HumanN Utilizes Data Consumption Intelligence to Better Govern Customer Data

People have long searched for the keys to improved health and vitality, from exercise to superfoods. In the 1990s a new key appeared on the scene when a little-understood gas began to be recognized for its importance as a chemical messenger in the body. Dubbed the “miracle molecule,” nitric oxide’s importance as a biological signaling molecule led to the awarding of the Nobel Prize in 1998.

Recognizing the possibilities in N-O, HumanN was founded in 2009, and it didn’t take long for the company’s interest in cardiovascular health, aided by blood flow and circulation, to become a passion. By consulting with the top scientists, doctors, registered dietitians, and healthcare thought leaders, HumanN is committed to bringing the best functional foods and supplements to every human across every phase of life, helping every individual live up to the immense potential in the human body. 

HumanN has seen a phenomenal response to its vision and has experienced extraordinary results over the last few years, demonstrated by its inclusion in Inc.’s list of fastest-growing companies for the sixth consecutive year in 2020. That expansion has been partly fueled by the company’s data-driven strategy across product development, customer outreach, and logistics.

As a fast-moving tech company led by successful former tech executives, HumanN quickly realized it needed to optimize its data governance to support its growth and began looking for a partner that could match its pace of innovation.  

“We needed a modern, no-code SaaS solution that we could get to business value in days, not the traditional, heavyweight expensive enterprise offering that takes months or years to deploy,” said Joel Kocher, CEO, HumanN. “Our business moves at lightning speed, and we found a soul-mate in ALTR across all dimensions: elegant technology, customer centric, modern and affordable.” 

A Cloud-Based Innovator Needs Visibility into Data Usage and Patterns  

As a science and product development company, HumanN collects and utilizes data in customer research and in developing and testing new products. Demographic data, prospect lists, and retargeting information are employed when communicating about products to prospective customers. And as a consumer packaged goods (CPG) company, HumanN uses customer data, including names, addresses and contact information, throughout the order, shipment, and fulfillment processes, both for direct-to-consumer sales and for other sales channels.

As expected of an innovative startup, the company operates in the cloud, utilizing today’s modern tools. This means data is spread across the cloud infrastructure, including the Snowflake data platform and Tableau for reporting, Oracle NetSuite ERP, Shopify and Amazon eCommerce, MSFT Office 365 for internal communications, Softeon and Saddle Creek logistics services, and about twenty more tools.

“It’s important to get the message out about what our product can deliver to our consumers — to both potential consumers and our active customer base,” said Jacob Sulpice, Data Engineer, HumanN. “Engagement is a big part of our core business strategy, and customer data is critical to that.”

Because HumanN handles so much customer personally identifiable information (PII), the company’s first concern was visibility into data usage. “We have outbound data streams to direct email marketing campaigns or SMS marketing or social media analytics,” Sulpice said. “We wanted to make sure we had a good handle on where our sensitive data is going externally and which users are accessing it internally.”  

Beyond that, the company wanted to build a baseline for usage. “We wanted to understand what ‘good access’ might look like so we could then start creating controls based on those patterns,” Sulpice said. “If we have an outside system that we’re expecting to grab data every Monday at 6 am but we suddenly see that it’s trying to pull the data on a Wednesday afternoon, we want to be aware of that.”  

The company’s leadership was also concerned about complying with GDPR and other regulatory requirements around PII to avoid potential fines and damage to customer trust. And the company’s streamlined data team needed a solution that integrated with their cloud-based ecosystem, was easy to implement, and provided a quick time to value. ALTR offered the ideal solution.  

“Holding all this PII data places a responsibility on HumanN to ensure that it’s being viewed responsibly and only by people who should have access to it. That was our primary business driver for bringing ALTR on,” Sulpice said.  

13 Days from Kickoff to Sensitive Data Discovery and Classification 

ALTR started with an in-depth PII audit, analysis, and classification project to scan the data that originates throughout the company’s data ecosystem and is stored in HumanN’s Snowflake cloud data warehouse. Almost 4,000 data columns were classified, with about 2,000 columns containing likely PII: names, addresses, email addresses, phone numbers. Overall, around 900,000 distinct PII records were found in the data store from 28 distinct data sources within 13 days of project kickoff.

“The audit was really useful because we have data from sales channels, marketing channels and more all coalescing together into the Snowflake master data system,” said Sulpice. “ALTR’s classification project helped us find and denote the sensitive data within that mass of various kinds of data.”  

This sensitive data represented a risk to the company both from a privacy and security perspective. Leaks of personal data could lead to regulatory fines or civil litigation while data theft could mean a potential economic exposure of $90M total at a cost of $100 per record. HumanN decided to move forward with ALTR’s cloud-integrated solution for data consumption governance.  

Data Consumption Insight in Less than One Month 

With no infrastructure to implement and no code required, the ALTR solution was able to pivot quickly from finding sensitive data to observing sensitive data consumption. The HumanN team then ran the ALTR solution for 27 days in order to establish a normal month of usage. At the end of that time, Sulpice was able to look at spikes in data access by role and identify a baseline metric for normal activity such as daily data pulls to Tableau. Using that baseline, he plans to put thresholds, alerts and limits in place when requests are made that are outside normal activity. These thresholds could be different based on who or what is accessing the data – an internal request might just generate an anomaly while an external one might be blocked.  

This visibility into consumption also underscored an issue he had previously identified: lack of clarity caused by using the same role for multiple purposes. For example, a superuser role for the database was used by BI tools to extract data, by sales channels to import data, and by the database admins to run queries and make changes to the database.

“It was obfuscating any meaning attached to the consumption,” Sulpice explained. “We needed to break that role out into data import, data export and admin roles. This allows us to bifurcate the activity and place custom rules and thresholds around those activities.”  

ALTR calls this “purpose-based access control”: instead of setting up access based on “who a user is,” access is controlled based upon “why they need it.” The concept of “why they need it” also includes “how much they need.” With the visibility into what normal activity looks like, Sulpice can customize access based on what and how much data is necessary to complete the task. And when access is based on normal activity, outlier activity can easily be identified.  
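The baseline-then-threshold approach described above can be sketched as follows. This is an added example, not ALTR's product logic or HumanN's code: the role names, the `mean + 3 * stdev` ceiling, the choice of which role counts as external, and the 27 days of sample data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, role, rows_returned) for a 27-day observation window.
# Role names are hypothetical, following the import/export/admin split.
BASELINE_LOG = (
    [(d, "DATA_EXPORT", 50_000 + (d % 5) * 1_000) for d in range(1, 28)]
    + [(d, "DATA_IMPORT", 8_000 + (d % 3) * 500) for d in range(1, 28)]
    + [(d, "DB_ADMIN", 200 + (d % 4) * 50) for d in range(1, 28)]
)

# Assumption: roles that serve external systems; the page leaves this to policy.
EXTERNAL_ROLES = {"DATA_EXPORT"}


def build_baseline(log, k=3.0):
    """Return {role: daily row ceiling} as mean + k * stdev of daily totals."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, role, rows in log:
        daily[role][day] += rows
    limits = {}
    for role, per_day in daily.items():
        totals = list(per_day.values())
        limits[role] = mean(totals) + k * pstdev(totals)
    return limits


def evaluate(role, rows_today, limits):
    """Classify one day's consumption for a role: allow, anomaly, or block."""
    limit = limits.get(role)
    if limit is not None and rows_today <= limit:
        return "allow"
    # Over the ceiling, or a role with no baseline at all: external consumers
    # are blocked, internal ones only raise an anomaly for review.
    return "block" if role in EXTERNAL_ROLES else "anomaly"


LIMITS = build_baseline(BASELINE_LOG)

if __name__ == "__main__":
    for role, rows in [("DATA_EXPORT", 52_000), ("DATA_EXPORT", 1_000_000),
                       ("DB_ADMIN", 1_000_000), ("DB_ADMIN", 250)]:
        print(role, rows, evaluate(role, rows, LIMITS))
```

Because each role has its own ceiling, a million-row pull is classified against the purpose of the role that made it, which is not possible while import, export and admin traffic share one superuser role.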

“Without ALTR, I didn’t have a good way to quickly see what tables are being accessed in near real-time,” Sulpice said. “Getting an alert that someone has tried to access a million customer records is key. This can give us a heads up that there’s malicious activity, but also an early warning on runaway processes. That can save us a whole lot of headaches.”

Putting Humans First 

The partnership between innovative companies has proved a success. “The ALTR team has been absolutely great,” Sulpice said. “They’ve been really engaged, and we’ve had direct support whenever we needed it.”   

ALTR’s data consumption governance solution now enables HumanN to ensure they’re making the best use of data responsibly, across research, marketing, fulfillment, customer support and more, to deliver the best products and experiences to their customers.  

“Everything we do at HumanN is driven by our desire to help people—to push harder, to achieve greater and finish stronger. We’re constantly innovating and evolving in order to better meet that goal,” said Kocher. “We’ve taken the same proactive approach to protecting our customers’ data. In fact, we treat our customers’ data with the same respect we treat the humans behind the data. Our adoption of ALTR is another step in that direction.”