Securing Enterprise Data
September 13th, 2007
Farhan Mohammad – Sr. Sales Engineer
2
Introduction to Applimation
Data growth management software company
Focus on enterprise applications
Unified, integrated product suite
Founded in 1998
150+ customers using Informia Solutions
3
Presentation Agenda
• Overview of data privacy
– Definitions
– Terminology
• Use cases/business drivers for data masking
– Production/non-production?
– Motivations
• Data privacy solution best practices
– Functionality
– Features
4
What is Data Privacy?
Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.
5
Sensitive Information – Definition
• Non-public private information (NPPI) – details about an individual
• Information protected by government regulations
• Information protected by industry regulations
• Intellectual property
• Anything classified as confidential or private
6
Why the focus on data privacy?
• Data breaches
– Legal consequences
– Loss of trust (customers, vendors, partners, etc.)
– Negative publicity
– Damage to reputation
• Government Regulations
– Federal Information Security Management Act of 2002
– Gramm-Leach-Bliley Act
– Personal Data Protection Directive (EU)
– HIPAA
– Data Protection Act (UK)
7
U.S. Data Breaches
• There have been over 100 million individual data breaches since ChoicePoint (Feb 2005)
• Plague all verticals, but most common in:
– Education: University of Notre Dame (1/8/07)
– Gov’t: Wisconsin Department of Revenue (12/29/06)
– Finance/banking: Moneygram (1/12/07)
• Mostly malicious actions
– Hacking or stealing systems with information
8
Privacy Regulations – More Detail
Regulation | Example Text
HIPAA | “Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information.”
Gramm-Leach-Bliley Act | “The law requires that financial institutions protect information collected about individuals”
Data Protection Act (UK) | “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
PCI | “…keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.”
9
How much of your data is confidential?
[Bar chart: Confidential Data Stats. Response categories: 1% to 10% of our data is confidential; 11% to 25% of our data is confidential; 26% to 50% of our data is confidential; 51% to 75% of our data is confidential; More than 75% of our data is confidential; Don't know. Bar values as extracted: 24%, 17%, 21%, 26%, 4%, 8%.]
SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.
10
Why is data privacy required?
• Production environment security model to control access
• Non-production environment security is opened up to enable development and testing
Non-production business drivers
– Development
– Testing
– Support
– Outsourcing
11
Example – Prod vs Non-Prod
[Diagram: Production vs. Non-Production]
12
What is Data Masking?
Protecting sensitive information by hiding or altering data so that an original value is unknowable.
Also known as:
– De-identifying
– Protecting
– Camouflaging
– Data masking
– Data scrubbing
Data Privacy Software – Data Masking Best Practices
14
Best Practice # 1 – Enterprise Solution
Single installation
Connect to multiple databases
Single Masking Engine
Unified Architecture
Reusable and repeatable policies
Supported database platforms
Oracle
SQL Server
DB2 LUW
DB2 zOS
Sybase
MySQL
15
Best Practice # 2 – Built in Masking Methods
Substitute
Randomize
Shuffle
Nullify
Scramble
Skew
Encrypt
Custom SQL
Mathematical Formulae
16
Example - Skew Method
Taking an existing value and altering it within a defined range
Skew Type | Original Value | Skew Range | Masked Value
Percentage | $48,000 | +/- 20% | $42,105
Integer | 564 | +/- 100 | 623
Date | 8/12/2007 | +/- 180 days | 1/22/2008
17
Example - Substitute Method
Before masking:
Emp ID | Name | City | ST | Zip
0964 | John Smith | Plano | TX | 75025
9388 | Mark Jones | Modesto | CA | 95356
2586 | Rob Davis | Hartford | CT | 06111
7310 | Jeff Richards | Tampa | FL | 33617
After masking:
Emp ID | Name | City | ST | Zip
0964 | Joe Marks | Topeka | KS | 66618
9388 | Gary Franks | Billings | MT | 59102
2586 | David Sanger | Tucson | AZ | 85704
7310 | Dan Lister | Detroit | MI | 48216
18
Best Practice # 3 – Easy to Use / Learn
• Navigation Tree – modules and rule sets
• Designer Canvas – Drag and drop; auto discovery
• Rule Creator – group rules logically
19
Best Practice # 4 - Content
Substitute - Replace existing values with new values that follow the format of the original
Male and Female Names
Last names
Male and female titles/suffixes
Credit card numbers – Visa, MasterCard, Amex
Country, state, county, town names
Zip codes
Phone numbers
Email addresses
20
Best Practice # 5 - Data Format Validation
Ensuring that the structure of a piece of data is maintained after masking
Type of Data | Pattern
MasterCard Number | Prefix 51 – 55; Length 16
Visa Number | Prefix 4; Length 13, 16
American Express Number | Prefix 34, 37; Length 15
Social Security Number | 123-45-6789, first three digits are geographical
Telephone Numbers | (123) 456-7890
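An added example (not part of the presentation and not Informia Secure code) of the format validation described on this slide: digits are randomized while the prefix, length and punctuation from the pattern table are kept, and the result is re-checked against the same patterns. All function names are hypothetical and the sample numbers in any usage are constructed.

```python
import re
import secrets

# Patterns taken from the slide's table (prefix and length only; the slide
# does not mention check digits, so none are verified here).
CARD_RULES = {
    "mastercard": (("51", "52", "53", "54", "55"), (16,)),
    "visa": (("4",), (13, 16)),
    "amex": (("34", "37"), (15,)),
}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PHONE_RE = re.compile(r"^\(\d{3}\) \d{3}-\d{4}$")

def card_type(number):
    """Return the brand whose prefix and length match the table, else None."""
    if not (number.isascii() and number.isdigit()):
        return None
    for brand, (prefixes, lengths) in CARD_RULES.items():
        if number.startswith(prefixes) and len(number) in lengths:
            return brand
    return None

def mask_digits(value, keep_prefix=0):
    """Replace each digit after the first keep_prefix digits with a random
    digit; punctuation, spacing and length are left untouched."""
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_prefix else str(secrets.randbelow(10)))
        else:
            out.append(ch)
    return "".join(out)

def mask_card(number):
    """Mask a card number, then validate that the brand format survived."""
    brand = card_type(number)
    if brand is None:
        raise ValueError("unrecognised card format; refusing to mask blindly")
    masked = mask_digits(number, keep_prefix=1 if brand == "visa" else 2)
    if card_type(masked) != brand:
        raise RuntimeError("masked value no longer matches the source format")
    return masked
```

Random digits give a different result on every run, so this alone does not provide the consistency covered under Best Practice # 6.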
21
Best Practice # 6 - Data Consistency
Intra-Row: Different fields within a row are related
Example: Age and birth date
Intra-Table: Rows within a table are related
Example: Multiple assignments for a single employee stored in one table
Inter-Table: Rows in different tables are related
Example: Changing the employee number may have cascading effects
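An added example (not part of the presentation and not Informia Secure code) combining the Skew and Substitute methods with the three consistency levels above. It swaps in a keyed HMAC to pick replacement values deterministically, which is an assumption of this sketch rather than the product's method; `MASK_KEY` and all function names are hypothetical.

```python
import hashlib
import hmac
from datetime import timedelta

MASK_KEY = b"constructed-demo-key"  # assumption: secret held outside non-production
NAMES = ["Joe Marks", "Gary Franks", "David Sanger", "Dan Lister"]  # from the slide

def _keyed_int(field, value):
    """Deterministic integer for (field, value) under MASK_KEY (HMAC-SHA256)."""
    msg = f"{field}\x00{value}".encode()
    return int.from_bytes(hmac.new(MASK_KEY, msg, hashlib.sha256).digest()[:8], "big")

def substitute(field, value, choices):
    """Same original always yields the same substitute (names need not be unique)."""
    return choices[_keyed_int(field, value) % len(choices)]

def build_id_map(emp_ids):
    """Unique 4-digit masked ID per employee (assumes fewer than 10,000);
    build it once from the parent table and reuse it for every other table."""
    mapping, used = {}, set()
    for emp_id in sorted(set(emp_ids)):
        attempt = 0
        while True:  # re-derive on collision so masked keys stay unique
            cand = "%04d" % (_keyed_int("emp_id", f"{emp_id}:{attempt}") % 10000)
            if cand not in used:
                break
            attempt += 1
        used.add(cand)
        mapping[emp_id] = cand
    return mapping

def skew_date(field, value, max_days=180):
    """Skew method: shift a date by a keyed offset within +/- max_days."""
    offset = _keyed_int(field, value.isoformat()) % (2 * max_days + 1) - max_days
    return value + timedelta(days=offset)

def age_on(birth, today):
    """Whole years elapsed between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def mask_employee(row, id_map, today):
    """Intra-row: age is recomputed from the skewed birth date, not masked alone."""
    birth = skew_date("birth_date", row["birth_date"])
    return {"emp_id": id_map[row["emp_id"]], "name": substitute("name", row["name"], NAMES),
            "birth_date": birth, "age": age_on(birth, today)}

def mask_assignment(row, id_map):
    """Intra-/inter-table: every row referencing the employee gets the same new key."""
    return {**row, "emp_id": id_map[row["emp_id"]]}
```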
22
Additional Best Practices
# 7 - Relational integrity
# 8 - Policy simulation
# 9 - Auditability
23
Best Practice # 10 – Application Awareness
What is sensitive?
Where is it?
How to mask it?
What’s it related to?
24
Example – Application Awareness
PeopleSoft HCM Module
Functional Name | Field | Mask Type | Related Fields
Job Evaluation Criteria | JOB_POINTS_TOTAL | Shuffle | JOB_KNOWHOW_POINTS, JOB_ACCNTAB_POINTS, JOB_PROBSLV_POINTS
Salary Ranges | MID_RT_ANNUAL | Skew | MIN_RT_HOURLY, MID_RT_HOURLY, MAX_RT_HOURLY, MIN_RT_MONTHLY, MID_RT_MONTHLY, MAX_RT_MONTHLY, MIN_RT_ANNUAL, MAX_RT_ANNUAL
Name | NAME | Substitute | LAST_NAME_SRCH, FIRST_NAME_SRCH, LAST_NAME, FIRST_NAME, MIDDLE_NAME, NAME_DISPLAY, NAME_FORMAL
25
Summary – Data Masking Best Practices
1. Enterprise solution
2. Built-in Data Masking Methods
3. Easy to use / learn
4. Content
5. Data Format Validation
6. Data Consistency
7. Relational Integrity
8. Policy Simulation
9. Auditability
10. Application Awareness (Accelerators)
26
Informia Secure and Oracle
Applimation is an Oracle Certified Advantage Partner and has developed application-specific data masking “accelerators” for the Oracle E-Business Suite.
The Informia Secure accelerators streamline the data masking effort by providing functionality-focused data masking algorithms. The application data has been analyzed to identify likely data fields, and potential masking algorithms have been defined. The user can then choose the specifics.
27
Informia Secure and Oracle
Accelerator Example
– Client wishes to mask the name field.
– Client selects Name for masking.
– Behind the scenes, Informia Secure knows the related fields to also mask, such as First Name, Last Name, etc.
– Client chooses the method, e.g. Substitution.
– Informia Secure executes the data masking by
• selecting replacement values from a substitution table
• inserting the replacement values into the primary table
• creating new values for the related fields on the table
• cascading the new value set to other tables using these fields
28
Creating a Secure Oracle Instance
Careful planning is needed to properly create a secure Oracle E-Business Suite environment. The following items should be defined upfront:
– Goals for data masking
– Uses of the secured environment
– Level of functionality to maintain.
– Level of data integrity to maintain
– Users of the secured environment and their access levels.
29
Creating a Secure Oracle Instance
Goals for data masking
– Protect confidential personal information, such as social security number, addresses, phone.
– Protect confidential employment information, such as salary, employee review data.
Uses of the secured environment
– Development – Online & Batch
– Testing – Configuration, Online, Batch, Production
– Training & Demonstrations
30
Creating a Secure Oracle Instance
Level of Functionality to maintain
– Which modules will be used in the secure environment?
– To what level does the functionality need to function?
Level of data integrity to maintain
– Current Data
– Historical Data
– Intermodule relationships
Users of the secured environment and their access levels.
– Types of user: functional users, technical users.
– Access levels: expanded user menu access, “back door” (SQL) access.
31
Creating a Secure Oracle Instance
Using Applimation Informia Secure, you can easily create a secure Oracle E-Business Suite environment that protects your data, while allowing you to productively use your secure environment to meet your business needs.
32
Questions……