Database Security for Privacy - PowerPoint PPT Presentation

1
Database Security for Privacy
  • Sudha Iyer
  • Principal Product Manager
  • Oracle Corporation

2
Agenda
  • Business Drivers for Security/Privacy
  • Privacy & Security Dynamics
  • Role of Databases in Privacy
  • Security Technologies for the Privacy Professional
  • Privacy Compliance: An Example

3
Business Drivers
4
State of Security: United States
  • 90% of respondents detected computer security breaches within the last twelve months.
  • 80% of respondents acknowledged financial losses due to computer breaches.
  • $455,848,000 in quantifiable losses
  • $170,827,000 theft of proprietary information
  • $115,753,000 in financial fraud
  • 74% cited their Internet connection as a frequent point of attack
  • 33% cited internal systems as a frequent point of attack

Source: 2002 CSI/FBI Computer Crime and Security Survey
5
Regulations Landscape
  • Finance
    • Gramm-Leach-Bliley, Sarbanes-Oxley
  • Health
    • HIPAA
  • Pharmaceutical
    • FDA CFR Part 11
  • All Industries
    • SB 1386, Basel II
  • Education and Children's Protection
    • COPPA, FERPA

6
European Security Directives
  • Royal Decree 994/1999 (Spain)
    • Security regulation for files containing personal data
  • European Telecommunication Directive
    • Security of personally-identifiable information; contains limitations on collection, use and access to data
  • Outside EU and US
    • Australia, Hong Kong, New Zealand, Chile, Argentina, Canada, Taiwan, Korea, South Africa

7
What is Privacy?
  • For the customer/employee/partner
    • Right to exert control over collection and use of their personal data by others
    • Appropriate management and collection of information about any named individual
  • PII: personally-identifiable information
    • Depends on the business
    • Depends on the context

8
Common Myths about Privacy
  • Security violates individuals' Privacy
    • Airport security rummaging through your luggage
    • Adding security is a perfect recipe for Big Brother behavior
  • Anonymity is the best prescription for Privacy
    • E.g., viruses spread through e-mail address books
    • On the Web, if you don't log in, they don't know you

9
Privacy: Lawmaker/Consumer View
"The best thing about the Internet is they don't know you're a dog." Tom Toles, Buffalo News, April 4, 2000.
10
Privacy: Headline/Direct Marketing View
You're a four-year-old German Shepherd-Schnauzer mix, likes to shop for rawhide chews, 213 visits to Lassie website, chatroom conversation 8-29-99 said third Lassie was the hottest, downloaded photos of third Lassie 10-12-99, e-mailed them to five other dogs whose identities are
11
Privacy & Security Dynamics
12
Do you need Security for Privacy?
  • For example: how do you want your Traffic Violations tracked?
  • The question is not whether or not it will be tracked.

13
The Privacy/Security Dynamic
  • Privacy and Security are not mutually exclusive
  • Security is a Building Block for Privacy

[Diagram: Privacy (Provide Choice; Grant Access; Define Use, Retention & Disclosure Policies; Provide Notice, Specify Usage) built on the security foundation of Confidentiality, Integrity, Availability]
14
Is there too much Security, ever?
  • Security of your enterprise is only as good as your Weakest Link
    • Weak Password Policy
    • Open Firewall Ports
    • No Access Control policies
    • No system of Least Privilege
    • Social Engineering
  • Defense in Depth is a good strategy
  • Security is not a binary operator

15
Databases' Place in Privacy
16
Privacy Relevance for a Database
  • A Database is simply a Collection of information
  • For Many Businesses:
    • Network of collections of information
    • Data Warehousing
    • Data Mining
    • Applications from Sales Leads Tracking and Order Entry to Employee e-learning initiatives

[Diagram labels: HR, Financials, WWW]
17
Common Privacy Principles for database applications
  • Collected fairly and lawfully
  • Adequate, relevant and not excessive
  • Purpose limitation
  • Accurate and up-to-date
  • Not kept for longer than necessary
  • Not transferred to inappropriate people, organizations and locations
  • Secure: appropriate technical and organizational measures

18
Databases' Role in Privacy
  • Can any Database make your business Privacy Compliant?
    • No, not alone
  • You Must
    • Define privacy policies
    • Enforce Security
    • Audit for Compliance
  • Security is necessary, but alone not sufficient for privacy

19
Top Privacy Challenges for Database Applications
  • Unified Identity
    • Privacy Issues
      • Does it have the capability to compartmentalize profiles?
      • Is there a choice to reveal certain profiles for intranet and internet Services?
  • Testing new applications with Real World Data
    • Developing test data is a tedious task.
    • Scramble production data for test use.
  • Instant Messenger Usage
    • How long are the records archived?
    • Everything you say is on record

20
Security Primer for Privacy Professionals
21
1 Secure By Design, Secure by Development
  • Home Grown Applications
    • Standardize User identification
    • Design an access control model that does not have a backdoor
    • Identify Normal and Abnormal activities
    • Define security policies for data retention, data sharing and privacy of PII
    • Audit for compliance
    • Rely on Standards as often as possible
  • For Commercial Off the Shelf Software
    • Demand Standards Compliance
    • Demand they comply with your security policies
    • Demand Secure by Default

22
2 Secure Deployment
  • Communicate early and often with the IT staff
  • Harden your database
    • Secure by Default
  • Understand the competing issues
    • High availability, High Performance
    • Ease of Use concerns
  • Know your users.
    • Well-formed Applications require authentication
    • Web Sites don't, but they can collect data automatically
      • Time of arrival, how long you stayed, your IP Address, Domain, Pages visited, etc.

23
3 User Authentication
  • Strong Authentication Choices
    • Token Cards
    • Public Key Infrastructure (SSL)
    • Kerberos

Establish Strong Password Policies. Communicate the Password Selection Criteria to users.
24
4 Access Control
  • Select, Insert, Update and Delete: the Primary Operations
  • Grant access based on user identity or the user's membership of a specific group
    • Example: Expense Reporting is by user; the HR Manager View of your department is by membership of the group "HR Managers"
  • Provide only data that is needed.
    • Row Level Security
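
As an added example (not from the deck), the two grant models on this slide, by user identity and by group membership, expressed as PostgreSQL privileges plus row-level security policies; Oracle implements the same row-level idea with Virtual Private Database (DBMS_RLS) policies. Table, column and role names are assumed. The same per-row mechanism is what slide 36's separation of each company's proprietary data relies on.

```sql
-- Added example, PostgreSQL syntax; table and role names are assumed.
CREATE TABLE expense_report (
    report_id  serial        PRIMARY KEY,
    employee   text          NOT NULL,   -- database user name of the submitter
    department text          NOT NULL,
    amount     numeric(10,2) NOT NULL
);

-- Which HR manager may see which department (group membership data).
CREATE TABLE hr_manager_dept (
    manager    text NOT NULL,
    department text NOT NULL,
    PRIMARY KEY (manager, department)
);

-- Only the four primary operations, only to roles, never to PUBLIC.
CREATE ROLE employees;
CREATE ROLE hr_managers;
GRANT SELECT, INSERT, UPDATE, DELETE ON expense_report TO employees;
GRANT USAGE ON SEQUENCE expense_report_report_id_seq TO employees;
GRANT SELECT ON expense_report, hr_manager_dept TO hr_managers;

-- Row Level Security: table-level GRANTs say which operations, policies say
-- which rows. FORCE applies the policies to the table owner as well.
ALTER TABLE expense_report ENABLE ROW LEVEL SECURITY;
ALTER TABLE expense_report FORCE ROW LEVEL SECURITY;

-- By user identity: an employee sees and edits only their own reports.
CREATE POLICY own_reports ON expense_report
    FOR ALL TO employees
    USING (employee = current_user)
    WITH CHECK (employee = current_user);

-- By group membership: an HR manager sees their assigned departments only
-- (the policy subquery runs as the querying user, hence the GRANT above).
CREATE POLICY dept_view ON expense_report
    FOR SELECT TO hr_managers
    USING (department IN (SELECT department FROM hr_manager_dept
                          WHERE manager = current_user));

-- Provide only the data that is needed: a role with no matching policy gets
-- zero rows, and a user outside both roles is refused by the GRANTs first.
```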

25
5 Auditing
  • Goal must be compliance and Not Invasion of Privacy
    • This is not Spyware
    • For example, to establish the exposure to comply with CA Law SB 1386
  • Non-repudiation of a transaction
  • Audit Selectively
    • High-value data or transactions
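
An added example (not from the deck) of the "audit selectively" point in PostgreSQL syntax: only writes to one high-value table are recorded, with enough context to support non-repudiation, and nothing is logged about ordinary reads. Oracle's built-in AUDIT facility serves the same purpose. Table and role names are assumed.

```sql
-- Added example, PostgreSQL syntax; names are assumed.
CREATE TABLE salary (
    emp_id integer       PRIMARY KEY,
    amount numeric(10,2) NOT NULL
);

-- Append-only trail: who changed what, when, from which client.
CREATE TABLE salary_audit (
    audit_id   bigserial   PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),
    db_user    text        NOT NULL DEFAULT current_user,
    client     inet                 DEFAULT inet_client_addr(),
    action     text        NOT NULL,
    emp_id     integer     NOT NULL,
    old_amount numeric(10,2),
    new_amount numeric(10,2)
);

-- SECURITY DEFINER: the trail is written with the function owner's rights,
-- so ordinary users need no direct access to salary_audit at all.
CREATE OR REPLACE FUNCTION salary_audit_fn() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO salary_audit (action, emp_id, new_amount)
        VALUES (TG_OP, NEW.emp_id, NEW.amount);
        RETURN NEW;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO salary_audit (action, emp_id, old_amount, new_amount)
        VALUES (TG_OP, NEW.emp_id, OLD.amount, NEW.amount);
        RETURN NEW;
    ELSE  -- DELETE
        INSERT INTO salary_audit (action, emp_id, old_amount)
        VALUES (TG_OP, OLD.emp_id, OLD.amount);
        RETURN OLD;
    END IF;
END;
$$;

-- Audit writes only, not every SELECT: compliance evidence, not spyware.
CREATE TRIGGER salary_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON salary
    FOR EACH ROW EXECUTE FUNCTION salary_audit_fn();

-- The trail is readable by the auditor role only and never updatable.
CREATE ROLE auditor;
REVOKE ALL ON salary_audit FROM PUBLIC;
GRANT SELECT ON salary_audit TO auditor;
```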

26
6 Centralized Administration
  • DBAs Manage Database Resources and Users
  • Central administration of users in a standard LDAP directory improves manageability
  • Questions to ask
    • Access Control Policies on the Directory Entry (specifically the PII)
    • How do Applications preserve User Identity across tiers?

27
7 Encryption

28
California Senate Bill 1386
  • Legislation on Identity Theft
  • Applies to all organizations with information about California residents
  • In effect since July 2003
  • Notification of security breach of personal data
  • Protects combinations of Name and
    • SSN
    • CCN with PIN
    • Driver's License Number

29
Implications of CA SB 1386
  • Notification
    • Organization must notify consumers if their PII has been compromised
    • No notification required if data is encrypted
  • Does not specify methods or implementations
    • Does not specify algorithms
    • Is a simple substitution cipher good enough? e.g., A→B, 1→2

30
Encryption Basics
[Diagram: "Jane Smith's CCN is 4408 3380 7002 2652" → Encrypt → "ud5nh!ntD4gobQatq" → Decrypt → "Jane Smith's CCN is 4408 3380 7002 2652"]
  • Algorithms used to encrypt and decrypt data
  • Protects data by changing plaintext to a cipher
  • Strength of the security system depends on key management
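
To make slide 29's question concrete, an added example (not from the deck) puts the deck's sample card number through a digit-substitution "cipher" and, beside it, through real symmetric encryption with PostgreSQL's pgcrypto extension, with the key held by the application session rather than the database. Table name, setting name and the demo key are constructed.

```sql
-- Added example, PostgreSQL syntax; table, setting and key are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE card (
    card_id serial PRIMARY KEY,
    holder  text   NOT NULL,
    ccn_sub text,    -- digit-substitution output, kept only for comparison
    ccn_enc bytea    -- pgcrypto ciphertext
);

-- The key is supplied by the application session, never stored in a column
-- or hard-coded: the scheme is only as strong as the custody of this value.
SET app.card_key = 'constructed-demo-key-replace-in-real-use';

INSERT INTO card (holder, ccn_sub, ccn_enc) VALUES
  ('Jane Smith',
   translate('4408 3380 7002 2652', '0123456789', '1234567890'),
   pgp_sym_encrypt('4408 3380 7002 2652', current_setting('app.card_key'))),
  ('Jane Smith (second record of the same card)',
   translate('4408 3380 7002 2652', '0123456789', '1234567890'),
   pgp_sym_encrypt('4408 3380 7002 2652', current_setting('app.card_key')));

-- Substitution: both rows hold '5519 4491 8113 3763', same length and digit
-- pattern as the plaintext, and translate() with its last two arguments
-- swapped reverses it without any key. pgcrypto: random salt and session
-- key, so the two ciphertexts differ and reveal nothing about the digits.
SELECT holder,
       ccn_sub,
       length(ccn_enc) AS enc_bytes,
       ccn_enc = lag(ccn_enc) OVER (ORDER BY card_id) AS same_as_previous_row
FROM   card;

-- Only a session that holds the key can read the number back.
SELECT holder, pgp_sym_decrypt(ccn_enc, current_setting('app.card_key')) AS ccn
FROM   card;
```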

31
Encryption with Public Key Infrastructure (PKI)
[Diagram: Private key and Public key, mathematically linked]
  • Two mathematically-related, yet separate keys
  • Your Private Key: secret, not shared, stored encrypted
  • Your Public Key: shared, published in a public location
  • A Certificate Authority issues you a certificate and Public key

32
Questions for Encryption Solution Providers
  • How will the technology support
    • Key Management
    • Key Recovery
    • Back Ups and Restore
    • Fail Over
    • Transparency (no disruption to existing operations)
    • Identity Spoofing

33
Encryption Solutions
  • Protect Data Integrity and Confidentiality
  • Over the Wire
    • Browser to Application Server
    • Client to Server (Application Server to Database)
  • Stored Data Encryption
    • Credit Card Theft etc.

34
Privacy Compliance: An example
35
Business Challenges - Area 1
  • How can I consolidate multiple data sources in one and the same database?
  • How can I share the information in my data warehouse with partners and customers?
  • How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?
    • Example: public access to aggregate census data is allowed, but accessing individual profiles isn't
    • Example: authorized access to a child's education record
  • Technology can assist in
    • Authentication, Authorization and Fine Grained Access Control
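
The census case on this slide, as an added example (not from the deck): fine-grained access control through a view that exposes aggregates to the public while the individual rows stay with the authorized role. PostgreSQL syntax; table, view and role names are assumed.

```sql
-- Added example, PostgreSQL syntax; table, view and role names are assumed.
CREATE TABLE census_person (
    person_id serial  PRIMARY KEY,
    region    text    NOT NULL,
    age_band  text    NOT NULL,   -- e.g. '30-39'
    income    numeric NOT NULL
);

-- The base table is never readable by the public role.
CREATE ROLE public_researcher;
CREATE ROLE census_analyst;
REVOKE ALL ON census_person FROM PUBLIC;
GRANT SELECT ON census_person TO census_analyst;   -- authorized individual access

-- Aggregates only, and cells with fewer than 10 people are suppressed so a
-- count of one cannot be tied back to a named individual.
CREATE VIEW census_summary AS
SELECT region,
       age_band,
       count(*)           AS persons,
       round(avg(income)) AS avg_income
FROM   census_person
GROUP  BY region, age_band
HAVING count(*) >= 10;

-- The view runs with its owner's rights, so the public role reads the
-- summary without ever gaining SELECT on census_person.
GRANT SELECT ON census_summary TO public_researcher;
```

Suppressing small cells is a minimum, not a complete defence: overlapping aggregate queries can still be differenced against each other, so the grouping columns should stay fixed in the view rather than be exposed as free-form filters.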

36
Business Challenges - Area 2
  • Goal
    • Deliver research data in a hosted environment to subscribers in a timely, cost-effective manner
  • Security Technology can assist in privacy
    • Separate proprietary information between each company
      • Row Level Access
    • Within each company, users require different levels of access
      • Authorization

37