Exploit the Power of Enterprise Data Management
Securing Your Data and Your Brand:
A Data Privacy Case Study
Eric Offenberg, CIPP, Product Marketing Manager
Tim Smith, Technical Product Manager
Princeton Softech
© 2007 Princeton Softech, Inc.
Agenda
About Protecting Privacy
What’s at Stake?
About Data Breaches
The Easiest Way to Expose Private Data
Considerations for a Privacy Project
Success Stories
About Princeton Softech
No part of this presentation may be reproduced or transmitted in any form by any means,
electronic or mechanical, including photocopying and recording, for any purpose without the
express written permission of Princeton Softech, Inc.
Disclaimer
This presentation is intended to provide general background
information, not regulatory, legal or other advice. Princeton
Softech, Inc. cannot and does not provide such advice.
Readers are advised to seek competent assistance from
qualified professionals in the applicable jurisdictions for the
types of services needed, including regulatory, legal or other
advice.
The Corporate View of Data Privacy
Read all about it…
- Data breaches
- Identity Theft
Laws are multiplying
- PCI
- GLBA
- HIPAA
- Data Breach Notification Acts
6 Data Breaches per F1000 company
per year is the Industry Norm*
Data Privacy Projects are still more
reactive than proactive
Development, Backup and Testing
environments remain vulnerable!
Bottom Line…Companies are having
trouble securing sensitive data!
* Source: IT Compliance Group, 2007
Common Legislative Themes
Government regulations protect consumers
- USA: HIPAA, Gramm-Leach-Bliley Act (GLB), California
Security Breach Notice Statute
- European Union: Personal Data Protection Directive 1998
- UK: Data Protection Act of 1998
- Australia: Privacy Amendment Act of 2000
- Canada: Personal Information Protection and Electronic
Documents Act
- PCI Data Security Standard (including new state laws)
IT is Becoming the Target
US Senate Bill Holds IT Managers Responsible for Privacy Breaches
By Scott M. Fulton, III, BetaNews
February 8, 2007, 8:09 PM
A bill introduced in the US Senate on Tuesday by Judiciary Committee Chairman
Patrick Leahy (D - Vermont), along with one independent and one Republican
backer, aims to strengthen security requirements for all private databases
accessible online that may hold personal information. Reintroducing language
that had been stalled since 2005, if passed, the bill could hold IT managers
accountable and responsible for security breaches where personal
information is pilfered.
What’s at Stake?
Fines and penalties
Loss of customer loyalty
Loss of revenue
Share price erosion
Negative publicity
“Brand equity” damage
Damage to company reputation
Increased operations costs
To date, personal information for at least 53
million US citizens has been lost, stolen or
compromised
Primary Benefits of Protecting Data
Assurance of integrity for company brand and image (46%)
Reduced concern about electronic theft (33%)
Less concern about data leakage and public news reports
(30%)
Reduction and/or avoidance of litigation and cost (27%)
* Source: IT Compliance Group Benchmark Study 2/07
Where do F1000 Corporations Stand today?
How Personal Data Was Lost
- Lost Laptop or other device: 35%
- Third Party Outsource Breach: 21%
- Lost Electronic Backup: 19%
- Misplaced Paper: 9%
- Inside Job/Malicious Code: 9%
- Hackers: 7%
Consumer Reaction
Banking Customer Survey (Ponemon Institute)
- Considered Terminating Service: 40%
- Concerned: 27%
- Terminated Service: 19%
- Not Concerned: 14%
Cost to Company per Missing Record: $182
- Lost Productivity: $30
- Loss of Customers: $98
- Incident Response: $54
Chart legend: Free/Discounted Services, Notifications, Legal, Audit/Accounting Fees, Call Center, Other
Chart segment labels: $7, $13, $4, $3, $24, $1
Over 100 million records lost at a cost of $16 Billion.
Data Breach Examples
Company / Financial Impact
- FTC Fine = $15M
- $7-9M (not including litigation)
- $10M and 3rd party audits every other year for 20 years
- 3rd party audits every other year for 20 years
- Kaiser Permanente: State of CA fine $200,000 for a breach affecting 150 customers
What is Done to Protect Data Today?
Production “Lockdown”
- Physical entry access controls
- Network, application and database-level security
- Multi-factor authentication schemes (tokens,
biometrics)
Unique challenges in Development and Test
- Replication of production safeguards not sufficient
- Need “realistic” data to test accurately
The Easiest Way to Expose Private Data …
Internally with the Test Environment
70% of data breaches occur internally
(Gartner)
Test environments use personally
identifiable data
Standard Non-Disclosure Agreements
may not deter a disgruntled employee
What about test data stored on laptops?
What about test data sent to
outsourced/overseas consultants?
Payment Card Data Security Industry
Reg. 6.3.4 states, “Production data
(real credit card numbers) cannot be
used for testing or development”
* The Solution is Data Masking *
What is Data Masking?
AKA depersonalization, desensitization, or data scrubbing
Technology that helps conceal real data
Scrambles data to create new, legible data
Retains the data's properties, such as its width, type, and
format
Common data masking algorithms include random, substring,
concatenation, date aging
Used in Non-Production environments as a Best Practice to
protect sensitive data
The Top 3 Reasons Why Insiders Steal Data
1. Greed
2. Revenge
3. Love
Source: US Attorney General’s Office, Eastern PA District
How is Risk of Exposure being Mitigated?
No laptops allowed in the building
Development and test devices
- Do not have USB
- No write devices (CD, DVD, etc.)
Employees sign documents
Off-shore development does not do the testing
The use of live data is ‘kept quiet’
Protecting Test Environments
Forrester Research:
“…IT’s own access to customer and
personnel data must be examined –
strictly speaking, none should
actually be necessary. Test data
must be “anonymized…. ” [sic]
Information Week:
“The search for consumer data and
its uses doesn't stop at large
production databases -- it extends
to application test data and Web
applications.”
Encryption is not Enough
DBMS encryption protects against DBMS theft and hackers
Data decryption occurs as data is retrieved from the DBMS
Application testing displays data
- Web screens under development
- Reports
- Data entry/update client/server devices
If data can be seen it can be copied
- Download
- Screen captures
- Simple picture of a screen
Strategic Issues for Implementing Data Privacy
Data Masking Considerations
Establish a project leader/project group
Determine what you need to mask
Understand Application and Business Requirements
Top Level Masking Components
Project Methodology
Data Privacy in Application Testing
Extract a relationally intact subset
from production database(s)
[Diagram. Source tables: CUSTOMERS, ORDERS, DETAILS. Steps shown: Extract File; Transform / mask sensitive data; INSERT/UPDATE; Load Files; LOAD. Target databases: TESTDB and QADB, each with tables CUST, ORD, DETL.]
Data transformation functions:
Propagation of masked primary keys to dependent foreign keys
Random number generation
Hard-code literals, special registers such as date, time
Substring and concatenation of values
Sequencing numeric fields (or parts of concatenated fields)
Arithmetic calculations
Lookup tables
Access to client-defined exit routines to apply complex algorithms
Data Masking Consideration – Step 1
Establish a Project Leader/Group
- Many questions to be answered/decisions to
be made
- Project Focus
- Inter-Departmental Cooperation
- Use for additional Privacy Projects
Data Masking Consideration – Step 2
Determine what you need to mask
- Customer Information
- Employee Information
- Company Trade Secrets
- Other
Data Masking Consideration – Step 3
Understand Application and
Business Requirements
- Where do applications exist?
- What is the purpose of the
application(s)?
- How close does replacement data
need to match the original data?
- How much data needs to be
masked?
Data Masking Consideration – Step 4
Masking Components (Top Level)
Masking is not simple!
- Many DBMS
- Legacy Files
- Multiple platforms
Needs to fit within
existing processes
Not a point solution –
consider the
enterprise
Not a one time
process
Component A - Consistency
Masking is a repeatable process
Subsystems need to match originating
The same mask needs to be applied across the
enterprise
- Predictable changes
- Random change will not work
Change all ‘Jane’ to ‘Mary’ again and again
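The consistency requirement above can be met without a shared mapping file by deriving the replacement from a keyed hash of the original value. The following is an added example, not Princeton Softech or Optim code; the name lists, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed replacement lists; a real project would use a much larger lookup table.
FIRST_NAMES = ["Mary", "Ronald", "Elena", "Carl", "Alice", "Pablo", "Claude", "Lucille"]
LAST_NAMES = ["Smith", "Wu", "Davis", "Bennett", "Flynn", "Monet", "Renoir", "Ball"]


def _pick(key, domain, value, table):
    """Choose a table entry from an HMAC of the normalized input value."""
    normalized = value.strip().casefold().encode("utf-8")
    digest = hmac.new(key, domain.encode() + b"\x00" + normalized, hashlib.sha256).digest()
    return table[int.from_bytes(digest[:8], "big") % len(table)]


def mask_name(key, first, last):
    """Mask first and last name independently so each part stays consistent."""
    return (_pick(key, "first", first, FIRST_NAMES),
            _pick(key, "last", last, LAST_NAMES))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # hypothetical; the real key must stay out of test environments
    # Two "subsystems" hold the same person with different formatting.
    billing = mask_name(key, "Jane", "Doe")
    crm = mask_name(key, " JANE ", "doe")
    print(billing, crm, billing == crm)  # same mask in both systems, on every run
```

Because the mask depends on the key, whoever holds the key can test guesses against masked values, so the key needs the same protection as the production data.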
Example: First and Last Name
Direct Response Marketing, Inc.
is testing its order fulfillment
system
To fictionalize customer names,
use a random lookup function
to pull first and last names
randomly from the Customer
Information table:
- “Gerard Depardieu” becomes
“Ronald Smith”
- “Lucille Ball” becomes “Elena
Wu”
Example: Bank Account Numbers
First Financial Bank’s account numbers are
formatted “123-4567” with the first three
digits representing the type of account
(checking, savings, or money market) and
the last four digits representing the customer
identification number
To mask account numbers for testing, use
the actual first three digits, plus a sequential
four-digit number
The result is a fictionalized account number
with a valid format:
- “001-9898” becomes “001-1000”
- “001-4570” becomes “001-1001”
Propagating Masked Data

Customers Table
Cust ID   Name            Street
08054     Alice Bennett   2 Park Blvd
19101     Carl Davis      258 Main
27645     Elliot Flynn    96 Avenue

Orders Table
Cust ID   Item #    Order Date
27645     80-2382   20 June 2004
27645     86-4538   10 October 2005

Key propagation
- Propagate values in the primary key to all related tables
- Necessary to maintain referential integrity
Masking with Key Propagation

Original Data

Customers Table
Cust ID   Name            Street
08054     Alice Bennett   2 Park Blvd
19101     Carl Davis      258 Main
27645     Elliot Flynn    96 Avenue

Orders Table
Cust ID   Item #    Order Date
27645     80-2382   20 June 2004
27645     86-4538   10 October 2005

De-Identified Data

Customers Table
Cust ID   Name             Street
10000     Auguste Renoir   Mars23
10001     Claude Monet     Venus24
10002     Pablo Picasso    Saturn25

Orders Table
Cust ID   Item #    Order Date
10002     80-2382   20 June 2004
10002     86-4538   10 October 2005

Referential integrity is maintained
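The bank account example and the key propagation slides above use the same mechanism: assign sequential replacements, remember the mapping, and apply it to every dependent row. The following is an added example, not the product's implementation; the class, function and dict key names are chosen for illustration, and the rows are the ones shown on the slides.

```python
from itertools import count


class SequentialMasker:
    """Maps each distinct original value to the next number in a sequence."""
    def __init__(self, start, width):
        self._next = count(start)
        self._width = width
        self.mapping = {}  # original -> masked; as sensitive as the production data

    def mask(self, original):
        if original not in self.mapping:
            self.mapping[original] = str(next(self._next)).zfill(self._width)
        return self.mapping[original]


def mask_tables(customers, orders, fake_identities):
    """Mask the Cust ID primary key, then propagate it to the Orders foreign key."""
    ids = SequentialMasker(start=10000, width=5)
    masked_customers = [
        {"cust_id": ids.mask(c["cust_id"]), "name": name, "street": street}
        for c, (name, street) in zip(customers, fake_identities)
    ]
    masked_orders = []
    for order in orders:
        if order["cust_id"] not in ids.mapping:  # orphan row: the subset was not intact
            raise ValueError("order references unmasked customer " + order["cust_id"])
        masked_orders.append({**order, "cust_id": ids.mapping[order["cust_id"]]})
    return masked_customers, masked_orders


def mask_account(account, seq):
    """Keep the three-digit account type; replace the customer part sequentially."""
    return account.split("-")[0] + "-" + seq.mask(account)


# Rows copied from the slides; the dict keys are names chosen for this example.
CUSTOMERS = [
    {"cust_id": "08054", "name": "Alice Bennett", "street": "2 Park Blvd"},
    {"cust_id": "19101", "name": "Carl Davis", "street": "258 Main"},
    {"cust_id": "27645", "name": "Elliot Flynn", "street": "96 Avenue"},
]
ORDERS = [
    {"cust_id": "27645", "item": "80-2382", "order_date": "20 June 2004"},
    {"cust_id": "27645", "item": "86-4538", "order_date": "10 October 2005"},
]
FAKES = [("Auguste Renoir", "Mars23"), ("Claude Monet", "Venus24"),
         ("Pablo Picasso", "Saturn25")]
MASKED_CUSTOMERS, MASKED_ORDERS = mask_tables(CUSTOMERS, ORDERS, FAKES)
```

The `mapping` dictionary re-identifies every masked row, so it should be discarded after the load or stored under production controls, never shipped with the test database.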
Component B - Context
A single mask will affect ‘downstream’ systems
Column/field values must still pass edits
- SSN
- Phone numbers
- E-mail ID
Zip code must match
- Address
- Phone area code
Age must match birth date
[Diagram: SS#s 157342266 and 132009824 appear in both the Client Billing Application and DB2; after "Data is masked", both show SSN#s 134235489 and 323457245. Masked fields are consistent.]
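The "must still pass edits" requirement above, shown for a payment card number (the data type the PCI material on this page concerns) rather than the SSN on the slide. This is an added example, not code from the presentation or the product; keeping the first six digits, the HMAC-derived digits and the key are assumptions made for the illustration.

```python
import hashlib
import hmac


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn edit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the digit string passes the Luhn edit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(key, pan, keep_prefix=6):
    """Replace the account digits, keep length and prefix, recompute the check digit."""
    digits = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(digits) or len(digits) <= keep_prefix + 1:
        raise ValueError("input does not pass the Luhn edit")
    n_body = len(digits) - keep_prefix - 1
    stream = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    # b % 10 is slightly biased, which is acceptable for fictional test data.
    body = "".join(str(b % 10) for b in stream[:n_body])
    payload = digits[:keep_prefix] + body
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # hypothetical key
    masked = mask_pan(key, "4111 1111 1111 1111")  # well-known test number, not a real card
    print(masked, luhn_valid(masked))
```

The masked value keeps the original length and prefix and still passes the application's check-digit edit, and the same input always produces the same mask.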
Component C - Flexibility
Laws being interpreted
New regulations being considered
Change is the only certainty
ERPs being merged
Masking routines will change,
frequently
Quick changes will be needed
Data Masking Consideration – Step 5
Project Methodology
Determine Base Directives
Compile Data Sources List
Design Transformation Strategy
Develop Transformation Process
Implement Testing Strategy
The Market Need
Corporations have a duty to protect confidential customer information
and have gained an understanding that vulnerabilities exist both in the
Production and Test Environments
Companies have begun implementing basic privacy functionality but
are requiring more specific and application aware masking
capabilities that can be applied across applications
- IT organizations require that development databases provide
realistic and valid test data (yet not identifiable) after it is masked.
This includes: Valid social security #’s, credit card #’s, etc.
- Enterprises require the option to mask data consistently
across several different applications, databases, and platforms
Success with Optim™
- “Today we don’t care if we lose a laptop”
- Large Midwest Financial Company
- “The cost of a data breach is exponentially more expensive than the cost of masking data”
- Large East Coast Insurer
- “This corporation is the only large retailer to state full compliance with PCI regulations”
- News article about the largest retailer in the world
Success: Data Privacy
About the Client:
$300 Billion Retailer
Largest Company in the World
Largest Informix installation in the world
Application:
- Multiple interrelated retail transaction processing applications
Challenges:
- Comply with Payment Card Industry (PCI) regulations that required credit card data to be masked in the testing environment
- Implement a strategy where Personally Identifiable Information (PII) is de-identified when being utilized in the application development process
- Obtain a masking solution that could mask data across the enterprise in both Mainframe and Open Systems environments
Solution:
- Princeton Softech Optim™
Client Value:
- Satisfied PCI requirements by giving this retailer the capability to mask credit data with fictitious data
- Masked other PII, such as customer first and last names, to ensure that “real data” cannot be extracted from the development environment
- Adopted an enterprise focus for protecting privacy by deploying a consistent data masking methodology across applications, databases and operating environments
How does Optim Protect Privacy?
Princeton Softech Optim provides the fundamental
components of test data management and enables
organizations to de-identify, mask and transform sensitive
data across the enterprise
Companies can apply a range of transformation techniques
to substitute customer data with contextually-accurate but
fictionalized data to produce accurate test results
By masking personally-identifying information, Optim protects
the privacy and security of confidential customer data, and
supports compliance with local, state, national,
international and industry-based privacy regulations
Concluding Thought #1
“It costs much less to protect sensitive data than it does to
replace lost customers and incur damage to the image of the
organization and its brand—an irreplaceable asset in most
cases.”
IT Compliance Group Benchmark Study 2/07
Concluding Thought #2
“We're not going to solve this by making data hard to steal.
The way we're going to solve it is by making the data hard to
use.”
Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About
Security in an Uncertain World"
For further information:
Eric Offenberg
Product Marketing Manager
609-627-5648