We recently sat down for a webcast with Lourdes Turrecha, CEO & co-founder of the TROPT Privacy Tech Database (TROPT). Lourdes shares our mission to drive privacy tech and innovation, providing our CEO & co-founder Gil Dabah with an exciting platform to explore Piiano’s privacy philosophy.
Below is an edited transcript of that conversation, changed for brevity and clarity.
Why Build Piiano?
LT: How did you end up building in the emerging privacy tech industry? You’re notoriously one of Israel’s top hackers.
GD: My co-founder Ariel and I have been so frustrated with data breaches littering the headlines. We started dreaming up a solution that would finally cut straight to the problem. Everybody has been trying to solve it with firewalls, DLPs and so many other different technologies and products that have yet to succeed.
GD: Then our engineer and hacker senses started tingling–and we realized that proper data protection requires us to prioritize what needs it the most. This is what got the Piiano ball rolling.
The Intersection of Security and Privacy
LT: I love that you’re talking about the intersection of privacy and security. You’re certainly in it, coming into the privacy field with your security background.
GD: Regulations like GDPR (General Data Protection Regulation), and even the role of a Data Protection Officer, really underscore how you can’t have one without the other. The specific challenge with privacy is that it’s not only about security controls, it’s also about how you work with data. Both are now thoroughly addressed by regulations with an emphasis on putting data first.
LT: Right, securing data is an important aspect of privacy but it’s still only one aspect. It’s about the entire processing of data, not just the security of it.
Piiano’s Privacy Philosophy
LT: Let’s talk about Piiano’s Privacy and Security Vault. There are a lot of privacy buzzwords out there, and TROPT is on a mission to help educate and bring awareness to the privacy conversation. Prior to Piiano, data vaults weren’t product categories, but data modeling methodologies instead. How would you define this product category?
GD: On the most basic level, privacy is mostly ruled by legal professionals, and Piiano is trying to convert their regulations into practical architecture and infrastructure with the aim of helping enterprises comply.
GD: Today, so many different storage solutions and databases are housing enterprise data. Some don’t even know where their data is–which is why there are already so many data visibility solutions. Knowing this, Ariel and I began to fixate on the remediation of data breaches themselves.
GD: The truth is that you can’t protect everything. In that vein, if I were speaking to a child, I would liken the Vault to where “mommy puts all of her jewelry so that unwanted people can’t take it”. We use safes at home even though we have doors and locks for very special items. The same analogy can be applied to data in backend systems.
GD: If you have lots of information spread out across many data stores, it’s a good idea to have one special place for the most sensitive data. We believe in decoupling PII and isolating the most important PII, such as full names or social security numbers, in this special place. Doing so “pseudonymizes” the information, and ensures that the remaining, potentially more exposed data, is censored and stripped of its sensitivity.
GD: This lies at the heart of the value we bring to enterprise privacy posture. Naturally, security tries to protect everything, but privacy requires us to prioritize these efforts for when enterprises are inevitably breached. This strategy prevents leaks.
To Centralize or Decentralize? That is the Question
LT: Decentralization is becoming a big trend among big tech companies and the Web 3 space as well. Instead of putting everything into one repository, we’re seeing some of them processing it at the edge. Meanwhile, Piiano’s Vault is a centralizing solution.
GD: Consider how GDPR disrupted Web 2.0–suddenly, the massive amounts of data amassed by enterprises became a major liability. I can’t see Web 3.0 killing (solving) privacy or moving us entirely towards decentralized PII. It reminds me of when people think that data decentralization (or really, data sprawl) can keep bad actors away, similar to security by obfuscation or security by obscurity–approaches that don’t really solve the problem but only sound good.
GD: We foresee lots of companies continuing to centralize their sensitive information. This doesn’t mean that Web 3’s decentralized models are bad–some are quite good, as they require bad actors to hack into individual devices or accounts without giving them access to everything at once. But this is less applicable to today’s backend systems. We can’t discount when Web 3 is coming, but it’s not quite here yet. Even when it is, it will need to be built with privacy-by-design to accommodate things like the right to be forgotten.
LT: We still have to deal with the data that’s been collected under Web 2.0. We’ve still got a long way to go until we reach a future decentralized age of the internet.
Who’s Piiano for?
LT: You guys participated in the TROPT privacy tech stack review program, where we have potential buyers as reviewers. Considering how cross-functional the field of privacy is, who’s Piiano’s customer and end-user?
GD: Developers. Privacy’s an exciting field because we’re currently battling privacy debt for the first time in an era where data is king. It’s pretty amazing that sensitive information is still stored in plain text when everything else is managed with far more mindfulness. PII is neglected when we consider how we manage today’s API keys, passwords, and certificates. Developers are scrambling to fill this gap with DIY vault-like features or hardened databases. Unfortunately, building out this infrastructure is really time-consuming and resource-intensive. It can take years to complete basic privacy-by-design architecture. This is an uphill battle when you account for extant data as well as the incoming onslaught of information collected on a daily basis. Most enterprises simply can’t do this. That’s where Piiano comes in.
GD: As a startup, we like to see this kind of repetitive gap. We’re offering to do the heavy lifting for developers the right way with pre-built, ready-to-use infrastructure. By eliminating so much of the manual labor involved, this near-instantaneous privacy-by-design saves them significant time and changes how their entire organizations store and interact with PII, as well as implement GDPR-related requests and other privacy workflows.
What’s Next for Piiano
LT: Aside from the Vault, what are you building right now? What’s your long-term vision for the company?
GD: We’re going to go open source and offer some features for free to make privacy-by-design as accessible as possible! This is important for making meaningful change around the world, familiarizing everyone with privacy-by-design, and gaining the trust of the developer community. Our aims surpass product-focus. We really want to focus on the market and bring awareness to the unique handling PII requires. How can we still be storing PII in plain text? We must do better when customers are entrusting their most sensitive information to enterprises.
GD: The world is going to go through a massive change. I’m not sure the enterprises fully appreciate the challenges the changing privacy landscape is setting before them. Eventually, they’ll have no choice but to adopt privacy-by-design, change their systems and add metadata to their databases. It’s about so much more than access controls. It’s about privacy controls, too. All of this will dramatically affect development pipelines. Think about all the SaaS companies businesses integrate with today. How are they supposed to implement privacy rights when everyone runs with different standards? I hope we can see a future of open API protocols for GDPR like the right to be forgotten.
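The decoupling Gil describes (move the most sensitive PII into one isolated store, keep only opaque tokens in the regular application record, and let an erasure request delete the real values in one place) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Piiano's code and makes no claim about how the Vault is implemented. The field names, the `tok_` token format, the in-memory dictionaries and the sample record are all constructed assumptions; a real vault would encrypt at rest and gate `detokenize` behind authentication and audit logging.

```python
"""Toy PII vault: pseudonymize a record by swapping sensitive fields for tokens.

Constructed example (not Piiano's code). Assumptions are marked inline.
"""
import secrets

# Assumption: these are the fields the organisation has classified as
# "most sensitive" and chosen to isolate in the vault.
SENSITIVE_FIELDS = {"full_name", "ssn"}


class PIIVault:
    """Single isolated store for sensitive values, addressed only by token."""

    def __init__(self):
        self._store = {}        # token -> (subject_id, field_name, raw_value)
        self._by_subject = {}   # subject_id -> set of tokens (for erasure)

    def tokenize(self, subject_id, field_name, value):
        """Store a raw value and return an opaque, unguessable token."""
        token = "tok_" + secrets.token_hex(8)   # assumption: token format
        self._store[token] = (subject_id, field_name, value)
        self._by_subject.setdefault(subject_id, set()).add(token)
        return token

    def detokenize(self, token):
        """Resolve a token back to the raw value; fails closed if erased."""
        entry = self._store.get(token)
        if entry is None:
            raise KeyError("unknown or erased token")
        return entry[2]

    def erase_subject(self, subject_id):
        """Right-to-be-forgotten: drop every value held for one data subject.

        Returns the number of tokens erased. Tokens left in application
        records become dangling and can no longer be resolved.
        """
        tokens = self._by_subject.pop(subject_id, set())
        for token in tokens:
            self._store.pop(token, None)
        return len(tokens)


def pseudonymize(record, vault, subject_id):
    """Return a copy of `record` with sensitive fields replaced by tokens."""
    out = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS:
            out[key] = vault.tokenize(subject_id, key, value)
        else:
            out[key] = value
    return out


def rehydrate(record, vault):
    """Rebuild the full record from a pseudonymized copy (privileged path)."""
    out = {}
    for key, value in record.items():
        out[key] = vault.detokenize(value) if key in SENSITIVE_FIELDS else value
    return out


def leaked_sensitive_values(pseudonymized, original):
    """Sensitive raw values that still appear in the pseudonymized record."""
    raw = {original[k] for k in SENSITIVE_FIELDS if k in original}
    return sorted(v for v in pseudonymized.values() if v in raw)


if __name__ == "__main__":
    # Constructed sample record; the SSN is a deliberately invalid placeholder.
    vault = PIIVault()
    user = {"user_id": 42, "full_name": "Alice Example",
            "ssn": "000-00-0000", "plan": "pro"}
    stored = pseudonymize(user, vault, subject_id=42)
    print("application copy:", stored)
    print("leaked values:", leaked_sensitive_values(stored, user))
    print("rehydrated:", rehydrate(stored, vault))
    print("erased tokens:", vault.erase_subject(42))
    try:
        rehydrate(stored, vault)
    except KeyError as exc:
        print("after erasure:", exc)
```

The point the demo makes is the one from the conversation: a breach of the application database yields `user_id`, `plan` and two meaningless tokens, and a single `erase_subject` call satisfies an erasure request without hunting through every downstream copy of the record.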