Follow Datanami:
January 5, 2022

Security, Privacy, and Governance at the Data Crossroads in ‘22


Keeping a handle on your growing pile of data isn’t easy in the best of circumstances. Luckily, we live in a world full of COVID-19, GDPR, a looming Metaverse, and the Great Resignation, which keeps the purveyors of security, privacy, and governance on their toes. How will these trends play out in 2022? We asked industry players, and this is what they said.

Data privacy regulations have proliferated in the past few years, with laws like CCPA, GDPR, and others going into effect. That anxiety-inducing trend will ratchet up another notch in 2022, and business leaders should absolutely take notice before it’s too late, according to Okera CEO Nick Halsey.

“Driven by both the fear of fines and damage to brand reputation, companies progressing on their compliance journey will shift their concern from simply the how-to, to now focusing on how to arbitrate among different regulations,” Halsey says. “A common approach will be to fulfill the technical requirements for one major regulation, perhaps CCPA or GDPR, then layer in the required capabilities for other regulations as needed. The consequences of this wait-and-see approach toward regulatory compliance will result in companies falling further behind while risks continue to increase – if they don’t act decisively in the coming year.”

For years, companies have strived to implement role-based access control (RBAC) to govern which employees get access to what data. In 2022, you can join Steve Touw, the CTO of Immuta, in celebrating the demise of RBAC.

“RBAC is holding enterprises back and is costing them big time,” Touw says. “The downstream costs of using RBAC could equate to hundreds of thousands of dollars in lost time and opportunity — a gap that will widen as users, data sets, data platforms, or any number of variables increase. The key to achieving cloud-scale is moving to dynamic attribute-based access control (ABAC). For 2022, data teams should invest in solutions that offer dynamic ABAC to harness the full value of their data with minimal overhead.”

Just when you thought it was safe to go outside, companies have started taking a “stream first” approach to their data collection and processing initiatives. That will help companies get quicker insights from data and make them more responsive to customer needs, but it also puts new pressures on how companies implement security, privacy, and governance, says Joe Witt, a corporate VP at Cloudera.

“…[B]ecause streaming data is rapidly becoming the system of record for companies, all this data now falls within the purview of compliance and governance teams, who must have insight into the full data lifecycle, including origin, provenance, sensitivity, location and transformations, as well as who has access to the data, when and from where,” Witt says.

Data governance can be messy and difficult, but it’s a requirement for responsible and reproducible analytics and AI initiatives. In 2022, practitioners will begin to lean more heavily on MLOps approaches to automate data governance, says Matthew Monahan, director of product management at Zaloni.

“The best ML technologies have well-defined training sets and MLOps techniques to identify data at the right time, from the development process through training and testing,” Monahan writes. “This MLOps transition parallels what we see in DataOps and what we saw with DevOps: you need to have good metadata to accomplish those processes. In the coming year, we will begin to see more crossover between data governance and MLOps because you need not just high-quality source data but also metadata to describe the data to feed into the MLOps process for development, training, and testing of those

Image: Continual


Employees across many sectors are on the move as they seek better employment fit. In 2022, that will result in a new focus on strengthening the privacy of employee data, says Megan Niedermeyer, Fivetran’s VP of legal.

“With the Great Resignation in full swing and employees holding more of the power in the work economy, companies will see more requests and expectations from their employee base to keep their information private,” Niedermeyer writes. “In order for this to happen, companies will have to vet their vendors more closely. Automatic integrations will also be more heavily scrutinized, causing the rise of questions such as where is this information going and why?”

On the flip side, as workers return the office, the potential security threats that insiders can pose will be on the mind of James Christiansen, vice president and CSO of cloud strategy at Netskope.

“In 2021 we’ve seen a rise of the Great Resignation and the utilization of gig workers,” he writes. “Specifically, with gig workers, the rapid churn of short-term projects and the widespread set of skills in demand means that background checks may be overlooked and the security of their own computers isn’t up to corporate standards. At the same time, in 2021 Netskope Threat Labs found that departing employees upload 3X more data to personal apps in their final month of employment. Taken together, both of these developments point to a need for corporations to rethink their insider threat strategy.”

Localized data will become more prominent in 2022 thanks to the proliferation of privacy laws, says Sovan Bin, the CEO of Odaseva.

“2021 saw the China Personal Information Protection Law (PIPL) implemented at astonishing speed, while U.S. states such as California, Virgina, Colorado have new compliance deadlines starting Jan. 1, 2023,” Bin writes. “Washington and other states are in the process of enacting similar legislation. This global patchwork of privacy regulations will require organizations to localize data in order to comply, which is a huge undertaking.”

(Panchenko Vladimir/Shutterstock)

New state privacy regulations are well-intended but inevitably will cause confusion, according to Quantcast Chief Privacy Officer Min-Jae Lee. Will a US version of the GDPR be the only way out?

“California, Virginia, and Colorado have each passed their own comprehensive data privacy laws aimed at protecting consumers’ digital data. More states will soon follow, with a half dozen states having similar bills active in their legislatures in late 2021,” Lee writes. “While these efforts are a positive step forward, this approach will result in confusion. With each state passing its own privacy laws, rules and regulations will vary throughout the US. The complexity will make it difficult for businesses to comply. Ultimately, this will underscore the need for a single set of federal data privacy regulations in the US, similar to GDPR.”

Country-level data privacy laws? Those are so passe. What the world needs now is a global data standard, says Krishna Tammana, CTO of Talend.

“New data privacy laws will continue to emerge, increasing compliance complexity and driving the need for a global consumer data privacy standard,” Tammana writes. “Using the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) as a model, governments globally and state-by-state in the US will create new regulations to give consumers rights over the data companies collect about them and how they use it. These disparate regulations will increase complexity for organizations trying to comply across regions. However, this could be the push we need to develop a truly global standard for consumer data privacy.”

After years of people being angry at social media platforms and technology in general, government regulation around the world will finally catch up with public opinion, says Patrick McFadin, VP of developer relations for DataStax.

“The result will be a very complicated regulatory maze for anyone building data-driven applications. Which means to say, everyone,” McFadin says. “Data regulation hasn’t been non-existent but has not kept up with the sophistication of privacy issues that constantly come up. Just this year we saw private industry try to self-regulate with a battle between Apple and Facebook. At the speed of government, this was too little too late. 2022 will be the beginning of a multi-year journey through new regulations and deadlines.”

During the peak of the pandemic, organizations shifted budgets to bolster initiatives that allowed them to explore data in new ways, but this was often haphazard and reactive, according to Sanjeev Mohan, a former Gartner analyst and current Okera advisor. The result of this will be an expansion of data governance to cover all data in the new year, Mohan says.

The Metaverse amplifies security and privacy concerns (is.a.bella/Shutterstock)

“Post COVID-19, data and analytics budgets are seeing their biggest increase in many years, according to Gartner,” he says. “Organizations are investing in expanded data and analytics environments to make timely and accurate decisions in a more strategic manner. New business use cases rely on multi-structured data from streaming IoT, 5G, logs and clickstream data sources. This data should be secured through a uniform and standardized approach to allow reusability and automation.”

James Carder, the Chief Security Officer & Vice President of Labs at LogRythym, shared a number of disturbing 2022 predictions, including the possibility of supply chain compromises of semi-conductor and vaccine manufacturers. But his prediction that hackers will blackmail Olympic athletes during the upcoming Winter Olympics games in Beijing took the cake.

“Hackers will breach various athletes’ accounts and find incriminating email exchanges regarding the use of performance-enhancing drugs and insight into the individual’s personal life,” Carder wrote. “This will result in athletes being blackmailed into helping hackers carry out cyberattacks on their home countries or face the release of incriminating evidence.”

The adoption of big data and AI tech in healthcare has been a long time in coming. But be careful what you wish for, as the consequences of breaches here are particularly severe here, according to Jonathan Reiber, the former White House chief strategy officer.

“The connection between healthcare services and technology will continue to tighten, elevating risks in the healthcare sector — particularly from ransomware – driving further investments in telehealth functions, like mobile technology, and enterprise cybersecurity,” he writes. “Telehealth and other technological innovations accelerated under the pandemic, and while access to telehealth has improved patient care under extraordinarily difficult circumstances for patients and doctors and IT departments alike, it has increased risks and forced security teams and application teams into a sprint.”

In 2022, citizens seeking access to services will be asked to verify their identity, including whether or not they have been vaccinated against COVID-19, according to Bala Kumar, CPO of Jumio.

Vaccine passports are just the start (Robert Avgustin/Shutterstock)

“Establishing COVID-19 vaccine passport programs will be a key international security focus in 2022,” Kumar writes. “The demand for vaccine passports is escalating, and digital vaccine passports are becoming the global standard proof of vaccination. In just the U.S., 82% of Americans are in favor of the idea. However, fraudsters are already one step ahead with the rise of a booming black market for counterfeit vaccine cards. In fact, fraudulent vaccine card selling has increased by 257% since March 2021. With fraud on the rise, organizations must ensure the person showing their digital vaccine passport is not using a counterfeit. This has become a major concern for U.S. government agencies as well with thousands of fraudulent vaccine cards seized by customs in just one week.”

We’re all just dying to get into the Metaverse. But before that can happen, we must be certain that the Metaverse’s AI doesn’t amplify the risks we’re already facing in the real world, according to Navrina Singh, the CEO and co-founder of Credo AI.

“Although the Metaverse opens the door for exciting opportunities, it also comes with a lot of risk, especially with AI,” Singh writes. “The risks of AI exist in both the real world and the virtual world, but are further amplified in the latter. By diving into the Metaverse headfirst with a lack of AI oversight, enterprises put their customers at risk for challenges like identity theft and fraud. It is paramount that AI and governance issues are solved in the real world now in order to keep consumers safe in the Metaverse.”

On the Internet, nobody knows you’re a dog. But that level of canine ambiguity will not fly in the Metaverse, according to Jimmy Fong, the chief commercial officer at SEON, who says digital identity passports will be de rigueur in the next iteration of the Internet.

(Image courtesy John Deere)

“Large entities like Facebook are pivoting their focus to the Metaverse and the next big thing will be using a ‘digital identity’ to work, shop, get education, collaborate, and interact socially,” Fong says. “With every major digital advancement comes fraudsters to prevent, and consumers and businesses will need to pivot to nimble digital fraud prevention to keep up with this pace. Digital identities are much easier to create, so security teams will need to look at how to use these digital footprints to accurately identify fraud, while consumers will be interested in protecting these digital identities from being used for fraud.”

Fraudsters will follow you into the Metaverse, but they can’t follow you into the new driverless tractors that John Deere unveiled this week at CES. Unfortunately, the cyberthugs will come up with other ways of spreading their hate and discontent in the physical world, says Audra Simons, the senior director of product management at Forcepoint.

“As we incorporate technology into more critical infrastructure, including agriculture, we’ll see the emergence of new technologies as high-value targets for cybercriminals,” Simons writes. “As the agricultural industry embraces digital transformation, new attack surfaces are formed. With remote controlled tractors and automatic watering devices or livestock feeders, the potential for disruption is sobering. Combine this with growth in smart cities built on IoT, and steps must be taken now to protect our streets and crops. It begs the question: are essential services like electricity, food and water becoming too smart for their own good?”

You may aspire to become the Tom Brady of digital transformation in your particular field this year. Just don’t forget how to block and tackle, recommends Delphix CISO Pritesh Parekh.

“The pandemic accelerated digital transformation everywhere, and it is clear that this year and next, many companies will continue to struggle with the ramifications,” Parekh writes. “Hybrid and remote are now the norm for the interactions that drive business (and our society), taking the boundaries between a business and the larger world down. As a result, endpoints are exposed and data is bouncing around in a lot of places it shouldn’t be. And attackers have realized that. They know that to be successful with an attack, you have to follow the path to access the data, and it’s become so easy to do that by looking at endpoints.

“The first most common mistake in 2022, will be not prioritizing security of the endpoints,” Parekh continues. “The second will be the lack of an effective response plan. The industry continues to focus obsessively on detection and prevention in the aim of protecting against every possible ransomware attack. In 2022 what will be more successful will be a focus on recovery and response of mission critical data.”

Related Items:

Data Science and AI Predictions for 2022

2022 Big Data Predictions from the Cloud

2021 Big Data Year in Review: Part 2