How the Pokemon Company achieved GDPR compliance with minimal Gloom

Regulations such as GDPR mean that when it comes to compliance issues the Pokemon Company can't afford to take any Chanseys, and really had to catch them all


Augmented reality game Pokemon Go was something of a surprise hit when it launched in 2016, racking up 800 million downloads to date.

That incredible scale carries with it a massive data lake of personally identifiable information for the Pokemon Company International though, including sensitive data about children. When combined with regulations such as GDPR, this creates a whole melee of potential compliance issues, which the company can't afford to take any Chanseys with, and really has to catch them all.


The Pokemon Company runs a multi-tenant AWS shop and its platforms contain information including geolocation data, dates of birth and email addresses - not to mention other single sign-on authentication methods through the likes of Google.

To deal with these compliance issues, John Visneski, director of information security and data protection officer at the Pokemon Company, turned to cloud-native machine data analytics vendor Sumo Logic to harden the company's defences, and it was super effective.

In the United States the Children's Online Protection Privacy Act (COPPA) requires strict data protection policies. The Pokemon Company International (which manages the franchise in a number of territories in the western world) viewed the requirements of COPPA and GDPR as an opportunity to evolve its security teams into something even stronger. It had previously gone "all-in" on being a tech company and running as much of its workloads in the cloud as possible, as well as adhering to modern devops practices.

Visneski, who prior to this role served in the US Air Force with the Chief of Staffs at the Pentagon and whose security colleagues have backgrounds as federal agents and in the NSA, explained that the Pokemon Company's infrastructure is all based on AWS. In the past couple of years the organisation stood up a devops shop, extended its privacy team, improved online services, and Visneski helped to create the information security team.

The developers at the company were previously doing most of the security "ad-hoc".

"The online services folks were doing their best and then working with AWS, because AWS obviously has a lot of really smart folks in the security space," he says. "But really the idea was building out a true information security department with a vision and a strategy... Everything from our security architecture to hiring out a team, to vendor management, to bringing on new vendors, sorting through different sorts of capabilities and different sorts of toolsets, and building out a vision and strategy to make us a first class cloud security shop."

Just before GDPR came into action, Visneski was named data protection officer, and he believes that there is a vital need for organisations to converge their privacy and security capabilities. In his experience, issues on both sides end up lost in translation: security professionals are trying to communicate problems in non-technical terms, while the privacy teams might be speaking in legalese. A broad integration of Sumo Logic, he says, helped to break down these silos.

"We have all these really great tools, all these really great alerts, all these sorts of things," he says, "but how do we wrap our arms around data visibility? How do we aggregate logs, how do we really start leveraging the tools in such a way that we can automate as much as we can? So that the humans involved, my security analysts, can concentrate on what they do best - which is provide context into those situations."

Staff were all "really excited" because of how well Sumo Logic integrated into the company's environment, and they were particularly impressed with the visibility that it offered. They chose to sign up to the company's security information and event management services as well as Investigation Workflows, and there are plans to partner with the vendor to build a new security operations centre.

Changing the vendor-client relationship

It's this level of collaboration that not only set Sumo Logic apart from other companies but, according to Visneski, signals a departure from the old client-vendor relationship into something that's more mutually beneficial, with both businesses maintaining a vested interest in the success of each other. A concept that's not as Farfetch'd as it might first appear.

"I think the vendor-customer relationship has evolved over the last decade or so, it used to be that a customer like us or a big customer with a healthy budget used to be able to go to a vendor like Sumo and say, hey, this is how much money I want to spend," says Visneski. "Give me the world - make sure that your best engineers are here - asking for features that don't exist that are out of scope or impossible... I think that relationship has changed and it has pivoted more towards strategic, substantive business relationships where a customer like me, I only want to do business with vendors that have a vested interest in seeing me be successful.

"And on the flipside I would hope that a vendor like Sumo Logic only wants to do business with customers that have a vested interest in them being successful. When you start taking that approach, especially with the foundational elements of your security programme, and you embrace the transparency that needs to happen back and forth - it improves your security posture."

He adds that having an idea of Sumo Logic's roadmap (and, conversely, Sumo Logic understanding the direction that the Pokemon Company is moving in) helps both parties achieve mutual success.

"That's really how you achieve that speed at scale in the security space," Visneski says. "Because I'm not trying to catch up with what's new, we have a good enough relationship to figure out what the future looks like together."

And the partnership has also been beneficial for other business areas outside of the security team - with staff in finance and the devops team all appreciating the visibility that it provides over a Tangela of solutions in complex environments.

"We started to see this growth outside of the security space, but with our security team being sort of that integrated agent across the organisation, what that gives us is visibility," he says. "When a security incident happens you might not get an alert through your primary toolset - we use CrowdStrike - we might not get the alert through CrowdStrike first. It might be a customer service ticket that comes in.

"But our security team, because we've used Sumo to integrate so many data feeds not just in the security space but in other places, can start to see indicators across our entire environment that could be really helpful if there's an incident," says Visneski. "The same thing goes for our devops folks, our network operations folks, where some of the indicators that might not be in their initial toolset but something somewhere else. Because we've rolled out Sumo so broadly it really is a rising tide that's lifting all ships, which has just been fantastic for us."
