Hello, my name is Jan. I'm currently the chief architect at Borneo, and here to the right you can see a picture of myself with my daughter on Borneo a couple of years ago, on one of our family vacations.

Borneo is a startup based in Singapore, but a large part of our engineering team is actually based in India. We have been building what we call the guardrails of the data economy since 2019. What do we mean by guardrails of the new data economy? Both myself as well as our CEO and founder Prithvi have been working at large-scale startups like Yahoo, Facebook and Uber prior to starting Borneo, and at these places we saw firsthand how these companies were amassing large amounts of user data, the inherent value in that data, but also conversely the risk associated with that data. So for example, if sensitive user data got leaked, it could potentially harm the reputation of the company and erode user trust. These companies were comparatively big and had large security teams, and had the resources and the skills to build their own custom solutions to protect the data of their users and make sure that it was protected adequately.

Really what we have set as our mission at Borneo is to build tools that empower companies of any size to protect their customer data and improve user trust. With the move to the cloud, every company nowadays is a data company, collecting large and rapidly growing sets of data. Not all startups have the same set of resources, skills or tools to build their own custom security solutions, and oftentimes this leads to what we call privacy debt, where potentially sensitive data is collected but it's not secured adequately: the right security measures are often not put in place, and this can lead to data breaches.
It can lead to other mismanagement of the data, which in turn can cause erosion of user trust, especially if some of that data becomes public.

The solution that we have built at Borneo basically allows our customers to gain real-time visibility, first of all, into their data sets. At the heart of Borneo is what we call our inspection engine. The inspection engine is capable of ingesting large amounts of data from various sources through a set of connectors, and is able to inspect that data and detect any kind of sensitive information. We call these sensitive info types. Examples would be passport numbers, credit card numbers, bank account numbers, but also just personal names, postal addresses, or really any other kind of personally identifiable information (PII), or financial information, or also healthcare or medical related data. Gaining visibility is oftentimes the first step to understanding where sensitive data is stored and what the right way to protect such sensitive data is.
So with the help of Borneo, security teams can more easily meet their customer data privacy obligations even with limited resources.

Today I wanted to talk about one example of how Borneo was able to help a customer of ours with a particular data privacy challenge. This customer is a large Indian fintech startup; they have been around for several years. They offer their own prepaid credit cards as well as, nowadays, digital wallets. Because they handle the aforementioned sensitive information, they have to comply with what's called the Payment Card Industry Data Security Standard, or PCI DSS for short. That is a large set of security best practices and security measures that any company that wants to process credit card data needs to comply with, and depending on the volume of your transactions you may have to undergo annual audits to prove that you are complying with these regulations. But really, similar challenges apply to any other kind of regulation, be it the General Data Protection Regulation in Europe (the GDPR), or similar laws in California (CCPA), PDP here in Singapore, or the upcoming regulation around sensitive data in India as well.

When it comes to managing compliance with such regulations, we can really break down that process into three high-level steps, and I like to call them de-scope, de-risk and document. The first step in this process is to identify which systems that make up your data infrastructure really handle the data that falls under this regulation.
In the case of PCI DSS, this would be cardholder data: the actual credit card number, the expiry date, as well as the three-digit or four-digit verification code and the cardholder name. Any system that stores or processes cardholder data needs to be considered in scope for PCI DSS and would have to comply with the numerous security requirements; there are about 200-plus security controls that are specified as part of the PCI Data Security Standard. That then is the second step: in order to mitigate the risk of handling such sensitive data, you now have to implement all of these security measures to ensure that this data is stored and processed securely and is not abused. And last but not least, it's not enough to just implement the required security measures. You also have to document if and how all of these security measures have been implemented, or other compensating controls.

Especially these last two steps can be quite resource-intensive tasks, depending on the size of the cardholder data environment, so really this first step of de-scoping is imperative, because any system that you can prove not to contain any cardholder data would not fall under the scope of PCI DSS and therefore would not require the same level of security controls to be put in place as specified by PCI DSS. So de-scoping is crucial in this process. But once again, you have to be able to document, to a PCI auditor for example, that the systems that you want to take out of scope really do not contain any cardholder data.

This Indian fintech company we're working with was already processing credit card data, so they were already compliant with PCI DSS, but they were processing such data in an on-prem system which they had built over the years. In order to solve a growing set of new use cases, and to make use of all the benefits that the public cloud brings, they are rapidly expanding their operations into the cloud. Now the challenge that they were facing is that they had to be able to prove to their PCI auditors, as part of their annual audit requirements, that all of that new data infrastructure in the AWS cloud did not contain any credit card data and was therefore out of scope for PCI compliance, because otherwise they would have to implement all of the same security measures across all of the cloud infrastructure, which would have been a very involved process.

They started by looking at their primary data stores in the cloud, which were a number of RDS MySQL instances, and were using Borneo to inspect the data in these MySQL instances. Basically what happens is Borneo will ingest data from every single table in each of these RDS instances and will inspect that data to determine what sensitive information, if any, is stored. So it will determine for each column what the info type of that column is: that could be an email address, or it could be an IP address, or it could be a timestamp, or of course it could be a credit card number and expiry date, or even a validation CVV code. That's exactly what this team wanted to prove: that their RDS MySQL instances do not contain such data. After performing the scan, which took just a couple of days, they had all the metadata about all of the sensitive info types and were able to slice and dice that, see exactly which of these tables were containing sensitive information, and then in the end also produce a detailed report about the kinds of sensitive information contained in these RDS instances. These reports actually did show that there was no credit card data in any of these MySQL instances. So with that, they were able to go to the PCI auditors and convince them that these systems were out of scope for PCI DSS compliance.

But unfortunately not all was good, because they had also used Borneo to scan their S3 buckets. They had dozens of S3 buckets, storing hundreds of thousands of terabytes of data in them, and unfortunately, within a few hours of starting these sample scans, Borneo had detected some credit card numbers in one of these buckets. That was the problem, because now they knew that they had credit card data in at least one of their S3 buckets, and then you need to find out why and clean up that data, because none of these buckets were supposed to contain any cardholder data. When Borneo first detected credit card data, it immediately raised an alert and also filed a ticket in the customer's JIRA, and this ticket contained quite a bit of context already, like specifically which file or which set of files had contained the data. It looked like these were some application logs that ended up in S3, but these files were quite large.
As you can maybe see in the screenshot, just as one example, there was a wallet log file which contained more than four gigabytes of data. So initially the engineering team was struggling a bit to pinpoint exactly where in this file the credit card numbers were found. Borneo had not detected a lot of credit card numbers: enough to be a problem, but not really a large amount. But still, in order to pinpoint the source of the problem, what the team did next is they again used Borneo to do a much more detailed full bucket scan. Initially they had only run sample scans, which just sample a small set of data from each bucket to get a general idea of what kind of sensitive information might be included in the bucket. But now they were running a full bucket scan, and these scans generate a very detailed result: a list of findings with every single token that was detected, including the line number as well as some other information about the context, like some keywords that were found close to the matched token that indicated the type of match, as well as column names in the case of CSV files, for example. These detailed findings helped the engineering team to locate the credit card numbers in the files, and then, based on the specific log entries, to also determine the root cause of what was causing the credit card numbers to get logged. As you can see here in this screenshot, what had happened is that one of the systems was expecting credit card numbers to be passed as an integer number, but instead the system was receiving the numbers as a formatted string, and that was causing a number format exception. It looks like this was some sort of error message from an ORM system or something like that.
The engineering team was able to pinpoint that and suppress these kinds of logs going forward, so going forward these logs will no longer contain credit card data.

All of this work had actually been done as part of a trial that this company was running with Borneo. In total it took about three weeks, and the main outcome for our customer was that they were able to fast-track their PCI compliance. Borneo was able to generate these reports and detail the findings within days, whereas otherwise it might have taken the team weeks to produce the required documentation to convince their PCI auditors to take their AWS cloud infrastructure out of scope for PCI compliance. Since then the team has started using Borneo's commercial version and is regularly using Borneo as a general privacy observability tool to monitor their data environment in the cloud. They have by now established a baseline, so they have a good idea of what information is expected in every single data store, and whenever Borneo finds any sensitive information that does not match their established baseline, Borneo will generate an alert, either sending them an alert in Slack or raising a ticket in Jira. With very minimal effort the security team can stay on top of their data security even as the application engineering teams are adding new resources; Borneo will automatically detect new resources and new data stores as they are added and automatically start monitoring them.

Going forward, what this team is now thinking about is how they can take this privacy observability and apply it to their whole application development lifecycle. So instead of only detecting such issues, where sensitive data is ending up in logs, once it hits production, why not scan the logs of pre-production systems, like a staging environment or even development environments, and look for such sensitive data there, so that issues can be detected early and remediated before they become a production issue? We like to call this application data privacy management, and it's just one of a suite of solutions that Borneo offers: from privacy observability to solutions for data investigations (for example, once you have detected a breach and want to know the impact of it), as well as PCI, GDPR and CCPA compliance solutions, as well as a next-gen DLP. In addition to monitoring your cloud infrastructure, Borneo also has a set of connectors for enterprise applications like Slack and GDPR, sorry, Slack or Jira or Google Drive, so you can also monitor data being exchanged through these enterprise applications and look for sensitive data as well as application secrets or passwords, for example, and alert either the security team or the compliance officers, depending on the specific use case.
I hope this gave you a good idea of what it takes to achieve PCI compliance at a very high level, and how Borneo can help with this as well as with other data security challenges. So thanks all for listening, and I'm happy to answer any questions you might have about Borneo or about the tech stack. Also, we are hiring for our team in India, so if any of you are looking for new opportunities to work with large data sets and an exciting set of technical challenges, feel free to reach out.

Hi folks, so I'm sure you had a chance to catch up on Jan Hacking's talk about how Borneo, a single platform for data security, privacy and governance, is helping hyper-growth companies across the globe, especially folks who are managing a lot of data, deal with this new problem of increasing volume, value and velocity of data, and how we are taking our learnings, practitioner learnings from the last two decades, and bringing them in a product form to a lot of companies and practitioners. I think Borneo's vision has always been to build very easy to use, accessible technologies to help secure user trust, right?
And what I mean by that is to help companies not just govern the massive volume of user data they're collecting, but also to help use it in a safe and compliant manner. The previous couple of years were based on taking this product to market and getting the learnings from mid to large companies, some of the global names in tech. I think the next part of our journey is how we can take these learnings and bring them to the masses, and what I mean by masses is the rest of the smaller companies who maybe don't have enough security people in the company to use products like this, or don't even have budgets. So one of the key things we are launching is an open source initiative, where we are taking part of our platform and getting it out in a traditional open source format, which means that it's open source licensed and everyone can download it and start using it for free. The idea there is, like I said, when we started the company our mission was to become the guardrails of the data economy, and the goal here is to make sure that we take our learnings and product and really make it for the masses. I'm super excited about the second phase of the journey and looking forward to getting as much feedback and support as possible from other security practitioners and compliance practitioners out there. Feel free to reach out to me at PR at Borneo.io or through our website if you have any feedback, or to help us make the product better, or even help us understand the problem better, right? Because I think we had a few hypotheses, but usually we are a company that loves to listen, learn, and then build based on what our customers or the audience want. Thanks again, and thanks to Hasgeek for this opportunity, for letting me share what we are trying to do on our journey. I'm super excited, and everybody in the company is working really hard to make the life of our customers and security practitioners easier every day.
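The full-bucket scan Jan describes reports every matched token with its line number and nearby context keywords, and the root cause was a formatted card number landing in a NumberFormatException message. The following is an added example, not Borneo's code: a small log scanner that finds Luhn-valid card numbers (plain or dash/space formatted), records line number and context keywords, and redacts them. The log lines, regex and keyword list are constructed for illustration; the card numbers are standard test numbers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a wallet service log (not real data): one line logs a
# formatted card number inside a NumberFormatException message, one logs a PAN
# as a field value, and two carry 13/16-digit numbers that are not card numbers.
LOG = """\
2023-03-01T10:15:02Z INFO  wallet.topup request_id=7f3a user=u-1001 ts=1700000000000
2023-03-01T10:15:02Z ERROR wallet.topup NumberFormatException: For input string: "4111-1111-1111-1111"
2023-03-01T10:15:03Z INFO  wallet.topup order_ref=1234567890123456 status=queued
2023-03-01T10:15:04Z WARN  card.bind card_number=5500000000000004 masked=false
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
KEYWORDS = ("card", "pan", "cvv", "expiry")  # hypothetical context keyword list

@dataclass
class Finding:
    line_no: int
    token: str                      # the token as it appeared in the log
    masked: str                     # only the last four digits kept
    keywords: list = field(default_factory=list)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_log(text: str) -> list:
    """Return one Finding per Luhn-valid PAN, with line number and context keywords."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                kws = [k for k in KEYWORDS if k in line.lower()]
                findings.append(Finding(line_no, m.group(), mask(digits), kws))
    return findings

def redact_log(text: str) -> str:
    """Mask every Luhn-valid PAN so the log can be retained or shared safely."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(repl, text)
```

Running `scan_log(LOG)` flags only lines 2 and 4; the 13-digit timestamp and the 16-digit order reference fail the Luhn check and are left untouched by `redact_log`.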