Data Discovery Tool Aids CCPA Compliance
Before you can tell your customers what data you have stored about them, you have to find it in your own systems. With today’s complex data flows, that’s not as easy as it sounds. But the company 1touch.io is hoping to make the CCPA compliance process easier and more automated with a new tool unleashed today.
Called Inventa, the new offering aims to help customers comply with the data reporting requirements imposed by the California Consumer Privacy Act (CCPA), the GDPR, and similar data regulations making their way through various national and state legislatures.
When California residents (or other data subjects) request to know what personal data a company has stored, the company has a certain amount of time to comply with the request. Many of these requests are being fulfilled manually, which is expensive, time-consuming, and prone to error. 1touch.io created Inventa to automate the response.
Inventa combines various capabilities to get a more complete view of consumers’ personal and sensitive data. It uses traditional data discovery techniques to catalog data residing in databases, file systems, and other locations where rests. But that doesn’t include network traffic, says Mark Wellins, 1touch.io’s chief customer officer.
“We start by looking at traffic,” Wellins says. “The first thing we have to do is find out where is your data. You know maybe 80% to 85% of locations of your data. What Inventa will do is it will look at your network traffic and it will actually find where that data is.”
For example, the presence of SQL commands in network traffic tells you something important about the data flow. “That might tell us there are five or six databases involved here, and they’re all joined by different keys,” he says. “We actually have visibility into that nobody else has.”
Wellins likens Inventa to Google Maps. Just as that program uses cars on the road to constantly update its maps of the world, Inventa uses network taps to map where all of an enterprise network traffic is heading to and from.
“We’re looking at the traffic and driving down that Ethernet cable or the wireless to understand what is that down that network route there?” Wellins says. “Oh, OK it’s an Oracle database. Excellent, make a note of that. Or it’s a Windows file share. Make some note of that. Some traffic went out of the environment into Box.com? Let’s make a note of that as well.”
Once the data-at-rest and data-in-motion assets are discovered, Inventa then starts to map the data subjects. It uses machine learning and natural language processing (NLP) algorithms to create a profile of the data subjects (i.e. the consumer who may submit a CCPA data request) that contains all the pertinent data on the subject, including personally identifiable information (PII).
“We do a whole data mapping exercise, so when we produce a profile of a data subject, it contains all the PII entries that you know about the individual,” he tells Datanami. “Once you attach the metadata, which might be the buying habits or Web browsing habits–whatever you know about me–and you attach that to this person, then you have a full picture for the data catalog itself.”
Companies are currently scrambling to comply with CCPA, the new GDPR-like law that went into effect on January 1 of this year and that is slated be enforced in July. “CCPA is scaring a lot of people because of the punitive nature,” Wellins says. “If I go to an organization in California and I am a California resident and I request my information, you’ve got a certain number of days” to respond.
Currently, many companies are assembling their CCPA reports manually. But that approach won’t scale as the number of requests grows. With Inventa, companies can expose part of the program via API, and customers can generate their own reports over the Web, eliminating the need for employees to visit multiple applications, databases, and cloud resources. “We’re a discovery tool that removes the hard work in actually finding where the data is,” Wellins says.
But as a “master capital” product, Inventa has uses beyond complying with data regulations. Wellins says the software’s capability to see all of a company’s dataflows makes it useful for business intelligence and data quality initiatives, too.
“That’s the Holy Grail for them,” he says. “What they’re trying to do is find a location, a place, they can trust and rely on that shows them the current state of play for their business data,” he says. “That’s what this launch is all about. The master capital will give a business visibility in all directions…whether they’re trying to look at it from a data governance perspective, from a compliance perspective, or security.”
1touch.io was founded in 2017 by three Israelis, Dimitry Shevchenko, Itzhak Assaraf, and Zak Rubinstein. The trio have years of experience in the security field, including at the firewall company Check Point Software, as well as building applications for Homeland Security in the US for the Israeli government.