Francis Crick Institute uses Rubrik Sonar to manage sensitive data risk and GDPR compliance
March 17, 2021
Francis Crick Institute is a biomedical research center in London that opened in 2015. The institute is a partnership between six of the world’s leading biomedical research organisations – Cancer Research UK, Imperial College London, King’s College London (KCL), the Medical Research Council, University College London (UCL), and the Wellcome Trust. The institute has over 1,500 scientists and staff working to understand why disease develops and to find new ways to diagnose, prevent, and treat a range of illnesses – such as cancer, heart disease, stroke, infections, and neurodegenerative diseases.
Gareth Butler, Senior Infrastructure Architect, and Paul Hajisavvi, Senior Systems Administrator, at Francis Crick Institute are responsible for IT infrastructure and support the underlying technology that drives the business. That includes helping manage sensitive data risk. “The General Data Protection Regulation (GDPR) formalised a lot of requirements previously under the UK’s Data Protection Act and gave users more rights over their own personally identifiable information (PII),” said Butler. “Thus, our organisation needed to establish a baseline of what PII data we had and where it was located. With Rubrik Sonar, we get that clarity and can now provide management – with confidence – the information needed for audits or regulatory bodies.”
INCREASING CONFIDENCE IN COMPLIANCE BY ELIMINATING MANUAL PROCESSES
GDPR was a major driver for Francis Crick Institute to begin their data governance journey. “When GDPR came in, many organisations were not prepared. Our conversations around preparing for GDPR focused on gaining clarity in what sensitive data we have. We conducted an initial assessment at that time, but how do we monitor all the hundreds of servers we are running?” said Hajisavvi. “Anyone can store PII data anywhere, and we can potentially be exposed if access is granted to external parties, such as to personal data or to employee data. We wanted to ensure we are always protected and understand what we have and where at all times.”
Prior to deploying Sonar, Francis Crick did not have a solution in place to discover and classify what types of PII data it had. “It was a manual approach. It would be very difficult to gather the same information we see today with Sonar. We had a number of audits over the years and could say where we expected PII data on particular systems, such as HR systems. However, with Sonar, we can now automate a lot of those processes,” said Butler. “Prior to Sonar, we would have to wade through lots of documents to find the specific data we wanted. With Sonar, we now have both the macro and micro view of our sensitive data and can pinpoint a specific location within a file without wasting time sifting through hundreds of documents.”
Francis Crick Institute is using Sonar’s pre-defined templates and analysers to scan for UK PII data. They have seen success in identifying locations with sensitive data, such as national insurance numbers, patents, and passport numbers. “Sonar highlighted areas where we knew we had PII data, giving us confidence in the baseline we have already established and in the product’s performance. Moving forward, it will flag anything that may be unauthorised so that we can investigate and remediate,” said Butler.
“One example is Sonar showed that a web server used for uploading documents, such as those used in procurement, was holding on to those documents in an upload folder. That was an alarm bell and highlighted thousands of documents that might be at risk. We were able to recommend mitigation steps to the server owner in order to minimise that exposure risk,” said Hajisavvi.
• Significant time savings for search queries (mins vs. hours to weeks)
• Identified over 50,000 files with at-risk data
• Minimized exposure risk with identification of unauthorized repositories of financial data
Additional benefits include:
• Significant time savings for search queries: “If we need to surface a specific search, we can get results in minutes, if not seconds. Without Sonar, it could take hours, days, or even weeks.”
• Audit reporting: “We can now provide auditors with an automated report that shows exactly what types of sensitive data we have and where they are located via a central dashboard. No manual processes required.”
• No production impact: “Since Sonar runs on our existing backup data, we don’t need to deploy a new solution that looks intrusively into our production systems. It runs seamlessly in the background.”
• No learning curve: “We love how straightforward the user interface is. Additionally, the user experience is similar to Rubrik’s Cloud Data Management software, meaning we don’t need to spend more time learning or training our employees on a new software.”
Q Associates is an independent specialist IT services provider offering secure, reliable cloud and infrastructure solutions tailored to every customer’s unique business requirements.
As the first UK Rubrik Authorised Support Partner, Q Associates is engaged across Rubrik’s complete portfolio of unified cloud, edge and on-premises data management and protection solutions. Our certified technical specialists have undergone the highest level of Rubrik training and are fully accredited to provide world-class Rubrik support and act as the first point of call to customers throughout the UK.