proteja su información sensible en ambientes no-productivos
TRANSCRIPT
Proteja su información sensible en ambientes no-productivos
Failure Story – A Real Life Insider Threat 28 yr. old Software Development Consultant
Employed by a large Insurance Company in Michigan
Needed to pay off Gambling debts
Decided to sell Social Security Numbers and other identity information pilfered from company databases on 110,000 Customers
Attempted to sell data via the Internet
– Names/Addresses/SS#s/birth dates
– 36,000 people for $25,000
Flew to Nashville to make the deal with…..
The United States Secret Service (Ooops)
Results:
Sentenced to 5 Years in Jail
Order to pay Sentry $520,000
Agenda
■ Non-Production environments at risk
■ What is data masking?
■ InfoSphere Optim Data Masking Solution – Static data masking for test environments– Programmable data masking for applications
■ InfoSphere Optim Test Data Management Solution
■ Maximize business value
The Easiest Way to Expose Private Data …Internally with the Test Environment
70% of data breaches occur internally (Gartner)
Test environments use personally identifiable data
Standard Non-Disclosure Agreements may not deter a disgruntled employee
What about test data stored on laptops? What about test data sent to
outsourced/overseas consultants? How about Healthcare/Marketing Analysis
of data? Payment Card Data Security Industry
Reg. 6.4.3 states, “Production data (real credit card numbers) cannot be used for testing or development”
* The Solution is Data De-Identification *
Vulnerable non-production environments at riskMost ignore security in non-production environments
70% of organizations surveyed use live customer data in non-production
environments (testing, Q/A, development)Database Trends and Applications. Ensuring Protection for Sensitive Test Data
50% of organizations surveyed have no way
of knowing if data used in test was compromised
The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis
52% of surveyed organizations outsource development
The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis
$194
per recordcost of a data breach
The Ponemon Institute. 2012 Cost of Data Beach Study
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and Privacy
What is data masking?Understand &
DefineMonitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and Privacy
DefinitionMethod for creating a structurally similar but inauthentic version of an organization's data. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.
RequirementEffective data masking requires data to be altered in a way that the actual values cannot be determined or reengineered, functional appearance is maintained.
Other Terms UsedObfuscation, scrambling, data de-identification
Commonly masked data typesName, address, telephone, SSN/national identity number, credit card number
Methods– Static Masking: Extracts rows from production databases, obfuscating data
values that ultimately get stored in the columns in the test databases– Dynamic Masking: Masks specific data elements on the fly without touching
applications or physical production data store
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyStart privacy early
Model-driven privacyDefine data policies and standards once, execute consistently across the lifecycle–Naming Use standard words, acronyms and naming
patterns–Meaning Associate words with shared meaning through
business glossaries (InfoSphere Business Glossary)–Values Define appropriate values or ranges for
attributes–Privacy Specify standards for masking rules and
associate them with specific attributes
Link standards to business requirements Discover and elaborate explicit and implicit relationships for understanding business objectsReuse across multiple models and databases Share, reuse, or extend the policies and standards across tools Generate reports for audit (Data privacy compliance, Requirements traceability)
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyIBM InfoSphere Optim Data Masking Solution
• Protect sensitive information from misuse and fraud
• Prevent data breaches and associated fines
• Achieve better information governance
• Protect confidential data used in test, training & development systems
• Mask data on screen in applications
• Implement proven data masking techniques
• Support compliance with privacy regulations
• Solution supports custom & packaged ERP applications
Requirements
Benefits
De-identify sensitive informationwith realistic but fictional data
Personal identifiable information is masked with realistic but
fictional data
JASON MICHAELSJASON MICHAELS ROBERT SMITHROBERT SMITH
9
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyMask complete business objects across
heterogeneous databases & applications
Referentially-intact subsets of data across related tables & applications, including metadata.
DBAView
Overall historical “snapshot” of business activity, representing an application data record – e.g. payment, invoice, customer
BusinessView
Federated access to related business objects across the enterprise
CRM on Oracle database
ERP / Financials on DB2
Custom Inventory Mgmt on DB2
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyMask data in applications
Programmatically mask
Patient InformationPatient Information
Patient No. SSN
Name
Address
City State Zip
Patient No. SSN
Name
Address
City State Zip
112233 123-45-6789
Amanda Winters
40 Bayberry Drive
Elgin IL 60123
Patient No 123456SSN 333-22-4444Name Erica SchaferAddress 12 Murray CourtCity AustinState TXZip 78704
Ensure valid business need to know to sensitive data Mask data in real time to respond to suspicious activities
Promote role based approach to data access
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyMask data in reports
Programmatically mask
Mask data in reports to generate specialized views targeted for different recipient based on job role or functional area
Customer Number 123456Purchase Order 333-22-4444Name Erica SchaferAddress 12 Murray CourtCity AustinState TXZip 78704
CFO Business reports
Marketing team reports
Reports for business partners
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and PrivacyStatically mask data in non-production
databases
Patient No 123456SSN 333-22-4444Name Erica SchaferAddress 12 Murray CourtCity AustinState TXZip 78704
Patient No 112233SSN 123-45-6789Name Amanda WintersAddress 40 Bayberry DriveCity ElginState ILZip 60123
Statically mask
Mask data in non-production databases such as test and development Improve security of non-production environments
Facilitate faster testing processes with accurate test data Support referential integrity
Mask custom and packaged ERP/CRM applications
Propagating Masked Data
Key propagation
–Propagate values in the primary key to all related tables
–Necessary to maintain referential integrity
Cust ID Item # Order Date27645 80-2382 20 June 200427645 86-4538 10 October 2005
Customers Table
Orders Table
Cust ID Name Street08054 Alice Bennett 2 Park Blvd19101 Carl Davis 258 Main27645 Elliot Flynn 96 Avenue
Masking with Key Propagation
Cust ID Item # Order Date27645 80-2382 20 June 200427645 86-4538 10 October 2005
Customers Table
Orders Table
Cust ID Name Street08054 Alice Bennett 2 Park Blvd19101 Carl Davis 258 Main27645 Elliot Flynn 96 Avenue
Original Data
Cust ID Item # Order Date10002 80-2382 20 June 200410002 86-4538 10 October 2005
Customers Table
Orders Table
Cust ID Name Street10000 Auguste RenoirMars2310001 Claude MonetVenus2410002 Pablo PicassoSaturn25
De-Identified Data
Referential integrity is maintained
15
IBM InfoSphere Optim Test Data Management Solution
Requirements
Benefits
• Deploy new functionality more quickly and with improved quality
• Easily refresh & maintain test environments
• Protect sensitive information from misuse & fraud with data masking
• Accelerate delivery of test data through refresh
• Create referentially intact, “right-sized” test databases
• Automate test result comparisons to identify hidden errors
• Protect confidential data used in test, training & development
• Shorten iterative testing cycles and accelerate time to market
Create “right-size” production-like environments
for application testing
Test Data Management
100 GB
25 GB
50 GB
25 GB
2TB
Development
Unit Test
TrainingIntegration Test
-Subset -Mask
Production or Production Clone
InfoSphere Optim TDM supports data on distributed platforms (LUW) and z/OS.
Out-of-the-box subset support for packaged applications ERP/CRM solutions as well as :
Other
-Compare-Refresh
Test Data Management and creating a Gold Master
Test Database50 GB
Training Database75 GB
Dev Database25 GB
Production Database1200GB
“Masked” DBGold Master
600 GB
• Build all test environments from clone• Mask data in place on Gold Master
to de-identify • Subset clone to right-size data• Compare data with “Gold” to identify
defects• Refresh test data with “Gold” to get
latest data for testing
Subset& Mask
Subset/Compare/Refresh
Subset/Compare/Refresh
Subset/Compare/Refresh
Test Data Management without Gold Master
Test Database50 GB
Training Database75 GB
Dev Database25 GB
A/RProduction
Database900 GB
CRM Production
Database1200GB
Subset/Mask
CompareRefreshSubset/Mask
Subset/Mask
Compare
Refresh
• Bring together entire business objects across data sources
• Mask data as moved to non-production environments
• Subset to right-size data• Compare data with original to identify defects• Refresh test data with original to get latest
data for testing
Understand &Define
Monitor & AuditSecure &
Protect
Information Governance Core DisciplinesSecurity and Privacy
Maximizing business value with InfoSphere Optim Data Masking – Unique solution capabilities
Support database and application data masking– Ensures application integrity and database integrity – Preset pack of masking routines rules as well as the
ability to create customized routines– Integration into the software development lifecycle– Support for all leading databases and applications
Help establish business content for masking policies
– Support for Information Lifecycle Management projects– Enterprise-wide rule definition
Arek OyDeploys a pension earnings and accrual system in 30 months
The benefits: • Improved development and testing efficiencies, enabling Arek Oy
to promote faster deployment of new pension application functionality and enhancements
• Protected confidential data to strengthen public confidence and support TyEL compliance requirements.
The need: Pension laws (TyEL) in Finland changed radically in 2007. In response, Arek Oy had to develop and deliver a tested and reliable Pension Earnings and Accrual System within 30 months. Arek Oy had to protect confidential employee salary and pension information in multiple non-production (development and testing) environments. Failure to satisfy requirements would result in loss of customer good will and future business opportunities.
The solution: Using IBM InfoSphere Optim subsetting capabilities rather than cloning large production databases made it possible for Arek Oy staff to create robust, realistic test databases that supported faster iterative testing cycles. In addition, InfoSphere Optim offered proven capabilities for performing complex data masking routines, while preserving the integrity of the pension data for development and testing purposes.
“We see Optim as an integral part of our development solution set. Optim’s data masking capabilities help ensure that we can protect privacy in our development and testing environments.”
— Katri Savolainen, Project Manager, Arek Oy
Solution components:• IBM InfoSphere Optim Data Masking
Solution• IBM InfoSphere Optim Test Data
Management Solution
Arek Oy Case Study
LawsonDevelops compliance process while improving performance
The benefits: • Provided testing teams with immediate access to data• Streamlined compliance by masking nonproduction data• Improved performance by archiving rarely used data• Established data retention policies to meet compliance requirements
The solution: The IBM InfoSphere Optim portfolio was used to develop a comprehensive data management approach including: archiving, sub-setting, masking and decommissioning to meet compliance mandates all while improving performance.
The need: • Manage multiple test environments to ensure the highest quality
testing for the lowest possible cost • Adhere to recent legislation on proper use of data in nonproduction
environments including testing, development and QA• Develop an enterprise wide approach for protecting sensitive data—
such as social security numbers, salary information and direct deposit account numbers
• Archive rarely used production data to meet retention requirements while improving performance
Lawson develops a comprehensive data management approach to facilitate application delivery, ensure compliance and improve performance. They leveraged the InfoSphere Optim family of products to meet their goals.
Solution components:• IBM InfoSphere Optim Data Growth
Solution• IBM InfoSphere Optim Test Data
Management Solution• IBM InfoSphere Optim Data Masking
Solution
Detailed case study with IBM BP BTRG
Large US Insurance CompanyMasks data to support HIPAA compliance
The benefits: • Established a single, scalable approach to enterprise data masking• Automatically identified sensitive data across the enterprise• Helped drive HIPAA compliance
The solution: IBM InfoSphere Optim applies a range of masking techniques to transform sensitive information with both prepackaged data masking routines and options for customization. InfoSphere Optim transforms complex data elements while retaining their contextual meaning.
The need: • Establish enterprise-wide data privacy rules to ensure HIPAA
compliance• Obfuscate diverse data types including: credit card information,
personal health information and personally identifiable information• Protect data in over 45,000 tables while ensuring the appropriate
relationships are maintained to preserve application logic across custom and packaged applications
• Understand all sensitive data types across a complex, heterogeneous enterprise no matter where they resides
Large US insurance company drives HIPAA compliance by masking sensitive data across the enterprise with IBM InfoSphere Optim.
Solution components:• IBM InfoSphere Optim Data
Masking Solution• IBM Lab Services
Detailed case study with IBM BP BTRG
Success: Data Privacy
Application:
– Multiple interrelated retail transaction processing applications
Challenges:
– Comply with Payment Card Industry (PCI) regulations that required credit card data to be masked in the testing environment
– Implement a strategy where Personally Identifiable Information (PII) is de-identified when being utilized in the application development process
– Obtain a masking solution that could mask data across the enterprise in both Mainframe and Open Systems environments
Solution:
– IBM Optim Data Privacy Solution™
Client Value:
– Satisfied PCI requirements by giving this retailer the capability to mask credit data with fictitious data
– Masked other PII, such as customer first and last names, to ensure that “real data” cannot be extracted from the development environment
– Adapted an enterprise focus for protecting privacy by deploying a consistent data masking methodology across applications, databases and operating environments
About the Client:$300 Billion RetailerLargest Company in the WorldLargest Informix installation in the world
¡Muchas Gracias!
Narciso PeñaRegional Software Specialist
Tel. (809) 566-5161E-mail: [email protected]