Skyflow to developers - your approach to PII security is all wrong

By Phil Wainewright

July 21, 2021

Audio mode

(Composite of Skyflow screengrab with image © denisismagilov Fotolia)

One of the biggest cybersecurity risks any enterprise faces these days is that of a data privacy breach. Exposing the Personally Identifiable Information (PII) of clients, employees or prospects can lead to huge fines and even greater reputational damage. Organizations have therefore been investing in all kinds of measures to increase the security around the PII they hold — people's names and addresses, phone numbers, email addresses, birthdays, credit card numbers and more. But these increasingly complex layers of security still leave multiple gaps and vulnerabilities, according to Skyflow, a startup that launched last December with $25+ million in funding. Today, it launches a new governance engine as part of its PII data vault SaaS offering. CEO Anshu Sharma says:

Our viewpoint strongly is that everybody's been doing it wrong, and there is actually a simpler way of thinking about it.

The wrong way, according to Skyflow, is to layer a string of security and compliance measures around sensitive customer information that's sitting in a variety of applications and data stores that have grown up over the years — a mish-mash of PII fragments, linked together in a variety of separate processes. Instead, it argues that all this PII should be stored in a single, highly protected data vault from which other applications access only the data or tokens they need to complete a transaction.

This is a principle that's been followed by the likes of Apple and Netflix to protect their own PII data, but for the majority of enterprises it has been uneconomic or beyond their engineering capabilities. Skyflow offers its PII data vault as a service via an API, making PII governance available in the same way that Twilio offers communications capabilities or Okta offers identity management.

The Skyflow PII vault brings together expertise and technology that is rarely found in one place. "These people don't even usually talk to each other," says Sharma — people who understand SaaS, databases, identity, security, privacy, encryption, and "why you can't use fully homomorphic encryption for certain subclasses of data structures." They've thought through scenarios such as not only making sure that encryption keys are rotated every 30 days, but also keeping records so that a client who's suffered a ransomware attack can recover data encrypted with the previous key. Sharma comments:

Oftentimes to a CTO I'm like, 'Is there someone in your company who's even capable of thinking about this problem, how does key rotation work? I think that's really the IP that we've collected, which is smart people who are actually trying to solve the problem.

PII security shifts left

The result is that enterprises can, to use a phrase popular with developers, 'shift left' the point at which they deal with data privacy and security. Instead of adding a patchwork of security and compliance measures as a further layer built around and on top of existing systems, the API approach makes it possible to address data privacy and security at a much earlier stage of the development process. The Skyflow tooling provides a single point of control and system of record for matters such as security, residency and compliance. This is a much simpler approach, as Sharma explains:

Governance, security, compliance and data residency have to work, in our opinion, together in one solution. Some companies currently build it all, which requires teams of engineers. The next best option is to buy five to seven different tools, and then stitch them together.

As a CTO, let's assume you've bought five tools, from OneTrust to SecurID to everything else, and I said, 'Okay, can you tell me which applications are using our data? And whether the data is masked appropriately for call center users in Philippines versus Germany?' Where is the source of truth for that answer? ...

Our view is all of these features belong in the common PII vault. And that's the product offering that we are announcing and launching.

This is particularly important for modern agile development teams working with fast-moving CI/CD pipelines. It doesn't work to have data security as a separate function that only comes into play once the code has been delivered. Developers need to be able to specify the data views people will have so that this can then be configured appropriately on release. Sharma explains:

People are releasing applications, sometimes daily, sometimes weekly. You need to be sure that developers, when they are building an applications, get a sense of, 'This user will see redacted data, and this user will see completely anonymized data.' You can't do that if your security tool is deployed only in your data center.

As you're building your app with Skyflow APIs, you can actually see the fact that there's two views of the data, so that when you ship, all you have to do is configure which users are which.

Change of mindset

This new approach to working with PII demands a change of mindset from traditional methods that depend on an array of security and compliance tools. Sharma gives the example of a consumer signing up for home delivery of fresh water. The billing process will need their credit card details, FedEx will need their address, Twilio will need their phone number to notify them when the shipment's on its way. Using Skyflow's zero-trust approach, none of those individual pieces of PII need to be stored or passed around in the application infrastructure, which therefore doesn't need a PII security fence around it. Instead, Skyflow abstracts all of that behind its API. Sharma explains:

When we run into traditional IT security people, or even traditional technologists, they will often say, 'Which of these nine companies do you compete with? Because right now, I am looking for the best tokenization solution for my credit cards, and I'm looking for the best governance solution for my data lake.'

We have to re-educate them and say, 'Look, in this modern API-first world, that's the wrong way to think about it. You don't think in terms of boxes and how do I protect each box, because there is no data center, and there are no boxes to protect.

Instead, the application calls on a cloud function in the PII vault when Twilio needs to text the customer, and their phone number never touches the application. He continues:

You get hold of this data in your life cycle and just protect it as it goes everywhere because it's in one PII API. That concept is a new concept, and basically we have to educate them.

Skyflow customers already include insurance companies, healthcare businesses running clinical trials, a credit card platform and several ISVs who are building products using its PII vault.

My take

I should disclose that I've known Anshu Sharma for a very long time as we've both been around the SaaS scene for at least 15 years and in the past we've worked together on several projects. Nevertheless, I do feel this has all the hallmarks of an elegant solution to a knotty problem.

I'm a big fan of an API-first, building-blocks approach to application development — something I call Tierless Architecture . PII security and governance seems to be a classic example of a function that, like cloud infrastructure and payment processing, most enterprises would be better off leaving to a highly scalable, expert provider such as Skyflow rather than exposing themselves to all the risks of attempting to build equivalent infrastructure in-house. One to watch.