Security, Privacy, Compliance

Transcription

1 Security, Privacy, Compliance Tech-Security Conference Chicago, IL January 19, 2012 Vitaly Dubravin, CTO f r o m i n f o r m a t i o n t o i n t e l l i g e n c e

2 Premium IT Services Boutique Information Management Specialists Insuring better governance, easing compliance and improving security. Information Security and Compliance Data Warehousing and Business Intelligence Expert IT staffing for with BI, DW and Data security 2012 GRT Corporation 2

3 Exponential Data Growth "The toxic terabyte: How data-dumping threatens business efficiency." (Global Technical Services whitepaper) 2012 GRT Corporation 3

4 Recent Data Leaks Source: GRT Corporation 4

5 Sony Disaster Source: GRT Corporation 5

6 Emerging Enterprise Technologies Known benefits : Instant distribution Destination unknown Global coverage Too readily available 2012 GRT Corporation 6

7 What? 2011 Data Breach Investigations Report Who is behind data breaches? 92 % 92 % stemmed from external agents (+22%) 17 % implicated insiders (-31%) <1 % resulted from business partners (-10%) 9 % involved multiple parties (-18%) securityblog.verizonbusiness.com What commonalities exist? 83 % of victims were targets of opportunity (<>) 92 % of attacks were not highly difficult (+7%) 50 % How do breaches occur? 50 % utilized some form of hacking (+22%) 49 % incorporated malware (+10%) 29 % Involved physical attacks (+14%) 17 % resulted from privilege misuse (-31%) 11 % employed social tactics (-17%) 76 % of all data was compromised from servers (-22%) 86 % were discovered by a third party (+25%) 96 % of breaches were avoidable through simple or intermediate controls (<>) 76 % 89 % of victims subject to PCI-DSS had not achieved compliance (+10%) 2012 GRT Corporation 7

8 How Much Does Personal Information Cost? Your information is being sold by data brokers to companies and agencies everyday Address - $0.50 Past Address - $9.95 Marriage/Divorce - $7.95 Education Background - $12.00 Employment History - $13.00 Phone Number - $0.25 Unpublished Phone Number - $17.50 Cell Phone Number - $10.00 Social Security Number - $8.00 Credit History - $9.00 Bankruptcy Information - $26.50 Business Ownership - $9.95 Shareholder - $1.50 Felony - $16.00 Lawsuit History $2.95 Sex Offender - $13.00 Drivers License - $3.00 Voter Registration - $0.25 Source: Source: GRT Corporation 8

9 Who Can Access Your Medical Records? Source: GRT Corporation 9

10 Complexity of Legislative Response 2012 GRT Corporation 10

11 Payment Card Industry Data Security Standard 2012 GRT Corporation 11

12 Consequences of Data Leaks Risk factors associated with data leaks and unauthorized access: Civil Lawsuits Legal Fines Personal Risks Loss of Clients 2012 GRT Corporation 12

13 Traditional Security Measures Access Tokens, Digital Certificates VPNs, DMZs Physical Access Restrictions Firewalls with Intrusion Detection Sensitive Fields Encryption User Identity Management Security Audits Security Policy Management Role-based Access Rules Backup Protection 2012 GRT Corporation 13

14 Data Losses as a result of Business Processes Data Snapshots for Offshore Development Legacy LOB Applications Test Datasets for System Upgrade Data Exports for 3rd-party Marketing Agency Not Yet Addressed Regulatory Requirements Training Facility Databases Homegrown Data Protection Solution Bugs in Application Security 2012 GRT Corporation 14

15 Data Privacy is NOT a Moonlight Project Management significantly underestimates Data Privacy complexity DBAs spend an average 4-6 weeks per source implementing in-house data masking solutions source: Camouflage Software, Inc 2012 GRT Corporation 15

16 What is Data Masking? Data masking is the process of obscuring (masking) specific data elements within data stores. It ensures that sensitive data is replaced with realistic but not real data. (Wikipedia) 2012 GRT Corporation 16

17 Use Case Total Comp Project Ron needs new Total Comp report for his team and asked Rochelle to make a template for it. Corporate Policy: Managers can not retrieve compensation details for people with a higher salary grade. Rochelle Li IT Lead Ron Reddy Dpt. Mgr GRT Corporation 17

18 Use Case Total Comp Project Ron s full view Rochelle s masked view 2012 GRT Corporation 18

19 Three Pillars of Data Masking Discovery Masking Subsetting 2012 GRT Corporation 19

20 Automated Discovery Automated search & classification Repeatable process Significant time and cost savings Increases accuracy, reducing human error Facilitates compliance, reduces risk Reduces manual effort Integrates with data masking Prepackaged Templates (PCI, HIPAA, etc.) 2012 GRT Corporation 20

21 Subsetting Reduces data footprint, storage and bandwidth Repeatable process Advanced filtering capabilities Increases accuracy, reducing human error Graphically view and configure rules Significant time and cost savings Integrates with data masking Maintains application and database integrity 2012 GRT Corporation 21

22 Data Masking High quality data, realistic data Facilitates compliance, reduces risk Maintains application and database integrity Increases accuracy, reducing human error Earlier detection of application defects Significant time and cost savings Repeatable process Reduces QA effort 2012 GRT Corporation 22

23 Available Data Transformations Generators Account Numbers, Birth Dates, Credit Card Expiry Dates, Credit Card Numbers, Social Security Numbers Data Load Names, Part Numbers, Street Addresses, Table Filter Custom Addresses, Free Form Text, XML Documents Mutators Account Numbers, Birth Dates, Credit Card Expiry Dates, Names, Street Addresses Algorithmic Enumeration, Salaries, Serial Numbers, Telephone Numbers 2012 GRT Corporation 23

24 Static Data Masking Source Data Masked Data 2012 GRT Corporation 24

25 Dynamic Data Masking in the Enterprise 2012 GRT Corporation 25

26 Dynamic Data Masking Proxy Internals 2012 GRT Corporation 26

27 Data Masking Implementation Impediments Show Stoppers Application Integrity Database Integrity More Challenges to Consider: Relationship Discovery Transformation Repeatability Centralized Rule Definition Multiplatform Support 2012 GRT Corporation 27

28 Data Masking DIY Project Easy minutes to install Discovery using predefined templates Includes library of prebuilt transformations Hard: Masking strategy Transformation tuning Custom transformations Complex dependencies Best practices 2012 GRT Corporation 28

29 Why Data Masking? "The entire point of data masking is to protect yourself from your own employees," says Joseph Feiman, a security analyst at Gartner Research. "Attacks are coming from the outside, yes, that's true, but also from the inside. And it's hard to tell which type is more serious." 2012 GRT Corporation 29

30 Q&A Thank You GRT Corporation GRT Corporation 30