Disable the ability to Export to CSV
We don't want all users to have the ability to export a Segment to CSV. Adding a permission.
-
Completely agree with Nick on this. Users should NEVER be allowed to download sensitive customer data into unprotected systems unless explicitly permissioned to do so.
Within the UI, we can at least control who gets let in and offered a user profile, what is their account scope, what is their role and what can users assigned to that role do and see. We can control who gets invited to SuccessBlocs and who is a collaborator, who gets added to specific SuccessTeams and what are the settings on that team, etc. Within the UI, we can also control how customer info gets protected via system infrastructure and implement standards like SSO, 2FA, data file encryption, and more.
However, the moment they go into a segment and are offered the ability to download a CSV, all of those protections vanish. One human error is all it takes to eliminate the multi-layered fortifications we've built directly into the tenant. That sensitive customer data is suddenly exposed and goes unprotected out into the wilderness. It can be shared in emails. It doesn't require passwords to unlock the file. Sure, there are GDPR, Works Council, DPP, and related considerations at play here, but this one is bigger and more foundational than that.
Adding a setting to allow for permissioning on CSV download capability seems like such a no-brainer that it's strange to me that we even need to ask for it, and even stranger that the product team would ask what is the reason.
-
If we could permission the CSV download link, then the individuals being granted this permission in our org would be limited to a tiny select few who have received additional training in data security, proper approvals and oversight for this expanded capability... limited to those who understand the relevant risks and methods of protecting sensitive data (not just any random one of our thousands upon thousands of CSMs or CEEs or sales people, for example).
An additional benefit of an authorization like this is how it would make following up on any potential breaches or leaks in the future far simpler (since the list of possible sources will have shrunk tremendously from thousands to mere tens).
You are, of course, correct though. Once the file is outside of Totango then it's outside of our control. That's precisely why we would like to limit who has the ability to pull CSV files from the system in the first place.
Sure, if someone is motivated and wants the data badly enough then they'll find a way (like taking screenshots, for example), but that's an edge case where nefarious intent is fairly obvious. With this, we're trying to protect those other 99.9% who simply might not know any better, and by doing so we're trying to better protect ourselves and (more importantly) our customers.
Appreciate your interest and willingness to better understand.