Cyera Case Study: ACV Auctions

How ACV Auctions Uses Cyera to Control Sensitive Cloud Data Exposure

ACV Auctions provides a leading digital marketplace for wholesale vehicle transactions and data services. The company enables dealers and commercial partners to buy, sell, and value vehicles confidently and efficiently. Cyera enabled ACV Auctions to quickly gain a full picture of their cloud data landscape, improve their security posture, and optimize their cloud costs.


  • Amazon Web Services (AWS)
  • Over 140 Terabytes of data


  • A sprawling cloud environment
  • An influx of new dealers on the platform, accompanied by new data and apps with distributed ownership
  • Achieving least privileged access and security controls to protect the business


  • Improved security posture
  • Increased context for incident response
  • Minimized data and optimized costs


ACV Auctions empowers dealers and commercial partners to buy, sell, and value vehicles, bringing new trust and transparency to the wholesale automotive industry. The company collects and stores data regarding dealers and their transactions in the Amazon Web Services (AWS) cloud. The company stores over 140 Terabytes of data, including thousands of dealership data records and millions of transaction records. This data is sensitive due to business, compliance, and privacy concerns, and ACV Auctions takes its responsibility for safeguarding that data seriously. As ACV expands into the business-to-consumer (B2C) market, the amount of sensitive personal information they manage will increase, along with both privacy requirements and regulatory scrutiny.

Trust and transparency are part of ACV Auctions’ mission, which makes it imperative for the security team to track the different types of data stored in cloud environments and to understand at all times where that data is located. Cloud environments change rapidly, and the amount of data generated and collected continues to rise, increasing the challenges for ACV Auctions to manage and secure that data. ACV’s security team faces additional challenges ensuring that sensitive data is protected by appropriate security controls and stored in compliance with regulatory requirements. The security team is striving to improve their security posture, prioritize issues based on the impact of a data compromise, and get actionable information to quickly remediate issues related to unauthorized access to sensitive data.


That’s why ACV Auctions chose Cyera’s cloud data security platform to perform a data risk assessment on the ACV Auctions environment to help establish a baseline and ensure that the security team was well positioned to respond to any incidents in their large and expanding cloud environment. Cyera helped to ensure that:

  1. All data across the cloud environment was securely stored and encrypted 
  2. New dealers were added to the platform following the principles of least privilege access
  3. Security controls were optimized to protect the business

Cyera worked collaboratively with the company’s security team to maximize ACV’s security posture and controls without impacting ongoing business operations. The risk assessment enabled ACV Auctions to quickly evaluate its current security posture and understand the controls that needed to be put in place. But ACV Auctions also needed continuous visibility of any new data stores or data across datastores and clouds to understand, manage, and secure their ever-changing cloud data landscape. 

“Cyera enables me to see where my data is, all of my data events, who is accessing the data, and what is being done with that data across all of my accounts and data stores. This enables me to secure my data and do a better job of troubleshooting and managing my data.” - Erik Bataller, Chief Information Security Officer at ACV Auctions


Improve security posture

Cyera’s rapid identification of potentially publicly accessible records, unencrypted information, and review of network configuration information dramatically improved ACV Auctions’ overall security posture. Today, the company uses Cyera to detect all cloud data stores, classify the sensitive data inside of each store, and show the identities with access to that data. They use a least privileged access approach, limiting access to sensitive data to service accounts. Following the principles of zero trust architectures and least privileged access, ACV Auctions now limits data access to applications and accounts based on a well-defined business purpose for accessing data.

Increase context for incident response

ACV Auctions’ security operations center (SOC) team uses Cyera’s application programming interface (API) to gain critical context on the blast radius from a security incident. This helps establish the severity and priority for an incident, ensuring that incident response is rapid and targeted based on incident details, such as:

  1. What sensitive data is present in the environment? Does the compromise potentially expose sensitive customer, partner, or employee data?
  2. What sensitive data does a given identity/account have access to? If a brute force attack compromises an identity, what sensitive data does that identity have access to?
  3. How might an incident create a compliance issue with a given privacy framework?

Minimize data and optimize costs

The principle of data minimization means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. That data should only be retained for as long as is necessary to fulfill that purpose.

Data stores that no longer exist can comprise up to 30% of cloud storage volume. 56% of those data stores contain sensitive data.

Data minimization is also a critical aspect of cloud cost optimization. Because cloud resource consumption dictates price, reducing overconsumption and unnecessary storage costs helps ACV Auctions contain cloud costs. Cyera’s platform helps ACV Auctions discover, understand, and remediate overconsumption from:

  • Stale data - by identifying the overall volume and number of sensitive records in sensitive data stores, helping data owners minimize the storage of data that is no longer in use, optimizing costs
  • Ghost data - by identifying the compliance and security risks ghost data represents and eliminating snapshots of data stores that no longer exist
  • Copy data - by identifying copies of backup data and eliminating it safely 

ACV Auctions relies on Cyera to understand its cloud data, meet compliance regulations, and manage cloud costs. "When we implemented Cyera, we immediately got a full picture of our cloud data landscape. Cyera showed us that we had a lot of ghost data that was not being accessed or used. Eliminating it will save us over $50,000 per year in cloud storage costs," said Erik Bataller, VP of Security at ACV Auctions. “Cyera also helps me show our executive team and other business stakeholders how we are managing, governing, and securing our data, and how we are keeping it private.” As cloud use increases and cloud data continues to proliferate, it is more important than ever for ACV Auctions to identify, protect, and eliminate data when appropriate to control costs and increase overall security.

About Cyera

Cyera is the cloud data security company that gives businesses context and control over their cloud data. The company's mission is to empower security teams to enable innovation, securely. As the industry's most advanced cloud data protection platform, Cyera instantly provides companies a strong baseline for all security, risk management, and compliance efforts and ensures the entire organization operates with the same policies and guardrails. Backed by leading investors including Sequoia, Accel, and Cyberstarts, Cyera is defining the way companies do cloud data security. To learn more, visit