March 6, 2023 · 5 min read

How to Use a PII Scanner to Protect Sensitive Data

Discover, classify, and protect the sensitive data in your organization at scale.

Protecting your customers' Personally Identifiable Information (PII) is critical to earning and keeping their trust. Unfortunately, this information can leak easily even when you have stringent security measures in place. In this article, I'll discuss implementing a PII scanner to redact sensitive data at scale across your organization.

Why do you need a PII scanner?

If you have customers, you likely deal with PII. PII is any information someone can use to identify an individual via either direct or indirect means.

This includes, but is not limited to:

  • Someone's full name
  • A unique identification number (a national ID, such as a US social security number; a driver's license number; credit card number, etc.)
  • Address, phone, or email
  • Personal characteristics, including fingerprints or handwriting
  • Biometric information
  • Unique property identifiers, such as Vehicle Identification Numbers (VIN)

Losing even a single customer's PII can have devastating personal consequences. Thieves can use PII to impersonate victims and steal their identity. They may even use such information to blackmail the victims.

PII scanner - categories of PII
Personally identifiable information is a broad category covering a wide spectrum of data.

You may already have procedures in place for protecting PII. For example, you use encrypted Web communications and control internal access to sensitive databases.

However, customers - and even staff - may also inadvertently expose PII through line-of-business tools. A customer may naively send their credit card information in an email message. Or a new customer service rep might ask a customer for their social security number over Slack.

Leaking PII through these tools can risk your compliance with various laws and standards, including PCI-DSS and HIPAA. But deleting or redacting such information by hand isn't scalable.

That's where a PII scanner comes in. A PII scanner can automatically find and instantly redact PII across your organization. It can find and safely store PII in various business tools, including email, cloud storage, support tickets, and system logs.

Set up a PII scanner

Let's see how you would set up a PII scanner for your organization. I'll use Strac as an example.

Configure a PII scanner to find sensitive data

The first step is to tell your PII scanner whether you want to detect or redact. Strac supports a simple drop-down option that lets you switch between Detect and Redact modes.

PII scanner - detect vs redact
Switch between Detect and Redact mode to try out your PII scanner before you implement it.

Use Detect mode to preview your changes and examine their impact on your line of business tools. Then, switch to Redact mode when you're sure you have your PII scanner fully configured.

Next, configure the categories of data your company seeks to redact.

PII scanner - configure the elements to redact
Configure the elements you need to redact in your PII scanner.

A robust PII scanner will provide a pre-configured list of elements across a set of broad categories. Here, we see that Strac, out of the box, can detect information such as:

  • Asset information
  • Contacts
  • Content moderation (profanity)
  • Device tracking information (device IDs)
  • Financial account information
  • ID information
  • Secrets (access/secret keys, API keys, other developer secrets)

In the screenshots and videos above, I'm setting global configuration options. Strac also supports setting individual configurations for each line-of-business product we monitor, including Microsoft 365, Slack, ZenDesk, Google Workspace, and more.

Discover your organization's sensitive data

The next step is to discover what sensitive data you have in your organization. A PII scanner should provide a single pane of glass from which you can review and assess, not just which data you've found, but on which applications customers or employees are sharing it.

Discover sensitive data elements by different filters

In the above clip, I can use the Strac dashboard to sort sensitive-information detections by several filters, including data element, author, and channel. I can see exactly how the data was sent (email, Slack channel, direct message, etc.). I can also see what type of secrets my organization is leaking and learn where our key problems lie.

You may also want to run proactive tests to ensure the scanner picks up elements you suspect might leak. For example, if you have a problem with developers sharing sensitive API key secrets via Slack, try sending a message in your commonly used API key formats. Then, check your dashboard to confirm the PII scanner detected it.

(Warning: Do not use actual sensitive information in these tests! Instead, configure a set of mock data that doesn't correspond to real credentials or user information.)
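As an added example that is not from the article or from Strac, here is a minimal scanner in Python that mirrors the two modes described above: detect() is Detect mode (report hits, leave the message untouched) and redact() is Redact mode (rewrite the message and move the original value to a stand-in for the secure store). It runs over constructed mock messages of the kind the warning recommends, built only from documented test values. The regex patterns, the Luhn check that drops card-shaped false positives, and the overlap handling are my own assumptions, not Strac's implementation.

```python
import re
# Patterns for some categories the article lists (financial account, ID, secrets).
# Constructed for this example; a real scanner ships far broader, validated sets.
PATTERNS = {
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "api_key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*[A-Za-z0-9_-]{16,}"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so a random 16-digit run (e.g. a ticket id) is not flagged as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 == parity else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect(message: str) -> list:
    """Detect mode: return (category, value, start, end) hits; text is untouched."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(message):
            if category == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # card-shaped digits that fail the checksum are not a card
            hits.append((category, m.group(), m.start(), m.end()))
    kept = []
    for h in sorted(hits, key=lambda h: (h[2], h[2] - h[3])):  # earliest, longest
        if not kept or h[2] >= kept[-1][3]:  # skip overlaps: redact each span once
            kept.append(h)
    return kept

def redact(message: str, vault: list) -> str:
    """Redact mode: rewrite the text; originals go to `vault` (secure-store stand-in)."""
    out = message
    for category, value, start, end in reversed(detect(message)):  # right to left
        vault.append((category, value))
        out = out[:start] + f"[REDACTED:{category}]" + out[end:]
    return out

# Constructed mock messages built from documented test values, never real data.
MOCK_MESSAGES = [
    "customer sent card 4111 1111 1111 1111 exp 12/26",
    "ticket 1234 5678 9012 3456 is still open",  # 16 digits but fails Luhn
    "his ssn is 123-45-6789 per the form",
    "deploy creds: AKIAIOSFODNN7EXAMPLE and api_key=mock0123456789abcdef",
]
```

Run detect() over MOCK_MESSAGES first to preview what would be touched, then redact() once the hits look right; the second message shows why a checksum matters, since a plain 16-digit pattern would otherwise redact a ticket number.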

Redact sensitive information at scale with Strac

Once you've perfected your filters, you can switch from Detect to Redact mode. Strac will then move from detecting sensitive information to removing it from the channel entirely and uploading it to a secure location.

PII scanner tools like Strac mean you can protect your customers - and your company - automatically and at scale. Strac is a machine learning security company powered by ex-Amazonians who collectively spent over 40 years building payment infrastructure for Amazon.

Want to dive deeper into Strac's features and capabilities? Book a demo today to see what we can do for you.

Founding Engineer. Ex-Amazon Payments Security Engineer for 10 years.
