Case Study – Reducing Attack Surface, and Limiting Risk and Liability Using TozStore
Companies in the online human resources, recruiting, and applicant tracking industry provide software services that make it easy to post job openings online, manage applicants, and manage the overall employee hiring workflow. The nature of this business requires companies to have access to significant amounts of personal information from applicants.
The Tozny team has deep expertise in privacy, security, cryptography, and identity management. Our products and services support the commercial market, as well as federal clients in the DoD, DARPA, DHS, and NIST.
Tozny worked with a company in this market that provides software to organizations of various sizes to simplify and streamline their full-cycle recruitment and hiring process. Clients use this platform to host their applicant tracking software, and collect, analyze, and store applicant data. By customizing each deployment based on the client’s need, data collected by the software can include sensitive information such as Social Security Numbers, addresses, banking information, and other Personally Identifiable Information (PII). In order to safely and securely collect and store applicants’ data, the company was looking for a solution to encrypt that data at the point of creation or entry by the user without compromising the user experience.
The company collects and passes this sensitive PII to its clients (the businesses that use their solutions), but does not itself need to access or process it. That provided them with an opportunity to utilize Tozny’s TozStore platform to ensure that they handle only encrypted data and never have access to the user’s private information. TozStore is a commercial SaaS platform for end-to-end control of stored structured and unstructured data using strong encryption. TozStore can be embedded in an app, web page, or server to ensure that the data owner maintains complete control of the data from the point of creation, through transmission, storage, analysis, and finally expiration and deletion – i.e., for the entire lifecycle of the data.
By using TozStore to reduce its attack surface, the company never sees the collected sensitive data, which limits its own data management risk and liability and limits further proliferation of applicants’ data.
How It Works
The process was to collect the user’s PII directly from the user in their browser, encrypt that data immediately in the browser with a key controlled by the user, and then share the data with the company’s client. The PII is stored encrypted in TozStore while the non-sensitive data is transmitted as normal to the company’s database. The company’s client can then retrieve the PII and decrypt it without any intermediate servers needing to access the plain text version of the sensitive data. This approach improves security by 1) keeping data encrypted for its entire lifecycle, and 2) keeping plain text data from being transmitted, stored, and processed by servers that do not need access to the data.
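The flow described above, as an added sketch that is not TozStore's API or code from Tozny: the form is split into sensitive and non-sensitive fields, the PII is sealed on the applicant's side, and only the hiring client's private key can open it. Assumptions: the field names, the record id, and the hybrid AES-256-GCM plus RSA-OAEP scheme are chosen for illustration, and Node's built-in crypto module stands in for the browser.

```javascript
// Added illustration, not TozStore's API. Node's crypto stands in for the browser.
const nodeCrypto = require('node:crypto');
const SENSITIVE = ['ssn', 'bankAccount', 'address']; // assumed field names
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const b64 = (buf) => buf.toString('base64');

// Split a submitted form so that only non-sensitive fields reach the company's database.
function splitForm(form) {
  const pii = {}, plain = {};
  for (const [k, v] of Object.entries(form)) (SENSITIVE.includes(k) ? pii : plain)[k] = v;
  return { pii, plain };
}

// Applicant side: encrypt the PII under a fresh per-record key, then wrap that key
// to the hiring client's public key. The record id is bound in as GCM associated data.
function sealPii(pii, clientPublicKey, recordId) {
  const key = nodeCrypto.randomBytes(32), iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(recordId));
  const ct = Buffer.concat([c.update(JSON.stringify(pii), 'utf8'), c.final()]);
  return {
    recordId, iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()),
    wrappedKey: b64(nodeCrypto.publicEncrypt({ key: clientPublicKey, ...OAEP }, key)),
  };
}

// Hiring client side: unwrap the record key, then authenticate and decrypt.
function openPii(env, clientPrivateKey) {
  const key = nodeCrypto.privateDecrypt({ key: clientPrivateKey, ...OAEP }, Buffer.from(env.wrappedKey, 'base64'));
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAAD(Buffer.from(env.recordId));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  // final() throws if the ciphertext, tag, or record id was altered in storage or transit.
  const pt = Buffer.concat([d.update(Buffer.from(env.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data: what each party ends up holding.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const form = { email: 'applicant@example.test', position: 'Analyst', ssn: '000-00-0000', bankAccount: '0000000000' };
  const { pii, plain } = splitForm(form);
  const envelope = sealPii(pii, publicKey, 'rec-001'); // goes to the encrypted store
  const forServer = { ...plain, piiRef: envelope.recordId }; // goes to the company's database
  return { pii, forServer, envelope, privateKey };
}
```

The intermediate server in this sketch holds only `forServer` and an opaque envelope, so a compromise there exposes no plaintext PII and no key able to decrypt it.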