Tech-Security Conference Chicago, IL
January 19, 2012
Security, Privacy, Compliance
Premium IT Services Boutique
Ensuring better governance, easing compliance and improving security.
Information Security and Compliance
Data Warehousing and Business Intelligence
Expert IT staffing for BI, DW and data security
Information Management Specialists
Exponential Data Growth
"The toxic terabyte: How data-dumping threatens business efficiency." (Global Technical Services
Recent Data Leaks
Sony Disaster
Emerging “Enterprise” Technologies
Known “benefits”:
• Instant distribution
• Destination unknown
• Global coverage
2011 Data Breach Investigations Report (securityblog.verizonbusiness.com)
Headline figures from the report: 92%, 76%, 50%
Who is behind data breaches?
92% stemmed from external agents (+22%)
17% implicated insiders (-31%)
<1% resulted from business partners (-10%)
9% involved multiple parties (-18%)
How do breaches occur?
50% utilized some form of hacking (+22%)
49% incorporated malware (+10%)
29% involved physical attacks (+14%)
17% resulted from privilege misuse (-31%)
11% employed social tactics (-17%)
What commonalities exist?
83% of victims were targets of opportunity (<>)
92% of attacks were not highly difficult (+7%)
76% of all data was compromised from servers (-22%)
86% were discovered by a third party (+25%)
96% of breaches were avoidable through simple or intermediate controls (<>)
89% of victims subject to PCI-DSS had not
How Much Does Personal Information Cost?
• Address - $0.50
• Past Address - $9.95
• Marriage/Divorce - $7.95
• Education Background - $12.00
• Employment History - $13.00
• Phone Number - $0.25
• Unpublished Phone Number - $17.50
• Cell Phone Number - $10.00
• Social Security Number - $8.00
Source: http://www.turbulence.org
Your information is being sold by data brokers to companies and agencies every day.
• Credit History - $9.00
• Bankruptcy Information - $26.50
• Business Ownership - $9.95
• Shareholder - $1.50
• Felony - $16.00
• Lawsuit History - $2.95
• Sex Offender - $13.00
• Driver's License - $3.00
• Voter Registration - $0.25
Source: http://dilbert.com/strips/comic/2010-10-14/
Who Can Access Your Medical Records?
Consequences of Data Leaks
• Civil Lawsuits
• Legal Fines
• Personal Risks
• Loss of Clients
Risk factors associated with data leaks and unauthorized access:
Traditional Security Measures
• Physical Access Restrictions
• Firewalls with Intrusion Detection
• Sensitive Fields Encryption
• Backup Protection
• Access Tokens, Digital Certificates
• User Identity Management
• VPNs, DMZs
• Security Policy Management
• Role-based Access Rules
• Security Audits
Data Losses as a Result of Business Processes
• Data Snapshots for Offshore Development
• Test Datasets for System Upgrade
• Training Facility Databases
• Data Exports for 3rd-party Marketing Agency
• Legacy LOB Applications
• Bugs in Application Security “Not Yet” Addressed
Regulatory Requirements
Homegrown Data Protection Solution
Data Privacy is NOT a Moonlight Project
Management significantly underestimates Data Privacy complexity.
DBAs spend an average of 4-6 weeks per source implementing “in-house data
What is Data Masking?
Data masking is the process of obscuring (masking) specific data elements within data stores. It ensures that sensitive data is replaced with realistic but not real data.
Use Case – Total Comp Project
Ron Reddy Dpt. Mgr.
Rochelle Li IT Lead
Ron needs a new Total Comp report for his team and asked Rochelle to make a template for it.
Corporate Policy: Managers cannot retrieve compensation details for people with a higher salary grade.
Use Case – Total Comp Project
Ron’s full view vs. Rochelle’s view (report screenshots)
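How the corporate policy from this use case can be enforced at retrieval time, as an added example that is not part of the original deck. The rows, the numeric grade scale (a higher number is a more senior grade) and the field names are constructed assumptions; Ron and Rochelle are taken from the slide, the other two rows are made up.

```python
"""Grade-based masking for the Total Comp report (added example).

Policy from the slide: a manager cannot retrieve compensation details
for people with a higher salary grade. Grades, salaries and field
names below are constructed assumptions, not data from the deck.
"""

# Constructed sample data: the two people on the slide plus two made-up
# rows so that each viewer has something visible and something withheld.
EMPLOYEES = [
    {"name": "Ron Reddy", "grade": 7, "base": 145000, "bonus": 30000},
    {"name": "Rochelle Li", "grade": 5, "base": 118000, "bonus": 12000},
    {"name": "Sample Analyst", "grade": 4, "base": 82000, "bonus": 5000},
    {"name": "Sample VP", "grade": 9, "base": 210000, "bonus": 80000},
]

COMP_FIELDS = ("base", "bonus")
MASKED = "***"


def is_visible(row, viewer_grade):
    """Policy rule: compensation is visible only at or below the viewer's grade."""
    return row["grade"] <= viewer_grade


def total_comp_view(rows, viewer_grade):
    """Return the report as one viewer is allowed to see it.

    Masking is applied when rows are retrieved, not inside the report
    template, so one template serves every viewer and the template
    author (Rochelle) never sees more than the policy allows her.
    """
    view = []
    for row in rows:
        out = {"name": row["name"], "grade": row["grade"]}
        if is_visible(row, viewer_grade):
            for field in COMP_FIELDS:
                out[field] = row[field]
            out["total"] = sum(row[f] for f in COMP_FIELDS)
        else:
            for field in COMP_FIELDS:
                out[field] = MASKED
            out["total"] = MASKED
        view.append(out)
    return view


def team_total(view):
    """Sum the visible totals and report how many rows were withheld.

    Aggregates are computed from the masked view, never from the raw
    rows: a grand total over raw data would let a viewer subtract the
    visible totals and recover a withheld salary.
    """
    visible = [r["total"] for r in view if r["total"] != MASKED]
    return sum(visible), len(view) - len(visible)


if __name__ == "__main__":
    for viewer, grade in (("Ron Reddy", 7), ("Rochelle Li", 5)):
        view = total_comp_view(EMPLOYEES, grade)
        print(f"\n{viewer} (grade {grade})")
        for r in view:
            print(f"  {r['name']:<15} {r['base']:>8} {r['bonus']:>8} {r['total']:>8}")
        print("  visible team total, rows withheld:", team_total(view))
```

Running the block prints Ron's view (only the VP row withheld) and Rochelle's view (Ron and the VP withheld); the aggregate function deliberately counts withheld rows rather than silently summing over them.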
Three Pillars of Data Masking
Automated search & classification
• Automated search & classification: reduces manual effort
• Prepackaged templates (PCI, HIPAA, etc.)
• Integrates with data masking
• Benefits: significant time and cost savings; repeatable process; facilitates compliance, reduces risk; increases accuracy, reducing human error; maintains application and database integrity
Subsetting
• Advanced filtering capabilities: reduces data footprint, storage and bandwidth
• Graphically view and configure rules: increases accuracy, reducing human error
• Integrates with data masking
• Benefits: repeatable process; maintains application and database integrity; significant time and cost savings
Data Masking
• Earlier detection of application defects: reduces QA effort
• High quality, realistic data
• Benefits: repeatable process; facilitates compliance, reduces risk; increases accuracy, reducing human error
Available Data Transformations
Generators
Account Numbers, Birth Dates, Credit Card Expiry Dates, Credit Card Numbers, Social Security Numbers
Mutators
Account Numbers, Birth Dates, Credit Card Expiry Dates, Names, Street Addresses
Algorithmic
Enumeration, Salaries, Serial Numbers, Telephone Numbers
Custom
Email Addresses, Free Form Text, XML Documents
Data Load
Names, Part Numbers, Street Addresses, Table Filter
Static Data Masking
Show Stoppers
Data Masking Implementation Impediments
More Challenges to Consider:
Relationship Discovery
Transformation Repeatability
Centralized Rule Definition
Multiplatform Support
Application Integrity
Database Integrity
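The definition of data masking given earlier, the transformation families listed under Available Data Transformations (generators, mutators, algorithmic) and two of the challenges just listed (transformation repeatability and database integrity) are illustrated below in one added example. It is not code from the deck or from any product the deck describes; the tables, column names, the MASK_KEY value and the card numbers (which are the well-known Visa and MasterCard test numbers) are constructed. The design choice it demonstrates is keyed HMAC derivation: the same input under the same key always masks to the same output, so a foreign key masked in one table still joins to the masked primary key in another, while without the key nothing in the masked copy links back to the original.

```python
"""Static data masking with repeatable, key-driven transformations (added example)."""
import hashlib
import hmac

# Constructed secret. It stays with the masking job and never ships with the
# masked copy; without it, masked values cannot be linked back to originals.
MASK_KEY = b"example-masking-key-not-for-production"


def _digits(value, n, key):
    """Deterministic n-digit string derived from value under key (HMAC-SHA256).
    Same value + same key -> same output, across tables and across runs."""
    mac = hmac.new(key, str(value).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)


# Generator: a realistic-looking value that can never be a real one.
def gen_ssn(original, key=MASK_KEY):
    """Area numbers 900-999 are never issued, so the result passes NNN-NN-NNNN
    format checks yet is visibly synthetic."""
    d = _digits(original, 8, key)
    area = 900 + int(d[:2])            # 900-999
    group = int(d[2:4]) % 99 + 1       # real SSNs never use group 00
    serial = int(d[4:8]) % 9999 + 1    # or serial 0000
    return f"{area}-{group:02d}-{serial:04d}"


def luhn_check_digit(partial):
    """Check digit for the digit string `partial` (number without its last digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        n = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += n - 9 if n > 9 else n
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


def gen_card(original, key=MASK_KEY):
    """Keep the 6-digit issuer prefix (not secret) so BIN-based logic in test
    systems still works, regenerate the rest, append a valid Luhn digit."""
    partial = original[:6] + _digits(original, 9, key)
    return partial + luhn_check_digit(partial)


# Mutator: swap the real value for one drawn from a constructed pool.
FIRST = ["Alex", "Dana", "Jordan", "Morgan", "Priya", "Sam", "Tariq", "Yuki"]
LAST = ["Adams", "Baker", "Chen", "Diaz", "Evans", "Fox", "Garcia", "Hart"]


def mutate_name(original, key=MASK_KEY):
    d = _digits(original, 6, key)
    return f"{FIRST[int(d[:3]) % len(FIRST)]} {LAST[int(d[3:]) % len(LAST)]}"


# Algorithmic: perturb a number while keeping its order of magnitude.
def mask_salary(original, key=MASK_KEY):
    """Deterministic jitter of up to +/-10 %, rounded to the nearest 100."""
    factor = 0.9 + 0.2 * int(_digits(original, 4, key)) / 9999
    return int(round(original * factor / 100.0)) * 100


def mask_account_no(original, key=MASK_KEY):
    """Same-length replacement, applied identically wherever the column appears."""
    return _digits(original, len(original), key)


def mask_database(db, key=MASK_KEY):
    customers = [{**c, "name": mutate_name(c["name"], key), "ssn": gen_ssn(c["ssn"], key),
                  "card": gen_card(c["card"], key), "salary": mask_salary(c["salary"], key),
                  "account_no": mask_account_no(c["account_no"], key)}
                 for c in db["customers"]]
    orders = [{**o, "account_no": mask_account_no(o["account_no"], key)} for o in db["orders"]]
    return {"customers": customers, "orders": orders}


def referential_integrity_ok(db):
    """Every order still points at an existing customer after masking."""
    accounts = {c["account_no"] for c in db["customers"]}
    return all(o["account_no"] in accounts for o in db["orders"])


# Constructed production-like snapshot; card numbers are public test numbers.
SOURCE_DB = {
    "customers": [
        {"account_no": "100234", "name": "Jane Example", "ssn": "123-45-6789",
         "card": "4111111111111111", "salary": 97000},
        {"account_no": "100235", "name": "John Sample", "ssn": "987-65-4321",
         "card": "5500000000000004", "salary": 64000},
    ],
    "orders": [{"order_id": 1, "account_no": "100234", "amount": 250},
               {"order_id": 2, "account_no": "100235", "amount": 75},
               {"order_id": 3, "account_no": "100234", "amount": 1200}],
}

if __name__ == "__main__":
    masked = mask_database(SOURCE_DB)
    for row in masked["customers"] + masked["orders"]:
        print(row)
    print("referential integrity:", referential_integrity_ok(masked))
```

Running the block twice yields byte-identical output, which is the repeatability property; running it under a different key yields a different but equally consistent copy, which is how separate environments (QA, training, an offshore team) can each get their own masked snapshot that cannot be cross-correlated.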
Data Masking DIY Project
Easy:
• 15-20 minutes to install Discovery using predefined templates
• Includes library of prebuilt transformations
Hard:
• Masking strategy
• Transformation “tuning”
• Custom transformations
• Complex dependencies
• Best practices
Why Data Masking?
"The entire point of data masking is to protect yourself from your own employees," says Joseph Feiman, a security analyst at Gartner Research. "Attacks are coming from the outside, yes, that's true, but also from the inside. And it's hard to tell which type is more serious."