Share and Maintain Data Governance: Security Enables Both in the New Age of Data Clean Rooms

Created at May 30th, 2023

Data is the new endpoint.  If there’s one problem industries have been grappling with, it is the ability to balance the ubiquitous movement of data across digital platforms while maintaining AND demonstrating secure oversight.  

Collaboration with the power of clean rooms 

The whole concept of clean rooms centers on collaboration and the idea of two or more parties sharing data in a trusted, secure environment.  As Chief Marketing Officers (CMOs) leverage and continue to build on such digital capabilities, they are catapulted into a new role: that of a more focused digital capability owner who must demonstrate continuous brand compliance and trust. To do so, they will evolve key performance indicators (KPIs) to integrate traditional security and compliance metrics, which historically were segmented by department responsibilities.  The CMO will attach more deeply to the digital side of the brand’s architecture simply because trust in the brand is increasingly dependent on its digital supply chain. This makes a close relationship between the CMO, the CIO, and the CISO essential to maintaining the integrity and resilience of the brand as it moves through the rapidly changing ecosystem.  The new set of KPIs helps the CMO demonstrate that the digital-dependent brand strategy has trust indicators working as intended.

Shared responsibility enables innovation  

In security, we defend at the code level; now we have the ability to monitor and maintain data sovereignty with the same intricacy.

The key is enabling innovative solutions that create efficiency, insights, and revenue growth in a manner that maintains regulatory, compliance, and security requirements.  That means creating value in a manner where data protection standards and data sovereignty oversight can be maintained and evidenced during an audit, or used to demonstrate compliance with regulatory expectations.  Acxiom and Snowflake have not only addressed this issue so that our clients realize the benefit, but we are also preparing for the next iteration of data protection and oversight requirements.

In a prior role, one of my mentors used to say to me, “Security is the enabler of a frictionless ecosystem.”  My mentor is wise, and that sentence, in essence, captures the power, freedom, and flexibility of data clean room capabilities.  Acxiom’s data clean room solution, hosted on Snowflake, addresses and harnesses the latest technological evolution in cloud-based data clean room solutions.  Coupled with data-centric security monitoring tools, we have the additional capabilities to solve client problems. 

It is a really exciting time to be working in this sector. And clean room technology is still evolving at an incredible rate, with the next capabilities likely to come from the field of generative AI. 

But, as with any rapid digital evolution, there’s the need to secure the capabilities not just at the speed they are being developed but at the even faster pace of potential disruptions. Effective data clean rooms can only exist with a robust security posture. So let’s take a look at some of the security trends and developments that have got us to where we are with clean rooms today and will keep us a step ahead moving forward.

Shared responsibility within cloud environments 

The factor that’s had the biggest impact on data clean room development in recent years is the shared responsibility model of cloud environments. 

When data clean rooms were hosted within an organization’s on-premise environment, the ability to curtail and manage risks was limited to the relative level of security investments. Now it’s possible to outsource the infrastructure and hosting capabilities to a cloud partner, who helps distribute and takes responsibility for securing those elements, so the clean room provider, like Acxiom, can turn its full attention to securing a solution built within that environment. 

At Acxiom, we have a strategic partnership with Snowflake for our data clean room solution. Snowflake invests billions of dollars in its security and data protection posture, and it secures the infrastructure on which we build the data clean room solution. This means we can focus our investment on protecting the products we build on top of that infrastructure.    

Of course, shared responsibility also comes with shared accountability to monitor the full stack. Snowflake needs to ensure our solutions aren’t impacted by any attack or compromise, and we need to be sure our products can’t backdoor into the Snowflake environment. Constantly monitoring the bi-directional relationship between Acxiom’s data clean room solution and the environment in which it is hosted gives us full confidence that we are keeping our clients’ data safe.

Staying ahead of evolving regulations  

With data protection regulations regularly revised and updated across the globe, we have to continually evolve how we secure the data clean room environment and how we validate the security of that environment. 

In January 2023, for example, some countries introduced new regulatory expectations that require the ability to demonstrate the integrity of any algorithms that run analytics capabilities. In addition, some countries now require any algorithm that generates a decision (for example, in digital advertising) to be able to demonstrate algorithmic fairness. This means proving that the business rule behind the algorithm is operating as intended, that it can’t be compromised, and that it’s been tested for resilience against a cyber attack.   

Fortunately, we have the capacity to prepare for these types of regulatory changes proactively. In the above cases, we started designing new testing protocols, so we’re able to act on the new expectations and are validating them with third-party legal and compliance firms. These protocols enable us to demonstrate to regulatory agencies that our algorithms, and the business logic rules behind them, are operating as intended. We can even test to validate the integrity of the (mostly open-source) code within those business logic rules to ensure it can’t compromise the algorithm build.  Changing regulations create a little more complexity in how we test and validate our clean room solution.  We’re always up for the challenge, especially when every additional layer of protection increases the security of our clients’ data.

Shifting to data-centric protection 

The future is now.  As I mentioned above, we defend at the level of code, and the new regulations require the same level of transparency when evidencing data sovereignty.  Introduced by Gartner in its 2022 Hype Cycle™, Data Security Posture Management (DSPM) is the key.  Unlike Cloud Security Posture Management, which focuses on the nuts and bolts of cloud infrastructure, DSPM focuses on the security of the data in these environments.  With Symmetry Systems’ DSPM as a partner, the combination of partners is the right one for Acxiom’s data clean room services.

Because data is fluid and can be shared across solutions, it is becoming the new edge. Rather than just protecting traditional endpoints such as servers and laptops, the data itself now needs to be secured. Symmetry Systems’ data-centric capabilities are like data firewalls designed to monitor the integrity of the data in its intended environment, including within a data clean room. 

This data-centric protection will become vital as industries move towards an aggressive digital landscape where cloud and digital environments are more connected. When we think of data access, we tend to think about people, but data is increasingly accessed by non-human system identities through automated workflow calls. And that’s where we increase data protection capabilities.    

If a data clean room instance is spun up and then spun down again in a cloud environment, we still need to understand what happened during the time that the ephemeral instance was active. Who accessed the data, and how was it accessed? Was it processed? Did it move? This requires monitoring at a higher level of intelligence using machine learning, and it’s where data-centric capabilities will be critical as we move forward.

By working with Symmetry Systems and Snowflake on our data clean room solution, we can validate our data-centric posture and provide a high level of comfort to our clients – especially those in heavily regulated industries like financial services, healthcare, and biotech pharma and in regions with strict data laws such as Germany and California. 

Of course, there also needs to be cooperation between the security and privacy teams because there’s a very close correlation between privacy regulations around data protection and the ability to demonstrate data is secured as far as possible. As our Chief Privacy Officer Jordan Abbott explains in another blog post, the privacy team can only attest to the privacy of the data if the security team can first attest to the security of the data.

It’s an exciting time in the life-cycle of data clean rooms, where we can finally enable brands to make the most of their data in a central, secure location while still retaining and demonstrating full control and data sovereignty. And I’m happy to be on the front line securing that data as the technology evolves.