Keeping Private Data Private: Avoiding your 15 Minutes on CNN. Tony Cannizzo | President, Silos-Connect Technologies
Page 1: Keeping Private Data Private

Keeping Private Data Private

Avoiding your 15 Minutes on CNN

Tony Cannizzo | President, Silos-Connect Technologies

Page 2: Keeping Private Data Private

Comprehensive Data Security

• Identity Management
  ◦ Authorization (Roles)
  ◦ Authentication (Users)
• Admin Control
  ◦ Separation of Duties (SoD)
  ◦ Configuration and Change Management
• Auditing / Monitoring
  ◦ Who is Accessing What, When, Where and How
  ◦ Identify Unusual User Behaviors
• Encryption
  ◦ Protect Stored Data (Backups, Drives)
  ◦ Protect Data in Transit (Network, Wireless)
• Data Masking
  ◦ Protect Test Data
  ◦ Protect Production Data

Page 3: Keeping Private Data Private

Data Masking in Production

Page 4: Keeping Private Data Private

Gartner:

• 80% of high-cost security incidents occur when data from inside the organization gets out
• Most data leakage occurs by accident or because of poor business processes
• Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network.

Page 5: Keeping Private Data Private

When they talk about Fort Knox, they don't talk about the 3-foot thick granite walls or the 22-ton blast-proof doors.

They worry about who is watching the GOLD!

Page 6: Keeping Private Data Private

Why Mask Data?

• Survival: Protect the Business
• Legal: Required by law

Masking protects sensitive data while simultaneously enabling users to have the appropriate data access to complete business processes.

Page 7: Keeping Private Data Private

What Was the Original Purpose?

To give Dev/Test teams realistic test data to work with, and not expose Production data. The concept came up in reaction to the limitations of other test data generation strategies:
◦ Cloned Production Databases
◦ Image Copies from Backup
◦ Selective Subset
◦ Random Test Data Generators
◦ Iterative Executions of Applications
◦ Keyed in from Scratch

Page 8: Keeping Private Data Private

Testing with Production Data

BENEFITS
• Readily available
• RI (referential integrity) is already established
• Will eventually need to run volume test anyway
• "If it runs against production . . . it will run against anything" (Right?)

DOWNSIDE
• Heavy on records - "Lite" on test cases
• Too Large for Multiple Copies
• Test executions take longer to run
• Confidential & Sensitive data values in a Non-secured environment

Page 9: Keeping Private Data Private

How Real is THIS?

"HA! My son is a SYSDBA. You better not do surgery on ME!"

Page 10: Keeping Private Data Private

Same as Encryption?

• Encryption
  ◦ Protects data at rest, or while in transit
  ◦ Data must be Decrypted to be used
  ◦ Does not prevent abuse at the final destination
  ◦ Can often be identified because it is encrypted

Hackers will target encrypted or marked data as it says "I am valuable data"

• Masked Data
  ◦ Protects data in-motion and in-use
  ◦ Never gets un-masked
  ◦ If it can't be seen, it can't be abused

Page 11: Keeping Private Data Private

What Needs to be Masked: PCI DSS

Payment Card Industry Data Security Standard

• Cardholder Information
  ◦ Primary Account Number (PAN)
  ◦ Cardholder Name
  ◦ Service Code
  ◦ Expiration Date
• Authentication Data (storage permitted: No)
  ◦ Full Magnetic Stripe Data
  ◦ CAV2/CVC2/CVV2/CID
  ◦ PIN/PIN Block
• Ensure that each entity only has access to its own cardholder data environment
  ◦ IP address / MAC address
  ◦ Application / Service
  ◦ User accounts / groups

Page 12: Keeping Private Data Private

What Needs to Be Masked: HIPAA

• Names
• Geographic subdivisions smaller than a State
  ◦ Street Address
  ◦ City
  ◦ County
  ◦ Precinct
  ◦ Zip Code, except the first 3 digits if the area has more than 20,000 people; if fewer than 20,000 people, change the first three digits to '000'
• All elements of dates (except Year) directly related to an individual
  ◦ Up to 89 years of age: Date of Birth, Admission Date, Discharge Date, Date of Death
  ◦ Over 89 years of age: all elements of dates INCLUDING Year indicative of such age; such dates and elements may be aggregated into a single category of "90&Older"
• Telephone Numbers
• Fax Numbers
• Email addresses
• Social Security Numbers (or other National or International Identifiers)
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle Identification Numbers including Serial Numbers and License Plate Numbers
• Device Identifiers and Serial Numbers
• Web Universal Resource Locators (URLs and IP Addresses)
• Biometric Identifiers including Finger Prints and Voice Prints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic or code
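The Safe Harbor rules on this slide as a function, an added example that is not from the deck: the ZIP-prefix population table, the record field names and the reference date are constructed assumptions.

```python
"""HIPAA Safe Harbor rules as listed on the slide, applied to one patient record.
Added illustration, not from the deck; ZIP3_POPULATION holds constructed counts."""
from datetime import date

# Constructed: people sharing each 3-digit ZIP prefix (real code loads census data).
ZIP3_POPULATION = {"303": 1_500_000, "100": 2_000_000, "036": 12_000}
# Identifiers from the slide's list that are removed outright.
DIRECT_IDENTIFIERS = ("name", "street", "city", "county", "phone", "fax", "email",
                      "ssn", "mrn", "account_number", "license_plate", "url", "ip")
DATES = {"admission_date": "admission_year", "discharge_date": "discharge_year",
         "date_of_death": "death_year"}
REFERENCE_DATE = date(2009, 5, 1)       # constructed "as of" date for age calculation

def mask_zip(zip_code):
    """Keep the first 3 digits only if more than 20,000 people share them, else '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20000 else "000"

def age_on(dob, as_of):
    """Whole years of age at the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def deidentify(record, as_of=REFERENCE_DATE):
    """Return the Safe Harbor view of `record`; state-level geography may stay."""
    age = age_on(record["date_of_birth"], as_of)
    over_89 = age > 89
    out = {k: None for k in DIRECT_IDENTIFIERS if k in record}
    out["state"] = record.get("state")
    out["zip"] = mask_zip(record["zip"])
    # Up to 89: dates keep only the year.  Over 89: the birth year is itself
    # indicative of age, so it goes too and age collapses to "90&Older".
    out["birth_year"] = None if over_89 else record["date_of_birth"].year
    out["age"] = "90&Older" if over_89 else str(age)
    for field, year_field in DATES.items():
        if record.get(field):
            out[year_field] = record[field].year
    return out

# Constructed sample records (no real people).
SAMPLE_ADULT = {"name": "Jane Doe", "street": "1 Main St", "city": "Atlanta", "state": "GA",
                "zip": "30303", "ssn": "123-45-6789", "phone": "555-0100",
                "date_of_birth": date(1950, 6, 15), "admission_date": date(2009, 3, 2)}
SAMPLE_ELDER = dict(SAMPLE_ADULT, name="John Roe", zip="03601", date_of_birth=date(1915, 1, 1))
```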

Page 13: Keeping Private Data Private

Data Masking: Available Methods

Page 14: Keeping Private Data Private

Masking
• Build Mapping Table
  ◦ orig_value
  ◦ mask_value
• Disable Constraints
• Rename Table
• Recreate & Reload from renamed table and mapping table
• Enable Constraints
• Collect Statistics
• Drop Renamed Table and Mapping Table

Oracle Data Masking Pack (diagram)
• Clone: Clone Production Database to Staging Area
• Export/Import: Export Masked Database; Import Database into Test

Page 15: Keeping Private Data Private

ETL Solutions

• Extract from Source
  ◦ Subset with Selection Criteria
  ◦ Optional but recommended
• Mask Extracted Data
  ◦ During Extract?
  ◦ During Load?
• Load to Target
  ◦ Test, QA, Etc.
  ◦ Load?
  ◦ Insert/Updates?

Diagram: Prod → Extract → Loadable File → Load or Ins/Upd → Dev/Test

Trade-offs (mask during Extract vs. during Load):
◦ Masking during Extract takes longer to run, but masks the loadable file
◦ Masking during Load exposes the loadable file, but is easier to refresh

Page 16: Keeping Private Data Private

Algorithms for Masking Sensitive Data

• Data substitution: replacing a value in the column with fictionalized data
• Truncating, hiding or nullifying: replaces column values with NULL or '****'
• Randomization: replacing the value with random data
• Skewing: alters the numeric data by a random variance
• Scrambling: Smart Functions created in PL/SQL
• Character substring masking: shows a portion of the actual value and hides the rest
• Shuffling: uses values from other rows

Page 17: Keeping Private Data Private

Key Considerations

• Remember, this is Static Data Masking
  ◦ Values are physically stored in the tables/columns
  ◦ One size may not fit all
• Look Out For:
  ◦ Mutually-exclusive test cases
  ◦ Referential Integrity
  ◦ Data Distribution
  ◦ Cardinality
  ◦ Frequency/Duration of Extracts
  ◦ Frequency/Variety of Target Environments
  ◦ Be sure to delete all copies of Un-masked Extracts

Page 18: Keeping Private Data Private

Data Masking at the Presentation Layer

SELECT ACCT_NUM = 3072-100924-90212
SELECT TRUNCATE(ACCT_NUM) = XXXX-XXXXXX-X0212
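The page 16 algorithms and the presentation-layer TRUNCATE shown here, worked as an added example (not the deck's code) over a constructed employee table: six of the seven algorithms are implemented (data substitution, a lookup against a table of fictitious values, is left out), and the column-to-algorithm assignment and the seeded random generator are assumptions.

```python
"""Slide-16 masking algorithms on constructed employee rows, plus the page-18
TRUNCATE of an account number (added example; seeded Random for reproducibility)."""
import random

# Constructed rows: (name, ssn, salary, acct_num, email, city)
ROWS = [("Tiger", "123-45-6789", 52000.0, "3072-100924-90212", "t@example.com", "Atlanta"),
        ("Nelson", "987-65-4321", 61000.0, "3072-555555-12345", "n@example.com", "Boston"),
        ("Rogers", "111-22-3333", 48000.0, "4000-000000-00001", "r@example.com", "Chicago")]

def substring_mask(value, keep_last=4, mask_char="X"):
    """Character substring masking: keep the last digits, hide the rest, keep separators."""
    out, kept = [], 0
    for ch in reversed(value):
        hide_it = ch.isdigit() and kept >= keep_last
        out.append(mask_char if hide_it else ch)
        kept += ch.isdigit()
    return "".join(reversed(out))

def randomize_digits(rng, template):
    """Randomization: every digit becomes a random digit; the format survives."""
    return "".join(str(rng.randrange(10)) if c.isdigit() else c for c in template)

def skew(rng, amount, pct=10):
    """Skewing: alter a numeric value by a random variance of up to +/- pct percent."""
    return round(amount * (1 + rng.uniform(-pct, pct) / 100), 2)

def scramble(rng, text):
    """Scrambling: the slide's PL/SQL 'smart function', here a character shuffle."""
    chars = list(text)
    rng.shuffle(chars)
    return "".join(chars)

def hide(_value, token="****"):
    """Truncating / hiding / nullifying: a constant token, or None for NULL."""
    return token

def mask_rows(rows, seed=0):
    """One static-masking pass: one algorithm per column, city shuffled across rows."""
    rng = random.Random(seed)
    cities = [r[5] for r in rows]
    rng.shuffle(cities)                       # Shuffling: uses values from other rows
    masked = []
    for (name, ssn, salary, acct, email, _), city in zip(rows, cities):
        masked.append((scramble(rng, name),
                       randomize_digits(rng, ssn),
                       skew(rng, salary),
                       substring_mask(acct),  # the SELECT TRUNCATE(ACCT_NUM) result
                       hide(email),
                       city))
    return masked
```

Note the cardinality point from the Key Considerations slide: substring masking and hiding are many-to-one, so masked columns lose uniqueness and cannot serve as keys.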

Page 19: Keeping Private Data Private

Dynamic Data Masking: The Next Frontier

• Works in Production as well as Dev/Test
• Database retains original values
• Selectively mask data in real time
• Transparent to clients, applications, databases
• Implemented on SQL*Net protocol layer
• Acts as SQL*Net proxy / Oracle Listener
• Catches inbound SQL statement protocol packets
• Apply security policies as pre-defined rules

Page 20: Keeping Private Data Private

Scenarios for Dynamic Data Masking

Page 21: Keeping Private Data Private

Selective Data Masking

Application Support / Help Desk

Page 22: Keeping Private Data Private

Application Mis-Use

Application User

Page 23: Keeping Private Data Private

QA Team Capturing Scripts

Page 24: Keeping Private Data Private

Privileged User Control

Page 25: Keeping Private Data Private

This User has SYSDBA

Page 26: Keeping Private Data Private

And so does this one…

◦ Mask 'salary' values in all tables
◦ Hide 'job name' in all tables
◦ Scramble 'name' in all tables

Page 27: Keeping Private Data Private

How Did You Do That?

Quick Example of our Rules Editor
◦ Matches Any SQL
◦ Masking Actions

Page 28: Keeping Private Data Private

Dynamic Data Masking

Application / Web / Dev. tools, SQL*Plus, DB links etc. → ActiveBase Security → Oracle Database
User rules apply 'Rewrite' or Block actions on incoming SQL requests.

Rule example:
Original SQL: select ..,name,..from..
Rewrite Rule replaced: select .., '****',..from..

Before (Original SQL: Select name,..from..)
Name: Tiger, Nelson, Rogers, Rosen

After Rule:
• Scrambling Rules: Select scrmbl(name).. → Result Name: Bell, Cave, Lennon, Lenin
• Masking Rules: Select substr(name,1,2)||'***' → Result Name: Ti***, Ne***, Ro***, Ro***
• Hiding Rules: select ..,'',..from.. → Result Name: (empty)
• Blocking Rules: Returned message: You are not allowed to access this personal information!

Page 29: Keeping Private Data Private

More than Just Masking Data

• User Profiles – NOT just based on DB Privilege level
  ◦ Employee vs Contractor
  ◦ Local vs Offshore
  ◦ Developer vs DBA
  ◦ End-user vs IT Staff
• Other Actions:
  ◦ Block the request
  ◦ Send alert to business and/or notification to user
  ◦ Quarantine - block sessions and new connections from the same machine or user for 'X' minutes
  ◦ Apply delays between each subsequent request
  ◦ Kill session(s)
  ◦ Log audit trail of activity
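The rewrite rules from the previous slide and the profile-based rule selection from this one, as an added example that is not ActiveBase's code: a toy in-line proxy that matches each incoming SQL statement against a rule (SQL pattern plus user-profile attributes) and applies the Scrambling, Hiding, Masking or Blocking action before the statement reaches the database. The rule set, the user attributes and the employee rows are constructed, and sqlite3 stands in for Oracle.

```python
"""Toy in-line proxy applying the slides' Scrambling, Hiding, Masking and Blocking
rules by user profile (added example, not ActiveBase code; sqlite3 stands in for Oracle)."""
import random
import re
import sqlite3

BLOCK_MESSAGE = "You are not allowed to access this personal information!"
# Rewrite expressions for the `name` column, as shown on the slide.
REWRITES = {"scramble": "scrmbl(name)", "mask": "substr(name,1,2)||'***'", "hide": "''"}
# Constructed rules: a SQL pattern plus profile attributes, not just DB privilege,
# so an offshore DBA holding SYSDBA is still blocked.
RULES = [
    {"sql": r"\bname\b", "profile": {"role": "dba", "location": "offshore"}, "action": "block"},
    {"sql": r"\bname\b", "profile": {"role": "contractor"}, "action": "mask"},
    {"sql": r"\bname\b", "profile": {"role": "helpdesk"}, "action": "hide"},
    {"sql": r"\bname\b", "profile": {"role": "qa"}, "action": "scramble"},
]
_RNG = random.Random(0)

def scrmbl(text):
    """Stand-in for the proxy's scrambling function: shuffle the characters."""
    chars = list(text)
    _RNG.shuffle(chars)
    return "".join(chars)

def rewrite(sql, user):
    """Return (action, text) for the first matching rule; 'pass' leaves the SQL alone."""
    for rule in RULES:
        matches = re.search(rule["sql"], sql, re.I) and all(
            user.get(k) == v for k, v in rule["profile"].items())
        if not matches:
            continue
        if rule["action"] == "block":
            return "block", BLOCK_MESSAGE           # returned message instead of rows
        # Swap the first `name` in the select list for the masking expression.
        return rule["action"], re.sub(rule["sql"], REWRITES[rule["action"]], sql, count=1, flags=re.I)
    return "pass", sql

def query(sql, user):
    """Proxy path: rewrite or block, then run the result against the constructed table."""
    action, text = rewrite(sql, user)
    if action == "block":
        return text
    conn = sqlite3.connect(":memory:")
    conn.create_function("scrmbl", 1, scrmbl)
    conn.execute("create table employees(name text, salary integer)")
    conn.executemany("insert into employees values (?, ?)",
                     [("Tiger", 100), ("Nelson", 200), ("Rogers", 300), ("Rosen", 400)])
    return conn.execute(text).fetchall()
```

The masked result repeats the slide's Ro*** for both Rogers and Rosen: a masking rule keeps the rows distinguishable only as far as the kept prefix allows.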

Page 30: Keeping Private Data Private

Enforce Dev Tool Usage Policies

Toad, DBArtisan, SQL*Plus, etc.

• Restrict parallel load:
  ◦ allow up to four parallel servers for all Toad requests
  ◦ or dynamically remove the parallelism from the request
• Block specific DB activities from either authorized or unauthorized users: locks, drop table, drop synonym, drop grant
• Selectively prevent DML, DCL, DDL commands from unauthorized users
• Automatically redirect requests to the REPORT DB when the request includes certain conditions

Page 31: Keeping Private Data Private

ActiveBase Modules Overview

Diagram: User → Application → ActiveBase in-line Proxy modules → Oracle Database Server

ActiveBase in-line Proxy modules (Automatic - Rules):
• Security Module
  ◦ Masks personal information for outsourced support and IT
  ◦ Blocks offensive Requests / SQL injection / CPU risks
  ◦ Scrambles / Encrypts confidential & personal fields
• Performance Module
  ◦ Applies SQL Hints / Rewrite for improving performance
  ◦ Blocks / defers 'request-from-hell' for safeguarding production
  ◦ Redirects report / ad-hoc to replication / history DB

Prioritization module (DB server), driven by a Manual Operator or the Tuning Robot:
• Allocates Database Server resources to processes according to transaction importance

Page 32: Keeping Private Data Private

AB*Performance Rule Examples

Page 33: Keeping Private Data Private

THANK YOU!

Tony Cannizzo | President

Silos-Connect Technologies

[email protected] 580 3451

Soon to be:

Dynamic Database Solutions

Questions, Comments, Jokes?

DynamicDB

Page 34: Keeping Private Data Private

Oracle Data Masking: Optional Backup Slides

Page 35: Keeping Private Data Private

OEM 10g Data Masking Pack

• Copy production data to other environments
  ◦ Dev
  ◦ Test
  ◦ Staging
• Irreversible process
  ◦ Replaces sensitive data with realistic-looking but scrubbed data based on masking rules
  ◦ The original data cannot be retrieved, recovered or restored.

Page 36: Keeping Private Data Private

Centralized Mask Formats

• Format Library for Out-of-the-Box formats
  ◦ Credit Card Numbers
  ◦ Phone Numbers
  ◦ National Identifiers: SSN (US), National Insurance Number (UK)
• Mask Formats built on Mask Primitives
  ◦ Random Numbers
  ◦ Random Digits
  ◦ Random Dates
  ◦ Constants
• Masking Functions
  ◦ Shuffle: column values used in different rows; useful when the range of values in a column is not known
• User-defined Formats
  ◦ Defined using PL/SQL
  ◦ Example: complexly formulated account numbers can be generated using fictitious values but providing functionality for the application
• Deterministic Masks
  ◦ For maintaining RI when masking across application environments
  ◦ Consistent mask in CRM/ERP and DW

Page 37: Keeping Private Data Private

Portable Masking Definition

• A Built-in Search Function on Data Dictionary
  ◦ Helps identify all tables and columns containing SPI
  ◦ Maps to appropriate mask formats
• Related Application Column Capability
  ◦ Automatically identifies RI based on Foreign Keys that are maintained in the Data Dictionary
  ◦ Application-defined relationships that are not maintained in the Data Dictionary can be added

Page 38: Keeping Private Data Private

Condition-based Masking

• Assign multiple mask formats to a column dependent on specific conditions
  ◦ Example: Multi-national HR System and National Identifiers depending on Country of employee:
    If employee is US, use SSN mask
    If employee is UK, use National Insurance mask
    If employee is Canadian, use Social Insurance mask

Page 39: Keeping Private Data Private

Compound Masking

• For multiple related columns within a row
  ◦ Example: Must have a valid address (City for State, Zip for City)

      City      State  Zip
Prod  Atlanta   GA     30303
Test  New York  NY     10002

Page 40: Keeping Private Data Private

Application Masking Template

• XML File containing all masking definitions
  ◦ Created via the Export Masking Definition capability
  ◦ Can be loaded into other databases
  ◦ Can be used to restore the original masking definitions if a mask definition is improperly altered

Page 41: Keeping Private Data Private

Steps in the Masking Process

• Define Mask Formats
• Assign Masking Definitions to the Application Masking Template
• Run a Series of Validation Steps to ensure the script can run without errors
  ◦ One step checks RI, Uniqueness Constraints, Column Lengths, Data Types, etc.
• Generate the PL/SQL-based Masking Script
• Create a fully-loaded database as a target for the Masking Script
• Transfer Masking Script to target database
• Execute the Masking Script
  ◦ CREATES a Masked Replacement for the Original TABLE
  ◦ REPLACES the Table containing sensitive data with an identical table containing masked data, maintaining the original database's Constraints, Referential Integrity and Associated Access Structures (i.e. Indexes, Partitions, Permissions, etc.)
  ◦ Executes in Parallel
  ◦ Disables Database Logging
  ◦ Then DROPs the original table containing sensitive data AFTER the Masking Process is completed

NOTE: Target TABLE contains the actual production values until the masking process is completed!!!

Page 42: Keeping Private Data Private

Secure Clone-and-Mask Workflow

• ODMP integrates with OEM Database Cloning
  ◦ Separate from the Standalone Process
  ◦ Can Add Data Masking to the Clone Process
• Point the PRD Database to a Staging Environment
• Specify the Masking Definitions to be run AFTER Cloning
• Cloned Database is brought up in RESTRICTED mode to prevent non-administrative access to the database
• Executes the Masking Script
• Then opens the database for unrestricted use ONLY UPON VERIFYING THAT THE MASKING PROCESS HAS COMPLETED SUCCESSFULLY.

Page 43: Keeping Private Data Private

ODMP: Key Considerations

• The most secure approach:
  ◦ Clone the production database to a Staging Area
  ◦ Mask it
  ◦ Then Export/Import it to another Database in the Test Region
  ◦ This automatically drops the masking table and the unmasked data files
• Less Secure Approach:
  ◦ You can clone the production database to a mask staging area, then make the staging area the new test region.
  ◦ The masked database contains the original data in unused blocks and in the free list.
  ◦ You can only purge this information by exporting/importing the data to another database.

Page 44: Keeping Private Data Private