A new framework is required to ensure privacy and control data. In this webinar, Cyral is pleased to host privacy engineering expert Nishant Bhajaria -- Head of Technical Privacy, Engineering and Architecture for Uber, and former privacy leader at Google, Netflix, and Nike -- in a discussion with our CTO Srini Vadlamani on the 4 core components of a modern data privacy and security architecture.
6. 6
Digital Growth Initiatives are Driving Adoption of the Data Cloud
Continuous Development
• Quickly deliver new experiences
• Exponential increase in data
Data Democratization
• Become a data driven business
• IT not the single gateway to data
Infrastructure as Code
• Platform interoperability
• Heterogenous data services
8. 8
Personalization leads to massive incremental increase in data
Transactions
Web Behavior
Mobile Activity
Email Behavior
Social Behavior
Preferences
Demographics
1% User Growth
DataVolume
2-3X Data Growth
10. 10
Data is now everywhere
I don’t know where my data is
Am I collecting the same data
many times over?
Am I collecting the wrong data?
3rd party data sharing
How do legal and product
teams work together?
How/when to leverage AI/ML
and automation?
13. 13
Step 1: Discover
1 Tribal knowledge-based AI/ML based2
• Lack of a priori models
• Training datasets hard to find
• Tribal knowledge to get started
LESSONS LEARNED
• Co-opt both data platform and data science teams
14. Backend
Team
Frontend
Team
14
Step 2: Classify
Classify Minimize
Collect
Analyze
LESSONS LEARNED
• Use differential controls for sensitive data (e.g. location data)
• Calibrate data collection
• Is it the right amount?
• Is it the right quality?
• Get backend / frontend teams to collaborate
15. 15
Step 3: Segment
Policy as Code Engine
LESSONS LEARNED
• Decouple application code from policy engine
• Policy as Code simplifies collaboration, versioning
• Compliance / privacy teams own policies
• Dictate data collection, storage, retention,
access
16. 16
Step 4: Enforce
LESSONS LEARNED
• Find a happy medium between complete lockdown and the wild west
• Build classification/tagging first before enforcing using AI
• Rotate / revoke / recertify encryption keys
periodically
• Time box sensitive data access
• Anonymize / aggregate for analytics teams
18. 18
Online Retail App Example
Compliance Needs
• Retention capped to order lifetime
• Access limited to order fulfillment
Business Analysis Needs
• Buying patterns
• Seasonality
• App vs Website traffic
22. 22
Technology: Stateless Interception for Data Endpoint Requests
Sidecars Deployed locally
• Stateless interception of data requests
• All data and logs remain private
• Deployed by DevOps, no change to apps
STRUCTURED AND SEMI-STRUCTURED DATA STORES
TOOLS, USERS, APPS, SERVICES
SaaS Control Plane
Observe Protect
Control
23. 23
Security as Code Model
1
Deployment as Code
Use existing workflows
• DevOps deployment
• Infra-as-Code model
3
Policies as Code
Use existing source code tools
• CI/CD integration
• ChatOps model
2
Automated observability
Use existing dashboards
• API-first architecture
• No learning curve
24. • The four-pillar framework to build trust and reduce risk
• Discover: Identify where all your sensitive data is
• Classify: Calibrate, analyze and minimize data being collected
• Segment: Identify rules of access by co-opting compliance, product and business teams
• Enforce: Control access using time-boxing, data anonymization and key rotation
• Remember to
• Exhaust tribal knowledge before starting with AI/ML and automation
• Decouple writing and enforcing of security policies
• Find a happy medium between complete lockdown and the wild west
24
Summary & Key Takeaways