Enhancing privacy- and security-by-design with TerraTrue’s Data Catalog

Written by the Data Catalog Development Team

A Data Catalog enables analysts, engineers and product managers to maintain a live inventory of the types of data an organization stores in their enterprise product or SaaS application. This valuable tool serves multiple purposes, including enabling data discovery in the organization, providing a basis for data governance, tracking data lineage, and so on, presenting a data-centric view that fuels product innovation.

Earlier this year, TerraTrue released a Data Catalog component within our core application, extending our vision of bringing product and trust (privacy and security) teams closer together for our customers. Authorized users can use the Data Catalog to set up connections to different data sources and view the types of data (metadata) they store from right within their trust-by-design workflow platform. This enhanced visibility allows privacy and security teams to:

• Quickly identify personal data, including high-risk data like financial records and biometric information, to confirm that it is processed appropriately.
• Identify ungoverned data and check on the right exposure of this data – e.g. should sensitive data be stored in unaltered form in a data warehouse used for aggregate analytics and reporting purposes?
• Know what data an organization has and where it is stored and managed to validate compliance with privacy regulations.
• Provide privacy professionals with visibility into their organization’s data systems, equipping them with a self-serve ability when they have questions about the types of data any of their systems contain.
  

Our foundational release of Data Catalog resonated well with both our prospective and current customers, who appreciated the benefit of an automatically maintained, live data map within their enterprise privacy tool. Today, we are thrilled to announce an update to the Data Catalog that will make on-going privacy compliance even easier to manage: Launch Triggers.

Launch Triggers can automatically initiate privacy and security review processes when the Data Catalog detects predefined changes to customers’ data maps and storage systems. These processes can notify relevant review teams and automatically capture all required observations and remediations in a streamlined experience. TerraTrue’s Data Catalog now goes well beyond the search and browse functionality that typical catalog solutions expose to an enterprise, facilitating an actionable flow for privacy professionals.

Privacy and security teams can now quickly react to changes in their data storage systems by ensuring that any mandatory reviews and assessments were completed and that all relevant stakeholders have approved the changes. This ability helps privacy and security teams validate that products and features are developed in line with the advice provided by their proactive privacy- and security-by-design processes.

TerraTrue’s Data Catalog can also be used to detect data processing that may have been overlooked at the time of feature design due to organizational challenges, such as complex product team structures in enterprise organizations, rapidly evolving product capabilities in fast-moving organizations, or organizations that are still at a relatively early stage in developing their privacy and security programs. Triggered launches provide an important check-and-balance to minimize any gaps in privacy and security review coverage.

Here are a few examples of events TerraTrue customers identify using Launch Triggers to strengthen their privacy and security programs:

Any new use of a specific data type: A customer wants

The first use of a known data type in a new data source. The customer already stores Social Security numbers of their users in PostgreSQL. They would like to detect the first appearance of this data type elsewhere, like in Snowflake, which is used for analytics and reporting. This observation allows review teams to determine whether SSN needs to be stored in Snowflake and, if so, that proper access controls are in place.

New appearance of a specific data type in the customer’s environment. The customer wants to create a shadow database instance for benchmarking the performance of the production database. A shadow database instance can store production data, but the load testing does not require precise location information of the users. The customer chooses the “Instance” scope in the launch trigger for the new appearance of location data in that database server. During review, the customer considers using hardening techniques like anonymization or minimizing the granularity of the location data in the shadow instance, to lower the risk of accidental abuse with precise location info.

We are eager to continue building upon the early success of Data Catalog as we continue to learn from customers how Launch Triggers can improve their privacy and security programs. Stay tuned for even more data source support, greater automation, and a deeper integration with our core review platform.

If you’d like a demo of TerraTrue’s Data Catalog and Launch Triggers, please fill out this form.