Securing Enterprise Data - PowerPoint PPT Presentation

1
Securing Enterprise Data
  • September 13th, 2007
  • Farhan Mohammad Sr. Sales Engineer

2
Introduction to Applimation
  • Data growth management software company
  • Focus on enterprise applications
  • Unified, integrated product suite
  • Founded in 1998
  • 150 customers using Informia Solutions

3
Presentation Agenda
  • Overview of data privacy
      • Definitions
      • Terminology
  • Use cases/business drivers for data masking
      • Production/non-production?
      • Motivations
  • Data privacy solution best practices
      • Functionality
      • Features

4
What is Data Privacy?
  • Data privacy refers to the evolving relationship
    between technology and the legal right to, or
    expectation of, privacy in the collection and
    sharing of data.

5
Sensitive Information Definition
  • Non-public private information (NPPI) details
    about an individual
  • Information protected by government regulations
  • Information protected by industry regulations
  • Intellectual property
  • Anything classified as confidential or private

6
Why the focus on data privacy?
  • Data breaches
      • Legal consequences
      • Loss of trust (customers, vendors, partners,
        etc.)
      • Negative publicity
      • Damage to reputation
  • Government Regulations
      • Federal Information Security Management Act of
        2002
      • Gramm-Leach-Bliley Act
      • Personal Data Protection Directive (EU)
      • HIPAA
      • Data Protection Act (UK)

7
U.S. Data Breaches
  • There have been over 100 million individual data
    breaches since ChoicePoint (Feb 2005)
  • Plague all verticals, but most common in:
      • Education: University of Notre Dame (1/8/07)
      • Govt: Wisconsin Department of Revenue (12/29/06)
      • Finance/banking: Moneygram (1/12/07)
  • Mostly malicious actions
      • Hacking or stealing systems with information

8
Privacy Regulations - More Detail

9
How much of your data is confidential?
Source: ESG Research Report, Protecting Confidential Data, March, 2006.
Confidential Data Stats

10
Why is data privacy required?
  • Production environment: security model to
    control access
  • Non-production environment: security is opened
    up to enable development and testing
  • Non-production business drivers
      • Development
      • Testing
      • Support
      • Outsourcing

11
Example - Prod vs Non-Prod

12
What is Data Masking?
  • Protecting sensitive information by hiding or
    altering data so that an original value is
    unknowable.
  • Also known as:
      • De-identifying
      • Protecting
      • Camouflaging
      • Data masking
      • Data scrubbing

13
Data Privacy Software: Data Masking Best Practices

14
Best Practice 1 - Enterprise Solution
  • Single installation
  • Connect to multiple databases
  • Single Masking Engine
  • Unified Architecture
  • Reusable and repeatable policies

15
Best Practice 2 - Built-in Masking Methods
  • Substitute
  • Randomize
  • Shuffle
  • Nullify
  • Scramble
  • Skew
  • Encrypt
  • Custom SQL
  • Mathematical Formulae

16
Example - Skew Method
  • Taking an existing value and altering it within a
    defined range

17
Example - Substitute Method

18
Best Practice 3 - Easy to Use / Learn
  • Navigation Tree: modules and rule sets
  • Designer Canvas: drag and drop, auto discovery
  • Rule Creator: group rules logically

19
Best Practice 4 - Content
  • Substitute - Replace existing values with new
    values that follow the format of the original
      • Male and female names
      • Last names
      • Male and female titles/suffixes
      • Credit card numbers: Visa, MasterCard, Amex
      • Country, state, county, town names
      • Zip codes
      • Phone numbers
      • Email addresses

20
Best Practice 5 - Data Format Validation
  • Ensuring that the structure of a piece of data is
    maintained after masking

21
Best Practice 6 - Data Consistency

22
Additional Best Practices
  • 7 - Relational integrity
  • 8 - Policy simulation
  • 9 - Auditability

23
Best Practice 10 - Application Awareness
  • What is sensitive?
  • Where is it?
  • How to mask it?
  • What's it related to?

24
Example - Application Awareness

25
Summary - Data Masking Best Practices
  • Enterprise solution
  • Built-in Data Masking Methods
  • Easy to use / learn
  • Content
  • Data Format Validation
  • Data Consistency
  • Relational Integrity
  • Policy Simulation
  • Auditability
  • Application Awareness (Accelerators)

26
Informia Secure and Oracle
  • Applimation is an Oracle Certified Advantage
    Partner, and has developed application specific
    data masking accelerators for the Oracle
    E-Business Suite.
  • The Informia Secure accelerators streamline the
    data masking effort by providing
    functionality-focused data masking algorithms.
    The application data has been analyzed to
    identify likely data fields, and potential
    masking algorithms have been defined. The user
    can then choose the specifics.

27
Informia Secure and Oracle
  • Accelerator Example
      • Client wishes to mask the name field.
      • Client selects Name for masking.
      • Behind the scenes, Informia Secure knows the
        related fields to also mask, such as First Name,
        Last Name, etc.
      • Client chooses the method, e.g. Substitution.
      • Informia Secure executes the data masking by:
          • selecting replacement values from a
            substitution table
          • inserting the replacement values into the
            primary table
          • creating new values for the related fields on
            the table
          • cascading the new value set to other tables
            using these fields
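
The substitute and skew methods, format preservation, and cross-table consistency described in the slides above can be sketched as follows. This is an added example, not Informia Secure code: the table and column names, the key, and the substitution list are constructed, and it uses a keyed hash so that each table can be masked independently and still join, rather than the cascade step the slide describes.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: per-refresh secret, never stored in the masked copy
LAST_NAMES = ["Archer", "Bellamy", "Cortez", "Dunmore", "Ellery"]  # constructed substitution table

def _digest(value: str, purpose: str) -> bytes:
    # Keyed hash: the same input always masks to the same output, but not reversibly without KEY.
    return hmac.new(KEY, f"{purpose}:{value}".encode(), hashlib.sha256).digest()

def substitute(value: str, table: list[str]) -> str:
    # Substitute method: pick a replacement from the substitution table.
    return table[int.from_bytes(_digest(value, "sub")[:4], "big") % len(table)]

def mask_digits(value: str) -> str:
    # Replace every digit but keep separators, so format validation still passes.
    d = _digest(value, "digits")
    return "".join(str(d[i % len(d)] % 10) if c.isdigit() else c for i, c in enumerate(value))

def skew(amount: int, seed: str, pct: int = 10) -> int:
    # Skew method: alter the value within +/- pct percent of the original.
    offset = int.from_bytes(_digest(seed, "skew")[:2], "big") % (2 * pct + 1) - pct
    return amount + amount * offset // 100

def mask_copy(db: sqlite3.Connection) -> None:
    rows = db.execute("SELECT emp_id, last_name, ssn, salary FROM employees").fetchall()
    for emp_id, last, ssn, salary in rows:
        db.execute(
            "UPDATE employees SET last_name=?, ssn=?, salary=? WHERE emp_id=?",
            (substitute(last, LAST_NAMES), mask_digits(ssn), skew(salary, ssn), emp_id))
    # Related table is masked on its own; deterministic output keeps the join key consistent.
    for rowid, ssn in db.execute("SELECT rowid, ssn FROM payroll").fetchall():
        db.execute("UPDATE payroll SET ssn=? WHERE rowid=?", (mask_digits(ssn), rowid))

def build_sample() -> sqlite3.Connection:
    # Constructed sample data standing in for a non-production copy.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employees (emp_id INTEGER, last_name TEXT, ssn TEXT, salary INTEGER);
        CREATE TABLE payroll (ssn TEXT, period TEXT);
        INSERT INTO employees VALUES (1, 'Smith', '123-45-6789', 80000),
                                     (2, 'Jones', '987-65-4321', 65000);
        INSERT INTO payroll VALUES ('123-45-6789', '2007-08'), ('987-65-4321', '2007-08');
    """)
    return db
```

Digit-wise hashing is not a permutation, so a column with a unique constraint needs a collision check before the masked copy is loaded.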

28
Creating a Secure Oracle Instance
  • Careful planning is needed to properly create a
    secure Oracle E-Business Suite environment. The
    following items should be defined upfront:
      • Goals for data masking
      • Uses of the secured environment
      • Level of functionality to maintain
      • Level of data integrity to maintain
      • Users of the secured environment and their
        access levels

29
Creating a Secure Oracle Instance
  • Goals for data masking
      • Protect confidential personal information, such
        as social security number, addresses, phone.
      • Protect confidential employment information, such
        as salary, employee review data.
  • Uses of the secured environment
      • Development: Online, Batch
      • Testing: Configuration, Online, Batch,
        Production
      • Training: Demonstrations

30
Creating a Secure Oracle Instance
  • Level of functionality to maintain
      • Which modules will be used in the secure
        environment?
      • To what level does the functionality need to
        function?
  • Level of data integrity to maintain
      • Current Data
      • Historical Data
      • Intermodule relationships
  • Users of the secured environment and their access
    levels
      • Types of user: functional users, technical users.
      • Access levels: expanded user menu access, back
        door (SQL) access.

31
Creating a Secure Oracle Instance
  • Using Applimation Informia Secure, you can easily
    create a secure Oracle E-Business Suite
    environment that protects your data, while
    allowing you to productively use your secure
    environment to meet your business needs.

32
Questions