IBM is set to announce the release of its new Guardium Analyzer security tool on June 5 to help organizations identify and protect sensitive personal information that might be subject to the European Union's (EU) General Data Protection Regulation (GDPR).
GDPR is all about keeping personal end-user information private, but not all organizations always know where sensitive information is stored within their organization. The new Guardium Analyzer tool is a Software-as-a-Service (SaaS) offering designed to identify and classify personal information that an organization is storing within databases.
"IBM Security Guardium Analyzer is a new stand-alone service that is built specifically for GDPR compliance, and is the first software-as-a-service offering in the Guardium data security and protection portfolio," Leslie Wiggins, Product Manager at IBM Data Security, told eWEEK. "While it is a completely new product, we applied best practices from our existing data security portfolio during the development of the service."
GDPR enforcement officially began on May 25, though an IBM study released on May 6 reported that the majority of organizations would not be compliant with the deadline. Wiggins commented that despite the deadline, many companies are still fairly early on in their journey to GDPR compliance.
"Finding and classifying sensitive the data that falls under GDPR jurisdiction is one of the early steps needed on the roadmap to GDPR compliance, yet this is also one of the biggest challenge areas for companies," Wiggins said. "Having a tool that allows companies to efficiently find and keep track of this data on an ongoing basis not only meets a big demand that we see in the market currently but will also be an important part of compliance efforts in the long term."
Part of the Guardium Analyzer tool is a technology that IBM refers to as a next generation classification engine. Wiggins explained that historically, the IBM Security Guardium Data Protection portfolio has used a combination of catalog-based search, plus data sampling search. She added that the next-generation classification engine that IBM is using for data classification in Guardium Analyzer is based on a different technology that was developed by IBM Research and that has been used in other existing IBM products, including IBM Watson offerings.
"The new classification engine in Guardium Analyzer extracts data from a table, crawls it, and finds patterns that have been identified as personal or sensitive personal data," Wiggins said. "The service also uses specific pre-built patterns developed for GDPR personal and sensitive data –for example, faith, personal identification numbers, and other qualifiers."
From a GDPR auditing perspective, Wiggins said that Guardium Analyzer is able to find and assess the quantity of GDPR-relevant data in different databases. She noted that based on risk scoring, a prioritized list of databases that may be most at risk of failing a GDPR audit is presented to the users, with specific remediation recommendations to help them reduce risk.
"This is a fundamental step to support the Data Protection Impact Assessment component of GDPR, but Guardium Analyzer also provides a foundation for Records of Processing Activities requirement—for example, by showing which countries GDPR-relevant data is located in," Wiggins said.
Delivered as software as a service
A a cloud-based service, Guardium Analzyer is remotely scanning an organization's data. Wiggins emphasized that Guardium Analyzer does not move any personal or sensitive personal data to the cloud and no GDPR-relevant data is processed in or transmitted to the Guardium Analyzer cloud service.
"To scan the databases for GDPR-relevant data and for database vulnerabilities, Guardium Analyzer uses a data connector called the IBM Security Guardium Data Connector," Wiggins said. "The Data Connector allows clients to connect to their databases to do that scanning, though nothing is installed on the actual database servers."
Wiggins explained that the Data Connector scans for GDPR-relevant data and vulnerabilities within the databases, but only the metadata and insights from the data are sent to the cloud-based Guardium Analyzer dashboard. She added that all communication with Guardium Analyzer is initiated by the Data Connector and the Data Connector itself does not accept incoming requests from the outside world.
At this point, Guardium Analyzer is targeted for GDPR compliance, although Wiggins noted that in the future, the tool could potentially be extended for other compliance needs.
"The data classification engine may be customized, so if clients have specific, reliable data classification patterns or rules that they would like to import and add to Guardium Analyzer, they could enrich the service to support additional regulations," she said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.