Best Practices inApplication Data Masking

Paul Capobianco Sales Engineering

2

Introduction to Applimation

Data growth management software company

Focus on enterprise applications

Unified, integrated product suite

Founded in 1998 150 + customers using

Informia Solutions

3

Premier Informia Customers

City of Chicago

4

Presentation Agenda

• Overview of data privacy

– Definitions

– Terminology

• Use cases/business drivers for data masking

– Production/non-production?

– Motivations

• Informia Secure overview

– Functionality

– Features

5

What is Data Privacy?

Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.

6

Sensitive Information – Definition

• Non-public private information (NPPI) – details about an individual

• Information protected by government regulations

• Information protected by industry regulations

• Intellectual property

• Anything classified as confidential or private

Open to common sense interpretation

7

Why the focus on data privacy?

• Data Breaches (becoming tomorrow’s Front page news)– Legal consequences

– Loss of trust (customers, vendors, partners, etc.)

– Negative publicity

– Damage to reputation

– COST

• Government Regulations– Federal Information Security Management Act of 2002

– Gramm-Leach-Bliley Act

– Personal Data Protection Directive (EU)

– HIPAA

– Data Protection Act (UK)

8

Privacy Laws – All Different

United States Privacy Rules

Designed to embarrass organizations that properly secure sensitive information i.e. (bank acct info or employee payroll records)

European Privacy Rules

Must adhere and confirm to European Union privacy mandates.

9

Why the focus on data privacy?

• THE COST!

Penalties for data breaches include:

– Fines

– Brand Damage

– Expenses associated with notifying affected individuals

• (ESG estimates between $25-$150 per notification)

In Europe and other countries non compliance leads to:

• Executive Dismissal

• Government Sanctions

10

Privacy Regulations – More Detail

Regulation Example Text

HIPAA

“Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information.”

Gramm-Leach Bliley Act

“The law requires that financial institutions protect information collected about individuals”

Data Protection Act (UK)

“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

PCI

“…keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.”

11

Industry Regulations

• Payment Card Industry Standard– Comprised of Visa, MasterCard, Discover, American Express and JCB

– Intended to improve the overall level of security for payments globally

– Vendor incentives to comply with PCI include brand protection and financial, legal, and regulatory risk reduction

Being updated again – now expiration date must be hidden

• HIPAA Security Rule– Applies to insurance companies, providers (hospitals)

– Audits starting to reveal gaps

12

Inconsistent Data Breach Laws in the U.S.

Data Breach Law Breakdown by each state

(as of February 2007)

• 34 states with breach laws– Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii,

Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin

• 8 states considering passing breach legislation– Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, Virginia, West

Virginia

• 8 states with no imminent plans for breach laws – Alabama, Alaska, Iowa, Kentucky, Mississippi, New Mexico, South Dakota, Wyoming

13

The Federalization of Privacy Regs in the U.S.

• 2 key bills passed out of the House of Representatives (H.R.) – Both were cleared from the books at the conclusion of the 109th U.S. Congress– No comparable bills have been proposed by the 110th U.S. Congress to date

• H.R.4127 - Data Accountability and Trust Act– Requires the Federal Trade Commission to establish rules for the security of

personal information– Provides dual enforcement by state and federal authorities

• H.R.3997 – Financial Data Protection Act– Customer notification is only required if breached information is ‘reasonably

likely to be misused’– Provides security freezes to victims of ID theft only– Preempts state laws in order to protect the confidentiality of information– Enforcement by federal authorities only

14

U.S. Data Breaches

• There have been over 100 million data breaches since ChoicePoint (Feb 2005)

• Plague all verticals, but most common in:– Education: University of Notre Dame (1/8/07)

– Gov’t: Wisconsin Department of Revenue (12/29/06)

– Finance/banking: Moneygram (1/12/07)

• Mostly malicious actions

– Hacking or stealing systems with information

15

Confidential Data Stats

24%

17%

21%

26%

4%

8%

0%

5%

10%

15%

20%

25%

30%

1% to 10% ofour data isconfidential

11% to 25% ofour data isconfidential

26% to 50% ofour data isconfidential

51% to 75% ofour data isconfidential

More than 75%of our data isconfidential

Don't know

How much of your data is confidential?

SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.

16

Confidential Data Stats

How much of your database data is confidential?

31%

40%

54%

20%

30%

50%

0

10

20

30

40

50

60

Database Electronic documents E-mail and attachments Other data (e.g. Webpages, multimedia files,

etc.)

Mean Median

SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.

17

Security Threats – From Where?

External Security Threats

– IT has spent MOST money on external security

– Firewalls

– Password protection

– System Auditing on connections

– Computer room access

– Tracking cards for building access

18

Security Threats – From Where?

Internal Security ThreatsThis is where a majority of breaches now taking place

– Who has access to primary database applications?

– Who has access to test and development databases

– Is there sensitive / confidential information in these primary / test databases?

• What measures are you taking to protect against internal security and privacy threats?

19

Rationalizing an investment

$ Insert your favorite data breach here (TJX, Fidelity, HP)

$ Over 10 information security and privacy Bills are currently being debated in U.S. Congress

Basically it will be mandated eventually

$ Only 34% of organizations have deployed database encryption solutions

20

Subsetting / Masking / Scrambling / Encryption

How is this accomplished today on Oracle Apps, PeopleSoft and Siebel?

1. DBA’s run their own scripts

- Requires up-to-date understanding of application

- Requires maintenance after upgrades and family packs

- What about cross-module data sharing ? Is this covered?

- Things change

- Are you sure?

- Will you bet your CIO’s career on it?

2. Consulting companies create custom scripts

- Costly, require maintenance and same issues as above

3. Most do Nothing – clones and test/dev copies have it all!

21

Subsetting / Masking / Scrambling / Encryption

There are 2 processes used today to help manage the size and security to mitigate the security risk.

1. Subsetting- Creates a smaller or partial copy of Prod database for test

- Smaller copy ensures less sensitive data

- Saves on subsequest copies – saves on disk

- Developers still have some valid data however

2. Data Masking- Smaller Production data becomes anonymous data

- Still ensures referential integrity at EVERY data level

- Variety of masking methods should be available

- Solution should be application-aware (O-Apps & PSoft)

- Also automated, flexible and supported

Informia Secure – Product OverviewWhat can companies do?

23

Informia Secure - Introduction

Secure enables data privacy by providing robust data masking functionality.

What is Data Masking?

Protecting sensitive information by hiding or altering data so that an original value is unknowable.Also known as:

– De-identifying

– Protecting

– Camouflaging

– Data masking

– Data scrubbing

24

Why is data privacy required?

• Production environment Security model to control access

• Non-production environment Security is opened up to enable development and testing

Non-production business drivers

– Development

– Testing

– Support

– Outsourcing

25

Substitute – Prepackaged Data Sets

The ability to replace existing values with new values that follow the format of the originalMale and Female Names

Last names

Male and female titles/suffixes

Credit card numbers – Visa, MasterCard, Amex

Country, state, county, town names

Zip codes

Phone numbers

Email addresses

26

Substitute Method - Example

Emp ID Name City ST Zip

0964 John Smith Plano TX 75025

9388 Mark Jones Modesto CA 95356

2586 Rob Davis Hartford CT 06111

7310 Jeff Richards Tampa FL 33617

Emp ID Name City ST Zip

0964 Joe Marks Topeka KS 66618

9388 Gary Franks Billings MT 59102

2586 David Sanger Tucson AZ 85704

7310 Dan Lister Detroit MI 48216

27

Data Masking Concepts

Relational integrity

Policy simulation

Auditability

Format validation

Data consistency

28

Questions……