About Harvard Business School
Harvard Business School (HBS) is the graduate business school of Harvard University, a private research university in Boston, Massachusetts. It is consistently ranked among the top business schools in the world and offers a full-time MBA program, management-related doctoral programs, and executive education programs.
“SDP equips us to understand where data is flowing from the endpoints and from the applications, so we can catch it in the event it’s going to a wrong spot. Or if there’s truly a leak, it helps us to understand what is happening and take appropriate action.”
–Chris Pringle, ISO, Harvard Business School
Challenge
Harvard Business School (HBS) has been a long-standing, Spirion customer, using legacy, on-premises Sensitive Data Manager (SDM) to manage endpoints and sensitive data leakage on campus. Their initial goal in deploying SDM was to deliver a self-service model for their community of faculty and staff to make them aware of personally identifiable information (PII) that may reside on their computers and take proper action. This end-user-driven model of sensitive data protection served HBS well over the years.
However, with the pandemic and the school’s accelerated transformation to offering more classes online, as well as the recent surge in new privacy regulations around the globe—including South America and China—HBS decided they had reached the limits of their on-premises SDM environment and ability to move into cloud services. A key limitation for HBS was the SDM requirement that users be on the campus network for it to function appropriately. If users were remote, they had to VPN into the school’s network. While HBS had been in the cloud for years, it needed to recalibrate how to best manage the exploding growth of sensitive data that has proliferated across their cloud environment.
Solution
HBS migrated to Sensitive Data Platform (SDP) to “expand our capabilities to support a hybrid environment, not just locally on campus, but globally while also meeting privacy compliance needs,” says Chris Pringle, Information Security Officer and Managing Director of IT Compliance at Harvard. “SDP’s SaaS-based model is a service that we can spread across our highly distributed community without requiring that they be on our campus network.”
SDP also better aligns with their vision of sensitive data protection as an automated utility service, the goal of which is to remove the burden of sensitive data protection from the user and make it an automated service, “so we can work smarter, not harder,” Chris explains.
As part of this modernized approach, HBS was eager to automate how they classified data for sensitivity and other context. HBS was classifying data manually, an approach that relied upon spreadsheets and processes. They understood that for data classification to be accurate, scalable, and consistent, they needed to move to an automated approach. “Putting automation around data classification and alerting would enable us to be much more proactive than reactive,” Pringle says. “SDM equipped us with a strong, albeit reactive, position. We could only review something after the fact. Now, Spirion Sensitive Data Platform puts us in proactive position, ready to take real-time actions appropriately.” Additionally, by making the switch to SDP and leveraging software-as-a-service, Pringle and his team were able to get rid of infrastructure on the back end and have it managed, so that they can focus on more strategic security initiatives. “I look at it as cost savings from resource side, so we can work smarter and engage resources from our team or other teams on areas that are much more important,” Pringle explains.
Results
While securing endpoints forms the baseline for the school’s sensitive data protection program, SDP affords them an extensible future. The school is beginning to grow beyond endpoint protection to scan other disparate structured, unstructured, and cloud data sources. Pringle appreciates SDP’s ability to grow with the business by providing extensive connectivity to a wide range of data repositories, making it adaptable to manage data and data movement.
He and his team understand the complexity that goes around sensitive data protection and are taking measured steps to evolve and expand their use of SDP—including implementing automated classification, remediation, and data privacy so they can better respond to Data Subject Access Requests (DSARs). “SDP equips us to understand where data is flowing from the endpoints and from the applications, so we can catch it in the event it’s going to a wrong spot. Or if there’s truly a leak, it helps us understand what is happening and take appropriate action,” Pringle explains.
Asked about his advice for others when migrating to Sensitive Data Platform, Pringle responds that organizations walk before they run because there is so much functionality available with SDP. “You cannot eat the elephant with one bite,” he says. “Start your consumption with your baseline requirements before you move to the next level in your data protection journey.”