Database Confidentiality


Presentation Transcript


  1. Database Confidentiality A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.

  2. The Business Problem
  • 44 states have enacted laws under which companies that lose customer or employee data can be held liable
  • In our most recent HR audit we discovered the following flaws:
    • Data is stored in an unsecured manner
    • Lack of compliance with the Corporate Data Privacy Policy
    • Varying interpretations of how the Data Privacy Policy applies
    • Transfer of unsecured data to various vendors
    • Lack of control over data usage and access

  3. Why you need to worry about data confidentiality
  • Auditors are increasingly concerned with personally identifiable data
  • US Sarbanes-Oxley Act
  • Global companies need to worry about Safe Harbor for global data
  • Increased awareness of identity theft
  • Health information
  • Use technology, not only policy, to protect data
  • Proactive measures instead of responsive measures after data has already been exposed

  4. Pros and Cons of Other Solutions

  5. Risk/Benefit Analysis

  6. Our Suggested Solution – Vormetric Data Security

  7. Why is this better than other solutions?
  • Improves on basic encryption with high-speed 128/256-bit file-based encryption, which resolves the performance issues of other encryption solutions
  • Improved database intrusion detection because it is context aware: it knows all the users, their access hours and their abilities
  • Improved data leak prevention, since it prevents the unencrypted data from even being accessed, let alone removed from the system

  8. Pricing Scenario
  • Vormetric appliance for production: $39,900.00
  • Vormetric appliance for development: $29,000.00
  • Unix / Windows Server Agent License for production: $6,250.00
  • Windows Server Agent License for development: $3,125.00
  • Oracle Database server agent License for production: $6,000.00
  • Oracle Database server agent License for development: $3,000.00
  • Total cost for this HR project: $88,175.00
  • These costs are significantly less than the $200,000 to $1 million per data set charged by other available solutions
  • The cost-to-risk ratio is good, as a data loss or compromise can cost millions in legal fees and lost customer or employee confidence

  9. Risk/Benefit Analysis
  • Concerns about encryption's impact on performance?
    • Data Security Expert delivers high-speed file-level encryption of stored data using a FIPS 140-2 certified AES (128/256-bit) algorithm
  • Concerns about data beyond the database level?
    • Data Security Expert provides file-level encryption because the underlying files in which data is stored are the primary point of attack
  • Concerns about administrator access to data?
    • Data Security Expert's "separation of duties" feature further restricts access to data by allowing system administrators and root users to maintain the system and back up data without being able to view the sensitive data

  10. Risk/Benefit Analysis
  • Concerns about authorized users taking unauthorized actions?
    • "Context-aware" control means that Data Security Expert grants access only to authorized users performing authorized operations on authorized applications during specific time windows
  • Concerns about being able to report on which users have accessed the system?
    • The system logs any attempted access to any data by any user: not only authorized access requests, but all attempts to circumvent authorized access channels
  • Concerns about legal regulations?
    • The system is entirely auditable to comply with Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), HIPAA, CA SB 1386, the EU Data Protection Act, Visa's CISP and the PCI requirements, and other mandates regarding the handling and protection of information
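The "context-aware" control and "separation of duties" features on slides 9 and 10 describe a policy model rather than code; the following is an added illustration of that model (not Vormetric's own implementation), with hypothetical rule names, users and applications, showing how a request is checked against user, operation, application and time window, and how every attempt, allowed or denied, lands in an audit log.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed illustration (not Vormetric's code) of the "context-aware" control
# and "separation of duties" described on slides 9 and 10: a request is allowed
# only if user, operation, application and time window all match a rule, and
# every attempt, allowed or denied, is appended to an audit log.

@dataclass(frozen=True)
class Rule:
    user: str
    operations: frozenset   # e.g. frozenset({"read", "write"})
    application: str        # program that may open the encrypted files
    start_hour: int         # inclusive, 24h clock
    end_hour: int           # exclusive

@dataclass(frozen=True)
class AccessRequest:
    user: str
    operation: str
    application: str
    when: datetime

class ContextAwarePolicy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit_log = []  # every attempt, including denials

    def _matches(self, rule, req):
        return (rule.user == req.user
                and req.operation in rule.operations
                and rule.application == req.application
                and rule.start_hour <= req.when.hour < rule.end_hour)

    def authorize(self, req):
        """True if any rule permits the request; the decision is logged either way."""
        allowed = any(self._matches(r, req) for r in self.rules)
        self.audit_log.append((req.when.isoformat(), req.user, req.operation,
                               req.application, "ALLOW" if allowed else "DENY"))
        return allowed

# Hypothetical HR policy: the payroll application may read and write during
# business hours; root may only run backups (copying ciphertext) and never read.
POLICY = ContextAwarePolicy([
    Rule("hr_payroll", frozenset({"read", "write"}), "payroll.exe", 8, 18),
    Rule("root", frozenset({"backup"}), "backup-agent", 0, 24),
])

def check(user, op, app, hour):  # evaluate one request on a constructed date
    return POLICY.authorize(AccessRequest(user, op, app, datetime(2024, 3, 4, hour)))
```

The denied root read attempt is what an auditor would look for in the log: it records an attempt to bypass the authorized channel, not just successful access.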

  11. Business Impact
  • This will secure all HR-related data at all levels with minimal performance impact:
    • Database/OS
    • Backup
    • Data transfers
  • Will allow users to access their own HR data securely and block access to all unauthorized users
  • Administrators can work on the system without seeing confidential data

  12. Cross-Industry Legal Application
  • HIPAA - Confidentiality and integrity controls for protected health information (PHI)
  • GLBA - Privacy and protection for sensitive personally identifiable information
  • PCI-DSS - Broadest solution for encryption, key management, access control and audit, which uniquely removes roadblocks to compliance with PCI encryption requirements
  • SOX - Integrity, access and audit controls for financial data, plus trade secret protection to reduce the risk of Sarbanes-Oxley material events
  • State Breach Notification Laws - Transparent, cost-effective encryption to eliminate data breach notification requirements
