Case Study – Using TozStore to Enable User’s Control of Their Own Data
Hueya is a cybersecurity software company specializing in products and services that secure the human endpoint. From social media security and digital risk monitoring, to phishing simulations and cyber awareness training, Hueya takes a holistic and human centric approach to cybersecurity to empower people to proactively take control of their online identity, secure their digital world, and make more informed decisions about what they share and click.
The Tozny team has deep expertise in privacy, security, cryptography, and identity management. Our products and services support the commercial market, as well as federal clients in the DoD, DARPA, DHS, and NIST.
Hueya and Tozny engaged in a pilot to address privacy and security improvement to the way Hueya collected and managed their user’s Personally Identifiable Information (PII).
In order to protect their clients’ digital lives, Hueya collects and stores clients’ PII. Hueya’s software scans their clients’ social media accounts, analyzes their risk, makes adjustments, and continuously monitors those accounts on behalf of their clients. In the process of scanning their clients’ accounts, Hueya collects and stores PII that was previously stored in plaintext in a relational database, and retrieved when a user requests a relevant page. Being a company with a strong focus on privacy, Hueya was committed to finding a way to store and retrieve the sensitive information discovered during PII scanning without compromising the privacy and security of their clients’ data.
Hueya worked with Tozny to integrate Tozny’s TozStore product, a commercial toolkit for end-to-end control of stored structured and unstructured data using strong encryption. TozStore can be embedded in an app, web page, or server to ensure that the data owner maintains complete control of the data from the point of creation, through transmission, storage, analysis, and finally expiration and deletion – i.e., for the entire lifecycle of the data.
By deploying Tozny’s TozStore product, Hueya was able to move away from plaintext PII storage. Hueya’s objective was to be able to encrypt users’ data without creating a custom local encryption method, and for the customer data collected to be encrypted by and for the user only.
Tozny’s solution puts the control of the data back into users’ hands, allowing Hueya to remain true steward of its clients’ privacy.
How It Works
Tozny’s solution utilized the TozStore SDK during the Hueya PII data ingest process. During the ingest process, clients typically create and update their data with the Hueya service by authenticating with a standard OAuth2 protocol. This grants Hueya an authentication token, which is used to retrieve sensitive PII from OAuth providers (e.g., Facebook, LinkedIn, Instagram, and Twitter). Responses from these providers can contain data such as: email, birthdates, employment history, education, etc. Typically, it’s a JSON response object. These objects are stored in normal database fields.
Hueya integrated with Tozny’s TozStore to secure the PII ingest process. The updated approach encrypts user’s social media data for its entire lifecycle. This is accomplished by storing the client key and user identifier in Hueya’s database, while all sensitive data is stored in TozStore. The Hueya server delivers the client key and unique identifier to the browser, allowing the user to directly retrieve the encrypted social media data and decrypt in the browser.
This diagram depicts the data flow for Hueya. Note that the plain text data for user data is handled once by the Python Application, but never again after that by Hueya’s servers, which was one of their design goals.