ABOUT
Industry:
Software-as-a-Service, Information and Media
Size:
1000-5000 employees
Private
Cloud Services:
AWS CloudTrail, AWS RDS, AWS S3, Google Cloud, BigQuery, Snowflake
ABOUT CUSTOMER
This data and technology firm is a major player in the consumer data industry. It specializes in collecting, analyzing, and selling consumer data to businesses. The company aggregates information from various sources to create detailed consumer profiles, which it provides to clients for marketing, risk management, and decision-making purposes. Its services include consumer analytics, identity verification, fraud detection, and marketing technology solutions. The firm serves multiple industries, including retail, finance, insurance, and healthcare.
The Challenge
In today’s data-driven marketing landscape, a global enterprise found itself grappling with increasingly complex data security challenges. Undergoing over 600 audits annually from customers, regulators, and other stakeholders, the company faced persistent and increasingly in depth scrutiny regarding its handling of customer data by employees and contractors. These audits also focused on how the organization was monitoring data flows across different geographies and jurisdictions, with particular attention to various data types and the identities who could access that data.. The Chief Information Security Officer (CISO) recognized a critical gap: the lack of sufficiently granular evidence to demonstrate appropriate data access restrictions and monitoring of employee activities related to this access.
The company’s global operations further complicated matters, as it needed to navigate a maze of compliance requirements including, but not limited to GDPR, PCI, and German Works Council regulations. These mandates carried significant business implications and potential fines for non-compliance.
Adding to this complex landscape was the 2023 Executive Order issued by President Biden, which aimed to strengthen protections around Americans’ sensitive personal data against foreign exploitation. This order placed renewed emphasis on safeguarding critical data types such as genomic, biometric, health, geolocation, and financial information of American citizens, with special consideration for members of the military and national security community. The order also highlighted the importance of protecting geolocation information related to sensitive government sites.
The Goal
Recognizing the need for enhanced visibility into data handling practices, the CISO outlined a set of objectives centered on achieving greater transparency in data flow and usage across the enterprise. The overarching aim was to gain a comprehensive, real-time understanding of how data moved through the organization and how it was accessed and utilized by employees and systems.
A key priority was to establish a clear and detailed view of data inventory and movement. This included mapping data flows across different zones (ASN/Production/Country), tracking data attributes, and monitoring how data moved between approved identities and workloads. The CISO aimed to create a system that could provide instant insights into data location, usage patterns, and compliance with regional regulations such as GDPR and PCI. This level of transparency would not only aid in proving compliance during audits but also enable proactive management of data risks.
Additionally, the company sought to implement mechanisms to monitor data treatment based
on its age and usage, aligning with client contract requirements and internal retention policies.
By achieving this granular level of visibility,
the organization aimed to quickly identify
and protectively reduce the data blast radius
and attack surface of their data environments.
The Choice
In the search for a comprehensive data security solution, Symmetry stood out as the clear choice for this organization. The unique deployment model was a key factor in the decision. Symmetry’s ability to operate within their own cloud environment, as well as on-premise, allowed them to enhance their data security posture without introducing additional supply chain risks. This approach aligned perfectly with the stringent security requirements, compliance audits and complex infrastructure needs.
Symmetry’s enterprise-scale capabilities were also crucial. At their scale, they needed a partner who could handle a global enterprise’s volume of data and complex data flows across multiple environments. Symmetry demonstrates not only the capacity to meet the current needs but also the scalability to grow as the data landscape evolves.
The company’s recognition as a Gartner Cool Vendor further validated our choice, highlighting Symmetry’s innovative approach in the data security market. However, what truly cemented our decision was the overwhelmingly positive feedback from fellow CISOs who were already using the product that they spoke to. Their real-world experiences and success stories provided valuable insights into Symmetry’s effectiveness in addressing complex data security challenges. Moreover, Symmetry’s high performance ratings on Gartner Peer Insights offered additional assurance. The consistently positive reviews from a wide range of enterprises across various industries underscored Symmetry’s ability to deliver tangible results and meet diverse security needs.
The Outcomes
The implementation of Symmetry and the advanced data transparency and monitoring provided across AWS and GCP environments highlighted immediate outcomes for the security team – providing a clear roadmap for enhancing their data security posture.
Symmetry helped pinpoint which data stores contained sensitive information. A significant portion of those data stores were in development environments – an immediate task for clean up. Similarly over-privileged access was a key concern, with over 10% of all identities considered to have privileged access. Symmetry helped identify the status of MFA for these identities, enable monitoring, and validate the dormancy and usage of these identities to enable removal of unused identities or permissions.
Using Symmetry, the client further identified that almost third of the remaining identities were also dormant, many with unnecessary permissions. Symmetry highlighted that a significant portion were non-human identities created for one-off infrastructure builds as part of the DevOps pipeline that are no longer needed. This included a default GCP Cloudbuild account with ‘owner’ privileges across thousands of data stores that should have been disabled after initial implementation. The expanded attack surface from these accounts was obvious with over numerous additional identities with ‘assume role’ permissions to these identities.
These comprehensive findings provided unprecedented visibility into the organization’s data landscape, revealing critical areas for improvement in access management, identity governance, and overall data security practices. The insights gained enabled the company to take immediate action, addressing vulnerabilities, optimizing cloud environments, and enhancing their compliance posture.
“Symmetry is the BASF of data security – they don’t make the data, they make it secure. Just like BASF improves products behind the scenes, Symmetry enhances our entire data ecosystem invisibly, giving us unprecedented control and proactive security management.”
About Symmetry Systems
Symmetry Systems is the industry’s first hybrid cloud data security platform that safeguards data in AWS, GCP, Azure services, and on-premise databases while supporting a data-centric zero trust model. With Symmetry, security and compliance teams can address threats quickly through AI-driven data security posture management (DSPM). Symmetry provides visibility into data risks from excessive permissions and anomalous data flows while giving organizations the evidence required to demonstrate compliance best practices.
