How Automated Remediation Enables Proactive Data Protection at Scale

October is shaping up to be a big month for Sentra! From coast to coast, our team will be meeting with security leaders to share insights on securing sensitive data - no matter where it travels.

‍

If you’re attending one of these top cybersecurity conferences, we’d love to connect and show you how Sentra helps organizations embrace innovation while keeping data secure. Here’s where you can find us this month:

Hou.Sec.Con: September 30–October 1, Houston, TX

We’re kicking off in Texas at Hou.Sec.Con, one of the region’s most anticipated security conferences. It’s a hub for IT and cybersecurity professionals looking to explore new ways to defend against today’s evolving threats.

Stop by and learn how Sentra helps organizations protect sensitive data across cloud environments.

Trace3 Evolve: September 30–October 3, Las Vegas, NV

Next up is Trace3 Evolve, where IT leaders and innovators gather to discuss the future of enterprise technology. With cloud adoption accelerating, conversations around data security, compliance, and innovation are more important than ever.

Meet our team to see how Sentra makes securing sensitive data simple and scalable.

GuidePoint GPSEC Security Forum: October 3, Dallas, TX

We’re heading back south to attend GuidePoint GPSEC Security Forum in Dallas which will bring together industry leaders, cybersecurity experts, and technology innovators for a full day of impactful conversations, networking, and hands-on learning. This conference will dive into today’s most pressing security challenges through dynamic keynote speakers, engaging breakout sessions, and a bustling vendor fair. 

Whether you're dealing with data sprawl, compliance complexity, or risk visibility, Sentra will be on-site to show how their platform helps reduce risk and strengthen security posture without slowing innovation.

GrrCON: October 2–3, Grand Rapids, MI

Heading north, we’ll be at GrrCON, a favorite for security practitioners, researchers, and executives alike. Known for its community-driven feel, this event fosters knowledge-sharing and collaboration.

Let’s chat about modern approaches to cloud data security and how to mitigate risk without slowing innovation.

Innovate Cybersecurity Summit: October 5–7, Scottsdale, AZ

We’re excited to join the Innovate Cybersecurity Summit, where industry leaders explore solutions to today’s toughest challenges in data protection and cyber defense.

Learn how Sentra empowers organizations to gain visibility into their sensitive data and take proactive steps to secure it.

FS-ISAC Scottsdale: October (Dinner & Meetings)

We will be in Scottsdale during FS-ISAC, a premier financial services cybersecurity community event.

Sentra will be hosting a private dinner where attendees can connect in an intimate setting. We’ll also be available for 1:1 meetings to discuss how Sentra helps financial institutions protect sensitive data and comply with complex regulatory requirements.

‍

This is a great chance to meet our team and hear how we partner with organizations to balance innovation and data protection.

Gartner Symposium: October 20–23, Orlando, FL

One of the year’s biggest IT events, the Gartner Symposium brings together CIOs, CISOs, and technology leaders to discuss the future of digital business.

‍

Sentra will be on-site at Booth #748, where our team will showcase how a data-first security approach empowers organizations to innovate confidently while ensuring sensitive information remains protected. Stop by to connect with our experts and learn how Sentra helps enterprises stay secure in the cloud era.

NYC Google Event: October 21, New York, NY

We’ll also be in New York City at the Google Event, connecting with forward-thinking organizations adopting cutting-edge cloud technologies.

Discover how Sentra seamlessly integrates with Google Cloud to protect sensitive data wherever it lives.

InfoSec World: October 27–29, Lake Buena Vista, FL

We’re wrapping up the month at InfoSec World, a leading cybersecurity event bringing together professionals from across industries.

Stop by to learn how Sentra helps organizations strengthen data security strategies and stay ahead of regulatory demands.

GuidePoint GPSEC Security Forum: October 29, Philadelphia, PA

We’re closing out October at the GuidePoint GPSEC Security Forum in Philadelphia. This annual event brings together security professionals, technology partners, and thought leaders for a full day of collaboration and learning.

Hosted at Convene at Commerce Square, the forum will run from 8:00 a.m. to 5:00 p.m. ET and features a rich agenda, including:

‍

• A keynote from a leading cybersecurity expert
  
• Breakout sessions exploring today’s most pressing security challenges
  
• A panel of CISOs sharing practical strategies and real-world insights
  
• A showcase of more than 70 technology vendors driving innovation in security
  
  

The day wraps up with a networking reception, providing attendees with the opportunity to connect with peers, exchange ideas, and continue important conversations in a more relaxed setting. Sentra is proud to participate in this event and contribute to the dialogue on securing sensitive data in an increasingly complex landscape.

Why These Events Matter

Cybersecurity is a team sport. By joining these events, Sentra isn’t just sharing our vision for protecting sensitive data, we’re also listening, learning, and collaborating with the community to address the most pressing challenges in cloud security.

‍

From data discovery and classification to continuous monitoring and protection, Sentra helps organizations embrace innovation without compromising on security.

Connect with Sentra This October

Will you be at one of these events? Let’s meet!

‍

Schedule a meeting with Sentra or visit our team at any of the conferences listed above. We’d love to show you how we can help your organization protect sensitive data and move faster with confidence.

‍

See you on the road this October!

<blogcta-big>

Introduction

Cloud-first travel platforms handle massive volumes of customer data every day, from booking details to payment information. With petabytes of data spread across hundreds of  cloud accounts, the stakes couldn’t be higher: customer trust, regulatory pressure (PCI DSS, GDPR), and business reputation are always on the line.

‍

This is the story of how a global travel platform took action to ensure the highest level of customer data protection and set out to gain complete visibility and full control of its data estate, securing petabytes of sensitive information across 600+ cloud accounts in just 30 days.

At a Glance: Securing Petabytes at Scale

The Challenge

• 100s of PBs of sensitive customer data
  
• 600+ cloud accounts, 150K+ data stores
  
• Manual tagging, blind spots, reactive DLP
  
• Compliance risks (PCI DSS, GDPR)
  
  

The Solution

• Sentra’s agentless DSPM platform
  
• Automated discovery & AI-driven classification
  
• Real-time data mapping and compliance alignment
  
• Partnership-driven support and fast deployment
  
  

The Results

• Full visibility across petabytes of data in 30 days
  
• Streamlined governance across 600+ cloud accounts
  
• Dramatic reduction in  false positives & alert fatigue
  
• Stronger compliance with PCI DSS & GDPR
  
• Data security transformed into a strategic advantage
  
  

The Challenge: Data Visibility at Scale

The travel tech company’s cloud footprint had grown rapidly, now its security practices needed to be brought up to speed. Relying on legacy Data Loss Prevention (DLP) tools left the security team in a reactive posture. Alerts were triggered only after data had already left the environment. In the high velocity world of digital travel, “too late” is not an acceptable outcome.

‍

Manual tagging compounded the problem. It was slow, resource-intensive, inconsistent across teams, and prone to human error. With more than 600 cloud accounts and hundreds of petabytes of data in motion, the organization sought a reliable way to answer the most fundamental security questions:

‍

• What sensitive data do we have?
  
• Where is it stored?
  
• Who has access to it?

Answers to these three foundational questions would enable them to lock down exposure risk, misconfigurations, and regulatory noncompliance for sensitive customer information, including payment card data and personal identifiers.

Sentra Data Security: Scalable, Accurate, Agentless

After evaluating a wide mix of DLP and DSPM vendors, the company selected Sentra for its ability to deliver scale, accuracy, and scan efficiency.

‍

• Agentless discovery allowed rapid deployment across the entire multi-cloud environment without adding operational friction.
  
• AI-driven classification replaced error-prone manual tagging, enabling sensitive data to be labeled consistently and accurately.
  
• Regulatory mapping ensured risks were tied directly to frameworks such as PCI DSS and GDPR, making compliance reviews easier and faster.
  
• Smart scanning lowered cloud compute costs and provided more timely results.
  
  

Just as importantly, Sentra’s customer success and engineering teams worked closely with the company. Rapid support and the ability to deliver custom features strengthened the partnership and accelerated adoption.

Implementation: Tackling Complexity Head-On

Securing hundreds of petabytes across over 600 cloud accounts, over 150K data stores, and 25K data storage locations was no small feat. The implementation involved coordination with six internal stakeholder teams.

Sentra’s engineering team collaborated directly with the customer to fine-tune scanning for high-memory formats and optimize scanning cycles. This ensured that even as the environment expanded, sensitive data could still be discovered, classified, and secured in near real time.

‍

Despite the scope and complexity, deployment was completed on schedule. Within weeks, the company moved from chasing alerts to uncovering exposures proactively. Manual tagging errors were eliminated, and governance workflows became more consistent across business units.

Real Business Impact: From Reactive to Proactive

The shift in outcomes was dramatic. Within months, the security team achieved the visibility they sought. Instead of reacting to alerts, they were proactively discovering risks and preventing incidents before they escalated.

‍

Key results included:

• Discovery of sensitive data that had previously gone unnoticed
  
• Streamlined governance across 600+ cloud accounts
  
• Automated classification that reduced false positives and alert fatigue
  
• Improved compliance posture with PCI DSS and GDPR
  
  

As one security engineering manager put it:

‍

“The Sentra speed and support really stood out. We were able to quickly transform our approach from reactive alerts to proactive discovery. We’re not just detecting potential risks anymore; we’re gaining a comprehensive inventory of our data landscape across hundreds of petabytes, enabling us to truly protect our most critical assets.”

Sentra for Travel Tech: Setting the Pace

For travel technology companies, customer trust and agility are everything. Every transaction, every booking, every passenger record carries sensitive information that must be protected. At this scale, manual processes and reactive tools simply cannot keep up.

‍

By adopting Sentra’s cloud-native DSPM platform, this global travel leader gained real-time visibility into its vast, fast-moving data estate. Booking and flight details, payment card data, and personal identifiers could now be classified automatically and governed consistently without slowing the pace of innovation.

What had once been a compliance bottleneck became a strategic advantage.

Bottom Line: Data Security is a Competitive Edge

The journey of this global travel platform illustrates what’s possible when scale, automation, and accuracy come together. In just 30 days, the company moved from dangerous blind spots to full visibility and control over petabytes of sensitive data.

‍

But this is about more than one company’s success story. In the AI-powered economy, where data volumes are exploding and regulatory demands are intensifying, innovation speed without security is a liability. The leaders of the next decade will be those who can combine agility with trusted data security.

‍

Sentra’s DSPM platform gives organizations the ability to:

‍

• Discover and classify sensitive data automatically
  
• Map risks directly to compliance frameworks
  
• Move from reactive alerts to proactive governance
  
• Scale confidently across complex, cloud-first environments
  
  

This is about more than just compliance. For consumer industries like travel and hospitality, retail, financial services, and any enterprise that runs on data, it’s about protecting customer trust, unlocking innovation, and gaining a true competitive edge.

‍

Discover how Sentra can help your organization secure its cloud data estate at scale.

<blogcta-big>

NYDFS Steps Up Enforcement

The New York State Department of Financial Services (NYDFS) has long been one of the most influential regulators in the financial sector, but over the past two years, it’s made one thing crystal clear: cybersecurity is no longer a back-office IT concern, it’s a regulatory priority.

‍

In response to growing threats, increasing reliance on third-party services, and persistent operational risks, NYDFS has tightened its expectations around how financial institutions protect sensitive data. And it’s backing that stance with real financial consequences.

‍

Just ask PayPal or OneMain Financial, two major firms hit with multimillion-dollar penalties for cybersecurity lapses. These weren’t headline-grabbing breaches or ransomware attacks, they were the result of basic control failures, delayed reporting, and repeated gaps in governance.

‍

What do a $2M fine for PayPal and a $4.25M penalty for OneMain have in common?

‍
Weak cybersecurity practices, and a regulator that’s no longer willing to wait for companies to catch up.

The Recent Crackdowns: PayPal and OneMain

a. PayPal – $2M Civil Penalty (January 2025)

‍

In January 2025, NYDFS announced a $2 million penalty against PayPal for violations of its cybersecurity regulations under Part 500. The enforcement focused on failures to report a cybersecurity event in a timely manner and gaps in maintaining certain required controls.

‍

The incident involved unauthorized access to over 34,000 user accounts, exposing sensitive personal data including tax IDs and financial information. NYDFS emphasized that PayPal’s delayed reporting and lack of specific security measures put both consumers and the broader financial ecosystem at risk.

‍

What it signals: No company - not even a digital-native fintech giant is immune from enforcement. The bar is rising, and NYDFS is expecting organizations to report, respond, and remediate swiftly and transparently.

‍

b. OneMain Financial – $4.25M Fine (May 2023)

‍

In May 2023, NYDFS fined OneMain Financial $4.25 million after discovering systemic cybersecurity deficiencies, including improperly stored passwords, insufficient multi-factor authentication, and inadequate third-party risk management.

‍

Even more concerning: many of these issues were identified in earlier audits and hadn’t been fully addressed. NYDFS made it clear that repeated inaction wouldn’t be tolerated.

‍

What it signals: It’s not just about responding to one-off incidents — regulators are watching for long-term security maturity. Ongoing hygiene, policy enforcement, and consistent control testing are now table stakes.

What’s Changing: NYDFS 2.0 (Part 500 Amendments)

These enforcement actions aren’t just about past violations, they’re a preview of what’s to come.

‍

With the rollout of the NYDFS Second Amendment to Part 500, also known as NYDFS 2.0, covered entities, especially those classified as Class A companies are facing a new set of enforceable expectations.

‍

Key new requirements include:

• Annual independent audits of cybersecurity programs
  
• Mandatory multi-factor authentication (MFA) for all systems
  
• Stronger access control policies, including role-based access
  
• Board-level or senior executive oversight of cybersecurity governance
  

Full enforcement kicks in on November 1, 2025. At that point, these aren’t just checkboxes, they’re compliance requirements with real financial and reputational risk for falling short.

‍

The message is clear: NYDFS is no longer satisfied with written policies and best-effort intentions. It's expecting demonstrated outcomes, measurable control, and leadership accountability.

The Broader Message: Enforcement Is the New Default

NYDFS isn’t the only regulator stepping up, but it’s arguably the most proactive, and most willing to act. These recent fines signal a broader shift across the industry: compliance is no longer about having good intentions or written policies. Regulators are now focused on evidence of execution, real controls, timely reporting, and provable outcomes.

‍

In other words, enforcement is the new default. This shift reframes cybersecurity from a purely technical issue to a board-level governance challenge. It's not enough for IT or security teams to manage risk in isolation. Executive leadership, legal, and compliance functions all need to be aligned — and accountable.

If your organization is treating cybersecurity as just a tech responsibility, you’re behind.

What Organizations Should Do Now

The message from regulators is clear, and now is the time to act.

‍

Here are four practical steps your team can take to stay ahead:

‍

• Audit your current posture against NYDFS Part 500. Focus especially on:
  
  • Incident reporting timelines
    
  • MFA coverage
    
  • Access controls
    
  • Third-party risk assessments
    
    
• Prioritize visibility across your environment
  You can’t protect what you can’t see. Ensure you have continuous insight into where sensitive data lives, who can access it, and how it moves across cloud, SaaS, and on-prem systems.
  
  
• Document everything
  Have clear records of your policies, security controls, vendor assessments, incident response processes, and risk decisions. If you had to prove your compliance tomorrow, could you?
  
  
• Benchmark your controls against recent enforcement
  If PayPal and OneMain were fined for these issues, ask yourself:
  ‍How would our program hold up under similar scrutiny?
  
  

Final Thoughts: Read the Signals Now, Not After a Fine

The writing is on the wall - NYDFS is raising the bar, and other regulators are likely to follow. This is your opportunity to get ahead of the curve, rather than scrambling after the fact.

‍

Take these fines as what they are: a warning shot and a roadmap. Organizations that prepare now - with tighter controls, better visibility, and cross-functional ownership won’t just avoid penalties. They’ll be more resilient, more trusted, and better equipped to lead in a high-risk landscape.

‍

If you’re not sure where to start, use these enforcement cases as a prompt for an internal review. And if you want to go deeper, we’ve put together a compliance checklist that can help you assess where you stand.

‍

Better to find the gaps now before NYDFS does.

<blogcta-big>

‍