Make a submission

Accepting submissions till 28 Feb 2022, 11:00 AM

What are lean data practices, and how can you adopt them for compliance? How do you handle user data deletion requests at exabyte scale? How can you anonymize PII while also sharing data with third-party tools and services? What data governance strategies do the best organizations in India follow?

The Privacy Mode Best Practices Guide (BPG) is a compendium of answers to these and other questions around privacy and data security. Compiled from talks, interviews and focus group discussions, the BPG is a practitioner’s view of implementing better privacy from the design stage and of ensuring compliance with national and international laws.

Each submission is a chapter of the BPG and will cover one or more of the following topics:

  • Data asset enumeration
  • Data flow enumeration
  • Data classification
  • Access control based on classification

Hosted by

Deep dives into privacy and security, and understanding the needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences.

Supported by

Omidyar Network India invests in bold entrepreneurs who help create a meaningful life for every Indian, especially the hundreds of millions of Indians in low-income and lower-middle-income populations, ranging from the poorest among us to the existing middle class. To drive empowerment and social i…
We’re the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. As a hyperscale cloud service provider, AWS provides access to highly advanced computing tools on rent for startups and SMEs at affordable prices. We help t…

Anwesha Sen (@anwesha25)

Jan Hecking (@jhecking)

Best Practices Guide: Guardrails for the Data Economy

Submitted Apr 28, 2022

Name of Organization: Borneo

Domain: Data Security Company

Talk by Jan Hecking

Summary

Borneo is a real-time data security and privacy observability platform for hyper-growth businesses; it builds tools that help companies protect their customers’ data. It lets a team identify, understand and remediate sensitive-data risk at cloud scale, and automates governance for data warehouses.

In this guide, Jan explains how Borneo has been building the “Guardrails of the Data Economy”, using a case study of a client that fast-tracked PCI DSS compliance for its cloud infrastructure. Borneo’s inspection engine ingests large volumes of data and inspects it for sensitive information. Wherever sensitive information was found, the team pinpointed the source of the problem (in this case, card numbers that reached application logs through a parsing error) and was able to stop such information from being logged again.

Terms/Glossary

  • PCI DSS: Payment Card Industry Data Security Standard

Detailed study

Borneo is a real-time data security and privacy observability platform for hyper-growth businesses; it builds tools that help companies protect their customers’ data. It lets a team identify, understand and remediate sensitive-data risk at cloud scale. This guide describes how the Borneo team has been building the guardrails of the data economy, using the example of a client they helped meet PCI DSS requirements.

The inspection engine ingests large amounts of data and inspects it for sensitive information. Gaining visibility is the first step: sensitive data cannot be protected until you know where it is stored and how it can be protected.

The client that worked with Borneo was a large Indian fintech start-up that had to comply with PCI DSS. (PCI DSS is an industry standard, enforced contractually by the card brands and acquiring banks rather than by a government regulator, but the compliance process is similar.) That process can be broken down into three steps:

  • De-scope: identify the systems that make up the data infrastructure and that handle the data covered by the standard. For PCI DSS this is cardholder data. Only these systems have to meet the standard’s security requirements.
  • De-risk: mitigate the risk of handling the sensitive data by implementing the required security measures, so that the data is stored and processed securely.
  • Document: record whether and how each security measure is implemented, along with any compensating controls.

De-scoping is crucial: if one can prove that a system does not contain any cardholder data, that system is out of scope and does not need the PCI DSS controls added to it. This has to be documented for the PCI auditor, with evidence that the systems in question do not contain cardholder data.

Borneo’s client was already PCI DSS compliant, but it had to prove to the PCI auditors that its new data infrastructure in the AWS cloud did not contain cardholder data and was therefore out of scope for PCI compliance.

They first looked at the primary data stores, a fleet of Amazon RDS MySQL instances. Borneo ingested the data from every table on every RDS instance and inspected it for sensitive data. By analysing the columns, they collected data and metadata about all the sensitive data present and were able to show that none of it was cardholder data.

However, sample scans of the S3 buckets detected credit card numbers, along with other sensitive data, in one of the buckets. To pinpoint the source of the problem, Borneo ran a full scan of that bucket, which produced a detailed list of findings with every detected token and its location. These findings let the engineering team locate the credit card numbers in the files.

The specific log entry was used to find the root cause of why credit card numbers were being logged: one of the systems expected the card number to be passed as an integer but was receiving it as a formatted string. The resulting number format exception was logged, and the formatted card number with it. The engineering team was able to suppress these kinds of log entries going forward.
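As an added illustration (example code written for this guide, not Borneo’s inspection engine or the client’s code), the Python below shows both halves of the story from the S3 scan and the root-cause log entry above: a detector that scans constructed sample log lines for primary account numbers (PANs) using a loose digit pattern tightened with the Luhn checksum, and the logging path that leaked them. It assumes the parse failure behaved like Python’s int() on a string, whose exception message echoes the raw input (Java’s NumberFormatException does the same), so that logging the exception logs the card number. Instead of only suppressing the log statement, it attaches a filter that masks PANs in every record before a handler writes it. The sample lines, test card numbers and all function names are constructed for this example; the same find_pans can be run over table columns or object contents.

```python
import io
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
# The pattern is deliberately loose; the Luhn check below rejects most
# ordinary numbers (ids, timestamps) that happen to be the right length.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the most PCI DSS permits on
    display) and replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return (start, end, masked) for every Luhn-valid PAN in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), mask_pan(digits)))
    return hits

def scrub(text: str) -> str:
    """Replace every detected PAN in text with its masked form."""
    out, last = [], 0
    for start, end, masked in find_pans(text):
        out.append(text[last:start] + masked)
        last = end
    return "".join(out) + text[last:]

def scan_lines(lines):
    """Inspect log lines (or any text records); return {line_no: [masked PANs]}."""
    findings = {}
    for i, line in enumerate(lines):
        hits = find_pans(line)
        if hits:
            findings[i] = [masked for _, _, masked in hits]
    return findings

class PanScrubbingFilter(logging.Filter):
    """Mask PANs in the rendered message before the handler writes it, so the
    number never reaches the log sink, whichever code path logged it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True

def log_parse_failure(raw: str, logger: logging.Logger) -> None:
    """The leak (hypothetical reconstruction): a field expected to be an
    integer is converted directly; a formatted card number raises ValueError
    whose message echoes the raw input, and that message gets logged."""
    try:
        int(raw)
    except ValueError as exc:
        logger.error("parse failed: %s", exc)

def render_log(raw: str, scrubbed: bool) -> str:
    """Return the text a handler writes for a parse failure on raw, with or
    without the scrubbing filter attached."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if scrubbed:
        handler.addFilter(PanScrubbingFilter())
    logger = logging.getLogger("example.scrubbed" if scrubbed else "example.raw")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    log_parse_failure(raw, logger)
    handler.flush()
    return buf.getvalue()

# Constructed sample log lines; the card numbers are published test PANs.
SAMPLE_LOG = [
    "2022-01-10T09:15:01Z INFO order=7781 status=ok",
    "2022-01-10T09:15:02Z ERROR invalid literal for int() with base 10: '4111 1111 1111 1111'",
    "2022-01-10T09:15:03Z INFO req_id=1234567890123456 status=ok",
    "2022-01-10T09:15:04Z ERROR invalid literal for int() with base 10: '5555-5555-5555-4444'",
]

if __name__ == "__main__":
    print(scan_lines(SAMPLE_LOG))
    print(render_log("4111 1111 1111 1111", scrubbed=False), end="")
    print(render_log("4111 1111 1111 1111", scrubbed=True), end="")
```

Suppressing the offending log statements, as the team did, stops this particular leak; masking at the handler also catches the next code path that logs the same field, and it keeps the stored logs usable for the auditor because first-six/last-four is a permitted display form. The detector is only a starting point: the Luhn check filters most random digit runs but not all of them, so findings still need review, and it will miss card numbers split across fields or stored in other encodings.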

The whole process took three weeks, and as a result the client was able to fast-track its PCI compliance. Borneo generated the documents and reports within a few days, work that might otherwise have taken the team weeks, and these convinced the PCI auditors to take the AWS cloud infrastructure out of scope for PCI compliance.

