Using least privilege to configure customer data access

The principle of least privilege is a familiar concept mandating any user or program should only have access to information that is necessary to perform a particular task. With Segment using a flexible Access Management paradigm, you can ensure users in your workspace abide by this principle.

Segment is committed to providing customers with best-in-class privacy tools for first-party data. "Karma," one of Segment's four core values, provided the early foundation for our focus and commitment to first-party data. This commitment was followed with privacy products to help customers comply with the GDPR in 2018 and CCPA in 2019. In September 2019, we introduced the Segment Privacy Portal to automatically detect and monitor all personally identifiable information (PII)—social security numbers, birthdays, addresses, etc.—in your Segment data. 

We believe data privacy is a right. Your customers probably do, too. Today, we are excited to announce a new feature to help you respect consumer privacy preferences: PII Access.

PII Access enables limits on PII visibility for any workspace user while allowing them to continue to use various Segment features (such as configuring integrations, defining new Personas Audiences, and building new Source Functions). As of today, all PII is automatically masked to all workspace users unless explicitly granted access by the workspace owners. This allows your company to raise the bar on end-user data protection while harnessing Segment's full power to achieve your business priorities. 

Using PII Access, you can selectively control which users or groups of users see PII. By default, workspace members do not have PII Access, and any PII in the Segment app will automatically be masked for them. PII Access supports controlling PII visibility for internal teams, as well as potentially any external parties supporting your Segment instrumentation—truly abiding by the policy of least privilege to restrict access to end-user data.

Debugger with PII data masked

Gartner predicts, "By year-end 2022, more than 1 million organizations will have appointed a privacy officer (or data protection officer)." This executive-level leadership shift brings increased scrutiny to new dedicated internal privacy teams focused on defining privacy and compliance strategies. These teams not only prioritize reacting to legislation like GDPR and CCPA, but also create stricter-than-ever compliance standards to protect end-user data. These privacy standards become the new table-stakes for organizations around the world.

Segment helps you use data to deeply understand your customers, while simultaneously making it easier to respect their privacy. With tools like PII Access available, companies do not have to choose between personalization and privacy.

Level up your customer data security posture

Segment limits PII visibility by default. Workspace members use the Segment app without accessing sensitive customer data. 

End-user data privacy from internal users is not enough. It's also imperative to protect your customer data from external bad actors. Segment provides companies best-in-class security features designed to protect their customers' personal information flowing through the Segment app. To level up your security posture within Segment instrumentation, follow these recommendations.

Segment Privacy & Security Best Practices:

1. Add an extra layer of security between your end-user data and external bad actors. Configure SSO in your workspace using any SAML-based Identity Provider (IDP). If you don't enable SSO, you should enable MFA for all users in your workspace.

2. Enable your Privacy Portal to automatically gain insight into what sensitive data you're feeding from your sources into your Segment workspace and destinations. Segment provides a list of common default matchers to make it easy to begin evaluating the amount of customer PII flowing from your sources through the Segment app with a data inventory. For any custom PII or non-PII data, you can include it in the Privacy Portal data inventory by configuring custom matchers. Once included, set rules to block that data from specific downstream endpoints or mask it throughout the Segment app.

3. Grant workspace members access to only the specific resources they require, such as sources and Personas spaces.

Following these recommendations and limiting your users' access to only data necessary for their work helps you embrace the principle of least privilege access for customer data.

Where is PII in the Segment app?

Segment workspace members can see event data payloads (in the Source Debugger, Source Functions errors, and Destinations Event Delivery) and customer data in Personas spaces. User access to event-stream data proves incredibly useful for debugging and investigating data violations, while customer data in Personas helps users generate insights about audiences. However, not all of the users of these features need to see customer data. Many of those users shouldn't see it. Unnecessary exposure to customer data in a workspace may raise compliance and data privacy concerns.

Workspace owners already can create guardrails by defining specific user permissions using the Identity and Access Management (IAM) portal. This feature allows workspace owners to assign individual user permissions for certain parts of the app and thus control which users have access to PII or not. 

Before PII Access, to limit access to PII data when working with external vendors and contractors, workspace owners needed to restrict access to parts of the Segment app. This required unique sets of rules to the Segment permissions model and made some functionality unavailable.

While this solution is effective at protecting PII, it meant users without access to specific functionality were unable to complete full end-to-end workflows in the Segment app. 

PII Access simplifies the Segment permissions model. When managing user permissions, Segment workspace owners will see a new setting that controls visibility to any PII in the Segment app.

Grant PII Access disabled by default

This new permission model, along with the improved PII detection tools, allows you to block PII data without hiding functionality from your workspace users. Now, you can invite users to your workspace without them having access to end-user data. Those users will see masked values in place of PII—allowing them to safely navigate the areas of the Segment app they need to access.

What does masking mean?

Masking is a method of obscuring that data while preserving its general format.

Below, we have a customer name that needs to be obscured; we'll apply PII masking to it in a moment, and discuss the results.

{ "name": "Bob the Builder" }

When this value is masked, it becomes:

{ "name": "B*** t*** B***" }

This format, with all of its *** asterisks may look funny at first, but it conveys the shape of the data without exposing any PII!

Detect all the shapes and forms of PII 

Masking is straightforward when you can quickly tell the data is a name or an email. Segment offers default matchers such as social security number,  password, token, credit card, email, address, and more. You can view a complete list of default matchers in the Segment Docs.

In practice, however, customer data of all types vary across industries and regions. There are no global rules on how to format data, so customer data takes shape in a myriad of ways across Segment implementations. There is no thorough approach to prescribe how to identify what PII is and the form it takes. To solve that problem, you have the tools in Segment to configure what PII looks like for your customers.

Imagine that Company A has set up analytics.js on its website and connected it to its favorite destination. A track event comes through the pipeline, and it contains various contextual fields.

{  "name": "Human Being",  "email": "on.the@inter.net",  "nickname": "Hugh Bean" }

With Segment's default matchers, name and email are automatically detected as PII and masked accordingly. 

{  "name": "H*** B***",  "email": "o***.t***@i***.n***",  "nickname": "Hugh Bean" }

Now, since PII takes many shapes and forms, Company A has identified nickname as a sensitive, customer-identifying field.

Company A's executive leadership mandates any nickname must be masked to meet their internal privacy compliance goals. Any vendor tools that lack this ability cannot be used.

No need to worry, Company A is using Segment and can tell their execs all of the customer-identifying fields are masked!

Flexible PII masking 

You can use custom matchers—a feature of the Privacy Portal that enables you to classify PII in whichever shapes it takes in your workspace—for masking data in the Segment app.

Nickname custom matcher

Using these custom matchers, nickname is classified as PII, and it is masked for all workspace members without PII Access. No matter which Segment feature you're using, and no matter what your equivalent nickname fields may be, you can create your own custom matchers and prevent users from seeing the data they shouldn't. 

{  "name": "H*** B***",  "email": "o***.t***@i***.n***",  "nickname": "H*** B***" }

How does Segment use masking?

To protect your data, Segment internal privacy teams have masked all detected customer PII for all Segment employees without permission to see it.

At Segment, we enable world-class customer experiences and customer-focused growth with good data. For us, privacy and proper data governance isn't, and shouldn't be, a nice-to-have state; it is a requirement. It should be at the forefront of what each of our customers, from the smallest to the largest, has access to when using our product.

With PII Access, we unlock new capabilities for you to use the Segment app, and the good news is that all the data is protected by default. This feature is now Generally Available for all Segment customers. If you're curious to get more details, head out to the docs or your workspace access management page. If you're new to Segment and want to learn more, you can request a personalized demo.