Redacting data in Zendesk
In our last blog about knowing your data, we talked about data ownership as a central piece of the data protection puzzle. Data Ownership is so critical to data security because our data footprints have continually expanded across various clouds, data stores, and, increasingly, SaaS tools. And as more tools are incorporated into processes, and integrated with other systems, sensitive customer and employee data can sprawl uncontrollably, making it paramount to monitor what data is stored in each system. When we talk to privacy and security leaders about what keeps them up at night, the lack of visibility into the data stored in SaaS tools is always near the top of the list.
There are many levels of risk when it comes to data protection in SaaS, depending on data ownership, how integrated the tool is with other production systems, who controls the data sent to that tool, and who has access to that data. In some cases, there isn’t much opportunity for PII and other sensitive data to make its way into external tools. Think of an outbound marketing tool like, say, Outreach. You need to store some personal data there, like names, emails, phone numbers, and the companies your prospective customers work at. But that data is either manually added by employees, or it’s syncing in from a CRM like Salesforce. Certainly a tool like Outreach comes with some data risk, but the inflow and outflow of PII is largely limited to a handful of structured data fields. You'd never find a passport number, bank account number, or blood type in Outreach.
On the other hand, there are some tools that allow companies much less control over what PII they collect, store, and display to employees, creating a dangerous unknown for security teams. On this side of the spectrum would be products that collect text-based data from employees and customers alike. Zendesk, the leading customer support product on the market, is a prime example of a SaaS tool that carries substantial risk for collecting, storing and displaying sensitive and personal data on a huge scale. Companies have almost no control over what information their customers and employees post, and many consumers fail to recognize the risk of sharing phone numbers, credit card information, home addresses, health information, and other data they should not be sharing in support tickets.
And as data breaches grow in frequency and scope, tools like Zendesk can be a key target for attacks. Just this month, a data breach was reported at mSpy, which exposed ten years worth of customer support tickets stored in Zendesk, impacting millions of customers. And while details of how the breach occurred remain fuzzy, the fallout may be enormous due to the contents of the tickets, including customer and employee names, email addresses, locations, IP addresses, and more. Had they been using Teleskope, mSpy could have easily redacted PII from ticket content, comments, and attachments, drastically reducing the scope of the attack.
Zendesk is well aware that their platform introduces serious data security risk, and in response to repeated pleas from customers has tried to address it by introducing a native redaction feature. But this technology is outside of Zendesk’s core competency, and the solution they have delivered does little to meet customer needs. Zendesk’s redaction is manual, meaning users with specific permissions have to manually highlight text they find within tickets or comments that should be removed. This is a deeply flawed solution, as it requires someone to stumble upon the violation, recognize it needs to be addressed, and report it or manually redact it. And sifting through thousands of tickets is inaccurate, unrealistic and unsustainable. Zendesk’s redaction feature also does not support redaction in attachments, can’t be applied to tickets created from external sources, and cannot proliferate redactions to integrated tools. Ultimately, Zendesk’s redaction feature is a partial solution which creates more work for tool admins, and does little to assure security and privacy teams that policies are being consistently enforced.
That’s why companies trust Teleskope to enforce data security and privacy policies in SaaS tools like Zendesk. With Teleskope’s Policy Maker, built on top of our proprietary data classification pipeline, you can enforce highly specific policies to ensure sensitive customer data is never stored and shared. Our intuitive UI lets you choose the tools you want to be covered by a policy, set a simple trigger like “a credit card number was found”, add additional filters like “ticket status = resolved”, and indicate whether you’d like Teleskope to redact that data automatically, or to include a human in the loop, who can approve the action. We’ll keep a log of policy actions, so you can track what’s being discovered and redacted, and from where.
Teleskope is on a mission to protect your data, wherever it is. Our integration list is growing, with similar features available in Google Workspace (Drive, Docs, Slides, Sheets etc.), Microsoft Onedrive, Slack, Jira and Salesforce. Are there other SaaS tools that you worry are storing PII? Let us know!
Introduction
Kyte unlocks the freedom to go places by delivering cars for any trip longer than a rideshare. As part of its goal to re-invent the car rental experience Kyte collects sensitive customer data, including driver’s licenses, delivery and return locations, and payments information. As Kyte continues to expand its customer base and implement new technologies to streamline operations, the challenge of ensuring data security becomes more intricate. Data is distributed across both internal cloud hosting as well as third party systems, making compliance with privacy regulations and data security paramount. Kyte initially attempted to address data labeling and customer data deletion manually, but this quickly became an untenable solution that could not scale with their business. Building such solutions in-house didn’t make sense either, as they would require constant updates to accommodate growing data volumes which would distract their engineers from their primary focus of transforming the rental car experience.
- list
- list
- list
- list
Continuous Data Discovery and Classification
In order to protect sensitive information, you first need to understand it, so one of Kyte’s primary objectives was to continuously discover and classify their data at scale. To meet this need, Teleskope deployed a single-tenant environment for Kyte, and integrated their third-party saas providers and multiple AWS accounts. Teleskope discovered and crawled Kyte’s entire data footprint, encompassing hundreds of terabytes in their AWS accounts, across a variety of data stores. Teleskope instantly classified Kyte’s entire data footprint, identifying over 100 distinct data entity types across hundreds of thousands of columns and objects. Beyond classifying data entity types, Teleskope also surfaced the data subjects associated with the entities, enabling Kyte to categorize customer, employee, surfer, and business metadata separately. This automated approach ensures that Kyte maintains an up-to-date data map detailing the personal and sensitive data throughout their environment, enabling them to maintain a structured and secure environment.
Securing Data Storage and Infrastructure
Another critical aspect of Kyte’s Teleskope deployment was ensuring the secure storage of data and maintaining proper infrastructure configuration, especially as engineers spun up new instances or made modifications to the underlying infrastructure. While crawling Kyte’s cloud environment, Teleskope conducted continuous analysis of their infrastructure configurations to ensure their data was secure and aligned with various privacy regulations and security frameworks, including CCPA and SOC2. Teleskope helped Kyte identify and fortify unencrypted data stores, correct overly permissive access, and clean up stale data stores that hadn’t been touched in a while. With Teleskope deployed, Kyte’s team will be alerted in real time if one of these issues surfaces again.
End-to-End Automation of Data Subject Rights Requests
Kyte was also focused on streamlining data subject rights (DSR) requests. Whereas their team previously performed this task manually and with workflows and forms, Kyte now uses Teleskope to automate data deletion and access requests across various data sources, including internal data stores like RDS, and their numerous third-party vendors such as Stripe, Rockerbox, Braze, and more. When a new DSR request is received, Teleskope seamlessly maps and identifies the user’s data across internal tables containing personal information, and triggers the necessary access or deletion query for that specific data store. Teleskope also ensures compliance by automatically enforcing the request with third-party vendors, either via API integration or email, in cases where third parties don’t expose an API endpoint.
Conclusion
With Teleskope, Kyte has been able to effectively mitigate risks and ensure compliance with evolving regulations as their data footprint expands. Teleskope reduced operational overhead related to security and compliance by 80%, by automating the manual processes and replacing outdated and ad-hoc scripts. Teleskope allows Kyte’s engineering team to focus on unlocking the freedom to go places through a tech-enabled car rental experience, and helps to build systems and software with a privacy-first mindset. These tangible outcomes allow Kyte to streamline their operations, enhance data security, and focus on building a great, secure product for their customers.
from our blog