shares why texts can easily get targeted by scams, how fraudsters hide their identity, and the tricks they use to trick people. Learn about the simple steps you can take to protect yourself from these scams. Dave also talks about how Phound is working to make our phone numbers safer by creating a self-managed contact card. Users of Phound only receive phone calls and SMS from approved contacts and they're in control over how long someone can contact them. If you're worried about phone scams or interested in how technology is fighting back, this episode and the work Phound is doing should help. Links: Phound

In this episode Rishi Bhargava, Co-founder of Descope, joins the show to delve into the intricacies of authentication and identity management. Rishi, with his extensive experience in security, spanning from McAfee to Palo Alto Networks and co-founding Demisto and Descope, shares his insights on the evolution of the security landscape and the persistent challenges surrounding password-based security. Rishi elaborates on the longevity of passwords, their inherent security weaknesses, and the efforts to bolster their security, often at the expense of user convenience. The conversation shifts to emerging alternatives like passkeys, magic links, social logins, and biometrics, exploring their mechanisms, privacy implications, and potential risks. Rishi explains the nuances of passkey technology, addressing concerns about device theft, and the transition to new devices. Rishi articulates his vision for solving unaddressed challenges in authentication and identity management, differentiating Descope from other passwordless solutions. He outlines the integration process, common migration challenges, and the factors that drive companies to switch to third-party authentication providers. Links: Confidential Computing and Secure Enclaves with AWS's Arvind Raghu

In this episode Sean is joined by Pedram Naveed, Head of Data Engineering at Dagster Labs. They discuss the unique challenges and opportunities in the realm of data engineering, particularly the culture of learning and sharing within the field. Pedram discusses the traditionally guarded nature of data engineering, contrasting it with the more open-source approach in software engineering. He highlights the potential downsides of this secrecy, such as the difficulty in learning best practices and innovating. The discussion also touches on the balance companies must strike between contributing to communal knowledge and protecting valuable data and intellectual property. Pedram shares insights from his experiences at Dagster Labs, including the development of the Dagster Open Platform and its impact on fostering a culture of openness in data engineering. Additionally, they explore the future of collaboration in the field, considering emerging technologies and methodologies that could further encourage sharing and innovation over the next 5-10 years. Links: Dagster Open Platform Pedram Navid

In this episode Zena Obebe, the founder of Hill Redaction Services, joins the show to discuss the critical role of document redaction in maintaining privacy and security. Zena, an expert in the field, discusses the increasing demand for document redaction across various industries, particularly in legal and medical sectors.Document redaction, the process of obscuring sensitive information in documents, is vital for compliance with privacy laws and protecting personal data. Zena sheds light on the challenges organizations face in redacting documents, emphasizing the complexity and necessity of accurately obscuring information without compromising the integrity of the document. She highlights the evolution of technology in this domain, noting how advancements in AI and automation have enhanced the efficiency and accuracy of redaction processes. Despite these technological strides, Zena cautions against over-reliance on automation, underscoring the importance of human oversight to mitigate risks. The conversation also covers best practices for effective redaction and the need for industry-specific awareness to meet legal and regulatory requirements.

In this episode, Sanjeev Sharma, Product Lead from Skyflow, joins the show to explore the complex landscape of payment data residency regulations in India, focusing on the Reserve Bank of India's (RBI) 2018 mandate for local data storage and its impact on digital payments. The discussion covers the regulatory roles of RBI and NPCI, the challenges international businesses face in adapting to these regulations, and the implications for consumer data protection and business continuity. Sanjeev and Sean delve into the technical and operational hurdles companies encounter, such as interpreting intricate payment flows and modifying global IT systems for local compliance. The episode also highlights the influence of technological innovations on payment systems, like mobile penetration and UPI, and offers strategic advice for entrepreneurs navigating this regulatory environment. The episode provides a comprehensive overview of the evolving digital payment sector in India, emphasizing the importance of regulatory compliance for fostering innovation and security.

In this episode a stellar panel of privacy engineering experts delve into the evolving world of privacy engineering. Saima Fancy, Senior Privacy Specialist for Ontario Health, Jay Averitt, Privacy Product Manager and Engineer at Microsoft, and Mira Olson, Privacy Architect at Doordash, bring diverse perspectives from their extensive experience in the field. They kick off the discussion with personal introductions, shedding light on their roles and contributions to privacy engineering. Jay helps tackle the fundamental question, "What is a privacy engineer?" sparking a thoughtful debate. Mira builds on this by reflecting on the evolution of the role and emerging trends in privacy engineering. Saima assesses the current maturity of the profession, highlighting areas of progress and those needing improvement. The panel discusses the challenges and opportunities facing privacy engineers, with each guest offering insights from their unique vantage points. They explore the core responsibilities and misconceptions about the role, the need for specialized skills and certifications, and the importance of interdisciplinary collaboration. Ethical considerations and the balance between user privacy and technological innovation are also dissected. The discussion dives into the growing privacy concerns surrounding AI and whether we need specialized regulations. Finally, the panel looks towards the future of privacy engineering over the next decade and what they'd change and impact they'd like to see.

In this episode, Pramod Raghavendran, a privacy engineering expert with prior experience at Google and Coinbase, joins the show. Together, Sean and Pramod discuss the dynamic landscape of privacy engineering, addressing hot topics and changes since Pramod's last appearance. The conversation delves into the unique role of privacy engineers compared to security engineers, emphasizing collaboration between privacy and security teams. Pramod shares insights into how privacy functions intersect with security, governance, and data platforms. The episode also explores real-world examples, best practices, and future trends, offering a concise yet comprehensive look at the evolving relationship between privacy and other functions within organizations.

In this episode, Roshmik Saha, Co-founder and CTO of Skyflow, discusses the critical importance of Personally Identifiable Information (PII) data isolation. The principle is straightforward—separate sensitive and non-sensitive data for effective data governance and privacy. The conversation covers historical origins, government use, and real-world examples from companies like Apple and Google. The episode explores why PII isolation is vital, detailing risks and consequences of not implementing it effectively. Roshmik contrasts data isolation with encryption and access control, emphasizing practicality. "Zero trust" in data security is introduced as a verification-centric approach. Challenges in isolating PII are acknowledged, with a focus on security principles. Best practices for PII isolation include a "need to know" basis and fine-grained access control. Roshmik provides advice for organizations, urging them to prioritize isolation, avoid integration pitfalls, and adopt a zero-trust mindset for enhanced data security.

In this episode, we delve into developer experience (DX) and its pivotal role in data protection, security, and privacy. Ram Muthukrishnan, a product manager at Skyflow, joins the show again to share insights into DX's definition, the key elements of a great DX, and notable companies excelling in this domain. We explore the challenges developers face in implementing secure and privacy-respecting software, emphasizing the need to strike a balance between efficiency and robust security measures. The conversation extends to how a developer's role evolves when tasked with integrating privacy and security into their code and essential skills for this role. We discuss best practices for infusing privacy and security considerations into the software development process, with a reference to Google's approach in product launches. We also address common misconceptions, challenges with security tools, and how a better DX can enhance adoption. Furthermore, we highlight the significance of a positive DX in shaping data protection, especially in sectors like healthcare and finance. This episode offers a concise yet comprehensive exploration of DX's technical underpinnings and its profound impact on data security and privacy.

Robin Andruss, Skyflow's Chief Privacy Officer is back to talk about AI governance and responsible AI. We touch on recent talks Robin gave at InfoGov World and IAPP PSR on privacy-enhancing technologies and AI governance. In this episode, Robin sheds light on the pressing issues of data privacy within this new era of AI-driven product and consumer experiences. She discusses the key privacy challenges inherent to AI, highlighting the concerns voiced by privacy professionals as they navigate this evolving landscape. Robin explores how AI differs from previous technologies in terms of regulation and shares best practices for organizations to ensure data privacy when implementing AI solutions. Topics: How does data privacy relate to AI, and what are the key privacy challenges associated with AI? What are you seeing amongst the privacy professionals in terms of concern around AI? Why is AI different from perhaps other forms of technology that we've developed regulations for in the past? What is AI governance? What are the ethical considerations when implementing AI technologies? Can you share some real-world examples of AI applications that have raised ethical concerns? What do companies working in the AI space or those interested in integrating with AI platforms or building out new products be thinking about when it comes to AI, privacy, and governance? Why is transparency and explainability important in AI, and how can organizations achieve these goals? Are there specific tools or methodologies that can help in making AI systems more transparent and understandable? What do you think the future looks like in terms of regulating AI?

In this episode, we discuss the evolving landscape of data protection, especially in the context of India's DPDP law. Kuldeep Tomar, the Head of Information Security at Games24x7, delves into the significance of safeguarding data beyond just access control, highlighting the importance of data protection itself. He discusses how data protection is a critical facet of a Chief Information Security Officer's (CISO) responsibilities and how a robust data protection strategy can enhance an organization's ability to respond effectively to data breaches, aligning with the DPDP's mandates. Topics: Many people think of cybersecurity as primarily controlling who has access to data. Why is it important to emphasize the protection of the data itself, beyond just access control? How does a strong data protection strategy improve an organization's ability to respond to data breaches or security incidents as mandated by DPDP? Discuss the importance of continuous monitoring and auditing of data access and usage, and its alignment with DPDP compliance. DPDP encourages the principle of data minimization. Can you explain what this means and how it can be practically implemented? For organizations with a global presence, how can they ensure compliance with DPDP when transferring data internationally, considering data sovereignty? What are the biggest challenges companies face when it comes to complying with data privacy regulations in APAC? What are the key challenges that companies operating in India face when it comes to complying with data privacy regulations? How do cultural differences across APAC impact data privacy practices and regulations? What do you anticipate happening in APAC with regards to privacy regulations or the focus on privacy for companies over the next 3-5 years?

Former Chief Compliance and Privacy Officer of GeneDx, Murali Mani, joins the show to discuss data privacy in healthcare. Murali spent over 15 years working in privacy and healthcare across companies like Philips, IBM, and GeneDx. In this episode he shares his thoughts on common misconceptions about data privacy in healthcare, breaks down which regulations apply to which type of company, history of privacy in healthcare, and the challenges companies face with compliance and data protection. Topics: What are some common misconceptions or misunderstandings about data privacy in healthcare that you often encounter? How has the landscape of healthcare data privacy evolved in recent years, and what new challenges have emerged Traditionally security and privacy in health is not tightly controlled. Why is that? Historically, how do pharma and drug companies manage and secure personal data? What's the problem with attempting to manage privacy challenges with purely written policies? How can companies accelerate compliance and prioritizing privacy? How can companies build trust and transparency with patients and data subjects? How does gen AI play a role? What's the future look like for companies in this space? If you were advising a company today, what would your suggestion be for managing this problem?

Sam Sternberg, Customer Programs Lead at Skyflow, joins the show to discuss the world of privacy and security at scale within large enterprises. We explore the complex infrastructure, regulatory challenges, and evolving technologies that these giants face in protecting customer and employee data. From managing expansive data infrastructures and international privacy regulations to securing data in the cloud, both multi-cloud and hybrid cloud and harnessing AI, we provide insights and best practices for safeguarding sensitive information. Check out the episode to delve into the technology and people-centric approaches to privacy and security within the data landscape of large organizations. Topics: When we're talking about a large enterprise, can you paint a picture for what the infrastructure of these companies might look like? How many databases, servers, and people are involved? What are the fundamental differences between data management in small to medium-sized businesses and large enterprise organizations, especially concerning security and privacy? How does the scale and complexity of data infrastructure in large companies impact their ability to maintain data privacy and security effectively? What are the main regulatory frameworks that enterprise companies must navigate, and how do these impact data management strategies? Large enterprises often have extensive data lakes and warehouses. How can these organizations ensure the confidentiality, integrity, and availability of their data in such environments? With the increasing adoption of cloud services, how should large enterprises approach cloud security and privacy concerns, especially in multi-cloud or hybrid cloud environments? Could you share some best practices for securely managing customer and employee data, considering the unique challenges faced by big companies in this regard? How has the adoption of artificial intelligence and machine learning impacted data security and privacy practices in large organizations, and what precautions should they take when implementing these technologies? Many large enterprises operate globally. How does managing security and privacy requirements across different countries and regions impact their strategies and challenges? What emerging trends or technologies do you foresee having a significant impact on data security and privacy in large enterprises in the near future?

In this episode, Ram Muthukrishnan, Senior Product Manager at Skyflow, joins the show to delve into the fundamental aspects of data protection. Ram demystified key concepts like redaction, masking, and encryption, shedding light on their significance in the world of data protection. Ram walked us through the practical applications of these techniques and their role in ensuring data privacy and security in today's digital landscape. Topics: Why is it important to protect sensitive customer data? What are the key differences between redaction, masking, encryption, and tokenization as data protection techniques? How does data redaction work, and in what scenarios is it typically used? What's it mean to mask data and what are the different approaches? Can you break down the basics of encryption for our listeners? What are the primary differences between symmetric and asymmetric encryption, and when should each be used Tokenization is often associated with payment data. Could you explain how tokenization replaces sensitive data with tokens and its advantages? When does it make sense to use tokenization versus something like encryption? What advantages or disadvantages are there to tokenization? Access control is a critical aspect of data protection. How does it work, and what are some best practices for implementing effective access control measures? How can organizations balance the need for data security with the requirement for data accessibility by authorized personnel? Are there any common misconceptions or challenges when it comes to implementing these data protection techniques? What are some emerging trends or technologies in the field of data protection that we should be aware of? Resources: Confidential Computing and Secure Enclaves with AWS's Arvind Raghu Secure Multi-Party Computation Explained with Skyflow's Liz Acosta Homomorphic Encryption with Skyflow's Avradip Mandal

In this episode, we dive into the realm of cloud security with Merritt Baer, Field CISO of Lacework. Together, we look at the complex tapestry of perceptions surrounding on-premises security versus the cloud, shedding light on why some still view on-prem as the safer option. Merritt lends her expertise to dissect the trade-offs that companies face by remaining in the traditional on-premises sphere rather than embracing the potential of the cloud. We explore the security considerations unique to the cloud-native world, offering insights into what it takes to navigate this transformation securely. Whether you're a seasoned professional or just beginning your cloud journey, this episode will expand your understanding of cloud security, uncovering the pros, cons, and crucial factors to ponder when venturing into the realm of cloud computing. Topics: Why do people think on-prem is more secure? What are the tradeoffs a company is making when they refuse to move to the cloud? What are the new challenges facing a company once they've moved to the cloud from a security perspective that perhaps they didn't face in the on-prem world? Does the cloud reduce or increase your security risk footprint? Does the type of talent and team look different? How are cloud-native security tools and platforms different from traditional on-premises security solutions? How do you manage security at this kind of scale? As organizations adopt multi-cloud and hybrid cloud strategies, how do you recommend they maintain consistent security measures across different cloud environments? What are some emerging security threats in the cloud landscape, and how can organizations proactively defend against them? What is keeping CISOs up at night?

In this episode, we explore the world of General Data Protection Regulation (GDPR) Catawiki's Data Protection Lead Paul Breitbarth. We cover GDPR's history, business essentials, compliance significance, and the art of harmonizing business objectives with regulatory demands. Paul breaks down key GDPR components, emphasizing their role in safeguarding data privacy. From data handling to breach notification, listeners gain insights into essential compliance steps. The heart of the conversation revolves around the challenge of balancing business goals with GDPR rules. Practical strategies are discussed, including privacy-conscious approaches and effective data protection policies. This episode is a guide for businesses and individuals navigating GDPR's complexities, offering actionable insights for responsible data management and privacy protection. Topics: What was the immediate impact on businesses when GDPR came into effect? How did the world respond? What are the main requirements of a business when it comes to GDPR? What are the key rights granted to individuals under GDPR, and how can they exercise these rights? What are the technical requirements? What are some common challenges businesses face when implementing GDPR compliance? How has GDPR influenced the handling of data breaches and security incidents? What are the fines for non-compliance? What does it mean to be compliant? Can you really be 100% compliant? Is that realistic? How can a business navigate GDPR compliance, balance all the needs, and still do business? What are the responsibilities and obligations of data processors and data controllers under GDPR? Are there any recent updates or amendments to GDPR that businesses should be aware of? What's the future of GDPR?

In this episode, Ray Everett, Head of Privacy and Data Protection at Avellino Lab, joins the show to discuss the rise of the privacy officer. The conversation delves into the essential role of privacy officers, providing listeners with a comprehensive understanding of their responsibilities and the challenges they encounter. Ray offers practical advice on effectively finding and hiring privacy officers, as well as initiating and managing successful privacy programs. This episode is a must-listen for anyone seeking to navigate the ever-evolving landscape of privacy protection. Topics: How has the privacy landscape changed throughout your career? What are some of the big changes from when you started to today? Can you describe the role and responsibilities of a Chief Privacy Officer? How has this evolved over time? What does this function end up looking like within a large organization? Who's on the team? When should a company be building a privacy function? How do they know they need it? When a company decides to establish a privacy officer role, what factors should they consider in determining the scope and authority of the position? How does one go about finding a qualified privacy officer? What skills, qualifications, and experience should be sought after? What sets a great privacy officer apart from an average one? Let's say I'm a founder and I realize I should hire a privacy officer and build a privacy function, but I have no experience with it, I just know I need to do it. Where do I start? How do I know what to look for in a potential candidate? During the hiring process, what specific interview questions should I be asking? What kind of positive or negative signals should I be testing for? Even when privacy organizations exist, they are often under-resourced and under-appreciated. What are your suggestions or thoughts on how a privacy officer can work with an organization to prevent this from happening? What's the typical career path for someone looking to move into privacy? What do you recommend for those listening that might want to build a career in privacy? What are your thoughts on the future of the privacy officer? Will they own more budget, have more authority? Resources: Ray Everett LinkedIn International Association of Privacy Professionals

In the podcast episode Jodi Daniels, Founder & CEO of Red Clover Advisors, and Justin Daniels, Legal and Corporate Counsel at Baker Donelson, share valuable insights on privacy and security considerations in product development. They discuss the common mistakes made and the crucial questions to ask when designing new products, emphasizing the need for proactive data protection. Jodi and Justin delve into core principles and best practices for integrating privacy-by-design, highlight the risks of neglecting privacy and security during product development, and explore ways to balance innovation and functionality with privacy and data protection requirements. They also address the importance of ingraining privacy and security throughout the product life cycle and provide guidance on evaluating the privacy and security implications of emerging technologies like AI. Topics: From your point of view, what do you think is the biggest mistake or oversight people make when building new products when it comes to privacy and security? What kind of questions should I be asking myself when designing a new product when it comes to data protection? What are the core principles and best practices for operationalizing privacy-by-design when developing new products? What are the potential risks and challenges associated with neglecting privacy and security considerations during the product development phase? How can organizations effectively balance the need for innovation and functionality with the requirements of privacy and data protection? What steps can companies take to ensure that privacy and security are ingrained throughout the product life cycle, from design to deployment? Are there any specific regulations or standards that companies should be aware of when it comes to privacy and security in new product development? What are some of the privacy and security challenges facing companies interested in generative AI? When it comes to any kind of new technology, like AI, how can individuals and businesses evaluate the privacy and security implications before integrating them into their operations? What are some common misconceptions or myths surrounding privacy and security in AI, and how can they be addressed? Resources: Data Reimagined: Building Trust One Byte at a Time

In this episode, Rachael Ormiston, Head of Privacy at Osano, joins the show to discuss the impact of generative AI on privacy. We covered a wide range of topics, including Rachael's initial impression of ChatGPT and the risks associated with generative AI. We also explored Italy's recent ban on ChatGPT, the measures that can be taken to mitigate risks and protect privacy, and how businesses and organizations can leverage generative AI responsibly without infringing on people's privacy rights. Furthermore, we delved into the role of policymakers in regulating the use of generative AI to ensure privacy protection, as well as the ethical considerations that should be taken into account. Rachael provided valuable insights on how individuals can protect their privacy in the age of generative AI and the steps they can take to safeguard their personal information. Finally, we discussed the future of generative AI, highlighting the need to harness its potential while ensuring that privacy remains a top priority. Join us in this enlightening conversation as we navigate the intersection of Generative AI and privacy, gaining valuable insights from Rachael Ormiston's expertise. Topics: What was your first impression of ChatGPT? How can generative AI impact privacy, and what are some of the risks associated with it? Recently Italy became the first western country to ban ChatGPT, why did they do this? What might this mean for other countries? What measures can be taken to mitigate the risks of generative AI, and how can we ensure that privacy is protected? How can businesses and organizations leverage generative AI while ensuring that they don't infringe on people's privacy rights? How can policymakers regulate the use of generative AI to ensure that it doesn't infringe on people's privacy rights? What ethical considerations should be taken into account when using generative AI, and how can we ensure that it is used responsibly? How can individuals protect their privacy in the age of generative AI, and what steps can they take to safeguard their personal information? What is the future of generative AI, and how can we harness its potential while ensuring that it doesn't pose a threat to our privacy?

In this podcast episode, Jimmy Fong, Chief Commercial Officer at Seon, discusses online fraud and the role of Seon's fraud prevention tool. Jimmy covers common fraud patterns, evolving tactics, and the challenges of distinguishing legitimate user behavior from fraudulent activities. He shares Seon's journey, emerging fraud patterns, and best practices for security. Jimmy emphasizes collaboration and information sharing, highlighting the potential of generative AI in fraud prevention. Topics: How does online fraud work and why is it such a concern for online businesses and consumers? What are some common fraud patterns that individuals or businesses should be aware of when conducting transactions online? How has fraud patterns changed over time? How do fraudsters typically exploit vulnerabilities in online systems to carry out their fraudulent activities? Why fraudulently submit demo requests to a business? What is a fraudster attempting to do? What are the challenges and complexities involved in distinguishing between legitimate user behavior and fraudulent activities? How did Seon start? Are there any notable trends or emerging fraud patterns that you've observed recently? How should businesses adapt to stay ahead of evolving fraud tactics? What are some best practices that individuals and businesses can implement to enhance their overall security posture and minimize the risk of falling victim to online fraud? How important is collaboration and information sharing between businesses, industry associations, and law enforcement agencies in combating online fraud? Are there any notable initiatives in this regard? In your opinion, what does the future of fraud prevention look like? What role might generative AI play on both sides? Resources: Seon SEON Cat & Mouse Podcast

Manny Silva, Skyflow's Head of Documentation, joins the podcast to share his journey of tinkering with generative AI systems and building a private GPT trained on internal Skyflow documents. Manny discusses his first impression of ChatGPT, how he got interested in this space as a technical writer, and the non-obvious insights he gained along the way. He addresses common misconceptions about GPT, particularly regarding privacy and security. Manny explains the concept of creating a private GPT and explores the reasons why organizations would want to implement it. He provides valuable insights into effectively integrating a private GPT into existing workflows and systems, along with the challenges and considerations companies should be aware of. Manny shares best practices for training and fine-tuning a private GPT to ensure optimal performance and accuracy. He delves into the impact of his work at Skyflow and the enhanced productivity observed in the field. Finally, Manny looks ahead to future advancements and trends in the field of private GPTs and discusses their transformative potential in the realms of documentation, product launches, and marketing. Topics: When you first saw ChatGPT, what was your first impression? As a technical writer, how did you get so interested in this space and start tinkering with the Open AI platform and APIs? What are some of the non-obvious things you learned as you dove into this? What are some of the common misconceptions you're seeing when it comes to GPT, in particular when talking about privacy and security? What's it mean to create a private GPT and why would someone want to do that? How can organizations effectively implement and integrate a private GPT into their existing workflows and systems? What are some common challenges or considerations that companies should be aware of when building and utilizing a private GPT? What are some best practices and strategies for training and fine-tuning a private GPT to ensure optimal performance and accuracy? Can you describe what you built at Skyflow that leverages private GPT? What kind of impact are you seeing in terms of yours or other people's productivity? Looking ahead, what advancements or trends can we expect to see in the field of private GPTs, and how will they continue to transform the way we work with documentation, product launches, and marketing? Resources: Privacy-First AI: Harnessing Snowflake and Skyflow to Customize GPT Generative AI Data Privacy with Skyflow GPT Privacy Vault

In this episode, Ashley Jose, a product lead at Skyflow with a decade of experience in SaaS product management, explores the importance of data governance in today's data-driven world. He discusses the impact of growing data on business decisions and highlights the key components of an effective data governance framework. Ashley addresses misconceptions, explains the evolution of data governance, and its intersection with data privacy regulations. He also explores how data governance works within Skyflow's data privacy vault approach. Ashley addresses common misconceptions about data governance and dispels myths surrounding the topic. He then delves into the evolution of data governance in the face of big data and technological advancements, highlighting both new challenges and opportunities. He explains how organizations must navigate privacy regulations like GDPR and incorporate them into their data governance strategies. Drawing on Skyflow's expertise in data privacy vaults, Ashley explains how data governance functions within their approach. He demonstrates how this approach addresses challenges related to controlling access to sensitive data. Ashley provides practical advice for engineers and technical professionals looking to enhance their involvement in data governance initiatives. Topics: How has the growth of data that businesses store, process, and analyze impacted how they make business decisions? Can you explain what data governance is and why it is important in the context of today's data-driven world? What are the key components of a comprehensive data governance framework? What are the main challenges organizations face when implementing effective data governance practices? How does data governance impact engineers and technical teams directly? What role do they play in ensuring successful data governance? What are some common misconceptions or myths about data governance that you often come across? How would you address them? With the rise of big data and advancements in technology, how has data governance evolved over the years? Are there any new challenges or opportunities that have emerged? How does data governance intersect with data privacy and compliance regulations, such as GDPR or CCPA? In the context of Skyflow and the data privacy vault approach to the management of sensitive data, how does data governance work? How does a data privacy vault help address some of the challenges with controlling access to sensitive data? Are there any emerging trends or technologies in the data governance space that you find particularly interesting or promising? Do you have any practical advice or recommendations for engineers and technical professionals who want to enhance their understanding and involvement in data governance initiatives within their organizations? Resources: Introducing the Skyflow Data Governance Engine Data Access Control with lakeFS's Adi Polak The Partially Redacted 2022 Year in Review with Skyflow's Ashley Jose

In this episode, Anshu Sharma, CEO and co-founder of Skyflow highlights the alarming disparity between the millions of dollars companies invest in cybersecurity and the persistent occurrence of breaches and cyber attacks. Despite these hefty investments, current approaches to cybersecurity are simply not enough to protect customer data. It's like putting a bandaid on a broken arm - it might temporarily cover the problem, but it won't heal the underlying issue. According to Anshu, what we truly need is a security by default approach. We require systems that not only secure customer Personally Identifiable Information (PII) but also understand and handle the various types of workflows involving PII. This means implementing measures that go beyond mere protection and actively support the necessary tasks and operations involving sensitive data. Skyflow has developed technology that addresses these challenges. Skyflow not only ensures the security of PII but also supports the specific workflows associated with it. By doing so, Skyflow's technology effectively insulates applications from the burdensome responsibility of managing customer data, allowing organizations to focus on their core business objectives. Topics: Are we getting better at protecting customer data or worse? Why has the software industry failed at cybersecurity? How do you think the trend towards increased regulation and oversight of the cybersecurity industry will impact the development and adoption of new security technologies? What is security-by-default? What are some of the tactics companies can use to build products that are secure-by-default? How does this approach potentially change the culture of the company? What's an example of a company building products with security built-in? What inspired you to start Skyflow, and how does your solution address the current challenges with cybersecurity in the software industry? What is the key difference between what Skyflow offers and what's historically been done by businesses for data protection? How do you see the software industry evolving in terms of cybersecurity in the next few years, and what role do you think companies like Skyflow will play in this transformation? What's next for Skyflow? Resources: The software industry has failed at cybersecurity. What, now? Privacy by Architecture with Anshu Sharma

In this episode Roshmik Saha, Head of Engineering at Skyflow, dives into the fascinating realm of data privacy and security solutions. Whether you're considering building your own privacy solution or seeking insights into the infrastructure requirements for handling credit card data securely, this episode has you covered. One important aspect that often goes underestimated is the maintenance costs associated with data privacy solutions. Roshmik emphasizes the significance of factoring in long-term maintenance expenses, as these solutions require ongoing updates, monitoring, and enhancements to adapt to evolving threats and regulations. It's crucial to recognize that compliance is merely a baseline and that solely building for compliance may not offer state-of-the-art security. Roshmik shares his expertise on how to go beyond compliance and implement robust security measures to protect sensitive data effectively. During the conversation, Roshmik highlights key considerations and features when building a data privacy solution to securely store and govern access to data. From encryption techniques and access control mechanisms to comprehensive auditing capabilities, he offers insights into the foundational elements required for a robust privacy solution. Additionally, he emphasizes the importance of incorporating state-of-the-art security technologies and features to reduce the risk of data breaches and potential reputational damage. Scalability is another critical aspect to address when developing a data privacy solution. Roshmik sheds light on the challenges faced by engineering teams in ensuring that the solution can meet the needs of a growing organization. He discusses strategies for building a scalable architecture that can handle increasing data volumes, user demands, and operational complexities. Throughout the episode, Roshmik provides practical advice and shares his thoughts on various topics, including the future of data privacy and security technologies. By drawing from his vast experience and expertise, you'll gain valuable insights into building a data privacy solution that not only meets regulatory requirements but also ensures resilience against cyber attacks. Topics: If I told you I was starting a B2C company and I was going to build my own privacy and security solution, what would your advice be Considering just credit card data, what would I need from an infrastructure standpoint to securely store, handle, and process credit card data? Beyond infrastructure costs, what other types of costs would I need to think through? What are the types of features or technologies I'd need to build to meet existing privacy requirements but also reduce the risk that I end up in the news for a data breach? What are the key considerations or features when building a data privacy solution to securely store data and govern access? What's the engineering cost to build and maintain these? What kind of expertise does an engineering team require to build something that you think not only meets regulatory requirements, but also is resilient to cyber attacks? What are the most important security measures that need to be put in place to protect data privacy? How do you test and evaluate the effectiveness of the data privacy solution? How do you ensure that the data privacy solution remains up-to-date with evolving data privacy regulations and best practices? What are the biggest challenges that engineering teams face when building a data privacy solution? How do you ensure that the data privacy solution is scalable to meet the needs of a growing organization? Why do you think companies try to do this themselves? How do you ensure that the Skyflow is resilient to cyber attacks and other security threats? What advice would you give to other engineering teams building a data privacy solution for their organization? Are there any future data privacy or security technologies you're excited about?

In this episode, Constantine Karbaliotis from nNovation, a certified privacy professional with a wealth of experience in the field of privacy and data protection joins the show. Constantine has served as a privacy officer for two multinational corporations, and now serves multiple organizations as a privacy advisor. Constantine is well-versed in a range of privacy program management areas, including policy development, implementing PIA/PbD programs, vendor privacy management, breach management and response, addressing notice, consent, and data subject rights issues, as well as contract issues such as data transfer agreements and security/privacy addenda. During our conversation, we explore the evolution of Canadian data privacy regulations, from their early beginnings to the current landscape, which is shaped by a range of federal and provincial laws. We discuss the primary Canadian privacy regulations that individuals and organizations should be aware of, and the differences between federal and provincial privacy laws, and how they impact individuals and organizations. We also delve into how the Canadian government enforces privacy regulations, and the penalties that individuals and organizations can face for non-compliance. Additionally, we examine how recent high-profile data breaches have affected Canadian privacy regulations and the changes made in response. We explore the challenges posed by emerging technologies, such as artificial intelligence and the Internet of Things, and their impact on Canadian privacy regulations. We also look at how individuals and organizations can stay up-to-date with the latest developments in Canadian privacy regulation and the resources available to help them comply. Topics: How has Canadian privacy regulation evolved over the years, and what impact has this had on individuals and organizations? What are the primary Canadian privacy regulations that individuals and organizations should be aware of? What are the differences between federal and provincial privacy laws in Canada, and how do they impact individuals and organizations? How does the Canadian government enforce privacy regulations, and what penalties can individuals and organizations face for non-compliance? How have recent high-profile data breaches affected Canadian privacy regulations, and what changes have been made in response? How does Canadian privacy regulation compare to other countries, such as the EU's General Data Protection Regulation (GDPR)? How can individuals and organizations stay up-to-date with the latest developments in Canadian privacy regulation, and what resources are available to help them comply? How do emerging technologies, such as artificial intelligence and the Internet of Things, affect Canadian privacy regulations, and what challenges do they pose? What do you see as the future of Canadian privacy regulation, and how do you think it will continue to evolve in the years to come? Resources: nNovation

In today's digital age, data privacy and security have become critical concerns for companies of all sizes. One way for companies to demonstrate their commitment to protecting customer data is by achieving SOC-2 compliance. But what exactly is SOC-2, and how can companies achieve it? To answer these questions, Daniel Wong, Head of Security and Compliance at Skyflow, joins the show to share his insights into SOC-2 compliance and the steps companies can take to achieve it. Throughout the interview, Daniel explains what SOC-2 compliance is, why it's important, and how it differs from other compliance standards. He also walks us through the key steps businesses can take to achieve SOC-2 compliance, including risk assessment, gap analysis, and remediation. Daniel also highlights the benefits of using Skyflow's platform to achieve SOC-2 compliance, such as its ability to help companies protect sensitive data while still enabling secure data sharing. He also discusses the challenges that businesses may face when pursuing SOC-2 compliance and how to overcome them. Whether you're a business owner or a data privacy professional, this interview with Daniel Wong provides valuable insights into SOC-2 compliance and how to achieve it. Topics: Can you explain what SOC-2 compliance is, and why it's important for businesses to achieve it What's the difference between SOC-2 Type 1 and Type 2? How do these compare to ISO 27001? How does SOC-2 compliance differ from other compliance standards, such as PCI DSS or HIPAA? What are some common challenges that businesses face when pursuing SOC-2 compliance, and how can they overcome them? Can you walk us through the key steps that businesses need to take to achieve SOC-2 compliance? Skyflow Data Privacy Vault is SOC-2 compliant, how long did that take and what was involved? What's that mean for our customers that want to achieve SOC-2 compliance? What advice would you give to businesses that are just starting their SOC-2 compliance journey? With something like a car, I can't just manufacture a car in my house and start selling it. There's certain inspections from a safety perspective that I have to pass. Do you think software needs more requirements like this before you can just launch something and start having people use it? Where do you see standards like SOC-2 going in the future? Resources: Common Data Security and Privacy Mistakes with Daniel Wong Skyflow is Certified SOC 2 Compliant  

Data access control is becoming increasingly important as more and more sensitive data is being stored and processed by businesses and organizations. In this episode, the VP of Developer Experience at lakeFS, Adi Polak, joins to help define data access control and give examples of sensitive data that requires access control. Adi also talks about the concept of role-based access control (RBAC), which differs from traditional access control methods and provides several advantages. The steps involved in implementing RBAC are discussed, as well as best practices and challenges. Real-world examples of RBAC implementation and success stories are provided, and lessons learned from RBAC implementation are shared. We also discuss lakeFS, an open-source platform that provides a Git-like interface for managing data lakes. In particular, we get into the data management controls, the security and privacy features, and the future of the product. Topics: What are some common types of data access controls? Why are these types of controls important? How can RBAC help organizations better manage and secure their data? What are some challenges in implementing effective data access controls? How can organizations balance data security with the need to provide employees with the information they need to do their jobs? What are some best practices for managing data access control? How do you ensure that data access controls remain effective over time as your organization grows and changes? What is lakeFS? What model of data access management does lakeFS support? What are some of the other privacy and security features of lakeFS? What's next for lakeFS? Anything you can share? Where do you see data access control going in the next 5-10 years? Resources: lakeFS Roadmap Scaling Machine Learning with Spark: Distributed ML with MLlib, TensorFlow, and PyTorch

Europe has seen a significant evolution in privacy regulation over the past decade, with the introduction of the EU's General Data Protection Regulation (GDPR) in 2018 being a significant milestone. The GDPR establishes a comprehensive framework for protecting personal data and gives individuals greater control over how their data is collected, processed, and used. The impact of these privacy regulations on businesses has been significant. Companies that operate in the EU or process EU citizens' data must comply with the GDPR's requirements or face significant fines and other penalties. This has required many businesses to implement new processes and technologies to ensure compliance, such as appointing data protection officers, conducting privacy impact assessments, and implementing data subject access request processes. One particularly tricky situation to navigate for businesses is transatlantic data transfers. Transatlantic data transfers face numerous challenges, including differing legal frameworks and data protection standards between the European Union (EU) and the United States (US). These differences can create legal uncertainty and potential risks for companies that transfer personal data across the Atlantic. In particular, the invalidation of the EU-US Privacy Shield framework by the European Court of Justice in 2020 has left companies without a clear mechanism for transatlantic data transfers, highlighting the need for a new agreement that meets the requirements of both the EU and the US. Additionally, concerns about government surveillance and data breaches have further complicated the transatlantic data transfer landscape, underscoring the need for strong data protection measures and clear regulatory frameworks. Privacy and data protection writer and expert Robert Bateman, who has published over 1500 articles related to privacy, joins the show to breakdown the evolution of privacy regulations in Europe, the impact that's had on businesses, and explain the challenges surrounding transatlantic data transfers. Topics: How have privacy regulations evolved and what impact have they had for businesses? Can you discuss some of the history of Meta challenges in Europe? How enforceable are the fines? Do companies actually end up paying the fines? What are the key concerns around transatlantic data transfers? How do the cultural differences between the US and EU impact their approach to privacy and what impact has this had? How do organizations ensure compliance with privacy laws when transferring data between the US and EU? EU and US data transfers. How do we make progress? Could someone build meta from scratch today such that it is in compliance or is a business like this something that just can't exist under European privacy laws? What are your thoughts on the impact that generative AI might have on privacy? Resources: Data Protection Newsletter

Zero trust infrastructure is an approach to security that requires all users, devices, and services to be authenticated and authorized before being granted access to resources. Unlike traditional security models that assume everything inside the network is trusted, zero trust assumes that all traffic is untrusted. In today's world, where cyber threats are becoming increasingly sophisticated, Zero trust infrastructure is crucial for protecting sensitive data and preventing unauthorized access. Hashicorp is a company that provides a suite of tools for building and managing secure systems. Their products, such as Vault, Consul, and Boundary, can help organizations implement a zero trust approach to security. Vault is a tool for securely storing and managing secrets such as passwords, API keys, and certificates. It provides a centralized place to manage access to secrets and has several features to ensure the security of these secrets, such as encryption, access control, and auditing. Consul is a service discovery and configuration tool that provides a secure way to connect and manage services across different networks. It provides features such as service discovery, health checking, and load balancing, and can be integrated with Vault for secure authentication and authorization. Boundary is a tool for securing access to infrastructure and applications. It provides a secure way to access resources across different networks and can be integrated with Vault and Consul for secure authentication and authorization. Rosemary Wang, Developer Advocate at Hashicorp joins the show to explain zero trust infrastructure and how Vault, Consul, and Boundary help organizations build zero trust into their architecture. Topics: Why do you think we need developer tooling for access and authorization at a lower level within someone's infrastructure? Can you explain what zero trust is and why it's important for modern security architectures? How does HashiCorp Vault, Boundary, and Consul fit into a zero trust security model? What is HashiCorp Vault and what problem does it help a company solve? What are some common use cases for HashiCorp Vault, and how can it help organizations with their security and compliance requirements? How does HashiCorp Vault handle secrets rotation and expiration? What is application based networking and how does this concept relate to HashiCorp Consul? Can you walk us through the process of setting up and configuring HashiCorp Consul for a typical enterprise environment? What are some common challenges or pitfalls that organizations face when using HashiCorp Consul, and how can they overcome them? How does Boundary simplify remote access to critical resources in a zero trust environment? What are some common use cases for HashiCorp Boundary, and how can it help organizations with their security and compliance requirements? How does HashiCorp approach balancing security with ease of use for its products? Can you talk about any upcoming features or developments in Vault, Boundary, or Consul that users should be excited about? Resources: @joatmon08

The privacy landscape is changing. There is increasing consumer awareness and concern over the use of their personal data and there's an ever growing list of privacy regulations that companies need to navigate. Regulations like GDPR, CCPA, and others carry stiff fines for companies that fail to comply with data deletion requests. However, actually being able to delete someone's information from an existing system is more complicated than you might expect. Large systems have been developed over many years ignoring the potential impact of PII sprawl. As a consequence, user data is everywhere and no one actually knows all the locations it might exist in. A data privacy vault is an architectural approach to data privacy that helps address data deletion, mapping, and other data privacy challenges. A data privacy vault is an isolated, protected, single source of truth for customer PII. Lisa Nee, Compliance Officer United States, Data Privacy Legal Expert North America and Legal Advisor Americas for Atos and Robert Duffy Counsel for McDermott Will & Emery with a focus in privacy and cybersecurity have spent their careers working in privacy. They join the show to discuss why 2023 is the year of privacy, the impact that failing to delete data is having on businesses, and how a data privacy vault along with synthetic data are the keys to addressing these problems. Topics: Why is 2023 the year of privacy? What laws are out there to require deletion? What is data retention and why is it a risk for businesses? What is PII sprawl? What's the cost of a violation to delete someone's data? How do you fix this problem? How do you comply? What is a data vault? Where did you first learn about this concept? How does a data vault help address the deletion problem? What is synthetic data and how does it help with the deletion problem? What future looking tools and technologies are you excited about Resources: IEEE Privacy Engineering Data Mapping, Extracting Data Utility Before Deleting Data Files

Privacy threat modeling is a structured approach to identifying and assessing potential privacy risks associated with a particular system, application, or process. It involves analyzing how personal data flows through a system, identifying potential vulnerabilities or weaknesses, and evaluating the potential consequences of a privacy breach. The goal of privacy threat modeling is to identify and prioritize potential privacy risks and to develop effective strategies for mitigating those risks. This process involves considering various aspects of the system or process being analyzed, including the data that is collected, how it is stored and processed, who has access to it, and how it is transmitted. Privacy threat modeling can help organizations better understand their privacy risks and make more informed decisions about how to protect personal data. Implementing privacy measures and conducting regular privacy threat modeling can help organizations minimize the risk of a privacy breach and ultimately save them money in the long run. Nandita Rao Narla, Head of Technical Privacy & Governance at DoorDash, joins the show to explain privacy threat modeling, the common misconceptions, and how to make a privacy threat model program successful. Topics: What is privacy threat modeling? How do you balance the need to collect and use data with the need to protect privacy, and what role does privacy threat modeling play in this process? Who typically owns this process in an organization? What are some of the typical approaches companies follow to privacy threat modeling? How should companies think about setting up a process to continually iterate and evolve the model? Once you've performed this process, how do you go about fixing the identified issues? What are some common misconceptions about privacy threat modeling, and how would you address those misconceptions? How do you determine which threats to prioritize when conducting privacy threat modeling, and what factors do you consider when making these decisions? How do you involve stakeholders (e.g. customers, employees, regulators) in the privacy threat modeling process, and what benefits do you see in doing so? What challenges have you encountered when conducting privacy threat modeling, and how have you overcome these challenges? How does privacy threat modeling differ from other types of risk assessments (e.g. security risk assessments), and what unique challenges does it present? What advice would you give to other companies looking to implement privacy threat modeling as part of their privacy and security strategy? How do you see privacy threat modeling evolving in the future? Resources: Shostack and Associates Blog Strategic Privacy by Design LINDDUN privacy engineering

A data analytics pipeline is important to modern businesses because it allows them to extract valuable insights from the large amounts of data they generate and collect on a daily basis. This leads to better decision making, improved efficiency, and increased ROI. However, despite your best efforts, sensitive customer data tends to find its way into our analytics pipelines, ending up in our data warehouses and metrics dashboards. Replicating customer PII to your downstream services greatly increases your compliance scope and makes maintaining data privacy and security significantly more challenging. In this episode, Engineering Lead at Skyflow Piper Keyes joins the show to discuss what goes into building a privacy-aware data pipeline, what tools and technologies should you be using, and how Skyflow addresses this problem. Topics: What is a data analytics pipeline? What does it mean to build a privacy-aware data pipeline? Can you give some examples of use cases where privacy-aware data pipelines are particularly important? What's it mean to de-identify data and how does that work? What are some common techniques used to preserve privacy in data pipelines? How does analytics work for de-identified data? How do you balance the need for data privacy with the need for actually being able to use the data? What's it take to build a privacy-aware pipeline from scratch? What are some of the biggest challenges in building privacy-aware data pipelines? How does something like this work with Skyflow? Let's say I have customer's transactional data from Visa, how could I ingest that data into my data warehouse but avoid having to build PCI compliance infrastructure? Walk me through how that works. Could you build a machine learning model based on the de-identified data? Once I have the data in my warehouse, let's say I needed to inform a clinical trial participant about an issue but I also want to maintain their privacy, how could I perform an operation like that? What other use cases does this product enable? Resources: Running Secure Workflows with Sensitive Customer Data Maximize Privacy while Preserving Utility for Data Analytics

Merit's verified identity platform brings visibility, liquidity, and trust to people-data, giving organizations the clarity to make better-informed decisions, engage with individuals effectively, and pursue their mission efficiently. Merit works with trusted private, state, and municipal organizations to solve critical real-world problems in sectors such as workforce development, emergency services, licensing, education, and defense readiness. Merit ingests and processes highly sensitive data from a variety of government agencies. Privacy and security are of the utmost importance, but they must also balance data utility. To support customer and business needs, Merit uses a combination of off the shelf data stack tools and technologies along with off homegrown techniques around encryption and encryption key management. Staff engineer and data tech lead, Charlie Summers, joins the show to breakdown Merit's data stack, the life of data, the challenges they've faced with protecting sensitive data, and the ways they secure customer data. Topics: Can you talk about Merit and your role there? What kind of data are you typically dealing with at Merit? What's your data stack? Can you take me through the life of a piece of data? What's the scale of the data you're working with? How big is this data set? What challenges have you faced with securing sensitive data while using this stack? What tools, technologies, or techniques are you using to protect the data? How are you balancing the security of the data with the actual utility? How do you control access to the data? How does auditing work? Is every time the data touched logged in some way? How did you think through build versus buy? Why is privacy and security a priority for Merit? What future technologies in this space are you particularly excited about? Resources: Careers at Merit

For years engineers have relied on encryption at rest and transit to help protect sensitive data. However, historically data needs to be decrypted to actually use it, which risks the potential exposure of the underlying data. Confidential computing is a computing paradigm that aims to protect data in use, not just data in transit or at rest. The goal of confidential computing is to provide a secure computing environment where sensitive data can be processed without the risk of exposure or compromise. AWS Nitro Enclaves is a service provided by Amazon Web Services (AWS) that enables customers to create isolated compute environments within their Amazon Elastic Compute Cloud (EC2) instances. In a Nitro Enclave, the application code and data are encrypted and processed inside the enclave, ensuring that they are protected from both the hypervisor and the host operating system. This makes Nitro Enclaves ideal for workloads that require a high level of security, such as confidential computing, secure machine learning, and blockchain-based applications. Arvind Rague, Principal Specialist in EC2 and Confidential Computing at AWS, joins the show to explain confidential computing, AWS Nitro Enclaves, and the use cases this technology unlocks. Topics: What is confidential computing? What's the motivation behind the investment in this technology? What are some of the problems this approach to privacy and security solves that were previously a potential vulnerability for companies? How does a hardware-based trusted execution environment prevent a bad actor from executing unauthorized code? How is the memory space protected? Can you explain how Nitro Enclaves enhance the security of confidential computing on AWS? What's the process for using Nitro Enclaves versus a standard EC2 instance How do I go about using Nitro Enclave for performing an operation on sensitive data? What does the programming process look like to do that? What are some use cases that you've seen that you are particularly excited about? How can Nitro Enclaves be used to protect sensitive data in specific use cases, such as financial services or healthcare? Are there any limitations or trade-offs to consider when using Nitro Enclaves for confidential computing? What innovations or business directions do you think secure enclaves will enable in the future? What's next for Nitro Enclaves? Anything you can share? Where do you see the area of confidential computing going in the next 5-10 years? Resources: Introducing Unified ID 2.0 Private Operator Services on AWS Using Nitro Enclaves

In this episode, Manish Ahluwalia, the field CTO of Skyflow, discusses the technical aspects of data residency and the usage of a data privacy vault. He explains the concept of data residency and data localization. He noted that with the increasing amount of data being generated and shared, it is becoming increasingly important for organizations to ensure that their data is being stored and processed in compliance with local laws and regulations. However, this is a technically challenging problem because data typically ends up all over the place and companies lose track of what and where they're storing it. Ahluwalia then discussed the role of a data privacy vault in addressing data residency concerns. He explained that a data privacy vault is a secure, centralized repository for sensitive data that can be used to enforce data residency requirements. He also discussed how companies can use the data privacy vault to ensure that data is only accessed by authorized parties, and that the data is only used for specific purposes. He also explained that data privacy vaults can be used to track and audit data access, which can be useful for compliance and regulatory purposes. Topics: What is data residency? When did data residency requirements first start and what was the motivation behind their introduction? Why is this hard for companies from a technical perspective? How are companies solving this problem today? What technical solutions/options do they have at their disposal? What are the key technical considerations when designing a data architecture that meets data localization requirements? How does a data privacy vault help simplify complying with a data residency requirement? How do you ensure that data stays within the specified geographic boundaries during transfers and storage? In the scenario where there's multiple vaults, one for each country with a data residency law, how does something like computing global analytics work? If I'm using a data privacy vault to meet data residency requirements, how does sharing data with third parties work? In the vault world, tokens are stored within the downstream services. How does a company control access to who or what can detokenize that data to retrieve the original value? What are your thoughts on the future of data privacy? Are the technical challenges of protecting customer data going to get easier? Resources: What is Data Residency & How Can a Data Privacy Vault Help?