The Client is an Ohio-based, innovative provider of equipment and services for data centers, with a portfolio of power, cooling and IT infrastructure solutions and services that extends from the cloud to the edge of the network. Headquartered in Columbus, Ohio, the company has twenty thousand employees, more than twenty-five manufacturing and assembly facilities, and regional headquarters around the world. The company is listed on the New York Stock Exchange (NYSE).
The scope of this project is to implement PII identification, PII remediation and governance for structured and unstructured data across the Client's enterprise systems. This global implementation is a continuation of GDPR audits and assessments completed for over three thousand five hundred databases. In this data governance project, over five thousand five hundred applications and databases are in scope. The approved sensitive attributes need to be identified in the ChainSys metadata management application. The sensitive data needs to be remediated by data masking to avoid data breaches and stay compliant. Data governance procedures and policies need to be established for continuous PII monitoring and remediation.
The Client is at high risk of significant fines, data breaches, damage to brand reputation, and potential loss of customers if it does not mitigate the risk of failing to adhere to GDPR, CCPA and other privacy laws. Sensitive, high-value PII data is scattered across different applications and files throughout the organization, and the Client was looking for a centralized platform for PII identification, remediation and data governance.
The new rules grant people more rights regarding how companies handle their personally identifiable information (PII), and they impose heavy fines for non-compliance and data breaches, up to 4 percent of a company’s yearly revenue. For security teams, this means making sure that PII is adequately protected and that the proper reporting processes are in place.
The client faced the following major challenges:
1. 5500+ databases need to be scanned to identify the PII data categories.
2. Identified PII data needs to be remediated
3. Scheduling of PII Data scanning process
4. Scheduling of Data Remediation Process
The technical landscape at the Client consists of 30+ heterogeneous applications that are integrated with a Big Data environment made up of three Cloudera Hadoop clusters: Development, Production, and Disaster Recovery. The clusters are configured with LDAP, Kerberos, and Sentry for authorization and access controls. Reporting is to be performed directly off the Production data lake only (via the Silver and/or Gold layers only) using standard reporting tools.
ChainSys deployed dataZense, part of the Smart Data Platform, for PII data scanning, remediation, and implementing data governance.
PII data profiling and data masking within the dataZense application are broken out into the following three high-level processes:
1. PII Data Identification
Identify the systems to be considered for sensitive data (PII) identification and run the data profiling process to identify the PII attributes. This provides complete visibility of the identified PII data, i.e. Server, Instance, Database, Schema, Table, and Column level details.
Personal data are grouped into two categories: Critical and Confidential data elements.
Critical data elements are those by which you can directly identify an individual, such as their Social Security number, National Identifier, Visa Number, Passport Number, Employee Number, etc.
Confidential data elements are information that, when combined with other personal data elements, can identify individuals, e.g. First Name, Last Name, Date of Birth.
2. Business Review and Approval
The identified PII attributes will go through False-Positive / False-Negative analysis and be approved for remediation.
3. PII Data Remediation and Governance
The PII governance process is to get consent from the data owners to “Keep” the PII data in systems (Production and Non-Production). This will have a lineage from the PII data value to the owner. Once the owner gives consent or no-consent on their PII data attributes, we will trigger the appropriate remediation steps. The business-approved PII attributes will be considered for remediation.
dataZense - To Visualize, Analyze, Catalog and Scramble Data for Effective Decision Making & Security.