Best Practices in Application Data Masking

Paul Capobianco Sales Engineering

Introduction to Applimation

 Data growth management software company  Focus on enterprise applications  Unified, integrated product suite   Founded in 1998 150 + customers using Informia Solutions 2

Premier Informia Customers

City of Chicago

3

Presentation Agenda

• • • Overview of data privacy – Definitions – Terminology Use cases/business drivers for data masking – Production/non-production?

– Motivations Informia Secure overview – Functionality – Features 4

What is Data Privacy?

Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.

5

Sensitive Information – Definition

• N on p ublic p rivate i nformation (

NPPI

) – details about an individual • Information protected by government regulations • Information protected by industry regulations • Intellectual property • Anything classified as confidential or private

Open to common sense interpretation

6

Why the focus on data privacy?

• • Data Breaches (becoming tomorrow’s Front page news) – Legal consequences – Loss of trust (customers, vendors, partners, etc.) – Negative publicity – Damage to reputation – COST Government Regulations – Federal Information Security Management Act of 2002 – Gramm-Leach-Bliley Act – Personal Data Protection Directive (EU) – HIPAA – Data Protection Act (UK) 7

Privacy Laws – All Different

United States Privacy Rules Designed to embarrass organizations that properly secure sensitive information i.e. (bank acct info or employee payroll records) European Privacy Rules Must adhere and confirm to European Union privacy mandates.

8

Why the focus on data privacy?

•

THE COST!

Penalties for data breaches include: –

Fines

–

Brand Damage

–

Expenses associated with notifying affected individuals

• (ESG estimates between $25-$150 per notification) In Europe and other countries non compliance leads to: •

Executive Dismissal

•

Government Sanctions

9

Privacy Regulations – More Detail

Regulation HIPAA Example Text “Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information.” Gramm-Leach Bliley Act “The law requires that financial institutions protect information collected about individuals” Data Protection Act (UK) “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” PCI “…keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.” 10

Industry Regulations

•

Payment Card Industry Standard

– Comprised of Visa, MasterCard, Discover, American Express and JCB – Intended to improve the overall level of security for payments globally – Vendor incentives to comply with PCI include brand protection and financial, legal, and regulatory risk reduction Being updated again – now expiration date must be hidden •

HIPAA Security Rule

– Applies to insurance companies, providers (hospitals) – Audits starting to reveal gaps 11

Inconsistent Data Breach Laws in the U.S.

Data Breach Law Breakdown by each state (as of February 2007) • 34 states with breach laws – Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, Wisconsin • 8 states considering passing breach legislation – Maryland, Massachusetts, Michigan, Missouri, Oregon, South Carolina, Virginia, West Virginia • 8 states with no imminent plans for breach laws – Alabama, Alaska, Iowa, Kentucky, Mississippi, New Mexico, South Dakota, Wyoming 12

The Federalization of Privacy Regs in the U.S.

•

2 key bills passed out of the House of Representatives (H.R.)

– Both were cleared from the books at the conclusion of the 109 th U.S. Congress – No comparable bills have been proposed by the 110 th U.S. Congress to date •

H.R.4127 - Data Accountability and Trust Act

– Requires the Federal Trade Commission to establish rules for the security of personal information – Provides dual enforcement by state and federal authorities •

H.R.3997 – Financial Data Protection Act

– Customer notification is only required if breached information is ‘reasonably likely to be misused’ – Provides security freezes to victims of ID theft only – Preempts state laws in order to protect the confidentiality of information – Enforcement by federal authorities only 13

U.S. Data Breaches

•

There have been over 100 million data breaches since ChoicePoint (Feb 2005)

•

Plague all verticals, but most common in:

– Education: University of Notre Dame (1/8/07) – Gov’t: Wisconsin Department of Revenue (12/29/06) – Finance/banking: Moneygram (1/12/07) •

Mostly malicious actions

– Hacking or stealing systems with information 14

Confidential Data Stats

How much of your data is confidential?

SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.

30% 25% 20% 15% 10% 5% 0% 8% 24% 17% 21% 26% 1% to 10% of our data is confidential 11% to 25% of our data is confidential 26% to 50% of our data is confidential 51% to 75% of our data is confidential More than 75% of our data is confidential 4% Don't know 15

Confidential Data Stats

types would your organization classify as confidential? (Percent

How much of your database data is confidential?

SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006 .

60 50 40 30 20 10 0 54% 50% 40% 30% 31% 20% 24% 10% Database Electronic documents E-mail and attachments Other data (e.g. Web pages, multimedia files, etc.) Mean Median 16

Security Threats – From Where?

External Security Threats

– IT has spent MOST money on external security – Firewalls – Password protection – System Auditing on connections – Computer room access – Tracking cards for building access 17

Security Threats – From Where?

Internal Security Threats This is where a majority of breaches now taking place

– Who has access to primary database applications?

– Who has access to test and development databases – Is there sensitive / confidential information in these primary / test databases?

• What measures are you taking to protect against internal security and privacy threats?

18

Rationalizing an investment

$ Insert your favorite data breach here ( TJX, Fidelity, HP ) $ Over 10 information security and privacy Bills are currently being debated in U.S. Congress Basically it will be mandated eventually $

Only 34% of organizations have deployed database encryption solutions

19

Subsetting / Masking / Scrambling / Encryption How is this accomplished today on Oracle Apps, PeopleSoft and Siebel?

1.

-

DBA’s run their own scripts Requires up-to-date understanding of application Requires maintenance after upgrades and family packs What about cross-module data sharing ? Is this covered?

Things change Are you sure? Will you bet your CIO’s career on it?

2. Consulting companies create custom scripts

-

Costly, require maintenance and same issues as above 3. Most do Nothing – clones and test/dev copies have it all!

20

Subsetting / Masking / Scrambling / Encryption There are 2 processes used today to help manage the size and security to mitigate the security risk.

1. Subsetting

-

Creates a smaller or partial copy of Prod database for test Smaller copy ensures less sensitive data Saves on subsequest copies – saves on disk Developers still have some valid data however 2. Data Masking

-

Smaller Production data becomes anonymous data Still ensures referential integrity at EVERY data level Variety of masking methods should be available Solution should be application-aware (O-Apps & PSoft) Also automated, flexible and supported

21

Informia Secure – Product Overview

What can companies do?

Informia Secure - Introduction

Secure enables data privacy by providing robust data masking functionality.

What is Data Masking?

Protecting sensitive information by hiding or altering data so that an original value is unknowable.

Also known as: – De-identifying – Protecting – Camouflaging – Data masking – Data scrubbing 23

Why is data privacy required?

• • Production environment control access  Security model to Non-production environment  Security is opened up to enable development and testing Non-production business drivers – Development – Testing – Support – Outsourcing 24

Substitute – Prepackaged Data Sets

The ability to replace existing values with new values that follow the format of the original  Male and Female Names  Last names  Male and female titles/suffixes  Credit card numbers – Visa, MasterCard, Amex  Country, state, county, town names  Zip codes  Phone numbers  Email addresses 25

Substitute Method - Example

Emp ID Name 0964 John Smith 9388 2586 7310 Mark Jones Rob Davis Jeff Richards City Plano Modesto CA 95356 Hartford CT 06111 Tampa ST Zip TX 75025 FL 33617 Emp ID Name 0964 Joe Marks 9388 Gary Franks 2586 7310 City Topeka Billings David Sanger Tucson Dan Lister Detroit ST KS Zip 66618 MT 59102 AZ MI 85704 48216 26

Data Masking Concepts



Relational integrity



Policy simulation



Auditability



Format validation



Data consistency

27

Questions……

28