Kaleido – Case Study

Region: QC, Canada

Kaleido is a leader in modern education savings plan programs. Its products give families a differentiated set of risk-bounded investment options designed to meet their savings goals while remaining compliant with strict government regulations.

Pain

At the core of Kaleido’s mission is trust. Customers entrust Kaleido with their hard-earned money, as well as all the sensitive personal and financial data required to make and manage RESP (Registered Education Savings Plan) investments. This includes customer banking information and social insurance numbers. Regulators also expect Kaleido to safeguard personal data, and those requirements are only getting stricter. Law 25, passed in 2021 by the Quebec government, requires a yearly audit and a centralized inventory of sensitive data. This made getting data privacy right more financially consequential than ever.

Kaleido’s rising data privacy challenges are also driven by other dynamics.

Internally, a growing customer base has increased the breadth and depth of data collected, and department-specific reporting and documentation requests have increased complexity across the data lifecycle. Previously, finding this data was a mostly manual exercise, involving time-consuming shell scripts and CSV files that were a headache for recipients to read.

“We used to batch manual tasks to target specific files on specific servers. But as the data grew, we required a more precise way to find files, even if we didn’t have file names, sometimes targeting specific types of patterns like social insurance numbers. The government has also set new requirements, and we have to meet them.”

Externally, Kaleido and other financial services providers worried about the rise in cybercrime that came with COVID, and about the new risks introduced by remote work and other uncertainty. As threat hunting and mitigation got harder, executives committed to being proactive and staying out of the headlines. They asked François Lamontagne, Director of IT, and the rest of IT: “We don’t want that to happen to us. What more can we do?”

Leaders realized that these pressures could put current security and compliance systems and strategies to the test. To ensure Kaleido could get—and stay—in front of rapidly evolving security and compliance requirements, a smarter approach was needed.

Solution

As the team considered how best to transform their data governance, they had two objectives. Kaleido wanted to meaningfully modernize sensitive data management across the organization, but they also needed to quickly achieve compliance with the specific rules and requirements of Law 25. This meant they needed:

  1. An integrated, scalable data inventory system that finds, tags, and sorts sensitive data
  2. A centralized, contextualized data view across connected networks, applications, clouds, and workstations
  3. An automated way to find and destroy personally identifiable data after a contract gets signed
  4. Data to remain encrypted and anonymized, with information never leaving the Kaleido environment or being seen by third-party tools
  5. Automated reports that could be provided directly to auditors

An early discussion with a company director brought Qohash into the conversation.

“As soon as the team walked through the product, something clicked. The combination of powerful, fast discovery, and robust context-rich reporting made for the ideal platform on which to modernize.”

With Recon installed, automated scanning and reporting workloads immediately saved time for teams and increased responsiveness to stakeholder requests for information. Lamontagne shared: “We’d receive a request for all sensitive data created within a specific timeframe. Previously, I ran a script, formatted it in Notepad, and used the command line with this big blob of text. Now, with Recon, we target a key chain we want to scan and go.”

The increased speed and simplicity of scanning, plus the precise granularity of search results, helps ensure data governance stakeholders—and regulators—get up-to-the-minute visibility into sensitive data and its movement.

Results

Recon has enabled Kaleido to dramatically simplify PII fundamentals by replacing time-consuming manual processes with a unified, automated search and reporting tool that’s easy to configure, customize, and scale. Two unique Recon features continue to stand out to the team.

First, Recon’s powerful, intuitive graphical user interface not only makes searches faster but also returns useful, context-rich results. Second, the ability to scan for specific data elements, rather than simply searching through files, was a game changer. The team can, for example, scan for patterns matching potential VISA card numbers and get back the number itself, the surrounding string context, and a “likelihood” score that expresses Recon’s confidence in the match.
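The element-level discovery described above (match the shape of a data element, return it with its surrounding context and a confidence score) can be illustrated with a small scanner. The following is an added example written for this case study, not Qohash’s or Recon’s code, and it makes no claim about how Recon scores its matches. It covers the two data elements the page names, Visa card numbers and social insurance numbers, validates each candidate with the Luhn check digit both formats carry, and raises the likelihood when a related keyword appears nearby. The sample text, the detector table, the scoring weights and the context window are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input (not real customer data). It mixes a Luhn-valid
# Visa-format test number, a digit run of the same shape that fails the Luhn
# check, a Luhn-valid SIN-format number, and a nine-digit run that fails it.
SAMPLE_TEXT = (
    "Client file 2023-04: card on record 4111 1111 1111 1111, "
    "reference number 4123456789012345, SIN on file 046 454 286, "
    "invoice 000 000 001."
)

# Hypothetical detector table: the shape of each data element and the
# keywords whose presence near a match makes it more credible.
DETECTORS: Dict[str, Dict[str, re.Pattern]] = {
    # Visa: 16 digits starting with 4, optionally grouped by spaces or dashes,
    # or the older 13-digit form.
    "visa": {
        "shape": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b|\b4\d{12}\b"),
        "keywords": re.compile(r"\b(?:card|visa)\b", re.I),
    },
    # Canadian SIN: nine digits, usually written as three groups of three.
    "sin": {
        "shape": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
        "keywords": re.compile(r"\bsin\b|social insurance", re.I),
    },
}

CONTEXT_CHARS = 40  # assumed window of text kept on each side of a match


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test shared by payment card numbers and SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    value: str        # digits only; keep out of reports, see masked()
    start: int
    context: str
    luhn_ok: bool
    likelihood: float

    def masked(self) -> str:
        """Report-safe form: only the last four digits survive."""
        return "*" * (len(self.value) - 4) + self.value[-4:]


def score(luhn_ok: bool, keyword_nearby: bool) -> float:
    """Assumed weights: shape alone is weak evidence; Luhn and context add to it."""
    s = 0.3 + (0.5 if luhn_ok else 0.0) + (0.2 if keyword_nearby else 0.0)
    return round(s, 2)


def scan(text: str) -> List[Finding]:
    """Run every detector over the text and return findings in document order."""
    findings: List[Finding] = []
    for kind, spec in DETECTORS.items():
        for m in spec["shape"].finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            lo = max(0, m.start() - CONTEXT_CHARS)
            hi = min(len(text), m.end() + CONTEXT_CHARS)
            # Context excludes the match itself so keywords are judged on surroundings.
            context = text[lo:m.start()] + text[m.end():hi]
            luhn_ok = luhn_valid(digits)
            keyword_nearby = spec["keywords"].search(context) is not None
            findings.append(Finding(kind, digits, m.start(), context,
                                    luhn_ok, score(luhn_ok, keyword_nearby)))
    findings.sort(key=lambda f: f.start)
    return findings


def report(findings: List[Finding], min_likelihood: float = 0.5) -> List[str]:
    """Lines an auditor could receive: kind, masked value, score, no raw data."""
    return [f"{f.kind:<5} {f.masked():<19} likelihood={f.likelihood:.2f}"
            for f in findings if f.likelihood >= min_likelihood]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_TEXT)):
        print(line)
```

The reference number in the sample has exactly the shape of a card number but fails the Luhn check and sits next to no card-related wording, so it scores low and drops out of the report; the check digit and the surrounding context are what separate a real data element from a look-alike digit run, which is the reason a likelihood score is more useful than a plain regex hit. The report deliberately carries only masked values, since a discovery tool’s own output is itself sensitive data.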

As Lamontagne explains,

“We tried to find another tool and couldn’t find anything that did what Qohash does.”

The benefits of moving to Recon were easily—and dramatically—measurable. “A task that would take me an hour and a half, now takes 15 minutes.”

The increased efficiency and convenience have done more than just reduce the time required to complete important compliance tasks. They have also improved data security and compliance by increasing visibility. Lamontagne explains:

“Before, I ran scans quarterly. Now, with options for recurring scans that are easy for me to schedule, we scan weekly and feel more confident about security.”

This also translates into a greater level of responsiveness to all data stakeholders, including customers and regulators.

As the business grows, and the regulatory environment changes, Kaleido will continuously face new challenges to how they store, manage, and secure sensitive customer and financial data. The fundamental gains accomplished through Recon adoption will continue to multiply over time, no matter where market or regulatory demands go next.

“The protection of our customers’ personal information is at the heart of our organization. We will put everything in place to keep it secure.”
