Summary
Under global data privacy laws and regulations, including the EU General Data Protection Regulation (GDPR), personal data is information relating to an identifiable person or data subject. Allowing unauthorized access to personal data can expose an organization to regulatory penalties and fines, increased regulatory oversight, litigation, and even criminal prosecution. Under the GDPR, unauthorized disclosure of personal data may cost an organization up to 4% of its annual global revenue.
The 451 Take
Context
BigID was founded by CEO Dimitri Sirota and head of product Nimrod Vax. Sirota previously cofounded Layer 7 Technologies, which was sold to CA Technologies in 2013. Vax has more than 15 years of experience in identity and security as an engineer and product manager, and served as a product line manager for the identity management and governance product lines at CA Technologies.
Products
The BigID data security management platform runs on-premises or in customer instances of AWS or Azure and comprises data mapping and discovery modules for security and compliance. The platform finds personal data based on its relation to an identity in structured or unstructured data and cloud-based resources. It inventories the information by data subject, adding related data – such as permissions or consents to data collection and use, application access, business context, and purpose of use – and maps how the data flows in business processes for privacy assessments. The platform's debut focuses on discovering, analyzing and reporting on personal information, such as Social Security numbers, customer identification data, phone numbers and ZIP codes; protected health information (PHI); and private financial information via search and machine-learning algorithms. BigID does not move, replicate or ingest the personal data it identifies. The platform leaves data in place, recording its location and gathering application and contextual metadata for reporting and search.
BigID has collaboration features to map data flows in business processes. Beyond the default algorithms for finding personal information, the BigID platform supports natural language queries and custom reports to comply with other privacy requirements, such as those found in the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley.
The BigID data mapping module costs $400 per collaborator per month. Customers consume the discovery module in an annual subscription model. Annual licenses come with all data connectors, product support, API and SDK.
Technology
BigID has four pending US patents for discovering, inventorying and mapping data in a scalable architecture. The BigID platform uses a REST API to connect to an organization's structured and unstructured data sources, such as databases (e.g., SQL, MongoDB), CRM and ERP systems, LDAP-based directories, and file shares; secondary sources, such as CASB, DAM and DLP systems; and log sources, such as Logstash, SIEM and Splunk logs. The platform uses APIs to integrate with technology controls and enable its own and third-party self-service portals to provide data subjects access to their information.
Compliance
The BigID platform can help organizations comply with the GDPR, which applies to collecting and processing personal data from activities in the EU. Personal data is any information that can identify a natural person (i.e., a data subject). The platform can find where and what information falls under the regulation, the extent to which the information is covered by a consent form, and how data is used by individuals and applications, in support of GDPR articles 5, 24, 25, 28 and 32. BigID can identify duplicate data to support data minimization on collections, as required by articles 5 and 25. The platform's capability to map data use will facilitate the 'right to be forgotten' in article 17 and the right to data portability in article 20, as well as response to data breaches in articles 33 and 34.
Competition
HPE offers its GDPR Starter Kit to conduct a personal data assessment that finds what personal data is stored where. Like the BigID platform, the Starter Kit, with HPE ControlPoint, HPE Structured Data Manager and HPE Content Manager, searches structured and unstructured data and identifies, maps and tags personal data. With HPE SecureData, the Starter Kit goes beyond BigID's current capabilities by protecting identified personal data with encryption and pseudonymization.
Exterro's Data Mapping product uses the Fusion platform to build and maintain a content directory of an organization's evolving data inventory. With Data Mapping, users can identify source repositories and view data maps to assess compliance risk in stored data.
FTI Consulting offers information governance and compliance services via its technology business unit. The IG compliance services can create security safeguards for sensitive data that include automatically alerting data controllers that sensitive data is not being secured according to policy, which can be developed by regulation or aligned with trade secrets. FTI Ringtail's Document Mapper visualizes and reviews search results or assignments that can surface personal and private information in workloads that require attention.
Guidance Software's EnForce Risk Manager pinpoints, classifies, and controls sensitive, private information whether it is on-premises or in the cloud. Guidance Software's 360-degree visibility provides insight into stored personal data to understand risks and manage the asset.
IBM's Guardium GDPR Accelerator provides an understanding of data risk vis-à-vis the text of the regulation. The Accelerator runs security assessments to identify stored personal data, records activity against the identified data to determine who is accessing the data, and provides a detailed audit log to track data subjects' rights to access and delete their data.
Nuix's Sensitive Data Finder technology uses the Nuix Engine to search unstructured data repositories and find personal and private information (i.e., sensitive data). The product can interrogate large, complex repositories such as email systems, file shares, archives, databases and other enterprise storage systems, including optical character recognition (OCR) output, without maintaining a permanent index. The Data Finder can set custom rules on retaining metadata.
Veritas Technologies' 360 Data Management for GDPR brings together the company's data management and search technologies with professional services to determine customers' GDPR readiness. Veritas' Information Map visualizes unstructured information from the NetBackup catalog to identify personal data. The Data Insight product monitors policy-based access to content, maintains audit trails of who accessed the data and when they changed it, and identifies access issues and anomalies.
Fernando is a Senior Analyst on the Information Security team, based in Toronto. He has broad experience in security architecture, particularly network security for enterprise environments. He currently focuses on covering vendors and industry events in the endpoint security and cloud security spaces.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation