A 2016 Pew Research Center report found that 74 percent of Americans classify limiting access to their personal information as “very important.” As companies roll out customer-focused applications to improve user experiences, people expect any company that collects PII (Personally Identifiable Information) or PHI (Protected Health Information) to protect it. PII discovery tools help companies find PII and other sensitive information wherever it lives in their network infrastructure.
Continue reading to learn what PII data discovery tools are, how they protect your technology ecosystem, and how to select the right tool for your business.
What Do PII Scanning Tools Do?
Scanning tools enable companies to identify and track where PII goes throughout an information system. They help companies comply with regulations that require PII collectors to know where PII resides, how it is stored, and how it is used. Most tools also rank or label each finding by sensitivity or risk level. Companies collect PII because it makes services more convenient and lets them track financial information, demographic trends, and personal preferences; that same value makes any company gathering and processing PII a prime target for attackers.
What Are PII and PHI?
PII is information that identifies a specific individual, or that can be combined with other data to do so: a name, home address, phone number, Social Security number, passport number, or insurance number. PHI is health information (diagnoses, treatments, medical record numbers, billing records) that is tied to an identifiable individual; in the United States it is regulated under HIPAA. Scanning tools help companies spot exposures such as unencrypted PII or PII sitting in the wrong storage location.
Industries that collect PII include healthcare, financial, government, and telecommunication companies. Because PII underpins consumer services, it is often spread throughout a company’s environment. With PII “at rest,” “in use,” and “in motion,” companies struggle to identify every instance of it within their environment.
Companies can use PII discovery tools on cloud platforms, servers, or desktop/laptops. Here are a few examples of PII that these tools can identify:
- Credit card and bank account information
- Passport or driver’s license information
- Names, dates of birth, phone numbers
- Email addresses
- Medical conditions
- Information about family members or other relatives
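To make concrete what content-based discovery actually does, here is a minimal scanner. It is an added example written for this article, not the code of any product discussed below. Its rule table, regular expressions, risk levels, regulation mapping, and sample text are all constructed for illustration; real tools ship far larger rule sets and validators (and name detection, which needs more than a regex, is deliberately left out). The example shows the three things discovery tools are described as doing: finding PII by pattern, cutting false positives with a validity check (the Luhn checksum for card numbers), and labelling each finding by risk level and by the regulation that covers it, while masking values so the report itself does not become one more copy of the PII.

```python
"""Minimal content-based PII scanner (constructed example, not any vendor's code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Rule table: (data type, regex, risk level, regulations that cover it).
# The regexes and the regulation mapping are simplified for illustration.
RULES = [
    ("ssn",         re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"), "high",   ("GDPR", "CCPA")),
    ("credit_card", re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),                               "high",   ("PCI DSS",)),
    ("mrn",         re.compile(r"\bMRN[:#\s]*\d{6,10}(?!\d)"),                                    "high",   ("HIPAA",)),
    ("email",       re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),                                  "medium", ("GDPR", "CCPA")),
    ("us_phone",    re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),                "low",    ("GDPR", "CCPA")),
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects arbitrary 13-19 digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the scan report is not itself a PII store."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    data_type: str
    risk: str
    regulations: tuple
    masked: str


def scan_text(text: str) -> list:
    """Run every rule over every line; return masked, labelled findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for data_type, pattern, risk, regs in RULES:
            for m in pattern.finditer(line):
                value = m.group(0).strip()
                if data_type == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                    continue      # digit run fails Luhn: treat as a false positive
                findings.append(Finding(line_no, data_type, risk, regs, mask(value)))
    return findings


def by_regulation(findings) -> dict:
    """Count findings per regulation, the view an auditor asks for ("show me PCI DSS data")."""
    counts = Counter()
    for f in findings:
        counts.update(f.regulations)
    return dict(counts)


def highest_risk(findings) -> str:
    """Overall risk label for a file or location: the most sensitive thing found in it."""
    return max((f.risk for f in findings), key=RISK_ORDER.get, default="none")


# Constructed sample input; none of these values belong to a real person or account.
SAMPLE = """\
Customer: Jane Doe, jane.doe@example.com, (555) 123-4567
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111 (exp 12/26)
Old card: 4111 1111 1111 1112
Order #7819 total 129.99
Patient MRN: 00123456 diagnosis code J45.909
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE)
    for f in results:
        print(f"line {f.line_no}: {f.data_type:<11} risk={f.risk:<6} {', '.join(f.regulations):<10} {f.masked}")
    print("by regulation:", by_regulation(results))
    print("highest risk:", highest_risk(results))
```

Two design points carry over to real deployments. The Luhn check is why the fourth line (a 16-digit number that fails the checksum) produces no finding: pattern-only scanners drown operators in false positives, so each rule needs a validator where one exists. And the report stores only masked values; a discovery tool that writes plaintext findings to a log or database has just created a new, usually less protected, copy of the data it was meant to locate.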
PII Data Discovery Tools and Compliance
GDPR, PCI DSS, CCPA, HIPAA, PDPA, and PIPEDA all require oversight of PII, although to varying degrees. If a compliance standard requires you to locate and secure PII, a PII discovery tool is highly recommended. Here is one example of how a privacy standard demands close oversight of PII.
GDPR – The General Data Protection Regulation (GDPR) protects the personal data of people in the EU and the European Economic Area (EEA). It limits how that data can be used both within the EU and outside it, and it applies to any organization processing the data, wherever that organization is located. A personal data breach must be reported to the supervisory authority within 72 hours and, where it poses a high risk to individuals, to the affected individuals as well.
Additionally, the GDPR gives individuals the right to know how companies use their personal data, the right to request access, the right to correct inaccuracies, and the right to erasure. To fulfill these requests within the GDPR’s time limit (generally one month), companies must already know where the data exists in their systems.
The Benefits of Discovery Tools
At their core, sensitive data discovery tools help companies spend more time on productive, innovative work than on mundane, repetitive tasks. Rather than allocating numerous employees to a manual discovery of PII, these tools reduce the burden on IT and security teams.
- Reduce Data Exposure – Customers expect companies to implement safeguards that protect PII and PHI. Whenever such data is exposed, customers lose faith in the company. Reducing data exposure is in any organization’s best interest, not only to avoid compliance violations but also to retain customer trust.
- Identify Encryption Gaps – Encrypting PII at rest limits the impact of a breach: stolen ciphertext is useless to an attacker who does not also obtain the keys, which is why key material must be stored and access-controlled separately from the data it protects. Discovery tools can report where PII resides and whether that location is encrypted, helping companies find and relocate copies that slipped through the cracks.
- Tracking Manageability – For large companies that collect vast amounts of data, tracking PII becomes a hassle. Discovery tools are especially beneficial for them because PII is usually spread throughout their information systems. Compliance standards generally require that companies know where PII resides and that it is classified by degree of sensitivity. Automating that inventory gives IT and security teams more time to actually safeguard the data.
The Basics of PII Data Discovery Tools
As with most products, not all PII discovery tools are equal. Some provide basic services that fulfill only the needs of small firms, while others offer a more extensive toolbox, including metadata discovery, filtering, content discovery, and classification. Estimating how much PII you collect and the size of your customer base will help narrow down the type of tool or subscription tier you need.
Sensitive data discovery overlaps with many other security tools in terms of functionality. For example, data loss prevention (DLP), data-centric security, and privacy management software all provide some level of data discovery. However, not all of them specifically target sensitive data or offer a user interface that makes sensitive data easy to manage.
Manual vs. Automatic Sensitive Data Detection
Companies must choose between two options for identifying sensitive data like PII or PHI: manual discovery and automated discovery. The manual path requires companies to identify all incoming PII and map its path (for example, through manual surveys and workflow management) as it traverses the network environment. This is feasible for small businesses but quickly becomes unrealistic for mid-sized to large companies processing massive amounts of data and metadata, so larger companies turn to automated tools. The list below covers six discovery tools commonly used today to protect PII and comply with privacy and security regulations.
Six PII Data Discovery Tools
1. OneTrust
OneTrust targets larger companies, such as Fortune 500 firms. It has broad-spectrum applicability to fulfill multiple compliance requirements, including the CCPA, GDPR, LEPD, PDPA, ISO 27001, and more. Like Egnyte (below), it uses AI and a robotic automation engine to identify and classify sensitive data. OneTrust also offers a specific third-party risk product, since many companies do not solely own all of their PII or PHI. The pricing model varies by task, such as privacy requests, data mapping, or targeted discovery. There are both single-user and unlimited options with a monthly fee based on the level of functionality.
Pros: Covers many different compliance regulations.
Cons: Aimed and priced for larger companies.
2. Nightfall
Nightfall, a web-based SaaS tool, uses machine learning to classify data, while its configuration determines how sensitive data is handled. For example, teams can configure Nightfall to delete unnecessary data, trigger alerts, or quarantine data. One unique aspect of Nightfall is its Nightfall Startup solution, which specifically targets new-to-market companies and aims to secure systems while allowing for flexibility and growth. Additionally, Nightfall offers Slack, Google Drive, GitHub, Confluence, Jira, and AWS integrations. It provides numerous templates for setting up sensitive data controls, including configurations for HIPAA, PCI DSS, GDPR, and the CCPA. A free version and a free trial are available.
Pros: Integrates with Slack and is easy to install. Specific options for start-up or small and expanding businesses.
Cons: Pricing information is not readily available, and a demo may be required to determine all pricing options available.
3. Egnyte
Egnyte operates as a Software as a Service (SaaS) tool that searches repositories, device applications, and cloud collaboration/storage platforms (e.g., SharePoint, Azure). It is AI-supported and fulfills the discovery stipulations of SOX, HIPAA, and the GDPR with specific compliance settings. Egnyte prices by number of employees and targets small to large companies with approximately 2 to 1,000 employees.
Pros: It covers multiple types of platforms and offers specific settings for compliance models.
Cons: The pricing model can quickly increase costs.
4. Windows Server File Classification Infrastructure (FCI)
Microsoft introduced File Classification Infrastructure (FCI) with Windows Server 2008 R2. FCI, a component of the File Server Resource Manager (FSRM), allows organizations to classify data stored on Windows file servers. Files are classified automatically based on defined properties and rules (for example, a content rule that matches a regular expression), or users can classify files manually. Additionally, companies can configure Microsoft Office templates so that metadata entered into them is classified automatically. For files to retain their classification, they must be stored on NTFS volumes.
Pros: FCI does not require licensing or software on top of traditional Windows Server licensing. IT departments can use Active Directory to manage classification properties.
Cons: This tool requires knowledge of Microsoft configuration and is not ideal for administrators unfamiliar with Windows Server. Classification rules must be set on each file server, and reports are not aggregated across servers (each file server generates its own report).
5. Azure Information Protection (AIP)
AIP relies on labels to classify data and uses Azure Rights Management Service (RMS) to protect it. Because it is cloud-based, AIP protects data in the cloud, on Windows servers, in SharePoint, and elsewhere, and it lets users attach a classification label to documents. As with Microsoft’s FCI, classification can be done manually or automatically. The label configuration determines the access rights attached to the data and whether it is encrypted. AIP’s logs record which users access data, what happens to it, and which files are protected, and they categorize sensitive information by label. Although AIP works in conjunction with FCI scanning, users can instead install the AIP scanner for automated classification and protection of local files.
Pros: A free but limited version is available, and you pay only for what you need; the cost of the paid tiers rises with the functionality you configure.
Cons: Requires a minimum knowledge base of configuring Microsoft systems and Azure products.
6. Netwrix Auditor
Like other options available, Netwrix covers sensitive data on file servers, Office 365, and SharePoint. What sets this tool apart, however, is its easy-to-use interface. Netwrix provides pre-built rules rather than requiring you to write the conditions yourself. It also provides a search function to locate a person’s data quickly should that person request it, a key requirement of HIPAA and the GDPR.
Rather than categorizing data only by type, Netwrix lets users categorize by regulation, such as running a report for PCI DSS-related data. This makes it easier to prioritize critical data, which supports risk assessment objectives as well. It also reads NTFS permissions, so users can see and manage who has access to the data. Netwrix operates on a licensing/subscription basis (the price increases as more AD users or employees are added), but it offers different pricing levels for government, educational institutions, and nonprofits. There is also a Netwrix Auditor Free Community Edition, although it focuses more on access control auditing.
Pros: Netwrix is built from an auditing perspective, with functionality geared toward addressing audit requests quickly. Easy user setup makes this tool ideal for less tech-savvy individuals or teams.
Cons: The pricing model may be high for smaller businesses.
Data Discovery in SharePoint
Microsoft provides a step-by-step guide for SharePoint users on configuring sensitive data protection to comply with privacy regulations. Microsoft recommends using Azure Information Protection to classify data, combined with least-privilege configuration of the SharePoint Server. To generate lists of classified data, users run a SharePoint Server search and eDiscovery. For deeper analysis and log correlation, many experts also recommend integrating a Security Information and Event Management (SIEM) tool.
- Estimate the amount of PII you intake before determining what type of sensitive data discovery tool to use.
- Choose a tool that fits your technical skills. A tool that relies heavily on configuration is not ideal for an organization without a team to maintain those settings or the expertise to configure them correctly.
- Choose a tool that helps fulfill the requirements of the compliance standards for your industry. Some tools may offer more capabilities than you require.
Regulatory legislation increasingly gives control back to consumers when it comes to using their data, resulting in companies bearing greater responsibility for knowing where data resides at all times. Taking advantage of the sensitive data discovery tools available makes complying with privacy and security regulations just a bit easier.
If you need help choosing a PII data discovery tool or determining what regulations apply to your industry, contact RSI Security today for a consultation.