1 / 28

Best Practices in Application Data Masking

Best Practices in Application Data Masking. Paul Capobianco Sales Engineering. Introduction to Applimation. Data growth management software company Focus on enterprise applications Unified, integrated product suite Founded in 1998 150 + customers using Informia Solutions.

kristen-clossick
Télécharger la présentation

Best Practices in Application Data Masking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Best Practices inApplication Data Masking Paul Capobianco Sales Engineering

  2. Introduction to Applimation • Data growth management software company • Focus on enterprise applications • Unified, integrated product suite • Founded in 1998 • 150 + customers using Informia Solutions

  3. Premier Informia Customers City of Chicago

  4. Presentation Agenda • Overview of data privacy • Definitions • Terminology • Use cases/business drivers for data masking • Production/non-production? • Motivations • Informia Secure overview • Functionality • Features

  5. What is Data Privacy? Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.

  6. Sensitive Information – Definition • Non-public private information (NPPI) – details about an individual • Information protected by government regulations • Information protected by industry regulations • Intellectual property • Anything classified as confidential or private Open to common sense interpretation

  7. Why the focus on data privacy? • Data Breaches (becoming tomorrow’s Front page news) • Legal consequences • Loss of trust (customers, vendors, partners, etc.) • Negative publicity • Damage to reputation • COST • Government Regulations • Federal Information Security Management Act of 2002 • Gramm-Leach-Bliley Act • Personal Data Protection Directive (EU) • HIPAA • Data Protection Act (UK)

  8. Privacy Laws – All Different United States Privacy Rules Designed to embarrass organizations that properly secure sensitive information i.e. (bank acct info or employee payroll records) European Privacy Rules Must adhere and confirm to European Union privacy mandates.

  9. Why the focus on data privacy? • THE COST! Penalties for data breaches include: • Fines • Brand Damage • Expenses associated with notifying affected individuals • (ESG estimates between $25-$150 per notification) In Europe and other countries non compliance leads to: • Executive Dismissal • Government Sanctions

  10. Privacy Regulations – More Detail

  11. Industry Regulations • Payment Card Industry Standard • Comprised of Visa, MasterCard, Discover, American Express and JCB • Intended to improve the overall level of security for payments globally • Vendor incentives to comply with PCI include brand protection and financial, legal, and regulatory risk reduction Being updated again – now expiration date must be hidden • HIPAA Security Rule • Applies to insurance companies, providers (hospitals) • Audits starting to reveal gaps

  12. Inconsistent Data Breach Laws in the U.S. Data Breach Law Breakdown by each state (as of February 2007) • 34 states with breach laws • Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin • 8 states considering passing breach legislation • Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, Virginia, West Virginia • 8 states with no imminent plans for breach laws • Alabama, Alaska, Iowa, Kentucky, Mississippi, New Mexico, South Dakota, Wyoming

  13. The Federalization of Privacy Regs in the U.S. • 2 key bills passed out of the House of Representatives (H.R.) • Both were cleared from the books at the conclusion of the 109th U.S. Congress • No comparable bills have been proposed by the 110th U.S. Congress to date • H.R.4127 - Data Accountability and Trust Act • Requires the Federal Trade Commission to establish rules for the security of personal information • Provides dual enforcement by state and federal authorities • H.R.3997 – Financial Data Protection Act • Customer notification is only required if breached information is ‘reasonably likely to be misused’ • Provides security freezes to victims of ID theft only • Preempts state laws in order to protect the confidentiality of information • Enforcement by federal authorities only

  14. U.S. Data Breaches • There have been over 100 million data breaches since ChoicePoint (Feb 2005) • Plague all verticals, but most common in: • Education: University of Notre Dame (1/8/07) • Gov’t: Wisconsin Department of Revenue (12/29/06) • Finance/banking: Moneygram (1/12/07) • Mostly malicious actions • Hacking or stealing systems with information

  15. 30% 26% 24% 25% 21% 20% 17% 15% 8% 10% 4% 5% 0% 1% to 10% of 11% to 25% of 26% to 50% of 51% to 75% of More than 75% Don't know our data is our data is our data is our data is of our data is confidential confidential confidential confidential confidential Confidential Data Stats How much of your data is confidential? SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.

  16. Confidential Data Stats How much of your database data is confidential? SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.

  17. Security Threats – From Where? External Security Threats • IT has spent MOST money on external security • Firewalls • Password protection • System Auditing on connections • Computer room access • Tracking cards for building access

  18. Security Threats – From Where? Internal Security Threats This is where a majority of breaches now taking place • Who has access to primary database applications? • Who has access to test and development databases • Is there sensitive / confidential information in these primary / test databases? • What measures are you taking to protect against internal security and privacy threats?

  19. Rationalizing an investment • Insert your favorite data breach here (TJX, Fidelity, HP) • Over 10 information security and privacy Bills are currently being debated in U.S. Congress Basically it will be mandated eventually • Only 34% of organizations have deployed database encryption solutions

  20. Subsetting / Masking / Scrambling / Encryption How is this accomplished today on Oracle Apps, PeopleSoft and Siebel? • DBA’s run their own scripts • Requires up-to-date understanding of application • Requires maintenance after upgrades and family packs • What about cross-module data sharing ? Is this covered? • Things change • Are you sure? • Will you bet your CIO’s career on it? • Consulting companies create custom scripts • Costly, require maintenance and same issues as above • Most do Nothing – clones and test/dev copies have it all!

  21. Subsetting / Masking / Scrambling / Encryption There are 2 processes used today to help manage the size and security to mitigate the security risk. • Subsetting • Creates a smaller or partial copy of Prod database for test • Smaller copy ensures less sensitive data • Saves on subsequest copies – saves on disk • Developers still have some valid data however • Data Masking • Smaller Production data becomes anonymous data • Still ensures referential integrity at EVERY data level • Variety of masking methods should be available • Solution should be application-aware (O-Apps & PSoft) • Also automated, flexible and supported

  22. Informia Secure – Product Overview What can companies do?

  23. Informia Secure - Introduction Secure enables data privacy by providing robust data masking functionality. What is Data Masking? Protecting sensitive information by hiding or altering data so that an original value is unknowable. Also known as: • De-identifying • Protecting • Camouflaging • Data masking • Data scrubbing

  24. Why is data privacy required? • Production environment Security model to control access • Non-production environment Security is opened up to enable development and testing Non-production business drivers • Development • Testing • Support • Outsourcing

  25. Substitute – Prepackaged Data Sets The ability to replace existing values with new values that follow the format of the original • Male and Female Names • Last names • Male and female titles/suffixes • Credit card numbers – Visa, MasterCard, Amex • Country, state, county, town names • Zip codes • Phone numbers • Email addresses

  26. Substitute Method - Example

  27. Data Masking Concepts • Relational integrity • Policy simulation • Auditability • Format validation • Data consistency

  28. Questions……

More Related