Securing Enterprise Data

September 13th, 2007

Farhan Mohammad – Sr. Sales Engineer



Introduction to Applimation

Data growth management software company

Focus on enterprise applications

Unified, integrated product suite

Founded in 1998

150+ customers using Informia Solutions


Presentation Agenda

• Overview of data privacy

– Definitions

– Terminology

• Use cases/business drivers for data masking

– Production/non-production?

– Motivations

• Data privacy solution best practices

– Functionality

– Features


What is Data Privacy?

Data privacy refers to the evolving relationship between technology and the legal right to, or expectation of, privacy in the collection and sharing of data.


Sensitive Information – Definition

• Non-public private information (NPPI) – details about an individual

• Information protected by government regulations

• Information protected by industry regulations

• Intellectual property

• Anything classified as confidential or private


Why the focus on data privacy?

• Data breaches

– Legal consequences

– Loss of trust (customers, vendors, partners, etc.)

– Negative publicity

– Damage to reputation

• Government Regulations

– Federal Information Security Management Act of 2002

– Gramm-Leach-Bliley Act

– Personal Data Protection Directive (EU)

– HIPAA

– Data Protection Act (UK)


U.S. Data Breaches

• There have been over 100 million individual data breaches since ChoicePoint (Feb 2005)

• Plague all verticals, but most common in:

– Education: University of Notre Dame (1/8/07)

– Gov’t: Wisconsin Department of Revenue (12/29/06)

– Finance/banking: Moneygram (1/12/07)

• Mostly malicious actions

– Hacking or stealing systems with information


Privacy Regulations – More Detail

Regulation: Example Text

HIPAA: “Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information.”

Gramm-Leach-Bliley Act: “The law requires that financial institutions protect information collected about individuals”

Data Protection Act (UK): “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

PCI: “…keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.”


How much of your data is confidential?

[Bar chart: Confidential Data Stats. Bar values as extracted: 24%, 17%, 21%, 26%, 4%, 8%. Response categories: 1% to 10% of our data is confidential; 11% to 25% of our data is confidential; 26% to 50% of our data is confidential; 51% to 75% of our data is confidential; More than 75% of our data is confidential; Don't know.]

SOURCE: ESG Research Report: Protecting Confidential Data, March, 2006.


Why is data privacy required?

• Production environment security model to control access

• Non-production environment security is opened up to enable development and testing

Non-production business drivers

– Development

– Testing

– Support

– Outsourcing


Example – Prod vs Non-Prod

Production Non-Production


What is Data Masking?

Protecting sensitive information by hiding or altering data so that an original value is unknowable.

Also known as:

– De-identifying

– Protecting

– Camouflaging

– Data masking

– Data scrubbing


Data Privacy Software – Data Masking Best Practices


Best Practice # 1 – Enterprise Solution

Single installation

Connect to multiple databases

Single Masking Engine

Unified Architecture

Reusable and repeatable policies

Supported database platforms

Oracle

SQL Server

DB2 LUW

DB2 zOS

Sybase

MySQL


Best Practice # 2 – Built in Masking Methods

Substitute

Randomize

Shuffle

Nullify

Scramble

Skew

Encrypt

Custom SQL

Mathematical Formulae


Example - Skew Method

Taking an existing value and altering it within a defined range

Skew Type    Original Value   Skew Range     Masked Value
Percentage   $48,000          +/- 20%        $42,105
Integer      564              +/- 100        623
Date         8/12/2007        +/- 180 days   1/22/2008


Example - Substitute Method

Emp ID   Name            City       ST   Zip
0964     John Smith      Plano      TX   75025
9388     Mark Jones      Modesto    CA   95356
2586     Rob Davis       Hartford   CT   06111
7310     Jeff Richards   Tampa      FL   33617

Emp ID   Name            City       ST   Zip
0964     Joe Marks       Topeka     KS   66618
9388     Gary Franks     Billings   MT   59102
2586     David Sanger    Tucson     AZ   85704
7310     Dan Lister      Detroit    MI   48216


Best Practice # 3 – Easy to Use / Learn

• Navigation Tree – modules and rule sets

• Designer Canvas – Drag and drop; auto discovery

• Rule Creator – group rules logically


Best Practice # 4 - Content

Substitute - Replace existing values with new values that follow the format of the original

Male and female names

Last names

Male and female titles/suffixes

Credit card numbers – Visa, MasterCard, Amex

Country, state, county, town names

Zip codes

Phone numbers

Email addresses


Best Practice # 5 - Data Format Validation

Ensuring that the structure of a piece of data is maintained after masking

Type of Data              Pattern
MasterCard Number         Prefix 51 – 55, Length 16
Visa Number               Prefix 4, Length 13, 16
American Express Number   Prefix 34, 37, Length 15
Social Security Number    123-45-6789, first three digits are geographical
Telephone Numbers         (123) 456-7890
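A sketch of how the card patterns in the table above can be enforced during masking (an added example, not Informia Secure code). The Luhn check digit is an addition that does not appear on the slide, and all function names are hypothetical.

```python
import secrets

# Prefix and length rules exactly as listed in the table above.
CARD_RULES = {
    "MasterCard": (("51", "52", "53", "54", "55"), (16,)),
    "Visa": (("4",), (13, 16)),
    "American Express": (("34", "37"), (15,)),
}
SAMPLE_VISA = "4111111111111111"  # widely published test number, not a real account


def card_brand(number):
    """Return the brand whose prefix and length rule the number satisfies, else None."""
    if not number.isdigit():
        return None
    for brand, (prefixes, lengths) in CARD_RULES.items():
        if number.startswith(prefixes) and len(number) in lengths:
            return brand
    return None


def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn checksum (assumption: not on the slide)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


def mask_card(number):
    """Randomize the digits after the brand prefix, keeping brand, length and checksum."""
    brand = card_brand(number)
    if brand is None:
        raise ValueError("input does not match any card pattern in CARD_RULES")
    prefix = next(p for p in CARD_RULES[brand][0] if number.startswith(p))
    filler = len(number) - len(prefix) - 1
    masked = prefix + "".join(secrets.choice("0123456789") for _ in range(filler))
    masked += luhn_check_digit(masked)
    if card_brand(masked) != brand:  # format validation after masking
        raise RuntimeError("masked value broke the format rule")
    return masked
```

Only the brand prefix survives masking, so applications that validate card format in the non-production copy keep working while the account digits are replaced.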


Best Practice # 6 - Data Consistency

Intra-Row: Different fields within a row are related

Example: Age and birth date

Intra-Table: Rows within a table are related

Example: Multiple assignments for a single employee stored in one table

Inter-Table: Rows in different tables are related

Example: Changing the employee number may have cascading effects


Additional Best Practices

# 7 - Relational integrity

# 8 - Policy simulation

# 9 - Auditability


Best Practice # 10 – Application Awareness

What is sensitive?

Where is it?

How to mask it?

What’s it related to?


Example – Application Awareness

PeopleSoft HCM Module

Functional Name: Job Evaluation Criteria
Field: JOB_POINTS_TOTAL
Mask Type: Shuffle
Related Fields: JOB_KNOWHOW_POINTS, JOB_ACCNTAB_POINTS, JOB_PROBSLV_POINTS

Functional Name: Salary Ranges
Field: MID_RT_ANNUAL
Mask Type: Skew
Related Fields: MIN_RT_HOURLY, MID_RT_HOURLY, MAX_RT_HOURLY, MIN_RT_MONTHLY, MID_RT_MONTHLY, MAX_RT_MONTHLY, MIN_RT_ANNUAL, MAX_RT_ANNUAL

Functional Name: Name
Field: NAME
Mask Type: Substitute
Related Fields: LAST_NAME_SRCH, FIRST_NAME_SRCH, LAST_NAME, FIRST_NAME, MIDDLE_NAME, NAME_DISPLAY, NAME_FORMAL


Summary – Data Masking Best Practices

1. Enterprise solution

2. Built-in Data Masking Methods

3. Easy to use / learn

4. Content

5. Data Format Validation

6. Data Consistency

7. Relational Integrity

8. Policy Simulation

9. Auditability

10. Application Awareness (Accelerators)


Informia Secure and Oracle

Applimation is an Oracle Certified Advantage Partner, and has developed application-specific data masking “accelerators” for the Oracle E-Business Suite.

The Informia Secure accelerators streamline the data masking effort by providing functionality-focused data masking algorithms. The application data has been analyzed to identify likely data fields, and potential masking algorithms have been defined for them. The user can then choose the specifics.


Informia Secure and Oracle

Accelerator Example

– Client wishes to mask the name field.

– Client selects Name for masking.

– Behind the scenes, Informia Secure knows the related fields to also mask, such as First Name, Last Name, etc.

– Client chooses the method, e.g. Substitution.

– Informia Secure executes the data masking by

• selecting replacement values from a substitution table

• inserting the replacement values into the primary table

• creating new values for the related fields on the table

• cascading the new value set to other tables using these fields
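The substitution-and-cascade sequence above, sketched against an in-memory SQLite database (an added example, not Informia Secure code or the Oracle E-Business Suite schema). The `employee` and `assignment` tables, the "Last,First" name format, the substitution lists and the HMAC-keyed choice are all assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed substitution lists; a real policy would use much larger ones.
FIRST = ["Joe", "Gary", "David", "Dan", "Alan", "Peter"]
LAST = ["Marks", "Franks", "Sanger", "Lister", "Boyd", "Hale"]


def pick(key, emp_id, field, values):
    """Keyed, repeatable choice: the same employee always gets the same replacement."""
    digest = hmac.new(key, f"{field}:{emp_id}".encode(), hashlib.sha256).digest()
    return values[int.from_bytes(digest[:8], "big") % len(values)]


def mask_names(conn, key):
    """Substitute first/last name, rebuild the related fields, cascade to the child table."""
    for (emp_id,) in conn.execute("SELECT emp_id FROM employee").fetchall():
        first = pick(key, emp_id, "first", FIRST)
        last = pick(key, emp_id, "last", LAST)
        # Related fields on the primary table are derived from the new values.
        conn.execute(
            "UPDATE employee SET first_name=?, last_name=?, name=?, last_name_srch=? WHERE emp_id=?",
            (first, last, f"{last},{first}", last.upper(), emp_id),
        )
        # Cascade: other tables that carry a copy of the name get the same value set.
        conn.execute("UPDATE assignment SET name=? WHERE emp_id=?", (f"{last},{first}", emp_id))
    conn.commit()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (emp_id TEXT PRIMARY KEY, first_name TEXT, last_name TEXT,
                               name TEXT, last_name_srch TEXT);
        CREATE TABLE assignment (id INTEGER PRIMARY KEY, emp_id TEXT, name TEXT);
        INSERT INTO employee VALUES ('0964','John','Smith','Smith,John','SMITH'),
                                    ('9388','Mark','Jones','Jones,Mark','JONES');
        INSERT INTO assignment (emp_id, name) VALUES ('0964','Smith,John'),
                                                     ('0964','Smith,John'),
                                                     ('9388','Jones,Mark');
    """)
    mask_names(conn, b"constructed-demo-key")
    return conn
```

Because the replacement is derived from the employee ID and a secret key, re-running the policy or masking another table later yields the same masked name, which keeps intra-table and inter-table rows consistent.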


Creating a Secure Oracle Instance

Careful planning is needed to properly create a secure Oracle E-Business Suite environment. The following items should be defined upfront:

– Goals for data masking

– Uses of the secured environment

– Level of functionality to maintain.

– Level of data integrity to maintain

– Users of the secured environment and their access levels.


Creating a Secure Oracle Instance

Goals for data masking

– Protect confidential personal information, such as social security number, addresses, phone.

– Protect confidential employment information, such as salary, employee review data.

Uses of the secured environment

– Development – Online & Batch

– Testing – Configuration, Online, Batch, Production

– Training & Demonstrations


Creating a Secure Oracle Instance

Level of Functionality to maintain

– Which modules will be used in the secure environment?

– To what level does the functionality need to function?

Level of data integrity to maintain

– Current Data

– Historical Data

– Intermodule relationships

Users of the secured environment and their access levels.

– Types of user: functional users, technical users.

– Access levels: expanded user menu access, “back door” (SQL) access.


Creating a Secure Oracle Instance

Using Applimation Informia Secure, you can easily create a secure Oracle E-Business Suite environment that protects your data, while allowing you to productively use your secure environment to meet your business needs.


Questions……