Estuate Secures Private Data for Financial Services Firm

single image
Client  
         :  A leading online investing services company.

Industry       :  Financial Services

Practice Area  :   


Background:

The client is a leading online investing services company and a provider of online retail banking products and services, commercial lending and commercial equipment financing. Founded in 1980 to provide investors and traders with a better way to invest and make their own trading decisions, it has grown into the largest branch network among online investing firms and provides education to help millions of investors invest for themselves.

The client’s finance services was named by The Monitor as one of 2014’s "Top 25 Most Active Players in the Vendor Channel," with $96.9 million of vendor/dealer related new business volume. Overall in 2014, the division had nearly $291 million in new business volume.

The client was also named number 83 in sales volume and number 65 in new business volume on the 2015 Monitor 100 ranking, published by the trade publication The Monitor. The ranking lists the 100 largest equipment finance and leasing companies in the United States by annual volume and asset size.

Business Challenge:

The rapid growth of the client, a major financial services firm, brought with it significant pressures related to data security. With the increasing sophistication and number of threats to data security (both internal and external), data security had to be bullet proof, tested continually, and free of complications. Like most financial institutions, Customer Sensitive Information (CSI) was highly secured in the production environment. However, security measures in the test environment were more relaxed.

Due to federal requirements, their corporate parent mandated secure CSI in the test environment via a robust data masking process. Significant amount of sensitive data existed (such as SSN, Tax ID) in non-production systems, which contributed to significant risk. There was a need to mask the data in these systems which were primarily used for development, testing and support purposes. The client needed a comprehensive approach to protect the Customer Sensitive Information (CSI) in the test environment while reducing the probability of a data breach and the associated financial and customer loyalty implications.

Estuate also needed to address several technical challenges while delivering the project, including that:

  • The client was storing the SSN/Tax ID in the same column. They did not have any flag to differentiate these elements. SSN and Tax ID have different validation rules. The data had to be consistently masked for both data types.
  • The client was storing the data in encrypted fields within SQL server. The data needed to be decrypted, masked and encrypted back. This was a specialized capability not supported by IBM InfoSphere Optim.
  • iSeries had multiple record format files. In these files the SSN/Tax Id were stored in different positions based on record types. All the data for a particular row were stored in a single column. This data had to be extracted and masked in a single iteration.
  • The client had a lot of database systems with a huge volume of data. The data had to be masked within stipulated time frame without any down time.

The Estuate Solution:

Estuate delivered an approach to data masking that enabled the client to successfully lock down production data, while allowing for full-daily testing and development activities. The solution delivered covered both data identification and data masking.

The first stage of the data masking project was to understand what data was needed to mask and where it was located. Data Identification was performed to know the location, trends and relationships within to perform the consistent masking runs.

Automated data discovery was used to ensure an objective, a systematic approach to data sampling, making it possible to verify that all of the required sensitive content has been identified and secured on an ongoing basis. Estuate developed new algorithms to identify potentially sensitive trends and relationships within the data and filter them out.

Once the Estuate established what sensitive data is going to be masked and where it was located,  IBM InfoSphere Optim’s scalable data masking techniques were deployed across applications, databases, operating systems and hardware platforms to meet current and future needs. Estuate developed new routines and techniques for accurately masking complex data elements. Estuate incorporated specific data transformation routines that integrated processing logic from multiple related applications that supported even the most complex data masking requirements.

Solution Overview:

  • Replaced sensitive customer information, such as credit card or social security numbers with realistic values.
  • Developed new templates and format rules, consistently transforming data in order to maintain referential integrity for applications.
  • Supported extensive search capabilities to scan enterprise databases for sensitive data.
  • Helped comply with data privacy mandates such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS) etc,.

Business Impact:

Estuate’s solution shielded confidential data, such as credit card numbers, addresses, and phone numbers from unintended exposure by de-identified data that can be shared safely internally or externally. It also:

  • Prevented data breaches by avoiding disclosure or leakage of sensitive data.
  • Ensured data integrity by preventing unauthorized changes to data, data structures, configuration files and logs.
  • Reduced cost of compliance by automating and centralizing controls and simplifying audit review process.
  • Protected privacy by preventing disclosure of sensitive information by masking data in databases, applications, reports on demand across the enterprise.


        We needed to be confident that identifiable personal data is completely protected from unauthorized use for compliance reasons. However, we also needed to use production-derived data in non-production environments to enable efficient and thorough testing. Failure to ensure data privacy compliance could have resulted in millions of dollars in financial penalties and possibly even more. Estuate understood the challenges we had and they delivered a solution with no disruption to the day-to-day business that had to keep going. The solution with the masking capability is now helping us protect sensitive data and also meet stringent targets for test data management.

 





Manager – Information Security