Leading Education Provider Chooses Imperva Camouflage to Deliver a Comprehensive Data Masking Solution, Dramatically Reducing Project Scope and Automating the Change Audit Process
The Higher Education Market
The need for sensitive data protection in the higher education market has been increasing as the necessity of protecting student data has been brought to light by many high profile data breaches affecting major institutions. The emergence of online technology has caused traditional brick and mortar institutions to shift online to serve learning (e.g. grading, online learning, communication) and administration purposes (e.g. human resources, admissions, finance, email, CRM). With major colleges and universities serving tens of thousands of students, this paradigm shift in providing educational services has created new challenges when it comes to managing and securing data.
Intensifying Legislation
Recognizing this, legislation has been created to ensure that educators are upholding standards in protecting their students’ data. Examples of these are the Family Educational Rights and Protection Act (FERPA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. These legislations hold education providers accountable for protecting data and prohibit disclosure of sensitive data to a third party without consent. A major issue for organizations, regardless of industry, is exposing personally identifiable information (PII) to those working in non-production environments such as application development, training, and testing, and the same issue exists for student data in higher education organizations. An Imperva client encountered this exact issue, and the Imperva Camouflage solution enabled them to successfully protect their student data and comply with FERPA legislation.
The Client
A leading online education services provider, this client operates accredited Universities in the United States. With a mandate to maintain the highest standard of data security and ensure strong protection of their students’ data, the client has taken a proactive stance by deploying a data masking software solution to dramatically reduce the risk of exposure of their student data.
Challenge
A major concern was extending protection to students in non-production environments, since extensive application development, testing, and training using student data was needed as part of their ongoing business requirements. Therefore there was a need to find a solution that could securely de-identify student information before sharing it for development, QA and training purposes. While ensuring the security of student information was the main priority, being compliant with FERPA was also driving the need for a solution.
Situation
Maintaining the integrity of the client’s brand is paramount, and ensuring a track record of secure student data is a mandate that they take very seriously. They needed a software solution that could effectively do this, while being time and resource efficient. Due to strict timelines and complex environment, they needed a vendor with the right technology and domain expertise. In addition, the ideal vendor needed to be in the data masking industry for several years, offering a mature, feature-rich and stable product. The technology solution needed to support the complexity of their underlying data and mask it intelligently so that the end result looks and acts like the original data. This meant database and application referential integrity was a key characteristic to include in the evaluation. Technology to provide consistent masking across varied in-scope database types deployed throughout different departments was needed. In addition to the technology requirements, the client also wanted a vendor with a strong consulting practice in order to leverage data masking experts and ultimately accelerate the project.
Solution
With industry leading data masking software and domain expertise, Imperva Camouflage was chosen to deliver a complete data masking solution. The solution exceeded the client’s expectations in terms of software functionality, deep domain expertise and consulting services.
Reducing Quantity of Data, Lowers Project Time and Costs
A major turning point during the vendor evaluation and the key to success was our discovery technology. The client deployed the discovery feature to scan databases for in-scope data to pinpoint the exact locations where Personally Identifiable Information (PII) existed within non-production environments. Initially, the client identified over 75 databases that could potentially contain PII. After using the discovery feature, that number was dramatically reduced as only 35 databases truly required masking. In turn, this saved the client over $750,000 in time and resources as many of the databases that they thought required data protection fell out of the high risk zone.
Delivering Data Masking Consulting, Remotely
After the client successfully located databases containing PII with the discovery feature, they implemented data masking to the prescribed areas, effectively and efficiently meeting the project’s tight time constraints. The client felt leveraging experts in data masking would accelerate project completion while still achieving a high standard of results. Today, the client has outsourced ongoing maintenance and support to Imperva Camouflage. Our specialists are engaged on a routine basis to maintain and update masking projects in response to any changes in the masking requirements or in the underlying database environment. This ongoing service is delivered remotely, increasing efficiency and reducing cost. Although on-site support remains available, to date it has not been needed during the maintenance phase.
Automating the Change Audit Process for Masking
The existing processes for application change management were updated to include steps related to data masking, but Imperva realized that there was still a risk that changes requiring additional masking could be missed. As a result, an audit process was designed to mitigate that risk by focusing on the case where new data is added that is not being masked. The discovery feature in Imperva Camouflage emerged as a solution to this problem. During the first phase of the data masking project, templates for his feature were configured for the client’s databases. By using the same templates and automatically filtering all previously encountered results, Imperva Camouflage is able to use the discovery feature in a change audit capacity to periodically scan production databases for new locations that might contain protected information. These results are correlated to the known changes that were already addressed and any discrepancies are flagged for review so that the masking configurations can be updated as needed.
Using the discovery feature in this way has resulted in a superior audit process. Since the alternative process would be a manual review of each production environment, the process is much faster and more efficient which saves time and expense. Additionally, it allows the audit to be conducted more frequently than would otherwise be possible. In many cases, the discovery feature is more thorough than a manual review, which results in an improved quality of audit.
Student databases were successfully protected using the Imperva Camouflage data masking solution, and the success in the installation prompted them to look to Imperva Camouflage for a managed masking service on an ongoing basis. The client looked for a vendor with solid technology, a strong consulting practice, and ease of overall The discovery feature emerged as a focal point in this solution by both dramatically decreasing the scope of data to be masked and innovatively enabling the creation of an automated change audit process. Data masking has been vital in the development of the client’s strategy to ensure its brand integrity is upheld, risk management policies are in check, and student data is secured.
