Sep 23–26, 2019

Data Security & Privacy Anti-Patterns

Steven Touw (Immuta)
11:20am12:00pm Wednesday, September 25, 2019
Location: 1E 09
Secondary topics:  Data Management and Storage, Privacy and Security

Who is this presentation for?

CISOs, CIOs, CTOs, Chief of Data Analytics, Innovation Officers, Data Analytics Leads, Legal and Compliance Professionals, Data Engineers, IT / DBAs.




Over the past 4 years we’ve worked to solve data security and privacy challenges across a heterogeneous set of customers and verticals – and we’ve seen very consistent patterns emerge, anti-patterns; several of them in fact. These are universally common mistakes made by the largest and the smallest of companies, across industries and engineering talent levels. This is the definition of an anti-pattern – intuition tells you it’s a great idea, until you implement it, and the blind spots take over.

We’ve also found that anti-patterns can be culture-defining. Some organizations don’t realize they even have a problem until the world changes underneath them: policies become more complex (think GDPR and CCPA) or the organization needs to be more data driven but analytical efforts are stymied. Defeating anti-patterns may also mean changing culture for the better. Realizing you have a problem is the first step to solving it.

There are five anti-patterns that have emerged. In the talk we will dive into those anti-patterns, but in fact spend more time solving them.

Data policy snowflakes. Each database or application manages policies on their data in their own unique way – like a snowflake. This leads to mistakes, validation issues, fragility in managing the policies, and fear – they are not recognized for data transfers within the organization, so analysis stops.

Conflating WHO, WHY, and WHAT. In short, RBAC is bad, and does not provide the flexibility needed and results in what we term “role bloat” in your identity management system. This bloat exacerbates runaway manual approval processes for data entitlements.

The Copy & Paste Data Sharing Method. Organizations think about data sharing as an ETL process, which is not scalable to a modern data privacy and security world, nor the fast past analysis world we live in.

Start From Scratch; Rinse, Repeat. The anti-pattern is that you are defining all policies from scratch every time you need to share data, in other words, you’re deciding what to give the user from scratch for every use case. This is not scalable and leads to similar issues as the data policy snowflakes.

Privacy Engineering Blunders. Privacy engineering is a nascent complex field with non-obvious pitfalls. This has been seen in the news with several privacy blunders such as the Netflix challenge. We’ll cover some of the most common and non-obvious blunders and some advances in privacy engineering such as differential privacy.

For each of the five anti-patterns, the talk will focus on the problem and real-world examples and then dive into simple mitigation strategies to get back on track. This will help you accelerate your analytical initiatives without sacrificing legal and compliance guidelines.

Prerequisite knowledge

Some basic understanding of data security architecture

What you'll learn

* You will be able to recognize if you have a problem with your current data security and privacy architecture. * You will be able to take simple steps to solve those problems and accelerate your data analytics initiatives that are stymied by these non-obvious anti-patterns. * You will leave with deeper knowledge of legacy security and privacy practices and modern scalable approaches. * You will have a better understanding of cutting edge privacy engineering techniques such as differential privacy.
Photo of Steven Touw

Steven Touw


Steve Touw is the cofounder and CTO of Immuta. Steve has a long history of designing large-scale geotemporal analytics across the US intelligence community, including some of the very first Hadoop analytics as well as frameworks to manage complex multi-tenant data policy controls. He and his cofounders at Immuta drew on this real-world experience to build a software product to make data security and privacy controls easier. Previously, Steve was the CTO of 42Six Solutions (acquired by Computer Sciences Corporation), where he led a large big data services engineering team. Steve holds a BS in geography from the University of Maryland.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)

Contact us

For conference registration information and customer service

For more information on community discounts and trade opportunities with O’Reilly conferences

For information on exhibiting or sponsoring a conference

Contact list

View a complete list of Strata Data Conference contacts