Name of Organization: Borneo
Domain: Data Security Company
Talk by Jan Hecking
Borneo is a real-time data security and privacy observability platform for hyper-growth businesses and builds tools that empower companies to protect their customers’ data. It enables one to identify, understand, and remediate sensitive data risk at cloud scale, as well as automate governance for data warehouses.
In this guide, Jan explains how Borneo has been building the “Guardrails of the Data Economy”, using a case study in which they helped a client fast-track PCI DSS compliance of its cloud infrastructure. They used an inspection engine that ingests large volumes of data and inspects it for sensitive information. Where sensitive information was found, they pinpointed the source of the problem and were able to stop that information from being logged again.
- PCI DSS: Payment Card Industry Data Security Standard
This guide talks about how the Borneo team have been building the guardrails of the data economy, using the example of how they helped their client meet PCI DSS requirements.
They use an inspection engine that ingests large amounts of data and inspects whether it contains any sensitive information. Gaining visibility is the first step: one has to know where sensitive information is stored before one can decide how it should be protected.
The client that worked with Borneo was a large Indian fintech start-up that had to meet PCI DSS requirements. The process of meeting such requirements can be broken down into three steps:
- De-Scope - identify the systems that make up one’s data infrastructure and handle data that falls under the particular standard. In the case of PCI DSS, this is cardholder data. These systems have to comply with the security requirements.
- De-Risk - to mitigate the risk of handling such sensitive data, implement the required security measures so that the data is stored and processed securely.
- Document - record if and how the security measures are implemented, along with any compensating controls.
De-scoping is crucial because if one can prove that a system does not store, process or transmit cardholder data (and is kept separate from the systems that do), then that system is out of scope and need not have PCI DSS controls applied to it. One needs to be able to document this for a PCI auditor, with evidence rather than assertion, proving that the systems in question do not contain cardholder data.
The client that Borneo worked with was already PCI DSS compliant, but they had to prove to the PCI auditors that their new data infrastructure in the AWS cloud did not contain cardholder data and was therefore out of scope for PCI compliance.
They first looked at the primary data stores, a fleet of Amazon RDS MySQL instances, and Borneo inspected the data. The engine ingested the data from every table in every RDS instance and inspected it for sensitive data. By analysing the columns, they collected data and metadata about all the sensitive data that was present and were able to show that none of it was cardholder data.
However, they also ran sample scans on the S3 buckets and detected some credit card numbers, along with other sensitive data, in one of the buckets. To pinpoint the source of the problem, Borneo then did a full scan of that bucket, which generated a detailed list of findings with every detected token and its location. These findings let the engineering team locate the credit card numbers in the log files.
The specific log entry was used to determine the root cause of why the credit card numbers were being logged. One of the systems expected the credit card number to be passed as an integer, but it was receiving the number as a formatted string. This caused a number format exception, and the exception was logged with the offending input, so the full card number ended up in the log. The engineering team fixed the parsing and suppressed these kinds of log entries going forward, so the numbers would no longer be written out.
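The bug and the scan that surfaced it, reconstructed as an added example: this is not Borneo's engine or the client's code. It models the failing system as a Python handler that calls int() on the card number (the page's "number format exception" suggests Java, but the mechanism is the same: the exception message echoes the unparseable input), runs a small PAN detector with a Luhn check over the captured log lines, the way the bucket scan did over log files, and shows the hardened handler that never lets the raw value reach a log. All function names, log lines and card numbers are constructed; 4111111111111111 and 5555555555554444 are well-known test numbers, not real cards.

```python
"""
Added example, not Borneo's or the client's code: reconstructs the log leak
described above and a minimal version of the scan that found it.
Every name, log line and card number here is constructed for illustration.
"""
import io
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most random digit runs (request ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four are the most PCI DSS permits to be displayed."""
    if len(digits) < 13:
        return "<invalid length>"
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines):
    """One finding per Luhn-valid PAN: (1-based line number, masked PAN).
    A production engine also records the object key and token offset so
    engineers can jump straight to the offending record."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def run_handler(handler, payload):
    """Run a request handler with a logger whose output is captured as lines,
    standing in for the S3 log objects that were scanned.
    Returns (handler result, list of log lines)."""
    buf = io.StringIO()
    logger = logging.getLogger(handler.__name__)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    result = handler(logger, payload)
    return result, buf.getvalue().splitlines()


def charge_vulnerable(logger, payload):
    """Before: the PAN is treated as an integer. A formatted string makes int()
    raise, and the exception message echoes the full input into the log.
    (logger.exception() with a traceback would leak the same message.)"""
    try:
        return int(payload["card_number"])
    except ValueError as exc:
        logger.error("could not parse card number: %s", exc)
        return None


def charge_hardened(logger, payload):
    """After: a PAN is an identifier, not a number. Normalise separators,
    validate length and Luhn, and on failure log only a masked form so the
    raw value can never reach a log object."""
    digits = re.sub(r"[ -]", "", payload["card_number"])
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        logger.warning("rejected card number: %s", mask_pan(digits))
        return None
    return digits  # handed on to the tokeniser / payment processor, never logged


# Constructed sample of an application log, standing in for one S3 object.
SAMPLE_LOG = [
    "2021-06-01T10:00:01Z INFO  payment request received id=1234567890123456",
    "2021-06-01T10:00:01Z ERROR could not parse card number: "
    "invalid literal for int() with base 10: '4111-1111-1111-1111'",
    "2021-06-01T10:00:02Z DEBUG retry with card 5555 5555 5555 4444",
]

if __name__ == "__main__":
    print("sample log findings:", scan_lines(SAMPLE_LOG))
    _, leaked = run_handler(charge_vulnerable, {"card_number": "4111-1111-1111-1111"})
    print("vulnerable handler logged:", leaked, "->", scan_lines(leaked))
    _, clean = run_handler(charge_hardened, {"card_number": "4111-1111-1111-1111"})
    print("hardened handler logged:", clean, "->", scan_lines(clean))
```

The Luhn check is what keeps the scan usable at bucket scale: the 16-digit request id in the first sample line is a candidate by length alone but fails the checksum, so it is not reported, while both formatted card numbers are. The hardened handler also removes the root cause rather than only the symptom: a card number is never a valid integer (leading zeros and length are significant), so parsing it as one guarantees exceptions whose messages carry the secret.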
The whole process took three weeks, and as a result the client was able to fast-track its PCI compliance. Borneo generated the documents and reports within a few days, work that might otherwise have taken the team weeks, and these were used to convince the PCI auditors to take the AWS cloud infrastructure out of scope for PCI compliance.