Keeping Private Data Private
Avoiding your 15 Minutes on CNN
Tony Cannizzo | President, Silos-Connect Technologies
May 11, 2015
Comprehensive Data Security
• Identity Management
  ◦ Authorization (roles)
  ◦ Authentication (users)
• Admin Control
  ◦ Separation of Duties (SoD)
  ◦ Configuration and Change Management
• Auditing / Monitoring
  ◦ Who is accessing what, when, where and how
  ◦ Identify unusual user behaviors
• Encryption
  ◦ Protect stored data (backups, drives)
  ◦ Protect data in transit (network, wireless)
• Data Masking
  ◦ Protect test data
  ◦ Protect production data
Data Masking in Production
Gartner:
• 80% of high-cost security incidents occur when data from inside the organization gets out
• Most data leakage occurs by accident or because of poor business processes
• Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network.
When they talk about Fort Knox, they don't talk about the 3-foot thick granite walls or the 22-ton blast-proof doors. They worry about who is watching the GOLD!
Why Mask Data?
• Survival: protect the business
• Legal: required by law
Masking protects sensitive data while simultaneously enabling users to have the appropriate data access to complete business processes.
What Was the Original Purpose?
To give Dev/Test teams realistic test data to work with without exposing production data. The concept came up in reaction to the limitations of other test data generation strategies:
◦ Cloned production databases
◦ Image copies from backup
◦ Selective subset
◦ Random test data generators
◦ Iterative executions of applications
◦ Keyed in from scratch
Testing with Production Data
BENEFITS
• Readily available
• Referential integrity (RI) is already established
• Will eventually need to run a volume test anyway
• "If it runs against production . . . it will run against anything" (Right?)
DOWNSIDE
• Heavy on records, "lite" on test cases
• Too large for multiple copies
• Test executions take longer to run
• Confidential and sensitive data values in a non-secured environment
How Real is THIS? (cartoon: "HA! My son is a SYSDBA. You better not do surgery on ME!")
Same as Encryption?
Encryption
◦ Protects data at rest or in transit
◦ Data must be decrypted to be used
◦ Does not prevent abuse at the final destination
◦ Can often be identified because it is encrypted: hackers will target encrypted or marked data, as it says "I am valuable data"
Masked Data
◦ Protects data in motion and in use
◦ Never gets unmasked
◦ If it can't be seen, it can't be abused
The "never gets unmasked" property holds for static masking, where the masked copy replaces the sensitive values outright. With dynamic masking (later in this deck) the database still holds the originals, so the masking rules and the proxy that enforces them become the control that has to be protected.
What Needs to be Masked: PCI DSS
Payment Card Industry Data Security Standard
Cardholder Data
◦ Primary Account Number (PAN)
◦ Cardholder Name
◦ Service Code
◦ Expiration Date
Sensitive Authentication Data (storage permitted: No)
◦ Full magnetic stripe data
◦ CAV2/CVC2/CVV2/CID
◦ PIN/PIN block
Access control by IP address / MAC address, application/service, and user accounts/groups: ensure that each entity only has access to its own cardholder data environment.
What Needs to Be Masked: HIPAA
• Names
• Geographic subdivisions smaller than a state
  ◦ Street address, city, county, precinct
  ◦ Zip code, except the first 3 digits if the area covered by those 3 digits contains more than 20,000 people; if 20,000 people or fewer, change the first three digits to '000'
• All elements of dates (except year) directly related to an individual, up to 89 years of age: date of birth, admission date, discharge date, date of death
• Over 89 years of age: all elements of dates INCLUDING year indicative of such age; such dates and elements may be aggregated into a single category of "90 & older"
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Numbers (or other national or international identifiers)
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identification numbers, including serial numbers and license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs) and IP addresses
• Biometric identifiers, including fingerprints and voice prints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic or code
Data Masking: Available Methods
Masking with a mapping table
◦ Build a mapping table (orig_value, mask_value)
◦ Disable constraints
◦ Rename the table
◦ Recreate and reload it from the renamed table and the mapping table
◦ Enable constraints, collect statistics
◦ Drop the renamed table and the mapping table
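The mapping-table procedure above, run end to end on an in-memory SQLite database. This is an added example, not code from the deck or from any Oracle tool: the CUSTOMER/ORDERS schema, the sample rows and the keyed-hash mask function mask_ssn are constructed for illustration, and SQLite's PRAGMA foreign_keys stands in for Oracle's ENABLE/DISABLE CONSTRAINT. It goes one step beyond the slide by masking a key that two tables share, so the reload keeps referential integrity, and by checking afterwards that no original value and no unmasked copy is left behind.

```python
import hashlib
import re
import sqlite3

# Constructed sample schema: ORDERS references CUSTOMER.SSN, so the same
# original value must map to the same masked value in both tables.
SAMPLE_SCHEMA = """
CREATE TABLE customer (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY,
                     ssn TEXT NOT NULL REFERENCES customer(ssn), amount REAL);
INSERT INTO customer VALUES ('123-45-6789', 'Tiger'), ('987-65-4321', 'Nelson');
INSERT INTO orders VALUES (1, '123-45-6789', 20.0), (2, '987-65-4321', 15.5),
                          (3, '123-45-6789', 7.25);
"""
ORIGINAL_SSNS = ("123-45-6789", "987-65-4321")


def open_sample_db() -> sqlite3.Connection:
    # autocommit mode: PRAGMA foreign_keys is silently ignored inside a transaction
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def mask_ssn(ssn: str, secret: bytes) -> str:
    """Hypothetical deterministic, format-preserving mask: nine digits taken from
    a keyed hash of the original. Same input + same secret -> same output, which
    is what keeps the key consistent across tables. The secret must not be kept
    with the masked copy, or the mapping can be rebuilt by brute force."""
    digest = hashlib.sha256(secret + ssn.encode()).hexdigest()
    digits = str(int(digest, 16) % 10**9).zfill(9)
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_database(conn: sqlite3.Connection, secret: bytes) -> None:
    """The slide's procedure, one numbered step per comment."""
    # 1. Build the mapping table (orig_value, mask_value) for every distinct key.
    conn.execute("CREATE TABLE ssn_map (orig_value TEXT PRIMARY KEY, mask_value TEXT UNIQUE)")
    for (ssn,) in conn.execute("SELECT ssn FROM customer").fetchall():
        conn.execute("INSERT INTO ssn_map VALUES (?, ?)", (ssn, mask_ssn(ssn, secret)))
    # 2. Disable constraints so the reload order does not matter.
    conn.execute("PRAGMA foreign_keys = OFF")
    # 3. Rename the tables; 4. recreate them and reload through the mapping table.
    conn.executescript("""
        ALTER TABLE customer RENAME TO customer_unmasked;
        ALTER TABLE orders RENAME TO orders_unmasked;
        CREATE TABLE customer (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY,
                             ssn TEXT NOT NULL REFERENCES customer(ssn), amount REAL);
        INSERT INTO customer
            SELECT m.mask_value, c.name
            FROM customer_unmasked c JOIN ssn_map m ON m.orig_value = c.ssn;
        INSERT INTO orders
            SELECT o.order_id, m.mask_value, o.amount
            FROM orders_unmasked o JOIN ssn_map m ON m.orig_value = o.ssn;
    """)
    # 5. Enable constraints and collect statistics.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("ANALYZE")
    # 6. Drop the renamed tables and the mapping table. This is the step that
    #    actually removes the sensitive values; child table first so the FK
    #    check performed on DROP cannot fail.
    conn.executescript("""
        DROP TABLE orders_unmasked;
        DROP TABLE customer_unmasked;
        DROP TABLE ssn_map;
    """)


def check_masked(conn: sqlite3.Connection) -> dict:
    """Post-masking checks to run before the copy leaves the staging area."""
    rows = conn.execute("""
        SELECT c.ssn, c.name, COUNT(o.order_id)
        FROM customer c LEFT JOIN orders o ON o.ssn = c.ssn
        GROUP BY c.ssn, c.name ORDER BY c.name""").fetchall()
    placeholders = ",".join("?" * len(ORIGINAL_SSNS))
    leaked = conn.execute(
        f"SELECT COUNT(*) FROM customer WHERE ssn IN ({placeholders})", ORIGINAL_SSNS
    ).fetchone()[0]
    return {
        "rows": rows,            # (masked ssn, name, order count) per customer
        "leaked": leaked,        # any original value still present?
        "fk_errors": conn.execute("PRAGMA foreign_key_check").fetchall(),
        "leftovers": conn.execute(   # unmasked copies or mapping table still around?
            "SELECT name FROM sqlite_master WHERE name LIKE '%unmasked' OR name = 'ssn_map'"
        ).fetchall(),
        "format_ok": all(re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn) for ssn, _, _ in rows),
    }


if __name__ == "__main__":
    db = open_sample_db()
    mask_database(db, b"rotate-me-and-never-store-with-the-copy")
    for key, value in check_masked(db).items():
        print(f"{key}: {value}")
```

The "leftovers" check is the one that matters most in practice: a renamed table or a forgotten mapping table in the test copy is an unmasked copy of production, which is exactly the exposure the procedure was meant to remove.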
Oracle Data Masking Pack
• Clone: clone the production database to a staging area
• Mask: run the masking definitions against the staging copy
• Export/Import: export the masked database and import it into Test
ETL Solutions
• Extract from source
  ◦ Subset with selection criteria (optional but recommended)
• Mask the extracted data
  ◦ During extract? During load?
• Load to target (Test, QA, etc.)
  ◦ Bulk load, or inserts/updates?
Diagram: Prod → Extract → loadable file → Load or Insert/Update → Dev/Test
• Masking during extract: masks the loadable file; takes longer to run
• Masking during load: exposes the loadable file (it still holds production values); easier to refresh
Algorithms for Masking Sensitive Data
• Data substitution: replacing a value in the column with fictionalized data
• Truncating, hiding or nullifying: replaces column values with NULL or '****'
• Randomization: replacing the value with random data
• Skewing: alters numeric data by a random variance
• Scrambling: smart functions created in PL/SQL
• Character substring masking: shows a portion of the actual value and hides the rest
• Shuffling: uses values from other rows
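The algorithm catalog above as working functions over a constructed sample column. This is an added example, not code from the deck (which implements these as PL/SQL functions); the sample account numbers, salaries and the fake-name pool are made up, and the seeded RNG is an assumption so a run is reproducible. It also shows the side effect the "Key Considerations" slide warns about: shuffling keeps the column's distribution and cardinality, randomization does not.

```python
import hashlib
import random
from collections import Counter

# Constructed sample columns; one account number is repeated on purpose so the
# effect on data distribution and cardinality is visible.
SAMPLE_ACCOUNTS = ["3072-100924-90212", "3072-100924-90212",
                   "4511-220871-11003", "6011-009912-77654"]
SAMPLE_SALARIES = [52000.0, 61000.0, 61000.0, 98000.0]
FAKE_NAMES = ["Bell", "Cave", "Lennon", "Lenin", "Kahlo", "Curie", "Turing", "Noether"]


def substitute(value: str, pool=FAKE_NAMES) -> str:
    """Data substitution: replace with a fictionalized value. Picked by a hash of
    the original so the same input always gets the same substitute (RI-friendly)."""
    digest = hashlib.sha256(value.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def nullify(value, placeholder="****"):
    """Truncating / hiding / nullifying: the value is gone, only its presence remains."""
    return placeholder


def randomize_digits(value: str, rng: random.Random) -> str:
    """Randomization: every digit replaced by a random digit, separators kept."""
    return "".join(str(rng.randrange(10)) if ch.isdigit() else ch for ch in value)


def skew(value: float, variance: float, rng: random.Random) -> float:
    """Skewing: numeric data altered by a random variance of up to +/- `variance`."""
    return round(value * (1.0 + rng.uniform(-variance, variance)), 2)


def substring_mask(value: str, show_last: int = 4, mask_char: str = "X") -> str:
    """Character substring masking: show the tail, hide the rest, separators kept."""
    cut = len(value) - show_last
    head = "".join(mask_char if ch.isalnum() else ch for ch in value[:cut])
    return head + value[cut:]


def shuffle(column: list, rng: random.Random) -> list:
    """Shuffling: values from other rows. Keeps the column's distribution exactly."""
    out = list(column)
    rng.shuffle(out)
    return out


def distribution(column: list) -> dict:
    """Value frequencies: what volume tests and report queries depend on."""
    return dict(Counter(column))


def mask_column(column: list, method: str, seed: int = 7) -> list:
    """Apply one slide method to a whole column with a seeded RNG (reproducible;
    the seed must not travel with the masked copy)."""
    rng = random.Random(seed)
    return {
        "substitute": lambda: [substitute(v) for v in column],
        "nullify": lambda: [nullify(v) for v in column],
        "randomize": lambda: [randomize_digits(v, rng) for v in column],
        "skew": lambda: [skew(v, 0.10, rng) for v in column],
        "substring": lambda: [substring_mask(v) for v in column],
        "shuffle": lambda: shuffle(column, rng),
    }[method]()


if __name__ == "__main__":
    for method in ("substitute", "nullify", "randomize", "substring", "shuffle"):
        print(f"{method:>10}: {mask_column(SAMPLE_ACCOUNTS, method)}")
    print(f"{'skew':>10}: {mask_column(SAMPLE_SALARIES, 'skew')}")
    print("cardinality original/randomized/shuffled:",
          len(distribution(SAMPLE_ACCOUNTS)),
          len(distribution(mask_column(SAMPLE_ACCOUNTS, 'randomize'))),
          len(distribution(mask_column(SAMPLE_ACCOUNTS, 'shuffle'))))
```

Substring masking reproduces the deck's presentation-layer example (3072-100924-90212 becomes XXXX-XXXXXX-X0212). Substitution is keyed on the original value rather than on a row counter so that the same value masks the same way in every table it appears in; randomization and skewing are the only methods here that break duplicates, which is why they change cardinality.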
Key Considerations
Remember, this is static data masking
◦ Values are physically stored in the tables/columns
◦ One size may not fit all
Look out for:
◦ Mutually exclusive test cases
◦ Referential integrity
◦ Data distribution
◦ Cardinality
◦ Frequency/duration of extracts
◦ Frequency/variety of target environments
◦ Be sure to delete all copies of unmasked extracts
Data Masking at the Presentation Layer
SELECT ACCT_NUM           → 3072-100924-90212
SELECT TRUNCATE(ACCT_NUM) → XXXX-XXXXXX-X0212

Dynamic Data Masking: The Next Frontier
• Works in production as well as Dev/Test
• Database retains original values
• Selectively masks data in real time
• Transparent to clients, applications, databases
• Implemented on the SQL*Net protocol layer: acts as a SQL*Net proxy / Oracle listener
• Catches inbound SQL statement protocol packets
• Applies security policies as pre-defined rules
Scenarios for Dynamic Data Masking
• Selective data masking
• Application support / help desk
• Application misuse
• Application user
• QA team capturing scripts
• Privileged user control
Privileged User Control (screenshot): this user has SYSDBA ... and so does this one.
How Did You Do That?
Quick example of our rules editor
◦ Matches any SQL
◦ Masking actions: mask 'salary' values in all tables; hide 'job name' in all tables; scramble 'name' in all tables
Dynamic Data Masking (ActiveBase Security)
Application / Web / dev tools (SQL*Plus, DB links, etc.) → ActiveBase Security proxy → Oracle Database
User rules apply 'Rewrite' or 'Block' actions on incoming SQL requests.
Original SQL:          select .., name, .. from ..
After the rewrite rule: select .., '****', .. from ..

Rule examples. In each case the original SQL is "select name, .. from .." and, without a rule, returns Name = Tiger, Nelson, Rogers, Rosen.
• Scrambling rules: rewritten to "select scrmbl(name) .."; result: Bell, Cave, Lennon, Lenin
• Hiding rules: rewritten to "select substr(name,1,2)||'***' .."; result: Ti***, Ne***, Ro***, Ro***
• Masking rules: rewritten to "select .., '', .. from .."; result: an empty Name column
• Blocking rules: the request is not executed; returned message: "You are not allowed to access this personal information!"
More than Just Masking Data
User profiles are NOT just based on DB privilege level:
• Employee vs contractor
• Local vs offshore
• Developer vs DBA
• End-user vs IT staff
Other actions:
• Block the request
• Send an alert to the business and/or a notification to the user
• Quarantine: block sessions and new connections from the same machine or user for 'X' minutes
• Apply delays between each subsequent request
• Kill session(s)
• Log an audit trail of activity
Enforce Dev Tool Usage Policies
Applies to Toad, DBArtisan, SQL*Plus, etc.
• Restrict parallel load: allow up to four parallel servers for all Toad requests, or dynamically remove the parallelism from the request
• Block specific DB activities from either authorized or unauthorized users: locks, drop table, drop synonym, drop grant
• Selectively prevent DML, DCL and DDL commands from unauthorized users
• Automatically redirect requests to the REPORT DB when the request includes certain conditions
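A toy version of the proxy-side rule engine described in the last three slides: rewrite and block rules keyed on a user profile (employee/contractor, local/offshore, developer/DBA/support/end-user), plus the dev-tool policies (block DDL/DCL from Toad or SQL*Plus, strip the parallel hint). This is an added example, not ActiveBase code or any vendor's rule format: the Session fields, the COLUMN_RULES table, the employees table and the scrmbl() stand-in are constructed for illustration, and SQLite executes the rewritten statement so the before/after results can be compared. It matches column names with a regular expression rather than parsing SQL*Net packets, which is enough to show the rule semantics but would not survive aliases or string literals in a real deployment.

```python
import hashlib
import re
import sqlite3
from dataclasses import dataclass

FAKE_NAMES = ["Bell", "Cave", "Lennon", "Lenin", "Kahlo", "Curie", "Turing", "Noether"]
PERSONAL_INFO_MSG = "You are not allowed to access this personal information!"
DEV_TOOLS = {"toad", "sqlplus"}
DDL_DCL = re.compile(r"^\s*(drop|alter|truncate|grant|revoke|lock)\b", re.I)
PARALLEL_HINT = re.compile(r"/\*\+\s*parallel\b[^*]*\*/", re.I)


class BlockedRequest(Exception):
    """A blocking rule fired; the statement never reaches the database."""


@dataclass(frozen=True)
class Session:
    """Who is asking, from where, with what: the slide's profile axes, none of
    which is a database privilege."""
    user: str
    role: str         # 'dba', 'developer', 'support', 'end_user'
    employment: str   # 'employee' or 'contractor'
    location: str     # 'local' or 'offshore'
    program: str      # 'app', 'toad', 'sqlplus'


# Per-column rules, first match wins: (predicate on the session, action, replacement SQL)
COLUMN_RULES = {
    "name": [
        (lambda s: s.role == "dba" and s.location == "offshore", "block", None),
        (lambda s: s.employment == "contractor", "rewrite", "substr(name,1,2)||'***'"),  # hiding
        (lambda s: s.role == "developer", "rewrite", "scrmbl(name)"),                    # scrambling
        (lambda s: s.role == "support", "rewrite", "''"),                                # masking
    ],
    "salary": [
        (lambda s: not (s.role == "dba" and s.employment == "employee"), "rewrite", "NULL"),
    ],
}


def scrmbl(value: str) -> str:
    """Hypothetical stand-in for the deck's scrmbl() function, registered in the
    database below. Keyed on the value so joins on the column still line up."""
    digest = hashlib.sha256(value.encode()).digest()
    return FAKE_NAMES[int.from_bytes(digest[:4], "big") % len(FAKE_NAMES)]


def apply_rules(sql: str, s: Session) -> str:
    """Proxy-side policy: dev-tool restrictions first, then per-column rules."""
    if s.program in DEV_TOOLS and DDL_DCL.match(sql):
        raise BlockedRequest(f"{s.program}: DDL/DCL is not allowed from development tools")
    sql = PARALLEL_HINT.sub("", sql)          # dynamically remove parallelism from the request
    for column, rules in COLUMN_RULES.items():
        pattern = re.compile(rf"\b{column}\b", re.I)
        if not pattern.search(sql):
            continue
        for predicate, action, replacement in rules:
            if predicate(s):
                if action == "block":
                    raise BlockedRequest(PERSONAL_INFO_MSG)
                sql = pattern.sub(replacement, sql)
                break
    return sql


def open_sample_db() -> sqlite3.Connection:
    # Constructed employees table with the deck's four names.
    conn = sqlite3.connect(":memory:")
    conn.create_function("scrmbl", 1, scrmbl)
    conn.executescript("""
        CREATE TABLE employees (name TEXT, salary REAL);
        INSERT INTO employees VALUES ('Tiger', 52000), ('Nelson', 61000),
                                     ('Rogers', 61000), ('Rosen', 98000);
    """)
    return conn


def run_query(conn: sqlite3.Connection, sql: str, s: Session) -> list:
    """What the client gets back: rows of the rewritten statement, or BlockedRequest."""
    return conn.execute(apply_rules(sql, s)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    q = "select name, salary from employees order by rowid"
    for who in (Session("ann", "end_user", "employee", "local", "app"),
                Session("bob", "developer", "contractor", "offshore", "toad"),
                Session("cat", "support", "employee", "local", "app"),
                Session("dan", "dba", "contractor", "offshore", "sqlplus")):
        try:
            print(who.user, apply_rules(q, who), run_query(db, q, who))
        except BlockedRequest as err:
            print(who.user, "BLOCKED:", err)
```

Rule order is the policy: bob is both a contractor and a developer, and the hiding rule wins because it is listed first. A SYSDBA connecting from offshore is blocked from the name column regardless of privilege, which is the "privileged user control" scenario from the earlier slide.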
ActiveBase Modules Overview
User → Application → ActiveBase in-line proxy modules (automatic rules, or a manual operator) → Oracle Database Server
• Performance Module
  ◦ Applies SQL hints / rewrites for improving performance
  ◦ Blocks / defers the 'request-from-hell' to safeguard production
  ◦ Redirects report / ad-hoc queries to a replication / history DB
• Security Module
  ◦ Masks personal information for outsourced support and IT
  ◦ Blocks offensive requests / SQL injection / CPU risks
  ◦ Scrambles / encrypts confidential and personal fields
• Prioritization module (DB server)
  ◦ Allocates database server resources to processes according to transaction importance
• Tuning Robot
AB*Performance Rule Examples
THANK YOU!
Tony Cannizzo | President
Silos-Connect Technologies (soon to be: Dynamic Database Solutions / DynamicDB)
[email protected] 580 3451
Questions, Comments, Jokes?
Oracle Data Masking: Optional Backup Slides

OEM 10g Data Masking Pack
• Copy production data to other environments: Dev, Test, Staging
• Irreversible process
  ◦ Replaces sensitive data with realistic-looking but scrubbed data, based on masking rules
  ◦ The original data cannot be retrieved, recovered or restored
Centralized Mask Formats
• Format library for out-of-the-box formats: credit card numbers, phone numbers, national identifiers (SSN (US), National Insurance Number (UK))
• Mask formats built on mask primitives: random numbers, random digits, random dates, constants
• Masking functions
  ◦ Shuffle: column values used in different rows; useful when the range of values in a column is not known
• User-defined formats
  ◦ Defined using PL/SQL
  ◦ Example: complexly formulated account numbers can be generated using fictitious values while still providing functionality for the application
• Deterministic masks
  ◦ For maintaining RI when masking across application environments
  ◦ Consistent mask in CRM/ERP and DW
• A built-in search function on the data dictionary
  ◦ Helps identify all tables and columns containing SPI
  ◦ Maps them to appropriate mask formats
• Related application column capability
  ◦ Automatically identifies RI based on foreign keys that are maintained in the data dictionary
  ◦ Application-defined relationships that are not maintained in the data dictionary can be added
Portable Masking Definition
Condition-based Masking
Assign multiple mask formats to a column dependent on specific conditions
◦ Example: multi-national HR system and national identifiers depending on the country of the employee:
  If the employee is US, use the SSN mask
  If the employee is UK, use the National Insurance mask
  If the employee is Canadian, use the Social Insurance mask

Compound Masking
For multiple related columns within a row
◦ Example: must have a valid address (city for state, zip for city)

       City      State  Zip
Prod   Atlanta   GA     30303
Test   New York  NY     10002
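Condition-based and compound masking from the two slides above, as an added example that is not the Data Masking Pack's code or mask-format library. The identifier formats are simplified assumptions (US SSN ###-##-####, UK National Insurance number as two letters, six digits and a suffix letter A-D, Canadian SIN ###-###-###), the VALID_ADDRESSES lookup and the HR rows are constructed, and the keyed hash that drives every replacement is an assumption chosen so the masks are deterministic and therefore consistent across tables.

```python
import hashlib
import re

# Constructed lookup of valid (city, state, zip) combinations: a compound mask
# swaps the whole tuple so the city still matches the state and the zip.
VALID_ADDRESSES = [
    ("Atlanta", "GA", "30303"),
    ("New York", "NY", "10002"),
    ("Chicago", "IL", "60604"),
    ("Denver", "CO", "80202"),
]

# Simplified identifier formats (assumptions for this example).
ID_FORMATS = {
    "US": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "UK": re.compile(r"[A-Z]{2}\d{6}[A-D]"),
    "CA": re.compile(r"\d{3}-\d{3}-\d{3}"),
}


def _stream(value: str, secret: bytes) -> int:
    """Keyed hash of the original as one big integer: the source of every digit
    or letter below, so the same original always masks the same way."""
    return int(hashlib.sha256(secret + value.encode()).hexdigest(), 16)


def mask_national_id(country: str, value: str, secret: bytes) -> str:
    """Condition-based masking: the mask format depends on the employee's country."""
    n = _stream(value, secret)
    if country == "US":
        d = str(n % 10**9).zfill(9)
        return f"{d[:3]}-{d[3:5]}-{d[5:]}"
    if country == "CA":
        d = str(n % 10**9).zfill(9)
        return f"{d[:3]}-{d[3:6]}-{d[6:]}"
    if country == "UK":
        letters = "".join(chr(ord("A") + (n >> shift) % 26) for shift in (0, 8))
        digits = str((n >> 16) % 10**6).zfill(6)
        suffix = "ABCD"[(n >> 40) % 4]
        return f"{letters}{digits}{suffix}"
    raise ValueError(f"no mask format defined for country {country!r}")


def mask_address(city: str, state: str, zip_code: str, secret: bytes) -> tuple:
    """Compound masking: the related columns are replaced together with one valid
    tuple, never city, state and zip independently."""
    n = _stream(f"{city}|{state}|{zip_code}", secret)
    return VALID_ADDRESSES[n % len(VALID_ADDRESSES)]


def mask_employee(row: dict, secret: bytes) -> dict:
    """One HR row through both rules; columns without a rule are copied as-is."""
    masked = dict(row)
    masked["national_id"] = mask_national_id(row["country"], row["national_id"], secret)
    masked["city"], masked["state"], masked["zip"] = mask_address(
        row["city"], row["state"], row["zip"], secret)
    return masked


def is_valid_format(country: str, value: str) -> bool:
    """The validation step: does the masked value still fit the column's format?"""
    return bool(ID_FORMATS[country].fullmatch(value))


# Constructed sample rows; the national_id values are made up.
SAMPLE_ROWS = [
    {"emp": 1, "country": "US", "national_id": "123-45-6789",
     "city": "Atlanta", "state": "GA", "zip": "30303"},
    {"emp": 2, "country": "UK", "national_id": "QQ123456C",
     "city": "Atlanta", "state": "GA", "zip": "30303"},
    {"emp": 3, "country": "CA", "national_id": "046-454-286",
     "city": "New York", "state": "NY", "zip": "10002"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(mask_employee(row, b"example-secret"))
```

Two employees who share an address get the same masked address, because the compound mask is keyed on the original tuple; that is the deterministic-mask behaviour the "Centralized Mask Formats" slide asks for when the same data lives in CRM, ERP and the warehouse.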
XML file containing all masking definitions
◦ Created via the Export Masking Definition capability
◦ Can be loaded into other databases
◦ Can be used to restore the original masking definitions if a mask definition is improperly altered
Application Masking Template
Steps in the Masking Process
• Define mask formats
• Assign masking definitions to the Application Masking Template
• Run a series of validation steps to ensure the script can run without errors
  ◦ One step checks RI, uniqueness constraints, column lengths, data types, etc.
• Generate the PL/SQL-based masking script
• Create a fully-loaded database as a target for the masking script
• Transfer the masking script to the target database
• Execute the masking script
  ◦ CREATES a masked replacement for the original TABLE
  ◦ REPLACES the table containing sensitive data with an identical table containing masked data, maintaining the original database's constraints, referential integrity and associated access structures (indexes, partitions, permissions, etc.)
  ◦ Executes in parallel, with database logging disabled
  ◦ Then DROPs the original table containing sensitive data AFTER the masking process is completed
NOTE: the target TABLE contains the actual production values until the masking process is completed!!!
Secure Clone-and-Mask Workflow
ODMP integrates with OEM database cloning
◦ Separate from the standalone process
◦ Can add data masking to the clone process
• Point the PRD database to a staging environment
• Specify the masking definitions to be run AFTER cloning
• The cloned database is brought up in RESTRICTED mode to prevent non-administrative access
• Execute the masking script
• Then open the database for unrestricted use, ONLY UPON VERIFYING THAT THE MASKING PROCESS HAS COMPLETED SUCCESSFULLY
ODMP: Key Considerations
The most secure approach
◦ Clone the production database to a staging area
◦ Mask it
◦ Then export/import it to another database in the Test region
◦ This automatically drops the masking table and the unmasked data files
Less secure approach
◦ You can clone the production database to a mask staging area, then make the staging area the new test region
◦ The masked database still contains the original data in unused blocks and in the free list
◦ You can only purge this information by exporting/importing the data to another database