Significant time savings for search queries (mins vs. hours to weeks)

50,000+ files identified with at-risk data

Minimized exposure risk of unauthorized repositories of financial data

Overview

Francis Crick Institute is a biomedical research center in London that opened in 2015. The institute is a partnership between six of the world’s leading biomedical research organizations: Cancer Research UK, Imperial College London, King’s College London (KCL), the Medical Research Council, University College London (UCL), and the Wellcome Trust. The institute has over 1,500 scientists and staff working to understand why disease develops and to find new ways to diagnose, prevent, and treat a range of illnesses, such as cancer, heart disease, stroke, infections, and neurodegenerative diseases.

Gareth Butler, Senior Infrastructure Architect, and Paul Hajisavvi, Senior Systems Administrator, at Francis Crick Institute are responsible for IT infrastructure and support the underlying technology that drives the business. That includes helping manage sensitive data risk. “The General Data Protection Regulation (GDPR) formalized a lot of requirements previously under the UK’s Data Protection Act and gave users more rights over their own personally identifiable information (PII),” said Butler. “Thus, our organization needed to establish a baseline of what PII data we had and where it was located. With Rubrik Sonar, we get that clarity and can now provide management – with confidence – the information needed for audits or regulatory bodies.”

Challenges

  1. Time-consuming manual processes that decreased productivity
  2. Lack of global visibility across entire environment, resulting in blind spots
  3. Inability to continuously monitor sensitive data exposure via a central dashboard

Results

  1. Significant time savings for search queries (mins vs. hours to weeks)
  2. Identified over 50,000 files with at-risk data
  3. Minimized exposure risk with identification of unauthorized repositories of financial data

Challenges

GDPR was a major driver for Francis Crick Institute to begin their data governance journey. “When GDPR came in, many organizations were not prepared. Our conversations around preparing for GDPR focused on gaining clarity in what sensitive data we have. We conducted an initial assessment at that time, but how do we monitor all the hundreds of servers we are running?” said Hajisavvi. “Anyone can store PII data anywhere, and we can potentially be exposed if access is granted to external parties, such as to personal data or to employee data. We wanted to ensure we are always protected and understand what we have and where at all times.”

Solutions

Increasing confidence in compliance by eliminating manual processes

Prior to deploying Sonar, Francis Crick did not have a solution in place to discover and classify what types of PII data it had. “It was a manual approach. It would be very difficult to gather the same information we see today with Sonar. We had a number of audits over the years and could say where we expected PII data on particular systems, such as HR systems. However, with Sonar, we can now automate a lot of those processes,” said Butler. “Prior to Sonar, we would have to wade through lots of documents to find the specific data we wanted. With Sonar, we now have both the macro and micro view of our sensitive data and can pinpoint a specific location within a file without wasting time sifting through hundreds of documents.”

Francis Crick Institute is using Sonar’s pre-defined templates and analyzers to scan for UK PII data. They have seen success in identifying locations with sensitive data, such as national insurance numbers, patents, and passport numbers. “Sonar highlighted areas where we knew we had PII data, giving us confidence in the baseline we have already established and in the product’s performance. Moving forward, it will flag anything that may be unauthorized so that we can investigate and remediate,” said Butler.

“One example is Sonar showed that a web server used for uploading documents, such as those used in procurement, was holding on to those documents in an upload folder. That was an alarm bell and highlighted thousands of documents that might be at risk. We were able to recommend mitigation steps to the server owner in order to minimize that exposure risk,” said Hajisavvi.


 

The Results

 

Significant time savings for search queries

“If we need to surface a specific search, we can get results in minutes, if not seconds. Without Sonar, it could take hours, days, or even weeks.”

Audit reporting

“We can now provide auditors with an automated report that shows exactly what types of sensitive data we have and where they are located via a central dashboard. No manual processes required.”

No production impact

“Since Sonar runs on our existing backup data, we don’t need to deploy a new solution that looks intrusively into our production systems. It runs seamlessly in the background.”

No learning curve

“We love how straightforward the user interface is. Additionally, the user experience is similar to Rubrik’s Cloud Data Management software, meaning we don’t need to spend more time learning or training our employees on a new software.”