Date post: | 24-Dec-2015 |
Category: |
Documents |
Upload: | alice-price |
View: | 219 times |
Download: | 1 times |
2
Introduction to Applimation
Data growth management software company
Focus on enterprise applications
Unified, integrated product suite
Founded in 1998 150 + customers using
Informia Solutions
4
Presentation Agenda
• Overview of data privacy
– Definitions
– Terminology
• Use cases/business drivers for data masking
– Production/non-production?
– Motivations
• Informia Secure overview
– Functionality
– Features
5
What is Data Privacy?
Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.
6
Sensitive Information – Definition
• Non-public private information (NPPI) – details about an individual
• Information protected by government regulations
• Information protected by industry regulations
• Intellectual property
• Anything classified as confidential or private
Open to common sense interpretation
7
Why the focus on data privacy?
• Data Breaches (becoming tomorrow’s Front page news)– Legal consequences
– Loss of trust (customers, vendors, partners, etc.)
– Negative publicity
– Damage to reputation
– COST
• Government Regulations– Federal Information Security Management Act of 2002
– Gramm-Leach-Bliley Act
– Personal Data Protection Directive (EU)
– HIPAA
– Data Protection Act (UK)
8
Privacy Laws – All Different
United States Privacy Rules
Designed to embarrass organizations that properly secure sensitive information i.e. (bank acct info or employee payroll records)
European Privacy Rules
Must adhere and confirm to European Union privacy mandates.
9
Why the focus on data privacy?
• THE COST!
Penalties for data breaches include:
– Fines
– Brand Damage
– Expenses associated with notifying affected individuals
• (ESG estimates between $25-$150 per notification)
In Europe and other countries non compliance leads to:
• Executive Dismissal
• Government Sanctions
10
Privacy Regulations – More Detail
Regulation Example Text
HIPAA
“Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information.”
Gramm-Leach Bliley Act
“The law requires that financial institutions protect information collected about individuals”
Data Protection Act (UK)
“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
PCI
“…keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.”
11
Industry Regulations
• Payment Card Industry Standard– Comprised of Visa, MasterCard, Discover, American Express and JCB
– Intended to improve the overall level of security for payments globally
– Vendor incentives to comply with PCI include brand protection and financial, legal, and regulatory risk reduction
Being updated again – now expiration date must be hidden
• HIPAA Security Rule– Applies to insurance companies, providers (hospitals)
– Audits starting to reveal gaps
12
Inconsistent Data Breach Laws in the U.S.
Data Breach Law Breakdown by each state
(as of February 2007)
• 34 states with breach laws– Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii,
Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin
• 8 states considering passing breach legislation– Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, Virginia, West
Virginia
• 8 states with no imminent plans for breach laws – Alabama, Alaska, Iowa, Kentucky, Mississippi, New Mexico, South Dakota, Wyoming
13
The Federalization of Privacy Regs in the U.S.
• 2 key bills passed out of the House of Representatives (H.R.) – Both were cleared from the books at the conclusion of the 109th U.S. Congress– No comparable bills have been proposed by the 110th U.S. Congress to date
• H.R.4127 - Data Accountability and Trust Act– Requires the Federal Trade Commission to establish rules for the security of
personal information– Provides dual enforcement by state and federal authorities
• H.R.3997 – Financial Data Protection Act– Customer notification is only required if breached information is ‘reasonably
likely to be misused’– Provides security freezes to victims of ID theft only– Preempts state laws in order to protect the confidentiality of information– Enforcement by federal authorities only
14
U.S. Data Breaches
• There have been over 100 million data breaches since ChoicePoint (Feb 2005)
• Plague all verticals, but most common in:– Education: University of Notre Dame (1/8/07)
– Gov’t: Wisconsin Department of Revenue (12/29/06)
– Finance/banking: Moneygram (1/12/07)
• Mostly malicious actions
– Hacking or stealing systems with information
15
Confidential Data Stats
24%
17%
21%
26%
4%
8%
0%
5%
10%
15%
20%
25%
30%
1% to 10% ofour data isconfidential
11% to 25% ofour data isconfidential
26% to 50% ofour data isconfidential
51% to 75% ofour data isconfidential
More than 75%of our data isconfidential
Don't know
How much of your data is confidential?
SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.
16
Confidential Data Stats
How much of your database data is confidential?
31%
40%
54%
20%
30%
50%
0
10
20
30
40
50
60
Database Electronic documents E-mail and attachments Other data (e.g. Webpages, multimedia files,
etc.)
Mean Median
SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.
17
Security Threats – From Where?
External Security Threats
– IT has spent MOST money on external security
– Firewalls
– Password protection
– System Auditing on connections
– Computer room access
– Tracking cards for building access
18
Security Threats – From Where?
Internal Security ThreatsThis is where a majority of breaches now taking place
– Who has access to primary database applications?
– Who has access to test and development databases
– Is there sensitive / confidential information in these primary / test databases?
• What measures are you taking to protect against internal security and privacy threats?
19
Rationalizing an investment
$ Insert your favorite data breach here (TJX, Fidelity, HP)
$ Over 10 information security and privacy Bills are currently being debated in U.S. Congress
Basically it will be mandated eventually
$ Only 34% of organizations have deployed database encryption solutions
20
Subsetting / Masking / Scrambling / Encryption
How is this accomplished today on Oracle Apps, PeopleSoft and Siebel?
1. DBA’s run their own scripts
- Requires up-to-date understanding of application
- Requires maintenance after upgrades and family packs
- What about cross-module data sharing ? Is this covered?
- Things change
- Are you sure?
- Will you bet your CIO’s career on it?
2. Consulting companies create custom scripts
- Costly, require maintenance and same issues as above
3. Most do Nothing – clones and test/dev copies have it all!
21
Subsetting / Masking / Scrambling / Encryption
There are 2 processes used today to help manage the size and security to mitigate the security risk.
1. Subsetting- Creates a smaller or partial copy of Prod database for test
- Smaller copy ensures less sensitive data
- Saves on subsequest copies – saves on disk
- Developers still have some valid data however
2. Data Masking- Smaller Production data becomes anonymous data
- Still ensures referential integrity at EVERY data level
- Variety of masking methods should be available
- Solution should be application-aware (O-Apps & PSoft)
- Also automated, flexible and supported
23
Informia Secure - Introduction
Secure enables data privacy by providing robust data masking functionality.
What is Data Masking?
Protecting sensitive information by hiding or altering data so that an original value is unknowable.Also known as:
– De-identifying
– Protecting
– Camouflaging
– Data masking
– Data scrubbing
24
Why is data privacy required?
• Production environment Security model to control access
• Non-production environment Security is opened up to enable development and testing
Non-production business drivers
– Development
– Testing
– Support
– Outsourcing
25
Substitute – Prepackaged Data Sets
The ability to replace existing values with new values that follow the format of the originalMale and Female Names
Last names
Male and female titles/suffixes
Credit card numbers – Visa, MasterCard, Amex
Country, state, county, town names
Zip codes
Phone numbers
Email addresses
26
Substitute Method - Example
Emp ID Name City ST Zip
0964 John Smith Plano TX 75025
9388 Mark Jones Modesto CA 95356
2586 Rob Davis Hartford CT 06111
7310 Jeff Richards Tampa FL 33617
Emp ID Name City ST Zip
0964 Joe Marks Topeka KS 66618
9388 Gary Franks Billings MT 59102
2586 David Sanger Tucson AZ 85704
7310 Dan Lister Detroit MI 48216
27
Data Masking Concepts
Relational integrity
Policy simulation
Auditability
Format validation
Data consistency