API-Driven Security

Financial Human Resources (FHR) is a worldwide leader in on‐demand financial management and human capital management based in California.

The Challenge

How to onboard customer data securely and efficiently? FHR has a virtual clean room to receive new customer data required for onboarding. The data can be anything from spreadsheets and PDF files with employee information, scans of driver licenses, social security cards, voided checks, and a wide range of other human resource and financial information. For compliance reasons, FHR cannot store the raw data in the FHR datacenter. Instead, the customer uploads the data to an SFTP location. A team of professional service members uses virtual machines to enter the customer data into the FHR datacenter manually. The challenge for SecureCircle was to introduce security into the customer data onboarding process while not creating any additional IT overhead.

The Solution

All of the administrative functions admins can configure in the admin UI can be executed via API. FHR integrated the SecureCircle admin APIs into existing workflows to create a completely automated experience.

When FHR closes a new customer, the customer’s status in Salesforce changes to an onboarding state. FHR already uses this change of state to start a variety of tasks automatically. For example, an SFTP location for the new customer is created with credentials. Salesforce now triggers the SecureCircle API to create a new customer Circle, assigns professional service members and virtual cleanroom devices to the Circle, and establishes a policy to automatically secure all data uploaded to the SFTP folder.

By creating multiple Circles, FHR can assure that professional service members do not upload data from Customer-A into the Customer-B database. Each virtual machine in the data cleanroom can only access one customer & one Circle at a time. The virtual machine assigned to Customer-A has access to the onboarding data with the
/Customer-A folder of the SFTP site. The virtual machine cannot even access data from Customer-B since the virtual machine doesn’t have permissions to access data in
Customer-B Circle. QSI evaluated many encryption and data loss prevention solutions before selecting SecureCircle. The alternative solutions could not protect any file type and impacted QSI employees with workflow changes.

FHR utilizes the network policy to restrict allowed applications from sending decrypted data to unwanted IP addresses. Within the data cleanroom, professional service employees use a file transfer application to retrieve data from the SFTP server. SecureCircle network rules enforce that file transfer applications can only transfer data from the SFTP server to the cleanroom’s virtual machine.

In the past, FHR would restart all virtual machines to the time-zero starting point to keep data off the virtual machines at night. The compliance requirement is that data not be accessible during non-work hours. With SecureCircle, the files and virtual machines could remain in place. Since the encryption keys for the data are stored on an HSM, taking the HSM offline at night would result in all the data on the cleanroom’s virtual machines to be inaccessible. SecureCircle allows FHR to save hours in productivity. Professional service members can resume right where they left off the day before without retrieving the SFTP server’s data and starting from scratch.

After the professional services team onboards the new customer data, the customer status is changed in Salesforce to a production state. It triggers the SecureCircle API to delete the customer onboarding Circle. Deleting a Circle will remove all encryption keys from the database, and all the data within the virtual data room are better than deleted. It would now take a supercomputer to try to hack into the data.

The Outcome

FHR utilized the SecureCircle to secure their data so data can never leave the company through malicious or accidental threats. Customer data can be thoroughly segregated, ensuring that professional service members don’t upload HR or financial data to the wrong customer. Professional service members’ productivity improved due to removing daily startup steps such as downloading data from the SFTP server each day. And finally, the entire workflow has been automated into existing workflows such as Salesforce, so there is no need for an additional IT admin console. Existing dashboards manage all of the SecureCircle functionality utilizing SecureCircle APIs. SecureCircle transparently secures data from internal and external threats, including accidental sharing, lost/stolen devices, shadow IT, and rogue employees.

About SecureCircle

SecureCircle’s Data Access Security Broker (DASB) delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. End users operate without obstacles, while data is continuously secured against breaches and insider threats.

API Driven Security