Friday, March 8, 2019

How does your enterprise cope with sensitive data?


1  Background


• Enterprise security spending is $75B+
• 93% of enterprises feel vulnerable to security threats
• 61% have had a data breach
• 781 breaches compromising 169M records happened in 2015. This figure has been rising since then.
• $217 per record is the cost of a data breach

The proliferation of customer identifiable data processed by financial firms drives increased scrutiny of practices to ensure end-customer rights. These regulations impose obligations, and penalties for non-compliance, on the treatment of customer data: its storage, distribution and access. A person's access to that data changes based on their location. There is a hard requirement to lock down customer identifiable data (CID) with infrastructure, regional, service and people based boundaries enforced through compliant policies.

The above stringent conditions have put organizations on tenterhooks, and they continue to spend heavily in this area. As a result, much of the potential for outsourcing and cost savings has become difficult to realize. Moreover, as data proliferates across horizontal and vertical lines, few organizations have a grip on what constitutes sensitive data, where it resides, or complete intelligence about it.

The EU's GDPR regulation came into effect in May 2018. The GDPR imposes specific requirements on data controllers (for example, Deutsche Bank or Credit Suisse) and data processors (for example, a FinTech or IT service provider). Both the data controller and the processor are held accountable for enforcing subject rights, including the Right to Access (what customer data is held, how it is processed, what it is used for and who it is shared with) and the Right to be Forgotten. Similar laws apply in the US and UK.

2  FS (Financial Services) Space & Use Cases


Currently, the intelligence on sensitive data is driven by human declarations and process-driven enforcement of policy. This can turn out to be extremely costly for a firm in the event of a breach or non-compliance.

First, there is an urgent need for a systematic identification of sensitive data. Today, many financial organizations have little clue when it comes to categorizing and inventorying their data. This has many dimensions, such as attribute, location and access rights. Most banks tend to keep the roles that handle sensitive data in the same location as the data itself. Even within a single function, the question of access becomes more pressing once different roles are considered.

DBAs have enhanced levels of access, not just from an application but also through back-end entry points such as database client applications and scripts, and through access to log files, which may contain sensitive data. In order to unlock the benefits of right-shoring for talent and cost, DBA security policies must include comprehensive and effective anonymization mechanisms so that DBAs remain productive in their roles irrespective of location, access mechanism, etc.

3  ESDM (Enterprise Sensitive Data Management) Solution


The ESDM solution is about achieving the following:

• Establish a complete intelligence system on the sensitive data lying throughout the organization
• Eliminate roadblocks in the adoption of a location strategy or cloud deployments, driving faster TCO (Total Cost of Ownership) optimization
• Drive responsive compliance and evidence-based reporting against evolving data protection regulations
• Achieve total protection of sensitive data

There are many by-products of implementing an ESDM solution. Some of them are:

• A dynamic repository of all sensitive data and its whereabouts
• Optimal access to such sensitive data
• Freeing up onsite resources to move to other locations, based on a clear implementation of the ESDM solution
• Amenability to outsourcing, or elimination of roadblocks to more outsourcing
• Elimination of barriers to the adoption of new technologies

Here are a few examples of sensitive data grouped by category:

1. Personal Identification (Name, Gender…)
2. Address
3. Personal IDs
4. Customer Identification
5. Career details
6. Birth details
7. Family details
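The categories above only become useful once a tool can find them in the estate. The following Python script is an added example, not code from the original post or from any product it mentions: it scans a constructed sample of three tables (the table names, column names and values are made up here), classifies each column into one of the seven categories by column-name rules first and by value patterns second, and returns both the inventory and the columns that no rule could decide, which go to a human for review. The value patterns for identifiers are assumptions for this example, not any country's real ID format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what an estate scan might hand back: table -> column -> sampled values.
# Names and values are made up for this example.
SAMPLE_SCHEMA: Dict[str, Dict[str, List[str]]] = {
    "crm.customers": {
        "cust_id": ["C-10001", "C-10002", "C-10003"],
        "full_name": ["Ana Pereira", "Li Wei", "Tom Okafor"],
        "gender": ["F", "M", "M"],
        "dob": ["1984-03-12", "1990-11-02", "1978-07-30"],
        "contact": ["ana@example.com", "li.wei@example.org", "tom@example.net"],
        "postal_address": ["12 Harbour Rd, Cork", "5 Rue Lepic, Paris", "88 Zoo Lane, Lagos"],
    },
    "hr.employees": {
        "employee_no": ["E-4451", "E-4452"],
        "national_id": ["AB123456C", "CD987654E"],
        "legacy_ref": ["123456789", "987654321"],
        "employer_history": ["Acme Ltd 2010-2015", "Globex 2016-2019"],
        "spouse_name": ["Carlos Pereira", ""],
        "ticket_count": ["3", "0"],
    },
    "ops.metrics": {"cpu_pct": ["12.5", "40.0"], "host": ["db01", "db02"]},
}

# Column-name rules, most specific category first so that "spouse_name"
# lands in Family details rather than Personal Identification.
NAME_RULES: List[Tuple[str, str]] = [
    ("Family details",          r"spouse|parent|child|dependant|next_of_kin"),
    ("Birth details",           r"dob|birth"),
    ("Personal IDs",            r"national_id|passport|ssn|tax_id|licen"),
    ("Customer Identification", r"cust(omer)?_?(id|no|ref)|account_no"),
    ("Career details",          r"employer|job_title|salary|history"),
    ("Address",                 r"addr|street|postcode|zip|city"),
    ("Personal Identification", r"name|gender|sex|e?mail"),
]

# Value rules catch columns whose name gives nothing away (e.g. "contact").
# The identifier patterns are constructed for this example, not a real national format.
VALUE_RULES: List[Tuple[str, str]] = [
    ("Personal Identification", r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$"),  # e-mail address
    ("Birth details",           r"^(19|20)\d{2}-\d{2}-\d{2}$"),     # ISO date of birth
    ("Customer Identification", r"^C-\d{5}$"),                      # constructed customer reference
    ("Personal IDs",            r"^\d{9}$"),                         # constructed 9-digit ID
]
VALUE_THRESHOLD = 0.8  # share of non-empty sampled values that must match a value rule


@dataclass
class Finding:
    table: str
    column: str
    category: str
    evidence: str       # "column name" or "value pattern"
    match_ratio: float  # share of sampled values matching (1.0 for a name hit)


def classify_column(name: str, values: List[str]) -> Optional[Tuple[str, str, float]]:
    """Return (category, evidence, match_ratio), or None when no rule fires."""
    lowered = name.lower()
    for category, pattern in NAME_RULES:
        if re.search(pattern, lowered):
            return category, "column name", 1.0
    samples = [v for v in values if v]  # empty cells carry no evidence
    if not samples:
        return None
    for category, pattern in VALUE_RULES:
        ratio = sum(1 for v in samples if re.match(pattern, v)) / len(samples)
        if ratio >= VALUE_THRESHOLD:
            return category, "value pattern", round(ratio, 2)
    return None


def build_inventory(schema: Dict[str, Dict[str, List[str]]]) -> Tuple[List[Finding], List[str]]:
    """Walk every column; return the sensitive-data inventory plus the columns
    no rule could classify, which go to a human for review."""
    inventory, for_review = [], []
    for table, columns in schema.items():
        for column, values in columns.items():
            hit = classify_column(column, values)
            if hit is None:
                for_review.append(f"{table}.{column}")
            else:
                inventory.append(Finding(table, column, *hit))
    return inventory, for_review


def tables_holding(inventory: List[Finding], category: str) -> List[str]:
    """Whereabouts query: which repositories hold a given category of sensitive data?"""
    return sorted({f.table for f in inventory if f.category == category})


if __name__ == "__main__":
    found, review = build_inventory(SAMPLE_SCHEMA)
    for f in found:
        print(f"{f.table}.{f.column:<18} {f.category:<26} via {f.evidence} ({f.match_ratio})")
    print("needs review:", ", ".join(review))
```

Two design points matter in practice. Name rules alone miss the `contact` column, which holds e-mail addresses; only the value rule catches it, which is why a discovery tool must sample data rather than trust schemas. And the columns no rule hits (`employee_no`, `ticket_count`, the ops metrics) are returned rather than silently dropped, so the inventory records what was not decided as well as what was.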

Any ESDM solution should look at the entire stack and be tool driven. Our guiding principles are:

  • Right tool: selecting the right tool is critical. For this, a technical PoC is recommended. It can be used to verify the usefulness of the tool, the scalability of the model and the cost-benefit case. Possible operations for managing sensitive data are static masking, dynamic masking and, finally, retirement.
  • Easy adoption: critical use cases are to be covered first.
  • Scalable operating model: the service delivery model should be aligned to the outcome.
  • Co-existence: the solution must co-exist in a heterogeneous environment supporting a non-greenfield estate.

4  A point of view


Many products have come to address this, each one advertising various features such as the ability to do static / dynamic data masking. Gartner has also published its ranking. Whatever the product, it should be used to discover sensitive data accurately, mask it seamlessly, monitor it continuously and retire it securely.
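The three operations named under the "Right tool" principle (static masking, dynamic masking, retirement) and the DBA anonymization requirement from the use-case section are easiest to compare side by side in code. The Python below is an added example, not code from the original post or from any vendor product: it takes constructed customer and order records (made up for this example), builds a statically masked copy for test environments with keyed pseudonyms so that joins still work, serves role- and location-aware dynamic views of the live record with an audit entry per read, and retires a subject leaving only a tombstone. The role names, the field policy and the `MASKING_KEY` placeholder are assumptions of the example.

```python
import hashlib
import hmac
from datetime import date
from typing import Dict, List

# Constructed sample records; the people and values are made up for this example.
CUSTOMERS: List[Dict[str, str]] = [
    {"cust_id": "C-10001", "full_name": "Ana Pereira", "dob": "1984-03-12",
     "postal_address": "12 Harbour Rd, Cork", "contact": "ana@example.com", "balance": "1520.40"},
    {"cust_id": "C-10002", "full_name": "Li Wei", "dob": "1990-11-02",
     "postal_address": "5 Rue Lepic, Paris", "contact": "li.wei@example.org", "balance": "88.00"},
]
ORDERS: List[Dict[str, str]] = [
    {"order_id": "O-1", "cust_id": "C-10001", "amount": "20.00"},
    {"order_id": "O-2", "cust_id": "C-10002", "amount": "5.00"},
]

# Placeholder key: in a deployment it lives in a vault or HSM and never ships
# with the masked copy, otherwise the pseudonyms can be recomputed.
MASKING_KEY = b"placeholder-key-held-in-vault"


def token(value: str, field: str) -> str:
    """Keyed, deterministic pseudonym: equal inputs give equal tokens, so joins
    across tables survive masking, but nothing is recoverable without the key."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def static_mask(customers, orders):
    """Static masking: build a sanitised copy for test/pre-production. CID is
    replaced once, at copy time; the copy never contains the originals."""
    masked_customers = [{
        "cust_id": "C-" + token(c["cust_id"], "cust_id"),
        "full_name": "Customer " + token(c["full_name"], "name")[:6],
        "dob": c["dob"][:4] + "-01-01",                       # generalise to year of birth
        "postal_address": "REDACTED",
        "contact": token(c["contact"], "contact") + "@example.invalid",
        "balance": c["balance"],                              # not CID; kept so tests stay realistic
    } for c in customers]
    masked_orders = [{**o, "cust_id": "C-" + token(o["cust_id"], "cust_id")} for o in orders]
    return masked_customers, masked_orders


# Fields each role may read in clear on the live system; everything else is
# masked at read time. The DBA keeps the platform running without seeing CID.
NO_CID = {"balance"}
ROLE_POLICY = {
    "compliance_officer": {"cust_id", "full_name", "dob", "postal_address", "contact", "balance"},
    "customer_service": {"cust_id", "full_name", "contact", "balance"},
    "dba": NO_CID,
}
MASKERS = {
    "cust_id": lambda v: "C-" + token(v, "cust_id"),  # still correlatable, not identifying
    "dob": lambda v: v[:4] + "-**-**",
}
AUDIT_LOG: List[Dict] = []  # continuous monitoring: every read of a live record is recorded


def dynamic_read(record: Dict[str, str], role: str, actor: str, in_region: bool = True) -> Dict[str, str]:
    """Dynamic masking: role- and location-aware view of a live record. Readers
    outside the data's region get the most restrictive view regardless of role."""
    visible = ROLE_POLICY[role] if in_region else NO_CID
    view = {f: (v if f in visible else MASKERS.get(f, lambda _: "***")(v)) for f, v in record.items()}
    AUDIT_LOG.append({"actor": actor, "role": role, "in_region": in_region,
                      "subject": token(record["cust_id"], "cust_id"),
                      "fields_in_clear": sorted(visible & set(record))})
    return view


def retire(customers, orders, cust_id: str, reason: str):
    """Retirement (right to erasure): drop the subject and dependent rows and keep a
    tombstone holding only a keyed token, as evidence that the erasure happened."""
    kept = [c for c in customers if c["cust_id"] != cust_id]
    if len(kept) == len(customers):
        raise KeyError(f"no such customer: {cust_id}")
    kept_orders = [o for o in orders if o["cust_id"] != cust_id]
    tombstone = {"subject": token(cust_id, "cust_id"), "reason": reason,
                 "rows_removed": (len(customers) - len(kept)) + (len(orders) - len(kept_orders)),
                 "erased_on": date.today().isoformat()}
    return kept, kept_orders, tombstone


if __name__ == "__main__":
    test_copy, _ = static_mask(CUSTOMERS, ORDERS)
    print("static copy:", test_copy[0])
    print("dba view:   ", dynamic_read(CUSTOMERS[0], "dba", "dba01"))
    print("cs view:    ", dynamic_read(CUSTOMERS[0], "customer_service", "cs42"))
    _, _, stone = retire(CUSTOMERS, ORDERS, "C-10002", "subject request")
    print("tombstone:  ", stone)
```

The static copy is what a Test or Pre-production environment receives: the masked `cust_id` in the orders table still matches the masked customers table, so application tests run, but no original value is present to leak. The dynamic view is what a DBA querying Production sees, and the audit log is the evidence trail a regulator asks for. Retirement returns new lists rather than mutating the inputs, so the caller decides when the erasure is committed.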

The product or tool should address the challenges posed by different environments in the life cycle such as Test, Pre-production, Production etc. covering data, code and the user community as depicted below.




The approach starts with the PoC, followed by the development of a business pilot and the realization of quick wins, before rolling out to the rest of the organization.


Subsequently, the solution can be rolled out to other units over the next year. By the end of this, the organization has control over its sensitive data and its usage, access and deployment. Any future regulation in this area can be addressed easily.

Organizations should adopt an ESDM culture from the top down.

Potential Benefits

They accrue in the form of an established ecosystem with:

• A complete inventory of the sensitive data held across the organization, covering type of data, repository, artefacts, programs accessing the data, users, locations, etc.
• The ability to consume mature IT service delivery
• Optimised infrastructure spend through the adoption of multi-location models and platforms (cloud)
• Clear segregation of roles with respect to data access
• Roles previously held at the customer's location freed to move to other low-cost locations, after analysing and implementing a suitable solution
• Elimination of roles that are no longer required in this connection
• Compliance with local laws and the ability to report clearly


Which agile model is right for you? What are the solution considerations?


Choosing the right type of agile model is of paramount importance. Enterprises are experimenting with Scrum, Kanban, XP, Spotify, etc. Looking at user interaction and rate of change as two parameters, we can choose a specific approach. The following diagram gives one such idea.





In the table below, considerations such as application type, type of work, type of team and volatility determine the applicability of the different methodologies.



Parameter        | Description
-----------------|--------------------------------------------------------------------------------------------
Application Type | Strategic; Maintain; Run to Retire; PoC
Volatility Type  | High, Medium, Low
Work Type        | Large/Medium enhancement; Maintenance/Small enhancement; Migration; Large platform based; Innovation
Variability Type | Small, Medium, Large
Team Type        | Independent; Frequent collaboration; High collaboration
System Type      | Stand-alone/Small; Medium complex/Medium dependencies; Highly complex/Multi-dependencies

Based on the above, we can construct a table that shows the usage and applicability of various models.

Parameter        | Scrum + XP                            | Scrum                                 | Kanban                     | Waterfall
-----------------|---------------------------------------|---------------------------------------|----------------------------|-----------------------------------
Application Type | PoC; Strategic                        | Maintain                              | Maintain; Run to Retire    | Run to Retire
Work Type        | Innovation; Platform                  | Large/Medium enhancements             | Small changes; Maintenance | Migration
Team Type        | High collaboration; Frequent feedback | High collaboration; Frequent feedback | Independent                | Independent
Volatility Type  | High                                  | Medium                                | Low                        | Medium/Low
Variability Type | Large                                 | Medium                                | Small                      | Medium/Small
System Type      | Large/Complex                         | Medium complex                        | Small / Stand-alone        | Medium complex/Medium dependencies

What are the factors to be considered in designing the solution and commercials?

When working with a customer's IT organization that practises some form of agile, the solutions team needs to consider the following factors and make sure their impact on both delivery and commercials is understood.


Area: Transition
Considerations:
• Current level of agile maturity across business units (each unit can operate at a different level)
• Current offshoring maturity
• Usage of distributed agile
• Consider various scenarios such as:
    - Waterfall to Agile
    - Agile to Agile
• Knowledge absorption: include pair programming and the architectural runway (existing code, hardware components and software functionality that technically enable near-term business features)
• Replication: sprint-based execution
• Boot camp duration and costs (focus on Agile foundation, Agile Associate and Scaled Agile; behavioural aspects such as people mindset, culture, and opening up to express one's views)
• Include time and effort for an agile assessment of the in-scope portfolio
• Onshore ratio
• Timeline

Area: Steady State
Considerations:
• Agile maturity of the different business units
• Level of life cycle management and DevOps tool usage
• Type of full-stack engineers required
• Availability of roles such as PO, Agile coach and Scrum master on the customer's side
• Time proposed for the transformation
• Quantum of work
• Current effective tool usage
• Usage of DevOps
• Current mapping of resource levels
• Operating model
• Evolution of the ToM across the timeline
• Squad size
• Release cycle
• Onshore ratio across months/years as the customer moves up the maturity curve
• Type of resources and their distribution
• Productivity % resulting from people, process and tools

Area: Commercials
Considerations:
• Physical infrastructure
• Connectivity requirements, considering more online interactions / meetings
• Typical squad size per ODC (there could be many special requirements per squad)
• Number of trips could be higher than in a traditional model
• Special infrastructure costs (meeting rooms, furniture, boards, interactive rooms, etc.)
• Special equipment such as monitors (large size, two monitors per person)
• Additional tools/licences: ILF (Initial License Fee) and RLF (Recurring License Fee)
• Cost of baselining the customer's resources and plotting them against standard models such as SFIA or the Dreyfus model
• Recruiting costs (cost of running a hackathon)
• Cost of hosting the customer periodically
• Cost of building an Academy
• Cost of configuration/customization of existing tools, frameworks and accelerators
• Training / upskilling costs, covering the initial training required to make resources engagement-ready as well as upskilling as they move along the Dreyfus cycle. Traditional training materials will not do.