The risks for businesses associated with storing and processing the personal data of their customers are growing as data volumes continue to increase and regulators sharpen their claws over data protection. But those risks are of course just another startup opportunity.
So step forward out of stealthy shadows BigID which has been quietly working on a plan to build an enterprise privacy management platform since last fall — with the aim of helping other companies better understand their customer data-related risks.
It’s building a SaaS tool to improve visibility of customer data, flagging up where it’s stored, who’s accessing it and so on. Core idea being that you can’t protect what you don’t know about, says co-founder Dimitri Sirota.
He argues there are growing reasons for businesses to care about customer data privacy risks given, for example, Europe’s incoming new general data protection directive which greatly increasing the penalties companies can face for data breaches.
And even beyond move towards stricter data protection legislation, he asserts there’s growing customer awareness about data breaches, and threats from class action litigation, meaning enterprises are being incentivized on various front to get their data governance house in order. Which is where BigID wants to come in.
“The most important assets a company has are the digital identity assets of their customers and right now they don’t really have a good system for managing those assets. For understanding where they are, how at risk they are, and how they’re getting used. They do for their laptops, they do for their mobile phones, but they don’t for their digital personal information assets — and that’s what we’re solving,” Sirota tells TechCrunch.
While BigID is not itself planning to sell after-the-fact security solutions to its b2b customers after they’ve got to grips with their data assets and figured out what they want to do to lock stuff down, Sirota couches the platform as a “preventative solution” — in the sense that they’re selling organizations “visibility into what’s radioactive, and what needs attending to” when it comes to customer data holdings.
“What we found… is that if you have a particular point of view in how to best interdict that particular activity, ten other companies will have a differing point of view… [but] what they all have in common is that they just need better understanding and knowledge around what’s at risk, and how to best track compliance,” he says.
“So for the time being we’re going after all customers — the need that they all have — to give them a better understanding as to their posture around privacy and personal data protection. And then… they have the option to figure out how to secure it. And what’s good about that for us is it’s a lot easier of a sell.”
The co-founders, who have a background in identity management — including Sirota having sold a prior startup, Layer 7 Technologies, to CA Technologies, after which he worked as CA’s head of security strategy for two years — begun working on the idea for BigID last fall.
Today they are announcing a $2.1 million seed round to get their platform to market, with a slated aim of launching in September. Investors in the round include enterprise focused seed funds Genacast Ventures, BOLDstart Ventures, and Deep Fork Capital.
Right now Sirota says they are in talks with companies to start running pilots, so haven’t yet started beta testing.
So how exactly will BigID be able to surface all the relevant at risk data for its customers? Sirota says the core tech is a big data mining system with some added algorithmic “secret sauce”.
“We mine primary data sources — i.e. databases — but there’s been technologies that crawl data sources for a number of years. On top of that we mine secondary data sources like logs and DMP [data management platforms]. And essentially we get a perspective on where that information resides. Again we get other attributes around that information, in terms of how long it’s been there, since it’s been last touched, whether it’s in the DMP or not,” he explains.
From there BigID’s platform will generate what he dubs “three kinds of maps” for its users: an identity map/identity graph, a risk profile around that map, and a usage view/activity view around how the data is getting accessed.
“Essentially we’re a big data solution but with a very specificity around personal information,” he adds. “The traditional solutions for [data] discovery have a very high false positive rate. But we’re leveraging the fact that most organizations have one, two, three sources of definitive or authoritative information about you… it could be in a CRM, it could be in a directory, it could be in a relational database but you start off with something. And so we leverage that to essentially bootstrap the system.
“So we don’t start off with zero knowledge. We start off with some very specific knowledge and then we have algorithms to essentially expand, find additional copies of information and expand additional — not just instances, but additional attributes.”
The BigID platform will be offered as an on premise solution for what the team envisages will be the majority of its customers (larger enterprises) although Sirota says it does also plan to offer the tool as a cloud service for smaller businesses that don’t want to manage the platform themselves.
“We’re not creating another database of all the personal information,” he says, when asked why its customers should trust BigID to handle their data. “It’s a toolset that they use, think of it as a private cloud that they run internal to their own datacenter, that gives them better visibility, understanding of risk and compliance.
“It’s not so much that they have to trust us with their data — we’re basically facilitating the people that they already trust, or supposedly trust, to do a better job, to be able to answer questions they have around their information and be able to do that quickly — and we think that’s important.”