
Securing Your Data and Your Brand: A Data Privacy Case Study

Learn about the importance of protecting privacy, the risks of data breaches, and considerations for a privacy project. Discover success stories and how Princeton Softech can help.


Presentation Transcript


  1. Securing Your Data and Your Brand: A Data Privacy Case Study Eric Offenberg, CIPP, Product Marketing Manager Tim Smith, Technical Product Manager Princeton Softech

  2. Agenda • About Protecting Privacy • What’s at Stake? • About Data Breaches • The Easiest Way to Expose Private Data • Considerations for a Privacy Project • Success Stories • About Princeton Softech No part of this presentation may be reproduced or transmitted in any form by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Princeton Softech, Inc.

  3. Disclaimer This presentation is intended to provide general background information, not regulatory, legal or other advice. Princeton Softech, Inc. cannot and does not provide such advice. Readers are advised to seek competent assistance from qualified professionals in the applicable jurisdictions for the types of services needed, including regulatory, legal or other advice.

  4. The Corporate View of Data Privacy • Read all about it… • Data breaches • Identity Theft • Laws are multiplying • PCI • GLBA • HIPAA • Data Breach Notification Acts • 6 Data Breaches per F1000 company per year is the Industry Norm* • Data Privacy Projects are still more reactive than proactive • Development, Backup and Testing environments remain vulnerable! • Bottom Line…Companies are having trouble securing sensitive data! * Source: IT Compliance Group, 2007

  5. Common Legislative Themes • Government regulations protect consumers • USA: HIPAA, Gramm-Leach-Bliley Act (GLB), California Security Breach Notice Statute • European Union: Personal Data Protection Directive 1998 • UK: Data Protection Act of 1998 • Australia: Privacy Amendment Act of 2000 • Canada: Personal Information Protection and Electronic Documents Act • PCI Data Security Standard (including new state laws)

  6. IT is Becoming the Target US Senate Bill Holds IT Managers Responsible for Privacy Breaches By Scott M. Fulton, III, BetaNews February 8, 2007, 8:09 PM A bill introduced in the US Senate on Tuesday by Judiciary Committee Chairman Patrick Leahy (D - Vermont), along with one independent and one Republican backer, aims to strengthen security requirements for all private databases accessible online that may hold personal information. Reintroducing language that had been stalled since 2005, if passed, the bill could hold IT managers accountable and responsible for security breaches where personal information is pilfered.

  7. What’s at Stake? • Fines and penalties • Loss of customer loyalty • Loss of revenue • Share price erosion • Negative publicity • “Brand equity” damage • Damage to company reputation • Increased operations costs To date, personal information for at least 53 million US citizens has been lost, stolen or compromised

  8. Primary Benefits of Protecting Data • Assurance of integrity for company brand and image (46%) • Reduced concern about electronic theft (33%) • Less concern about data leakage and public news reports (30%) • Reduction and/or avoidance of litigation and cost (27%) * Source: IT Compliance Group Benchmark Study 2/07

  9. Where do F1000 Corporations Stand today?

  10. How Personal Data Was Lost

  11. Consumer Reaction Banking Customer Survey (Ponemon Institute)

  12. Cost to Company per Missing Record: $182 Over 100 million records lost at a cost of $16 Billion.

  13. Data Breach Examples

  14. What is Done to Protect Data Today? • Production “Lockdown” • Physical entry access controls • Network, application and database-level security • Multi-factor authentication schemes (tokens, biometrics) • Unique challenges in Development and Test • Replication of production safeguards not sufficient • Need “realistic” data to test accurately

  15. The Easiest Way to Expose Private Data …Internally with the Test Environment • 70% of data breaches occur internally (Gartner) • Test environments use personally identifiable data • Standard Non-Disclosure Agreements may not deter a disgruntled employee • What about test data stored on laptops? • What about test data sent to outsourced/overseas consultants? • Payment Card Data Security Industry Reg. 6.3.4 states, “Production data (real credit card numbers) cannot be used for testing or development” * The Solution is Data Masking *

  16. What is Data Masking? • AKA depersonalization, desensitization, or data scrubbing • Technology that helps conceal real data • Scrambles data to create new, legible data • Retains the data's properties, such as its width, type, and format • Common data masking algorithms include random, substring, concatenation, date aging • Used in Non-Production environments as a Best Practice to protect sensitive data

  17. The Top 3 Reasons Why Insiders Steal Data • Greed • Revenge • Love Source: US Attorney General’s Office, Eastern PA District

  18. How is Risk of Exposure being Mitigated? • No laptops allowed in the building • Development and test devices • Do not have USB • No write devices (CD, DVD, etc.) • Employees sign documents • Off-shore development does not do the testing • The use of live data is ‘kept quiet’

  19. Protecting Test Environments Forrester Research: “…IT’s own access to customer and personnel data must be examined – strictly speaking, none should actually be necessary. Test data must be “anonymized…. ” [sic] Information Week: “The search for consumer data and its uses doesn't stop at large production databases -- it extends to application test data and Web applications.”

  20. Encryption is not Enough • DBMS encryption protects against DBMS theft and hackers • Data decryption occurs as data is retrieved from the DBMS • Application testing displays data • Web screens under development • Reports • Data entry/update client/server devices • If data can be seen it can be copied • Download • Screen captures • Simple picture of a screen

  21. Strategic Issues for Implementing Data Privacy

  22. Data Masking Considerations • Establish a project leader/project group • Determine what you need to mask • Understand Application and Business Requirements • Top Level Masking Components • Project Methodology

  23. Data Privacy in Application Testing • Extract a relationally intact subset from production database(s) • Transform / mask sensitive data [Diagram labels: CUSTOMERS, ORDERS, DETAILS; Extract File; Load Files; LOAD; INSERT/UPDATE; QADB (CUST, ORD, DETL); TESTDB (CUST, ORD, DETL)] • Data transformation functions: • Propagation of masked primary keys to dependent foreign keys • Random number generation • Hard-code literals, special registers such as date, time • Substring and concatenation of values • Sequencing numeric fields (or parts of concatenated fields) • Arithmetic calculations • Lookup tables • Access to client-defined exit routines to apply complex algorithms

  24. Data Masking Consideration – Step 1 • Establish a Project Leader/Group • Many questions to be answered/decisions to be made • Project Focus • Inter-Departmental Cooperation • Use for additional Privacy Projects

  25. Data Masking Consideration – Step 2 • Determine what you need to mask • Customer Information • Employee Information • Company Trade Secrets • Other

  26. Data Masking Consideration – Step 3 • Understand Application and Business Requirements • Where do applications exist? • What is the purpose of the application(s)? • How close does replacement data need to match the original data? • How much data needs to be masked?

  27. Data Masking Consideration – Step 4: Masking Components (Top Level) • Masking is not simple! • Many DBMS • Legacy Files • Multiple platforms • Needs to fit within existing processes • Not a point solution – consider the enterprise • Not a one time process

  28. Component A - Consistency • Masking is a repeatable process • Subsystems need to match originating • The same mask needs to be applied across the enterprise • Predictable changes • Random change will not work • Change all ‘Jane’ to ‘Mary’ again and again

  29. Example: First and Last Name • Direct Response Marketing, Inc. is testing its order fulfillment system • To fictionalize customer names, use a random lookup function to pull first and last names randomly from the Customer Information table: • “Gerard Depardieu” becomes “Ronald Smith” • “Lucille Ball” becomes “Elena Wu”

  30. Example: Bank Account Numbers • First Financial Bank’s account numbers are formatted “123-4567” with the first three digits representing the type of account (checking, savings, or money market) and the last four digits representing the customer identification number • To mask account numbers for testing, use the actual first three digits, plus a sequential four-digit number • The result is a fictionalized account number with a valid format: • “001-9898” becomes “001-1000” • “001-4570” becomes “001-1001”

  31. Propagating Masked Data • Key propagation • Propagate values in the primary key to all related tables • Necessary to maintain referential integrity

      Customers Table

      | Cust ID | Name | Street |
      |---|---|---|
      | 08054 | Alice Bennett | 2 Park Blvd |
      | 19101 | Carl Davis | 258 Main |
      | 27645 | Elliot Flynn | 96 Avenue |

      Orders Table

      | Cust ID | Item # | Order Date |
      |---|---|---|
      | 27645 | 80-2382 | 20 June 2004 |
      | 27645 | 86-4538 | 10 October 2005 |

  32. Masking with Key Propagation • Referential integrity is maintained

      Original Data: Customers Table

      | Cust ID | Name | Street |
      |---|---|---|
      | 08054 | Alice Bennett | 2 Park Blvd |
      | 19101 | Carl Davis | 258 Main |
      | 27645 | Elliot Flynn | 96 Avenue |

      Original Data: Orders Table

      | Cust ID | Item # | Order Date |
      |---|---|---|
      | 27645 | 80-2382 | 20 June 2004 |
      | 27645 | 86-4538 | 10 October 2005 |

      De-Identified Data: Customers Table

      | Cust ID | Name | Street |
      |---|---|---|
      | 10000 | Auguste Renoir | Mars23 |
      | 10001 | Claude Monet | Venus24 |
      | 10002 | Pablo Picasso | Saturn25 |

      De-Identified Data: Orders Table

      | Cust ID | Item # | Order Date |
      |---|---|---|
      | 10002 | 80-2382 | 20 June 2004 |
      | 10002 | 86-4538 | 10 October 2005 |
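
An added example, not part of the presentation and not Optim code: a Python sketch of the repeatable masking, format-preserving account numbers and key propagation described in slides 28 to 32, run over the slides' sample rows. The masking key, lookup lists and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

MASK_KEY = b"constructed-demo-key"   # assumption: a secret held outside test systems
FIRST = ["Auguste", "Claude", "Pablo", "Mary", "Ronald", "Elena"]  # constructed lookups
LAST = ["Renoir", "Monet", "Picasso", "Smith", "Wu", "Jones"]
STREETS = ["Mars 23", "Venus 24", "Saturn 25", "Jupiter 26"]

def pick(value, choices):
    """Keyed lookup: the same input always maps to the same replacement."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return choices[int.from_bytes(digest[:4], "big") % len(choices)]

def mask_name(full_name):
    first, last = full_name.split(" ", 1)
    return f"{pick(first, FIRST)} {pick(last, LAST)}"

class SequentialKeys:
    """Hands out sequential replacement keys and remembers each assignment."""
    def __init__(self, start, width):
        self.next_value, self.width, self.assigned = start, width, {}

    def mask(self, original):
        if original not in self.assigned:
            self.assigned[original] = str(self.next_value).zfill(self.width)
            self.next_value += 1
        return self.assigned[original]

def mask_account(account, keys):
    """Keep the 3-digit account type; replace the 4-digit customer part."""
    account_type, customer_part = account.split("-")
    return f"{account_type}-{keys.mask(customer_part)}"

def mask_tables(customers, orders):
    """Mask customers, then propagate the new primary keys into orders."""
    keys = SequentialKeys(10000, 5)
    masked_customers = [(keys.mask(cid), mask_name(name), pick(street, STREETS))
                        for cid, name, street in customers]
    # An order whose Cust ID was never masked would break referential
    # integrity, so fail loudly (KeyError) rather than invent a key for it.
    masked_orders = [(keys.assigned[cid], item, date) for cid, item, date in orders]
    return masked_customers, masked_orders

# Sample rows taken from the slides' Customers and Orders tables.
CUSTOMERS = [("08054", "Alice Bennett", "2 Park Blvd"),
             ("19101", "Carl Davis", "258 Main"),
             ("27645", "Elliot Flynn", "96 Avenue")]
ORDERS = [("27645", "80-2382", "20 June 2004"),
          ("27645", "86-4538", "10 October 2005")]
```

The mapping held in `SequentialKeys.assigned` links original to masked keys, so it needs the same protection as the production data and should not travel with the test extract.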

  33. Component B - Context • A single mask will affect ‘downstream’ systems • Column/field values must still pass edits • SSN • Phone numbers • E-mail ID • Zip code must match • Address • Phone area code • Age must match birth date [Diagram labels: Client Billing Application; DB2; Data is masked; Masked fields are consistent]

  34. Component C - Flexibility • Laws being interpreted • New regulations being considered • Change is the only certainty • ERPs being merged • Masking routines will change, frequently • Quick changes will be needed

  35. Data Masking Consideration – Step 5: Project Methodology • Determine Base Directives • Compile Data Sources List • Design Transformation Strategy • Develop Transformation Process • Implement Testing Strategy

  36. The Market Need • Corporations have a duty to protect confidential customer information and have gained an understanding that vulnerabilities exist both in the Production and Test Environments • Companies have begun implementing basic privacy functionality but are requiring more specific and application aware masking capabilities that can be applied across applications - IT organizations require that development databases provide realistic and valid test data (yet not identifiable) after it is masked. This includes: Valid social security #’s, credit card #’s, etc. - Enterprises require the option to mask data consistently across several different applications, databases, and platforms

  37. Success with Optim™ • “ Today we don’t care if we lose a laptop” - Large Midwest Financial Company • “ The cost of a data breach is exponentially more expensive than the cost of masking data” - Large East Coast Insurer • “ This corporation is the only large retailer to state full compliance with PCI regulations” - News article about the largest retailer in the world

  38. Success: Data Privacy • About the Client: $300 Billion Retailer • Largest Company in the World • Largest Informix installation in the world • Application: Multiple interrelated retail transaction processing applications • Challenges: • Comply with Payment Card Industry (PCI) regulations that required credit card data to be masked in the testing environment • Implement a strategy where Personally Identifiable Information (PII) is de-identified when being utilized in the application development process • Obtain a masking solution that could mask data across the enterprise in both Mainframe and Open Systems environments • Solution: Princeton Softech Optim™ • Client Value: • Satisfied PCI requirements by giving this retailer the capability to mask credit data with fictitious data • Masked other PII, such as customer first and last names, to ensure that “real data” cannot be extracted from the development environment • Adapted an enterprise focus for protecting privacy by deploying a consistent data masking methodology across applications, databases and operating environments

  39. How does Optim Protect Privacy? • Princeton Softech Optim provides the fundamental components of test data management and enables organizations to de-identify, mask and transform sensitive data across the enterprise • Companies can apply a range of transformation techniques to substitute customer data with contextually-accurate but fictionalized data to produce accurate test results • By masking personally-identifying information, Optim protects the privacy and security of confidential customer data, and supports compliance with local, state, national, international and industry-based privacy regulations

  40. Concluding Thought #1 “It costs much less to protect sensitive data than it does to replace lost customers and incur damage to the image of the organization and its brand—an irreplaceable asset in most cases.” IT Compliance Group Benchmark Study 2/07

  41. Concluding Thought #2 “We're not going to solve this by making data hard to steal. The way we're going to solve it is by making the data hard to use.” Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World"

  42. For further information: Eric Offenberg Product Marketing Manager erico@princetonsoftech.com 609-627-5648
