SlideShare ist ein Scribd-Unternehmen logo

Keeping Private Data Private

Als PPTX, PDF herunterladen
Dobler Consulting
Dobler Consulting

The document discusses keeping private data private through various data security techniques. It focuses on data masking, which involves replacing sensitive data with realistic but non-sensitive substitutes. Various methods for data masking are described, including data substitution, truncation, randomization, and dynamic or real-time masking. The document emphasizes that data masking helps enable testing and analytics while protecting sensitive production data.

1 von 44
Keeping Private Data Private Avoiding your 15 Minutes on CNN Tony Cannizzo | PresidentSilos-Connect Technologies
Identity Management Authorization (Roles) Authentication (Users) Admin Control Separation of Duties (SoD) Configuration and Change Management Auditing / Monitoring Who is Accessing What, When, Where and How Identify Unusual User Behaviors Encryption Protect Stored Data (Backups, Drives) Protect Data in Transit (Network, Wireless) Data Masking Protect Test Data Protect Production Data Comprehensive Data Security
Data Masking in Production
80% of high-cost security incidents occur when data from inside the organization gets out Most data leakage occurs by accident or because of poor business processes Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network. Gartner:
They don’t talk about the 3-foot thick granite wallsor the 22-ton blast-proof doors They worry about who is watching the GOLD! When they talk about Fort Knox
Survival:Protect the Business Legal: Required by law Masking protects sensitive data while simultaneously enabling users to have the appropriate data access to complete business processes. Why Mask Data?
What Was the Original Purpose? To give Dev/Test teams realistic test data to work with, and not expose Production data. Concept came up in reaction to the limitations of other test data generation strategies: Cloned Production Databases Image Copies from Backup Selective Subset Random Test Data Generators Iterative Executions of Applications Keyed in from Scratch
Testing with Production Data BENEFITS DOWNSIDE ,[object Object]
Too Large for Multiple Copies
Test executions take longer to run
Confidential & Sensitive data values in a Non-secured environmentReadily available RI is already established Will eventually need to run volume test anyway “If it runs against production . . .. . . it will run against anything”(Right?)
How Real is THIS? You better not do surgery on ME! HA! My son is a SYSDBA.
Encryption Protects data at rest, or while in transit Data must be Decrypted to be used Does not prevent abuse at the final destination Can often be identified because it is encrypted Hackers will target encrypted or marked data as it says “I am valuable data” Masked Data Protects data in-motion and in-use Never gets un-masked If it can’t be seen, it can’t be abused Same as Encryption?
What Needs to be Masked: PCI DSS Payment Card Information Data Security Standard Cardholder Information Primary Account Number (PAN) Cardholder Name Service Code Expiration Date Authentication Data Full Magnetic Stripe Data CAV2/CVC2/CVV2/CID PIN/PIN Block No IP address/Mac address Application/Service User accounts/groups Ensure that each entity only has access to own cardholder data environment
Names Geo Subdivisions smaller than a State Street Address City County Precinct Zip Code Except the first 3 digits, if greater than 20,000 people If less than 20,000 people change first three digits to ‘000’ All elements of date (except Year) directly related to an individual Up to 89 years of age: Date of Birth Admission Date Discharge Date Date of Death Over 89 years of age: All elements of date INCLUDING Year indicative of such age Such dates and elements may be aggregated into a single category of “90&Older” What Needs to Be Masked: HIPAA ,[object Object]
Fax Numbers
Email addresses
Social Security Numbers (or other National or International Identifiers)
Medical Record Numbers
Health Plan Beneficiary Numbers
Account Numbers
Certificate/License Numbers
Vehicle Identification Numbers including Serial Numbers and License Plate Numbers
Device Identifiers and Serial Numbers
Web Universal Resource Locators (URL’s and IP Addresses)
Biometric Identifiers including Finger Prints and Voice Prints
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic or code,[object Object]
Oracle Data Masking Pack Clone Import Masking Build Mapping Table orig_value mask_value Disable Constraints Rename Table Recreate & Reload from renamed table and mapping table Enable Constraints Collect Statistics Drop Renamed Table and Mapping Table CloneClone Production Database to Staging Area Export/Import Export Masked Database Import Database into Test
Extract from Source Subset with Selection Criteria Optional but recommended Mask Extracted Data During Extract? During Load? Load to Target Test, QA, Etc. Load? Insert/Updates? ETL Solutions Prod Takes Longer to run Masks Loadable File Extract Loadable File Exposes Loadable File Easier to Refresh Ins/Upd Load Test Dev
Data substitution replacing a value in the column with fictionalized data Truncating, hiding or nullifying which replaces column values with NULL or ‘****” Randomization replacing the value with random data Skewing which alters the numeric data by a random variance Scrambling Smart Functions created in PL/SQL Character substring masking Shows a portion of the actual value and hides the rest Shuffling Uses values from other rows Algorithms for Masking Sensitive Data
Remember, this is Static Data Masking Values are physically stored in the tables/columns One size may not fit all Look Out For: Mutually-exclusive test cases Referential Integrity Data Distribution Cardinality Frequency/Duration of Extracts Frequency/Variety of Target Environments Be sure to delete all copies of Un-masked Extracts Key Considerations
Data Masking at the Presentation Layer ,[object Object]
SELECT TRUNCATE(ACCT_NUM)= XXXX-XXXXXX-X0212,[object Object]
Scenarios for Dynamic Data Masking
Selective Data Masking Application Support / Help Desk
Application Mis-Use Application User
QA Team Capturing Scripts
Privileged User Control
This User has SYSDBA
And so does this one… Mask ‘salary’ values in all tables Hide ‘job name’ in all tables Scramble ‘name’ in all tables 26
Quick Example of ourRules Editor Matches Any SQL Masking Actions How Did You Do That?
Dynamic Data Masking ApplicationWebDev. tools, SQL*plus, DBlinks etc., ActiveBase Security User rules apply ‘Rewrite’ or Block actions on incoming SQL requests Oracle Database Before After Example: Rewrite Rule replaced: select .., ‘****’,..from.. Rule Original SQL: select ..,name,..from.. Hiding Rules: Blocking Rules: Scrambling Rules: Masking Rules: Original SQL: Original SQL: Original SQL: Original SQL: Select name,..from.. Select name,..from.. Select name,..from.. Select name,..from.. After Rule: After Rule: After Rule: After Rule: Select scrmbl(name).. Select substr(name,1,2)||’***’ select ..,’’,..from.. Returned message: You are not allowed to access this personal information! Result: Result: Result: 28
User Profiles – NOT just based on DB Privilege level ,[object Object]

Empfohlen

Dynamic Data Masking - Breakthrough Innovation in Application Security
Dynamic Data Masking - Breakthrough Innovation in Application SecurityDynamic Data Masking - Breakthrough Innovation in Application Security
Dynamic Data Masking - Breakthrough Innovation in Application SecurityDobler Consulting
 
Data masking a developer's guide
Data masking a developer's guideData masking a developer's guide
Data masking a developer's guideSriramachandra Murthy
 
Policy based access control
Policy based access controlPolicy based access control
Policy based access controlElimity
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control DBmaestro - Database DevOps
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage PreventionMicrosoft TechNet - Belgium and Luxembourg
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Data centric security key to cloud and digital business
Data centric security key to cloud and digital businessData centric security key to cloud and digital business
Data centric security key to cloud and digital businessUlf Mattsson
 
Oracle-Security_Executive-Presentation
Oracle-Security_Executive-PresentationOracle-Security_Executive-Presentation
Oracle-Security_Executive-Presentationstefanjung
 

Empfohlen

Dynamic Data Masking - Breakthrough Innovation in Application Security
Dynamic Data Masking - Breakthrough Innovation in Application SecurityDynamic Data Masking - Breakthrough Innovation in Application Security
Dynamic Data Masking - Breakthrough Innovation in Application SecurityDobler Consulting
 
Data masking a developer's guide
Data masking a developer's guideData masking a developer's guide
Data masking a developer's guideSriramachandra Murthy
 
Policy based access control
Policy based access controlPolicy based access control
Policy based access controlElimity
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control DBmaestro - Database DevOps
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage PreventionMicrosoft TechNet - Belgium and Luxembourg
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Data centric security key to cloud and digital business
Data centric security key to cloud and digital businessData centric security key to cloud and digital business
Data centric security key to cloud and digital businessUlf Mattsson
 
Oracle-Security_Executive-Presentation
Oracle-Security_Executive-PresentationOracle-Security_Executive-Presentation
Oracle-Security_Executive-Presentationstefanjung
 
Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodInternational Journal of Engineering Inventions www.ijeijournal.com
 
20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet SiteNicola_Milone
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and securityNeeharika Nidadavolu
 
Slate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management SystemSlate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management SystemGreyB
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Oracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guideOracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guidebupbechanhgmail
 
Identity Management
Identity ManagementIdentity Management
Identity ManagementVenkatesh Jambulingam
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ definedEnterprise Technology Management (ETM)
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsAlain Huet
 
Privacy and Auditing in Clouds
Privacy and Auditing in CloudsPrivacy and Auditing in Clouds
Privacy and Auditing in CloudsTyrone Grandison
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Data masking insights and actions
Data masking insights and actionsData masking insights and actions
Data masking insights and actionsRed Gate Software
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Microsoft Norge AS
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Data Driven Security in SSAS
Data Driven Security in SSASData Driven Security in SSAS
Data Driven Security in SSASMike Duffy
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Michael Boman
 
Dynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance DegradationsDynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance DegradationsDobler Consulting
 

Weitere ähnliche Inhalte

Was ist angesagt?

20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet SiteNicola_Milone
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Slate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management SystemSlate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management SystemGreyB
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Oracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guideOracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guidebupbechanhgmail
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsAlain Huet
 
Privacy and Auditing in Clouds
Privacy and Auditing in CloudsPrivacy and Auditing in Clouds
Privacy and Auditing in CloudsTyrone Grandison
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Data masking insights and actions
Data masking insights and actionsData masking insights and actions
Data masking insights and actionsRed Gate Software
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Microsoft Norge AS
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Data Driven Security in SSAS
Data Driven Security in SSASData Driven Security in SSAS
Data Driven Security in SSASMike Duffy
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 

Was ist angesagt? (20)

Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access method
 
20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet Site
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and security
 
Slate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management SystemSlate: A Centralized Clearance Search Management System
Slate: A Centralized Clearance Search Management System
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safe
 
Oracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guideOracle database 12c 2 day + security guide
Oracle database 12c 2 day + security guide
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ defined
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis Abstract
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling concepts
 
Privacy and Auditing in Clouds
Privacy and Auditing in CloudsPrivacy and Auditing in Clouds
Privacy and Auditing in Clouds
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014
 
Data masking insights and actions
Data masking insights and actionsData masking insights and actions
Data masking insights and actions
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-db
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
Data Driven Security in SSAS
Data Driven Security in SSASData Driven Security in SSAS
Data Driven Security in SSAS
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
 

Andere mochten auch

Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Michael Boman
 
Dynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance DegradationsDynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance DegradationsDobler Consulting
 
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2Dobler Consulting
 
Sybase to oracle_conversion
Sybase to oracle_conversionSybase to oracle_conversion
Sybase to oracle_conversionSam Varadarajan
 
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1Dobler Consulting
 

Andere mochten auch (8)

Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08
 
Dynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance DegradationsDynamic Database Solutions - Mitigating Performance Degradations
Dynamic Database Solutions - Mitigating Performance Degradations
 
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 2
 
Sybase to oracle_conversion
Sybase to oracle_conversionSybase to oracle_conversion
Sybase to oracle_conversion
 
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1
A Practitioner's Guide to Successfully Migrate from Oracle to Sybase ASE Part 1
 
Sybase To Oracle Migration for Developers
Sybase To Oracle Migration for DevelopersSybase To Oracle Migration for Developers
Sybase To Oracle Migration for Developers
 
JMeter Intro
JMeter IntroJMeter Intro
JMeter Intro
 
Sybase To Oracle Migration for DBAs
Sybase To Oracle Migration for DBAsSybase To Oracle Migration for DBAs
Sybase To Oracle Migration for DBAs
 

Ähnlich wie Keeping Private Data Private

Optim test data management for IMS 2011
Optim test data management for IMS 2011Optim test data management for IMS 2011
Optim test data management for IMS 2011evgeni77
 
Security Quick Tour
Security Quick TourSecurity Quick Tour
Security Quick TourActive Base
 
Ibm Optim Techical Overview 01282009
Ibm Optim Techical Overview 01282009Ibm Optim Techical Overview 01282009
Ibm Optim Techical Overview 01282009lucascibm
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonUlf Mattsson
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionUlf Mattsson
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerablePrecisely
 
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery ToolsAntonio Rolle
 
Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016George Walters
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxGenericName6
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft CloudEuropean Collaboration Summit
 
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009Ulf Mattsson
 
Microsoft Azure Rights Management
Microsoft Azure Rights ManagementMicrosoft Azure Rights Management
Microsoft Azure Rights ManagementDavid J Rosenthal
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesCamilo Fandiño Gómez
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the CloudGWAVA
 
Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015Robert Crane
 
Practical advice for cloud data protection ulf mattsson - bright talk webin...
Practical advice for cloud data protection ulf mattsson - bright talk webin...Practical advice for cloud data protection ulf mattsson - bright talk webin...
Practical advice for cloud data protection ulf mattsson - bright talk webin...Ulf Mattsson
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep DiveConrad23
 
Organizational compliance and security SQL 2012-2019 by George Walters
Organizational compliance and security SQL 2012-2019 by George WaltersOrganizational compliance and security SQL 2012-2019 by George Walters
Organizational compliance and security SQL 2012-2019 by George WaltersGeorge Walters
 

Ähnlich wie Keeping Private Data Private (20)

Optim test data management for IMS 2011
Optim test data management for IMS 2011Optim test data management for IMS 2011
Optim test data management for IMS 2011
 
Security Quick Tour
Security Quick TourSecurity Quick Tour
Security Quick Tour
 
Ibm Optim Techical Overview 01282009
Ibm Optim Techical Overview 01282009Ibm Optim Techical Overview 01282009
Ibm Optim Techical Overview 01282009
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
 
Top Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i VulnerableTop Ten Settings that Leave your IBM i Vulnerable
Top Ten Settings that Leave your IBM i Vulnerable
 
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
 
Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
 
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
 
Microsoft Azure Rights Management
Microsoft Azure Rights ManagementMicrosoft Azure Rights Management
Microsoft Azure Rights Management
 
Guardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level ExecutivesGuardium Data Activiy Monitor For C- Level Executives
Guardium Data Activiy Monitor For C- Level Executives
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Protect your data in / with the Cloud
Protect your data in / with the CloudProtect your data in / with the Cloud
Protect your data in / with the Cloud
 
Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015Office 365 Security, Privacy and Compliance - SMB Nation 2015
Office 365 Security, Privacy and Compliance - SMB Nation 2015
 
Practical advice for cloud data protection ulf mattsson - bright talk webin...
Practical advice for cloud data protection ulf mattsson - bright talk webin...Practical advice for cloud data protection ulf mattsson - bright talk webin...
Practical advice for cloud data protection ulf mattsson - bright talk webin...
 
Platform Deep Dive
Platform Deep DivePlatform Deep Dive
Platform Deep Dive
 
Organizational compliance and security SQL 2012-2019 by George Walters
Organizational compliance and security SQL 2012-2019 by George WaltersOrganizational compliance and security SQL 2012-2019 by George Walters
Organizational compliance and security SQL 2012-2019 by George Walters
 

Keeping Private Data Private

  • 1. Keeping Private Data Private Avoiding your 15 Minutes on CNN Tony Cannizzo | PresidentSilos-Connect Technologies
  • 2. Identity Management Authorization (Roles) Authentication (Users) Admin Control Separation of Duties (SoD) Configuration and Change Management Auditing / Monitoring Who is Accessing What, When, Where and How Identify Unusual User Behaviors Encryption Protect Stored Data (Backups, Drives) Protect Data in Transit (Network, Wireless) Data Masking Protect Test Data Protect Production Data Comprehensive Data Security
  • 3. Data Masking in Production
  • 4. 80% of high-cost security incidents occur when data from inside the organization gets out Most data leakage occurs by accident or because of poor business processes Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network. Gartner:
  • 5. They don’t talk about the 3-foot thick granite wallsor the 22-ton blast-proof doors They worry about who is watching the GOLD! When they talk about Fort Knox
  • 6. Survival:Protect the Business Legal: Required by law Masking protects sensitive data while simultaneously enabling users to have the appropriate data access to complete business processes. Why Mask Data?
  • 7. What Was the Original Purpose? To give Dev/Test teams realistic test data to work with, and not expose Production data. Concept came up in reaction to the limitations of other test data generation strategies: Cloned Production Databases Image Copies from Backup Selective Subset Random Test Data Generators Iterative Executions of Applications Keyed in from Scratch
  • 8.
  • 9. Too Large for Multiple Copies
  • 10. Test executions take longer to run
  • 11. Confidential & Sensitive data values in a Non-secured environmentReadily available RI is already established Will eventually need to run volume test anyway “If it runs against production . . .. . . it will run against anything”(Right?)
  • 12. How Real is THIS? You better not do surgery on ME! HA! My son is a SYSDBA.
  • 13. Encryption Protects data at rest, or while in transit Data must be Decrypted to be used Does not prevent abuse at the final destination Can often be identified because it is encrypted Hackers will target encrypted or marked data as it says “I am valuable data” Masked Data Protects data in-motion and in-use Never gets un-masked If it can’t be seen, it can’t be abused Same as Encryption?
  • 14. What Needs to be Masked: PCI DSS Payment Card Information Data Security Standard Cardholder Information Primary Account Number (PAN) Cardholder Name Service Code Expiration Date Authentication Data Full Magnetic Stripe Data CAV2/CVC2/CVV2/CID PIN/PIN Block No IP address/Mac address Application/Service User accounts/groups Ensure that each entity only has access to own cardholder data environment
  • 15.
  • 18. Social Security Numbers (or other National or International Identifiers)
  • 23. Vehicle Identification Numbers including Serial Numbers and License Plate Numbers
  • 24. Device Identifiers and Serial Numbers
  • 25. Web Universal Resource Locators (URL’s and IP Addresses)
  • 26. Biometric Identifiers including Finger Prints and Voice Prints
  • 27. Full-face photographic images and any comparable images
  • 28.
  • 29. Oracle Data Masking Pack Clone Import Masking Build Mapping Table orig_value mask_value Disable Constraints Rename Table Recreate & Reload from renamed table and mapping table Enable Constraints Collect Statistics Drop Renamed Table and Mapping Table CloneClone Production Database to Staging Area Export/Import Export Masked Database Import Database into Test
  • 30. Extract from Source Subset with Selection Criteria Optional but recommended Mask Extracted Data During Extract? During Load? Load to Target Test, QA, Etc. Load? Insert/Updates? ETL Solutions Prod Takes Longer to run Masks Loadable File Extract Loadable File Exposes Loadable File Easier to Refresh Ins/Upd Load Test Dev
  • 31. Data substitution replacing a value in the column with fictionalized data Truncating, hiding or nullifying which replaces column values with NULL or ‘****” Randomization replacing the value with random data Skewing which alters the numeric data by a random variance Scrambling Smart Functions created in PL/SQL Character substring masking Shows a portion of the actual value and hides the rest Shuffling Uses values from other rows Algorithms for Masking Sensitive Data
  • 32. Remember, this is Static Data Masking Values are physically stored in the tables/columns One size may not fit all Look Out For: Mutually-exclusive test cases Referential Integrity Data Distribution Cardinality Frequency/Duration of Extracts Frequency/Variety of Target Environments Be sure to delete all copies of Un-masked Extracts Key Considerations
  • 33.
  • 34.
  • 35. Scenarios for Dynamic Data Masking
  • 36. Selective Data Masking Application Support / Help Desk
  • 38. QA Team Capturing Scripts
  • 40. This User has SYSDBA
  • 41. And so does this one… Mask ‘salary’ values in all tables Hide ‘job name’ in all tables Scramble ‘name’ in all tables 26
  • 42. Quick Example of ourRules Editor Matches Any SQL Masking Actions How Did You Do That?
  • 43. Dynamic Data Masking ApplicationWebDev. tools, SQL*plus, DBlinks etc., ActiveBase Security User rules apply ‘Rewrite’ or Block actions on incoming SQL requests Oracle Database Before After Example: Rewrite Rule replaced: select .., ‘****’,..from.. Rule Original SQL: select ..,name,..from.. Hiding Rules: Blocking Rules: Scrambling Rules: Masking Rules: Original SQL: Original SQL: Original SQL: Original SQL: Select name,..from.. Select name,..from.. Select name,..from.. Select name,..from.. After Rule: After Rule: After Rule: After Rule: Select scrmbl(name).. Select substr(name,1,2)||’***’ select ..,’’,..from.. Returned message: You are not allowed to access this personal information! Result: Result: Result: 28
  • 44.
  • 47. End-uservs IT StaffOther Actions: Block the request Send alertto business and/or notification to user Quarantine - block sessions and new connections from the same machine or user for ‘X’ minutes Apply delays between each subsequent request Killsession(s) Log audit trail of activity More than Just Masking Data
  • 48.
  • 49. Block specific DB activities from either authorized or unauthorized users: locks, drop table, drop synonym, drop grant
  • 50. Selectively preventing DML, DCL, DDL commands from unauthorized users
  • 51. Automatically redirect requests to the REPORT DB when request includes certain conditionsEnforce Dev Tool Usage Policies
  • 52. User ActiveBase Modules Overview Application ActiveBase in-line Proxy modules: Security Module Performance Module Masks personal informationfor outsourced support and IT Applies SQL Hints / Rewritefor improving performance Blocks offensive Requests /SQL injection / CPU risks Redirects report /ad-hocto replication / history DB Scrambles / Encrypts confidential & personal fields Blocks / defers ‘request-from-hell’for safe guarding production Tuning Robot Prioritization module(DB server) OracleDatabaseServer Allocates Database Server resourcesto processes according totransaction importance Manual Operator Automatic - Rules 31
  • 54. THANK YOU! Tony Cannizzo | President Silos-Connect Technologies tony@silos-connect.com 404 580 3451 Soon to be: Dynamic Database Solutions Questions, Comments, Jokes? DynamicDB
  • 55. Oracle Data Masking Optional Backup Slides
  • 56. Copy production data to other environments Dev Test Staging Irreversible process Replaces sensitive data with realistic-looking But scrubbed data based on masking rules The original data cannot be retrieved, recovered or restored. OEM 10g Data Masking Pack
  • 57. Format Library for Out-of-the-Box formats Credit Card Numbers Phone Numbers National Identifiers SSN (US) National Ins Number (UK) Mask Formats built on Mask Primitives Random Numbers Random Digits Random Dates Constants Masking Functions Shuffle: column values used in different rows Useful when the range of values in a column is not known User-defined Formats Defined using PL/SQL Example – complexly formulated account numbers can be generated using fictitious values but providing functionality for the application Deterministic Masks For maintaining RI when masking across application environments Consistent mask in CRM/ERP and DW Centralized Mask Formats
  • 58. A Built-in Search Function on Data Dictionary Helps identify all tables and columns containing SPI Maps to appropriate mask formats Related Application Column Capability Automatically identifies RI based on Foreign Keys that are maintained in the Data Dictionary Application-defined relationships that are not maintained in the Data Dictionary can be added Portable Masking Definition
  • 59. Assign multiple mask formats to a column dependent on specific conditions Example: Multi-national HR System and National Identifiers depending on Country of employee: If employee is US, use SSN mask If employee is UK, use National Insurance mask If employee is Canadian, use Social Insurance mask Condition-based Masking
  • 60. For multiple related columns within a row Example: Must have a valid address City for State Zip for City Compound Masking
  • 61. XML File containing all masking definitions Created via the Export Masking Definition capability Can be loaded into other databases Can be used to restore the original masking definitions if a mask definition is improperly altered Application Masking Template
  • 62.
  • 63. ODMP integrates with OEM Database Cloning Separate from the Standalone Process Can Add Data Masking to the Clone Process Point the PRD Database to a Staging Environment Specify the Masking Definitions to be run AFTER Cloning Cloned Database is brought up in RESTRICTED mode to prevent non-administrative access to the database Executes the Masking Script Then opens the database for unrestricted use ONLY UPON VERIFYING THAT THE MASKING PROCESS HAS COMPLETED SUCCESSFULLY. Secure Clone-and-Mask Workflow
  • 64.