Protecting Sensitive Data Using Informatica s Test Data Management Solution Denise Jeffries Director Data Warehouse

Size: px

Start display at page:

Download "Protecting Sensitive Data Using Informatica s Test Data Management Solution Denise Jeffries Director Data Warehouse"

Rafe Austin
6 years ago
Views:

2 Protecting Sensitive Using Informatica s Test Management Solution Denise Jeffries Director Warehouse Karen Hsu Director Product Marketing 2

3 Agenda Trends & Challenges Privacy Best Practices Methodology BBVA Compass Informatica Persistent Masking Summary 3

4 Must Be Protected Devastating Costs Of A Breach Ponemon Institute 2012 The cost of a breach averages $5.5 million 50% of cases involve malicious insider 73% of DBA s can view all data, increasing risk of breach 4

Security Challenges are Growing Key Takeaways from leading analysts Analyst Analyst Estimates 15% of attacks occur without the enterprise ever knowing that such an attack took place 50% say

5 Security Challenges are Growing Key Takeaways from leading analysts Analyst Analyst Estimates 15% of attacks occur without the enterprise ever knowing that such an attack took place 50% say sensitive data has been compromised or stolen by malicious insider such as a privileged user 66% say their organizations find it difficult to comply with privacy data protection regulations 5

6 Must Be Protected Privacy Regulations Expending & More Enforceable Source: 2010 Breach Investigation Report, Verizon Risk Team in conjunction with United States Secret Service 6

7 Best Practices for Enterprise Privacy Quickly discover sensitive data throughout enterprise Identify fields table relationships Discover consistent data masking policies Classify data types assign risk mitigation policy Validate protected data prove compliance Reduce hardware manual costs reuse subset policies reuse global data masking policies Business/IT collaboration 7

8 Sensitive Requirements Discover 8

9 Discover Sensitive Classify Based on Patterns Discover 9

10 Discover Sensitive Identify Sensitive Fields Table Relationships 10

11 Rules Reusable Subset Masking Policies Discover Perform data subset using entities with filter criteria Choose which masking policies to use 11

12 Subset for Nonproduction Filter Production base Discover Time, Functional or Geographic Slice Time Savings Here Space Savings Here 10 TB Production base 30TB Subset 10 TB 10 TB 10 TB 10 TB 12

13 Protect Sensitive Test Mask Nonproduction Discover Permanently alter sensitive data such as credit cards, address information, or names Variety of Techniques: Shuffle Employee ID s Substitute Names Constant for City Special Credit Card Technique ID Name City Credit Card 0964 Mike John Wilson Smith Fresno Plano Jerry Mark Morrow Jones Andy Rob Davis Sers Jeff Josh Richards Phillips Modesto Fresno Hartford Fresno Fresno Tampa

14 Protect Sensitive Test Accelerate implementation with Masking Packs Predefined rules policies for masking sensitive data in specific segments Assign data masking policies to columns you want to mask Edit data masking rule within a policy to define masked output 14

15 Protect Sensitive Test Purpose-Built UI On Industry Leading Platform Discover Purpose built user interface Abstract policy definition Powerful engine to hle bulk processing Most comprehensive connectivity Generate 15

16 Connectivity to Any Platform Broad Application, base Support Discover Informatica Test Management Subset Masking Application Aware Accelerators Oracle e-business PeopleSoft Siebel SAP Universal Connectivity Oracle SQL Server DB2 UDB Teradata Sybase DB2 z/os VSAM Other 16

17 Validate Effectiveness of Masking Program Discover 17

18 Pervasive Privacy Differentiation Mask any type of data, including semistructured unstructured Rapid implementation maintenance with purpose built interface application aware accelerators High performance scalability Integrated platform with powerful engine Most comprehensive connectivity 18

19 BBVA Compass Informatica Persistent Masking What it is, how to do it Denise Jeffries Director Warehouse 19

20 Legislative Security Drivers Key Point Personally identifiable information (PII) is defined as information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. US Legislation Health Information Privacy Accountability Act -- Office for Civil Rights U.S. Department of Health Human Services protects the privacy of individually identifiable health information. Financial Services Modernization Act (GLB), 15 U.S. Code stipulates protections of financial customers non-public personal information. Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313 further defines GLB 504a. Fair Credit Reporting Act (FCRA), 15 U.S. Code u Fair Debt Collections Practices Act (FDCPA), 15 U.S.C Massachusetts General Law Chapter 93H its new regulations 201 CMR Non-US Legislation European Directive of 1995 (EU) was enacted to protect people's fundamental rights freedoms in particular their right to privacy with respect to the processing of personal data. Protection Act of 1998 (UK) further stipulates that Entities holding personal information are required to have adequate security measures in place, physical logical. 20

21 Obfuscation versus Masking Obfuscation allows connections by using a library to replace values Masking obliterates the data ob fus cate äb-fə-skāt; äb-fəs-kāt verb Inflected Form(s): ob fus cat ed; ob fus cat ing Etymology: Late Latin obfuscatus, past participle of obfuscare, from Latin ob- in the way + fuscus dark brown more at ob-, dusk 1a: darken b: to make obscure <obfuscate the issue> 2: confuse <obfuscate the reader> intransitive verb to be evasive, unclear, or confusing ob fus ca tion \äb-(fəs-kā-shən\ noun ob fus ca to ry \äb-fəs-kə-to r-ē\ adjective mask mæsk, mɑsk/ Show Spelled[mask, mahsk] noun 1. a covering for all or part of the face, worn to conceal one's identity. 2. anything that disguises or conceals; disguise; pretense: His politeness is a mask for his fundamentally malicious personality. 21

22 Discover Sensitive BBVA Compass process Work with legal to define sensitive data Involve a number internal teams BBVA Compass identified sensitive fields as Names Addresses Zip Codes Phone Numbers Addresses Dates Tax Information Number (TIN) Social Security Number (SSN) Free-flow Text or Comment Fields 22

23 Discover Discover Sensitive 23

24 Discover Masking Rules Informatica s Masking Assists BBVA Compass to meet Federal mates that regulate the privacy of confidential or sensitive data by masking it so it can be replicated to a non-production environment for development, testing, training purposes. The obfuscation process masks customer data that has been identified as sensitive. 24

25 High Level Overview of Obfuscation Process Discover 25

26 Discover Masking Methodology The flow of the masking process Extract all records from the master source. Obfuscate data using the data masking transformation. Perform any transformations that may use a combination of obfuscated data, such as concatenations or string replacements of masked data. Build cross-references from masked data write data in a test master target file. 26

27 Discover Masking Dictionaries dictionaries used in masking process: 1. First Name Dictionary 2. Last Name Dictionary 3. Address Dictionary 4. Company Name Dictionary 27

28 Discover Example of Masking: Names Customer names company are assigned new identities from the First Name, Last Name Company Name masking dictionaries Dictionaries each contain approximately 80,000 possible names With more than 80,000 customers on file, there is repetition of names or addresses with different customer account numbers. First Name Last Name Company Account John Smith Acme John Smith Boulder John Smith Crystol NOTE: Masked first names are not tied to the source name s gender. In other words, Jane Doe may end up as John Smith when masked. 28

29 Discover Reusable Masking Policy MPLT_STREET_MASKING_ADDRESS 29

30 Discover Reusable Address Masking Policy Accepts a customer real street address name as an input, obfuscates the name against the Address Dictionary, generates the obfuscated Street, City, State, Zip Country as output. STREET name is used as an input the same is passed on to the exp_anchor transformation then passed to the exp_md5_to_numberstring where expressions such as trimming the spaces on both sides of the string determining if the inputstring is empty or is all spaces are applied. If the inputstring is determined to be empty or is all spaces, then the address is computed to the default A. Next, the MD5 value of the trimmed inputstring is computed to get a unique 32-character string of hexadecimal digits using the MD5 function. Next, a REPLACECHR function is used to on the MD5 string output to replace case sensitive A with 1, B with 2, C with 3 so on until F for 6, to ensure that the output is all numbers. Next, the output string is passed through the data masking transformation then passed to the expression exp_mod where it is converted to a decimal a MOD function is used to calculate the remainder of the division of the converted decimal value the $$VarAddrBase variable in the mapping. The remainder is increased by 1. The output column (out_randid3) is used as a lookup on the LKPADDRESS flatfile (dictionary) transformation using the condition SNO=out_RANDID3 the column with a matched lookup condition are moved to the expression expoutput where the final cleansing of the data is completed. The output column is moved to exp_all_caps where all the columns are converted to Uppercase using the UPPER function the STREET, CITY, STATE, ZIP COUNTRY column are moved on to the OUTPUT transformation of the mapplet. 30

31 Discover 31

32 Next Steps Contact Follow Up Information Contact Denise Jeffries Phone: Karen Hsu Visit our website for more information resources Solutions > Application ILM > Privacy Related Resources White Paper Best Practices for Ensuring Privacy in Production Non-Production Systems Upcoming Events Gartner Security Risk Conference June in Washington D.C., USA RSA Europe October 9-11 in London, United Kingdom 32

33 Thank You 33

Oracle Data Masking and Subsetting

Oracle Data Masking and Subsetting Frequently Asked Questions (FAQ) S E P T E M B E R 2 0 1 6 Product Overview Q: What is Data Masking and Subsetting? A: Data Masking or Static Data Masking is the process