Data masking - addressing PII exposure risks in the cloud

50 %
50 %
Information about Data masking - addressing PII exposure risks in the cloud
Technology

Published on January 22, 2014

Author: ygenchik

Source: slideshare.net

Description

exposing PII in the cloud - why we become non-compliant, and how to avoid it.
How masking fits into the SDLC and Data flow architectures.
Masking with SSIS in Azure.

ELIMINATING COMPLINCE RISKS DATA MASKING WITH AZURE

SECURITY THREATS INTENTIONAL (FRAUD) Ponemon institute study of 60 large organizations Cost of cybercrime rose 26% to 11.6 Mil per company The most costly: • Distributed Denial of Service (DDS) • Web-based attacks • Malicious Insiders SEI Study Of the 80 of internal fraud cases, 34 % involved Personally Identifiable Information UNINTENTIONAL Innocent insider is being set up by outsider with malicious code Insider negligence or accidental disclosure ( loss of laptop) The theft of an unencrypted laptop from an employee's car resulted in a breach affecting more than 61,000 patients in 2010 in Cincinnaty 22.01.2014 Data courtesy of www.inforisktoday.com Hush Hush info@mask-me.net 213.631.1854 2

IT RESPONDS BY TIGHTENING SECURITY Separation of environments Tightened controls Standards, policies, audits, drills, security framework Due to increased security processes, development slows down DEVELOPMENT LOOKS SOMEWHERE ELSE : CLOUD = EASY PROVISIONNING = SPEED TO MARKET SECURI TY 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 3

IS CLOUD RISK FREE? Avoiding The Hidden Costs of The Cloud (Symantec) Of 3,236 companies : 40% exposed confidential info 25% suffered account takeover and digital theft 40% loss of data 23% fined for privacy violation IT RESTRICTIONS 22.01.2014 PRESSURE TO DEVELOP AT BREAKNECK SPEED Hush Hush PUBLIC CLOUD BECOMES DEVELOPMENT SANDBOX info@mask-me.net SECURTY BREACHES IN CLOUD –SLAs 213.631.1854 HOW DO WE PROTECT DATA? 4

DOES IT MEAN WE SHOULD AVOID CLOUD DEVELOPMENT? LETS TAKE A CLOSER LOOK AT DEVELOPMENT PROCESSES AND DATA FLOWS ACROSS ENVIRONMENTS 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 5

BIG PICTURE : DIFFERENT COMPANIES –DIFFERENT NEEDS STARTUP There is no data in organization. Development speed is high. Developers create their own data with “insert” statements. 0 DEVELOPED ORGANIZATION Data in other systems and in production. It is used to populate development environments. Speed of development slows down. New Projects – add files and data feeds Continuous Development – adds its own production data Maintenance – no new features, no “inserts” any more Migration – only production data, moving on 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 6

NEW DEVELOPMENT When we start from Scratch, there is nothing and we can initially treat everything as if databases were code. Your Application Your Database Copyright 2005 / Scott W. Ambler 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 7

NEW DEVELOPMENT We create data with “INSERT” statements, saving them as code in Source Control. Cloud – no Cloud makes no difference. Yes, promote to production Yes, promote to Staging Yes, promote to the QA SANDBOX: Create master data and test cases. test NO errors? QA: Move new master data Run test cases NO errors? Staging / UAT: Move New Master data, test for deployment Do UAT NO errors? Production Now, users are “testers” Create a DDL and DML script in the source control CLEAR ALL THE TEST CASES LEAVE MASTER DATA ERRORS ERRORS ERRORS 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 8

TO INFINITY AND BEYOND : IN PRODUCTION Big day being behind, we are in production • • • • Lots of transactions Database size reaches GB, TB, PT – think Amazon, we all want our business be there We scale in various ways, yet the CRUD logic is the same Master data matures and gets into DB via GUI WE BECOME THE “DEVELOPED ORGANIZATION” WITH EXISTING SYSTEMS AND CONTINUOUS DEVELOPMENT 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 9

THE USUAL WAY OF DOING DATA CYCLE Transactional Data Yes, promote to production Master Data Yes, promote to Staging Yes, promote to the QA SANDBOX: Create master data and test cases. test NO errors? Create a DDL script in the source control Create DML Scripts - optional QA: Move new master data Run test cases NO errors? Staging/UAT:Move New Master data, test for deployment Do UAT NO errors? DATABASE Production Now, users are “testers” ERRORS Back Up CLEAR ALL THE TEST CASES LEAVE MASTER DATA ERRORS BACK UP ERRORS Truncate Transactional Data 22.01.2014 Hush Hush info@mask-me.net BACK UP with Reduced data set 213.631.1854 Mask Sensitive Data Apply code 10

NEW DEVELOPMENT – EXISTING ORGANIZATION PRODUCTION SYSTEMS DIFFERENCE ETL MASK Yes, promote to production Yes, promote to Staging Yes, promote to the QA SANDBOX: Create master data and test cases. test NO errors? QA: Move new master data Run test cases NO errors? Staging / UAT: Move New Master data, test for deployment Do UAT Create a DDL and DML script in the source control NO errors? Production Now, users are “testers” CLEAR ALL THE TEST CASES LEAVE MASTER DATA ERRORS ERRORS ERRORS 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 11

WE NEED TO MASK BEFORE WE DEVELOP ! BUMMER! COMPLIANCE!!! SO WHAT IS THE CATCH? MASKING IS DEVELOPMENT ACTIVITY AND TAKES TIME THAT IS WHY IT IS OFTEN “FORGOTTEN” IN THE BEGINNING OF THE CYCLE, MAKING YOUR ORGANIZATION INSTANTLY NON-COMPLIANT CURRENT SOLUTIONS USUALLY WORK ON A GOLDEN DB COPY OF EXISTING SYSTEMS 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 12

SOLUTION :: YET ANOTHER WAY :: MASKING IN ETL PRODUCTION SYSTEMS ETL MASK Transactional Data Yes, promote to production Yes, promote to Staging Master Data Yes, promote to the QA Create a DDL script in the source control Create DML Scripts - optional SANDBOX: Create master data and test cases. test NO errors? QA: Move new master data Run test cases NO errors? Staging/UAT:Move New Master data, test for deployment Do UAT NO errors? DATABASE Production Now, users are “testers” ERRORS Get Delta CLEAR ALL THE TEST CASES LEAVE MASTER DATA ERRORS ETL Package ERRORS Move Staging Move To Sandbox Mask Sensitive Data Move To QA Apply a Transform To Accommodate DDL change 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 13

YET ANOTHER WAY : ETL SLA constraints on backup/load – you might not have priviledge with your provider You need instant deltas of production data for development You have ETL already established You want masking be part of your already established ETL • Requirements of GLBA, HIPAA, PSS/DSA • Part of SDLC in Relational and in BI, with transforms • Files • Feeds from other production systems Benefits of HushHush • No significant upfront investment • No learning curve • Part of development toolbox 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 14

ETL WITH AZURE AZURE FILES DATABASE FTP VM ETL MASK ETL MASK VM DATABASE STORAGE 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 15

DATA FLOW WITH ETL MASKING EXAMPLE 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 16

PERILS OF ENVIRONMENTS: DATA HOMOGNEITY ACROSS ENVIRONMENTS • How close should environments be in terms of data? SANDBOXAND INTEGRATION ENVIRONMENTS • • • hold the least amount of data. A rule of thumb: data set sufficient enough for developing functional requirements. Pros: speeds up development, cons: can’t accommodate all the test cases and needs constant data set assessments. The QA/Staging should hold complete data set to allow for UAT and for performance and regression testing. Break Fix environment holds data set and schema as close to production as possible to allow for speedy production issues resolutions. 22.01.2014 Hush Hush info@mask-me.net PHYSICAL CONSTRAINTS 213.631.1854 17

PERILS OF ENVIRONMENTS CONT.: ENVIRONMENT SLAs is development around the clock with international development team, 24/7 or only happens in one place with 8 hours development day/time? RATE OF REFRESHES depends on whether we do continuous deployments or scheduled releases DATA RETENTION how much and often transactional data gets purged? SCHEMA MANAGEMENT Schema/data in source control? Are deployments automated including data? Are there specific structures that support metadata? 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 18

DATA LOAD SOLUTION STRATEGIES CONSTRAINTS Operational requirements for • data availability • data consistency • performance • data integrity ARCHITECTURAL PATTERNS • • Backup/Load ETL Solutions (different kinds) IN-CLOUD PATTERN - NEW • VM Provisioning/IMAGE Development Requirements for: • development time • skill sets Environmental • Monetary (space and processors) • Political (we just do not want to use third party) 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 19

QA/STAGING/BREAK FIX ENVIRONMENTS BE AWARE ! Backup/Load takes time. Count on it. Refactoring takes time. Count on it. ETL takes time. Count on it. Masking has its own architectures. Chose the one appropriate. 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 20

USED TOOLS AND OTHER TOOLS THAT HELP What I used: SQL Server, SSMS, SSIS, Data Quality Services, TFS, VS, Visio If you do not have VS and TFS: • Red Gate: SQL Compare, SQL Data Compare,SQL Data Generator, SQL Source Control • Embarcadero: E/R Studio, DB Change Manager Masking: HUSHHUSH Masking components for ETL architectures (http://mask-me.net) 22.01.2014 Hush Hush info@mask-me.net 213.631.1854 21

Add a comment

Related presentations

Related pages

Data Masking | LinkedIn

Data masking - addressing PII exposure risks in the cloud . 1,871 Views. axismikel. DMsuite Static & Dynamic Data Masking Overview. ... Cloud Security ...
Read more

What is personally identifiable information (PII ...

Personally identifiable information (PII) ... FDIC releases guidance on digital copier security and printer risks; Data masking best ... Search Cloud ...
Read more

Identifiable Information (PII)

reduce PII exposure and risk. ... PII data composed of individuals‘ names, ... and addressing administrative concerns.
Read more

SAP Data Masking Tools - Documents

Data masking - addressing PII exposure risks in the cloud ... Data Masking Counter Attack to Identity Theft Paul Preston Data Masking: ...
Read more

SSIS Data Masking

Hush Hush is a data masking software that de-identifies ... Empowers on-premises and in-cloud data exchange while securing PII. ... Addressing Risks
Read more

Data masking - Wikipedia, the free encyclopedia

Data masking or data obfuscation is the process of hiding original data with random characters or data. ... Data masking and the cloud
Read more

Data Masking Software and Solutions from IRI

... array of static data masking functions, and data in transit ... Cloud; DW/BI; Data Masking; ... of a data breach, and support the risk and ...
Read more

Pii | LinkedIn

Pii. Articles, experts, jobs, and more: get all the professional insights you need on LinkedIn. ... Risk Management (72 members) Where they went to university.
Read more

Data Masking Best Practice White Paper - Oracle

Data Masking Best Practice 9 Oracle Data Masking Pack ... SUITE DATA MASKING TEMPLATE SENSITIVE ATTRIBUTE PII ... data is at risk, ...
Read more