1 / 16

Protection of Relations Within Large Datasets

Protection of Relations Within Large Datasets. Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s. Let’s Start With Basic Facts …. Assets : valuable data contained in information systems Two families of threats targeted at data :

zia
Télécharger la présentation

Protection of Relations Within Large Datasets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protection of Relations Within Large Datasets Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s. Protection of Relations Within Large Datasets

  2. Let’s Start With Basic Facts… • Assets: valuable data contained in information systems • Two families of threats targeted at data: • Active threats– modification, unauthorized alteration, destruction • Passive threats – unauthorized copying, eavesdropping, data leaks • Concerns with data leak detection • Easy to create a copy of data • The original data are unaffected by copying Protection of Relations Within Large Datasets

  3. Data And Their Context • Isolated (standalone) data • Low value • Their occurrence in information systems is rather rare • Context of data • Relations between data records: substantial part of assets’ value • Reason for relational DBMS popularity • Usual target of attackers Protection of Relations Within Large Datasets

  4. Information System VulnerabilitiesHow the Architects Imagine Things... Protection of Relations Within Large Datasets

  5. Information System VulnerabilitiesHow the System Actually Looks... Protection of Relations Within Large Datasets

  6. Information System Vulnerabilities – Exploited • Sony PlayStation® Network • April 2011 • External attacker • Stolen 77 million records • Direct damage: $171 million • Indirect damage: ??? • Lessons learned? • SonyPictures.com data breach • June 2011 • Goold Health Systems • January 2013 • Loss of backup media with patient data • 6000 Medicaid records including personal and payment data • Gatineau Townhall, Canada • January 2013 • Loss of student loans data • 583 thousands records Protection of Relations Within Large Datasets

  7. Usual Approaches To Data Protection • Securing the perimeter • Objective: prevent access of unauthorized people • Authentication/authorization • Problems • Threat of rogue insiders • Data taken out of the perimeter are „defenseless“ • Data encryption • Objective: protect static representation of data • Database-level encryption • Data accessible only for authorized users • Problems • Often „All-or-Nothing“ solution • Cryptographic key management • Data recovery risks Protection of Relations Within Large Datasets

  8. Alternative Approach • Securing the relations between data • Idea (based on relational database theory) • Divide the data into „context domains“ • Link the records across domain boundaries with secure identifiers • Secure identifier construction • Initial data structure • Encrypted with domain-related key • Result: seemingly random sequence of bits • All identifier transformations performed in secure environment Protection of Relations Within Large Datasets

  9. Data Before Secure Identifier Application Protection of Relations Within Large Datasets

  10. Data After Secure Identifier Application ? Protection of Relations Within Large Datasets

  11. ... But We Can Go Further Protection of Relations Within Large Datasets

  12. Aspects Of Successful Deployment • Applications in legacy information systems • Invasive change, impact depends on architecture of the IS • Intentional break of normal relationship implementation • Unable to utilize standard database query techniques • Possible solutions: NoSQL technologies, proxy drivers • Large datasets are necessary • Avoiding the brute-force threats • Reduced data throughput • Security level is a compromise between data protection and other parameters (performance, price, ease of use…) Protection of Relations Within Large Datasets

  13. Benefits Of Protected Relationships • Data access control • Context domains have isolated data character • Easy to manage access to individual domains • Secure identifier operations performed by a separate subsystem • Dependency between data and physical device prevents data theft • Additional security layers can be included • Breach recovery mechanism • Compromised identifiers can be replaced Protection of Relations Within Large Datasets

  14. Similar Approaches • PCI/DSS • Data tokenization • Opaque (uninterpretable) values substituting sensitive data • Format-preserving Encryption • Less-known / rarely used method • IS ORG – personal identifier translator • Internal component of Czech eGovernment system • No public interface Protection of Relations Within Large Datasets

  15. Final Remarks • Present and future trends • Advances in system integration – new vulnerabilities • Cybercrime (esp. „identity theft“) on the rise • Increasing adversary professionalization (e.g. Chinese PLA Unit 61398) • Data protection legislation(EU – „General Data Protection Regulation“, expected adoption in 2014) • Conclusion: new information systems should consider protection of the data as well as data relations • Secure identifier system is a useful part of the security landscape Protection of Relations Within Large Datasets

  16. Thank You for Your Attentionboleslav.bobcik@t-systems.cz

More Related