Partially Redacted: Data, AI, Security, and Privacy

In this episode, Manish Ahluwalia, the field CTO of Skyflow, discusses the technical aspects of data residency and the usage of a data privacy vault.
He explains the concept of data residency and data localization. He noted that with the increasing amount of data being generated and shared, it is becoming increasingly important for organizations to ensure that their data is being stored and processed in compliance with local laws and regulations. However, this is a technically challenging problem because data typically ends up all over the place and companies lose track of what and where they’re storing it.
Ahluwalia then discussed the role of a data privacy vault in addressing data residency concerns. He explained that a data privacy vault is a secure, centralized repository for sensitive data that can be used to enforce data residency requirements.
He also discussed how companies can use the data privacy vault to ensure that data is only accessed by authorized parties, and that the data is only used for specific purposes. He also explained that data privacy vaults can be used to track and audit data access, which can be useful for compliance and regulatory purposes.
Topics:
What is data residency?
When did data residency requirements first start and what was the motivation behind their introduction?
Why is this hard for companies from a technical perspective?
How are companies solving this problem today? What technical solutions/options do they have at their disposal?
What are the key technical considerations when designing a data architecture that meets data localization requirements?
How does a data privacy vault help simplify complying with a data residency requirement?
How do you ensure that data stays within the specified geographic boundaries during transfers and storage?
In the scenario where there’s multiple vaults, one for each country with a data residency law, how does something like computing global analytics work?
If I’m using a data privacy vault to meet data residency requirements, how does sharing data with third parties work?
In the vault world, tokens are stored within the downstream services. How does a company control access to who or what can detokenize that data to retrieve the original value?
What are your thoughts on the future of data privacy? Are the technical challenges of protecting customer data going to get easier?
Resources:
What is Data Residency & How Can a Data Privacy Vault Help?

Historically, backup and recovery has been a job relegated to a junior person on the team. It’s the kind of grungy work that all companies know they should do, but no one wants to own it. As such, many companies have a poor backup and recovery posture and aren’t even sure they can recover from a disaster. Additionally, in recent years, homegrown backup systems have been the target of more and more ransomware and cyber attacks.
Attackers target the backups, either deleting them completely and then attacking other parts of the system or steal the backups, break the encryption, and now have access to tons of company data.
W. Curtis Preston has been working in backup and disaster recovery for nearly 30 years and has written five books on the subject. He joins the show to discuss backup and recovery missteps, best practices, and how Druva, the SaaS-based backup and recovery platform helps businesses offload backup responsibility.
Topics:
How did you get interested in the field of data protection and disaster recovery, and what sparked your passion for it?
What are some common mistakes that organizations make when it comes to data backup and recovery?
What’s the relationship between backups, data protection, and cybersecurity?
What’s the best practices around backing up personal user data, like account data or perhaps other sensitive data?
What are the common ways data loss happens for organizations?
How can organizations ensure that their data is secure and protected during the backup and recovery process?
What are some best practices for designing a data backup and recovery system, and how can organizations implement these practices effectively?
Can you give some examples of real-world data loss scenarios, and how proper data backup and recovery systems could have prevented or mitigated the impact of those losses?
How can organizations test their data backup and recovery systems to ensure that they are working properly and can be relied upon in the event of a disaster?
Can you provide an overview of the Druva platform and how it helps organizations protect their data?
What sets the Druva platform apart from other data protection and backup solutions on the market?
Can you provide some examples of how organizations have successfully implemented the Druva platform to protect and recover their data in the face of disasters or other challenges?
What’s the future for this space look like?
Resources:
Modern Data Protection
Druva

In this episode, we discuss the topic of secure multi-party computation. Since its introduction in the eighties, secure multi-party computation – also known as SMPC – has evolved into a subfield of cryptography for which a variety of protocols have been developed. SMPC is a technique used to allow multiple parties to jointly compute a function on their private inputs without revealing any information about those inputs to the other parties.
Liz Acosta, Developer Advocate at Skyflow, joins the show to explain SMPC and share her recent research into the subject. We begin by explaining the basic concept of SMPC and how it differs from traditional methods of computation.
We also discuss the practical applications of SMPC, such as in the financial industry for secure trading and in the healthcare industry for secure sharing of patient data. We also highlight the challenges that still need to be addressed in the field, such as scalability and ensuring the security of the computation.
Topics:
What is Yao’s millionaire problem and how does it relate to secure multi-party computation?
Can you explain what secure multi-party computation is and how it works?
Where did this concept come from? What’s the history?
Can you walk me through an example of using SMPC to solve a problem?
In what types of scenarios is secure multi-party computation particularly useful?
How is secure multi-party computation being used in the real world today?
How does secure multi-party computation enable collaboration while still preserving the privacy of individual parties?
What are the challenges and opportunities for the wider adoption of secure multi-party computation in the future?
How far away do you think we are from secure multi-party computation being more widely adopted?
Beyond SMPC, are there technologies in this space that you are particularly excited about?
Where should someone look to learn more about secure multi-party computation or other privacy-enhancing technologies
Resources:
What is Secure Multi-Party Computation?

Most of the news and conversations around data privacy, security, breaches, and the impact to consumers and businesses is centered around big tech. However, big tech only makes up a small percentage of total businesses and privacy and security is something that has the potential to impact all businesses.
Denise Farnsworth has an incredibly diverse background in privacy, from big tech to small businesses and everything in between. She served as Deputy Data Protection Officer for Facebook, Chief Privacy Officer at Jazz Pharmaceuticals, Lead Privacy Counsel for NetSuite and Head of Legal, Data Privacy and Compliance Officer for Microsoft, and is now CEO and Founder of Inspire! Privacy and Security, a company focused on helping SMBs with privacy challenges.
Denise joins the show to discuss some of her past experience working at Microsoft and Meta during both pre and post GDPR and how she’s transferred those skills and experiences to what she does today. We discuss how privacy impacts small and medium businesses, why they should prioritize privacy, and how Denise’s company helps them operationalize and build out a privacy program.
Topics:
What are some of the major changes that have happened in privacy, both for businesses, consumers, and as a privacy professional?
You’ve worked with a number of major companies in the context of getting them ready for GDPR. What was involved in that process?
You were the Deputy Data Protection Officer at Facebook, building out their DPO program. What was that experience like? How did you go about building that team and what was the scope of work?
In a big organization like Facebook or Microsoft, how does the legal, privacy, and compliance functions of the business typically work with other areas of the organization like engineering or product?
You are the CEO and founder of Inspire! Privacy and Security. Can you tell me a bit about this company? Why did you start it and what are you trying to do?
You’re focusing on small to medium sized businesses. What is an SMB in this context?
What’s the difference between working with SMBs when it comes to compliance versus huge technology companies?
How has privacy regulations impacted SMBs?
What are the top 5 risks for a business when it comes to data privacy?
What should a SMB be thinking about when it comes to privacy? When should they be prioritizing privacy and compliance?
Have you seen a shift in SMBs being more concerned about privacy and compliance? And if so, what’s led to this change?
How do you typically work with companies? What’s the service you’re providing and helping them accomplish?
You’ve built out a comprehensive framework for privacy. Can you talk a bit about what this is, how you built it, and how it helps companies
Where do you see privacy regulations and privacy considerations for businesses going in the future?
Is this going to get easier for companies? What needs to happen to help get us there?
Resources:
Inspire! Privacy and Security LLC

Imagine being able to perform any computational operation over any kind of data but do it while the data is fully encrypted. That is the promise of fully homomorphic encryption.
Fully homomorphic encryption was first theorized in the 1970s, but the first proposal for a plausible construction of a fully homomorphic encryption scheme didn’t arrive until 2009. We are now in the fourth-generation of fully homomorphic encryption and although performance is still a blocker for many applications, there’s been a series of major breakthroughs allowing real world application to take advantage of the approach.
Dr. Avradip Mandal received his PhD from the University of Luxembourg where his research focused on cryptography, in particular homomorphic encryption and theoretical symmetric key cryptography. He joins the show to describe what homomorphic encryption is, how it works, the history, and breakthroughs.Topics:
Can you explain what homomorphic encryption is and how it works?
Where did this concept come from and what’s the history with it?
What are some of the main advantages of using homomorphic encryption?
In what types of situations is homomorphic encryption particularly useful?
How does homomorphic encryption compare to other types of encryption, such as symmetric or asymmetric encryption?
Why is homomorphic encryption so slow?
Are there any challenges or obstacles that need to be overcome in order to fully realize the potential of homomorphic encryption?
Are there real-world applications of homomorphic encryption?
How has homomorphic encryption evolved over time?
What impact do you see homomorphic encryption having on the future of data privacy and security?
What advice do you have for organizations or individuals considering using homomorphic encryption?
Do you think we’ll get to a point where fully homomorphic encryption is readily available and if so, when do you think that will happen?
Besides homomorphic encryption, are there future looking privacy and security technologies that you are particularly excited about?

Fraud can be crippling to a business. It hurts your revenue, reputation, and customers. Fintech fraud is a super complex space, with bad actors using a variety of attacks like identity attacks, credit card theft, and phishing scams, it’s a lot for any company to tackle on their own. Sophisticated fraudsters leverage weaknesses in protocols like SMS, the phone system, email, and DNS.
Soups Ranjan, CEO and Founder of Sardine, joins the show to discuss the different types of fintech fraud attacks that take place and how Sardine uses machine learning to automatically detect and prevent fraud.
Soups has a PhD from Rice University in denial-of-service attack prevention and has been working in fraud detection for a decade across companies like Yelp and Coinbase. With a strong background in data science and a ton of real world experience, Soups is an expert in this space.
Topics:
How did you learn fraud prevention?
What is fraud for fintechs and how is this different from other forms of fraud like ecommerce fraud?
Who are the fraudsters?
Is detecting fraud for crypto harder than other forms of fraud detection?
What were some of the tools and technologies you’ve built to help reduce fraud?
Why is machine learning the right approach? Are there ever humans in the loop as well?
What’s the input to the model?
How does training work? Where are the labels for training coming from?
What does it mean to deploy a ML model? How do you know the model is an improvement?
How has your experience in the fraud space led to the founding of Sardine
How does Sardine help optimize someone’s fraud pipeline?
What’s the typical evolution for fraud detection that a company goes through? Do they start out trying to DIY something?
What impact does Sardine have for a business and how quickly do they see ROI?
What are your thoughts on the future of fraud detection?
Are there technologies in this space that you are particularly excited about?
Resources:
https://www.sardine.ai
https://www.sardine.ai/company#jobPosts

The technology industry has changed a lot over the past 10 years with the move from on-prem systems to the cloud. With that came new types of challenges from a privacy and security perspective. Controlling access to data was no longer just about putting up a firewall, but you needed to know who and what was accessing the data at all times for audit purposes. Authorization models had to adapt and become flexible to support more fine-grained access.
With new challenges comes new opportunities. There's been a growth in startups focused on developing solutions that help companies address privacy and security challenges. Privacy is shifting left and becoming an engineering effort. Additionally, there's an increased interest in venture funding available to companies attacking these privacy and security challenges.
Rak Garg, Principal at Bain Capital Ventures, joins the show to discuss his prior work as a product manager working on Atlassian's data security and governance products. He also shares his thoughts on trends he's seeing in the industry as an investor interested in the data privacy and security space.
Topics:
Can you talk about leading product on Atlassian Access, their data security and governance product?
What were the motivations for the product investment?
Prior to Access, how were Atlassian customers managing data security?
What were some of the challenges with designing and building that product?
What motivated you to move away from product roles in industry to becoming an investor
What are your areas of interest in investing?
How did you become interested in these particular areas?
How has the landscape of startups focused on privacy and security changed throughout your career?
Have you seen a change in privacy and security concerns with startups in comparison to when you started your career?
If so, what do you think has led to this change and how has it impacted the way companies think about building products and going to market?
What advice would you give to founders building out a new product? Should they be thinking about privacy and security from day one or is that something that can come later?
Are you seeing more interest in institutional investment for companies working in the privacy and security space versus a few years ago?
What has led to the interest and belief that this is a potential area of growth?
What trends are you seeing in the security space that you’re excited about?
How has growth in cloud infrastructure and AI/ML impacted concerns over privacy and security?
What do you see as the big challenges in data security and privacy that we need to solve?
Are there new privacy and security technologies that you’re particularly excited about?
Where do you hope the industry is in the next 5-10 years when it comes to the challenges of privacy and security? Is this going to get easier for companies?

We launched the Partially Redacted podcast in 2022 and since then have published 17 episodes with industry experts covering everything from the basics of tokenization and encryption to differential privacy. We've had shows about privacy engineering training and how to build and scale a privacy engineering program.
In this final episode of 2022, we're breaking format. This is a special episode where we look back at the 17 episodes we’ve done and discuss some of the biggest themes and notable insights that our guests had.
Ashley Jose, Product Lead at Skyflow joins as Sean's guest to share his thoughts on the themes and trends from the first collection of episodes.
We'll be back in January with a new collection of episodes. Happy Holidays and Happy New Year!

With the changing landscape of privacy regulations and the growing consumer awareness about the collection and management of personal data, more and more companies are prioritizing privacy earlier in their lifecycle than ever before. This is fantastic news for privacy practitioners, but as a founder or product leader, how do you go about building, operationalizing, and scaling a privacy program?
Pramod Raghavendran, Director of Privacy and Data Protection at Coinbase, joins the show to share his thoughts and experience about building privacy programs. Pramod worked as an engineer, solutions architect, technical programs manager, and engineering manager before finding his way into privacy. With deep technical expertise and privacy experience from Amazon, Google, and now Coinbase, Pramod is uniquely positioned to have insights into building privacy functions and establishing a culture of privacy.
Topics:
How did you get interested in working in privacy and security?
What changes have you seen in privacy throughout your career?
Are companies starting to focus on privacy earlier in their life cycle than previously?
How do you make privacy part of the organizational culture of a company?
For newer companies, perhaps a startup that needs to start a privacy program, who should they be looking to hire? What characteristics and skills make a good privacy leader for building and operationalizing a privacy program from scratch?
If you joined a new company to build their privacy program, what’s your first 30 days look like?
Can privacy be a product differentiator?
What does it mean to operationalize a privacy program and how do you go about operationalizing a company’s privacy program?
How do you go about making privacy a design consideration so that the company adopts a shift left process for privacy?
As a company scales and everything is moving really fast, how do you ensure privacy isn’t something that gets pushed aside in favor of shipping products fast?
How do you work with engineering and product so that they see the program as value add rather than something that is blocking them from doing their job?
How do you scale a privacy program?
What are the typical roles and responsibilities of a privacy function?
Where do you see privacy engineering going in the next 5-10 years?
Resources:
Software Engineering’s Next Great Challenge: Data Privacy

Ari Hoffman has spent his career helping businesses implement and solve technically challenging problems at companies like Cisco and Fivserv. Today, he serves as the Director of Customer Programs at Skyflow, where he helps Skyflow customers tackle their privacy and security challenges.
Ari joins the show to share his expertise about the common privacy challenges and use cases businesses are facing today and how to break apart these challenges into bite-sized and manageable pieces.
Ari discusses his career path, why he joined Skyflow, Skyflow Data Privacy Vault, and how companies are using this technology to address some of the biggest privacy and security challenges that face them today. Talking through specific examples, like PCI compliance, PII data protection, data minimization and governance, Ari provides actionable advice for businesses looking to get a handle on data privacy, security, and compliance.
Topics:
How did you end up working in the privacy space and why Skyflow?
What is Skyflow? What does it do and how do customers use it?
What are some of the common use cases and challenges companies are trying to solve when it comes to data privacy?
How does a company avoid big bang security implementations?
How do you avoid this being an overwhelming problem that stops a company from taking action?
How long will an implementation actually take? Do companies need to scope out 6 months or more to make this change?
How can I have flexibility to work with any payment vendor, or maybe even multiple vendors, but not take on the responsibility of PCI compliance myself?
If I'm using 10 different PCI systems today, how do I disentangle that and migrate to something that’s more flexible and simple to manage?
What about protecting data beyond credit card data? Where do I begin to start locking this down?
Are you seeing concentrated customer areas and trends thus far?
What are some of the most popular Skyflow features that customers use?
What are some of the best practices for privacy implementations?
Thoughts on the future of privacy for businesses and consumers?
What are the big gaps in data privacy today? What future technology or development are you excited about?
Where should someone looking to learn more about the data privacy space begin?
Resources:
Skyflow
Skyflow Demo