Data Protection: Plugging the gap
Gary Comiskey, 26 February 2010
Data Protection Trends in Financial Services
- Financial services firms are deploying data protection solutions across their enterprise at different levels of maturity: in silos, clusters and center of excellence models.
- Offshoring and outsourcing to third-party firms demand a solution that enables the flow of data across the network perimeter.
- Increased focus on brand protection as consumers and business partners grow intolerant of numerous and massive breaches.
- Financial firms are focusing on compliance and remediation of risk, balanced and aligned with their technology strategy.
- The vendor landscape is consolidating and maturing into vertical solutions: fewer vendors with more robust functionality.
- Developer access to production programs is driving data obfuscation as a solution to a piece of the problem; regulation is becoming more specific and prescriptive.
Regulatory and compliance pressures, the need to enable more efficient delivery models (offshoring and outsourcing), and the need to reduce the risk of developer access to production are driving financial services firms to deploy data protection solutions as an enterprise control.
Recent Deloitte Surveys
Irish survey:
- 77% believe it is easy to remove sensitive data from the workplace.
- 80% of respondents said that sensitive data was left unattended in their workplace.
- 50% indicated that sensitive data was left unattended across the organisation.
[Chart: where sensitive data was left unattended, by location (desks, printers, photocopiers, fax machines, all); the values shown are 49%, 25% and 15%.]
Global survey:
- 66.4% of respondents experienced between 6 and 20 incidents, and 12.3% indicated more than 20 events.
- Almost 10% of respondents had lost more than 25,000 records in one data breach.
- 21.5% were not sure how many records were lost!
[Chart: records lost during the single "most significant" data breach, percentage of respondents (0 to 25%) by category: no response, not sure, 1 to 100, 101 to 1,000, 1,001 to 5,000, 5,001 to 25,000, over 25,000.]
Ways Enterprise Data is Compromised
The majority of these breaches occur inside the firewall. Privileged users (developers, systems administrators, testers) present a substantial risk due to their knowledge of systems and access to data.
[Diagram: external users reach a load balancer, web server, app server, ERP, database and backups through the firewall, with internal users and privileged users already inside it.] Types of threat:
1. External users
2. Internal users
3. File/web servers
4. Administrators/DBAs/developers
5. Database vulnerability
6. Data backup
Insider threats are a concern: 75% of threats come from insiders, and 60% of internal threats are undetected. (Source: Forrester)
Ways to Protect Enterprise Data
[Diagram: users reach the web server, app server and DB server over the network, with administration kept separate; Dev, Test, QA and Stage environments use data masking or dummy data for developers and testers; admin activity is audited.] Strong security measures:
- Encryption (DB server, backups)
- Strict access control
- Audit
- Security policies, processes and procedures
Understanding Data Protection Controls
A layered security approach should be adopted to protect sensitive data within environments. Sensitive data protection can be viewed as a combination of the following:
- Controlling access to sensitive data via user access controls
- Masking/obfuscating sensitive data when user access controls are not sufficient
Protection of sensitive data can be achieved by a combination of data masking and user access controls:
- For production systems, restrict access to sensitive data (e.g., eliminate developer access to production, provide need-only basis access to support personnel). Data masking in production systems is achieved at the application layer using native tools and custom scripts.
- For Test, QA and Development systems, eliminate use of production data. Data masking in Test, QA and Development systems is achieved at the database level.
Key Considerations for Data Protection
An enterprise data protection strategy starts with understanding what your assets are. Not all data can be protected equally; we must first understand what needs to be protected the most.
- What information and systems/application assets are most critical?
- What is the data of concern?
- What are the data integrity and data privacy responsibilities?
A risk-based approach to data protection focuses on mitigating high-risk issues first. Begin by establishing risk profiles that account for the factors listed below:
- Sensitivity of the data.
- End-users that will access the data (i.e. developers, testers, QA personnel).
- Systems and applications that will access and store the sensitive data.
Establishing risk profiles helps organizations understand their landscape and aids the security teams with setting policies that determine how systems/applications are configured, what rights users have, and what security mechanisms need to be in place to protect sensitive data (data of concern).
- Data: how critical is it? How exposed is it?
- Systems/applications: what are they and how secure are they?
- Users: what data do they handle? Are they a security risk?
Step 1: Understand where your data is
- Understand existing methodologies
- Data inventory/lifecycle methodology and process
- Key deliverable: data flow diagrams
Use Technology Where Possible
[Matrix of data protection technology capabilities, organised by question:]
Where is sensitive data located?
- Discovery: desktops, servers, storage
- Classification: tagging, content similarity, keyword dictionary
- Context: server, application, file type, user
What is the user doing with it?
- Unstructured data: read, write, copy/paste, move, print, burn, upload
- Structured data: view, modify, delete, extract
Where is the data going?
- E-mail, applications, devices, networks
Apply DP policy and actions:
- Alert (detection)
- Notify (awareness)
- Prompt (intent)
- Encrypt (protection)
- Block (protection)
- Mask (need to know)
- Audit (logging)
Data Protection Methods
Data protection is a general term that encompasses a number of methods, including:
Data Encryption refers to a method of modifying data so that it is meaningless and unreadable in its encrypted form. It also must be reasonably secure, i.e., it must not be easily decrypted without the proper key.
Data Obfuscation is data that is rendered unusable by some means, but is not considered a serious form of encryption (obfuscating the data with a simple substitution cipher is not considered encryption):
- Substitution, which replaces a value in the column with fictionalized data.
- Randomization, which replaces the value with random data.
- Shuffling, which switches column values between records.
- Nullifying, which replaces column values with NULL.
- Skewing, which alters numeric data by a random variance.
- Encryption/decryption, which employs reversible scrambling.
Data Masking is a method of hiding sensitive data in a way that the clear text cannot be reconstructed from the displayed data. This is useful in situations where it is only necessary to display a portion of the data.
Data Generation is a method of creating fictional data following certain patterns to completely replace the original data set, with the intent that the result can be fully displayed.
Data Redaction is a method of locating sensitive content in unstructured documents, indexing it using OCR, and masking or obfuscating it as appropriate.
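The obfuscation and masking methods above applied to a constructed two-table extract, as an added example that is not part of the deck: substitution is keyed and deterministic so the customer_id foreign key still joins after obfuscation (the referential integrity a masking tool must preserve), while masking, skewing, shuffling and nullifying each cover one column. The vault key and the sample rows are constructed placeholders.

```python
import hashlib
import hmac
import random

# Constructed sample extract (not real data): two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Murphy", "salary": 52000, "card": "4111111111111111"},
    {"customer_id": "C1002", "name": "Brian Walsh", "salary": 61000, "card": "5500000000000004"},
]
ACCOUNTS = [
    {"account_id": "A1", "customer_id": "C1001", "balance": 1500.25},
    {"account_id": "A2", "customer_id": "C1002", "balance": 99.10},
]
# Assumption: the substitution key lives in the algorithm vault and never ships with test data.
VAULT_KEY = b"placeholder-vault-key"

def substitute(value, key=VAULT_KEY):
    """Substitution: replace an identifier with a fictional but deterministic token.
    Keyed HMAC maps the same input to the same token in every table, so foreign
    keys still join, but the token cannot be reversed without the key."""
    return "X" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8].upper()

def skew(value, rng, pct=0.10):
    """Skewing: alter a numeric value by a random variance of up to +/- pct."""
    return round(value * (1 + rng.uniform(-pct, pct)), 2)

def shuffle_column(rows, column, rng):
    """Shuffling: switch one column's values between records, keeping row order."""
    values = [row[column] for row in rows]
    rng.shuffle(values)
    return [dict(row, **{column: v}) for row, v in zip(rows, values)]

def mask(card, keep_last=4):
    """Masking: show only the last digits; the clear text cannot be rebuilt from the output."""
    return "*" * (len(card) - keep_last) + card[-keep_last:]

def obfuscate_extract(customers, accounts, seed=0):
    """Apply one method per column and return the protected tables."""
    rng = random.Random(seed)
    cust = [dict(row, customer_id=substitute(row["customer_id"]), salary=skew(row["salary"], rng),
                 card=mask(row["card"])) for row in shuffle_column(customers, "name", rng)]
    # Nullifying: balances are not needed in test, so replace them with NULL (None).
    acct = [dict(row, customer_id=substitute(row["customer_id"]), balance=None) for row in accounts]
    return cust, acct

def referential_integrity_holds(cust, acct):
    """Check the join still works after obfuscation: every account points at a customer."""
    ids = {row["customer_id"] for row in cust}
    return all(row["customer_id"] in ids for row in acct)
```

A random-per-table substitution would break the join; this is the "random tests for reversibility" and key-identification check that later slides ask for.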
Key Objectives of a Data Protection Solution
An effective data protection program requires four critical factors to ensure success.
- Scalability: the solution meets the volume and performance requirements demanded by scaling the number of applications (e.g., a data obfuscation process for 20 applications scaling to UAT with 200 applications).
- Sustainability: the solution has the required checks and balances in place to ensure the integrity and longevity of the obfuscated data (e.g., segregation of duties, algorithm safeguard and vault, request and distribution process).
- Repeatability: the solution can be replicated across multiple environments to ensure consistency (e.g., as the obfuscated data proliferates in the environment, the obfuscation processes need to be reusable and repeated across the enterprise).
- Control: the solution is a compensating control and needs to be treated with discipline, including the governance, reviews, monitoring and testing needed to ensure the control objectives are met (e.g., scheduled audits of obfuscation processes, random tests for reversibility, etc.).
Data Protection Areas of Focus
Information Security Policy
- To provide management direction and support for information security.
- The policy document should be approved by management, published and communicated, as appropriate, to all employees.
- Review and evaluation: the policy should have an owner who is responsible for its maintenance and review according to a defined review process.
Information Security Infrastructure
- Establish a management forum to ensure that there is clear direction and visible management support for security initiatives.
- Consider a cross-functional forum with representatives from relevant parts of the organisation to coordinate the implementation of information security controls.
- The forum is responsible for the protection of information assets and for carrying out specific security processes.
Data Protection Areas of Focus
Access Control
- Establish formal user registration and de-registration procedures for granting access to all multi-user information systems and services.
- The allocation and use of privileges should be restricted and controlled.
- Ensure adequate password security is implemented: minimum length, frequent changes, complex characters.
- Implement a process to review users' access rights at regular intervals.
- Don't forget physical security!
Logging & Monitoring
- Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
- Use technology where possible; however, manual workarounds are possible.
- Consider building this into any system change requests.
- Conduct periodic reviews of access patterns.
- Inform staff that access is monitored and ensure they are aware of their responsibilities.
Data Protection Areas of Focus
System Development & Maintenance
- Business requirements for new systems, or enhancements to existing systems, should specify the data protection requirements.
- Validation checks should be performed for any data migration to ensure that data remains current and accurate.
- Test data should be protected and controlled; preferably dummy data should be used.
Portable Storage Devices
- The biggest area for accidental data loss.
- Must be password protected and should be encrypted.
- Preferably do not store personal or sensitive data on them.
- Ensure that all default passwords are changed.
- Use secure access to central data storage where possible.
- Ensure that the latest encryption standards are used.
- Consider two-factor authentication.
Data Protection Areas of Focus
Data Destruction
- Should have appropriate procedures.
- Ensure that electronic storage devices are securely destroyed.
- Where external parties are used, ensure they sign up to data protection standards.
- Develop a data retention policy: decide how long data will be kept for.
- Ensure that the destruction process is robust.
- Consider periodic reviews of destruction providers to ensure that procedures are appropriate; don't just rely on the contract.
Data Protection Technology and Tool Selection Criteria
When selecting a data protection tool it is crucial to ensure that it can adapt and fit into your organisation. Some pointers to consider range from compatibility to its integration with the SDLC.
- Platform and database compatibility: when selecting a tool, ensure that the supported databases and platforms fit the needs and requirements of the organization.
- Protection process on extract: analyze the protection process on extract, including timing, scheduling, maintenance and monitoring.
- Referential integrity and key identification: ensure that the tool can identify all database-level keys and table integrity.
- Built-in protection techniques: most solutions ship with a number of protection techniques or algorithms, which can significantly enhance and simplify the implementation process.
- Graphical user interface (GUI): most tools can be controlled by a GUI; however, there are vendor tools that still use command-line management.
- Version control: version control varies across tools, so it is beneficial to understand the selected tool's version control methods.
- Integration with SDLC: ensure that the tool can integrate with the organization's SDLC throughout deployment and implementation.
Key Challenges
- Securing buy-in from senior management
- The need to understand the data held within the organisation
- Training and awareness for staff
- Using the right technology solutions
- Embedding data protection into the organisation