I am a Solution Engineer for Spirion, LLC. My adventure using the data security software began in 2007 as the Indiana University Technology Services Manager for Student Enrollment Services. We had an organizational mission to provide a solution that would allow a better understanding our data footprint and the types of data existing on our workstations, servers, and websites. As it happens fate guided me to the Identity Finder software (These days known as Spirion - Sensitive Data Manager).
My first exposure to Identify Finder was in 2007 and I recall being impressed by the ease to a create custom installer for our workstations and how easily it was to review the data sent back from the managed devices. This was an empowering moment as a data steward and ultimately enabled the university with compliance (HIPPA and PCI-DSS), audit, all things data warehouse, and security. The software has continued to impress me by the quality of development and flexibility of settings. In May of 2015 I moved to an operational security engineer role to implement an enterprise adoption of the software at Indiana University and was successfully adopted. As result of this experience my relationship with the Spirion support, sales, and leadership teams also matured. Having first-hand experience managing, implementing strategy, and the adoption of the product, it seemed that joining the Spirion team would allow me to share my real-world expertise with its customers and help with sales. Spirion asked me to join the team in 2017!
During the course of many years administrating the Spirion (Formally Identity Finder) Sensitive Data Manager client and web console services I acquired experiences managing large and small deployments in both centrally and decentralized managed environments. As result of these varied experiences I have gained great insight into varied architectural and implementation strategies, real world exposure to managing data, the value of reporting to make decisions, and strategic plans to ensure success by meeting compliance.
Success can be hard to measure, however success of this software tool for me was the visibility gained by understanding where data resided, the classification (importance and sensitivity of the data), and the data types (SSN's, CCN, and more). It allowed a better understand where data was located and the sensitivity of the data which facilitated strategic decisions based on that data!
In my experiences of Sensitive Data Protection implementations, success was measured differently for each organization. However, establishing good communications and setting expectations for the tools use will garner adoption by the End-Users. For Indiana University we saw in just a few years' adoption of more than 20,000 deployed clients on Windows, Mac, and Linux devices. The efficiency to implement the software helped with adoption and deployment. The Sensitive Data Manager software helped me better understand the data footprint by recognizing patterns, interpreting business needs, and as result support the allocation of resources dedicated to certain types of data such as file servers for HIPPA and PCI-DSS or for specific levels of data classification. This further led to organizational business process changes, for example enabling the SharePoint rights management services as result of the Spirion data provided.
Remediation of the data is the ultimate goal and which the software provides flexibility to be creative in ways to meet your business goals. The changing tides of the cyber world and increased awareness of IT security, understanding the where, the type, and criticality of data has been in my security experiences the most enlightening aspect of being able to make informed decisions and improving IT security.
My hope is that as a security practitioner I can share my real world experiences using the Spirion Sensitive Data Manager in varied scenarios, provide encouragement, tips, architectural design, and provide useful decision points and guidelines for the decision makers as a new world of data discovery becomes possible. I am certain there are many components I have likely left out, however I will continue to add and modify resources to help make your deployment, adoption, and remediation as successful as possible.
I leave you with one thought, take a moment to think about this, "IT security ultimately results in an effort to protect the Human, that data contains." Mind blown!
The Sensitive Data Manager solution has a central web console acessible by any major web browsers to view the sensitive data results, locations, data types, data classification, and much more. The technology provides client and and clientless deployment methods which report back to the central web console.
The solution provides many automated processes that locate PII, PHI, and PCI data. The solution utilizes advanced algorithms incorporating contextual analysis, proximity checks, validations, industry checksums, minimum counts, and a variety of user customizable settings.
The solutions validation algorithms that identify keywords, negative keywords, context, minimum counts, and a variety of user-customizable settings, allowing the solution to only match the sensitive information. Once potentially sensitive data is located, the solution validates results against rules, such as Social Security Administration rules to ensure that an SSN could have been issued. It passes potential credit card numbers through the Luhn algorithm, and compares the number against definitions from issuing banks and financial institutions.
These few examples of intelligent, real-time and context-aware search features maximize accuracy and drastically reduce false positive results.