PKWARE PK Protect

The PK Protect suite includes two principal offerings: PK Protect Endpoint Manager (PEM) and PK Protect Data Store Manager (DSM). Both offerings are equipped with a collection of subproducts – namely PK Discovery, PK Masking, PK Encryption, and either PK Privacy (covering policy management and data retention, only available in DSM) or PK Classification (only available in PEM) – that serve to find and protect your sensitive data, as well as extensive reporting functionality, including dashboards, access monitoring, auditing and so on. The chief difference between them is that PEM operates on endpoints and user devices while DSM operates on databases, data lakes, cloud sources, packaged applications, and so on. The latter is also able to work with structured, semi-structured and unstructured data.

Figure 1 – Prebuilt discovery templates in PK Protect

Customer Quotes

“[PKWARE] was a perfect match for us, with the ability to scale globally and solve different use cases, providing us with the insights and capabilities to manage our data going forward.”
Western Union

“[PKWARE] provides industry standard algorithms for data masking and encryption. Data is not ported across the network, as the data masking and encryption happen at the source server. Hence, it zeroes down the data-loss related issues. And the application UI is user-friendly, the development effort is almost seamless, and it is very easy to do the configurations and task creations.”
Great Eastern Assurance

PK Discovery will scan all of your data sources simultaneously, using a single discovery query. It scans accurately, reliably, and at scale, leveraging a range of techniques that include pattern recognition, regular expressions, proximity matching, natural language processing, and machine learning. The inclusion of the latter is particularly notable, as a major problem with discovering sensitive data is that you can get a lot of false positives (and, less frequently but no less seriously, negatives). Machine learning has been incorporated into the product to address this issue by intelligently detecting false results, learning initially from sample data or from examples of false positives. Remediation workflows for false positives are also provided, as are various methods for addressing false negatives. Discovery results are displayed via customisable dashboards.

Figure 2 – Files that contain sensitive data can be automatically encrypted by PK Protect

Following on from PK Discovery, PK Classification provides either manual or automated, policy-driven data classification, essentially determining and flagging the type of (sensitive) data that has been discovered. The classification process, notably, can apply to data stored in documents as well as more traditional sources. Third party tagging and classification systems can also be incorporated into – and orchestrated from – the PK Protect suite, meaning that if you already have a system that works you don’t need to give it up to buy into PKWARE’s offering.

PK Masking provides static and dynamic data masking on structured that exists either in-place or in-transit, and a low estimate puts the number of masking options at more than thirty. Unstructured data masking is supported via (either full or partial) redaction, and covers more than twenty file types that include images and emails. Similarly, PK Encryption offers file, email, and back-office encryption, and features both AES and format-preserving encryption as well as support for MIP (Microsoft Information Protection), HYOK (Hold Your Own Key) methodologies, and DKE (Double Key Encryption).

We have already mentioned that PK Privacy covers data retention and policy management. For the former, it offers DSAR (Data Subject Access Request) support and automation via the creation of an indexed inventory of individual identifies and any associated data. The actual processing of requests there is accomplished using a scheduling facility that allows requests to be run on a batch basis. Both hard and soft delete options are available in response to deletion requests. Enterprise-level data retention workflows are also provided.

For policy management, on the other hand, PK Privacy allows you to manage organisational policies that then feed into, orchestrate, and automate other PK Protect functionality. Data classification, for instance, uses your policies to determine what kind of tag (if any) to apply to your sensitive data, allowing you to manage multiple different types of sensitivity. Likewise, policies can be used to drive encryption, masking, and/or redaction, determining the encryption/masking algorithm and various other options in a consistent and centralised manner, allowing you to protect your sensitive data automatically, en masse, and persisting over any kind of data movement or copy process. Audit and monitoring capabilities provide policy-driven monitoring in real-time, and record who accessed data, when, where, and what they did with it. Many relevant policies (for GDPR, CCPA, PCI, HIPAA and so on) are provided out of the box, and you can also create your own. Alerts are available and actionable, display is via a persona-based dashboard, and monitoring capabilities include breach reporting.

Finally, it is worth bearing in mind that the discovery, masking, encryption, and classification capabilities described above can also be applied to endpoints using PEM. Moreover, each endpoint is equipped with an agent that is in communication with the central PK Protect installation. When a policy is changed as part of, say, PK Encryption, the change can be rapidly propagated to every agent, and thus every endpoint. This allows you to alter policies at the enterprise-level by making only a single, central change, and see the results come into effect immediately.

Before Dataguise was acquired by PKWARE, we were considerably impressed with its combination of security and privacy capabilities, its broad range of supported data sources, and its implementation of machine learning to address false positives. We are glad to say that this has not diminished with its acquisition: in fact, its integration into PK Protect has clearly created something that is stronger than its previous incarnation, as its techniques for discovery and protection can now readily be applied to endpoints.

This is a big deal. By discovering sensitive data on endpoints, you can find – and thence remediate – all copies of your sensitive data, even if some or all of them reside on user PCs. This is particularly pertinent for spreadsheets and other End-User Computing (EUC) assets, which can frequently get shared around between end users irrespective of the (often highly sensitive) contents within. The products ability to discover and remediate on emails (automatically, as they are sent out) may also be useful for this, given that it acts as the primary means for end users to share the files in the first place.

The Bottom Line

PKWARE, like Dataguise before it, should be identified as a leader in the market for identifying and protecting sensitive data, especially on endpoints but also in general.