Upload: celia-ogburn

Post on 14-Dec-2015

www.hexaware.com • 2© Hexaware Technologies. All rights reserved. © Hexaware Technologies. All rights reserved. www.hexaware.com • 2

Agenda

Data Masking - The need

Data theft - Statistics

Objectives & Benefits

Features

Masking Techniques

Q&A

Data Masking – The Need

Business Challenges/Risks

• Increasing number of regulations & policies governing data privacy
• Exposing sensitive information while sharing non-production data during outsourcing
• Unauthorized access of confidential data by insiders
• Legal consequences due to data theft by insiders and external vendors

Data Masking – The Need

Secure Zone

• Production environment
• Strict access restrictions

Potential Risk Area

• Non-production environment
• Looser access controls
• Vulnerable to security attacks

Statistics - The ‘Insider Threat’

Insider Threat to Compliance and Privacy

• 90% of major corporations detected security breaches

• 70% of corporations detected unauthorized access by insiders

• Myth: Hackers cause most security breaches

• Fact: “Disgruntled employees and other insiders accounted for more than 70% of the cyber attacks”

Reference – Computer World

Security Layers

Network Security

Application Security

OS Security

Unauthorized Insider Access

Data

Privacy Compliance Legislations

Organizations today face a growing number of regulations that mandate the accuracy, protection and privacy of data across the enterprise

Timeline axis: 1995, 2002, 2004

• UK Data Protection Act (1998): All companies doing business in UK
• European Data Privacy Directive (1998): All companies doing business in Europe handling PII
• HIPAA (1996), Healthcare & Insurance: All U.S. businesses handling medical records
• Canadian – Personal Information Protection And Electronic Documents Act (2001): All companies doing business in Canada
• AUS Privacy Act (2000): All companies doing business in AUS
• Sarbanes Oxley: All U.S. public companies and private foreign issuers
• Gramm-Leach Bliley (1999): Banks and financial services companies doing business in U.S.

Examples of sensitive data

Sector-wise Sensitive Information

Health Care/Medical
1. Patient name
2. Medical record numbers
3. Health Plan Beneficiary Numbers

University
1. Grades
2. Student Financial Numbers
3. Financial Aid/Grants

Research
1. Funding/Sponsorship information
2. Human subject information

Common Sensitive Information

Employee Information
1. SSN
2. Name
3. Date of Birth
4. Contact Information
5. Pay components
6. Bank Account Number
7. Credit Card Number

Objectives & Business Benefits

Akiva

| Objectives | Business Benefits |
| --- | --- |
| Protection of employee data | Adherence to data privacy legislations |
| Create de-identified production database copies | Opens the avenue for Outsourcing – Results in cost reduction |
| De-identify sensitive data for internal use | Reduces the overhead of implementing internal security access policies |
| Availability of realistic data post-masking | High quality data is available for testing – Delivery excellence |
| Application data integrity | No impact on existing functionality of Application – No additional cost |

Where does Akiva fit in?

[Diagram labels: Production database, Client zone, Copy of Production, Unmasked data, Akiva, Masked data, Copy of Production, Vendor zone]

Sample records shown in the diagram:

EMPLID – LU2947; NAME – Tom Fabris; SSN – 643-75-9912; Email – employee@company.com

EMPLID – FN1355; NAME – Kevin Peterson; SSN – 231-28-1046; Email – kevin.peterson@domain.com

Application-centred masking

Akiva understands the complete Application Architecture

• Masking is performed after taking into consideration the business processes and functionality in the application

• Akiva is customizable to suit custom-built or home-grown enterprise applications

• Akiva guarantees consistency post-masking

Features

• Multi-threading: Supports parallel execution to reduce runtime
• Key field masking: Supports masking of all key fields without any impact
• Flexibility: Ability to choose any sensitive data across the enterprise
• Reusability: Masking configurations can be reused for multiple runs
• Preview masking: See a preview of the masked data before actual masking
• Batch Processing: Akiva can be run from the command line as a batch process
• Masking Algorithms: User can mask in numerous ways using inbuilt algorithms in Akiva
• Subset masking: Masks only a selected set of tables
• Platform and Database: Supports Unix and Windows platforms and runs on Oracle database

Features (continued)

• Data Integrity: No impact on Business Processes
• User interface: Simple, intuitive and user-friendly web interface
• Flat File masking: Facilitates flat file masking
• Database Level Security: Security permissions of Akiva are the same as those granted by the database
• Realistic Data: Data post-masking is realistic and fully functional
• Ability to handle Customization: Takes care of customizations in the application while masking
• Mask it your way: Create your own masking algorithm

Features

Algorithm

• Scramble
• Sequence number generator
• Pattern generator
• Combo Shuffle
• Generic shuffle
• Blank out
• Replacement
• SSN generator
• Luhn generator
• Rule based algorithm
• Country based name lookup

Additional functions

• Scheduler
• Profiling
• Multi threading
• Schedule monitor
• Masking preview
• Key field masking

Masking Techniques

Shuffle: Replace sensitive values with meaningful, readable data

Sample fields: Employee Name information, Address details

Before Masking

| Name | Last Name | First Name | EMP ID |
| --- | --- | --- | --- |
| Obrien, Kandy | Obrien | Kandy | LZ001 |
| Peterson, Kevin | Peterson | Kevin | KU002 |
| Adams, John | Adams | John | KU001 |

After Masking

| Name | Last Name | First Name | EMP ID |
| --- | --- | --- | --- |
| Pearson, Emily | Pearson | Emily | LZ001 |
| Gilberto, Samuel | Gilberto | Samuel | KU002 |
| Bonner, Rob | Bonner | Rob | KU001 |

Masking Techniques

Blankout: Simply replaces a field with a value of “ ” or 0

Sample fields: Employee Address details, Phone Number

Before Masking

| Phone Number | EMP ID |
| --- | --- |
| 614/834-1247 | LZ001 |
| 847/729-5711 | KU002 |
| 608/831-0103 | KU001 |

After Masking

| Phone Number | EMP ID |
| --- | --- |
|  | LZ001 |
|  | KU002 |
|  | KU001 |

Masking Techniques

Replacement: Simply replaces a field with a supplied static value

Sample fields: Email Address, Phone Number

Before Masking (columns: Email Address, EMP ID)

[email protected]

[email protected]

[email protected]

After Masking (columns: Email Address, EMP ID)

[email protected]

[email protected]

[email protected]

Masking Techniques

Lookup: Replace employee names and addresses choosing from an inbuilt repository of over 200,000 names

Sample fields: Employee Name information, Address details

Before Masking

| Name | Last Name | First Name | EMP ID |
| --- | --- | --- | --- |
| Obrien, Kandy | Obrien | Kandy | LZ001 |
| Peterson, Kevin | Peterson | Kevin | KU002 |
| Adams, John | Adams | John | KU001 |

After Masking

| Name | Last Name | First Name | EMP ID |
| --- | --- | --- | --- |
| Julia, Angeline | Julia | Angeline | LZ001 |
| Conrad, Michael | Conrad | Michael | KU002 |
| McKinley, Larry | McKinley | Larry | KU001 |

Masking Techniques

SSN Generator: Generate valid US Social Security Numbers for all employees

Sample fields: SSN, NATIONAL_ID

Before Masking

| SSN | EMP ID |
| --- | --- |
| 304-25-9151 | LZ001 |
| 152-08-2397 | KU002 |
| 002-01-0001 | KU001 |

After Masking

| SSN | EMP ID |
| --- | --- |
| 513-01-0087 | LZ001 |
| 513-01-0421 | KU002 |
| 513-01-0270 | KU001 |

Masking Techniques

Luhn Generator: Generate numbers satisfying Luhn checksum condition

Sample fields: Credit Card Number

Before Masking

| Credit Card Number | EMP ID |
| --- | --- |
| 5588 3201 2345 6783 | LZ001 |
| 4302 1519 0076 5981 | KU002 |
| 4552 7204 1234 5677 | KU001 |

After Masking

| Credit Card Number | EMP ID |
| --- | --- |
| 4119 6175 2805 4704 | LZ001 |
| 5219 4473 6058 2919 | KU002 |
| 5490 1234 5678 9128 | KU001 |
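One way a Luhn generator can work, shown as an added example (not Akiva's code and not part of the original deck): each card number is replaced by a surrogate that keeps the original length and separators and still passes the Luhn check. Deriving the digits from an HMAC is an assumption of this sketch, chosen so the same input masks to the same value in every table; `DEMO_KEY` and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real masking key belongs in a secrets store.
DEMO_KEY = b"constructed-demo-key"
# "Before Masking" card numbers shown on the slide.
SLIDE_CARDS = ["5588 3201 2345 6783", "4302 1519 0076 5981", "4552 7204 1234 5677"]


def luhn_check_digit(body: str) -> int:
    """Return the digit that makes body + digit pass the Luhn checksum."""
    total = 0
    # Walk right to left; the digit adjacent to the check digit is doubled first.
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the digits in number (separators ignored) satisfy Luhn."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == int(digits[-1])


def mask_card(number: str, key: bytes = DEMO_KEY) -> str:
    """Replace a card number with a keyed, Luhn-valid surrogate of the same layout."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 2:
        raise ValueError("value does not look like a card number")
    n = len(digits) - 1
    # HMAC makes the mapping repeatable (same input, same surrogate in every
    # table and run) without being reversible or guessable without the key.
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    body = str(int.from_bytes(mac, "big") % 10**n).zfill(n)
    surrogate = iter(body + str(luhn_check_digit(body)))
    # Re-apply the original separators so column widths and formats still fit.
    return "".join(next(surrogate) if c.isdigit() else c for c in number)


if __name__ == "__main__":
    for card in SLIDE_CARDS:
        print(card, "->", mask_card(card))
```

The surrogate may begin with any digit, including 0; a test system that also validates issuer prefixes would need the leading digits fixed before the check digit is computed.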

Masking Techniques

Sequence Number Generator: Generate alphanumeric sequences in order

Before Masking

| DEP_ID | EMP ID |
| --- | --- |
| FN3056 | LZ001 |
| FN1149 | KU002 |
| FN5297 | KU001 |

After Masking

| DEP_ID | EMP ID |
| --- | --- |
| PU0102 | LZ001 |
| PU0101 | KU002 |
| PU0100 | KU001 |

Masking Techniques

Random Number Generator: Generate numbers at random

Before Masking

| COMPRATE | EMP ID |
| --- | --- |
| 855.47 | LZ001 |
| 309.12 | KU002 |
| 753 | KU001 |

After Masking

| COMPRATE | EMP ID |
| --- | --- |
| 138.59 | LZ001 |
| 670.05 | KU002 |
| 527.34 | KU001 |

Masking Techniques

Pattern Generator: Generates a set of numbers based on user-defined pattern

Before Masking

| MEMBERSHIP_ID | EMP ID |
| --- | --- |
| 917 | LZ001 |
| 242 | KU002 |
| 121 | KU001 |

After Masking

| MEMBERSHIP_ID | EMP ID |
| --- | --- |
| 716 | LZ001 |
| 501 | KU002 |
| 253 | KU001 |

A SAMPLE PATTERN

Requirement: MEMBERSHIP_ID - 3 digit numbers satisfying the condition (Hundredth digit + Tenth digit) > Units digit

Example: A valid number is 253, (2+5) > 3. An invalid number is 129, (1+2) < 9.

Steps: The requirement can be interpreted and broken down into the following steps (digits are numbered from left to right).

Step 1: S1 = Digit 1 + Digit 2

Step 2: S2 = S1 > Digit 3

Masking Techniques

Rule based masking: Consistently masks the database based on rules/custom masking algorithms defined by the user.

SAMPLE RULE 1 – CUSTOM MASKING ALGORITHM

Requirement: Decrease the Compensation Rate Code field value by a fixed percentage.

Define custom masking algorithm

COMPRATE – Compensation Rate Code field

Step 1: Step 1 = 30% of COMPRATE

Step 2: COMPRATE = Step 1

SAMPLE RULE 2 – FIELD RELATIONSHIP DEFINITION

Requirement: Mask all the pay details of employees

Define relationship between fields

• NP – Net Pay
• GP – Gross Pay
• BP – Basic Pay
• HRA – House Rent Allowance
• DA – Dearness Allowance

Step 1: NP = GP - Tax

Step 2: Tax = 20% GP

Step 3: GP = BP + HRA + DA

Step 4: HRA = 50% BP

Step 5: DA = 10% BP

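Masking Techniques

Rule based masking sample data

Before Masking

| NP | GP | HRA | DA | BP | EMP ID |
| --- | --- | --- | --- | --- | --- |
| 14080 | 17600 | 5500 | 1100 | 11000 | LZ001 |
| 13473.2 | 16841.6 | 5263 | 1052.6 | 10526 | KU002 |
| 12800 | 16000 | 5000 | 1000 | 10000 | KU001 |

After Masking

| NP | GP | HRA | DA | BP | EMP ID |
| --- | --- | --- | --- | --- | --- |
| 72089.6 | 90112 | 28160 | 5632 | 56320 | LZ001 |
| 70183.6 | 87729.6 | 27415 | 5483.1 | 54831 | KU002 |
| 69529.6 | 86912 | 27160 | 5432 | 54320 | KU001 |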
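The field relationships of SAMPLE RULE 2 applied to the sample rows, as an added example (not Akiva's code and not part of the original deck): only the independent field BP is replaced, the dependent fields are recomputed from it, and a checker reports any row that breaks the rule. The HMAC-based choice of the new BP, `DEMO_KEY`, `BP_RANGE`, `TOLERANCE` and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
from decimal import Decimal

DEMO_KEY = b"constructed-demo-key"  # assumption: real keys live in a secrets store
BP_RANGE = (20000, 100000)          # assumption: bounds for masked Basic Pay
TOLERANCE = Decimal("1")            # absorbs decimals the slide truncates
FIELDS = ("EMP_ID", "BP", "HRA", "DA", "GP", "NP")

# Rows as printed in the slide's Before/After Masking tables.
SLIDE_BEFORE = [dict(zip(FIELDS, r)) for r in (
    ("LZ001", "11000", "5500", "1100", "17600", "14080"),
    ("KU002", "10526", "5263", "1052.6", "16841.6", "13473.2"),
    ("KU001", "10000", "5000", "1000", "16000", "12800"))]
SLIDE_AFTER = [dict(zip(FIELDS, r)) for r in (
    ("LZ001", "56320", "28160", "5632", "90112", "72089.6"),
    ("KU002", "54831", "27415", "5483.1", "87729.6", "70183.6"),
    ("KU001", "54320", "27160", "5432", "86912", "69529.6"))]


def derive_pay(bp: Decimal) -> dict:
    """SAMPLE RULE 2: every pay field is a function of Basic Pay."""
    hra = bp * Decimal("0.50")                  # Step 4
    da = bp * Decimal("0.10")                   # Step 5
    gp = bp + hra + da                          # Step 3
    tax = gp * Decimal("0.20")                  # Step 2
    return {"BP": bp, "HRA": hra, "DA": da, "GP": gp, "NP": gp - tax}  # Step 1


def violations(row: dict) -> list:
    """Names of the fields in a row that break the defined relationships."""
    expected = derive_pay(Decimal(row["BP"]))
    return [f for f in FIELDS[2:] if abs(Decimal(row[f]) - expected[f]) > TOLERANCE]


def mask_pay(row: dict, key: bytes = DEMO_KEY) -> dict:
    """Mask only the independent field (BP), then recompute its dependents."""
    mac = hmac.new(key, f'{row["EMP_ID"]}|{row["BP"]}'.encode(), hashlib.sha256).digest()
    low, high = BP_RANGE
    masked_bp = Decimal(low + int.from_bytes(mac[:8], "big") % (high - low))
    return {"EMP_ID": row["EMP_ID"], **{k: str(v) for k, v in derive_pay(masked_bp).items()}}


def mask_bp_only(row: dict, key: bytes = DEMO_KEY) -> dict:
    """Counter-example: replace BP but leave the dependent columns untouched."""
    return {**row, "BP": mask_pay(row, key)["BP"]}


if __name__ == "__main__":
    for row in SLIDE_BEFORE:
        print(mask_pay(row), violations(mask_bp_only(row)))
```

Because every pay field here is a fixed multiple of BP, a dependent column left unmasked both fails the consistency check and lets the original BP be recomputed from it, so all five fields have to change together.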

[email protected]

Thank You