

National Parks Conservation Association

Industry: Non-profit

Region: DC, United States

NPCA achieves PCI compliance in the cloud


The National Parks Conservation Association (NPCA) is the only independent, nonpartisan member-based organization devoted exclusively to advocating on behalf of America’s National Parks System.


NPCA is well known as a leading advocate in safeguarding America’s national parks. Lesser known is the extensive due diligence the organization undertakes to safeguard the personal data of its members.

Operating independently for over a century, NPCA relies on donations from members to drive forward its mission of protecting national parks. For a non-profit, getting cybersecurity right and maintaining customer trust are everything. In fact, they are essential to staying in business. According to Ramadji Doumnande, Director of IT Operations and Security at NPCA:

“You don’t want to become the headline. Our organization relies on people’s generosity. If there’s a massive breach, people will not donate. With that type of reputational damage, the organization’s future would be in jeopardy.”


As part of NPCA’s data governance strategy, Ramadji began shifting the organization from a hybrid model to a cloud-based environment in March 2020. The initial adoption of Azure and Office 365, followed by Exchange Online, SharePoint Online and more, enabled NPCA employees to easily shift to 100% remote work at the start of the COVID pandemic.

To complete the migration, two major components remained: file servers and data from the Finance department. Moving critical data amassed by the finance team required special attention and controls.


Visibility into PCI data both on-premises and in the cloud was paramount to maintaining a strong security posture. According to Ramadji:

“Moving into the cloud meant that we needed new technology and processes to take control of the data. We needed a bulletproof way to ensure people could not store critical data on platforms that we do not have visibility into.”



Ramadji selected Qostodian Recon to protect NPCA’s data in the cloud.

Ramadji had been using an alternative data discovery solution, on top of risk management tools that came out of the box with NPCA’s Microsoft investment. However, after experiencing Recon’s lightning-fast, fully contextualized scanning results, he made the switch. Recon now functions as an added layer of defense alongside Microsoft’s tools.


According to Ramadji, alternative options felt heavy and complex in comparison to Recon.

“Recon simplifies the complex task of discovering, classifying and investigating sensitive data. The UI is easy to use. The install takes two clicks. Yet, despite being lightweight, it delivers fully contextualized results faster than alternatives. The result is that I’m able to make decisions–and close investigations–more quickly.”


Ramadji is also able to remediate with greater speed by taking action directly within the tool. “I can see every user that has a particular credit card number, for example. If I see that credit card number in a folder where it doesn’t belong, I can move it or delete it.” Ramadji can also view all duplicates in his environment and exclude them. “You don’t have to carry that data into the cloud to add to your storage costs,” he says.



“What keeps me up at night is thinking I didn’t take every possible step to mitigate risk. The threat landscape is evolving so fast. It’s difficult to keep pace with everything coming my way. With Recon in place, I can do it all. I was able to see the value of the data I had left on-premises, while also continuing to drive compliance in the cloud.”


Now, Ramadji maintains visibility and control across all cloud-based applications. Operating with zero blind spots is essential. “I need people to understand that cybersecurity is critical. I spend a lot of time communicating the potential effects of downloading sensitive data and storing it in public places.”


“Yet, there’s inevitably a segment of users who are out of compliance with our policies and guidelines. Recon helps me spot these users, and quickly take action so that not only are we compliant, but we save ourselves from a potentially disastrous situation.”
