Figure 2 – Files that contain sensitive data can be automatically encrypted by PK Protect
PK Discovery will scan all of your data sources simultaneously, using a single discovery query. It scans accurately, reliably, and at scale, leveraging a range of techniques that include pattern recognition, regular expressions, proximity matching, natural language processing, and machine learning. The inclusion of the latter is particularly notable, as a major problem with discovering sensitive data is that you can get a lot of false positives (and, less frequently but no less seriously, negatives). Machine learning has been incorporated into the product to address this issue by intelligently detecting false results, learning initially from sample data or from examples of false positives. Remediation workflows for false positives are also provided, as are various methods for addressing false negatives. Discovery results are displayed via customisable dashboards.
Following on from PK Discovery, PK Classification provides either manual or automated, policy-driven data classification, essentially determining and flagging the type of (sensitive) data that has been discovered. The classification process, notably, can apply to data stored in documents as well as more traditional sources. Third-party tagging and classification systems can also be incorporated into – and orchestrated from – the PK Protect suite, meaning that if you already have a system that works you don’t need to give it up to buy into PKWARE’s offering.
PK Masking provides static and dynamic data masking on structured data that exists either in place or in transit, and a low estimate puts the number of masking options at more than thirty. Unstructured data masking is supported via (either full or partial) redaction, and covers more than twenty file types that include images and emails. Similarly, PK Encryption offers file, email, and back-office encryption, and features both AES and format-preserving encryption as well as support for MIP (Microsoft Information Protection), HYOK (Hold Your Own Key) methodologies, and DKE (Double Key Encryption).
We have already mentioned that PK Privacy covers data retention and policy management. For the former, it offers DSAR (Data Subject Access Request) support and automation via the creation of an indexed inventory of individual identities and any associated data. The actual processing of requests is accomplished using a scheduling facility that allows requests to be run on a batch basis. Both hard and soft delete options are available in response to deletion requests. Enterprise-level data retention workflows are also provided.
For policy management, on the other hand, PK Privacy allows you to manage organisational policies that then feed into, orchestrate, and automate other PK Protect functionality. Data classification, for instance, uses your policies to determine what kind of tag (if any) to apply to your sensitive data, allowing you to manage multiple different types of sensitivity. Likewise, policies can be used to drive encryption, masking, and/or redaction, determining the encryption/masking algorithm and various other options in a consistent and centralised manner, allowing you to protect your sensitive data automatically, en masse, and persisting over any kind of data movement or copy process. Audit and monitoring capabilities provide policy-driven monitoring in real-time, and record who accessed data, when, where, and what they did with it. Many relevant policies (for GDPR, CCPA, PCI, HIPAA and so on) are provided out of the box, and you can also create your own. Alerts are available and actionable, display is via a persona-based dashboard, and monitoring capabilities include breach reporting.
Finally, it is worth bearing in mind that the discovery, masking, encryption, and classification capabilities described above can also be applied to endpoints using PEM. Moreover, each endpoint is equipped with an agent that is in communication with the central PK Protect installation. When a policy is changed as part of, say, PK Encryption, the change can be rapidly propagated to every agent, and thus every endpoint. This allows you to alter policies at the enterprise-level by making only a single, central change, and see the results come into effect immediately.