Startup Skyflow debuts a PII vault as a service that takes an API-first approach to PII security

something I call Tierless Architecture

(Composite of Skyflow screengrab with image © denisismagilov Fotolia)

One of the biggest cybersecurity risks any enterprise faces these days is that of a data privacy breach. Exposing the Personally Identifiable Information (PII) of clients, employees or prospects can lead to huge fines and even greater reputational damage. Organizations have therefore been investing in all kinds of measures to increase the security around the PII they hold — people’s names and addresses, phone numbers, email addresses, birthdays, credit card numbers and more. But these increasingly complex layers of security still leave multiple gaps and vulnerabilities, according to Skyflow, a startup that launched last December with $25+ million in funding. Today, it launches a new governance engine as part of its PII data vault SaaS offering. CEO Anshu Sharma says:

Our viewpoint strongly is that everybody’s been doing it wrong, and there is actually a simpler way of thinking about it.

The wrong way, according to Skyflow, is to layer a string of security and compliance measures around sensitive customer information that’s sitting in a variety of applications and data stores that have grown up over the years — a mish-mash of PII fragments, linked together in a variety of separate processes. Instead, it argues that all this PII should be stored in a single, highly protected data vault from which other applications access only the data or tokens they need to complete a transaction.

This is a principle that’s been followed by the likes of Apple and Netflix to protect their own PII data, but for the majority of enterprises it has been uneconomic or beyond their engineering capabilities. Skyflow offers its PII data vault as a service via an API, making PII governance available in the same way that Twilio offers communications capabilities or Okta offers identity management.

The Skyflow PII vault brings together expertise and technology that is rarely found in one place. “These people don’t even usually talk to each other,” says Sharma — people who understand SaaS, databases, identity, security, privacy, encryption, and “why you can’t use fully homomorphic encryption for certain subclasses of data structures.” They’ve thought through scenarios such as not only making sure that encryption keys are rotated every 30 days, but also keeping records so that a client who’s suffered a ransomware attack can recover data encrypted with the previous key. Sharma comments:

Oftentimes to a CTO I’m like, ‘Is there someone in your company who’s even capable of thinking about this problem, how does key rotation work? I think that’s really the IP that we’ve collected, which is smart people who are actually trying to solve the problem.

PII security shifts left

The result is that enterprises can, to use a phrase popular with developers, ‘shift left’ the point at which they deal with data privacy and security. Instead of adding a patchwork of security and compliance measures as a further layer built around and on top of existing systems, the API approach makes it possible to address data privacy and security at a much earlier stage of the development process. The Skyflow tooling provides a single point of control and system of record for matters such as security, residency and compliance. This is a much simpler approach, as Sharma explains:

Governance, security, compliance and data residency have to work, in our opinion, together in one solution. Some companies currently build it all, which requires teams of engineers. The next best option is to buy five to seven different tools, and then stitch them together.

As a CTO, let’s assume you’ve bought five tools, from OneTrust to SecurID to everything else, and I said, ‘Okay, can you tell me which applications are using our data? And whether the data is masked appropriately for call center users in Philippines versus Germany?’ Where is the source of truth for that answer? …

Our view is all of these features belong in the common PII vault. And that’s the product offering that we are announcing and launching.

This is particularly important for modern agile development teams working with fast-moving CI/CD pipelines. It doesn’t work to have data security as a separate function that only comes into play once the code has been delivered. Developers need to be able to specify the data views people will have so that this can then be configured appropriately on release. Sharma explains:

People are releasing applications, sometimes daily, sometimes weekly. You need to be sure that developers, when they are building an applications, get a sense of, ‘This user will see redacted data, and this user will see completely anonymized data.’ You can’t do that if your security tool is deployed only in your data center.

As you’re building your app with Skyflow APIs, you can actually see the fact that there’s two views of the data, so that when you ship, all you have to do is configure which users are which.

Change of mindset

This new approach to working with PII demands a change of mindset from traditional methods that depend on an array of security and compliance tools. Sharma gives the example of a consumer signing up for home delivery of fresh water. The billing process will need their credit card details, FedEx will need their address, Twilio will need their phone number to notify them when the shipment’s on its way. Using Skyflow’s zero-trust approach, none of those individual pieces of PII need to be stored or passed around in the application infrastructure, which therefore doesn’t need a PII security fence around it. Instead, Skyflow abstracts all of that behind its API. Sharma explains:

When we run into traditional IT security people, or even traditional technologists, they will often say, ‘Which of these nine companies do you compete with? Because right now, I am looking for the best tokenization solution for my credit cards, and I’m looking for the best governance solution for my data lake.’

We have to re-educate them and say, ‘Look, in this modern API-first world, that’s the wrong way to think about it. You don’t think in terms of boxes and how do I protect each box, because there is no data center, and there are no boxes to protect.

Instead, the application calls on a cloud function in the PII vault when Twilio needs to text the customer, and their phone number never touches the application. He continues:

You get hold of this data in your life cycle and just protect it as it goes everywhere because it’s in one PII API. That concept is a new concept, and basically we have to educate them.

Skyflow customers already include insurance companies, healthcare businesses running clinical trials, a credit card platform and several ISVs who are building products using its PII vault.

My take

I should disclose that I’ve known Anshu Sharma for a very long time as we’ve both been around the SaaS scene for at least 15 years and in the past we’ve worked together on several projects. Nevertheless, I do feel this has all the hallmarks of an elegant solution to a knotty problem.

I’m a big fan of an API-first, building-blocks approach to application development — something I call Tierless Architecture . PII security and governance seems to be a classic example of a function that, like cloud infrastructure and payment processing, most enterprises would be better off leaving to a highly scalable, expert provider such as Skyflow rather than exposing themselves to all the risks of attempting to build equivalent infrastructure in-house. One to watch.

Japan travel news, japan travel guides, japan holiday destinations and japan reviews



Trading tax hike adds to Hong Kong market gloom

HONG KONG — A move to reorient Hong Kong’s benchmark share index toward Chinese technology stocks was intended to reinvigorate interest and help investors capture growth in the country’s highest-profile growth sector. Instead, with China’s widening regulatory crackdown, the shift toward tech now threatens to bring the Hang Seng Index…

Read more: Trading tax hike adds to Hong Kong market gloom

‘A really ugly playing field’: How tech is tackling online trolling of athletes

Simone Biles’ shock exit from the gymnastics teams event at the Olympics last week led to the five-time Olympic medallist being both praised and pilloried on social media for prioritising her mental health. “Choke! The great athletes do not choke and quit under pressure,” one person posted. “You wanna blame…

Read more: ‘A really ugly playing field’: How tech is tackling online trolling of athletes

Malaysia regulator takes enforcement action against Binance

Malaysia has taken enforcement action against cryptocurrency platform Binance to stop it operating in the country, the Securities Commission said. The Commission said it had issued a public reprimand against Binance Holdings Limited, its CEO Zhao Changpeng and three other entities registered in the United Kingdom, Lithuania and Singapore, for…

Read more: Malaysia regulator takes enforcement action against Binance

Japan space center joins push to settle Mars and beyond

TOKYO — Like something out of a science-fiction movie, a mysterious, strangely shaped structure rises up from a barren red desert. Inside, buildings stand on tracts of green, grassy land and boats sail across vivid blue water — all on near-vertical walls. This computer-animated tableau was presented at the opening…

Read more: Japan space center joins push to settle Mars and beyond

Is 5G a waste of electricity? Experts say it's complicated

As 5G developers look desperately for a “killer app” to prove the usefulness of the superfast wireless technology, mobile carriers in China are complaining about the high energy cost of 5G signal towers. And the situation is, according to experts, more complicated than many have thought. The costly 5G 5G…

Read more: Is 5G a waste of electricity? Experts say it's complicated

Nothing Ear 1 Review: Something new, something different

When OnePlus co-founder Carl Pei announced the name of his new venture, Nothing, it took many by surprise. Enthusiasts and the average Joe interested in the tech space kept talking about the uniqueness/ different name that Pei chose to have for his new company. Since then, there has been some…

Read more: Nothing Ear 1 Review: Something new, something different

Value of China's BeiDou navigation industry to take up 25% of global share by 2025 The value of China’s homegrown BeiDou satellite navigation industry is estimated to exceed 1 trillion yuan (about $155 billion) by 2025, taking up 20 to 25 percent of the global share, according to an expert. Cao Chong, chief scientist of the GNSS (Global Navigation Satellite System) and LBS (Location…

Read more: Value of China's BeiDou navigation industry to take up 25% of global share by 2025

Jetpack Compose for Android turns GA

Jetpack Compose, Google’s native UI toolkit for Android mobile application development, has reached its official 1.0 production release status. Leveraging a declarative approach, Jetpack Compose is intended to make it easier and faster to build native Android applications. As an app state changes, the UI automatically updates. The toolkit’s Kotlin…

Read more: Jetpack Compose for Android turns GA

Russia blames space station lab incident on software failure

Toyota reports over two-fold rise in wholesales in July at 13,105 units

Tata Motors looking at changes in trim mix, direct buying from stockists to deal with chip shortage

Apple and Google go on the offensive against anti-vax app

Revision bill aims to allow players to withdraw from contracts with ‘unfair’ rollbacks

YouTube suspends Sky News Australia channel

Apple still dominates tablet market, earns $7.4 billion revenue in Q3 FY2021

Korea marks first trade surplus in pharmaceuticals in 2020