“Breaking Changes” with Skyflow’s Anshu Sharma: A Privacy-Respecting API Economy


If security and privacy keep you up at night as a business leader, you don’t want to miss Breaking Changes episode 19, “How APIs Are Powering Privacy, Security, and Compliance.” Skyflow Co-founder and CEO Anshu Sharma has a very interesting perspective on privacy and security, and how APIs can help us shift these concepts left in the software development lifecycle by abstracting away personally identifiable information (PII). He talks about how PII has recently gone from an asset to a liability for many enterprise organizations, and how APIs are essential for helping us strike the right balance when it comes to the privacy, security, and access of our most valuable digital resources.

You can tune in and subscribe to the entire Breaking Changes podcast on Spotify, Apple Podcasts, Google Podcasts, and Amazon Music, or watch it on YouTube.

Watch episode 19 and read more of what I learned below:

I had a good time chatting with Anshu Sharma of Skyflow, an API dedicated to privacy and security, so I was pretty interested in exploring how he sees the intersection of those key concerns. It is an area that is increasingly coming up in conversations with Postman customers, but also in conversations with policymakers and the people defining the internet, web, and API industry standards we all depend on. Anshu and I spent an hour talking about Skyflow’s view of privacy, and how dependent the next generation of the API economy will be on the intersection of our privacy and security in this digital world.


APIs used for privacy

Anshu had the opinion that API developers should do what they do best, and shouldn’t have to be burdened with having to defend every piece of personally identifiable information (PII) that is present in their web and mobile applications. The Skyflow team believes that developers should be able to just pass any piece of valuable data off to a secure data vault via an API, receive a token back that represents the data, then store and use that token to represent PII in their applications. Developers can focus on the development of their applications and offload the privacy and security to Skyflow. This builds on a concept that has been around in API circles for years, but elevates it beyond just payments and some of the other ways we see this approach being used.
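The vault-and-token flow described above, as an added sketch that is not Skyflow's API or code from the original post. The `Vault` class, the `tok_` prefix, the roles, and the policy table are all hypothetical, and the record values are constructed sample data.

```python
import secrets

class Vault:
    """Hypothetical in-memory stand-in for a PII vault (not Skyflow's API)."""

    # Assumed policy: which role may read which field, and in what form.
    POLICY = {
        ("support", "ssn"): "masked",
        ("billing", "ssn"): "plain",
        ("billing", "phone"): "plain",
    }

    def __init__(self):
        self._by_token = {}   # token -> (field, value); lives only in the vault
        self._by_value = {}   # (field, value) -> token, so repeats reuse a token

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # Random token: carries no information about the value it stands for.
            token = f"tok_{secrets.token_hex(16)}"
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def detokenize(self, token, role):
        if token not in self._by_token:
            raise KeyError("unknown token")
        field, value = self._by_token[token]
        mode = self.POLICY.get((role, field))   # anything not listed is denied
        if mode is None:
            raise PermissionError(f"{role} may not read {field}")
        if mode == "masked":
            return "*" * (len(value) - 4) + value[-4:]
        return value

def demo():
    vault = Vault()
    # Constructed sample record; the application database keeps only tokens.
    app_row = {
        "user_id": 42,
        "ssn": vault.tokenize("ssn", "078-05-1120"),
        "phone": vault.tokenize("phone", "+1-555-0100"),
    }
    return vault, app_row
```

A breach of the application database in this model exposes only `app_row`, whose tokens are useless without a vault call that passes the policy check.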

API-led enablement

As Anshu and I continued to talk, we both acknowledged how APIs are all about abstracting very complex processes, workflows, and algorithms behind a single programmatic interface. This is no secret in the world of APIs. You see Twilio doing this for SMS, voice, and telephony. You see Stripe doing it for payments. Skyflow believes that this can be done for privacy, once again using APIs, but this time to wrap around the common workflows and processes involved in the privacy and security of operating online each day. This puts security vaults and the expertise behind them in the hands of the average developer, helping level the playing field between small and large companies when it comes to the resources available to conduct business across an increasingly risky landscape.

Everyone should have vaults like tech leaders

When it comes to having the resources to properly secure data, Anshu noted that Google, Goldman Sachs, and other companies that have a strong handle on privacy and security practices employ secure data vaults for their PII. He noted that they do not leave PII lying around in any database and rely on vaults designed for all of their critical data storage. Skyflow is looking to make secure data vaults available to anyone via an API, regardless of the size of the company or the sensitivity of the data being handled. The idea is to use APIs to wrap something large, complex, and often expensive, and make it available to your average development team, lowering the barrier to entry for this essential aspect of data security.

Putting data out of reach

Everything Anshu was talking about sounded great, but I acknowledged that there is a lot of money to be made selling data, and what Skyflow was proposing would put this valuable commodity out of reach for companies to make available to their partners. I asked Anshu what the incentives are for CEOs to use a vault rather than just stick with what they are doing. He said billion-dollar fines, being hauled in front of Congress, and increasing regulation like GDPR, CCPA, and other policies coming out of government. Anshu highlighted that some companies truly respect privacy and security, while others are more into doing it to protect their brand, but most will shy away from the fines and oversized media attention that come with privacy and security breaches that lead to breaches of trust between providers and consumers.

Tech companies lying about data

I was happy to hear Anshu come straight out and say that many companies have been lying to us when they say they need location and other private data to sell us their products and services; they tell us that we need to trade our privacy for personalization. Even though many of us have believed this lie, people are increasingly realizing that the tradeoffs are just too great, and the government is beginning to take notice too. The reality is that you don’t need to know everything about us to sell us products and services, and there are still ways that companies can make money while respecting all of our privacy and security. In fact, there is actually more money to be made in a world where we aren’t selling our customers’ data to the highest bidder and instead work to provide more value for them.

Revenue generation around data

Anshu saw making money by selling private data to partners as yesterday’s business model. There are far more ways to make money by respecting the privacy of our users, gaining their trust, and including them in the conversation by securely connecting them to more meaningful opportunities. He pointed out how Apple has been making huge movements in the healthcare space by providing secure lockers for your health data. The value generated by API companies like Twilio and Stripe isn’t just about the products and services they sell or the access to their user data, but the applications their APIs enable, powering ride-share, food delivery, and the other building blocks of the real-world economy. He noted that if we move towards a privacy-respecting API economy there will be even more opportunities for us to connect the dots and generate revenues in ways we never imagined. This is the API-first way.

Demonstrating during the pandemic

We discussed how Skyflow was demonstrating this during their recent work with the United States Health and Human Services (HHS) as part of COVID-19 data aggregation efforts. HHS noticed that labs, companies, and other key stakeholders in the process of collecting and aggregating critical data around COVID-19 research, hospitalizations, testing, and vaccinations didn’t want to share all of their data. They all needed a way to abstract away the PII that would violate patients’ privacy, while still being able to share key findings, demographic data, and other things federal, state, county, and municipal governments needed to properly assess and respond to the pandemic. It was an opportunity to demonstrate why APIs matter: how privacy APIs for data vaults can be used to store data and also securely make it available through very granular tokenization that represents the most valuable parts of our personal and corporate data.

API privacy-enabled API economy

Anshu pointed out that what they are doing at Skyflow is not new. Over the last decade, Stripe has shown the power of abstracting away credit cards from developers via an API and providing them with a token that represents that private data. Stripe alone has enabled massive growth across many business sectors with this capability for credit card information. Anshu is just looking to repeat this for social security numbers, phone numbers, addresses, and other private data we depend on each day, allowing developers to do what they do best, while also shifting privacy and security left in the development process. This optimizes how web and mobile applications are being delivered while protecting the privacy and security of the users who depend on these applications. Friction is reduced throughout the software development lifecycle, reducing the cost of doing business by reducing risk, while allowing our private data to effectively flow across the applications and platforms we depend on, no matter where in the world they operate.

What keeps Skyflow up at night

I closed our discussion by asking Anshu what keeps Skyflow up at night. First, he said, is COVID-19 and the impact it is having on all of our lives, and then the increasing restriction on the flow of data. He noted how concerns around privacy and security often restrict access unnecessarily to data, but also how rent-seeking on valuable data, as well as data nationalization, can keep data from flowing over borders as needed. For data to possess the most value, it needs to flow where it is needed and be accessible via the applications that matter the most to end users. Anshu felt that companies should be able to generate revenue, and government agencies should be standing up for the interests of their constituents, but data should be able to flow freely in a way that respects the privacy and security of end users. The flow of data as part of the economy was the genesis behind naming their company Skyflow—they didn’t want to go with SkyVault, or something that locks data up. They wanted it to be confident and about the secure flow of our most important data, enabling what really matters to us.

Balancing privacy, security, and access

My conversation with Anshu really reinforced for me how APIs are all about striking the right balance between securing our digital resources and making sure they are accessible to those who are supposed to have access through the applications they need. Skyflow’s approach took this to the next level for me and demonstrated how important API-driven data vaults and tokenization for our private data are for all of this to work. I got why Stripe is so relevant to the API economy, but I didn’t see the potential for how you can tokenize not just your credit card numbers, but any piece of valuable data to protect our privacy. Maybe I am biased, but I really believe that APIs are the key to the future of our global economy, and my conversation with Anshu Sharma from Skyflow really drove home how we are going to have to get a handle on privacy and security if we are going to confidently move into the future. It also made me really happy to see Skyflow doing this with APIs, demonstrating once again how good APIs are at balancing privacy, security, and access of our digital, and increasingly physical, resources that matter the most.

What else have I discussed with other stellar guests from the API universe? Check out the key takeaways and full videos of previous Breaking Changes episodes here.
