STEALTHbits Sensitive Data Discovery

As far as sensitive data discovery is concerned, this is a part of the company’s Data Access Governance solution, namely the StealthAUDIT product. It supports discovery against a comprehensive list of file systems, SharePoint and OneDrive, Exchange, Dropbox, Oracle and Microsoft SQL Server. On the company’s roadmap for release in early 2020 is support for Amazon S3, Box, Azure SQL and PostgreSQL. There is no support for NoSQL databases and, as can be seen, relational database support is limited. That said, STEALTHbits provides an App Catalog that provides connectors to sources not natively supported by the platform. These include connectors to PostgreSQL, MySQL, Salesforce, Office 365, Azure and others. There are facilities provided to develop your own connectors.

Fig 01 – STEALTHbits product suite

Sensitive data is discovered using various approaches but is primarily based on regular expressions (see Figure 2), keywords or both in combination. In addition, there is support for various checksum-based algorithms plus more than 350 pre-configured (customisable) criteria sets (see Figure 2). For relational data the software inspects the data rather than simply relying on column names. You can sample the data if appropriate. On the product’s roadmap are facilities such as distance measures (for example, a postal code must appear close to the name of city or town), custom validation routines, the use of metadata for context, and support for confidence levels.

Fig 02 – Discovering sensitive data using regular expressions

From an architectural perspective, STEALTHbits is typically implemented using proxy servers, as this enables better scalability than other approaches. The software also supports a focus on changes since you last ran a scan. There are facilities for raising alerts based on these changes.

Going beyond discovery per se, in order to comply with regulations such as GDPR or CCPA you not only need to know where personal data is stored but who owns it, who else has access to it and how they are using it. STEALTHbits is particularly strong in this area with comprehensive capabilities within its Data Access Governance solution. This includes not just its own reporting capabilities but also integration with products such as Tableau and Power BI. However, while STEALTHbits is strong when it comes to controlling access to and security over sensitive data it does not provide any masking or encryption capabilities to support anonymisation of personal data. It does offer integration with Microsoft Azure Information Protection for encryption purposes but for masking more generally you will need to make use of the company’s API support to access a third-party masking solution.

STEALTHbits’ background, as far sensitive data discovery is concerned, is primarily with respect to unstructured data and its security. For many years this has been the area of biggest concern around sensitive data. However, GDPR and CPPA are game changers: they have moved concern for the protection of sensitive (personal) data beyond unstructured data and into the realms of relational and NoSQL databases. This has resulted in data management vendors entering this space with much broader and more detailed support for structured data sources than is typically offered by STEALTHbits and its traditional competitors. Conversely, these companies do not have the strengths that STEALTHbits can offer with respect to unstructured data and, furthermore, they do not typically offer the sort of auditing and security capabilities that STEALTHbits does. Looking forward, users are going to want a single solution not two. The question, therefore, is whether STEALTHbits can expand its structured support – both in terms of breadth and capability – faster that the data management vendors can do the reverse?

The bottom line

If your priority is unstructured data then STEALTHbits is a vendor you should be talking to. If your issue with sensitive data is more about where it is and who has access to it and how, as opposed to masking or encrypting it then, again, you would do well to consider STEALTHbits.