Data security is a critical issue for any organization that handles personally identifiable information (PII). Processes such as ETL, which handle large quantities of data from a wide variety of sources, are particularly vulnerable to data breaches, due to the increased attack surface.

The good news is that by choosing the right ETL platform, data security becomes a whole lot simpler. In this article, we’ll discuss everything you need to know: why ETL data security is so important, the various data security standards that you should know about, and the ways in which Xplenty ETL takes pains to protect your data.


The Need for ETL Data Security

Personal information—including names, contact information, addresses, Social Security numbers, and payment card details—is highly valuable for malicious actors who can exploit it or sell it to the highest bidder, and the target is only getting larger. According to Statista, in 2019 there were a total of 1,506 data breaches recorded in the U.S., with more than 164 million records exposed.

The recent past has seen a slate of extremely high-profile data breaches, including:

  • The July 2019 Capital One breach, which exposed more than 100 million customer accounts and credit card applications.
  • The September 2019 Zynga breach, which exposed the email addresses, usernames, and passwords of more than 172 million unique user accounts.
  • The 2020 Marriott breach, which could have exposed the personal details of up to 5.2 million people who were guests at the hotel chain.

Data breaches can be highly damaging to the future of your business—not only in the immediate aftermath as you struggle to deal with and recover from the issue but also to your long-term reputation. Customers who entrusted you with their personal and private information will be more reluctant to extend that same trust in the future, while investors and shareholders will see you as a riskier prospect. Small businesses, in particular, are vulnerable to data breaches: 60 percent of smaller companies close their doors permanently within 6 months of a breach.

Good data security is especially important for data integration methods such as ETL (extract, transform, load), which combines information from a variety of disparate sources and loads it into a centralized data warehouse. Data must be protected both while “in transit” (i.e. being sent over a public or private network) and while “at rest” (i.e. stored in a location such as a database or data warehouse). In addition, you need to maintain careful control over which individuals have clearance and permissions to participate in the ETL process.

What Are Data Security Standards?

A data security standard is a set of policies, procedures, and practices that dramatically lower the risk of a data breach. When an organization fulfills a given set of criteria, it is said to be compliant with that data security standard. Compliance with a certain standard is often a requirement for organizations to operate in a particular industry or handle a particular type of data.

There are a variety of data security standards that have been created for different situations and types of organizations. The most common data security standards are:

  • SOC 2: The SOC 2 data security standard was created for companies who store private business and customer information on cloud-based servers. SOC 2 compliance requires passing a comprehensive audit that assesses your processes based on five factors: data security, availability, processing integrity, confidentiality, and privacy.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) governs the use of personally identifiable information (PII) in the healthcare industry. Policies for HIPAA compliance include allowing only authorized personnel access to PII, logging accesses and other activity, protecting PII from inappropriate alteration or destruction, and protecting against attacks on an electronic network.
  • PCI-DSS: The Payment Card Industry Data Security Standard (PCI-DSS) affects any organization that “accepts, transmits, or stores cardholder data.” PCI-DSS consists of 12 requirements, from installing a firewall to encrypting payment card information across public networks.
  • GDPR: The European Union’s General Data Protection Regulation (GDPR) regulates how companies that operate in the EU process individuals’ personal data. In particular, the GDPR states that upon discovering a data breach, organizations must promptly report it to the appropriate data protection regulators.
  • CCPA: Similar to the GDPR, the California Consumer Privacy Act (CCPA) protects the privacy rights of personal data for residents of the state of California.

4 Ways Xplenty Protects Your ETL Data Security

Xplenty’s ETL platform takes the privacy and security of our customers’ data very seriously. Below are four ways that Xplenty protects your ETL data security:

1) Compliance with Data Security Standards

The Xplenty platform is compliant with all of the data security standards previously discussed: SOC 2, HIPAA, PCI-DSS, GDPR, and CCPA. Xplenty is also compliant with the following data security standards:

  • Sarbanes-Oxley Act (SOX) for U.S. publicly traded companies and accounting firms.
  • Federal Information Security Management Act of 2002 (FISMA) for U.S. federal agencies.
  • Good Practice Guide 13 (GPG13) for UK government systems.

2) Physical Security

Xplenty’s physical infrastructure runs on Amazon Web Services (AWS) and is hosted and managed within Amazon data centers; AWS publishes its own description of its physical security practices. Amazon data centers have been accredited for the following security standards:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)


3) Network Security

Xplenty takes special care to enforce data security over networks. These practices include:

  • Firewalls restrict access to internal systems from external networks and between internal systems.
  • All access is denied by default; only explicitly allowed ports and protocols are enabled.
  • Host-based firewalls prevent customer applications from creating localhost connections over the loopback network interface and can place additional limits on inbound and outbound connections if necessary.

4) Data Encryption

Xplenty uses SSL/TLS encryption on all of our websites and microservices. Sensitive data, such as connection credentials, is also always encrypted whenever it is “at rest” in the Xplenty platform.
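The page does not say how Xplenty encrypts stored connection credentials, so the following is an added illustration rather than the platform's own code: one sound way to keep a credential "at rest" under authenticated encryption. It seals a constructed sample DSN with AES-256-GCM, binds the ciphertext to the connection record it belongs to (so a stored blob cannot be silently swapped between records), and shows that a single flipped bit, a wrong key, or a mismatched record id all fail to decrypt. The key, the connection id and the DSN are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// sampleDSN is a constructed example of the kind of secret an ETL platform
// stores for a source system. The host and credentials are placeholders.
const sampleDSN = "postgres://etl_reader:EXAMPLE-PASSWORD@warehouse.example.internal:5432/sales"

// sampleConnID is a constructed record identifier for that connection.
const sampleConnID = "conn-0001"

// newKey returns a fresh random 256-bit key. In a real deployment this key
// would live in a KMS or HSM, never beside the ciphertext it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealCredential encrypts plaintext with AES-256-GCM. connID is passed as
// additional authenticated data, so the ciphertext only opens for the record
// it was created for. The stored form is base64(nonce || ciphertext || tag).
func sealCredential(key []byte, connID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// GCM is only safe if a nonce is never reused under the same key,
	// so every sealed record gets a fresh random nonce.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(connID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// openCredential reverses sealCredential. Any modification of the stored
// value, a wrong key, or a different connID makes Open fail.
func openCredential(key []byte, connID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("stored credential too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(connID))
	if err != nil {
		return "", fmt.Errorf("credential integrity check failed: %w", err)
	}
	return string(pt), nil
}

// tamperStored flips one bit of the stored blob, simulating corruption or
// an unauthorized edit of the metadata store.
func tamperStored(stored string) string {
	raw, _ := base64.StdEncoding.DecodeString(stored)
	raw[len(raw)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	key, _ := newKey()
	stored, _ := sealCredential(key, sampleConnID, sampleDSN)
	fmt.Println("stored form:", stored)

	dsn, err := openCredential(key, sampleConnID, stored)
	fmt.Println("round trip ok:", err == nil && dsn == sampleDSN)

	_, err = openCredential(key, sampleConnID, tamperStored(stored))
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = openCredential(key, "conn-0002", stored)
	fmt.Println("wrong record id rejected:", err != nil)
}
```

The record-id binding is the part most often left out in practice: without it, an attacker with write access to the metadata store could copy a privileged connection's ciphertext over a low-privilege record and have the platform decrypt it for them.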

For More Information

To learn more about our best-in-class security practices, check out Xplenty’s security page. Want to give Xplenty’s robust, secure, and user-friendly ETL platform a try for yourself? Schedule a call with our team today for a chat about your business needs and objectives, or to start your risk-free 14-day trial of the Xplenty platform.