Over the last two years at Sumo Logic we have been preparing heavily for the European Union (EU) General Data Protection Regulation (GDPR), in a steady march toward D-Day, also known as May 25, 2018, the day GDPR becomes enforceable. Not only did we need to put the proper controls in place at Sumo Logic to meet GDPR requirements; we also saw it as our duty to do everything in our power to help our customers determine whether, and how much of, their data is considered sensitive, and what that means not just for GDPR but for all privacy and compliance concerns.
As part of this, we built a mature privacy program, then hired a dedicated Data Protection Officer (DPO) and finally worked on our Data Protection Addendum (DPA). We managed to execute on all of our goals and were feeling good about our progress, but had to stop and ask ourselves a serious question: were we detecting as much of the personally identifiable information (PII) in our customers' data as we could?
If we were truly going to build and implement a “privacy by design” program, it would be imperative to do PII checks across all data sources to address Article 4 of GDPR (which defines personal data) and, more broadly, any existing or new privacy regulation affecting organizations across the globe.
Announcing Sumo Logic Privacy & GDPR Dashboards
In order to make sure we were detecting as much PII as possible, and so best serving our customers, we turned to the Sumo Logic platform and created a custom GDPR privacy dashboard. We will be showing demos of these dashboards at the Sumo Logic booth (4516, North Hall) during RSA Conference 2018 in San Francisco next week.
I tasked one of our DevSecOps engineers, Michael Halabi, with collaborating with some technical field resources to produce an application that could be used at the DPO level as well as at the technical level, with drill-down capabilities to dig deeper into the data. We started by looking for IP addresses originating in Europe and combining them with email addresses, national ID numbers and, for the U.S., Social Security Numbers.
The information we got back was extremely useful in mapping PII. Below is a sample high-level dashboard showing IP hits by geographic location; what makes it more interesting is the combination of German IDs and email addresses associated with those users. The dashboard also gives users recommendations on remediation, such as blocking, masking or hashing the data, to keep PII from being ingested.
The privacy dashboards are intended to cast a wide net so that you can gain visibility into what, if any, sensitive information exists in your relevant data. The dashboards come with filters that allow you to search for common keywords, patterns, PII and other privacy-related types within the data sets the application is installed against.
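To make the pattern-matching and remediation described above concrete, here is an added example in Python, not Sumo Logic's own code or query language. It scans a few constructed log lines for the PII classes the post names (email addresses, U.S. Social Security Numbers and IPv4 addresses), tallies hits, and shows the two remediations the dashboards recommend: masking (irreversible) and hashing (keyed, so the same value still correlates across lines). The regular expressions are simplified assumptions, and national ID numbers are left out because their format differs by country; the log lines and the key are made up for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Simplified, assumed patterns for the PII classes discussed in the post.
# They are illustrative, not Sumo Logic's own definitions.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Constructed sample log lines (documentation IP ranges, fictitious people).
LOGS = [
    "2018-04-10T12:00:01Z host=web-01 src=203.0.113.45 user=anna.schmidt@example.de login ok",
    '2018-04-10T12:00:02Z host=api-02 src=198.51.100.7 msg="profile update ssn=123-45-6789"',
    "2018-04-10T12:00:03Z host=web-01 src=10.0.0.5 healthcheck",
]


def find_pii(line):
    """Return [(kind, value), ...] for every PII match in one log line."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            hits.append((kind, m.group(0)))
    return hits


def summarize(lines):
    """Count hits per PII class across a batch of lines (the dashboard view)."""
    counts = Counter(kind for line in lines for kind, _ in find_pii(line))
    return dict(counts)


def mask(line):
    """Masking: replace each match with a fixed placeholder. Irreversible,
    and the masked values can no longer be correlated with each other."""
    for kind, rx in PATTERNS.items():
        line = rx.sub(f"<{kind}-masked>", line)
    return line


def pseudonymize(line, key):
    """Hashing: replace each match with a keyed hash (HMAC-SHA256).
    The same value always maps to the same token, so investigations can still
    group events by user, but without the key an attacker cannot simply hash
    guessed emails or SSNs to reverse the tokens (a plain SHA-256 would allow that)."""
    def repl(m):
        digest = hmac.new(key, m.group(0).encode(), hashlib.sha256).hexdigest()
        return f"<pii:{digest[:16]}>"
    for rx in PATTERNS.values():
        line = rx.sub(repl, line)
    return line


if __name__ == "__main__":
    print("hits per class:", summarize(LOGS))
    for line in LOGS:
        print("masked:      ", mask(line))
        print("pseudonymous:", pseudonymize(line, b"example-key-keep-secret"))
```

The choice between masking and keyed hashing is a policy decision: masking is the safer default when the value is never needed again, while keyed hashing preserves the ability to count distinct users or trace one user's activity through the logs. Note that the example treats every IPv4 address as a hit, including the internal 10.0.0.5; in practice a filter for private ranges and a geolocation step would sit in front of this scan so that only customer-facing addresses are flagged.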
Let’s take a deeper look at a specific use case for the Sumo Logic privacy dashboards. Say our DPO, Jen Brown, wants more detail on the German IPs. Our privacy and security analysts can dig into the dashboard to glean additional details on the German IDs, source hosts and source categories.
Here is an example drill down from the main dashboard that Jen can use to account for our data and make sure it is relevant to our business.
One important aspect of GDPR for all organizations is to make sure they clearly understand how their log vendors are accounting for their data — sensitive PII or not.
The example I provided is an internal one of the Sumo Logic operations and security operations center (SOC) data, but what are folks out there doing with security analytics tools besides driving a DPA? How do they really know if and what kind of PII is being passed via logs?
My team has been using these dashboards at Sumo Logic, and we will continue to run them internally in order to understand what data is passing through our systems, and I am excited to be displaying these at RSA.
As part of the company’s overall commitment to delivering a cloud security analytics platform for today’s world of modern applications and cloud, we will be releasing these privacy dashboards to customers in a beta program in summer 2018.
Stay tuned for more developments coming from the Sumo Logic team and be sure to stop by our booth at RSA next week (North Hall 4516) to say hi and to check out a demo of the privacy dashboards.
We will also be showing our latest cloud security analytics platform capabilities, including a cloud security investigation workflow that lets customers identify and resolve complex investigations across the full application stack and cloud infrastructure in minutes, as well as enhanced threat intelligence visibility through CrowdStrike and Amazon Web Services (AWS) GuardDuty integrations.
If you want to read more about Jen Brown’s insights on what it means to be a DPO, and how she has helped Sumo Logic and other organizations improve their GDPR and overall privacy readiness plans, check out her article in Dark Reading.
Come to our RSA GDPR Pre-Party
Lastly, if you want to further explore the GDPR galaxy, register for Sumo Logic’s pre-RSA party for a flash Q&A with Jen Brown and myself! It’ll be a great networking opportunity and we’ll also have a bourbon tasting, appetizers, an expert security lounge with sneak peeks of Sumo Logic’s new cloud security analytics solution, and GDPR survival swag.