
Role - Engineering Lead - Data Security Architect
Led the design and deployment of a unified data security framework for structured and unstructured data across the client's hybrid infrastructure. Focused on real-time data discovery, classification and loss prevention, encryption and auditability to support regulatory requirements and enterprise data governance.
Tools:
1. Data Discovery & Classification:
i. MS Purview for automated scanning of SQL, file shares and Azure Blob.
ii. Varonis deployed for AD-integrated permission mapping and activity-based risk prioritization across NAS, SharePoint and Windows File Servers.
2. DLP - Trellix DLP (network, endpoint and email channels), MIP for automatic sensitivity labeling via Office apps and AIP scanner for file shares.
3. Cloud Data Protection:
i. AWS Macie for S3-based PII/PHI classification and auto-remediation actions using EventBridge and Lambda.
ii. Azure Defender for Storage and Azure Information Protection for classification and threat alerts.
iii. Google Cloud DLP API - Integrated into data pipelines to scan BigQuery datasets and Cloud Storage objects before ingestion.
Encryption and Masking:
1. HashiCorp Vault used to manage encryption keys for workloads across Kubernetes clusters and virtual machines.
2. Informatica Dynamic Data Masking - Deployed inline with SQL Server and Oracle to mask data at query time based on user roles.
3. Titus - For persistent file labeling and classification that travelled with the data across endpoints and email.
Identity and Policy Automation:
1. SailPoint IdentityNow - To enforce least-privilege access to high-sensitivity datasets and automate access review cycles.
2. ServiceNow integrated with data access workflows for exception handling and audit trail generation.
Monitoring & Incident Response:
1. MS Sentinel, Splunk
Results:
1. Mapped and classified > 95% of enterprise data stores (on-prem and cloud).
2. Reduced DLP violations.
3. Operationalization of GDPR Art. 30 records and PCI DSS.