A brief rant on converging compliance regimes

35 points, by tapanjk, over 2 years ago

4 comments

traceroute66, over 2 years ago

> evolution from "data as value" to "data as risk"

This jumped out at me in the blog post. IMHO "data as value" is 3/4 of the problem.

Storage evolution has made data hoarding cheap, and the hoarding desire is mostly driven by "monetization" goals.

Those who bitch and moan the loudest about regulatory compliance are generally those who hoard the most for the least necessary reason.

Keep only the data you require, and the amount that needs securing when compliance comes knocking is far more manageable than attempting to secure an ocean of guff.
Comment #34248752 (not loaded)
BeefySwain, over 2 years ago

> ...field-level encryption should be a starting place for new application development...

What does the state of the art look like here? Particularly when it comes to familiar tech like Postgres and Redis?

> Conversely, this will generally be a pain to work with ... (You can, of course, build something like a trigger to allow retrieving the keys within the database, but that would significantly undermine the value of this entire enterprise.)

Is this limitation inherent to the concept, or are there some creative ways to retain the benefits without having to lose the relational aspect of the DB?
Comment #34262057 (not loaded)
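An added example, not from this thread, the linked rant, or any of its commenters, of one common answer to the two questions above. The application holds the keys and the database stores only ciphertext, so there is no trigger or in-database key path to undermine; each ciphertext is bound to its table, column and row id through AES-GCM associated data, so a value copied from one row to another fails to decrypt; and a keyed-hash "blind index" stored in a sibling column keeps plain SQL equality lookups and joins working without ever giving the database the key. Everything runs in memory with hard-coded, constructed keys; the `users`/`email` names and the map standing in for a table are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Field names the row/column a ciphertext belongs to. It is bound into the
// AES-GCM associated data, so a blob moved to another row or column is
// rejected on decrypt instead of silently decrypting to the wrong record.
type Field struct {
	Table, Column, RowID string
}

func (f Field) aad() []byte {
	return []byte(f.Table + "\x00" + f.Column + "\x00" + f.RowID)
}

// FieldCipher holds keys that exist only in the application (in practice
// fetched from a KMS/HSM). The database sees ciphertext and indexes only.
type FieldCipher struct {
	dek   cipher.AEAD // data-encryption key, AES-256-GCM
	index []byte      // separate key for the HMAC blind index
}

func NewFieldCipher(dek, indexKey []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{dek: aead, index: indexKey}, nil
}

// Encrypt returns nonce||ciphertext||tag for one field value.
func (c *FieldCipher) Encrypt(f Field, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.dek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.dek.Seal(nonce, nonce, plaintext, f.aad()), nil
}

func (c *FieldCipher) Decrypt(f Field, blob []byte) ([]byte, error) {
	ns := c.dek.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return c.dek.Open(nil, blob[:ns], blob[ns:], f.aad())
}

// BlindIndex is HMAC(indexKey, column || 0 || plaintext), stored beside the
// ciphertext so the database can answer WHERE email_idx = $1 without the
// key. Only equality survives; range and LIKE queries over the field are gone.
func (c *FieldCipher) BlindIndex(column string, plaintext []byte) string {
	m := hmac.New(sha256.New, c.index)
	m.Write([]byte(column))
	m.Write([]byte{0})
	m.Write(plaintext)
	return hex.EncodeToString(m.Sum(nil))
}

// row is what the database actually stores for one user record.
type row struct {
	emailCT  []byte
	emailIdx string
}

// Demo runs the pattern end to end with constructed keys (assumption: a
// real deployment pulls the DEK from a KMS and never embeds it). It returns
// the plaintext found by blind-index lookup and whether a ciphertext swap
// between rows was rejected.
func Demo() (found string, swapRejected bool, err error) {
	fc, err := NewFieldCipher(bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32))
	if err != nil {
		return "", false, err
	}
	table := map[string]row{} // stands in for the users table
	for id, email := range map[string]string{"1": "alice@example.com", "2": "bob@example.com"} {
		ct, err := fc.Encrypt(Field{"users", "email", id}, []byte(email))
		if err != nil {
			return "", false, err
		}
		table[id] = row{emailCT: ct, emailIdx: fc.BlindIndex("email", []byte(email))}
	}
	// Equality lookup exactly as SQL would do it: compare index columns.
	want := fc.BlindIndex("email", []byte("bob@example.com"))
	for id, r := range table {
		if r.emailIdx == want {
			pt, err := fc.Decrypt(Field{"users", "email", id}, r.emailCT)
			if err != nil {
				return "", false, err
			}
			found = string(pt)
		}
	}
	// Row 1's ciphertext pasted into row 2 must fail: the AAD differs.
	_, err = fc.Decrypt(Field{"users", "email", "2"}, table["1"].emailCT)
	return found, err != nil, nil
}

func main() {
	found, swapRejected, err := Demo()
	fmt.Println(found, swapRejected, err)
}
```

The trade-off the quoted rant points at is real: the index column leaks equality (two rows with the same email share an index value), and ordering, prefix search and aggregation over the encrypted field have to move into the application. Key rotation means re-encrypting or carrying a key version with each blob; neither is something a trigger inside the database should be doing on the application's behalf.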
VLM, over 2 years ago

It's like being in manufacturing in the late 60s, noticing the EPA is coming, and wondering how to continue operating.

When you can't work in a geographic location anymore, the answer has always been to offshore or close. Silicon Valley in 2040 will probably look a lot like Detroit does today. Remember that Detroit in 1960 looked a lot like SV now, correcting for inflation and technology, etc. Actually Detroit in 1960 was a much nicer place to live than SV now.

"Relatively soon" the concept of storing the general public's data for them, while officially or unofficially sharing with everyone for profit, will disappear from most countries.

My guess is some kind of weird legal fiction where I have something like an encrypted Google Drive that I "own" and Google can't access, and everyone storing data about me is actually looking at documents they signed and encrypted that I store "for" them in "my" storage, although I probably can't even decode the data I'm storing for them.

By analogy, the easiest way for Citibank to extend me credit card available credit is to have a big list on their side of everyone they've ever extended credit to, which I'm sure many people would love to steal and sell for aggregated marketing data and similar nonsense. However, in theory, Citibank could store nothing at all, and extend several thousand one-dollar credits to me in the form of letters or documents, and a software infrastructure could trivially prove my ownership of those credits. Kind of like blockchain but without any of that pesky privacy stuff nobody wants but the end users, and nobody cares what end users want, so we're not going to get that.

This is how the paper coupon market worked back when people used paper coupons. They were pretty big with the WWII "ration book" generation, not so popular now. Back in 1981 I was never on a list at company HQ of dudes allowed to buy a can of Pepsi for 20 cents instead of 25 cents; I just had a paper token claiming five cents off.

Technically in the old days dental records were on paper in folders and you'd carry them from dentist to dentist as you moved. Somehow I lost mine when I moved and the old dentist went out of business, those things happen, so I have no dental records from before I was 30 or so. Anyway you can't steal my records from the dentist if he doesn't have my records because my records exist solely on a flash drive in my pocket. Hopefully I'll keep backups, but "the way things are" will have to change to tolerate some percentage of your customers losing all their data every year. Most data is trash anyway, so not much loss. There's a lot of misplaced faith in data, that my tooth records could somehow improve my QoL or make someone a pile of money, but IRL my tooth records are not in practice of any value, and if a dentist wants to know if I have a filling he can just take a look at the tooth; it's pretty obvious.
Comment #34247790 (not loaded)
Comment #34248689 (not loaded)
twunde, over 2 years ago

There are really two different groups of compliance programs: privacy compliance programs like GDPR and CCPA, and security compliance programs like SOC 2, PCI and HITRUST. What's been happening over the last few years is that some of these security compliance programs like SOC 2 or HITRUST are adding privacy concerns (usually as optional components) so that companies can do one audit for everything instead of doing multiple audits.
Comment #34249021 (not loaded)