TrueVault announced on Aug. 16 that it is expanding its namesake platform to help organizations keep personally identifiable information safe and in compliance with multiple regulations, including the European Union's General Data Protection Regulation and the upcoming California Consumer Privacy Act.
The TrueVault platform provides an API by which PII can be hidden from plain sight, making it more difficult for an attacker to exploit. With TrueVault, PII is tokenized in a manner that looks to isolate and secure critical information that is subject to compliance requirements.
"We're expanding to cover all personal data regulations, and we're expanding use cases beyond just health care to anywhere that data lives, including data warehouses and machine learning data sets," Jason Wang, founder and CEO of TrueVault, told eWEEK.
Founded in 2013, TrueVault previously focused just on health care information and compliance with the Health Insurance Portability and Accountability Act (HIPAA). The EU's GDPR, which came into effect on May 25, put specific requirements on organizations to ensure that PII is protected. CCPA is a similar effort and is set to come into effect on Jan. 1, 2020.
TrueVault provides its customers with a secure place to store PII that is collected, according to Wang. The use case is similar to how organizations use third-party payment processing systems like Stripe, where credit card information is not handled by the merchant, making it easier to be compliant with Payment Card Industry Data Security Standard (PCI-DSS) requirements.
The TrueVault platform is a cloud-based offering. Wang said that data warehouses typically ingest data directly, regardless of whether the data has PII in it or not. With TrueVault, the data is first filtered, with all the PII striped out and replaced with a tokenized placeholder for the removed record. The PII is then safely stored in TrueVault, he said.
"Every record is individually encrypted, and every time the record is updated, we re-encrypt the data again," Wang said.
In addition, TrueVault layers in authentication and access control on top of the encrypted data, he said. So before any PII can be retrieved from TrueVault, the user needs to be authenticated based on role and context to further verify access. Data encryption key management is typically a concern and a challenge, but Wang said TrueVault manages all the keys on behalf of customers to make the platform more usable.
"When we talk to customers, they tell us they don't want to own the keys and they really want to completely externalize the liability to a third-party vendor like TrueVault," he said.
The ability to search on encrypted data is typically a challenge for many organizations. Wang said TrueVault has a secure search API that enables an organization to search for data that they have stored.
TrueVault is positioning its platform to help organizations meet compliance requirements for PII. Wang explained that as part of the onboarding process for a new customer, TrueVault asks what compliance regulations the customer is trying to meet.
"We help organizations to determine what personally identifiable information needs to be in TrueVault and how to set up their infrastructure so they can be in compliance," he said.
What TrueVault generally recommends to customers is to pseudo-anonymize all their personal data, according to Wang. He added that the goal is to de-couple identity from behavior, where the customer handles the behavior data and TrueVault stores the identity.
There are multiple vendors, including Baffle and Enviel, among others, that provide encryption platforms for data in use. Wang said TrueVault is focused on PII compliance requirements. He added that typically in new engagements, customers are evaluating whether or not they should build a secure PII data storage capability on their own.
Currently, TrueVault helps organizations protect PII, Wang said. Looking forward, he said TrueVault is looking to help organizations also discover what PII they already have.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.