Post on 29-May-2020
transcript
ImpervaCamouflageDataMasking
Reducetheriskofnon-complianceandsensitivedatatheftSensitivedataisembeddeddeepwithinmanybusinessprocesses;itisthefoundationalelementinHumanRelations,sales,andstrategicanalysissystems.Thebusinesscannotfunctionwithoutenablingaccesstothisinformation.Theproblemisthatthisinformationisequallyvaluabletothebadguys–hackers,disgruntledormisguidedinsidersandcompetitors.Complianceregulationsrecognizethevalueofsomeofyoursensitivedata,includingpersonallyidentifiableinformation,butyourorganizationhasvastamountsofsensitiveinformationthatisnotsubjecttoregulation.Yourchallengeistoprotectallofthesensitiveinformationanddemonstratecompliancewiththeapplicableregulationinacost-effectivemannerthatfitsyourbusiness’sprocessesandresources.
TheImpervadatasecurityportfolioispurpose-builttoprovideyouwithsecurityandcompliancecapabilitiesthatmeetaddressabroadrangeofusecasesacrossdatabases,files,useractivity,BigDataandcloud-basedsystems.TheImpervaCamouflageDataMaskingsolutionwillreduceyourriskprofilebyreplacingsensitivedatawithrealisticfictionaldata.Thefictionaldatamaintainsreferentialintegrityandisstatisticallyaccurateenablingtesting,analysisandbusinessprocessestooperatenormally.Theprimaryuseofthismaskingisfordatainnon-productionsystems,includingtestanddevelopmentsystemsordatawarehousesandanalyticaldatastores.Anothersetofcandidatesfordatamaskingisbusinessenablersthatrequiredatatoleavethecountryorcompanycontrol,suchasoff-shoreteamsoroutsourcedsystems.TheImpervaCamouflageDataMaskingsolutionwillnotonlyprotectdatafromtheft,itwillhelpensurecompliancewithregulationsandinternationalpoliciesdictatingdataprivacyandtransport.
• Discoveranddocumentsensitivedataanddatarelationshipsacrosstheenterprise
• Reducethevolumeofsensitivedatainnon-productionsystems
• Facilitatedatatransportforoutsourcingorcompliancewithinternationalprivacyregulations
• Enableuseofproductiondataindevelopmentandtestingwithoutputtingsensitivedataatrisk
• Trackchangesandgeneratecompliancereportsateachdatarefresh
• Preventsensitivedatalossfromnon-productionsystems
DataMasking:AbaselinedatasecuritymeasureLikeothertraditionalsecuritytoolsdevelopedtoaddressaspecificchallenge,datamaskingisevolvingbeyondthetraditionalusecaseinapplicationdevelopmentandtestingtobecomeastrategicelementinanintegratedsecurityinfrastructure.TheGartnerMarketGuideforData-CentricAuditandProtectioncategorizesdatamaskingasakeydataprotectioncapabilitythatshouldbepartofanorganization’sdatasecuritygovernance“shortlist”.1Thereasonissimple:datamaskingpreventsaccesstosensitivedatawhileenablingtesting,analysis,andbusinessprocesses.
Whenevaluatingdatamasking,youwilllikelyinvestigatebothdynamicandstaticmasking.Staticdatamaskingisprimarilyusedonnon-productiondatabasesandispermanent;dynamicmaskingisusedonproductiondatabasesandistemporary.Whileeachmaskingservesapurpose,staticdatamaskingissignificantlyeasierandfastertodeployandmanagelong-term.Staticmaskinghasnoimpactontheproductionsystemperformance;thereisnoriskofcorruptingtheproduction
1GartnerReport:G00276042;MarketGuideforData-CentricAuditandProtection,December15,2015,
data.TheImpervaCamouflageDataMaskingsolutionisastaticdatamaskingtoolthatpermanentlyprotectsdataandreducesexposuretocompliancerequirements.
DataMaskingBestPractices
Designingasustainablestaticdatamaskingsolutionrequiresanunderstandingofthesourcedataandthedependenciesonthatdatasetacrosstheorganization.ThisunderstandingwilldrivethemaskingpoliciesandintegrationofmaskingintotheexistingITandbusinessprocesses.Theresultingframeworksupportsarepeatableprocessthatminimizesresourcerequirements,reducesriskandimprovescompliancewithregulatoryrequirements.
Discover:Retrieveandanalyzesensitivedata
ThegoaloftheDiscoverphaseistoidentifydatathatneedstobemaskedinordertoprovidesufficientprotectionwithoutcompromisingdatautility.ThisstageinvolvesdocumentationofrequirementsandeducationontheimplicationsofmaskingnecessaryforthecreationofconfigurationsduringthePolicystageoftheDataMaskingBestPractice.Automateddiscoveryofsensitivedataisakeyfactorinminimizingdeploymenttimesandlong-termsuccess.
AssessandClassify:Establishcontextforsensitivedata
TheAccessandClassifyphaseareintendedtoestablishcriteriathatwillaidindetermininghowtomaskthedata.IncludingthecodificationofthecontextualinformationdeterminedduringtheDiscoverphase,thesensitivityofvariousdata,itsintendeduse(s),thetransformationrequirementsandanyinter-databasedependencies.
SetPolicy:Createdatamaskingconfigurations
ThegoalofthePolicyphaseistocreatedatamaskingconfigurationsbaseduponcustomer-specificfunctionalmaskingrequirementsdefinedinpriorphases.Includingplansandrequirementsforintegratingdatamaskingconfigurationsintotheoveralldatarefreshprocessfornon-productionenvironments.Thisphasealsoprovidesanopportunitytodevelopdatamaskingschedulesandestablishappropriatechangemanagementprocesses.Datamaskingsoftwarethatiseasy-to-use,flexibleandscalableiscriticalforaccommodatingvaryingandoftencomplexrequirements.
Deploy:Integratedatamaskingintheexistingprocesses
TheDeployphaseisintendedtotransitiondatamaskingintotherefreshprocessfornon-productionenvironmentstakingtheoverallbusinessprocess(es)intoaccount.ThisphaseentailsexecutingconfigurationsconstructedduringthePolicyphase.Reportautomationandpre-andpost-runscriptsoptionssupportawiderangeofancillaryprocessesandrequirements.
ManageandReport:Adapttochangingrequirementsandprovidevisibility
TheManageandReportphaseiswherethe“fitandvalue”ofthesolutionwillbecomeclear.Thisphaseincludeschangemanagement,jobmaintenance,configurationupdatesandcompliancereportsaboutdatarelationships,maskingtechniques,andmaskeddatabasestructures.
DataMaskingSimplifiedSomedatamaskingvendorswillhaveyoubelieveittakesyearsandmillionsofdollarstoimplementadatamaskingsolution.Thispresumptionsimplyisnottrue.TheImpervaCamouflageDataMaskingsolutionimplementationscanberunninginweeksormonthsfromstarttofinish,evenforthelargestFortune500organizations.Thesolutionprovideseaseofuse,scalability,andend-to-endfunctionalitythatensurerapidadoptionandlong-termvalue.
Alldatamaskingfunctionsincludingdatadiscovery,datamasking,managementandreportingareperformedfromtheImpervaCamouflageWorkbenchuserinterface,resultinginashorterlearningcurve.Thisefficientcentralizedmanagementcontrastsstarklywithothersolutionsthatutilizedisparateuserinterfacesfordifferentfunctionality.
Intelligentlyidentify,classifyandanalyzesensitivedataanddatarelationships
Thechallengeofdatadiscoveryoftenliesinthecomplexmixoflegacy,homegrownandthird-partyapplicationsthatrunyourorganization.Sometimestheoriginaldevelopersoflegacyapplicationshavemovedon,andadequatedocumentationisnon-existent.Manytimescommercialsoftwareisaproprietary“blackbox".Regardlessofwhetheryouneedtosecurein-houseorcommercialoff-the-shelfapplications,ImpervaCamouflagemakesiteasytoidentifysensitivedata.Organizationsthatunderstandthenatureoftheirsensitivedataandthecontextinwhichitresidescanthentakemeasurestoputappropriatedataprivacyandsecuritycontrolsinplace.
Howdatadiscoveryworks
Intelligentdiscoveryalgorithmsandahigh-performancearchitectureallowImpervaCamouflagetoscanbillionsofdatapointsforsensitivedataanddatarelationshipsthroughoutanenterprise,greatlyreducingtheneedformanualeffortandenablingamoreagileandefficientprocess.UsingthepredefinedpatterntemplatesandanycustomerspecifiedcustomrulesImpervalocatesandidentifiesawiderangeofsensitivedata,including:
• Creditcardnumbers • Socialsecuritynumbers/NationalId
• Birthdates • Names
• Bankcardnumbers • Addresses
• Healthcarecodes • Phonenumbers
• Identificationnumbers • Financialfields(salary,hourlyrate)
ImpervaCamouflageusesheuristicsandstatisticalanalysistoidentifysensitivedatarelationships.Comparingtheresultswithhistoricalresultsstoredinthecentralizedrepositorytodetectandauditchangestothesensitivedatalandscape.Dataanalysistoolsandreportsprovideriskmanagersandthebusinessstakeholderswiththevisibilitytothoroughlyassesssensitivedatariskandderiveactionableinsightsforimprovingtheorganization’sdatasecurityposture.
Understandyoursensitivedatalandscape
Byautomatingtheidentificationofdatarelationships,themanualeffortrequiredissignificantlyreduced,enablingamoreagileandefficientsensitivedataanalysisprocess.Italsoyieldsdataprofilesthataresnapshotsofdatabaseinformationataparticularpointintime.AFunctionalMaskingDocumentmaybegenerateddirectlyfromthedataprofile.
ThecomprehensiveoverviewreportoftheDiscoveryRunprovidesaneasytounderstand,andactionabledashboard-stylereportwithgraphs,tables,andrecommendationsthatareidealforsharingwithbusinessstakeholders.
Efficientlysetpolicy,configuremaskingrulesanddatarelationships
UsingImpervaCamouflagetocreaterealisticandfullyfunctionaldatarequiredforuseinnonproductionenvironmentsreducestheoverallamountofdatasubjecttocompliancewithprivacylegislationandorganizationalpolicies.Italsoeliminatesthecorrespondingriskassociatedwithdatalossintheeventofabreach.
ThecentralizedWorkbenchconsoleutilizesanumberofpredefinedtemplates,datatransformers,andclick-to-configureoptionsthatstreamlineeveryaspectofadatamaskingproject,including:
• Datadiscovery • Projectexecution(real-timeorbatch)
• Projectdefinition • Pre-andpost-processscripts
• Databaseandflatfile/mainframeconnectivity • SubsettingandETLmasking
• TranslationMatrix(Inter-databasedependencymanagement) • Reporting
• Maskingtargets • Projectsecurity
• Datatransformation • Systemandprojectpreferences
Click-to-ConfigureMaskingCapabilitiesandFunctionality
Databasedrivenconfiguration-WhenconfiguringanImpervaCamouflageproject,thevaluesdefinedandselectedduringtheconfigurationprocessareretrieveddirectlyfromthedatabaseorflatfile.
RelationalIntegrity-Ifprimarykey/foreignkeyrelationshipsaredefinedatthedatabaselevel,ImpervaCamouflagecanautomaticallyupdateallforeignkeyswhenmaskingaprimarykeyfield.Whenkey/foreignkeyrelationshipsaredefinedattheapplicationlevel,therelatedfieldscanbeconfiguredwithinImpervaCamouflagetocorrectlyupdateassociatedkeyfieldstomaintainrelationalintegrity.TheDatabaseTranslationMatrixallowsuserstomaintainconsistentdatarelationshipsacrossdifferentapplicationsandacrosstime.
RealisticFictionalData-Bymaskingdatausedinproductiondatabases,ImpervaCamouflageallowsthecreationoffullyfunctionalandrealisticdata.Oncemasked,thedataretainsitsrealismwithoutdisclosingitsoriginalproperties.
KeyDataTransformers-Thedatatransformersprovidethedatamaskinglogic.Impervaincludesmultipletransformers,coveringamultitudeoftransformationneeds.
RobustScriptingCapability–Inadditiontotheout-of-the-boxtransformers,ImpervaCamouflageprovidestheabilitytotransformdatabywritingcustomscripts.Thecustomscriptsoperatealoneorinconjunctionwithoneofthepre-definedtransformers.ScriptsarewrittenusingtheGroovyscriptinglanguagethatallowsforsignificantflexibilityincreatingcustommaskingfunctions.
ExternalDataSources–Inadditiontothedefaultprojectconnection,otherdataconnectionscanbeconfiguredforuseinretrievingexternalupdatevalues.
EnhancedMasking–ImpervaCamouflageprovidessupportforadvancedandcomplexmaskingrequirementswithadvancedfiltereddatamasking(subsetting)anddatagrouping.
CentralizedManagementandReporting
ThecentralizedmanagementandreportingcapabilityofImpervaCamouflagereducesthetimerequiredtocreateandmanagedatamaskingprojects.Predefinedreporttemplatesautomatecompliancereportingrequirementsandprovidevisibilityintodatause,risk,andprotection.
CommandLineAPIforBatchProcessing–ImpervaCamouflageisenterprisefriendly,supportingcommandlineexecutionoftasksforintegrationwithautomatedITanddatabasescripts.Theintegrationofthemaskingprocesswiththeprocessfortherefreshmentofdatainthenon-productionsystemsensuresconsistentapplicationofcomplianceandsecuritypolicies.
ReusableProjectFiles-AllmaskingactionsarestoredinaImpervaCamouflageprojectfileforfutureuse,modification,andprocessing.ThisfileisXML-based,allowingforeasymigrationofprojectfilesbetweenoperatingsystems.
ConsistentMasking–ImpervaCamouflageprovidestheabilitytocreatemappingtablesthatstoretheoriginalkeyvaluesastheyexistedinthedatabasebeforemasking,alongwiththenewkeyvalues.Activationofthisfeatureiscompletelyoptional(i.e.Impervadoesnotrequirethesetablesinanyway)andthesetablescanalsobesecuredorremovedbyadatabaseadministratorasappropriate.
MultithreadedDatabaseUpdates-Atruntime,thedatabaserefreshcanbeupdatedusingaconfigurablenumberofthreadstooptimizeperformanceinagivenenvironment.
ProjectSecurity–ImpervaCamouflageprovidesalayeredsecuritymechanismforprotectingtheprojectfileaswellasthesixprimaryconfigurationsectionswithintheproject.Independentsecurityenablementofeachsectionandtheprojectprovideflexibilitytomatchyourinternalgovernancepolicies.
VisibilityandReporting–Pre-definedreportsinclude:BeforeandAfterReport,ProjectConfigurationReport,ImpactedObjectReport,HistoricalProjectRunReport.Automaticreportgenerationisapreferencesettingwithineachmaskingproject.Inadditiontothepredefinedreports,thereareanumberofinteractivetoolsandprogressmonitorsthatimprovetheoveralluserexperienceandtaskefficiency.
SummaryImpervaCamouflageDataMaskingreducestheamountofsensitivedatastoredwithinyourenvironmentwhilemaintainingtheintegrityandvalidityoftheinformationforuseinsupportingbusinessprocessesandtestenvironments.Thesmallersensitivedatafootprinttranslatesintohardsavingswhenyouconsiderthepotentialriskandsecurityrequirementsthatnon-maskeddatainthesesystemswouldpose.
ToLearnmorevisitImperva.comorcall+1(866)926-4678
© 2015, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula and Skyfence are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. Tech-Name-Date-rev#