Sleep Soundly, Leaders! Datadog is Your Guardian
Unintentional Exposure
When financial companies, such as banks and stock markets, move to cloud systems, their sensitive private information can end up there unintentionally. To prevent accidental exposure and to comply with data-protection rules (such as those for credit cards and privacy), these companies often need to find where this private data sits in the cloud and be able to hide or remove it automatically, even at large data volumes.
Achieve Ultimate Security
One approach financial services companies are taking to meet this critical challenge involves utilizing tools like Datadog's Sensitive Data Scanner.
Datadog's Sensitive Data Scanner empowers organizations to achieve their security and compliance objectives by identifying, categorizing, and masking sensitive information within logs, traces, real user monitoring data, and events. This real-time, scalable scanning occurs as data enters the system or even before, using predefined or custom rules to hash or redact sensitive data. This helps businesses maintain compliance with regulations like GDPR, HIPAA, and CCPA.
This type of solution provides the functionalities required to manage data security in cloud environments, allowing DevOps and security teams to:
- Sensitive Data Discovery & Classification: Easily find and classify sensitive data (credit cards, bank details, PII) across logs, traces, RUM, and events – common leak locations.
- Compliance Mapping (PCI, GDPR): Intelligently map detected sensitive data to PCI-DSS and GDPR, providing immediate regulatory context.
- Pre-Ingest Data Redaction: Automatically redact sensitive info before it enters Datadog, crucial for preventing leaks and meeting PCI-DSS requirements.
Core Data Protection Strategies
a. Building a Scalable and Holistic Data Security and Compliance Strategy
- Precisely Define Scan Targets: Use filters to pinpoint exactly which data points across your logs, APM spans, RUM events, and other telemetry you want to monitor.
- Implement Proactive, Scalable Scanning: Scan your data in real time and at a scale that meets your needs to support a comprehensive strategy for preventing data loss.
- Redact Sensitive Data Pre-Egress: Utilize Observability Pipelines to identify and remove sensitive information before it exits your systems.
b. Gain Comprehensive Visibility into Sensitive Data
- Discover where sensitive data lives across cloud environments, such as AWS S3 and RDS instances.
- Quickly and easily prioritize sensitive data matches in the cloud and kickstart remediation efforts as needed.
- Correlate sensitive data issues with Cloud Security for contextualized vulnerability assessment.
c. Implement Standardized Sensitive Data Classification
- Classify sensitive data based on its content, source, or designated risk level.
- Standardize data classification across dev, ops, and security teams and across different cloud platforms and hybrid environments.
- Accelerate classification through out-of-the-box rules that capture common patterns, such as credit card numbers, API keys, tokens, AWS secret keys, and others.
d. Enforce Sensitive Data Protection and Access Control
- Redact sensitive data and monitor user activity to support data security initiatives.
- Scrub sensitive data with predefined scanners from Datadog’s Data Scanner Library or custom scanners.
- Manage who can access sensitive data by combining sensitive data scanning with Datadog’s fully integrated role-based access control (RBAC) permissions and restriction queries.
e. Enable Rapid Detection and Alerting of Sensitive Data Issues
- Quickly detect sensitive data issues with dashboards and alerts.
- Save time by scanning and tagging new hosts, containers, and applications as soon as they are spun up.
- Tag sensitive data to allow teams to create real-time alerts and build dashboards.