February 15, 2020

532 words 3 mins read

Data security and privacy anti-patterns

Data security and privacy anti-patterns

Anti-patterns are behaviors that take bad problems and lead to even worse solutions. In the world of data security and privacy, theyre everywhere. Over the past four years, data security and privacy anti-patterns have emerged across hundreds of customers and industry verticalsthere's been an obvious trend. Steven Touw details five anti-patterns and, more importantly, the solutions for them.

Talk Title Data security and privacy anti-patterns
Speakers Steven Touw (Immuta)
Conference Strata Data Conference
Conf Tag Make Data Work
Location New York, New York
Date September 24-26, 2019
URL Talk Page
Slides Talk Slides

Over the past four years, Immuta has worked to solve data security and privacy challenges across a heterogeneous set of customers and verticals—and very consistent anti-patterns have emerged, several of them, in fact. These are universally common mistakes made by the largest and the smallest companies, across industries and engineering talent levels. This is the definition of an anti-pattern—intuition tells you it’s a great idea until you implement it, and the blind spots take over. Immuta has also found that anti-patterns can be culture defining. Some organizations don’t realize they even have a problem until the world changes underneath them: policies become more complex (think GDPR and the California Consumer Privacy Act [CCPA]) or the organization needs to be more data driven but analytical efforts are stymied. Defeating anti-patterns may also mean changing culture for the better. Realizing you have a problem is the first step to solving it. Five anti-patterns have emerged. Steven Touw dives into those anti-patterns, but, in fact, spends more time solving them. The first anti-pattern is the data-policy snowflakes, where each database or application manages policies on its data in its own unique way—like a snowflake. This leads to mistakes, validation issues, fragility in managing the policies, and fear. It’s not recognized for data transfers within the organization, so analysis stops. Another anti-pattern is conflating who, why, and what, where role-based access control (RBAC) is bad and doesn’t provide the flexibility needed, and it results in “role bloat” in your identity management system. This bloat exacerbates runaway manual approval processes for data entitlements. The copy and paste dat-sharing method is when organizations think about data sharing as an ETL process, which is not scalable to a modern data privacy and security world, nor the fast past analysis world we live in. Start from scratch; rinse, repeat is an anti-pattern where you define all policies from scratch every time you need to share data; in other words, you’re deciding what to give the user from scratch for every use case. This is not scalable and leads to similar issues as the data-policy snowflakes. There’s also privacy engineering blunders, because privacy engineering is a nascent complex field with nonobvious pitfalls. This has been seen in the news with several privacy blunders such as the Netflix challenge. You’ll learn some of the most common and nonobvious blunders and some advances in privacy engineering, such as differential privacy. For each of the five anti-patterns, Steven shares the problem and real-world examples and then dives into simple mitigation strategies to get back on track. You’ll leave able to accelerate your analytical initiatives without sacrificing legal and compliance guidelines.

comments powered by Disqus