Database Confidentiality - PowerPoint PPT Presentation

Description: A Comprehensive Solution. Team Mag 5: Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
Slides: 14
Provided by: Juli1175

Transcript and Presenter's Notes

1
Database Confidentiality
  • A Comprehensive Solution

Team Mag 5: Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
2
The Business Problem
  • 44 states have enacted laws under which companies that lose customer or employee data can be held liable
  • In our most recent HR audit we discovered the following flaws:
    • Data is stored in an unsecured manner
    • Lack of compliance with the Corporate Data Privacy Policy
    • Varying interpretations of how the Data Privacy Policy applies
    • Transfer of unsecured data to various vendors
    • Lack of control over data usage and access

3
Why you need to worry about data confidentiality
  • Auditors are increasingly concerned with personally identifiable data.
  • US Sarbanes-Oxley Act
  • Global companies need to worry about Safe Harbor for global data.
  • Increased awareness of identity theft.
  • Health information
  • Use technology, not only policy, to protect data.
  • Proactive measures instead of responsive measures after data has already been exposed.

4
Pros and Cons of Other Solutions
(Table columns: Solution, Description, Pros, Cons)
  • Data Obfuscation (Masking, Scrambling)
    Description: Fake or scrambled data set for use by design and implementation teams
    Cons: Can be very expensive; good fake data can range in cost from $200,000 to $1 Million
  • Encryption of Data
    Description: Allows personally identifiable data to be scrambled if an intrusion takes place
    Cons: Adds overhead and possible performance issues
  • Database Intrusion/Extrusion Prevention
    Description: Looks for SQL injections, bad access commands and odd outbound data
    Cons: Can eat into overhead and cause performance issues; also expensive; needs very specific criteria to set up
  • Data Leak Prevention
    Description: Catches any data that is being sent out of the system
    Cons: Does not protect data in the actual data warehouse
5
Risk/Benefit Analysis
6
Our Suggested Solution: Vormetric Data Security
7
Why is this better than other solutions?
  • Improved over basic encryption with high-speed 128/256-bit file-based encryption, which resolves the performance issues of other encryption solutions.
  • Improved database intrusion detection because it is context aware: it knows all the users and their access hours and abilities.
  • Improved data leak prevention, since it prevents the unencrypted data from even being accessed, let alone removed from the system.

8
(No transcript)
9
Pricing Scenario
  • Vormetric appliance for production: $39,900.00
  • Vormetric appliance for development: $29,000.00
  • Unix / Windows Server Agent License for production: $6,250.00
  • Windows Server Agent License for development: $3,125.00
  • Oracle Database server agent License for production: $6,000.00
  • Oracle Database server agent License for development: $3,000.00
  • Total cost for this HR project: $88,175.00
  • These costs are significantly less than the $200,000 to $1 Million per-data-set pricing of the other solutions that are available.
  • The cost-to-risk ratio is good, as a data loss or compromise can cost millions in legal fees and lost customer or employee confidence.

10
Risk/Benefit Analysis
  • Concerns about encryption's impact on performance?
    Data Security Expert delivers high-speed file-level encryption of stored data using a FIPS 140-2 certified AES (128/256-bit) algorithm.
  • Concerns about data beyond the database level?
    Data Security Expert provides file-level encryption because the underlying files in which data is stored are the primary point of attack.
  • Concerns about administrator access to data?
    Data Security Expert's separation-of-duties feature further restricts access to data by allowing system administrators and root users to maintain the system and back up data without being able to view the sensitive data.

11
Risk/Benefit Analysis
  • Concerns about authorized users taking unauthorized actions?
    Context-aware control means that Data Security Expert grants access only to authorized users performing authorized operations on authorized applications during specific time windows.
  • Concerns about being able to report on which users have accessed the system?
    The system logs every attempted access to any data by any user: not only authorized access requests, but all attempts to circumvent the authorized access channels.
  • Concerns about legal regulations?
    The system is entirely auditable to comply with Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), HIPAA, CA SB 1386, the EU Data Protection Act, Visa's CISP and the PCI requirements, and other mandates regarding the handling and protection of information.
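
Slides 10 and 11 describe three controls in words: separation of duties (administrators maintain and back up the system but never see cleartext), context-aware access (user, operation, application and time window must all be authorized), and an audit log that records every attempt, denied ones included. The following is an added example that is not part of the presentation and is not Vormetric's code; it models those three controls as a small policy engine. The users, applications, operations and time window it uses are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, FrozenSet, List, Tuple

# Operations an administrator may run against the encrypted files without
# ever being granted the cleartext (the separation-of-duties idea).
MAINTENANCE_OPS: FrozenSet[str] = frozenset({"backup", "restore", "compact"})


@dataclass(frozen=True)
class Request:
    """One access attempt: who, what, through which program, and when."""
    user: str
    operation: str      # e.g. "read", "write", "backup"
    application: str    # the process on whose behalf the request is made
    at: time            # local time of day of the attempt


@dataclass(frozen=True)
class Rule:
    """A grant: these users may run these operations from these
    applications inside a [start, end) time window."""
    users: FrozenSet[str]
    operations: FrozenSet[str]
    applications: FrozenSet[str]
    window: Tuple[time, time]

    def matches(self, req: Request) -> bool:
        start, end = self.window
        return (req.user in self.users
                and req.operation in self.operations
                and req.application in self.applications
                and start <= req.at < end)


@dataclass
class PolicyEngine:
    rules: List[Rule]
    admins: FrozenSet[str]                 # root / system administrators
    audit: List[Dict] = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        """Evaluate one request and record it; every attempt is logged,
        denied ones included."""
        if req.user in self.admins:
            # Administrators maintain the system and back up the (encrypted)
            # data, but no rule can ever grant them a cleartext read.
            allowed = req.operation in MAINTENANCE_OPS
            reason = ("maintenance on ciphertext" if allowed
                      else "separation of duties: admins never read cleartext")
        else:
            allowed = any(r.matches(req) for r in self.rules)
            reason = ("matching rule" if allowed
                      else "no rule grants this user/operation/application/time")
        self.audit.append({"user": req.user, "operation": req.operation,
                           "application": req.application,
                           "at": req.at.isoformat(timespec="minutes"),
                           "allowed": allowed, "reason": reason})
        return allowed

    def denied_attempts(self) -> List[Dict]:
        """The part of the log an auditor usually asks for first."""
        return [e for e in self.audit if not e["allowed"]]


def build_engine() -> PolicyEngine:
    """Constructed policy (hypothetical names): HR user 'alice' may read and
    write through the 'hr_portal' application during business hours;
    'root' is an administrator."""
    hr_hours = Rule(users=frozenset({"alice"}),
                    operations=frozenset({"read", "write"}),
                    applications=frozenset({"hr_portal"}),
                    window=(time(8, 0), time(18, 0)))
    return PolicyEngine(rules=[hr_hours], admins=frozenset({"root"}))


def run_demo() -> List[bool]:
    """Constructed attempts covering the cases the slides raise."""
    engine = build_engine()
    attempts = [
        Request("alice", "read", "hr_portal", time(10, 0)),     # inside policy
        Request("alice", "read", "hr_portal", time(23, 0)),     # outside hours
        Request("alice", "read", "sqlplus", time(10, 0)),       # wrong application
        Request("root", "backup", "backup_agent", time(2, 0)),  # maintenance only
        Request("root", "read", "sqlplus", time(2, 0)),         # admin wants cleartext
        Request("bob", "read", "hr_portal", time(10, 0)),       # not an authorized user
    ]
    results = [engine.decide(r) for r in attempts]
    for entry in engine.denied_attempts():
        print("DENIED", entry)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the administrator branch is evaluated before any rule: no rule, however permissive, can hand root a cleartext read, which is what the separation-of-duties claim on slide 10 amounts to. The log entries are appended on both branches, so a report of "who tried what" is a filter over one list rather than a join of an allow log with a deny log.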

12
Business Impact
  • This will secure all HR-related data at all levels with minimal performance impact:
    • Database/OS
    • Backup
    • Data transfers
  • Will allow users to access their own HR data securely and blocks access to all unauthorized users
  • Administrators can work on the system without seeing confidential data

13
Cross-Industry Legal Application
  • HIPAA - Confidentiality and integrity controls for patient health information (PHI)
  • GLBA - Privacy and protection for sensitive personally identifiable information
  • PCI-DSS - Broadest solution for encryption, key management, access control, and audit that uniquely removes roadblocks for compliance with PCI encryption requirements
  • SOX - Integrity, access and audit controls for financial data plus trade secret protection to reduce the risk of Sarbanes-Oxley material events
  • State Breach Notification Laws - Transparent, cost-effective encryption to eliminate data breach notification requirements