Overview
Francis Crick Institute is a biomedical research center in London that opened in 2015. The institute is a partnership between six of the world’s leading biomedical research organizations: Cancer Research UK, Imperial College London, King’s College London (KCL), the Medical Research Council, University College London (UCL), and the Wellcome Trust. Its more than 1,500 scientists and staff work to understand why disease develops and to find new ways to diagnose, prevent, and treat a range of illnesses, such as cancer, heart disease, stroke, infections, and neurodegenerative diseases.
Gareth Butler, Senior Infrastructure Architect, and Paul Hajisavvi, Senior Systems Administrator, at Francis Crick Institute are responsible for IT infrastructure and support the underlying technology that drives the business. That includes helping manage sensitive data risk. “The General Data Protection Regulation (GDPR) formalized a lot of requirements previously under the UK’s Data Protection Act and gave users more rights over their own personally identifiable information (PII),” said Butler. “Thus, our organization needed to establish a baseline of what PII data we had and where it was located. With Rubrik Sonar, we get that clarity and can now provide management – with confidence – the information needed for audits or regulatory bodies.”
Challenges
- Time-consuming manual processes that decreased productivity
- Lack of global visibility across entire environment, resulting in blind spots
- Inability to continuously monitor sensitive data exposure via a central dashboard
Results
- Significant time savings for search queries (mins vs. hours to weeks)
- Identified over 50,000 files with at-risk data
- Minimized exposure risk with identification of unauthorized repositories of financial data
Challenges
GDPR was a major driver for Francis Crick Institute to begin their data governance journey. “When GDPR came in, many organizations were not prepared. Our conversations around preparing for GDPR focused on gaining clarity in what sensitive data we have. We conducted an initial assessment at that time, but how do we monitor all the hundreds of servers we are running?” said Hajisavvi. “Anyone can store PII data anywhere, and we can potentially be exposed if access is granted to external parties, such as to personal data or to employee data. We wanted to ensure we are always protected and understand what we have and where at all times.”
Solutions
Increasing confidence in compliance by eliminating manual processes
Prior to deploying Sonar, Francis Crick did not have a solution in place to discover and classify what types of PII data it had. “It was a manual approach. It would be very difficult to gather the same information we see today with Sonar. We had a number of audits over the years and could say where we expected PII data on particular systems, such as HR systems. However, with Sonar, we can now automate a lot of those processes,” said Butler. “Prior to Sonar, we would have to wade through lots of documents to find the specific data we wanted. With Sonar, we now have both the macro and micro view of our sensitive data and can pinpoint a specific location within a file without wasting time sifting through hundreds of documents.”
Francis Crick Institute is using Sonar’s pre-defined templates and analyzers to scan for UK PII data. They have seen success in identifying locations with sensitive data, such as national insurance numbers, patents, and passport numbers. “Sonar highlighted areas where we knew we had PII data, giving us confidence in the baseline we have already established and in the product’s performance. Moving forward, it will flag anything that may be unauthorized so that we can investigate and remediate,” said Butler.
“One example is Sonar showed that a web server used for uploading documents, such as those used in procurement, was holding on to those documents in an upload folder. That was an alarm bell and highlighted thousands of documents that might be at risk. We were able to recommend mitigation steps to the server owner in order to minimize that exposure risk,” said Hajisavvi.
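The two passages above describe what a sensitive-data scanner does in practice: apply a pattern for a UK identifier (here, a National Insurance number), validate it against the published format rules so look-alikes are not reported, and walk a location such as a web server's upload folder reporting the file, line and column of each hit. The following is an added illustration of that technique; it is not Rubrik Sonar's code and makes no claim about how Sonar's analyzers are implemented. The NINO format rules (disallowed first and second letters, unallocated prefixes, suffix A–D) are taken from the HMRC published format and applied here as assumptions; the sample files are constructed for the demo. The report deliberately masks the digits so that the scan output itself does not become another copy of the PII.

```python
"""Illustrative UK National Insurance number (NINO) scanner for an upload folder.

Added example, not Rubrik Sonar's code. Shows pattern matching plus format
validation, and location reporting (path:line:column) with the digits masked.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Candidate pattern: two letters, six digits, suffix A-D. NINOs are often
# written with spaces ("QQ 12 34 56 C"), so allow one optional space per gap.
_NINO_RE = re.compile(
    r"\b([A-Za-z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-Da-d])\b"
)

# Format rules as published by HMRC (assumed here; there is no checksum digit).
_BAD_FIRST = set("DFIQUV")
_BAD_SECOND = set("DFIOQUV")
_UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 1-based line number
    column: int    # 1-based column of the match start within that line
    masked: str    # prefix and suffix kept, digits masked: the report holds no PII


def normalise(candidate: str) -> str:
    """Strip spaces and upper-case so 'ab 12 34 56 c' and 'AB123456C' compare equal."""
    return re.sub(r"\s+", "", candidate).upper()


def is_valid_nino(candidate: str) -> bool:
    """True only if the candidate satisfies the NINO format rules, not just the regex."""
    n = normalise(candidate)
    if not re.fullmatch(r"[A-Z]{2}\d{6}[A-D]", n):
        return False
    if n[0] in _BAD_FIRST or n[1] in _BAD_SECOND:
        return False
    if n[:2] in _UNALLOCATED_PREFIXES:
        return False
    return True


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per validated NINO, with its line and column."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _NINO_RE.finditer(line):
            if is_valid_nino(m.group(0)):
                n = normalise(m.group(0))
                findings.append(Finding(path, lineno, m.start() + 1, n[:2] + "*" * 6 + n[8]))
    return findings


def scan_directory(root: str, max_bytes: int = 10 * 1024 * 1024) -> List[Finding]:
    """Walk a directory (e.g. a web server's upload folder) and scan each text file."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large files; a real scanner would stream them
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return findings


def demo() -> List[Finding]:
    """Constructed sample upload folder: one genuine-format NINO, two look-alikes
    that a bare regex would flag but the format rules reject."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "procurement_form.txt"), "w") as fh:
            fh.write("Supplier contact: J. Smith\nNI number: AB 12 34 56 C\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("ref QQ123456C is a test value\nBG123456A is an unallocated prefix\n")
        return scan_directory(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}:{f.column} {f.masked}")
```

Running the demo reports only the procurement form, at line 2, column 12, as `AB******C`; the two look-alikes in the notes file are rejected by the format rules. Pattern matching alone is what produces the noise a manual review has to wade through; the validation step and the precise location are what let the finding be handed to a server owner as an actionable item, as in the upload-folder case above.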
The Results