Summary

Under global data privacy laws and regulations, including the EU General Data Protection Regulation (GDPR), personal data is information relating to an identifiable person or data subject. Allowing unauthorized access to personal data can expose an organization to regulatory penalties and fines, increased regulatory oversight, litigation, and even criminal prosecution. Under the GDPR, unauthorized disclosure of personal data may cost an organization up to 4% of its annual global revenue.

BigID helps organizations better manage personal data, enabling them to customize and personalize product messaging without the risk of misusing the data, such as allowing unauthorized access to it. The company's big-data platform finds, inventories, and maps sensitive data in structured, unstructured and cloud data sources to determine where personal data is stored, who has access to it and what applications use it.

The 451 Take

Personal data is a primary target of data breaches, which can negatively impact a business regardless of whether stolen personal data was used to harm its subjects. There is no silver bullet for data breaches, but the least an organization can do is gain a view of the personal data it collects, where it is stored, what applications use it and who has access to it. The BigID platform provides this view of personal data to help organizations comply with global data privacy requirements, including the GDPR, effective May 2018. The platform's personal data inventory facilitates data subject access, remediation and removal – to support individual rights to be forgotten. It can build and maintain a catalog of personal data, and map data flows across business processes and geographies, to develop privacy impact assessments and track data access to identify anomalies and facilitate data-breach detection and response.

Context

Founded in February 2016, and with headquarters in New York and development offices in Tel Aviv, BigID helps enterprises identify, map and protect stored personal data. The company garnered $2.1m in seed investment in May 2016 from BOLDstart Ventures, Deep Fork Capital and Genacast Ventures. Although the company announced general availability of its Enterprise Privacy Management Platform in February at the RSA Conference in San Francisco, it remains in investment mode.

BigID was founded by CEO Dimitri Sirota and head of product Nimrod Vax. Sirota previously cofounded Layer 7 Technologies, which was sold to CA Technologies in 2013. Vax has more than 15 years of experience in identity and security as an engineer and product manager, and served as a product line manager for the identity management and governance product lines at CA Technologies.


Products

The BigID data security management platform runs on-premises or in customer instances of AWS or Azure and comprises data mapping and discovery modules for security and compliance. The platform finds personal data based on its relation to an identity in structured or unstructured data and cloud-based resources. It inventories the information by data subject, adding related data – such as permissions or consents to data collection and use, application access, business context, and purpose of use – and maps how the data flows in business processes for privacy assessments.

The platform's debut focuses on discovering, analyzing and reporting on personal information, such as Social Security numbers, customer identification data, phone numbers and zip codes; protected health information (PHI); and private financial information via search and machine-learning algorithms. BigID does not move, replicate or ingest identified privacy data. The platform leaves data in place, recording its location and gathering application and contextual metadata to report and search.

BigID has collaboration features to map data flows in business processes. Beyond the default algorithms to find privacy information, the BigID platform supports natural language queries and custom reports to comply with other privacy requirements, such as those found in the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.

The BigID data mapping module costs $400 per collaborator per month. Customers consume the discovery module in an annual subscription model. Annual licenses come with all data connectors, product support, API and SDK.


Technology

BigID has four pending US patents for discovering, inventorying and mapping data in a scalable architecture. The BigID platform uses a REST API to connect to an organization's structured and unstructured data sources, such as databases (e.g., SQL, MongoDB), CRM and ERP systems, LDAP-based directories, and file shares; secondary sources, such as CASB, DAM and DLP systems; and log sources, such as Logstash, SIEM and Splunk logs. The platform uses APIs to integrate with technology controls and enable its own and third-party self-service portals to provide data subjects access to their information.

BigID uses default search algorithms to find identity-based data and machine-learning algorithms to classify the personal data by its sensitivity or risk of misuse. The platform processes data, metadata and data activities into an identity-centric command console with risk and data access details.

The command console provides a view of data use by country and the applications and users accessing it. Subscribers can collaboratively map data flows, internal to the organization and with partners, across borders. BigID can also identify and analyze collected consent forms and match them to stored data to determine the risk of misuse.

BigID is developing an SDK (C#, Java, JavaScript, Objective-C, Python, Swift) to provide a services layer atop its data search and analysis. Platform services will include data anonymization, encryption, tokenization, adaptive authentication (to provide identity access control and data management) and user behavior analytics.


Compliance

The BigID platform can help organizations comply with the GDPR, which applies to collecting and processing personal data from activities in the EU. Personal data is any information that can identify a natural person (i.e., data subject). The platform can find where and what information falls under the regulation, the extent to which that information is covered by a consent form, and how data is used by individuals and applications, to comply with GDPR articles 5, 24, 25, 28 and 32. BigID can identify duplicate data to ensure data minimization on collections to comply with articles 5 and 25. The platform's capability to map data use will facilitate the 'right to be forgotten' in article 17 and the right to data portability in article 20, as well as response to data breaches in articles 33 and 34.



Competition

With existing global privacy requirements and the forthcoming GDPR, effective May 2018, numerous vendors of data and information governance and e-discovery software are marketing their products to global businesses that collect and store personal, private information. The competition, however, generally relies on regular-expression searches to root out privacy information that matches a data classification, such as an SSN or credit card number.
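To make the pattern-based approach described above concrete, here is an added example (not BigID's code, nor any competitor's) of a classification-driven scanner: a regular expression recognises the shape of a US SSN or a payment card number, and a structural check (never-issued SSN ranges, the Luhn mod-10 test) filters out matches that only look like the classification. The sample records are constructed for illustration; the function names are this example's own. Note what such a scanner cannot do, which is the gap the page contrasts BigID against: it reports that a value matches a classification, not which data subject it belongs to.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample records for illustration only; none of these values are real.
SAMPLE_RECORDS = [
    "customer 1042 ssn 123-45-6789 card 4111 1111 1111 1111",
    "order 7781 ref 000-12-3456 card 4111-1111-1111-1112",
    "support ticket: call 555-0100, invoice 987-65-4320",
    "employee badge 666-11-2222",
]

# Pattern-only matchers: they recognise the *shape* of a classification,
# not the identity the value relates to.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    raw: str     # text exactly as matched
    valid: bool  # passed the structural check for that classification


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for US SSNs: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_record(text: str) -> List[Finding]:
    """Return every classification hit in one record, flagged valid or not."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group(0), ssn_plausible(*m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        ok = 13 <= len(digits) <= 19 and luhn_valid(digits)
        findings.append(Finding("card", m.group(0), ok))
    return findings


def scan(records: Iterable[str]) -> List[Finding]:
    return [f for r in records for f in scan_record(r)]


def count_validated(findings: Iterable[Finding]) -> int:
    """How many hits survive the structural check (the ones worth triaging first)."""
    return sum(1 for f in findings if f.valid)


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.kind:4} {f.raw:22} valid={f.valid}")
```

On the constructed records the regexes alone produce six hits, but only two (the SSN 123-45-6789 and the Luhn-valid card) pass validation; the rest are the false positives a regex-only strategy would otherwise report. Even the two survivors are still anonymous values, which is why an inventory keyed by data subject needs more than pattern matching.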

HPE offers its GDPR Starter Kit to conduct a personal data assessment that finds what personal data is stored where. Like the BigID platform, the Starter Kit, with HPE ControlPoint, HPE Structured Data Manager and HPE Content Manager, searches structured and unstructured data and identifies, maps and tags personal data. With HPE SecureData, the Starter Kit goes beyond BigID's current capabilities to protect identified personal data with encryption and pseudonyms.

Exterro's Data Mapping product uses the Fusion platform to build and maintain a content directory of an organization's evolving data inventory. With Data Mapping, users can identify source repositories and view data maps to assess compliance risk in stored data.

FTI Consulting offers information governance and compliance services via its technology business unit. The IG compliance services can create security safeguards for sensitive data that include automatically alerting data controllers that sensitive data is not being secured according to policy, which can be developed by regulation or aligned with trade secrets. FTI Ringtail's Document Mapper visualizes and reviews search results or assignments that can surface personal and private information in workloads that require attention.

Guidance Software's Enforce Risk Manager pinpoints, classifies, and controls sensitive, private information whether it is on-premises or in the cloud. Guidance Software's 360-degree visibility provides insight into stored personal data to understand risks and manage the asset.

IBM's Guardium GDPR Accelerator provides an understanding of data risk vis-à-vis the text of the regulation. The Accelerator runs security assessments to identify stored personal data, records activity against the identified data to determine who is accessing the data, and provides a detailed audit log to track data subjects' rights to access and delete their data.

Nuix's Sensitive Data Finder technology uses the Nuix Engine to search unstructured data repositories and find personal and private information (i.e., sensitive data). The product can interrogate large, complex repositories such as email systems, file shares, archives, databases and other enterprise storage systems, including optical character recognition (OCR) output, without maintaining a permanent index. The Data Finder can set custom rules on retaining metadata.

Veritas Technologies' 360 Data Management for GDPR brings together the company's data management and search technologies with professional services to determine customers' GDPR readiness. Veritas' Information Map visualizes unstructured information from the NetBackup catalog to identify personal data. The Data Insight product monitors policy-based access to content, maintains audit trails of who accessed the data and when they changed it, and identifies access issues and anomalies.

Figure 1: BigID SWOT

Fernando Montenegro
Senior Analyst, Information Security

Fernando is a Senior Analyst on the Information Security team, based in Toronto. He has broad experience in security architecture, particularly network security for enterprise environments. He currently focuses on covering vendors and industry events in the endpoint security and cloud security spaces.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
