Redacting data in Zendesk
Use Cases

In our last blog about knowing your data, we talked about data ownership as a central piece of the data protection puzzle. Data ownership is so critical to data security because our data footprints have continually expanded across various clouds, data stores, and, increasingly, SaaS tools. And as more tools are incorporated into processes and integrated with other systems, sensitive customer and employee data can sprawl uncontrollably, making it paramount to monitor what data is stored in each system. When we talk to privacy and security leaders about what keeps them up at night, the lack of visibility into the data stored in SaaS tools is always near the top of the list.
There are many levels of risk when it comes to data protection in SaaS, depending on data ownership, how integrated the tool is with other production systems, who controls the data sent to that tool, and who has access to that data. In some cases, there isn’t much opportunity for PII and other sensitive data to make its way into external tools. Think of an outbound marketing tool like, say, Outreach. You need to store some personal data there, like names, emails, phone numbers, and the companies your prospective customers work at. But that data is either manually added by employees, or it’s syncing in from a CRM like Salesforce. Certainly a tool like Outreach comes with some data risk, but the inflow and outflow of PII is largely limited to a handful of structured data fields. You'd never find a passport number, bank account number, or blood type in Outreach.
On the other hand, there are some tools that allow companies much less control over what PII they collect, store, and display to employees, creating a dangerous unknown for security teams. On this side of the spectrum would be products that collect text-based data from employees and customers alike. Zendesk, the leading customer support product on the market, is a prime example of a SaaS tool that carries substantial risk for collecting, storing and displaying sensitive and personal data on a huge scale. Companies have almost no control over what information their customers and employees post, and many consumers fail to recognize the risk of sharing phone numbers, credit card information, home addresses, health information, and other data they should not be sharing in support tickets.
And as data breaches grow in frequency and scope, tools like Zendesk can be a key target for attacks. Just this month, a data breach was reported at mSpy, which exposed ten years' worth of customer support tickets stored in Zendesk, impacting millions of customers. And while details of how the breach occurred remain fuzzy, the fallout may be enormous due to the contents of the tickets, including customer and employee names, email addresses, locations, IP addresses, and more. Had they been using Teleskope, mSpy could have easily redacted PII from ticket content, comments, and attachments, drastically reducing the scope of the attack.
Zendesk is well aware that their platform introduces serious data security risk, and in response to repeated pleas from customers has tried to address it by introducing a native redaction feature. But this technology is outside of Zendesk’s core competency, and the solution they have delivered does little to meet customer needs. Zendesk’s redaction is manual, meaning users with specific permissions have to manually highlight text they find within tickets or comments that should be removed. This is a deeply flawed solution, as it requires someone to stumble upon the violation, recognize it needs to be addressed, and report it or manually redact it. And sifting through thousands of tickets is inaccurate, unrealistic and unsustainable. Zendesk’s redaction feature also does not support redaction in attachments, can’t be applied to tickets created from external sources, and cannot proliferate redactions to integrated tools. Ultimately, Zendesk’s redaction feature is a partial solution which creates more work for tool admins, and does little to assure security and privacy teams that policies are being consistently enforced.

That’s why companies trust Teleskope to enforce data security and privacy policies in SaaS tools like Zendesk. With Teleskope’s Policy Maker, built on top of our proprietary data classification pipeline, you can enforce highly specific policies to ensure sensitive customer data is never stored and shared. Our intuitive UI lets you choose the tools you want to be covered by a policy, set a simple trigger like “a credit card number was found”, add additional filters like “ticket status = resolved”, and indicate whether you’d like Teleskope to redact that data automatically, or to include a human in the loop, who can approve the action. We’ll keep a log of policy actions, so you can track what’s being discovered and redacted, and from where.
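A minimal sketch of the kind of policy described above: the trigger "a credit card number was found", the filter "ticket status = resolved", automatic or human-approved redaction, and a log of actions. This is an added example, not Teleskope's code or the Zendesk API; the ticket dictionaries, `apply_policy`, and the `approve` callback are hypothetical, and the detector is a simple regex plus Luhn check rather than a classification pipeline.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_cards(text):
    """Return (redacted_text, number_of_card_numbers_replaced)."""
    hits = 0
    def repl(m):
        nonlocal hits
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()    # not a valid card number: leave untouched
        hits += 1
        return "[REDACTED-CARD]"
    return CARD_RE.sub(repl, text), hits

def apply_policy(tickets, policy, approve=None):
    """Apply the policy in place; return an audit log of every action taken."""
    log = []
    for t in tickets:
        if t["status"] != policy["status"]:      # filter: ticket status
            continue
        for i, comment in enumerate(t["comments"]):
            clean, hits = redact_cards(comment)  # trigger: card number found
            if hits == 0:
                continue
            if policy["mode"] == "auto" or (approve and approve(t["id"], i)):
                t["comments"][i] = clean
                action = "redacted"
            else:
                action = "pending_review"        # human in the loop has not approved
            log.append({"ticket": t["id"], "comment": i, "hits": hits, "action": action})
    return log

# Constructed sample tickets; 4111 1111 1111 1111 is a standard test card number.
TICKETS = [
    {"id": 101, "status": "resolved", "comments": ["My card is 4111 1111 1111 1111, please refund."]},
    {"id": 102, "status": "open", "comments": ["Card 4111-1111-1111-1111 was declined."]},
    {"id": 103, "status": "resolved", "comments": ["Order number 1234567890123456 never arrived."]},
]
POLICY = {"status": "resolved", "mode": "auto"}
```

With `POLICY` as shown, only ticket 101 is redacted: ticket 102 is excluded by the status filter, and the order number in ticket 103 fails the Luhn check.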
Teleskope is on a mission to protect your data, wherever it is. Our integration list is growing, with similar features available in Google Workspace (Drive, Docs, Slides, Sheets, etc.), Microsoft OneDrive, Slack, Jira and Salesforce. Are there other SaaS tools that you worry are storing PII? Let us know!



