Sep 23–26, 2019

Data security and privacy anti-patterns

Steven Touw (Immuta)
11:20am–12:00pm Wednesday, September 25, 2019
Location: 1E 09
Average rating: 4.50 (6 ratings)

Who is this presentation for?

  • CISOs, CIOs, CTOs, chiefs of data analytics, innovation officers, data analytics leads, legal and compliance professionals, data engineers, IT, and database administrators




Over the past four years, Immuta has worked to solve data security and privacy challenges across a heterogeneous set of customers and verticals, and several very consistent anti-patterns have emerged. These are universally common mistakes made by the largest and the smallest companies, across industries and engineering talent levels. This is the definition of an anti-pattern: intuition tells you it’s a great idea until you implement it, and the blind spots take over.

Immuta has also found that anti-patterns can be culture defining. Some organizations don’t realize they even have a problem until the world changes underneath them: policies become more complex (think GDPR and the California Consumer Privacy Act [CCPA]) or the organization needs to be more data driven but analytical efforts are stymied. Defeating anti-patterns may also mean changing culture for the better. Realizing you have a problem is the first step to solving it.

Five anti-patterns have emerged. Steven Touw dives into those anti-patterns, but, in fact, spends more time solving them.

  • Data-policy snowflakes: each database or application manages policies on its data in its own unique way, like a snowflake. This leads to mistakes, validation issues, fragility in managing the policies, and fear. It’s not recognized for data transfers within the organization, so analysis stops.
  • Conflating who, why, and what: role-based access control (RBAC) is bad and doesn’t provide the flexibility needed, and it results in “role bloat” in your identity management system. This bloat exacerbates runaway manual approval processes for data entitlements.
  • The copy-and-paste data-sharing method: organizations think about data sharing as an ETL process, which is not scalable to a modern data privacy and security world, nor to the fast-paced analysis world we live in.
  • Start from scratch; rinse, repeat: you define all policies from scratch every time you need to share data; in other words, you’re deciding what to give the user from scratch for every use case. This is not scalable and leads to issues similar to those of the data-policy snowflakes.
  • Privacy engineering blunders: privacy engineering is a nascent, complex field with nonobvious pitfalls. This has been seen in the news with several privacy blunders such as the Netflix challenge.

You’ll learn some of the most common and nonobvious blunders and some advances in privacy engineering, such as differential privacy.

For each of the five anti-patterns, Steven shares the problem and real-world examples and then dives into simple mitigation strategies to get back on track. You’ll leave able to accelerate your analytical initiatives without sacrificing legal and compliance guidelines.

Prerequisite knowledge

  • A basic understanding of data security architecture

What you'll learn

  • Recognize if you have a problem with your current data security and privacy architecture
  • Learn what simple steps to take to solve those problems and accelerate your data analytics initiatives that are stymied by these nonobvious anti-patterns
  • Discover deeper knowledge of legacy security and privacy practices and modern scalable approaches
  • Gain a better understanding of cutting-edge privacy engineering techniques, such as differential privacy

Steven Touw


Steve Touw is the cofounder and CTO of Immuta. Steve has a long history of designing large-scale geotemporal analytics across the US intelligence community, including some of the very first Hadoop analytics, as well as frameworks to manage complex multitenant data policy controls. He and his cofounders at Immuta drew on this real-world experience to build a software product to make data security and privacy controls easier. Previously, Steve was the CTO of 42six (acquired by Computer Sciences Corporation), where he led a large big data services engineering team. Steve holds a BS in geography from the University of Maryland.

Comments on this page are now closed.


Steven Touw | CTO
09/26/2019 10:57am EDT

Thanks for your interest, I’ve just emailed my slides to the coordinators, so they should be posted soon’ish.
For anyone that wants to reach out directly, feel free:

claudio marini |
09/26/2019 4:19am EDT

Could you share the slides?
Thanks a lot,
